I am not really clear on exactly what your question is here. I take it that you want to implement row level security, but are unsure how to achieve it? Not sure what the following comment means.
"But is this the correct approach for a HANA system where we have implemented full security for many users/roles?" Does this mean you already have authorization in place or wish to do so?
In general, you always want to start with some type of matrix that helps you map a group of users against what data they should see, ie - managers of region A should see all of region A, but finance clerks in region A should only see a subset of region A.
Once you have this functionally defined, the next step would be implementation. In this case I am only considering the HANA side security, no other client tools etc.
Two options right off the bat
1) Implement explicitly defined analytic privileges, that have the values allowed for a given set of users. For example, if you have three different groups of people that need three different slices of region A, then that requires 3 different analytic privileges.
2) Implement dynamic analytic privileges using stored procedures in combination with an authorization table. In this case, you have one single analytic privilege for all users, but move the mapping down into another table. This table may be a simple two column table like | USER | REGION |. A stored procedure is created and used inside of the analytic procedure, that reads the above table and returns authorized values.
In either case, you always have to maintain the authorizations, you mention "someone new joining or a new region being added", but in the second option there is no transport of analytic privileges required. You only need to insert/update/delete entries in the authorization table.
If you have a specific question please let me know. I have implemented dynamic AP's with some good success.
Regards,
Justin