9    Package Privileges

In this chapter, we’ll explore the different package privileges that you can grant to a package hierarchy and the processes you’ll use for granting them.

SAP HANA is a development platform, in addition to many of its other data management qualities. To facilitate application development, application code storage, security, and application lifecycle management, SAP HANA provides a repository. This repository is used to store design-time objects used by both the database system and the SAP HANA extended application services, classic model (SAP HANA XS). The hierarchy of this repository is organized into packages and their subpackages. Each package contains design-time development artifacts. To govern access to both packages and development artifacts, SAP HANA package privileges can be assigned to users and roles.

To understand package privileges thoroughly, you must understand the makeup of the SAP HANA development repository. In this chapter, we’ll start by discussing the SAP HANA development repository. We’ll then review the various privileges that can be granted for packages and show you how they’re granted. Let’s first discuss how the development repository is organized and managed.

9.1    What Is the SAP HANA Development Repository?

The SAP HANA development repository is organized into major node structures called packages. In this section, we’ll explore the hierarchical structure of this package-based repository, and we’ll explain the process for creating packages. Finally, we’ll explain the process for creating delivery units.

9.1.1    Structure of the Development Repository

The development repository consists of packages, logical organizational units that begin with the root node, followed by the top-level nodes, then optionally a hierarchy of subpackage nodes. Figure 9.1 shows an example package hierarchy as viewed in the SAP HANA Web-Based Development Workbench editor.

Package and Development Artifact Hierarchy in SAP HANA Repository

Figure 9.1    Package and Development Artifact Hierarchy in SAP HANA Repository

As shown in Figure 9.1, the root of all the packages is at the top, with the Content folder. This folder is a logical location, but privileges can be applied at this level. The logical root node is named .REPO_PACKAGE_ROOT; you’ll reference that name when assigning root package privileges in graphical user interfaces (GUIs) and via SQL commands. However, only top-level packages can exist under the root level. You can’t create development artifacts directly under the root node. Beneath the root are several top-level packages, for example, the package named e-corp shown in Figure 9.1. Top-level packages can contain either subpackages or development artifacts. Several development artifacts are stored below or within the package named Roles also shown in Figure 9.1. Package privileges can only be applied at the package level; development artifacts effectively inherit privileges from their parent or grandparent package nodes.

With this structure in mind, let’s review the process for creating packages and subpackages.

9.1.2    Creating Packages and Subpackages

Using the SAP HANA Web-Based Development Workbench editor, you can create packages within the hierarchy. To create a top-level package, right-click the Content folder and choose NewPackage. To create a subpackage within a top-level package, right-click an existing package and choose NewPackage. You can also use the keyboard shortcut (Ctrl)+(Alt)+(Shift)+(N) as an alternative to the right-click menu to launch the package creation process. Once you start the process, the Create Package popup window will appear. Figure 9.2 shows an example of the window that will appear where you can define the package.

Naming Your Package in the Create Package Popup Window

Figure 9.2    Naming Your Package in the Create Package Popup Window

Enter the Package Name in the provided field. Enter a text description to help others identify the purpose of the package in the Description field. The remaining Responsible and Original Language fields are additional, optional metadata fields. Click the Create button, and a new package will appear in the hierarchy below the node where you started the creation process. You can repeat this process for each new top-level node or subpackage that is required to secure and organize your development artifacts.

9.1.3    Overview of Delivery Units

Delivery units play a role in the lifecycle management of packages. Before you can export content to a file or transport development content from one SAP HANA system to another, you must first assign a package or package hierarchy to a delivery unit. A delivery unit should contain package and development artifacts that are associated with each other. For example, a web-based application developed in the XS engine and its associated package hierarchy can be assigned to a single delivery unit. Using a delivery unit allows the content to be transported in an organized and consistent manner.

Once content is organized into a delivery unit, you can export the delivery unit to a compressed file, which then can be imported into another SAP HANA system for the purposes of transporting the code. Using SAP HANA application lifecycle management, you can also transport delivery units between systems. A delivery unit can also serve as an external code backup and can be imported back into the originating SAP HANA system if content needs to be restored.

Note that an administrator must define the vendor ID or content vendor within the system configuration before content can be assigned to a delivery unit. This vendor definition is configured in the indexserver.ini file under the repository option and content_vendor key. Specify a value that will identify your organization’s name; for example, you could enter a domain name, such as “e-corp.com.”

The user creating the delivery unit must have privileges similar to those assigned to the default role sap.hana.xs.lm.roles::Administrator. Note that the INIFILE admin system privilege, found in this default role, is only necessary for defining the content vendor. A custom role should be created for developers that create delivery units to avoid granting them access to make configuration changes to the SAP HANA system.

Additional Information about Delivery Units

For additional information pertaining to the creation and management of delivery units, refer to the SAP HANA Application Lifecycle Management Guide, available at http://s-prs.co/v498206.