
Troubleshooting SAP HANA Authorisation issues

Every now and again I receive questions regarding SAP authorisation issues. I thought it might be useful to create a troubleshooting walkthrough.

This document deals with issues regarding analytic privileges in SAP HANA Studio.

So what are Privileges some might ask?
System Privilege:
System privileges control general system activities. They are mainly used for administrative purposes, such as creating schemas, creating and changing users and roles, performing data backups, managing licenses, and so on.
Object Privilege:
Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).
Analytic Privilege:
Analytic privileges are used to allow read access to data in SAP HANA information models (that is, analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing.
In a multiple-container system, analytic privileges granted to users in a particular database authorize access to information models in that database only.
Package Privilege:
Package privileges are used to allow access to and the ability to work in packages in the repository of the SAP HANA database.
Packages contain design time versions of various objects, such as analytic views, attribute views, calculation views, and analytic privileges.
In a multiple-container system, package privileges granted to users in a particular database authorize access to and the ability to work in packages in the repository of that database only.

For more information on SAP HANA privileges please see the SAP HANA Security Guide:


So, you are trying to access a view, a table or simply trying to add roles to users in HANA Studio and you are receiving errors such as:
  • Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorized
  • pop1 (rc 2950, user is not authorized)
  • insufficient privilege: search table error: [2950] user is not authorized
  • Could not execute 'SELECT * FROM"_SYS_BIC"."<>"' SAP DBTech JDBC: [258]: insufficient privilege: Not authorized.SAP DBTech JDBC: [258]: insufficient privilege: Not authorized

These errors are just examples of some of the different authorisation issues you can see in HANA Studio, and each one points towards a missing analytic privilege.

Once you have created all your models, you then have the opportunity to define your specific authorization requirements on top of the views that you have created.

So, for example, we have a model in the HANA Studio schema called "_SYS_BIC:Overview/SAP_OVERVIEW".
We have a user, let's just say it's the "SYSTEM" user, and when you query this view you get the error:

Error during Plan execution of model _SYS_BIC:Overview/SAP_OVERVIEW (-1), reason: user is not authorized.

So you are a DBA, and you get a message from a team member informing you that they are getting an authorisation issue in HANA Studio. What are you to do?
How are you supposed to know the User ID? And most importantly, how are you to find out what the missing analytical privilege is?

So this is the perfect opportunity to run an authorisation trace through the means of the SQL console on HANA Studio.
So if you follow the below instructions it will walk you through executing the authorisation trace:

1) Please run the following statement in the HANA database to set the DB trace:
alter system alter configuration ('indexserver.ini','SYSTEM') SET
('trace','authorization')='info' with reconfigure;

2) Reproduce the issue/execute the command again.

3) When the execution finishes, please turn off the trace as follows in HANA Studio:
alter system alter configuration ('indexserver.ini','SYSTEM') unset
('trace','authorization') with reconfigure;


So once you have turned the trace on and reproduced the issue, you must turn the trace off again.

You should now see a new indexserver0000000trc file created in the Diagnosis Files Tab in HANA Studio

Once you open the trace file, scroll to the end of the file and you should see something similar to this:

e cePlanExec      cePlanExecutor.cpp(06890) : Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorized
i TraceContext    TraceContext.cpp(00718) : UserName=TABLEAU, ApplicationUserName=luben00d, ApplicationName=HDBStudio, ApplicationSource=csns.modeler.datapreview.providers.ResultSetDelegationDataProvider.<init>(ResultSetDelegationDataProvider.java:122);csns.modeler.actions.DataPreviewDelegationAction.getDataProvider(DataPreviewDelegationAction.java:310);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:270);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:130);csns.modeler.command.handlers.DataPreviewHandler.execute(DataPreviewHandler.java:70);org.eclipse.core.commands
i Authorization    XmlAnalyticalPrivilegeFacade.cpp(01250) : UserId(123456) is missing analytic privileges in order to access _SYS_BIC:onep.MasterData.qn/AT_QMT(ObjectId(15,0,oid=78787)). Current situation:
AP ObjectId(13,2,oid=3): Not granted.
i Authorization    TRexApiSearch.cpp(20566) : TRexApiSearch::analyticalPrivilegesCheck(): User TABLEAU is not authorized on _SYS_BIC:onep.MasterData.qn/AT_QMT (787878) due to XML APs
e CalcEngine      cePopDataSources.cpp(00488) : ceJoinSearchPop ($REQUEST$): Execution of search failed: user is not authorized(2950)
e Executor        PlanExecutor.cpp(00690) : plan plan558676@<> failed with rc 2950; user is not authorized
e Executor        PlanExecutor.cpp(00690) : -- returns for plan558676@<> 
e Executor        PlanExecutor.cpp(00690) : user is not authorized(2950), plan: 1 pops: ceJoinSearchPop pop1(out a)
e Executor        PlanExecutor.cpp(00690) : pop1, 09:57:41.755  +0.000, cpu 139960197732232, <> ceJoinSearchPop, rc 2950, user is not authorized
e Executor        PlanExecutor.cpp(00690) : Comm total: 0.000
e Executor        PlanExecutor.cpp(00690) : Total: <Time- Stamp>, cpu 139960197732232
e Executor        PlanExecutor.cpp(00690) : sizes a 0
e Executor        PlanExecutor.cpp(00690) : -- end executor returns
e Executor        PlanExecutor.cpp(00690) : pop1 (rc 2950, user is not authorized)

So we can see from the trace file that the user who is trying to query the view is called TABLEAU. TABLEAU is also represented by the User ID (123456).

So by looking at the lines:

i Authorization    XmlAnalyticalPrivilegeFacade.cpp(01250) : UserId(123456) is missing analytic privileges in order to access _SYS_BIC:onep.MasterData.qn/AT_QMT(ObjectId(15,0,oid=78787)).
&
i Authorization    TRexApiSearch.cpp(20566) : TRexApiSearch::analyticalPrivilegesCheck(): User TABLEAU is not authorized on _SYS_BIC:onep.MasterData.qn/AT_QMT (787878) due to XML APs

We can clearly see that the TABLEAU user is missing the correct analytic privileges to access _SYS_BIC:onep.MasterData.qn/AT_QMT, which is located on Object 78787.
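The same reading of the trace can be scripted. The following is an added example, not part of the original post: it pulls the user, user ID, denied object, its OID and the state of each analytic privilege out of the authorisation trace lines, then builds the owner lookup query. The function names are hypothetical, and the sample lines are taken from the trace excerpt above with ApplicationSource shortened.

```python
import re

# Trace excerpt taken from the article's sample (ApplicationSource shortened).
SAMPLE_TRACE = """\
e cePlanExec      cePlanExecutor.cpp(06890) : Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorized
i TraceContext    TraceContext.cpp(00718) : UserName=TABLEAU, ApplicationUserName=luben00d, ApplicationName=HDBStudio
i Authorization    XmlAnalyticalPrivilegeFacade.cpp(01250) : UserId(123456) is missing analytic privileges in order to access _SYS_BIC:onep.MasterData.qn/AT_QMT(ObjectId(15,0,oid=78787)). Current situation:
AP ObjectId(13,2,oid=3): Not granted.
i Authorization    TRexApiSearch.cpp(20566) : TRexApiSearch::analyticalPrivilegesCheck(): User TABLEAU is not authorized on _SYS_BIC:onep.MasterData.qn/AT_QMT (787878) due to XML APs
"""

CONTEXT = re.compile(r"\bUserName=([^,\s]+)")
MISSING = re.compile(r"UserId\((\d+)\) is missing analytic privileges in order to access "
                     r"(\S+?)\(ObjectId\(\d+,\d+,oid=(\d+)\)\)")
AP_STATE = re.compile(r"^AP ObjectId\(\d+,\d+,oid=(\d+)\):\s*(.+?)\.?\s*$")
DENIED = re.compile(r"User (\S+) is not authorized on (\S+) \(")

def parse_authorization_trace(text):
    """Return one dict per 'missing analytic privileges' event in the trace."""
    findings, current, session_user = [], None, None
    for line in text.splitlines():
        if m := CONTEXT.search(line):
            session_user = m.group(1)          # database user of the traced session
        if m := MISSING.search(line):
            current = {"user": session_user, "user_id": int(m.group(1)),
                       "object": m.group(2), "object_oid": int(m.group(3)),
                       "analytic_privileges": []}
            findings.append(current)
        elif current and (m := AP_STATE.match(line)):
            # Continuation lines list each analytic privilege checked and its state.
            current["analytic_privileges"].append((int(m.group(1)), m.group(2)))
        elif m := DENIED.search(line):
            for f in findings:                 # confirm the user name per denied object
                if f["object"] == m.group(2):
                    f["user"] = m.group(1)
    return findings

def owner_lookup_sql(finding):
    """Build the article's owner lookup for the object the user was denied on."""
    return f"select * from objects where object_oid = '{finding['object_oid']}';"

if __name__ == "__main__":
    for f in parse_authorization_trace(SAMPLE_TRACE):
        print(f, owner_lookup_sql(f), sep="\n")
```
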

So now we have to find out who owns the Object 78787. We can find out this information by querying the following:

select * from objects where object_oid = '<oid>';
select * from objects where object_oid = '78787';

Once you have found out the owner of this object, you can get the owner to grant the TABLEAU user the necessary privileges to query the object.

Please be aware that if you find that the owner of an object is _SYS_REPO, the fix is not as straightforward as logging in as _SYS_REPO. That is not possible, because _SYS_REPO is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.
You have to create a .hdbrole file which gives the access (a development type of role, giving select, execute, insert etc. access) on this schema. You then assign this role to the user who is trying to access the object.


Another option that is available for analyzing privileges issues was introduced as of SP9. This comes in the form of the Authorization Dependency Viewer. Man-Ted Chan has prepared an excellent blog on this new feature:




More useful information on privileges can be found in the following KBAs:
KBA #2220157 - Database error 258 at EXE insufficient
KBA #1735586 – Unable to grant privileges for SYS_REPO.-objects via SAP HANA Studio authorization management.
KBA #1966219 – HANA technical database user _SYS_REPO cannot be activated.
KBA #1897236 – HANA: Error "insufficient privilege: Not authorized" in SM21
KBA #2092748 – Failure to activate HANA roles in Design Time.
KBA #2126689 – Insufficient privilege. Not authorized
KBA #2250445 - SAP DBTech JDBC 485 - Invalid definition of structured privilege: Invalid filter condition


For more useful Troubleshooting documentation you can visit:

