Privileges for geodatabases in SAP HANA

Privileges determine what someone is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is this person involved with administration of the geodatabase? Does this person need to edit or create data? Or would this person only need to query the data?

Privileges are set at the database or dataset level. Use SQL or SAP HANA tools to grant and revoke database privileges or privileges on SAP HANA system metadata tables.

Privileges on datasets in geodatabases must be granted or revoked using ArcGIS, and must be done by the dataset owner.

SAP HANA grants the SELECT privilege on system metadata tables to the PUBLIC role by default. If you revoke these privileges, you must grant privileges to individual groups or users.

The following sections list privileges that apply to databases in SAP HANA and SAP HANA Cloud.

Minimum privileges

The following table lists the minimum privileges required for the sde user and for other users to query, edit, or create data from ArcGIS. If you create standard SAP HANA users, they already have the privileges to select sys tables and to create and drop tables. If you create restricted users, they require the privileges listed here.

Minimum privileges for geodatabases in SAP HANA

Type of user | Required privileges | Purpose

Data viewer

SELECT on sys.st_geometry_columns, sys.st_spatial_reference_systems, and st_units_of_measure SAP HANA system views

These privileges are required to read ST_Geometry metadata for spatial operations.

SELECT on <table1>, <table2>, <tablen>

Data viewers must have the SELECT privilege on specific tables you want them to query.

Data editor

Data editors require the same privileges as data viewers, plus these additional privileges.

INSERT, UPDATE, DELETE on other users' tables

Grant the editing operations you want editors to perform on specific tables.

Data creator

Data creators require the same privileges as data viewers, plus these additional privileges.

  • CREATE TABLE
  • DROP TABLE

These privileges allow data creators to create tables and feature classes in the database.

Geodatabase administrator (the sde user)

The sde user requires the same privileges as data creators, plus these additional privileges.

CATALOG READ

This privilege is required for the sde user to enable a geodatabase in SAP HANA and to view and manage geodatabase connections.

EXECUTE ON ACQUIRE_APPLICATION_LOCK and EXECUTE ON RELEASE_APPLICATION_LOCK in the database

These privileges are required for the sde user to enable a geodatabase in SAP HANA Cloud.

Additional privileges

If data creators need to create views to restrict the amount of data returned from the database to the ArcGIS client, also grant them CREATE VIEW and DROP VIEW privileges.

If the sde user needs to remove connections from the geodatabase, grant the sde user SESSION ADMIN permission in the database.

If data creators will publish data from SAP HANA Cloud to an ArcGIS Server feature service that has the version management capability enabled, grant those users EXECUTE ON ACQUIRE_APPLICATION_LOCK and EXECUTE ON RELEASE_APPLICATION_LOCK privileges in the database.

ArcGIS Insights may require additional privileges. See Required database privileges in the ArcGIS Insights help for more information.
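
As an added example (not Esri's or SAP's code), the Python below checks one user's grants against the minimum and additional privileges listed on this page. It reports required privileges that are missing and granted privileges the role does not need. The (privilege, object) row format, the role keys, and the GIS.PARCELS table name are assumptions made for illustration.

```python
# Added example: audit one user's grants against the privilege tables on this page.
# The (privilege, object) row shape and every user/table name are assumptions.
META = ("ST_GEOMETRY_COLUMNS", "ST_SPATIAL_REFERENCE_SYSTEMS", "ST_UNITS_OF_MEASURE")
LOCKS = {("EXECUTE", "ACQUIRE_APPLICATION_LOCK"), ("EXECUTE", "RELEASE_APPLICATION_LOCK")}
VIEWER = {("SELECT", v) for v in META}
CREATOR = VIEWER | {("CREATE TABLE", None), ("DROP TABLE", None)}
REQUIRED = {
    "viewer": VIEWER,
    "editor": VIEWER,  # plus DML on named tables, see TABLE_PRIVS
    "creator": CREATOR,
    "sde": CREATOR | {("CATALOG READ", None)},
}
# "Additional privileges": acceptable when justified, never required.
OPTIONAL = {
    "creator": {("CREATE VIEW", None), ("DROP VIEW", None)} | LOCKS,
    "sde": {("SESSION ADMIN", None)},
}
# Privileges a role may hold on the specific tables shared with it.
TABLE_PRIVS = {"viewer": {"SELECT"}, "editor": {"SELECT", "INSERT", "UPDATE", "DELETE"}}


def _norm(priv, obj):
    """Upper-case and drop a leading SYS. so both spellings of the views match."""
    obj = obj.upper().removeprefix("SYS.") if obj else None
    return (priv.upper(), obj)


def audit(role, grants, tables=(), cloud=False):
    """Return (missing, excess) lists of (privilege, object) for one user."""
    granted = {_norm(p, o) for p, o in grants}
    required = set(REQUIRED[role])
    if role == "sde" and cloud:
        required |= LOCKS  # needed to enable a geodatabase in SAP HANA Cloud
    allowed = required | OPTIONAL.get(role, set())
    allowed |= {(p, t.upper()) for t in tables for p in TABLE_PRIVS.get(role, ())}
    order = lambda g: (g[0], g[1] or "")
    return sorted(required - granted, key=order), sorted(granted - allowed, key=order)


# Constructed sample: a data viewer who was also given INSERT and CATALOG READ.
SAMPLE = [
    ("SELECT", "sys.st_geometry_columns"),
    ("SELECT", "sys.st_spatial_reference_systems"),
    ("SELECT", "GIS.PARCELS"),
    ("INSERT", "GIS.PARCELS"),
    ("CATALOG READ", None),
]
print(audit("viewer", SAMPLE, tables=["GIS.PARCELS"]))
```

The `tables` argument is the set of datasets the owner has shared with that user through ArcGIS; any table privilege outside it is reported as excess.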