Privileges for geodatabases in SAP HANA

Privileges determine what someone is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is this person involved with administration of the geodatabase? Does he or she need to edit or create data? Or would this person only need to query the data?

Privileges are set at the database or dataset level. Use SQL or SAP HANA tools to grant and revoke database privileges or privileges on SAP HANA system metadata tables.

Privileges on other users' datasets should be granted or revoked by the dataset owner using ArcGIS. See Grant and revoke dataset privileges for instructions.

SAP HANA grants SELECT privileges on system metadata tables to PUBLIC by default. If you revoke these privileges, you must grant privileges to individual groups or users.

The following sections list privileges that apply to databases in SAP HANA and SAP HANA Cloud.

Minimum privileges

The following table lists the minimum privileges required for the sde user and for other users to query, edit, or create data from ArcGIS. If you create standard SAP HANA users, they already have the privileges to select from sys tables and to create and drop tables. If you create restricted users, they require the privileges listed here.

Minimum privileges for geodatabases in SAP HANA

| Type of user | Required privileges | Purpose |
| --- | --- | --- |
| Data viewer | SELECT ON sys.st_geometry_columns, sys.st_spatial_reference_systems, and st_units_of_measure SAP HANA system views | These privileges are required to read ST_Geometry metadata for spatial operations. |
| | SELECT ON <table1>, <table2>, <tablen> | Data viewers need select privileges on specific user tables you want them to see and query. |
| Data editor | Data editors require the same privileges as data viewers, plus these additional privileges: INSERT, UPDATE, DELETE on other users' tables | Grant the editing operations you want editors to perform on specific tables. |
| Data creator | Data creators require the same privileges as data viewers, plus these additional privileges: CREATE TABLE, DROP TABLE | These privileges allow data creators to create tables and feature classes in the database. |
| Geodatabase administrator (the sde user) | The sde user requires the same privileges as data creators, plus this additional privilege: CATALOG READ | This privilege is required for the sde user to enable a geodatabase in SAP HANA and to view and manage geodatabase connections. |

Additional privileges

If data creators need to create views to restrict the amount of data returned from the database to the ArcGIS client, also grant them CREATE VIEW and DROP VIEW privileges.

If the sde user needs to remove connections from the geodatabase, grant the sde user SESSION ADMIN permission in the database.
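The following SQL is an added example, not part of the original page or Esri's own scripts. It grants the metadata-view and system privileges listed above to restricted users and then reviews the result. The role name GIS_METADATA_READER, the user names GIS_VIEWER and SDE, and the SYS qualification of st_units_of_measure are assumptions, and the session is assumed to be allowed to grant these privileges.

```sql
-- Assumed names (not from the page): role GIS_METADATA_READER,
-- restricted user GIS_VIEWER, geodatabase administrator SDE.

-- 1. Put the three ST_Geometry metadata views in one role so every
--    restricted user receives the same reviewable grant.
CREATE ROLE GIS_METADATA_READER;
GRANT SELECT ON SYS.ST_GEOMETRY_COLUMNS          TO GIS_METADATA_READER;
GRANT SELECT ON SYS.ST_SPATIAL_REFERENCE_SYSTEMS TO GIS_METADATA_READER;
GRANT SELECT ON SYS.ST_UNITS_OF_MEASURE          TO GIS_METADATA_READER;
GRANT GIS_METADATA_READER TO GIS_VIEWER;

-- 2. System privileges the page lists for the sde user.
GRANT CATALOG READ TO SDE;
-- Grant only if sde must remove connections from the geodatabase.
GRANT SESSION ADMIN TO SDE;

-- 3. Review: who holds a direct SELECT grant on the metadata views?
--    A PUBLIC row means the default grant is still in place.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME, PRIVILEGE, GRANTOR
FROM SYS.GRANTED_PRIVILEGES
WHERE SCHEMA_NAME = 'SYS'
  AND OBJECT_NAME IN ('ST_GEOMETRY_COLUMNS',
                      'ST_SPATIAL_REFERENCE_SYSTEMS',
                      'ST_UNITS_OF_MEASURE')
  AND PRIVILEGE = 'SELECT'
ORDER BY OBJECT_NAME, GRANTEE;

-- 4. Review: system privileges granted directly to SDE beyond the two
--    named on this page. Any row returned is a candidate for removal.
SELECT GRANTEE, PRIVILEGE, GRANTOR, IS_GRANTABLE
FROM SYS.GRANTED_PRIVILEGES
WHERE GRANTEE = 'SDE'
  AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
  AND PRIVILEGE NOT IN ('CATALOG READ', 'SESSION ADMIN')
ORDER BY PRIVILEGE;
```

The review queries list direct grants only. Privileges inherited through other roles appear under the role's name as GRANTEE.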