Skip to Content

HANA 2.0 webide login - forbidden

Oct 24, 2017 at 01:31 PM


avatar image

Dear experts

I'm getting an error message "Forbidden" whilst trying to login to the webide.

HANA Release is
Webide is up and running: webide STARTED 1/1 512 MB <unlimited> https://fqdn:port

The login was performed as XSA_ADMIN

Any ideas ?



10 |10000 characters needed characters left characters exceeded

Ok, did you check already the authorization that you are able to use the IDE with the XS_ADMIN user?


Yes, the XSA_ADMIN user has the IDE authorizations assigned.


Can you share that information to be able to counter check?


I've attached a screenshot.xsa-admin-roles.png


These are the privileges for the SAP HANA Web-based Development Workbench (XS classic), not for SAP Web IDE for SAP HANA (XS advanced).

XS classic has been deprecated for SAP HANA 2.0 SPS 02.

What tool (URL) are you trying to access with XSA_ADMIN?

* Please Login or Register to Answer, Follow or Comment.

2 Answers

Denys van Kempen
Oct 25, 2017 at 08:47 AM

Hi Marian,

The XSA_ADMIN user is equivalent to the root user at the operating system level or the SYSTEM user at database level. As a super administrator, it should only be used to perform super administrator tasks using super administrator tools.

For this reason (security), XSA_ADMIN does not have access to the WebIDE.

This is the default configuration, by design and best kept as-is.

You should use a lesser-privileged user to connect to the WebIDE, e.g. XSA_DEV or any other user that has the WebIDE_Developer role granted.


Two screen captures to illustrate this (XS Admin tool, connected as XSA_ADMIN):

Showing Role Collections: 2 roles for WebIDE: DEVX_DEVELOPER and DEVX_ADMINISTRATOR

XSA_ADMIN does not have the DEVX_DEVELOPER role assigned. For this reason, you get 'Forbidden'.


Denys / SAP HANA Academy

Subscribe to our YouTube Channel
Join us on LinkedIn
Follow us on Twitter
Github code samples

Show 11 Share
10 |10000 characters needed characters left characters exceeded

Florian Pfeffer , Denys van Kempen : now it's clear to me what must be done.

Now I have the following issue: login as XSA_ADMIN to the xsa-admin is not working (password is accepted but after login the page remains blank and nothing happens.)
The xsa-admin is running: xsa-admin STARTED 1/1 128 MB <unlimited> https://FQDN:51023
I tried different browsers but unfortunately no luck. What might be the culprit?


What's the environment? Cloud or local VM / installation? How much memory allocated?


Local installation, HANA 2.0 on premise Installation; 64GB Mem Allocation (Setup for testing purposes.)


Excellent. One might not expect any memory issues then.

The issue is that you cannot connect to the XSA Administration application as XSA_ADMIN user. Login page displays and the user is authenticated but a blank page displays. Curious, no idea.

Below some general health checks but I have no further suggestions at this stage if the URL is correct and all the applications are up and running.

Does the controlller page display [API_URL]? What port to xsa-admin is diplayed?

https://FQDN:3<instance number>30 

Can you connect on the command line using the same API URL as XSA_ADMIN and query app URLs?

xs l

xs apps

If you get an SSL validation error, run

xs l --skip-ssl-validation

The controller page is properly displaying.

The displayed port for XSA-ADMIN is 51023.

After entering the "xs l" command line I'm getting the API_URL and I'm required to authenticate.

I'm entering the correct password and get the following infos displayed: ORG, SPACE, API endpoint, User, Org, Space.
XS apps(no SSL validation error) is also showing that the xsa-admin and webide have the state STARTED.


Hi Marian,

Sounds good.

Yet, you have an issue connecting to web-ide (as xsa_dev) or xsa-admin (as xsa_admin), correct?

The (account) assumes SAP HANA, express edition.

Does the URL redirect to the UAA page (for login)?


Hi Denys

The main goal is to maintain the users and authorizations via xsa-admin and later to provide webide access to other users.

In order to achieve this I first have to logon to the xsa-admin as the xsa_admin user and this is currently not working.

Please be advised that this is a standard HANA 2.0 on Premise installation and this is not the SAP HANA express edition,


Thanks Marian,

The account used to connect on the command-line with 'xs l', also provides access to the xsa-admin web application.

I understand that the on command-line access is provided but that there is an issue with the web.

You have mentioned that the xs controller web page displays correctly: https://hostname:3<instance-number>30

What happens when you click the xsa-admin URL on that page?

Are you redirected to the UAA page? Is the URL still using the same <hostname>?

Is the port used in the URL for the UAA accessible (not blocked by firewall)?

If the UAA page displays correctly (login), what happens after you provide XSA_ADMIN user name and password (same as for xs l)?


If I click the xsa-admin URL then the page will open and I will get the login mask (the page displays correctly).

The URL is still using the same FQDN.

A firewall issue can be excluded(telnet is working).

The UAA page display correctly (login) and I can provide the credentials (XSA_ADMIN and PW) but after selecting login the page remains blue and nothing is beeing displayed.uaa-login.png

uaa-login.png (25.4 kB)

Appears to be an issue with the particular Java app.

Do other Java apps display correctly? E.g. Database Explorer?

At this stage, I would reinstall XSA but you may have other options. Did you already create a support ticket?


The database explorer is working (checked it via SAP HANA Cockpit).

So next attempt will be a resintall ...

I did not open a support ticket yet but will consider it depending on the results of the reinstall action.

Florian Pfeffer
Oct 25, 2017 at 05:39 AM

The roles you have assigned to your user (which you described in the comments of that question) are the XS classic roles for the HANA web-based development workbench. For the SAP Web IDE for SAP HANA the process is a little bit different. Details on how to do that can be found in the SAP HANA Developer Guide for XS Advanced: Enabling Access to the SAP Web IDE Administration and Development Tools


10 |10000 characters needed characters left characters exceeded