Skip to Content

How to activate an Authorization Trace in case of authorization Problems:

(something similar to Transaction ST01 in Netweaver ABAP)

Go to Hana System Administration, Trace Configuration:


User Specific Trace, select New Configuration (small Icon ‘Create’ upper right Corner of User-Specific Trace)

Context Name is a description for this user-defined-trace

select Indexserver, select ‘Show all components’, select authorization

can be set to ‘INFO’ (this is optional, error is the default)


click on Finish

now trace is active

now Switch to the relevant user an produce the error


go to diagnosis Files and select the tracefile



[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization    SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)

[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization    SQLFacade.cpp(01750) :

    schemas and objects in schemas :

SCHEMA-141016-_SYS_BI : {} , {SELECT}


[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization : User AUTHTEST tried to execute ‘select * from _SYS_BI.BIMC_ALL_CUBES WHERE CUBE_NAME = ‘AN_M2MEVAL’ AND CATALOG_NAME = ‘swisscom.its.m2m”

SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/

To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Former Member

    I can confirm that this works perfectly fine for analyzing authorization issues that originated from a studio or client connection, but for authorization issues reported by XSengine I never managed to get useful information out of the trace.

  2. Martin Chambers

    Hi Jörg,

    very useful. It has worked for me a number of times.

    Unfortunately, in one recent case, nothing happens.

    I tried to delete a repository role (right click on role, delete). A message appeared –

    (Security) Deleting role ‘MARCHAMB.Repository_Roles::Modeling’ failed: Error in deleting an existing role: insufficient privilege: Cannot drop activated roles: line 1 col 11 (at pos 10)

    It set up the trace as described in your post. But all I could find in the log were the set and unset commands with which I set up and then removed the trace configuration.

    Any ideas how to make this work?

    1. Martin Chambers

      Hi Michael,

      I wasn’t expecting a reply 12 months later. Thanks!
      Unfortunately, I no longer have access to the system which produced the error – got a new one now. But using the DEBUG option is something I will definitely keep in mind.



Leave a Reply