SAP HANA XS Engine Odata Service doesn't let me Create/Update/Delete

Question

I hava a SAP HANA XS Server with some DB Tables and an OData service. I am able to connect to the OData service and to read data. As soon as I try to Create/Update/Delete data I get the 403 - Forbidden Error.
Actually my user has the required rights to execute all of the mentioned actions (I created data using the SQL command line in HANA Studio). When I try the same with the SYSTEM user I get the same result.

Answer 1

If your .xsaccess file looks like this:

{
    "prevent_xsrf": true,
    ...
} 

you have to fetch an XSRF-token before you modify your entity. Reading the entity works without.

Such a token can be obtained by executing a GET to the service endpoint with following header X-CSRF-Token=Fetch. The response contains a header like this X-CSRF-Token=13DC4988AEAA95.... If you execute your e.g. POST now with the just obtained token it will work.

Answer 2

I am guessing that your OData service is defined to not allow modifications of the data.

From the SAP HANA Developer Guide:

By default, all entity sets and associations in an OData service are writeable, that is they can be modified with a CREATE, UPDATE, or DELETE requests. However, you can prevent the execution of a modification request by setting the appropriate keyword (create, update, or delete) with the forbidden option in the OData service definition. The following example of an OData service definition for SAP HANA XS shows how to prevent any modification to the table myTable that is exposed by the OData service. Any attempt to make a modification to the indicated table using a CREATE, UPDATE, or DELETE request results in the HTTP response status 403 FORBIDDEN.

service {
  “sap.test::myTable”
    create forbidden
    update forbidden
    delete forbidden;
}