Skip to Content
author's profile photo Former Member
Former Member

General Analytic Privilege to display generated HANA views in bw2hana

Hi,

In a BW on HANA development environment I have created a user in SU01 with a technical name "BW_HANA_AUTH" and given him full access to SAP BW (SAP_ALL profile). Also, in SU01 tab DBMS I have created a corresponding HANA DB user and assigned the pre-delivered MODELING role in HANA to this user.

One of the InfoCubes in SAP BW (0FIGL_C10) has been generated as an "External SAP HANA view for reporting", and can therefore be found as an Analytic View "FIGL_10" in HANA Studio in package "system-local.bw.bw2hana.0".

Also, during the view generation, HANA created a new catalog role "bw2hana/SAPABAP1_0FIGL_C10_REPORTING" specifically for accessing this analytic view. The role contains 3 catalog objects with "SELECT" and "EXECUTE" rights, as well as an analytic privilege.

When user "BW_HANA_AUTH" logs on to SAP HANA Studio and tries to preview data in analytic view FIGL_C10, he gets an authentication error SAP DBTech JDBC: [258] insufficient priveledge.

The reason for this error is that user "BW_HANA_AUTH" have not been assigned role "bw2hana/SAPABAP1_0FIGL_C10_REPORTING", or more specifically the analytic privilege "bw2hana/SAPABAP1_0FIGL_C10_REPORTING". If I add either the entire role or solely the missing analytic privilege to user "BW_HANA_AUTH", he can see the entire data set of the analytic view FIGL_C10.

If you look at the pre-delivered role "MODELING", it contains SELECT and EXECUTE rights on the entire _SYS_BIC schema as well as an analytic privilege "_SYS_BI_CP_ALL", which is supposed to overrule all other restrictions in analytic privileges and give the user full access to data models in HANA.

To solve the authorization issue, I could certainly start assigning "bw2hana/SAPABAP1_...." roles for every generated HANA view to every HANA user in the system who needs to see the data in that view. However, is there a way to define a general role in HANA which includes all "bw2hana/SAPABAP1..." analytic privileges and assign this role to developer users who need full rights to see all HANA views in package "system-local.bw.bw2hana.0"?

Thanks in advance!

Regards. Arseny

capture01.png (31.0 kB)
capture02.png (5.4 kB)
capture03.png (14.6 kB)
capture04.png (17.4 kB)
capture05.png (9.1 kB)
Add a comment
10|10000 characters needed characters exceeded

Related questions

3 Answers

  • Posted on Sep 15, 2015 at 01:39 PM
    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Sep 16, 2015 at 10:38 AM

    Hi Arseny,

    The content.admin role can serve the purpose i guess. Please give a try .

    Regards,

    Tharun.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Oct 12, 2015 at 07:33 AM

    Hi Arseny,

    You don't have to assign this HANA role (bw2hana...) manually. HANA Authorizations can be generated from BW and are automatically assigned to users in HANA. Though you need to make sure of certain things:

    • In tcode RS2HANA_VIEW, select Assignment Type = R. Its easier to maintain with this option.
    • If you are in BW 7.4 SP8 or above, you will find one more option "SAP HANA User Mapping" in RS2HANA_VIEW tcode. Better to select option "C" here. If you select "D", then you will have to ensure that your BW user has a DBMS user mapping (in SU01 tcode -> DBMS tab).

    In SP7 or earlier SP, system by default works as Option "C".

    • The BW user should be assigned to analysis authorization for your info provider. This analysis authorization should contain all necessary characteristics/nav attributes for your info provider.
    • After that you need to generate HANA authorizations for this user, for the info provider. For this use tcode RS2HANA_CHECK. With this tcode, the user would get bw2hana/.... role assigned in HANA automatically. You can run RS2HANA_CHECK tcode for multiple (or all) info providers / users for mass updates.

    Authorizations for Generating SAP HANA Views - Using the SAP HANA Database - SAP Library

    Please note that understand that MODELING role or _SYS_BI_CP_ALL is not needed for a user to see data from HANA views. You can create your own custom role and include only required privileges in it, i.e. SELECT on _SYS_BI, _SYS_BIC, etc. Also you don't have to include generated HANA roles bw2hana.... in this custom role.

    Regards,

    Nitesh Gupta

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.