Channel: SCN: Message List

Re: HANA Schema & package authorization issue?


Good morning, Sekhar,

 

Consider the recommendations in Richard Bremer's excellent "How To... Define Standard Roles for Administrators and Developers in SAP HANA Database".

 

First, schema1 should be created via an hdbschema file so as to simplify security. Once activated, the schema belongs to _SYS_REPO, and the creation, granting and migration of access roles is simplified.

 

The access for your two users should be divorced as much as possible from the existence of these two users. Richard's design for design time roles provides the template for that.

 

You will need a number of schema roles depending upon how granular you wish to get with authorizations. I have four levels that build (extend) upon the lower level access role:

  • <schema>_select - SELECT
  • <schema>_execute - EXECUTE (extends select)
  • <schema>_power - everything but TRIGGER and DEBUG (extends execute)
  • <schema>_admin - all schema powers (extends power)

 

This allows you to grant only at the access level required.

 

For packages you can utilize a similar method:

  • <package>_read - REPO
  • <package>_native - REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS and REPO.MAINTAIN_NATIVE_PACKAGES (extends read)
  • <package>_imported - REPO.EDIT_IMPORTED_OBJECTS, REPO.ACTIVATE_IMPORTED_OBJECTS and REPO.MAINTAIN_IMPORTED_PACKAGES (extends read)

 

Ideally User 3 (the Security girl) creates these roles and grants them to User 1 and User 2. And maybe User 4 (the DBA girl) created the schema depending upon your separation of duties model.

 

Good luck,

Robert Hanno
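
Added example, not part of the post above: a small Python sketch of the tiered role layout the reply describes, which renders one design-time `.hdbrole` definition per tier and resolves what each tier grants through its `extends` chain. The schema name, package name, role names, the schema privilege list and the use of `REPO.READ` for the read tier are assumptions for illustration.

```python
import re

# Hypothetical names for illustration; not from the original post.
SCHEMA, PKG = "SCHEMA1", "acme.security.roles"
# Assumed schema privilege list; the real set depends on the HANA revision.
ALL_SCHEMA = ["SELECT", "EXECUTE", "INSERT", "UPDATE", "DELETE", "CREATE ANY",
              "ALTER", "DROP", "INDEX", "TRIGGER", "DEBUG"]
NATIVE = ["REPO.EDIT_NATIVE_OBJECTS", "REPO.ACTIVATE_NATIVE_OBJECTS",
          "REPO.MAINTAIN_NATIVE_PACKAGES"]
IMPORTED = [p.replace("NATIVE", "IMPORTED") for p in NATIVE]

# role name -> (role it extends, privilege target, privileges added at this tier)
TIERS = {
    "schema1_select": (None, "schema", ["SELECT"]),
    "schema1_execute": ("schema1_select", "schema", ["EXECUTE"]),
    # power adds everything except TRIGGER and DEBUG (the last two entries)
    "schema1_power": ("schema1_execute", "schema", ALL_SCHEMA[2:-2]),
    "schema1_admin": ("schema1_power", "schema", ["TRIGGER", "DEBUG"]),
    "pkg_read": (None, "package", ["REPO.READ"]),  # assumed read privilege
    "pkg_native": ("pkg_read", "package", NATIVE),
    "pkg_imported": ("pkg_read", "package", IMPORTED),
}

def effective(role):
    """Privileges a grantee of `role` holds, following the extends chain."""
    privs, seen = set(), set()
    while role is not None:
        if role in seen:
            raise ValueError(f"cycle in role hierarchy at {role}")
        seen.add(role)
        parent, _, own = TIERS[role]
        privs.update(own)
        role = parent
    return privs

def render(role):
    """Text of the <role>.hdbrole file for one tier."""
    parent, kind, own = TIERS[role]
    head = f"role {PKG}::{role}"
    if parent:
        head += f" extends role {PKG}::{parent}"
    target = f'catalog schema "{SCHEMA}"' if kind == "schema" else f"package {PKG}"
    return f"{head} {{\n    {target}: {', '.join(own)};\n}}\n"

def grant_call(role, user):
    """SQL the security administrator runs to grant an activated role."""
    if role not in TIERS or not re.fullmatch(r"[A-Z][A-Z0-9_]*", user):
        raise ValueError("unknown role or unexpected user name")
    return f"CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('{PKG}::{role}', '{user}');"
```

Because each tier only lists what it adds, reviewing a grant means reading one short file and its parents rather than a flat privilege list per user.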

