cancel
Showing results for 
Search instead for 
Did you mean: 

HANA Security

Former Member
0 Kudos

Hello Gurus:

Need help with the below issues

1.Security administrator had left the company and if i have to revoke the roles assigned by him to a user i am not able to. Please advise how do i go about it

2. When a user gets a no authorization message i go the trace file and do not see much information there. Please advise.

Thanks

Accepted Solutions (0)

Answers (2)

Answers (2)

Private_Member_25738
Participant
0 Kudos

Ups, is to late to answer this question:

Hi Abhilash,

1. Probably the role that you have assigned with PFCG, have the authorization objects S_USER_* restricted. If you are the unique person responsible to manage roles in your company, maybe you can create a Z rol specific to you with transaction PFCG with all authorizations in the required authorization objects.

2. You can two ways to check the authorization errors that the user has:

     - The most easy and fast, when the user has the authorization error, he should go to SU53 transaction and catch and screenshot that he should send to you, with this screenshot you can look what authorization objects are required by SAP when the user execute a specific transaction.

     - Also, while the user are execute the transaction you can trace it with ST01, the problem is that the user and you must do action in the same time.

Please check it and let us know with anything.

Best regards.

lbreddemann
Active Contributor
0 Kudos

Hi there!

For question (1) please see the documentation for how to use the HANA studio privileges dialogue.

It's all rather straight forward there. Open the respective user account by double clicking its name in the HANA studio navigator tree and use [+] button to add roles and privileges and the  [-] button to remove them.
Once you're done, click on the little green icon with the white arrow to "deploy" aka save your changes.
Question (2) is a bit trickier - not just from a technical point of view.
If neither you nor the user nor anybody else knows what permissions are required for what activities in your system, then you got a much bigger fish to fry than how to use the tools.
You're lacking documentation then.
Technically you could always use a authorization trace, but the resulting additional ouput is rather not user friendly.
Better use system views like effective_privileges to find out what privileges the user alreay has been granted. That way you should be able to make the connection with the failing activity and the error message.
- Lars
Former Member
0 Kudos

Thanks forthe explaination Lars, but the issue is the administrator who has assigned the role to user has left the company and when i try to remove the role from the end user , the red button (X) is greyed out. Do i need any specific privileges to my account so that i can remove this role from the user.

lbreddemann
Active Contributor
0 Kudos

Well obviously, your user account currently has not been assigned the proper roles.

Is the role ROLE ADMIN assigned to your user?

Former Member
0 Kudos

Thanks Lars. But the issue here is that i am able to remove the roles which i have assigned but not able to remove the ones which have been assigned by other administrator who has left.

lbreddemann
Active Contributor
0 Kudos

And that's exactly why you need to have the ROLE ADMIN role...

Former Member
0 Kudos

Hi Lars:

I did not find the ROLE ADMING role in my system but i have USER_ADMIN_ROLE assigned to me and this one has the ROLE ADMIN privilege assigned, but still i am having issues