Analysis of Authorization Errors in SAP HANA

Analysis of Authorization Errors in SAP HANA

The SAP HANA database is the strategic platform for SAP business applications such as SAP S/4HANA or SAP BW/4HANA or native applications that do not require SAP NetWeaver ABAP application servers.

Using an SQL statement or analytical application, such as SAP Analytics Cloud, Analysis for Office etc., users can – provided they have a user in the SAP HANA database with the appropriate authorizations (more information on this can be found here in our German blog) – carry out evaluations, forecasts or applications directly. Apart from the application level, it may now be necessary to localize and correct any errors at the database level. This blog post shows the available options for an error analysis in a SAP HANA database.

Should you, for example, encounter an error message stating that a user is not authorized, up to and including SAP HANA 2.0 SPS03, when executing an application by using SAP LUMIRA, SAP Analysis for Microsoft Excel or XS Engine from SAP HANA, the only available option is to create an authorization trace. You often encounter error messages, as shown in the example below.

Explore related questions

Ein Bild, das Text enthält.Automatisch generierte Beschreibung
Ein Bild, das Text enthält.Automatisch generierte Beschreibung
Figure 1/2: HANA Cockpit – Error message with details

The authorization trace can be created by using the HANA Studio or the HANA Cockpit. The name (context) of the trace file, application or database user should be stored. The trace component is ‘Authorization’ of the index server. The procedure in the HANA Cockpit is shown below as an example.

Figure 3: HANA Cockpit – Call database explorer
Figure 4: Trace Configuration
Ein Bild, das Tisch enthält.
Figure 5: Start trace

The user will then be asked to repeat the previously unsuccessful action so that the trace file can be created in the background.

Figure 6: HANA DB Explorer – Tracefiles Indexserver

The context (trace file) name can now be used to determine which authorization the application user is missing:

Figure 7: Tracefile with authorization errors

Since this variant of the evaluation is very complex, there has been a new possibility of evaluation since SAP HANA 2.0 SPS04: the error analysis using GUID. It is not necessary to activate the trace and call it up again. With the help of the GUID, the cause of the error can be traced by default. The HANA Cockpit from version 2.0 SP11 also conveniently provides its own application to simplify the analysis (see: User Management and Security Administration – SAP Help Portal).

Ein Bild, das Text enthält.Automatisch generierte Beschreibung
Figure 8: HANA Cockpit application

Authorization administrators who want to use this application to read the authorization check require the «EXECUTE» privilege for the stored procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS from the standard SYS schema.

Figure 9: HANA Cockpit – Application Insufficient Privilege Details

Initially, only the SYSTEM user has this privilege. For the analysis to be carried out by other users, it is best practice to initially assign this privilege to the user _SYS_REPO so that this authorization can be made available to the authorization administrators via a repository role. The process in order to achieve this is described below.

Ein Bild, das Tisch enthält.
Figure 10: HANA Cockpit – Assignment privileges

Alternatively, the assignment via SQL statement is also possible:

GRANT EXECUTE ON SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS TO _SYS_REPO WITH GRANT OPTION

A repository role with the object EXECUTE privilege will be subsequently created for the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS and assigned to the authorization administrators. The creation of repository roles is only possible via the HANA Studio (developer perspective) or via the Web IDE XS Classic. Alternatively, the privilege object can be assigned directly to a user, but this should be avoided, as it is not recommended. Read more on this topic in our German SAP security blog Options for role administration in SAP HANA.

Figure 11: Web IDE XS – Classic role creation

If an authorization error occurs, the authorization administrator only needs the GUID that is displayed to the user with the error message. You can find an example here:

Ein Bild, das Text enthält.Automatisch generierte Beschreibung
Figure 12: Authorization error HANA Database Explorer

After entering the GUID in the HANA Cockpit application mentioned at the beginning, the missing privilege will be displayed. In addition, the list of the existing roles that contain the missing privilege will appear.

Figure 13: GUID Evaluation HANA Cockpit

The Insufficient Privilege Details application allows the privilege to be assigned directly to the user. As described above, this is not recommended. Instead, it is possible to assign an existing role.

Ein Bild, das Text enthält.Automatisch generierte Beschreibung
Figure 14: Dialog Assignment Role Insufficient Privilege Details

With the introduction of this feature, the following new parameters were added to the global.ini configuration file with SAP HANA 2.0 SPS04, which are relevant for error analysis and should be taken into account.

  • enable_insufficient_privilege_error_details_procedure
    Activation / deactivation of the procedure for automatic error logging via GUID
  • insufficient_privilege_error_details_retain_duration
    Retention period of the error details
  • insufficient_privilege_error_details_retain_records
    Max. number of entries of logged error events
Figure 15: Configuration parameters in global.ini for Insufficient Privilege error

Do you need support in the administration of your SAP HANA authorizations? Are you frequently confronted with error situations, and would you like to reduce them significantly? Xiting has extensive expertise and experience with a focus on SAP HANA security. We would be happy to discuss your specific requirements with you and how we can support you with our SAP HANA services. Do not hesitate to contact us for an initial discussion.

Further information can be found on our website:

SAP Security Consultant | SAP HANA Services at Xiting AG
Volker is a Principal Technical Consultant and SAP Trainer since the first SAP HANA releases, in charge of HANA Database administration and security. He has worked in the field since 1998, focused on SAP System Administration and RUN SAP.

More Resources

See All Related Content