SAP HANA Technical User and Security Model on Remote System
A new technical user is required for model metadata generation.
Technical User
We recommend that you create a new technical user for model metadata generation. The technical user must have the following InA role assigned – sap.bc.ina.service.v2.userRole::INA_USER.
The technical user authentication is only basic authentication i.e. username and password. Basic authentication needs to be enabled on the HANA XS administration side.
HANA Modeling View Security and Data Model Security (Analytic Privileges)
The SAP HANA security model always applies.
Analytic Privileges
Analytic privileges grant different users access to different portions of data in the same view based on their business role. Within the definition of an analytic privilege, the conditions that control which data users see is either contained in an XML document or defined using SQL.
SAP HANA analytic privileges enable the access control to SAP HANA modeling views at the data level, for example, by filtering out certain values in a column. If the SAP HANA modeling view has the Apply Analytic Privileges property set, then analytic privileges can also be used to restrict data points (i.e. dimensions or dimension members).
To collect statistics across all data points the SAP HANA technical user can be assigned the special analytical privilege _SYS_BIC_CP_ALL. This means analytic privileges that filter data would not be applied to that user. It is not recommended to do this in production, and use more detailed analytic privileges instead.
For more information, see the chapter called Analytic Privileges in the SAP HANA Administration Guide for SAP HANA Platform on the SAP Help Portal at https://help.sap.com/viewer/index.
Object Privileges
The technical user must have the appropriate object level privileges to be able to read the data from a view.
-
The SELECT privilege on the _SYS_BIC schema. For more information, you can refer to the SAP Note 2353833 called SAP Analytics Cloud cannot read data from an SAP HANA live connection (remote SAP HANA System).
-
The SELECT privilege on all dependent objects, such as tables or other dependent modeling views.