cancel
Showing results for 
Search instead for 
Did you mean: 

Where to find the error logs for Authorization related issues?

Former Member
0 Kudos

Hi All,

Can someone please point out where I can find the relevant server logs to help debug permission issues? This is particularly frustrating to find when accessing some hana objects via exposed oData or xsjs services.

For example, say an end user is invoking an oData service. This service, refers to a calculation view, which in turn has SQL script code with a bunch of SQL code referring to different database objects or other information views. Is there one place where I can see the log to see exactly where the permissions issue came from?

I did sit with our BASIS guy to dig through some logs (for example indexserver and xsengine trace files), but we didnt see anything. Perhaps there need to be specific configuration that needs to be setup before these permission related errors are even saved to log/trace files?

Separately, if there are guides out there outlining a structured approach debugging authorization issues, please point me towards them as well.

thanks,

Nitin

Accepted Solutions (1)

Accepted Solutions (1)

suresh_devarajan
Explorer
0 Kudos

Turn on authorization trace for the user as per the support note '1809199 - SAP HANA DB: Debugging user authorization errors'. Once it is enabled, authorization issues will be logged in a trace file with context name given in the tracing.

Hope this helps ..

Answers (1)

Answers (1)

Former Member
0 Kudos

It appears like you are looking for 'Authorization Dependency Viewer'.

It is graphical tool and might be helpful to pinpoint the exact privilege that the end user might be missing.

Step #1

Use Authorization Dependency Viewer to see where exactly it is failing

(note this requires system privilege CATALOG READ or DATA ADMIN.)

(for more details search Resolve Errors Using the Authorization Dependency Viewer in Admin guide)

Step # 2

I would start with reviewing Roles / Object privileges at high level for that specific user.

The method I approach is first list out the roles / privs that user needs to access your objects..i know that's what you are trying to figure out but having list of roles / privs that user MUST have comes handy..and then deep dive..else the dependency viewer might be confusing sometimes..

some queries below that might be of help

--All privileges granted to the specified user both directly and indirectly through roles are listed separately.

SELECT * FROM "PUBLIC"."EFFECTIVE_PRIVILEGES" where USER_NAME = 'Enter User Name Here';

--All roles granted to the specified user both directly and indirectly through other roles are listed separately.

SELECT * FROM "PUBLIC"."EFFECTIVE_ROLES" where USER_NAME = 'Enter User Name Here'

--All application privileges granted to the specified user both directly and indirectly through roles are listed separately.

select * from "SYS"."EFFECTIVE_APPLICATION_PRIVILEGES" where USER_NAME='Enter User Name Here';

--All views that the user is authorized to access are listed.

SELECT * from "PUBLIC"."ACCESSIBLE_VIEWS" where USER_NAME = 'Enter User Name Here';

Please let us know how it goes..good luck