Restricting access to Views in SAP HANA for SAP Lumira

I recently got asked this by a customer of ours and it sparked the idea to put it into a blog post for those who are looking for a similar solution 

The blog posts and guides that I found when researching this would grant SAP Lumira access to all the views on your HANA server but none that I found restricted access to only certain packages.

Firstly let’s create a new ROLE that users will be assigned to:

Blog1

And let’s now create a test USER and add it to the ROLE we created above:

Blog2

Now let’s try log into HANA via SAP Lumira with the new user. We get the following error message which is as expected:

Blo3

I will then give the TEST_ROLE Select rights to _SYS_BI and _SYS_BIC objects as below:

Blog4

I will then try access HANA again using the TEST_USER. The good news is that we can now connect to SAP HANA but we do not have access to any analytical views yet:

Blog5

There are a few blog post on SCN, that I found, like this one that touches on granting access for Lumira. Typically this involves granting access to the _SYS_B_CP_ALL Analytic Privilege to your USER/ROLE as below:

Blog6

The problem/limitation with this method is that it casts the access net over your whole HANA system and will give that user access to all the Views/Packages on your system. As can be seen below we have access to 40 views in total:

Blog7

So let me revoke the _SYS_BI_CP_ALL privileged first. Once that is done I now want to grant this TEST_ROLE access to only the CV_DEMO package and the three views in that as per the screen shot above.

In HANA Studio right click on the package you want to grant access to (cv_demo in my case) and choose to create a new Analytic Privilege as below:

Blog8

As a matter of reference I created my Analytic Privilege as AP_CV_DEMO. The final piece of the puzzle is to go back to the TEST_ROLE and grant it access to AP_CV_DEMO Analytic Privilege that we have just created:

Blog9

For one final check let’s head back into Lumira. When we log on we only have access to the 3 views in CV_DEMO which is what we wanted:

Blog10

Finally if we access one of those views we are able to see the data in Lumira:

Blog11

I hope this will help people out who are stuck with this and please do leave comments below if you have any further questions or ideas on this.

As a side note the revisions of Software that this is done on was:

SAP HANA Rev 82 (1.00.82.00.394270)

SAP Lumira 1.19.0 (Build 1099)

One thought on “Restricting access to Views in SAP HANA for SAP Lumira

  1. Hi Clint,

    Excellent blog. Very precise and clear.

    I know this is not a forum, but I have been stuck for a few days with a Hana privilege issue. I’m using a SAP Hana Cloud Trial landscape account (developer license). I have Hana Studio in Eclipse in a MAC (OSX). I do not see the _SYS_BIC schema. I see the _SYS_BI and _SYS schemas. I have created and activated analytic and attribute views, but am unable to preview data as it gives my an unauthorized user error. I am the owner of this account, and SAP states that I should be able to view this as a System owner. Can you please advise? My email is manish.sood.kg@gmail.com in case you wish to send an email.

Leave a Reply