Analysis of authorization errors in SAP HANA
The SAP HANA database is the strategic platform for SAP business applications such as SAP S/4HANA and SAP BW/4HANA, and also for native applications that do not require a SAP NetWeaver ABAP application server.
Using SQL statements or an analytical application such as SAP Analytics Cloud or Analysis for Office, users can run evaluations, forecasts or applications directly on the database, provided they have a user in the SAP HANA database with the appropriate authorizations (more information on this can be found in our German blog). This means that, in addition to the application level, errors may now have to be localized and corrected at the database level. This blog post shows the options available for analyzing authorization errors in a SAP HANA database.
Up to and including SAP HANA 2.0 SPS03, if a user running an application through SAP Lumira, SAP Analysis for Microsoft Excel or the XS Engine of SAP HANA receives an error message stating that they are not authorized, the only available option is to create an authorization trace. The error message itself usually gives little more than the fact that a privilege is missing, as in the example below.
The authorization trace can be created using the HANA Studio or the HANA Cockpit. When setting it up, note the name (context) of the trace file and the application or database user for whom the trace is recorded. The trace component to enable is 'authorization' of the indexserver service. The procedure in the HANA Cockpit is shown below as an example.
The user will then be asked to repeat the previously unsuccessful action so that the trace file can be created in the background.
The context (trace file) name can now be used to determine which authorization the application user is missing:
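The same trace can be enabled and read with SQL instead of clicking through the Studio or Cockpit. The following is an added example and not part of the original post or of SAP's documentation; it assumes that the authorization trace is controlled through the 'authorization' key of the [trace] section of indexserver.ini and that the affected database user is called ANALYST01 (a constructed name). Because this variant is system-wide and verbose, the last statement resets the trace level again.

```sql
-- Added example (not from the original post): authorization trace via SQL
-- for releases up to SAP HANA 2.0 SPS03.
-- Assumptions: trace section/key ('trace', 'authorization') in indexserver.ini;
-- 'ANALYST01' is a constructed user name.

-- 1. Raise the trace level of the 'authorization' component of the indexserver.
--    This applies to the whole system and is noisy; keep it on only for the test.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('trace', 'authorization') = 'debug' WITH RECONFIGURE;

-- 2. Ask the user to repeat the failing action now.

-- 3. Read the indexserver trace through the monitoring view and keep only the
--    lines that mention the affected user.
SELECT HOST, FILE_NAME, OFFSET, CONTENT
  FROM SYS.M_TRACEFILE_CONTENTS
 WHERE FILE_NAME LIKE 'indexserver%.trc'
   AND CONTENT LIKE '%ANALYST01%'
 ORDER BY HOST, FILE_NAME, OFFSET;

-- 4. Reset the trace level so the trace files do not keep growing and so that
--    user names and object names are not written to the trace any longer than needed.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    UNSET ('trace', 'authorization') WITH RECONFIGURE;
```

Reading M_TRACEFILE_CONTENTS requires the corresponding system privilege (TRACE ADMIN or CATALOG READ, depending on the release), so this query is for the administrator, not for the end user who received the error.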
Since this kind of evaluation is laborious, SAP HANA 2.0 SPS04 introduced a new option: error analysis using a GUID. It is no longer necessary to activate a trace and repeat the action. The database records the details of the failed authorization check by default and attaches a GUID to the error message, so the cause can be looked up afterwards. From version 2.0 SP11, the HANA Cockpit also provides its own application to simplify the analysis (see: User Management and Security Administration – SAP Help Portal).
Authorization administrators who want to use this application to read the result of the authorization check require the 'EXECUTE' privilege on the stored procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS in the standard SYS schema.
Initially, only the SYSTEM user has this privilege. For the analysis to be carried out by other users, it is best practice to initially assign this privilege to the user _SYS_REPO so that this authorization can be made available to the authorization administrators via a repository role. The process in order to achieve this is described below.
Alternatively, the assignment via SQL statement is also possible:
GRANT EXECUTE ON SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS TO _SYS_REPO WITH GRANT OPTION
A repository role containing the object privilege EXECUTE on the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS is then created and assigned to the authorization administrators. Repository roles can only be created in the HANA Studio (developer perspective) or in the Web IDE for XS Classic. Alternatively, the object privilege can be granted directly to a user, but this should be avoided: direct grants bypass the role model and are harder to audit and to revoke. Read more on this topic in our German SAP security blog Options for role administration in SAP HANA.
If an authorization error occurs, the authorization administrator only needs the GUID that is displayed to the user with the error message. You can find an example here:
After entering the GUID in the HANA Cockpit application mentioned at the beginning, the missing privilege will be displayed. In addition, the list of the existing roles that contain the missing privilege will appear.
The Insufficient Privilege Details application also allows the missing privilege to be granted directly to the user. As described above, this is not recommended, because it creates an untracked direct grant outside the role concept. Instead, assign one of the existing roles that already contain the privilege, after checking that the role does not carry more than the user needs.
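The whole SPS04 workflow (granting the procedure to the administrators, looking up the GUID and finding a suitable role) can also be done without the Cockpit application. The following is an added example and not code from the original post or from SAP; it uses a catalog role, created with plain SQL, where the post recommends a repository role, and all names (the role HANA_AUTH_ANALYSIS, the administrator ADMIN01, the user ANALYST01, the table SALES.ORDERS, the role SALES_READER and the GUID value) are constructed. The output column names of the procedure listed in the comment are those I expect from the SAP Help documentation of this procedure; verify them against your release.

```sql
-- Added example (not from the original post): GUID-based analysis via SQL,
-- SAP HANA 2.0 SPS04 or later. All names and values are constructed.

-- 1. Make the procedure available to administrators through a role (here a
--    catalog role for brevity; the post recommends a repository role).
GRANT EXECUTE ON SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS TO _SYS_REPO WITH GRANT OPTION;
CREATE ROLE HANA_AUTH_ANALYSIS;
GRANT EXECUTE ON SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS TO HANA_AUTH_ANALYSIS;
GRANT HANA_AUTH_ANALYSIS TO ADMIN01;

-- 2. As ADMIN01: look up the GUID the user copied from the error message.
--    Expected output columns (assumed, verify in your release): GUID, CREATE_TIME,
--    SESSION_USER_NAME, CHECKED_USER_NAME, PRIVILEGE, SCHEMA_NAME, OBJECT_NAME,
--    OBJECT_TYPE, IS_MISSING_ANALYTIC_PRIVILEGE, IS_MISSING_GRANT_OPTION.
--    The record exists only within the configured retention period.
CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS('E0F4C2A1B3D54F6E9A8B7C6D5E4F3A2B', ?);

-- 3. Suppose the result says CHECKED_USER_NAME = ANALYST01 is missing
--    PRIVILEGE = SELECT on SCHEMA_NAME = SALES, OBJECT_NAME = ORDERS.
--    Find existing roles that already contain that privilege, either on the
--    table itself or on the whole schema, instead of granting it directly.
SELECT GRANTEE AS ROLE_NAME, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE_TYPE = 'ROLE'
   AND PRIVILEGE = 'SELECT'
   AND SCHEMA_NAME = 'SALES'
   AND (   (OBJECT_TYPE = 'TABLE'  AND OBJECT_NAME = 'ORDERS')
        OR (OBJECT_TYPE = 'SCHEMA') )
 ORDER BY GRANTEE;

-- 4. Before assigning a candidate role, review everything else it grants,
--    so the fix does not hand the user more than the missing privilege.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SALES_READER' AND GRANTEE_TYPE = 'ROLE'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME;

-- 5. Assign the role rather than the bare privilege, then let the user retry.
GRANT SALES_READER TO ANALYST01;
```

Note that the procedure output names the user, the object and the privilege that was checked, which is exactly why EXECUTE on it should stay restricted to authorization administrators rather than being handed out broadly.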
With the introduction of this feature, SAP HANA 2.0 SPS04 added the following parameters to the global.ini configuration file. They control whether and for how long the error details behind a GUID are kept, so they should be taken into account: if a GUID is analyzed only after the retention period has elapsed, or after the record limit has pushed the entry out, the procedure will no longer return anything for it.
- enable_insufficient_privilege_error_details_procedure: activation / deactivation of the procedure for automatic error logging via GUID
- insufficient_privilege_error_details_retain_duration: retention period of the error details
- insufficient_privilege_error_details_retain_records: maximum number of logged error events
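The parameters can be inspected and set with SQL. The following is an added example and not part of the original post; it assumes that the three parameters live in the [authorization] section of global.ini, that the system is configured at the SYSTEM layer (in a tenant database of a multi-container system the DATABASE layer would be used instead) and that 2000 is merely an illustrative record limit. The unit of the retention duration is not stated on this page, so the example reads that value back rather than setting it.

```sql
-- Added example (not from the original post): reading and setting the
-- SPS04 error-detail parameters of global.ini.
-- Assumptions: section name 'authorization'; SYSTEM layer; 2000 is an
-- arbitrary example value for the record limit.

-- 1. Show the current effective values of the three parameters (including
--    defaults, if no explicit value was set on any layer).
SELECT LAYER_NAME, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'authorization'
   AND KEY IN ('enable_insufficient_privilege_error_details_procedure',
               'insufficient_privilege_error_details_retain_duration',
               'insufficient_privilege_error_details_retain_records')
 ORDER BY KEY, LAYER_NAME;

-- 2. Make sure the GUID logging is switched on and raise the record limit,
--    so that error details are still available when the administrator gets
--    to them. WITH RECONFIGURE applies the change without a restart.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('authorization', 'enable_insufficient_privilege_error_details_procedure') = 'true',
        ('authorization', 'insufficient_privilege_error_details_retain_records')  = '2000'
    WITH RECONFIGURE;

-- 3. Re-run the query from step 1 to confirm the SYSTEM layer now carries the
--    new values; a row with LAYER_NAME = 'DEFAULT' shows the shipped default.
```

Changing global.ini requires the INIFILE ADMIN system privilege, and every change is written to the audit log if configuration auditing is enabled, which is the place to check if the GUID lookup unexpectedly stops returning results.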
Do you need support in the administration of your SAP HANA authorizations? Are you frequently confronted with error situations, and would you like to reduce them significantly? Xiting has extensive expertise and experience with a focus on SAP HANA security. We would be happy to discuss your specific requirements with you and how we can support you with our SAP HANA services. Do not hesitate to contact us for an initial discussion.
Further information can be found on our website:
- HDI roles in SAP HANA – Is everything easier now? - 9. December 2022
- Analysis of authorization errors in SAP HANA - 12. August 2021