on 11-19-2015 2:59 PM
Iam trying to setup Database control center. Iam at the point where I need to configure dbccuser.xssqlcc. When I login to http://<hostname>:<port>//sap/hana/xs/admin with userid SYSTEM and click on sap, I get the message " insufficient privilege: not authorized' . I have attached the screenshot. Please note that I have provided all the necessary authorization to user SYSTEM as recommended in the guide. This includes all of these roles:
Can anyone provide any information on what could be missing?
Please let me know if anyone would like to see any specific logs.
Hi Joyee,
Have you followed the step by step process as mentioned in SAP DB Control Center Guide to setup DCC:
Here is the quick glance for you:
I. Download the HANA DBCC delivery unit - copy HANADBC.tgz file you extracted to a location accessible to you.
II. Add the DBCC system to HANA studio.
III. Install the HAN DBCC delivery unit using above .tgz file.
IV. Configure the SAP HANA XS Engine for DBCC:
Procedure
1.In SAP HANA studio, select the system running SAP DCC, then select Configuration and Monitoring - Open Administration.
2.Click the Configuration tab.
3.Right-click xsengine.ini and select Add Section.
4.Enter the name scheduler and click Next.
5.Enter assign values to System and click Next.
6.Enter key enabled and value true.
7.Click Finish.
8.Right-click xsengine.ini and select Add Section again.
9.Enter the name httpserver and click Next.
10.Enter assign values to System and click Next.
11.Enter key sessiontimeout and a large value (for example, 3600 sets a session timeout of one hour).
V. Assign the role DCCConfig to user SYSTEM (Security - Users - Granted Roles) which allows to complete initial configuration.
VI. Create new user (for example: DCC_ADM for admin, DCC_COLLECTOR) and grant the roles:
sap.hana.admin.roles::Monitoring
sap.hana.dbcc.roles::DBCCAdmin
DCC_USER has the roles:
sap.hana.admin.roles::Monitoring○
sap.hana.dbcc.roles::DBCCUser
VII. The passwords for above users can be updated by adding new system (right click the DBCC system - Add system with different user) update the password and remember the passwords for DCC_ADMIN, DCC_COLLECTOR, DCC_USER.
Now you should ready to use http://<hostname>:<port>//sap/hana/xs/admin with userid SYSTEM without any authorization issues.
Good luck.
Raj
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Joyee,
Can you confirm if this information we provided has solved your issue?
BR
Michael
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Michael,
I could find out that the owner of the object is _SYS_REPO so I cannot actually logon with this userid to grant the privilege. Security guide tells me that I need to use a stored procedure to grant the privilege. However, I have been having difficulty executing the same:
call "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"('"sap.hana.xs.admin.db::samlProviderSelect"::"Execute"','DBA')
Result is invalid CHAR or VARCHAR. Iam trying to find out exactly how to use this procedure.
You need to create a role via hdbrole which contains the access rights to these objects.
You then assign this role to the users who need it.
You have to create a .hdbrole file which which gives the access ( Development type of role, giving select, execute, insert etc access) on this schema.
BR
Michael
Hi All,
I did make some progress following your suggestions, particularly KBA 2126689. I found that the user SYSTEM is not authorized to do execute on object "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect". Next step I tried to grant execute to user SYSTEM to this object. To this I get the error message which translates to " Userid not authorized to grant execute on object "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect". Basically, I created a copy of user SYSTEM using which I tried to provided the required authorization to user SYSTEM(SYSTEM can't provide auth to itself) but apparently this user is not allowed to grant authorization.
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.541858 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542021 i Authorization SQLFacade.cpp(01871) : check for GRANT/REVOKE
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542022 i Authorization SQLFacade.cpp(01873) :
schemas and objects in schemas :
SCHEMA-149903-HANA_XS_BASE : {} , {EXECUTE}
PROCEDURE/FUNCTION-150179-sap.hana.xs.admin.db::samlProviderSelect : {EXECUTE} , {}
[18679]{302175}[1800/-1] 2015-11-20 18:11:04.542117 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177428 i TraceContext TraceContext.cpp(00923) : UserName=DBA, ApplicationUserName=jsen, ApplicationName=HDBStudio, ApplicationSource=csns.sql.editor.SQLExecuteFormEditor$2$1.run(SQLExecuteFormEditor.java:856);
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177410 i Authorization SQLFacade.cpp(01327) : UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177450 i Authorization SQLFacade.cpp(01871) : check for GRANT/REVOKE
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177453 i Authorization SQLFacade.cpp(01873) :
schemas and objects in schemas :
SCHEMA-149903-HANA_XS_BASE : {} , {EXECUTE}
PROCEDURE/FUNCTION-150179-sap.hana.xs.admin.db::samlProviderSelect : {EXECUTE} , {}
[18802]{302195}[1773/-1] 2015-11-20 18:11:33.177466 i Authorization query_check.cc(03386) : User DBA tried to execute 'grant EXECUTE on "HANA_XS_BASE"."sap.hana.xs.admin.db::samlProviderSelect" to SYSTEM'
Any ideas , thoughts are greatly appreciated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello, from looking at the error:
UserId(856135) is not authorized to grant EXECUTE on ObjectId(6,0,oid=150179)
You have to find the owner of Object ID 150179:
select * from objects where object_oid = '<oid>';
select * from objects where object_oid = '150179';
The owner of this object needs to grant the EXECUTE privilege to the User 856135 (SYSTEM).
This is explained in the link I provided earlier
BR
Michael
Hello Joyee
Please go this link. This link will help you troubleshoot the issue: http://wiki.scn.sap.com/wiki/display/TechTSG/Unauthorised+Privileges
Kind Regards, Michael
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi
If you increase the trace lever for authorization as detailed in NOTE 2126689 - insufficient privilege. Not authorized
And recreate the issue
You should then be able to see the missing permissions in the indexserver.trc file
Hope this helps
Dermot
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
88 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.