
Analytical Privilege and Role File Issue in Web IDE XSA for HANA

former_member210043
Participant
0 Kudos
1,250

Hi Team,

I am getting the below error while building the APRole.hdbrole.

The file requires "db://AP_POC_WEBIDE::AP_POC_WEBIDE" which is not provided by any file [8212001] at "src/APRole.hdbrole" (0:0)

1. I was able to successfully create the AP_POC_WEBIDE.hdbanalyticprivilege

2. Created the APRole.hdbrole and tried to build it, but got the error: "The file requires "db://AP_POC_WEBIDE::AP_POC_WEBIDE" which is not provided by any file [8212001] at "src/APRole.hdbrole" (0:0)"

APRole.hdbrole file code:

    {
      "role": {
        "name": "start123.startHDB::Analytical_Privilege_Role",
        "schema_privileges": [ { "privileges": [ "SELECT" ] } ],
        "schema_analytic_privileges": [
          { "privileges": [ "AP_POC_WEBIDE" ] }
        ]
      }
    }

Please help in this regard, and also help with the whole process to successfully assign the Analytical Privilege to a specific user.

- Using the Web IDE XSA for HANA on premise.

Followed the link below to create the analytical privilege and role file.

https://blogs.sap.com/2019/02/17/analytical-privileges-on-cv-for-restricted-data-access-in-reporting...

Accepted Solutions (0)

Answers (8)


jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

this sounds very strange. Especially so because you said before that "I found the other table T_NO_SCHEMA_ROLES".

I think this should better be handled by an incident, so colleagues can look into your system.

Best,

Jan

jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

this is very strange as you said that "T_NO_SCHEMA_ROLES" would exist in your system. What HANA revision are you on?

Can you run SELECT statements successfully in the admin SQL console on _SYS_DI.TT_SCHEMA_ROLES or _SYS_DI.T_NO_SCHEMA_ROLES ?

Best,

Jan

former_member210043
Participant
0 Kudos

Hi Jan,

HANA Version : 2.00.043.00.1569560581

select * from _SYS_DI.T_NO_SCHEMA_ROLES; - Giving the error as Unresolved Table

Thanks ,

Nikil

jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

you seem to open a normal SQL console. If you right-click on your database you have the option "Open SQL Console (Admin)". This should return you a current_user that ends in "_DT" and not "_RT".

Best,

Jan

former_member210043
Participant
0 Kudos

Hi Jan,

I tried as per your comments: I opened the SQL admin console of the HDI container of the project and did the steps below.

SELECT current_user from dummy - Successfully executed

set schema POC3_SCHEMA_2_993BCOYK1573J80U1YQRJIP93_DT; -- Successfully executed

CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.T_NO_SCHEMA_ROLES; - Getting the error as unresolved Table T_NO_SCHEMA_ROLES

Attached screenshot for reference.

Thanks ,

Nikil

jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

sorry, my answer was not complete. I have changed it meanwhile and highlighted the changes in bold. In short:

- use the SQL admin console

- select the current_user; you should see something like "_DT" at the end. Set this as the schema

- add "#DI" to the container schema when calling the procedure

Best,

Jan

former_member210043
Participant
0 Kudos

Hi Jan,

First I opened the SQL console of the project HDI container and tried as you mentioned in the above points, but I am stuck at the creation of the #Roles temporary table itself.

Added a screenshot for your reference showing what exactly I tried and the error I am getting.

Please help in this regard.

Thanks,

Nikil

jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

if you want to use the SQL API it is probably better to use a dedicated container administrator user for it (see e.g., here)

If you want to use the admin SQL console of your hdi-container you will need to use the respective schema of the user. You can find this out, e.g., by running

SELECT current_user from dummy;

set this schema at the beginning:

set schema <schema>;
CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.TT_SCHEMA_ROLES;
INSERT INTO #ROLES ( ROLE_NAME, PRINCIPAL_SCHEMA_NAME, PRINCIPAL_NAME ) VALUES ( 'simpleRole', '', 'SYSTEM' );
CALL <containerSchema>#DI.GRANT_CONTAINER_SCHEMA_ROLES(#ROLES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #ROLES;

Best,

Jan

former_member210043
Participant
0 Kudos

Hi Jan ,

Good Day...!

I tried the steps as you mentioned in the above answer, but I am still getting the same insufficient privilege error.

1. SET SCHEMA START123_HDI_STARTHDB_1; - successfully executed

Then I tried to check for the table TT_SCHEMA_ROLES; I didn't get it, but I found the other table T_NO_SCHEMA_ROLES with the same structure, so I used this table.

CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.T_NO_SCHEMA_ROLES;

But then I got the same error as I mentioned, insufficient privileges, once I tried to execute the above statement.

Please help in this regard to complete the process of assigning the AP to a specific user: ABC, using Web IDE XSA for HANA (on premise).

ERROR :

Could not execute 'CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.T_NO_SCHEMA_ROLES'
Error: (dberror) [258]: insufficient privilege: Detailed info for this error can be found with guid '084BEA8D509D6F43AA5B3071C660F020'.

Thanks ,

Nikil

jan_zwickel
Product and Topic Expert
0 Kudos

Hi Nikil,

as said there are several ways. For example, if you want to assign the role to a database user, you could use user SYSTEM (or any user with privilege ROLE ADMIN) and execute

GRANT <schemaOfContainer>.<roleName> to X

You can determine your <schemaOfContainer> by looking at the deploy log, or run a query like:

select * from roles where role_name ='<nameOfRole>'

If you want to use the API you can find instructions here

Or you do the role management in HANA Database Cockpit (Role Assignment).

Best,

Jan

former_member210043
Participant
0 Kudos

Hi Jan ,

I tried to follow the SQL API.

I opened the SQL console of the project HDI container (screenshot attached for reference) and tried to execute the SQL statements one by one as in the link below, but got an error in the first statement itself.

https://blogs.sap.com/2019/02/17/analytical-privileges-on-cv-for-restricted-data-access-in-reporting...

1 . create local temporary column table "#Roles" like "_SYS_DI" ."T_NO_SCHEMA_ROLES";

Got the error as unresolved, then I set the schema

set schema POC3_SCHEMA_2;

Then I again tried to execute the statement

create local temporary column table "#Roles" like "_SYS_DI" ."T_NO_SCHEMA_ROLES";

Got the error as below

Could not execute 'create local temporary column table "#Roles" like "_SYS_DI" ."T_NO_SCHEMA_ROLES"'
Error: (dberror) [258]: insufficient privilege: Detailed info for this error can be found with guid 'BFF37FF8A04A6B44842959CD7C5E4708'

Using the Web IDE XSA for HANA (on premise)

User having roles: Role Admin, User Admin, XS_Authorization_Admin, Developer Role, etc.

Thanks

Nikil

jan_zwickel
Product and Topic Expert
0 Kudos

Hi,

there are several ways how you can grant the role: with new versions of HANA Database Cockpit, with a user that has system privilege Role Admin using SQL (grant <role_name> to user), using the HDI SQL API. If you want to assign it to your "modeling-user" you might make use of the development_debug_role. For details see topic "How do I assign analytic privileges to the user that runs a data preview in Web IDE?" at

https://blogs.sap.com/2019/11/13/faq-modeling-in-web-ide/

Best,

Jan

former_member210043
Participant
0 Kudos

Thanks Jan for the updates on assigning the role to a user, but I was not able to proceed with the available points in the shared link. Could you please help with more details and a step-by-step process to complete the assignment of the new role (created using APRole.hdbrole) to the user?

jan_zwickel
Product and Topic Expert
0 Kudos

Hi,

the error message seems to suggest that your analytic privilege is actually named differently. Is there a namespace involved? Can you paste the definition of your AP?

Best,

Jan

former_member210043
Participant
0 Kudos

Thanks a lot Jan. I have updated the namespace for the Analytical Privilege name in the APRole file as below, and then I was able to build the role file successfully.

    {
      "role": {
        "name": "start123.startHDB::Analytical_Privilege_Role",
        "schema_privileges": [ { "privileges": [ "SELECT" ] } ],
        "schema_analytic_privileges": [
          { "privileges": [ "start123.startHDB::AP_POC_WEBIDE" ] }
        ]
      }
    }

My next question in the same thread was: could you please help with how to grant this role to another user to apply this AP, with a detailed process?

- Using the Web IDE XSA for HANA on premise
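
The build error in this thread came down to the role file naming the analytic privilege without its namespace. The following Python check is an added example, not part of the thread and not SAP tooling: it reads an .hdbrole document, lists the analytic privileges it references, and reports any that are not in a set of provided runtime names, suggesting namespace-qualified matches. The `PROVIDED` set and the function names are assumptions; in a real project the names would be collected from the container's design-time files.

```python
import json

# Constructed sample: the role file from the thread before the namespace fix.
ROLE_BEFORE = """
{ "role": { "name": "start123.startHDB::Analytical_Privilege_Role",
    "schema_privileges": [ { "privileges": [ "SELECT" ] } ],
    "schema_analytic_privileges": [ { "privileges": [ "AP_POC_WEBIDE" ] } ] } }
"""
# The same file after the fix posted in the thread.
ROLE_AFTER = ROLE_BEFORE.replace('"AP_POC_WEBIDE"',
                                 '"start123.startHDB::AP_POC_WEBIDE"')

# Assumption: runtime names of the analytic privileges that the
# container's design-time files actually provide.
PROVIDED = {"start123.startHDB::AP_POC_WEBIDE"}


def referenced_privileges(role_json):
    """Return every name listed under schema_analytic_privileges."""
    role = json.loads(role_json)["role"]
    names = []
    for entry in role.get("schema_analytic_privileges", []):
        names.extend(entry.get("privileges", []))
    return names


def check_role(role_json, provided):
    """Map each unresolved privilege name to provided names with the same local part."""
    problems = {}
    for name in referenced_privileges(role_json):
        if name in provided:
            continue
        local = name.split("::")[-1]  # part after the namespace, if any
        problems[name] = sorted(p for p in provided
                                if p.split("::")[-1] == local)
    return problems


if __name__ == "__main__":
    for label, doc in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        issues = check_role(doc, PROVIDED)
        if not issues:
            print(f"{label}: all analytic privileges resolve")
        for name, candidates in issues.items():
            print(f"{label}: unresolved {name!r}, candidates: {candidates}")
```
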