Every now and again I receive questions regarding SAP authorisation issues. I thought it might be useful to create a troubleshooting walk through.
This document will deal with issues regarding analytical privilege in SAP HANA Studio
So what are Privileges some might ask?
System Privilege:
System privileges control general system activities. They are mainly used for administrative purposes, such as creating schemas, creating and changing users and roles, performing data backups, managing licenses, and so on.
Object Privilege:
Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).
Analytic Privilege:
Analytic privileges are used to allow read access to data in SAP HANA information models (that is, analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing.
In a multiple-container system, analytic privileges granted to users in a particular database authorize access to information models in that database only.
Package Privilege:
Package privileges are used to allow access to and the ability to work in packages in the repository of the SAP HANA database.
Packages contain design time versions of various objects, such as analytic views, attribute views, calculation views, and analytic privileges.
In a multiple-container system, package privileges granted to users in a particular database authorize access to and the ability to work in packages in the repository of that database only.
For more information on SAP HANA privileges please see the SAP HANA Security Guide:
So, you are trying to access a view, a table or simply trying to add roles to users in HANA Studio and you are receiving errors such as:
- Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorized
- pop1 (rc 2950, user is not authorized)
- insufficient privilege: search table error: [2950] user is not authorized
- Could not execute 'SELECT * FROM"_SYS_BIC"."<>"' SAP DBTech JDBC: [258]: insufficient privilege: Not authorized.SAP DBTech JDBC: [258]: insufficient privilege: Not authorized
These errors are just examples of some the different authorisation issues you can see in HANA Studio, and each one is pointing towards a missing analytical privilege.
Once you have created all your models, you then have the opportunity to define your specific authorization requirements on top of the views that you have created.
So for example, we have a model in HANA Studio Schema and its called "_SYS_BIC:Overview/SAP_OVERVIEW"
We have a user, lets just say its the "SYSTEM" user, and when you query this view you get the error:
Error during Plan execution of model _SYS_BIC:Overview/SAP_OVERVIEW (-1), reason: user is not authorized.
So if you are a DBA, and you get a message from a team member informing you that they getting a authorisation issue in HANA Studio. What are you to do?
How are you supposed to know the User ID? And most importantly, how are you to find out what the missing analytical privilege is?
So this is the perfect opportunity to run an authorisation trace through the means of the SQL console on HANA Studio.
So if you follow the below instructions it will walk you through executing the authorisation trace:
1) Please run the following statement in the HANA database to set the DB trace:
alter system alter configuration ('indexserver.ini','SYSTEM') SET
('trace','authorization')='info' with reconfigure;
2) Reproduce the issue/execute the command again/
3) When the execution finishes please turn off the trace as follows in the Hana studio:
alter system alter configuration ('indexserver.ini','SYSTEM') unset
('trace','authorization') with reconfigure;
So now that you have turned the trace on and reproduced the issue, now you must turn off the trace.
You should now see a new indexserver0000000trc file created in the Diagnosis Files Tab in HANA Studio
So once you open the trace files, scroll to the end of the file and you should see something familiar to this:
e cePlanExec cePlanExecutor.cpp(06890) : Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorizedi TraceContext TraceContext.cpp(00718) : UserName=TABLEAU, ApplicationUserName=luben00d, ApplicationName=HDBStudio, ApplicationSource=csns.modeler.datapreview.providers.ResultSetDelegationDataProvider.<init>(ResultSetDelegationDataProvider.java:122);csns.modeler.actions.DataPreviewDelegationAction.getDataProvider(DataPreviewDelegationAction.java:310);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:270);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:130);csns.modeler.command.handlers.DataPreviewHandler.execute(DataPreviewHandler.java:70);org.eclipse.core.commandsi Authorization XmlAnalyticalPrivilegeFacade.cpp(01250) : UserId(123456) is missing analytic privileges in order to access _SYS_BIC:onep.MasterData.qn/AT_QMT(ObjectId(15,0,oid=78787)). Current situation:AP ObjectId(13,2,oid=3): Not granted.i Authorization TRexApiSearch.cpp(20566) : TRexApiSearch::analyticalPrivilegesCheck(): User TABLEAU is not authorized on _SYS_BIC:onep.MasterData.qn/AT_QMT (787878) due to XML APse CalcEngine cePopDataSources.cpp(00488) : ceJoinSearchPop ($REQUEST$): Execution of search failed: user is not authorized(2950)e Executor PlanExecutor.cpp(00690) : plan plan558676@<> failed with rc 2950; user is not authorizede Executor PlanExecutor.cpp(00690) : -- returns for plan558676@<> e Executor PlanExecutor.cpp(00690) : user is not authorized(2950), plan: 1 pops: ceJoinSearchPop pop1(out a)e Executor PlanExecutor.cpp(00690) : pop1, 09:57:41.755 +0.000, cpu 139960197732232, <> ceJoinSearchPop, rc 2950, user is not authorizede Executor PlanExecutor.cpp(00690) : Comm total: 0.000e Executor PlanExecutor.cpp(00690) : Total: <Time- Stamp>, cpu 139960197732232e Executor PlanExecutor.cpp(00690) : sizes a 0e Executor PlanExecutor.cpp(00690) : -- end executor returnse Executor PlanExecutor.cpp(00690) : pop1 (rc 2950, user is not authorized)
So we can see from the trace file that User who is trying to query from the view is called TABLEAU. TABLEAU is also represented by the User ID (123456)
So by looking at the lines:
i Authorization XmlAnalyticalPrivilegeFacade.cpp(01250) : UserId(123456) is missing analytic privileges in order to access _SYS_BIC:onep.MasterData.qn/AT_QMT(ObjectId(15,0,oid=78787)).
&
i Authorization TRexApiSearch.cpp(20566) : TRexApiSearch::analyticalPrivilegesCheck(): User TABLEAU is not authorized on _SYS_BIC:onep.MasterData.qn/AT_QMT (787878) due to XML APs
We can clearly see that TABLEAU user is missing the correct analytical privileges to access the_SYS_BIC:onep.MasterData.qn/AT_QMT which is located on Object 78787.
So now we have to find out who owns the Object 78787. We can find out this information by querying the following:
select * from objects where object_oid = '<oid>';
Select * from objects where object_oid = '78787'
Once you have found out the owner for this object, you can get the owner to Grant the TABLEAU user the necessary privileges to query the object.
Please be aware that if you find that the owner of an object is _SYS_REPO, this is not as straight forward as logging in as _SYS_REPO as this is not possible because SYS_REPO is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.
You have to create a .hdbrole file which which gives the access ( Development type of role, giving select, execute, insert etc access) on this schema. You then assign this role to the user who is trying to access the object.
Another option that is available for analyzing privileges issues was introduced as of SP9. This comes in the form of the Authorization Dependency Viewer. Man-Ted Chan has prepared an excellent blog on this new feature:
For more useful information on Privileges can be seen in the following KBA's:
KBA #1735586 – Unable to grant privileges for SYS_REPO.-objects via SAP HANA Studio authorization management.
KBA #1966219 – HANA technical database user _SYS_REPO cannot be activated.
KBA #1897236 – HANA: Error" insufficient privilege: Not authorized " in SM21
KBA #2092748 – Failure to activate HANA roles in Design Time.
KBA #2250445 - SAP DBTech JDBC 485 - Invalid definition of structured privilege: Invalid filter condition
For more useful Troubleshooting documentation you can visit: