You can find the following object privileges which are supported in the SAP HANA database system. Object privileges are used to allow access to and modification of database objects, such as tables and views.
| Object Privilege | Command Types | Applies to | Privilege Description |
|---|---|---|---|
| ALL PRIVILEGES | DDL & DML | - Schemas - Tables - Views | This privilege is a collection of all Data Definition Language (DDL) and Data Manipulation Language (DML) privileges that the grantor currently possesses and is allowed to grant further. The privilege it grants is specific to the particular object being acted upon.This privilege collection is dynamically evaluated for the given grantor and object. |
| ALTER | DDL | - Schemas - Tables - Views - Functions/procedures | Authorizes the ALTER statement for the object. |
| CREATE ANY | DDL | - Schemas - Tables - Views - Sequences - Functions/procedures - Remote sources - Graph workspaces | Authorizes all CREATE statements for the object. |
| CREATE VIRTUAL FUNCTION | DDL | - Remote sources | Authorizes creation of virtual functions (the REFERENCES privilege is also required). |
| CREATE VIRTUAL PROCEDURE | DDL | - Remote sources | Authorizes creation of virtual procedure to create and run procedures on a remote source. |
| CREATE VIRTUAL PACKAGE | DDL | - Schemas | Authorizes creation of virtual packages that can be run on remote sources. |
| CREATE VIRTUAL TABLE | DDL | - Remote sources | Authorizes the creation of proxy tables pointing to remote tables from the source entry. |
| CREATE TEMPORARY TABLE | DDL | - Schemas | Authorizes the creation of a temporary local table which can be used as input for procedures even if the user does not have the CREATE ANY privilege for the schema. |
| DEBUG | DML | - Schemas - Calculation Views - Functions/procedures | Authorizes debug functionality for the procedure or calculation view or for the procedures and calculation views of a schema. |
| DEBUG MODIFY | DDL | - Functions/procedures | For internal use only. |
| DELETE | DML | - Schemas - Tables -Views -Functions/procedures | Authorizes the DELETE and TRUNCATE statements for the object. While DELETE applies to views it only applies to updatable views (that is views that do not use a join / do not contain a UNION and do not use aggregation). |
| DROP | DDL | - Schemas - Tables - Views - Sequences - Functions/procedures - Remote sources - Graph workspaces | Authorizes the DROP statements for the object. |
| EXECUTE | DML | - Schemas - Functions/procedures | Authorizes the execution of a SQLScript function or a database procedure by using the CALLS or CALL statement respectively. It also allows a user to execute a virtual function. |
| INDEX | DDL | - Schemas - Tables | Authorizes the creation / modification or dropping of indexes for the object. |
| INSERT | DML | - Schemas - Tables - Views | Authorizes the INSERT statement for the object. The INSERT and UPDATE privilege are both required on the object to allow the REPLACE and UPSERT statements to be used. While INSERT applies to views it only applies to updatable views (views that do not use a join / do not contain a UNION and do not use aggregation). |
| REFERENCES | DDL | - Schemas - Tables | Authorizes the usage of all tables in this schema or this table in a foreign key definition or the usage of a personal security environment (PSE). It also allows a user to reference a virtual function package. |
| SELECT | DML | - Schemas - Tables - Views - Sequences - Graph workspaces | Authorizes the SELECT statement for the object or the usage of a sequence. When selection from system-versioned tables users must have SELECT on both the table and its associated history table. |
| SELECT CDS METADATA | DML | - Schemas - Tables | Authorizes access to CDS metadata from the catalog. |
| SELECT METADATA | DML | - Schemas - Tables | Authorizes access to the complete metadata of all objects in a schema (including procedure and view definitions) including objects that may be located in other schemas. |
| TRIGGER | DDL | - Schemas - Tables | Authorizes the CREATE TRIGGER/DROP TRIGGER statement for the specified table or the tables in the specified schema. |
| UNMASKED | DML | - Schemas - Views - Tables | Authorizes access to masked data in user-defined views and tables. This privilege is required to view the original data in views and tables that are defined by using the WITH MASK clause. |
| UPDATE | DML | - Schemas - Tables - Views | While UPDATE applies to views it only applies to updatable views (views that do not use a join / do not contain a UNION and do not use aggregation). |
| USERGROUP OPERATOR | DML | - User groups | Authorizes a user to change the settings for a user group and to add and remove users to/from a user group.Users with the USERGROUP OPERATOR privilege can also create and drop users but only within the user group they have the USERGROUP OPERATOR privilege on (CREATE USER USER_NAME SET USERGROUP USERGROUP_NAME). A user can have the USERGROUP OPERATOR privilege on more than one user group and a user group can have more than one user with the USERGROUP OPERATOR privilege on it. |
| identifier.identifier | DDL | Components of the SAP HANA database can create new object privileges. These privileges use the component-name as first identifier of the system privilege and the component-privilege-name as the second identifier. |
