SAP Knowledge Base Article - Public

2805974 - Error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.' when creating live connection to S4/HANA Cloud in SAP Analytics Cloud (SAC)

Symptom

  • Error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.'
  • Error 'GET https://<xxx>.sapanalytics.cloud/s4hcremotes/test/sap/bw/ina/GetServerInfo 403 (Forbidden)' from Chrome Developer tool console.
  • Error 'invalid_grant, Provided authorization grant is invalid. Exception was There is no trust between entities  and <xxx>.sapanalytics.cloud in client <xxx>. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response.
  • Error 'invalid_grant, Provided authorization grant is invalid. Exception was no user found with alias "user@email.com". For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response

Environment

  • SAP Analytics Cloud

Reproducing the Issue

  1. Configure 'Live Data Connection to SAP S/4HANA Cloud Public Edition Edition via OAuth' according to SAC help guide https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/0485d540e0b340a0bc0da86fe368997c.html
  2. Error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.' popup after click OK button. 

Cause

Note that the error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.' is a generic error and may not be the underlying cause.
Collect Browser Network HAR trace in order to see the failed response message from the S4/HANA system using KBA 2280022 - How to collect a HTTP archive (HAR) file and Console Log file in SAP Analytics Cloud

Communication System, Communication Arrangement or Communication User in SAP S/4HANA Cloud Public Edition is not created with correct information

Resolution

If receiving error:
Error 'invalid_grant, Provided authorization grant is invalid. Exception was There is no trust between entities  and <xxx>.sapanalytics.cloud in client <xxx>. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response.

  • In some cases, if they are not created with all the correct information before they are saved for the first time, editing them does not reflect properly.
  • If your SAC is CF tenant, please leave tenant ID blank. If your SAC is NEO, please use Chrome Developer tools to check one of the Pusher requests in the Network Tab. At the end of the Request URL, it tells you what the tenant is or please contact SAP Support
  • Make sure OAuth 2.0 Identity Provider name in your Communication System is exactly copied from SAC connection provider name.
  • [Optional] If you have Tenant Type to fill, please use C for SAC CF tenant and use A for SAC NEO tenant.

If Receiving error:
Error 'invalid_grant, Provided authorization grant is invalid. Exception was no user found with alias "user@email.com". For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response

  • Ensure in SAC > Administration > Security > Under Step 3, set the SAML User Mapping to Custom SAML User Mapping. Under Security > Users, the value in the Custom SAML User Mapping column must equal the User Data > User Name of the corresponding business user in the SAP S/4HANA system.
  • Ensure that if using Custom SAML User Mapping, the IdP (Identity Provider) is also using "Login Name" (or equivalent) as the Subject Name Identifier (NameID attribute)
  • "Exception was no user found with alias "user@email.com". Means that the S4/HANA system could not find a user associated with this "user@email.com" attribute that was passed from SAC.

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

authorization grant, invalid_grant, oAuth, OAuth 2.0, SAML, S4, s/4HANA, s4hana, s4hana cloud, live, connection, authorization, token, alias, nameID, identifier, username, saml2 identifier, communication, arrangement, outbound, inbound, Token Service User, Token Service password, Oauth scope, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics , KBA , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , Problem

Product

SAP Analytics Cloud 1.0 ; SAP S/4HANA Cloud 1905