We have developed Analytical views, Analytical Privilege and Analytic Procedure.
The Analytic Privilege is connected to an Analytic View and the data restriction is via the Analytic Procedure.
The filter for data restriction is obtained from the OLTP schema as a String, and that is populated into the VAR_FILTER object.
VAR_TABLE = APPLY_FILTER("_SYS_BIC"."MY_SCHEMA.MY_PACKAGE/MY_ANALYTIC_VIEW", :VAR_FILTER);
The above line of code is in the Analytic procedure.
We have created a restricted user and granted him the following roles/privileges:
GRANT SELECT ON SCHEMA _SYS_BI TO RESTRICTED_USER;
GRANT EXECUTE ON SCHEMA _SYS_BI TO RESTRICTED_USER;
GRANT SELECT ON SCHEMA _SYS_BIC TO RESTRICTED_USER;
GRANT EXECUTE ON SCHEMA _SYS_BIC TO RESTRICTED_USER;
GRANT EXECUTE ON REPOSITORY_REST TO RESTRICTED_USER;
GRANT RESTRICTED_USER_ODBC_ACCESS TO RESTRICTED_USER;
GRANT RESTRICTED_USER_JDBC_ACCESS TO RESTRICTED_USER;
GRANT SELECT and EXECUTE on the data schema is also provided to the user.
Access to the Analytic Privilege is also provided to the user.
When we execute the APPLY_FILTER command as a restricted user, with the view as the object to filter, it results in the following error:
SAP DBTech JDBC: [258]: insufficient privilege: [2950] user is not authorized
If we replace the view with a table in the APPLY_FILTER condition, it does not throw any error and works fine.
If we grant additional privilege such as MODELLING or CONTENT_ADMIN, then the filtering does not happen, and all records are shown.
Please note that the execution is on HANA Studio as the restricted user.
Do we need to give any special privilege for a restricted user to execute the following command in an Analytic Procedure?