Skip to Content
Author's profile photo Jörg Knaus

How to Setup Hana Authorization Trace

How to activate an Authorization Trace in case of authorization Problems:

(something similar to Transaction ST01 in Netweaver ABAP)



Go to Hana System Administration, Trace Configuration:

Trace_Configuration.jpg

User Specific Trace, select New Configuration (small Icon ‘Create’ upper right Corner of User-Specific Trace)

Context Name is a description for this user-defined-trace

select Indexserver, select ‘Show all components’, select authorization

can be set to ‘INFO’ (this is optional, error is the default)

User_defined_trace.jpg

click on Finish

now trace is active

now Switch to the relevant user an produce the error

/wp-content/uploads/2015/08/error_message_770934.jpg

go to diagnosis Files and select the tracefile

/wp-content/uploads/2015/08/diagnosis_files_770935.jpg

example

[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization    SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)

[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization    SQLFacade.cpp(01750) :

    schemas and objects in schemas :

SCHEMA-141016-_SYS_BI : {} , {SELECT}

TABLE-141224-BIMC_ALL_CUBES : {} , {SELECT}

[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization    query_check.cc(03287) : User AUTHTEST tried to execute ‘select * from _SYS_BI.BIMC_ALL_CUBES WHERE CUBE_NAME = ‘AN_M2MEVAL’ AND CATALOG_NAME = ‘swisscom.its.m2m”

SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/query_check.cc:3290

Assigned tags

      11 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Great Doc

      Author's profile photo Former Member
      Former Member

      What security permissions do I need to have access to New Configuration.  In my screen, the New Configuration is greyed out.

      Thanks.

      Author's profile photo Jörg Knaus
      Jörg Knaus
      Blog Post Author

      To configure traces, you must have the system privilege TRACE ADMIN

      also look at:

      http://wiki.scn.sap.com/wiki/display/TechTSG/SAP+HANA+Traces

      Author's profile photo Former Member
      Former Member

      I can confirm that this works perfectly fine for analyzing authorization issues that originated from a studio or client connection, but for authorization issues reported by XSengine I never managed to get useful information out of the trace.

      Author's profile photo Martin Chambers
      Martin Chambers

      Hi Jörg,

      very useful. It has worked for me a number of times.

      Unfortunately, in one recent case, nothing happens.

      I tried to delete a repository role (right click on role, delete). A message appeared -

      (Security) Deleting role 'MARCHAMB.Repository_Roles::Modeling' failed: Error in deleting an existing role: insufficient privilege: Cannot drop activated roles: line 1 col 11 (at pos 10)


      It set up the trace as described in your post. But all I could find in the log were the set and unset commands with which I set up and then removed the trace configuration.

      Any ideas how to make this work?

      Author's profile photo Michael Healy
      Michael Healy

      Did you try setting the trace to DEBUG and see does it record anything?

      Author's profile photo Michael Healy
      Michael Healy

      A more detailed blog can be seen here:

      https://blogs.sap.com/2015/10/11/troubleshooting-sap-hana-authorisation-issues/

      Author's profile photo Martin Chambers
      Martin Chambers

      Hi Michael,

      I wasn't expecting a reply 12 months later. Thanks!
      Unfortunately, I no longer have access to the system which produced the error - got a new one now. But using the DEBUG option is something I will definitely keep in mind.

      Regards,
      Martin

      Author's profile photo Alcino Faria
      Alcino Faria

      Thanks for this Joerg !!

       

      Greets from South Africa

       

      -Pierre du Plessis

      Author's profile photo Amparo Gomez Salazar
      Amparo Gomez Salazar

      Thanks for the information.

       

      I'm trying to use the option user specific trace but appears a triangle yellow

       

      Anybody knows What's means this?

       

      Thanks for your help!

      Author's profile photo Prabhat Singh
      Prabhat Singh

      Thanks for sharing very help document