How to Set Up a HANA Authorization Trace
How to activate an authorization trace in case of authorization problems
(similar to transaction ST01 in NetWeaver ABAP):
Go to HANA System Administration, Trace Configuration.
Under User-Specific Trace, select New Configuration (the small 'Create' icon in the upper right corner of User-Specific Trace).
Context Name is a description for this user-defined trace.
Select Indexserver, select 'Show all components', then select authorization.
The trace level can be set to 'INFO' (this is optional; error is the default).
Click Finish.
The trace is now active.
Now switch to the relevant user and produce the error.
Go to Diagnosis Files and select the trace file.
Example:
[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization SQLFacade.cpp(01750) :
schemas and objects in schemas :
SCHEMA-141016-_SYS_BI : {} , {SELECT}
TABLE-141224-BIMC_ALL_CUBES : {} , {SELECT}
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization query_check.cc(03287) : User AUTHTEST tried to execute 'select * from _SYS_BI.BIMC_ALL_CUBES WHERE CUBE_NAME = 'AN_M2MEVAL' AND CATALOG_NAME = 'swisscom.its.m2m''
SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/query_check.cc:3290
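To triage a longer trace file, the denial lines can be joined with the object names and the user name that the trace prints separately. The following is an added example, not part of the original post or of any SAP tool; the function name summarize_denials is hypothetical, and it assumes the line layout of the example above, with the value in braces identifying the connection that ties a denial to its "tried to execute" line.

```python
import re

# Sample input: the trace lines from the post above, quotes normalised.
SAMPLE = """\
[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization SQLFacade.cpp(01750) :
schemas and objects in schemas :
SCHEMA-141016-_SYS_BI : {} , {SELECT}
TABLE-141224-BIMC_ALL_CUBES : {} , {SELECT}
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization query_check.cc(03287) : User AUTHTEST tried to execute 'select * from _SYS_BI.BIMC_ALL_CUBES WHERE CUBE_NAME = 'AN_M2MEVAL' AND CATALOG_NAME = 'swisscom.its.m2m''
"""

# Assumed header layout: [thread]{connection}[transaction] date time level component source : message
HEADER = re.compile(r"^\[\d+\]\{(-?\d+)\}\[[^\]]*\] (\S+ \S+) \w Authorization \S+ ?: ?(.*)$")
DENIED = re.compile(r"UserId\((\d+)\) is not authorized to do (.+?) on ObjectId\(.*?oid=(\d+)\)")
OBJECT = re.compile(r"^\s*([A-Z_]+)-(\d+)-(\S+) : ")  # e.g. TABLE-141224-BIMC_ALL_CUBES
TRIED = re.compile(r"User (\S+) tried to execute")


def summarize_denials(trace_text):
    """Return one dict per 'is not authorized' line, with names resolved where the trace gives them."""
    objects, users, denials = {}, {}, []
    for line in trace_text.splitlines():
        header = HEADER.match(line)
        if not header:
            # Continuation lines carry the oid -> (type, name) mapping.
            obj = OBJECT.match(line)
            if obj:
                objects[obj.group(2)] = (obj.group(1), obj.group(3))
            continue
        conn, timestamp, message = header.groups()
        denied = DENIED.search(message)
        tried = TRIED.search(message)
        if denied:
            denials.append({"time": timestamp, "conn": conn, "user_id": denied.group(1),
                            "privilege": denied.group(2), "oid": denied.group(3)})
        elif tried:
            users[conn] = tried.group(1)  # user name seen on this connection
    for d in denials:
        d["user"] = users.get(d["conn"])      # None if the trace never names the user
        d["object"] = objects.get(d["oid"])   # None if the oid is not listed
    return denials


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE):
        print(d)
```
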
Great Doc
What security permissions do I need to have access to New Configuration? In my screen, the New Configuration is greyed out.
Thanks.
To configure traces, you must have the system privilege TRACE ADMIN.
also look at:
http://wiki.scn.sap.com/wiki/display/TechTSG/SAP+HANA+Traces
I can confirm that this works perfectly fine for analyzing authorization issues that originated from a studio or client connection, but for authorization issues reported by XSengine I never managed to get useful information out of the trace.
Hi Jörg,
very useful. It has worked for me a number of times.
Unfortunately, in one recent case, nothing happens.
I tried to delete a repository role (right click on role, delete). A message appeared -
(Security) Deleting role 'MARCHAMB.Repository_Roles::Modeling' failed: Error in deleting an existing role: insufficient privilege: Cannot drop activated roles: line 1 col 11 (at pos 10)
I set up the trace as described in your post. But all I could find in the log were the set and unset commands with which I set up and then removed the trace configuration.
Any ideas how to make this work?
Did you try setting the trace to DEBUG to see whether it records anything?
A more detailed blog can be seen here:
https://blogs.sap.com/2015/10/11/troubleshooting-sap-hana-authorisation-issues/
Hi Michael,
I wasn't expecting a reply 12 months later. Thanks!
Unfortunately, I no longer have access to the system which produced the error - got a new one now. But using the DEBUG option is something I will definitely keep in mind.
Regards,
Martin
Thanks for this Joerg !!
Greets from South Africa
-Pierre du Plessis
Thanks for the information.
I'm trying to use the user-specific trace option, but a yellow triangle appears.
Does anybody know what this means?
Thanks for your help!
Thanks for sharing this very helpful document.