
How to activate an authorization trace in case of authorization problems:

(similar to transaction ST01 in NetWeaver ABAP)



Go to HANA System Administration, Trace Configuration:

[Screenshot: Trace Configuration]

Under User-Specific Trace, select New Configuration (the small ‘Create’ icon in the upper right corner of the User-Specific Trace section).

Context Name is a description for this user-defined trace.

Select Indexserver, select ‘Show all components’, then select the authorization component.

Its trace level can be set to ‘INFO’ (this is optional; error is the default).

[Screenshot: user-defined trace configuration]

Click Finish.

The trace is now active.

Now switch to the relevant user and produce the error.

[Screenshot: error message]

Go to Diagnosis Files and select the trace file.

[Screenshot: Diagnosis Files]

Example:

[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization    SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)

[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization    SQLFacade.cpp(01750) :

    schemas and objects in schemas :

SCHEMA-141016-_SYS_BI : {} , {SELECT}

TABLE-141224-BIMC_ALL_CUBES : {} , {SELECT}

[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization    query_check.cc(03287) : User AUTHTEST tried to execute ‘select * from _SYS_BI.BIMC_ALL_CUBES WHERE CUBE_NAME = ‘AN_M2MEVAL’ AND CATALOG_NAME = ‘swisscom.its.m2m”

SAP DBTech JDBC: [258]: insufficient privilege: insufficient privilege: Not authorized at ptime/query/checker/query_check.cc:3290
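An added example (not part of the original post): a small Python parser for the authorization entries shown above. It joins the numeric ObjectId from the "not authorized" line to the object name and user name logged afterwards on the same connection. The line layout is inferred from this one excerpt, and reading the value in {…} as a connection id is an assumption.

```python
import re

# Trace lines adapted from the example above (ASCII quotes, SQL statement shortened).
SAMPLE = """\
[66898]{410859}[124/-1] 2015-08-14 12:32:42.216756 i Authorization    SQLFacade.cpp(01353) : UserId(2637946) is not authorized to do SELECT on ObjectId(2,0,oid=141224)
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217089 i Authorization    SQLFacade.cpp(01750) :
    schemas and objects in schemas :
SCHEMA-141016-_SYS_BI : {} , {SELECT}
TABLE-141224-BIMC_ALL_CUBES : {} , {SELECT}
[66898]{410859}[124/-1] 2015-08-14 12:32:42.217415 i Authorization    query_check.cc(03287) : User AUTHTEST tried to execute 'select * from _SYS_BI.BIMC_ALL_CUBES'
"""

# Layout inferred from this one excerpt; reading {...} as a connection id is an assumption.
HEADER = re.compile(r"^\[\d+\]\{(?P<conn>-?\d+)\}\[[^\]]*\] (?P<ts>\S+ \S+) \w "
                    r"Authorization\s+\S+ : ?(?P<msg>.*)$")
DENIED = re.compile(r"UserId\((\d+)\) is not authorized to do (\w+) on ObjectId\(.*?oid=(\d+)\)")
# Assumption: other object types are logged as TYPE-oid-NAME, like SCHEMA and TABLE here.
OBJECT = re.compile(r"^\s*([A-Z_]+)-(\d+)-(\S+) : ")
USER = re.compile(r"User (\S+) tried to execute")


def parse_denials(text):
    """Return one dict per denied check, enriched with names logged on the same connection."""
    denials, names, users, conn = [], {}, {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            conn, msg = h["conn"], h["msg"]
            d = DENIED.search(msg)
            if d:
                denials.append({"time": h["ts"], "conn": conn, "user_id": d[1],
                                "privilege": d[2], "oid": d[3]})
            u = USER.search(msg)
            if u:
                users[conn] = u[1]
            continue
        o = OBJECT.match(line)
        if o and conn:
            names[o[2]] = (o[1], o[3])  # oid -> (object type, object name)
    for d in denials:
        d["user"] = users.get(d["conn"])      # None if the user name was not logged
        d["object"] = names.get(d["oid"])     # None if the oid was not listed
    return denials


if __name__ == "__main__":
    for finding in parse_denials(SAMPLE):
        print(finding)
```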


9 Comments


  1. Sandy Assum

    What security permissions do I need to have access to New Configuration? In my screen, the New Configuration is greyed out.

    Thanks.

    (0) 
  2. Florian Wittmann

    I can confirm that this works perfectly fine for analyzing authorization issues that originated from a studio or client connection, but for authorization issues reported by XSengine I never managed to get useful information out of the trace.

    (0) 
  3. Martin Chambers

    Hi Jörg,

    very useful. It has worked for me a number of times.

    Unfortunately, in one recent case, nothing happens.

    I tried to delete a repository role (right click on role, delete). A message appeared –

    (Security) Deleting role ‘MARCHAMB.Repository_Roles::Modeling’ failed: Error in deleting an existing role: insufficient privilege: Cannot drop activated roles: line 1 col 11 (at pos 10)


    I set up the trace as described in your post. But all I could find in the log were the set and unset commands with which I set up and then removed the trace configuration.

    Any ideas how to make this work?

    (0) 
    1. Martin Chambers

      Hi Michael,

      I wasn’t expecting a reply 12 months later. Thanks!
      Unfortunately, I no longer have access to the system which produced the error – got a new one now. But using the DEBUG option is something I will definitely keep in mind.

      Regards,
      Martin

      (1) 
