Man-Ted Chan

Authorization Dependency Viewer

*New documentation in SAP HANA SP10 also covers this tool:

Resolve Errors Using the Authorization Dependency Viewer – SAP HANA Administration Guide – SAP Library

Hi everyone,

My name is Man-Ted Chan and I’m from the SAP HANA product support team. On the team we see a lot of issues involving permissions on a table or modeled view. In these scenarios we would ask customers to turn on authorization tracing so that we can see which object the user failed to get authorization for (SAP Note 1809199).

The Authorization Dependency Viewer was introduced with SP9. It is a tool that displays the authorization dependencies graphically for stored procedures and calculation views. Use this tool when you see the following errors:

  • NOT AUTHORIZED (258)
  • INVALIDATED VIEW (391)
  • INVALIDATED PROCEDURE (430)

Example

I have created an Analytic View under the user MAKER.

When we try to view the data as the user RED, we get an error.

We can use the Authorization Dependency Viewer to see which permission is missing.

In order to use the viewer, the user needs either the CATALOG READ or the DATA ADMIN system privilege.

In the SAP HANA studio, expand the system that contains the object you are having an issue with. In this case I’m going to expand the HANA system DEV.

Expand the Catalog folder and expand the _SYS_BIC schema

In the ‘Column Views’ folder search for the object that is having the issue, in this case test/AN_TEST (this is the <package name>/<object name>)

Please note that if there are more than 1000 objects in the schema, some of them will not appear.

If you need to, right-click on the ‘Column Views’ folder and select ‘Filters…’

Once selected, fill in a string to find the object. In this case we are looking for test/AN_TEST, so I will enter ‘test/’

Right click on the object and select ‘Show Authorization’

The authorization dependency graph appears.

We can clean up the view by selecting the ‘Show missing authorization only’ button

The following is a legend for the authorization graph (connection and its description):

  • Long dash line (– – – –): An AND connection exists between the parent node and the child nodes. Access to the parent node requires authorization to all child nodes.
  • Solid line (–––––): An OR connection exists between the parent node and the parent nodes. Access to the parent node requires authorization to one of the child nodes.
  • Black line: The authorization dependency status is valid, that is, the user has the required privilege to the child object and is authorized to grant it further. This is additionally indicated by the AUTHORIZED GRANTABLE icon.
  • Red line: The authorization dependency status is invalid in some way. An icon on the line indicates the exact status, which is one of the following:
      • The user does not have the required privilege for the child object.
      • The user has the required privilege for the child object but is not authorized to grant it further because he is missing WITH GRANT OPTION.
      • The user has the required privilege for the child object but is not able to grant it further because it itself is not grantable. This fact determines the dependency status of the parent object even if the parent object has an OR connection to another child object with valid authorization.
      • The user does not have the required privilege for the child object or the child object is invalidated. This fact determines the dependency status of the parent object even if the parent object has an OR connection to another child object with a valid dependency status.

So how do we debug this?

We can click on the first line that shows an invalid connection.

Check the properties window to see the issue; here we see that there is a select issue.

Select the line that connects to a schema

Now we see that the _SYS_REPO user is not authorized to select from the READER schema

To resolve this issue we would run

Grant select on schema READER to _SYS_REPO with grant option;

Refresh the authorization view

We can now see that we have access to the schemas, but not the tables. If you check the connection type, it is OR, meaning one of the authorizations needs to be fulfilled.
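The finding from the viewer can also be cross-checked in SQL. This is an added example, not part of the original post or SAP's own code. It assumes the standard SYS catalog views OBJECT_DEPENDENCIES, GRANTED_PRIVILEGES and EFFECTIVE_PRIVILEGES, a querying user who may read them, and the names used in the walkthrough (view test/AN_TEST in _SYS_BIC, grantee _SYS_REPO, end user RED).

```sql
-- Added example: names come from the walkthrough above; adjust them to your system.

-- 1. Which base objects does the activated view depend on?
SELECT BASE_SCHEMA_NAME, BASE_OBJECT_NAME, BASE_OBJECT_TYPE, DEPENDENCY_TYPE
  FROM SYS.OBJECT_DEPENDENCIES
 WHERE DEPENDENT_SCHEMA_NAME = '_SYS_BIC'
   AND DEPENDENT_OBJECT_NAME = 'test/AN_TEST';

-- 2. For each base object, does _SYS_REPO hold SELECT either on the schema
--    or on the object itself (the OR connection in the graph)?
--    GRANTED_ON is NULL     -> no direct grant found (privilege missing)
--    IS_GRANTABLE = 'FALSE' -> granted without WITH GRANT OPTION
--    Note: this lists grants made directly to _SYS_REPO, not grants via roles.
SELECT d.BASE_SCHEMA_NAME,
       d.BASE_OBJECT_NAME,
       p.OBJECT_TYPE AS GRANTED_ON,   -- 'SCHEMA' or the object type, e.g. 'TABLE'
       p.PRIVILEGE,
       p.IS_GRANTABLE,
       p.IS_VALID
  FROM SYS.OBJECT_DEPENDENCIES d
  LEFT JOIN SYS.GRANTED_PRIVILEGES p
    ON p.GRANTEE     = '_SYS_REPO'
   AND p.PRIVILEGE   = 'SELECT'
   AND p.SCHEMA_NAME = d.BASE_SCHEMA_NAME
   AND (p.OBJECT_TYPE = 'SCHEMA' OR p.OBJECT_NAME = d.BASE_OBJECT_NAME)
 WHERE d.DEPENDENT_SCHEMA_NAME = '_SYS_BIC'
   AND d.DEPENDENT_OBJECT_NAME = 'test/AN_TEST'
 ORDER BY d.BASE_SCHEMA_NAME, d.BASE_OBJECT_NAME;

-- 3. What the end user RED effectively holds in _SYS_BIC (includes privileges via roles).
--    EFFECTIVE_PRIVILEGES needs an equality filter on USER_NAME.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'RED'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE   = 'SELECT';
```

After running the GRANT statement from the walkthrough, query 2 should return the schema-level row for READER with IS_GRANTABLE = 'TRUE'.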

      8 Comments
      Amanda Murphy

      Well done Man-Ted!  Really helpful.

      Lars Breddemann

      Good job!

      Now all you got to do is keep those blog posts coming 🙂

      - Lars

      Benedict Venmani Felix

      Nice to know Man-Ted. Thank you for this useful information. This looks simple and fantastic.

      I have tried this way a few times before and failed to understand how the 'Show Authorization' worked. Then, had to go to the security team to get the traces enabled and read through the logs.

      Benedict

      Former Member

      amazing!

      Former Member

      Thanks Man-Ted Chan for sharing such critical information... Very easy to debug and gets more clarity.

      Just one doubt... in the Legends Description you have explained, for the Solid Line (OR), the connection should be between parent and child nodes, right?

      Solid line (–––––) An OR connection exists between the parent node and the parent nodes. Access to the parent node requires authorization to one of the child nodes.

      Cheers for the outstanding blog...

      Sinead Higgins

      This is an error in the documentation, which I've fixed now. Thanks for spotting!

      Sinead Higgins

      The Authorization Dependency Viewer is documented in the Administration Guide:

      Resolve Errors Using the Authorization Dependency Viewer - SAP HANA Administration Guide - SAP Library

      Former Member

      I tried to use this, but can only use this for Stored Procedures. I can't see the privileges of Remote Sources, Virtual Tables, Calculation Views and even Tables. This would be VERY handy for Everything! 😉

      Or Alternatively, is there a VIEW in HANA that allows me to see this level of detail for Remote Sources and Virtual Tables?