Troubleshooting HANA Privilege Issues – Using SQL Procedure

In this blog, you will learn how to troubleshoot HANA DB authorizations / privileges errors using SQL Script procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS

SAP introduced a procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS with HANA 2.0 SP04 to simplify HANA related privileges and access issues

Earlier security administrators had to troubleshoot privileges and access issue using User-specific trace. This trace generates a log, and the security administrators had to read through the trace log file to identify missing privileges

We can still use the trace option to troubleshoot access issues if required

However, with the introduction of SQL script procedure, we don’t need to use User-specific trace.

When users get privileges related error, the system generates a GUID. The error will be something like below:

insufficient privilege: Detailed info for this error can be found with guid ‘<GUID>’

E.g%20Error%20with%20GUID

Eg. Error with GUID

After a user gets “insufficient error” and gets a GUID, the GUID is provided to security administrator who then passes this GUID as a parameter in the procedure to get the information on the missing privileges for the user

The syntax for the procedure is:

CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS(‘<GUID>’, ?)

Note:

  • You have to prefix the procedure with schema SYS
  • GUID has to be specified between single quotes ‘ ‘

Also, security administrators should be granted Execute privilege on the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS to use the procedure

A detailed explanation on how to use the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS is described in this video

Simple and easy method of troubleshooting privileges / authorizations issues in HANA instead of using User-specific trace

  • Stored procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS
  • Users executing the procedure should also have it granted to them with the Execute privilege
  • No need for activating the User-specific trace

Also, please refer to this blog from Michael Devine:

Simplified Authorization Troubleshooting in SAP HANA

Any feedback, thoughts and comments on this topic are welcome.