SAP HANA Reference

GRANT

Syntax

GRANT <system_privilege>,... TO <grantee> [WITH ADMIN OPTION]

| GRANT <schema_privilege>,... ON SCHEMA <schema_name> TO <grantee> [WITH GRANT
OPTION]
| GRANT <object_privilege>,... ON <object_name> TO <grantee> [WITH GRANT OPTION]
| GRANT <role_name>,... TO <grantee> [WITH ADMIN OPTION]
| GRANT STRUCTURED PRIVILEGE <privilege_name> TO <grantee>

Syntax Elements

<system_privilege> ::= AUDIT ADMIN | BACKUP ADMIN

| CATALOG READ | CREATE SCENARIO
| CREATE SCHEMA | CREATE STRUCTURED PRIVILEGE
| DATA ADMIN | EXPORT
| IMPORT | INIFILE ADMIN
| LICENSE ADMIN | LOG ADMIN
| MONITOR ADMIN | OPTIMIZER ADMIN
| RESOURCE ADMIN | ROLE ADMIN
| SAVEPOINT ADMIN | SCENARIO ADMIN
| SERVICE ADMIN | SESSION ADMIN
| STRUCTUREDPRIVILEGE ADMIN | TRACE ADMIN
| TRUST ADMIN | USER ADMIN
| VERSION ADMIN
| <identifier>.<identifier>

System privileges are used to restrict administrative tasks. The table below describes the supported
system privileges.

System Privilege Privilege Purpose Comment

Controls the execution of the following
auditing-related commands: CREATE AUDIT
AUDIT ADMIN POLICY, DROP AUDIT POLICY and ALTER
AUDIT POLICY and the changes of the
auditing configuration.
Authorizes the BACKUP command to define
BACKUP ADMIN and initiate a backup process or to perform
a recovery process.
Normally, the content of
Authorizes users to have unfiltered read-
these views is filtered based
CATALOG READ only access to all system and monitoring
on the privileges of the
views.
accessing user.
 Controls the creation of calculation
CREATE SCENARIO
scenarios and cubes (calculation database)
Authorizes the creation of database
schemas using the CREATE SCHEMA
CREATE SCHEMA command.By default each user owns one
schema, with this privilege the user is
allowed to create additional schemas.
Only the owner of an
Analytical Privilege can
CREATE STRUCTURED Authorizes the creation of Structured
further grant or revoke that
PRIVILEGE Privileges (Analytical Privileges)
privilege to other users or
roles.
A user having this privilege
Authorizes reading all data in the system cannot select or change
and monitoring views. It also enables data stored tables for which
DATA ADMIN execution of any Data Definition Language they do not have access
(DDL) commands in the SAP HANA privileges, but they can drop
database tables or modify table
definitions.
Authorizes export activity in the database
via the EXPORT TABLE command.Note that
EXPORT beside this privilege the user requires the
SELECT privilege on the source tables to be
exported.
Note that beside this
privilege the user requires
Authorizes the import activity in the
IMPORT the INSERT privilege on the
database using the IMPORT commands.
target tables to be
imported.
INIFILE ADMIN Authorizes changing of system settings.
Authorizes the SET SYSTEM LICENSE
LICENSE ADMIN
command install a new license.
Authorizes the ALTER SYSTEM LOGGING
LOG ADMIN [ON|OFF] commands to enable or disable
the log flush mechanism.
Authorizes the ALTER SYSTEM commands
MONITOR ADMIN
for EVENTs.
Authorizes the ALTER SYSTEM commands
concerning SQL PLAN CACHE and ALTER
OPTIMIZER ADMIN SYSTEM UPDATE STATISTICS commands,
which influence the behavior of the query
optimizer.
This privilege authorizes commands
concerning system resources, for example
ALTER SYSTEM RECLAIM DATAVOLUME and
RESOURCE ADMIN
ALTER SYSTEM RESET MONITORING VIEW.
It also authorizes many of the commands
available in the Management Console.
This privilege authorizes the creation and Activated roles, meaning
deletion of roles using the CREATE ROLE roles whose creator is the
ROLE ADMIN and DROP ROLE commands. It also pre-defined user
authorizes the granting and revocation of _SYS_REPO, can neither be
roles using the GRANT and REVOKE granted to other roles or
 commands. users nor dropped directly.
Not even users having ROLE
ADMIN privilege are able to
do so. Please check
documentation concerning
activated objects.
Authorizes the execution of a savepoint
SAVEPOINT ADMIN process using the ALTER SYSTEM
SAVEPOINT command.
Authorizes all calculation scenario-related
SCENARIO ADMIN
activities (including creation).
Authorizes the ALTER SYSTEM This privilege is for
SERVICE ADMIN [START|CANCEL|RECONFIGURE] administering system
commands. services of the database
authorizes the ALTER SYSTEM commands
SESSION ADMIN concerning sessions to stop or disconnect a
user session or to change session variables.
STRUCTUREDPRIVILEGE Authorizes the creation, reactivation, and
ADMIN dropping of structured privileges.
Authorizes the ALTER SYSTEM
[CLEAR|REMOVE] TRACES commands for
TRACE ADMIN
operations on database trace files and
authorizes changing trace system settings.
Authorizes commands to update the trust
TRUST ADMIN
store.
Authorizes the creation and modification of
USER ADMIN users using the CREATE USER, ALTER
USER, and DROP USER commands.
Authorizes the ALTER SYSTEM RECLAIM
VERSION SPACE command of the multi-
VERSION ADMIN
version concurrency control (MVCC)
mechanism.
Components of the SAP HANA database can
create new system privileges. These
privileges use the component-name as first
<identifier>.<identifier>
identifier of the system privilege and the
component-privilege-name as the second
identifier.

