Dear Dirk,
Dear Thomas,
just to let you know: I experience the very same problem. I wrote procedures to connect HANA to an Identity Management system and the procedure meant to revoke roles throws this exception.
Maybe it is a problem with SP 102.00-02.
According to my tests (Creating a fresh user, assigning the role, revoking the role - all done via procedures called by the same script):
- the exception is not thrown in 1.00.097.01.1436865239 (1 system tested)
- the exception is not thrown in 1.00.101.00.1435831484 (1 system tested)
- but it is thrown in 1.00.102.00.1442292917 (only one system available to me/tested)
- the exception is not thrown in 1.00.102.03.1449674847 (4 systems tested)
Does one of you have the chance to test the same scenario on different SPs?
Can you also see your problem disappear with 102.03?
Further observations:
- I do not see any authorization issues in my traces
- Activating auditing, I found that the procedure "_SYS_REPO"."REVOKE_ACTIVATED_ROLE" is being called and executes the REVOKE ROLE statement, but fails. Maybe it fails during the adjustments _SYS_REPO tries to make to the system as part of the REVOKE_ACTIVATED_ROLE execution.
Best regards,
Ralf
p.s.: My testscript looks like this:
call "...::P_New_User"('TEST_USER','TEST','M','_',?,?,?);
call "...::P_Grant_UserRole" ('TEST_USER','sap.hana.admin.roles::Monitoring',?,?,?);
call "...::P_Revoke_UserRole"('TEST_USER','sap.hana.admin.roles::Monitoring',?,?,?);
call "...::P_Delete_User"('TEST_USER',?,?,?);
very uniform across the different SPs.
The third procedure executes _SYS_REPO.REVOKE_ACTIVATED_ROLE. On 102.00 I tried both using an indirect exec 'call _SYS_REPO.ACTIVATED_ROLE(...'; and the standard direct call in SqlScript - no difference.