*New documentation in SAP HANA SP10 also covers this and this documentation can be found here
Hi everyone,
My name is Man-Ted Chan and I’m from the SAP HANA product support team. On the team we see a lot of issues involving permissions on a table or modeled view. In these scenarios we would request customers to turn on authorization tracing so that we can see which object the user failed to get authorization for (SAP Note 1809199).
Starting with SP9, the Authorization Dependency Viewer was introduced. This is a tool that displays the dependencies graphically for stored procedures and calculation views. Use this tool when you see the following errors:
Example
I have created an Analytic View under the user MAKER
When we try to view the data as the user RED
We get the following error
We can use the Authorization Dependency Viewer to see which permission is missing
In order to use the viewer, the user will need to have either the CATALOG READ or DATA ADMIN system privilege.
In the SAP HANA studio, expand the system that contains the object you are having an issue with. In this case I’m going to be expanding the HANA system DEV
Expand the Catalog folder and expand the _SYS_BIC schema
In the ‘Column Views’ folder search for the object that is having the issue, in this case test/AN_TEST (this is the <package name>/<object name>)
Please note that if there are more than 1000 objects in the schema some of them will not appear and you will see the following
If you need to, right click on the ‘Column Views’ folder and select ‘Filters…’
Once selected fill in a string to find the object, in this case we are looking for test/AN_TEST so I will enter in ‘test/’
Right click on the object and select ‘Show Authorization’
The following graph appears
We can clean up the view by selecting the ‘Show missing authorization only’ button
It will now look like this
The following table is a legend for the authorization graph
Connection | Description |
---|---|
Long dash line (– – – –) | An AND connection exists between the parent node and the child nodes. Access to the parent node requires authorization to all child nodes. |
Solid line (–––––) | An OR connection exists between the parent node and the child nodes. Access to the parent node requires authorization to one of the child nodes. |
Black line | The authorization dependency status is valid, that is, the user has the required privilege to the child object and is authorized to grant it further. This is additionally indicated by the (AUTHORIZED GRANTABLE) icon. |
Red line | The authorization dependency status is invalid in some way. The following icons indicate the exact status: |
So how do we debug this?
We can click on the first line that shows an invalid connection
Check the properties window to see the issue. We see that there is a select issue
Select the line that connects to a schema
Now we see that the _SYS_REPO user is not authorized to select from the READER schema
To resolve this issue we would run
Grant select on schema READER to _SYS_REPO with grant option;
Refresh the authorization view
We can now see that we have access to the schemas, but not the tables. If you check the connection type, it is OR, meaning one of the authorizations needs to be fulfilled.
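The state shown in the graph can also be cross-checked from a SQL console. The queries below are an added example, not part of the original post; they use the SAP HANA system views SYS.OBJECT_DEPENDENCIES and SYS.EFFECTIVE_PRIVILEGES with the object and user names from the walkthrough, and assume the querying user is allowed to read these views for other users.

```sql
-- 1. Which base objects does the activated view depend on?
--    Every READER object listed here is a node that _SYS_REPO must be
--    able to select from and pass on.
SELECT BASE_SCHEMA_NAME, BASE_OBJECT_NAME, BASE_OBJECT_TYPE
FROM   SYS.OBJECT_DEPENDENCIES
WHERE  DEPENDENT_SCHEMA_NAME = '_SYS_BIC'
  AND  DEPENDENT_OBJECT_NAME = 'test/AN_TEST';

-- 2. What SELECT privileges does _SYS_REPO hold in READER?
--    OBJECT_TYPE = 'SCHEMA' is the schema-wide grant; other rows are
--    per-object grants. A black line in the graph corresponds to
--    IS_GRANTABLE = 'TRUE' and IS_VALID = 'TRUE'; no rows at all, or
--    IS_GRANTABLE = 'FALSE', matches a red line.
--    EFFECTIVE_PRIVILEGES requires the USER_NAME filter.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE,
       GRANTOR, IS_GRANTABLE, IS_VALID
FROM   SYS.EFFECTIVE_PRIVILEGES
WHERE  USER_NAME   = '_SYS_REPO'
  AND  SCHEMA_NAME = 'READER'
  AND  PRIVILEGE   = 'SELECT';

-- 3. What does the end user RED hold on the column view itself?
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE,
       GRANTOR, IS_GRANTABLE, IS_VALID
FROM   SYS.EFFECTIVE_PRIVILEGES
WHERE  USER_NAME   = 'RED'
  AND  SCHEMA_NAME = '_SYS_BIC'
  AND  OBJECT_NAME = 'test/AN_TEST';
```

Running query 2 before and after the GRANT statement shows the change that the refreshed graph displays.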