<schema_privilege> ::= CREATE ANY | DEBUG

| DELETE | DROP
| EXECUTE | INDEX
| INSERT | SELECT
| TRIGGER | UPDATE

Schema privileges are used to restrict the access and modifications on a schema and the objects
stored in this schema. The following schema privileges are defined:

CREATE ANY
This privilege allows the creation of all kinds of objects, in particular, tables, views, sequences,
synonyms, SQLScript functions, or database procedures in a schema.

DELETE, DROP, EXECUTE, INDEX, INSERT, SELECT, UPDATE

The specified privilege is granted on every object stored in the specified schema currently and in
future. For detailed description of the privileges please see the part describing object privileges below
and please check below, which privileges are applicable for which kind of object.

<object_privilege> ::= ALL PRIVILEGES | ALTER

| DEBUG | DELETE
| DROP | EXECUTE
| INDEX | INSERT
| SELECT | REFERENCES
| TRIGGER | UPDATE
| <identifier>.<identifier>

Object privileges are used to restrict the access and modifications on database objects. Database
objects are tables, views, sequences, procedures, etc. The table below describes the supported object
privileges.

Command
Object Privilege Privilege Description Comment
Types
This privilege is a collection of
all Data Definition
Language(DDL) and Data This privilege collection is
Manipulation Language(DML) dynamically evaluated for
privileges that the grantor the given grantor and
ALL PRIVILEGES DDL & DML
currently possesses and is object. ALL PRIVILEGES is
allowed to grant further. The applicable to a table or
privilege it grants is specific to view
the particular object being
acted upon.
Authorizes the ALTER
ALTER DDL
command for the object
Authorizes debug-functionality
for the procedure or
DEBUG DML calculation view or for the
procedures and calculation
views of a schema.
Authorizes the DELETE and
DELETE DML TRUNCATE commands for the
object
Authorizes the DROP
DROP DDL
commands for the object
Authorizes the execution of an
SQLScript function or a
EXECUTE DML database procedure using the
CALLS or CALL command
respectively.
Authorizes the creation,
INDEX DDL modification or dropping of
indexes for the object
 The INSERT and UPDATE
privilege are both required
Authorizes the INSERT
INSERT DML on the object to allow the
command for the object.
REPLACE and UPSERT
commands to be used.
Authorizes the usage of all
tables in this schema or this
REFERENCES DDL
table in a foreign key
definition.
Authorizes the SELECT
SELECT DML command for this object or the
usage of a sequence.
Authorizes the CREATE
TRIGGER / DROP TRIGGER
TRIGGER DDL command for the specified
table or the tables in the
specified schema.
he INSERT and UPDATE
privilege are both required
on the object to allow the
REPLACE and UPSERT
Authorizes the UPDATE commands to be used. The
UPDATE DML
command for that object. UPDATE privilege is also
required to perform delta
merges of column store
tables using the MERGE
DELTA command.
Components of the SAP HANA
database can create new
system privileges. These
privileges use the component-
<identifier>.<identifier> DDL
name as first identifier of the
system privilege and the
component-privilege-name as
the second identifier.

Not all object privileges are applicable to all kinds of database objects. For details of which object
types allow which privilege to be used please see the table below.

Privilege Schema Table View Sequence Function/Procedure

ALL PRIVILEGES --- YES YES --- ---
ALTER YES YES --- --- YES
CREATE ANY YES --- --- --- ---
DEBUG YES --- YES --- YES
DELETE YES YES YES --- ---
DROP YES YES YES YES YES
EXECUTE YES --- --- --- YES
INDEX YES YES --- --- ---
INSERT YES YES YES --- ---
REFERENCES YES YES --- --- ---
SELECT YES YES YES YES ---
TRIGGER YES YES --- --- ---
UPDATE YES YES YES --- ---

DELETE, INSERT and UPDATE on views are valid for updatable views only. Updatable views have the
following characteristics:

 Does not use a join

 Does not contain a UNION
 Does not use aggregation

DEBUG is only valid for calculation views.

For synonyms, the same restrictions apply to the synonym as they would do for the object the
synonym represents.

