
Insufficient privilege setting up dbccuser.xssqlcc

0 Kudos

I am trying to set up Database Control Center. I am at the point where I need to configure dbccuser.xssqlcc. When I log in to http://<hostname>:<port>//sap/hana/xs/admin with userid SYSTEM and click on sap, I get the message "insufficient privilege: not authorized". I have attached the screenshot. Please note that I have provided all the necessary authorization to user SYSTEM as recommended in the guide. This includes all of these roles:

  • sap.hana.dbcc.roles::DBCCAdmin
  • sap.hana.uis.db::SITE_DESIGNER
  • sap.hana.xs.admin.roles::HTTPDestAdministrator
  • sap.hana.xs.admin.roles::JobAdministrator
  • sap.hana.xs.admin.roles::RuntimeConfAdministrator
  • sap.hana.xs.admin.roles::SQLCCAdministrator
  • sap.hana.xs.admin.roles::TrustStoreAdministrator

Can anyone provide any information on what could be missing?

Please let me know if anyone would like to see any specific logs.

Accepted Solutions (0)

Answers (5)

rindia
Active Contributor
0 Kudos

Hi Joyee,

Have you followed the step-by-step process mentioned in the SAP DB Control Center Guide to set up DCC?

Here is the quick glance for you:

I. Download the HANA DBCC delivery unit - copy HANADBC.tgz file you extracted to a location accessible to you.

II. Add the DBCC system to HANA studio.

III. Install the HANA DBCC delivery unit using the above .tgz file.

IV. Configure the SAP HANA XS Engine for DBCC:

Procedure

1. In SAP HANA studio, select the system running SAP DCC, then select Configuration and Monitoring - Open Administration.

2. Click the Configuration tab.

3. Right-click xsengine.ini and select Add Section.

4. Enter the name scheduler and click Next.

5. Enter assign values to System and click Next.

6. Enter key enabled and value true.

7. Click Finish.

8. Right-click xsengine.ini and select Add Section again.

9. Enter the name httpserver and click Next.

10. Enter assign values to System and click Next.

11. Enter key sessiontimeout and a large value (for example, 3600 sets a session timeout of one hour).

V. Assign the role DCCConfig to user SYSTEM (Security - Users - Granted Roles), which allows you to complete the initial configuration.

VI. Create new user (for example: DCC_ADM for admin, DCC_COLLECTOR) and grant the roles:

sap.hana.admin.roles::Monitoring

sap.hana.dbcc.roles::DBCCAdmin

DCC_USER has the roles:

sap.hana.admin.roles::Monitoring

sap.hana.dbcc.roles::DBCCUser

VII. The passwords for the above users can be updated by adding a new system (right-click the DBCC system - Add system with different user); update the password and remember the passwords for DCC_ADMIN, DCC_COLLECTOR, DCC_USER.

Now you should be ready to use http://<hostname>:<port>//sap/hana/xs/admin with userid SYSTEM without any authorization issues.


Good luck.

Raj

0 Kudos

Hi Raj,

Yes, of course I have followed all of these steps.

former_member183326
Active Contributor
0 Kudos

Hello Joyee,

Can you confirm if this information we provided has solved your issue?

BR

Michael

0 Kudos

Hi Michael,

I could find out that the owner of the object is _SYS_REPO so I cannot actually logon with this userid to grant the privilege. Security guide tells me that I need to use a stored procedure to grant the privilege. However, I have been having difficulty executing the same:

call "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"('"sap.hana.xs.admin.db::samlProviderSelect"::"Execute"','DBA')

Result is invalid CHAR or VARCHAR. I am trying to find out exactly how to use this procedure.

former_member183326
Active Contributor
0 Kudos

You need to create a role via hdbrole which contains the access rights to these objects.

You then assign this role to the users who need it.

You have to create a .hdbrole file which gives the access (Development type of role, giving select, execute, insert etc. access) on this schema.

BR

Michael

0 Kudos

Hi Michael,

I will try this. The Server is now down due to maintenance. I will let you know how it goes.

Regards

0 Kudos

Hi All,

I did make some progress following your suggestions, particularly KBA 2126689. I found that the user SYSTEM is not authorized to do execute on object "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect". As the next step I tried to grant execute on this object to user SYSTEM. For this I get an error message which translates to "Userid not authorized to grant execute on object "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect"". Basically, I created a copy of user SYSTEM, with which I tried to provide the required authorization to user SYSTEM (SYSTEM can't provide auth to itself), but apparently this user is not allowed to grant authorization.

[18679]{302175}[1800/-1] 2015-11-20 18:11:04.541858 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)

[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542021 i Authorization SQLFacade.cpp(01871) : check for GRANT/REVOKE

[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542022 i Authorization SQLFacade.cpp(01873) :

  schemas and objects in schemas :

  SCHEMA-149903-HANA_XS_BASE : {} , {EXECUTE}

  PROCEDURE/FUNCTION-150179-sap.hana.xs.admin.db::samlProviderSelect : {EXECUTE} , {}

[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542117 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'

[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177428 i TraceContext TraceContext.cpp(00923) : UserName=DBA, ApplicationUserName=jsen, ApplicationName=HDBStudio, ApplicationSource=csns.sql.editor.SQLExecuteFormEditor$2$1.run(SQLExecuteFormEditor.java:856);

[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177410 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)

[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177450 i Authorization SQLFacade.cpp(01871) : check for GRANT/REVOKE

[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177453 i Authorization SQLFacade.cpp(01873) :

  schemas and objects in schemas :

  SCHEMA-149903-HANA_XS_BASE : {} , {EXECUTE}

  PROCEDURE/FUNCTION-150179-sap.hana.xs.admin.db::samlProviderSelect : {EXECUTE} , {}

[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177466 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'

Any ideas, thoughts are greatly appreciated.

former_member183326
Active Contributor
0 Kudos

Hello, from looking at the error:

UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)

You have to find the owner of Object ID 150179:

select * from objects where object_oid = '<oid>';

select * from objects where object_oid = '150179';

The owner of this object needs to grant the EXECUTE privilege to the User 856135 (SYSTEM).

This is explained in the link I provided earlier.

BR


Michael

former_member183326
Active Contributor
0 Kudos

Hello Joyee

Please go to this link. This link will help you troubleshoot the issue: http://wiki.scn.sap.com/wiki/display/TechTSG/Unauthorised+Privileges

Kind Regards, Michael

0 Kudos

Hi

If you increase the trace level for authorization as detailed in Note 2126689 - insufficient privilege. Not authorized

And recreate the issue

You should then be able to see the missing permissions in the indexserver.trc file

Hope this helps

Dermot
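The trace reading suggested in the answers above can be scripted. The following is an added example, not part of the original thread and not SAP code: it pulls each denied check out of indexserver.trc authorization lines and attaches the object name and the statement that triggered it. It assumes the line layout seen in the trace quoted in this thread and that the value in braces is stable for one request; `parse_denials` and the dictionary keys are names made up for this example.

```python
import re

# Excerpt of the indexserver trace quoted earlier in this thread.
SAMPLE_TRACE = """\
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.541858 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542022 i Authorization SQLFacade.cpp(01873) :
  schemas and objects in schemas :
  SCHEMA-149903-HANA_XS_BASE : {} , {EXECUTE}
  PROCEDURE/FUNCTION-150179-sap.hana.xs.admin.db::samlProviderSelect : {EXECUTE} , {}
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542117 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177410 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177466 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'
"""

# Layout as seen above: [n]{ctx}[n/n] date time level component source : message
HEADER = re.compile(r"^\[\d+\]\{(?P<ctx>-?\d+)\}\[[^\]]*\] (?P<ts>\S+ \S+) \w Authorization \S+ : ?(?P<msg>.*)$")
DENIED = re.compile(r"UserId\((\d+)\) is not authorized to (grant )?(\w+) on ObjectId\(\d+,\d+,oid=(\d+)\)")
OBJECT = re.compile(r"^\s+(?P<type>[A-Z/]+)-(?P<oid>\d+)-(?P<name>\S+) : ")
TRIED = re.compile(r"User (\S+) tried to execute '(.*)'$")

def parse_denials(trace):
    """Return one dict per denied check, with object name and statement attached."""
    names, events, pending = {}, [], {}
    for line in trace.splitlines():
        obj = OBJECT.match(line)
        if obj:  # indented continuation line: remember oid -> (type, name)
            names[obj["oid"]] = (obj["type"], obj["name"])
            continue
        head = HEADER.match(line)
        if not head:
            continue
        denied = DENIED.search(head["msg"])
        tried = TRIED.search(head["msg"])
        if denied:
            ev = {"time": head["ts"], "user_id": denied[1], "with_grant": bool(denied[2]),
                  "privilege": denied[3], "oid": denied[4], "statement_user": None, "statement": None}
            events.append(ev)
            pending[head["ctx"]] = ev  # wait for the matching "tried to execute" line
        elif tried and head["ctx"] in pending:
            ev = pending.pop(head["ctx"])
            ev["statement_user"], ev["statement"] = tried[1], tried[2]
    for ev in events:  # the object list follows the denial, so resolve names last
        ev["object_type"], ev["object"] = names.get(ev["oid"], (None, None))
    return events

if __name__ == "__main__":
    for ev in parse_denials(SAMPLE_TRACE):
        print(ev)
```

Each returned entry names the privilege, the object and whether the failed check was for granting it, which is the information needed when asking the object owner (or a repository role) for the missing authorization.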