Skip to Content

*New documentation in SAP HANA SP10 also covers this and this documentation can be found here

Resolve Errors Using the Authorization Dependency Viewer – SAP HANA Administration Guide – SAP Library

Hi everyone,

My name is Man-Ted Chan and I’m from the SAP HANA product support team. While on the team we see a lot of issues involving permissions issues on a table or modeled view, in these scenarios we would request customers to turn on authorization tracing so that we can see which object did the user failed to get authorizations for (SAP Note 1809199).

Starting with SP9 the Authorization Dependency Viewer was introduced, this is a tool that will display the dependency graphically for stored procedures and calculation views. Use this tool when you see the following errors:

  • NOT AUTHORIZED (258)
  • INVALIDATED VIEW (391)
  • INVALIDATED PROCEDURE (430)

ExampleI have create an Analytic View under the user MAKER

/wp-content/uploads/2015/07/1_742076.png

When we try to view the data as the user RED
/wp-content/uploads/2015/07/2_742077.png

We get the following error

/wp-content/uploads/2015/07/3_742078.png

We can use the Authorization Dependency View to see is the missing permission


In order to use the viewer the user will need to have the either the CATALOG READ or DATA ADMIN system privilege.In the SAP HANA studio you would expand the system that contains the object you are having an issue with. In this case I’m going to be expanding the HANA system DEV

/wp-content/uploads/2015/07/4_742079.png

Expand the Catalog folder and expand the _SYS_BIC schema

/wp-content/uploads/2015/07/5_742080.png

/wp-content/uploads/2015/07/6_742081.png

In the ‘Column Views’ folder search for the object that is having the issue, in this case test/AN_TEST (this is the <package name>/<object name>)

/wp-content/uploads/2015/07/7_742082.png

/wp-content/uploads/2015/07/8_742083.png

Please note that if there are more than 1000 objects in the schema some of them will not appear and you will see the following

/wp-content/uploads/2015/07/9_742084.png

If you need to right click on the ‘Column View’ folder and select ‘Filters…’

/wp-content/uploads/2015/07/10_742085.png

Once selected fill in a string to find the object, in this case we are looking for test/AN_TEST so I will enter in ‘test/’

/wp-content/uploads/2015/07/11_742086.png

Right click on the object and select ‘Show Authorization’

/wp-content/uploads/2015/07/12_742087.png

The following graph appears

/wp-content/uploads/2015/07/13_742088.png

We can clean up the view by selecting the ‘Show missing authorization only’ button

/wp-content/uploads/2015/07/14_742089.png

It will now look like this

/wp-content/uploads/2015/07/15_742090.png

The following table is a legend for the authorization graph

Connection Description
Long dash line (– – – –) An AND connection exists between the parent node and the child nodes. Access to the parent node requires authorization to all child nodes.
Solid line (–––––) An OR connection exists between the parent node and the parent nodes. Access to the parent node requires authorization to one of the child nodes.
Black line The authorization dependency status is valid, that is, the user has the required privilege to the child object and is authorized to grant it further. This is additionally indicated by the /wp-content/uploads/2015/07/16_742091.png  (AUTHORIZED GRANTABLE) icon.
Red line The authorization dependency status is invalid in some way. The following icons indicate the exact status:

  • /wp-content/uploads/2015/07/17_742093.png The user does not have the required privilege for the child object.
  • /wp-content/uploads/2015/07/18_742094.pngThe user has the required privilege for the child object but is not authorized to grant it further because he is missing WITH GRANT OPTION.
  • /wp-content/uploads/2015/07/19_742095.gifThe user has the required privilege for the child object but is not able to grant it further because it itself is not grantable. This fact determines the dependency status of the parent object even if the parent object has an OR connection to another child object with valid authorization.
  • /wp-content/uploads/2015/07/20_742096.gifThe user does not have the required privilege for the child object or the child object is invalidated. This fact determines the dependency status of the parent object even if the parent object has an OR connection to another child object with a valid dependency status.

So how do we debug this?

We can click on first line that shows an invalid connection

/wp-content/uploads/2015/07/21_742097.png

Check the properties window to see the issue, we see that there is a select issue

/wp-content/uploads/2015/07/22_742098.png

Select the line that connects to a schema

/wp-content/uploads/2015/07/23_742099.png

/wp-content/uploads/2015/07/24_742100.png

Now we see that the _SYS_REPO user is not authorized to select from the READER schema

To resolve this issue we would run

Grant select on schema READER to _SYS_REPO with grant option;

Refresh the authorization view

/wp-content/uploads/2015/07/25_742101.png

We can see now that we have access the schemas, but not the tables. If you checked the connection type it is OR meaning one of authorizations needs to be fulfilled.

To report this post you need to login first.

8 Comments

You must be Logged on to comment or reply to a post.

  1. Benedict Venmani Felix

    Nice to know Man-Ted. Thank you for this useful information. This looks simple and fantastic.

    I have tried this way  a few time before and failed to understand how the ‘Show Authorization’ worked. Then, had to go to the security team to get the traces enabled and read through the logs.

    Benedict

    (0) 
  2. Papil Patil

    Thanks Man-Ted Chan for sharing such a critical information… Very easy to debug and gets more clarity.

    Just one doubt… in the Legends Description you have explained, for the Solid Line (OR), the connection should be between parent and child nodes right ?

    Solid line (–––––) An OR connection exists between the parent node and the parent nodes. Access to the parent node requires authorization to one of the child nodes.

    Cheers for the outstanding blog…

    (0) 
  3. Liezl Nel

    I tried to use this, but can only use this for Stored Procedures. I can’t see the privileges of Remote Sources, Virtual Tables,Ā Calculation Views andĀ even Tables. This would be VERY handy for Everything! šŸ˜‰

    Or Alternatively, is there a VIEW in HANA that allows me to see this level of detail for Remote Sources and Virtual Tables?

    (0) 

Leave a Reply