<object_name> ::= <table_name> | <view_name>

| <sequence_name> | <procedure_name>
| <synonym_name>

Object privileges are used to restrict the access and modifications on database objects like tables,
views, sequences, procedures and synonyms.

<grantee> :: = <user_name> | <role_name>

The grantee can be a user or a role. In case a privilege or role is granted to a role, then all user being
granted that role, will have the specified privilege or role.

A role is a named collection of privileges and can be granted to either a user or a role.
If you want to allow several database users to perform the same actions, you should create a role,
grant the needed privileges to this role, and finally grant the role to the different database users.
When granting roles to roles, a tree of roles can be build. When granting a role (R) to a role or user
(G), G will have all privileges directly granted to R and all privileges granted to roles which had been
granted to R.

<user_name> ::= <simple_identifier>

The grantee username.

<role_name> ::= <identifier>

The grantee role name.

<schema_name> ::= <identifier>

The schema containing the database object to be acted upon.

 <table_name> ::= [<schema_name>.]<identifier>

The database table object name.

<view_name> ::= [<schema_name>.]<identifier>

The database view object name.

<sequence_name> ::= [<schema_name>.]<identifier>

The sequence object name.

<procedure_name> ::= [<schema_name>.]<identifier>

The procedure object name.

<synonym_name> ::= [<schema_name>.]<identifier>

The synonym name.

<privilege_name> ::= <identifier>

The name of the privilege to be granted.

WITH ADMIN OPTION and WITH GRANT OPTION

Specifies that the granted privileges can be granted further by the specified user or by those user
having the specified role.

With GRANT STRUCTURED PRIVILEGE <privilege_name>

A previously defined analytical privilege based on a generic structured privilege is granted to a user or
role. This analytical privileges is used to restrict the access for read operations to certain data in
Analytic, Attribute, and Calculation Views by filtering the attribute values.

Description

GRANT is used to grant privileges and structured privileges to users and roles. GRANT is also used to
grant roles to users and other roles.

The specified users, roles, objects, and structured privileges have to exist before they can be used in
the GRANT command.
In order to use the GRANT command to grant privileges to other users and roles, a user must have
the privilege and also the permissions required to grant that privilege.

A user can not grant a privilege to themselves.

User SYSTEM has at all system privileges and the role PUBLIC. All other users have the role PUBLIC.
These privileges and roles cannot be revoked.

Although the SYSTEM user has many privileges, it cannot select or change data in other user's tables
unless this privilege has been explicitly granted.
All users have the privilege to create objects in their own default schema. The default schema for a
user always has the same schema name as the user.

For tables created by users, users have all privileges and may grant all privilges further to other users
and roles.

For objects which are dependent on other objects, like views being dependent on tables, it can occur
the owner of the dependent object does not have a complete set of privileges. This can occur if the
user do not have the privileges on the underlying objects on which their object depends.

Users can have privileges on an object, but may not have sufficient priviliges to grant them to other
users and roles.

System and Monitoring Views

USERS: shows all users, their creator, creation date and some info about their current states.
ROLES: shows all roles, their creator and creation date.
GRANTED_ROLES: shows which roles are granted to which user or role.
GRANTED_PRIVILEGES: shows which privileges are granted to which user or role.

Examples

You create a schema called my_schema.

CREATE SCHEMA my_schema;

You create a table named work_done in the my_schema schema.

CREATE TABLE my_schema.work_done (t TIMESTAMP, user NVARCHAR (256), work_done

VARCHAR (256));

You create a new user named worker with password His_Password_1.

CREATE USER worker PASSWORD His_Password_1;

You create role called role_for_work_on_my_schema.

CREATE ROLE role_for_work_on_my_schema;

You grant the SELECT on any object privilege in my_schema to the role
role_for_work_on_my_schema.

GRANT SELECT ON SCHEMA my_schema TO role_for_work_on_my_schema;

You grant the INSERT privilege for the work_done table to the role role_for_work_on_my_schema.

GRANT INSERT ON my_schema.work_done TO role_for_work_on_my_schema;

You grant the role_for_work_on_my_schema role to the worker user.

 GRANT role_for_work_on_my_schema TO worker WITH ADMIN OPTION;

You grant DELETE privilige for this table to the worker user.

GRANT DELETE ON my_schema.work_done TO worker;

You grant the worker user the privilege to create any kind of object in the my_schema schema.

GRANT CREATE ANY ON SCHEMA my_schema TO worker;

The result of the above commands is that the worker user has the privilege to SELECT all tables and
views in schema my_schema, to INSERT into and DELETE from table my_schema.work_done and to
create objects in schema my_schema. Additionally the worker user is allowed to grant DELETE on the
table myschema.work_done to other users and roles.

You grant the privileges INIFILE ADMIN and TRACE ADMIN to the user worker. You grant these
privileges along with the permission for the worker user to grant them further.

GRANT INIFILE ADMIN, TRACE ADMIN TO worker WITH ADMIN OPTION;

Copyright ©2012 SAP AG Complete Copyright Notice