Symptom
- Error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.'
- Error 'GET https://<xxx>.sapanalytics.cloud/s4hcremotes/test/sap/bw/ina/GetServerInfo 403 (Forbidden)' from Chrome Developer tool console.
- Error 'invalid_grant, Provided authorization grant is invalid. Exception was There is no trust between entities and <xxx>.sapanalytics.cloud in client <xxx>. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response.
- Error 'invalid_grant, Provided authorization grant is invalid. Exception was no user found with alias "user@email.com". For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response
Environment
- SAP Analytics Cloud
Reproducing the Issue
- Configure 'Live Data Connection to SAP S/4HANA Cloud Public Edition Edition via OAuth' according to SAC help guide https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/0485d540e0b340a0bc0da86fe368997c.html
- Error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.' popup after click OK button.
Cause
Note that the error 'You are not authorized to query the remote system. Please ask your administrator to grant you the InA role.' is a generic error and may not be the underlying cause.
Collect Browser Network HAR trace in order to see the failed response message from the S4/HANA system using KBA 2280022 - How to collect a HTTP archive (HAR) file and Console Log file in SAP Analytics Cloud
Communication System, Communication Arrangement or Communication User in SAP S/4HANA Cloud Public Edition is not created with correct information
Resolution
If receiving error:
Error 'invalid_grant, Provided authorization grant is invalid. Exception was There is no trust between entities and <xxx>.sapanalytics.cloud in client <xxx>. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response.
- In some cases, if they are not created with all the correct information before they are saved for the first time, editing them does not reflect properly.
- If your SAC is CF tenant, please leave tenant ID blank. If your SAC is NEO, please use Chrome Developer tools to check one of the Pusher requests in the Network Tab. At the end of the Request URL, it tells you what the tenant is or please contact SAP Support
- Make sure OAuth 2.0 Identity Provider name in your Communication System is exactly copied from SAC connection provider name.
- [Optional] If you have Tenant Type to fill, please use C for SAC CF tenant and use A for SAC NEO tenant.
If Receiving error:
Error 'invalid_grant, Provided authorization grant is invalid. Exception was no user found with alias "user@email.com". For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545' from HTTP response
- Ensure in SAC > Administration > Security > Under Step 3, set the SAML User Mapping to Custom SAML User Mapping. Under Security > Users, the value in the Custom SAML User Mapping column must equal the User Data > User Name of the corresponding business user in the SAP S/4HANA system.
- Ensure that if using Custom SAML User Mapping, the IdP (Identity Provider) is also using "Login Name" (or equivalent) as the Subject Name Identifier (NameID attribute)
- "Exception was no user found with alias "user@email.com". Means that the S4/HANA system could not find a user associated with this "user@email.com" attribute that was passed from SAC.
See Also
- How to find User Assistance for SAP Analytics Cloud?
- Have a question? Ask it here on the SAP Community. Or reply and share your knowledge!
- 2487011 - What information do I need to provide when opening incidents with SAP Analytics Cloud (Hint: Use component LOD-ANA*)
- SAP Analytics Cloud > Learning > Guided Playlists
Your feedback is important to help us improve our knowledge base.
Keywords
authorization grant, invalid_grant, oAuth, OAuth 2.0, SAML, S4, s/4HANA, s4hana, s4hana cloud, live, connection, authorization, token, alias, nameID, identifier, username, saml2 identifier, communication, arrangement, outbound, inbound, Token Service User, Token Service password, Oauth scope, SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics , KBA , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , Problem