
HANA Error - User not allowed to grant privilege SELECT


In HANA we occasionally get authorization errors. The trace has: User X is not allowed to grant privilege SELECT for TABLE XXXX

This is similar to OSS Note 2619013

The user that is in the trace is a different user from the user running the view.

From what I can tell, this occurs with a view that does a select on a different schema, and the schema owners are different.

For example, ID A created a view on schema A. This does a select on a table on schema B, owned by ID B. When ID C runs the report, it fails because ID A does not have access to grant SELECT access to the table on schema B.

The question is what is the combination of events to make this occur? Also, what is the logic behind this authorization check?

The OSS Note mentions creating the view as a repository object, but that is not possible in our situation.

1 REPLY

jegadesh_k
Participant

The question is what is the combination of events to make this occur?

Fact:

When you have a catalog object, that object is owned by whoever created it. So the table on schema B is owned by user B.

When user C runs the view under Schema A,

1. The system checks if the user has access to run the view under schema A

2. Runs the view

3. Makes a call for the table on schema B

4. Checks if user A has access to the table under schema B

5. If the user doesn't have access, throws an error that the user cannot grant access.

One way to solve this is by user B granting select access to that table to users A & C. The easier way is obviously by creating a repository object, as the table/schema is owned by the system (_SYS_REPO) instead of the user.

GRANT SELECT ON schemaB.<table> TO _SYS_REPO WITH GRANT OPTION;
or
GRANT SELECT ON schemaB.<table> TO USER_A;
GRANT SELECT ON schemaB.<table> TO USER_C;

You can assign those objects [view from schema A & table from schema B] to user C's object privileges before having the user try.

Let me know if this works,

Thanks

Jega
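
The scenario from this thread as an added example (not part of the original posts): the grants that let a view owner pass SELECT on to a report user, followed by an audit query for views in the same state. All user, schema and object names are constructed, and the audit assumes the standard HANA catalog views SYS.OBJECT_DEPENDENCIES, SYS.OWNERSHIP and SYS.GRANTED_PRIVILEGES.

```sql
-- Constructed names: USER_A owns view SCHEMA_A.V_REPORT,
-- USER_B owns table SCHEMA_B.T_DATA, USER_C runs the report.

-- 1. Run as USER_B (table owner): the view owner must be able to pass
--    SELECT on to whoever reads the view, hence WITH GRANT OPTION.
GRANT SELECT ON SCHEMA_B.T_DATA TO USER_A WITH GRANT OPTION;

-- 2. Run as USER_A (view owner): expose only the view to the report user.
--    USER_C needs no direct privilege on SCHEMA_B.T_DATA (least privilege).
GRANT SELECT ON SCHEMA_A.V_REPORT TO USER_C;

-- 3. Audit, run as a user who can read the catalog views: list views whose
--    base table has a different owner and whose owner holds no grantable
--    SELECT on that table or on its schema.
--    Only direct grants are checked; privileges held through roles are not.
SELECT d.DEPENDENT_SCHEMA_NAME AS view_schema,
       d.DEPENDENT_OBJECT_NAME AS view_name,
       vo.OWNER_NAME           AS view_owner,
       d.BASE_SCHEMA_NAME      AS table_schema,
       d.BASE_OBJECT_NAME      AS table_name,
       bo.OWNER_NAME           AS table_owner
  FROM SYS.OBJECT_DEPENDENCIES d
  JOIN SYS.OWNERSHIP vo
    ON vo.SCHEMA_NAME = d.DEPENDENT_SCHEMA_NAME
   AND vo.OBJECT_NAME = d.DEPENDENT_OBJECT_NAME
   AND vo.OBJECT_TYPE = 'VIEW'
  JOIN SYS.OWNERSHIP bo
    ON bo.SCHEMA_NAME = d.BASE_SCHEMA_NAME
   AND bo.OBJECT_NAME = d.BASE_OBJECT_NAME
   AND bo.OBJECT_TYPE = 'TABLE'
 WHERE d.DEPENDENT_OBJECT_TYPE = 'VIEW'
   AND d.BASE_OBJECT_TYPE = 'TABLE'
   AND vo.OWNER_NAME <> bo.OWNER_NAME
   AND NOT EXISTS (
         SELECT 1
           FROM SYS.GRANTED_PRIVILEGES p
          WHERE p.GRANTEE      = vo.OWNER_NAME
            AND p.PRIVILEGE    = 'SELECT'
            AND p.IS_GRANTABLE = 'TRUE'
            AND p.SCHEMA_NAME  = d.BASE_SCHEMA_NAME
            AND (p.OBJECT_NAME = d.BASE_OBJECT_NAME
                 OR p.OBJECT_TYPE = 'SCHEMA'));
```

Each row returned is a view that other users can be granted access to but cannot read, which is the condition the trace message reports.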