Wednesday 12 June 2024

Grant System Privileges Like EXPORT or IMPORT Into a (HDI) HANA Deployment Container

To get system privileges into an HDI container, someone has to grant them to the container. These are the steps to follow. In this sample, the IMPORT and EXPORT privileges are granted.

1. [optional] A user with the DBA-ADMIN role creates a usergroup such as "HDI_CONTAINER_RIGHTS"

Either use HANA Cloud Central to create a USERGROUP

2. or use a SQL command:

-- DROP USERGROUP "HDI_CONTAINER_RIGHTS";

CREATE USERGROUP "HDI_CONTAINER_RIGHTS";

3. Create a USER "HDI_IMPORT_EXPORT_GRANTER":

or use a SQL command:

--DROP USER HDI_IMPORT_EXPORT_GRANTER;

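-- Abcd1234 is the sample password used in this post; the CUPS definition in step 6 must carry the same value.
CREATE USER HDI_IMPORT_EXPORT_GRANTER PASSWORD Abcd1234 NO FORCE_FIRST_PASSWORD_CHANGE SET USERGROUP "HDI_CONTAINER_RIGHTS";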

4. Define a ROLE "HANAIMPORTEXPORT4HDI" that has the privileges needed for the container:

or use a SQL command:

CREATE ROLE HANAIMPORTEXPORT4HDI;
GRANT IMPORT TO HANAIMPORTEXPORT4HDI;
GRANT EXPORT TO HANAIMPORTEXPORT4HDI;

5. Now this role has to be given to HDI_IMPORT_EXPORT_GRANTER with the right to grant it to others.
This user will give the role to the HDI container so that the container can import and export.

or with the SQL command:

GRANT HANAIMPORTEXPORT4HDI TO HDI_IMPORT_EXPORT_GRANTER WITH ADMIN OPTION;

Now we have done the HANA Cloud side of things.
There is a user "HDI_IMPORT_EXPORT_GRANTER" that can grant a role "HANAIMPORTEXPORT4HDI" with IMPORT and EXPORT privileges.

6. Now we have to get this role into our HDI container. We have to switch to the BTP Cockpit:
Inside your development space (here: dev), a CUPS (Custom User Provided Service) needs to be defined.

{
  "user": "HDI_IMPORT_EXPORT_GRANTER",
  "password": "Abcd1234",
  "tags": [
    "hana"
  ]
}

Now there is a CUPS service in your space that can grant your HDI containers the role to import and export. Of course you need all of this set up in a similar way in the other landscapes you are using. Explain this to your SAP HANA Cloud admin. Certainly only very few people in production are allowed to see the passwords. The rights of the role were intentionally kept very limited.

7. Now we go into Business Application Studio to get the wanted role into the HDI container.

1. Invoke the CUPS service into your project:

That will appear as a "cross-container-service-n". (In my case I had another one as well.)
This one gets a name, here "cross-container-service-3", which you will also find in the mta.yaml file:

2. Now that we have a service that can GRANT us the role we are looking for, we need an hdbgrants file:

or here the text version:

{
  "ServiceName_3": {
    "object_owner": {
      "global_roles": [
        {
          "roles": [
            "HANAIMPORTEXPORT4HDI"
          ]
        }
      ]
    },
    "application_user": {
      "global_roles": [
        {
          "roles": [
            "HANAIMPORTEXPORT4HDI"
          ]
        }
      ]
    }
  }
}
(Formatting is maybe wrong but content should be ok)

3. Next step is deployment

The result shows that we successfully granted the hdbgrants files:

8. Now the import/export can be tested: Open the DBX application as RT user:

and the prices are now imported and exported through my S3 bucket (as BTP object store service)

9. There is a PSE/certificate setting that needs to be defined as well. Please check the blog below to establish this HANA Cloud setting.
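
A pre-deployment check for the hdbgrants file from step 7, added here as an example (not code from the original post): it parses the file and reports every request that goes beyond the one allow-listed role, so the grantor's admin option cannot be used to pull more into the container than intended. The allowlist, the function name lint_hdbgrants and the embedded sample file are assumptions for illustration.

```python
import json

# Constructed sample: the hdbgrants content shown in step 7 of this post.
PAGE_HDBGRANTS = """
{
  "ServiceName_3": {
    "object_owner": {"global_roles": [{"roles": ["HANAIMPORTEXPORT4HDI"]}]},
    "application_user": {"global_roles": [{"roles": ["HANAIMPORTEXPORT4HDI"]}]}
  }
}
"""
ALLOWED_ROLES = {"HANAIMPORTEXPORT4HDI"}  # assumption: the only role agreed with the DB admin
ALLOWED_GRANTEES = {"object_owner", "application_user"}


def lint_hdbgrants(text, allowed_roles=ALLOWED_ROLES):
    """Return a list of findings; an empty list means the file stays within policy."""
    findings = []
    for service, grantees in json.loads(text).items():
        for grantee, sections in grantees.items():
            where = f"{service}.{grantee}"
            if grantee not in ALLOWED_GRANTEES:
                findings.append(f"{where}: unexpected grantee")
                continue
            for section, entries in sections.items():
                if section != "global_roles":
                    # e.g. system_privileges or schema_privileges requested directly
                    findings.append(f"{where}: section '{section}' not allowed")
                    continue
                for entry in entries:
                    for key, roles in entry.items():
                        if key != "roles":
                            # e.g. roles_with_admin_option, which would allow re-granting
                            findings.append(f"{where}: key '{key}' not allowed")
                        for role in roles:
                            if role not in allowed_roles:
                                findings.append(f"{where}: role '{role}' not allow-listed")
    return findings


if __name__ == "__main__":
    results = lint_hdbgrants(PAGE_HDBGRANTS)
    for line in results or ["OK: only allow-listed roles requested"]:
        print(line)
```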
