Author: Asim Mian

ZSU53 – Missing authorization assistance

How many times have you and your colleagues come across the classic ‘You are not authorized to use transaction….’ error, run SU53 and sent a screenshot of it to your Basis Administrator (or been asked for one) to get the authorization issue resolved? Now you can execute this program and get the list of profiles/roles containing the authorization (yes, as simple as that)! Your Basis Administrator can in turn assign you the one he/she feels is appropriate for you to have.

The highlights of this tool are:

  • Lists the profiles/roles which contain the appropriate authorization
  • Can list the users under the profiles/roles
  • Only looks up active profiles/roles
  • Looks up ALL authorization values (which could be up to 10) for an authorization failure!

Here is a sample comparison between SU53 and ZSU53

Standard transaction SU53

 

ZSU53 - Missing authorization assistance

The screenshot above shows how ZSU53 displays a list of profiles/roles containing the authorization object and its respective attributes, whereas the standard transaction SU53 only shows the missing authorization and lists the profiles which came close to the authorization you actually need!

This tool searches through and filters profiles/roles which have partial authorization, and it is powerful enough to consider ‘*’ or ‘Z*’ and the like while looking for the value ‘ZARM’, for example. This means that SAP_ALL and other powerful profiles/roles would show up in the list every time a user executes the program. For that reason I would advise setting up a custom table that contains the list of all the profiles the general users should be allowed to have and excluding these sacred profiles/roles from that table, OR putting only these profiles/roles in that table and excluding them from your final list of profiles/roles before display.

The performance of this tool is an important factor (which is very much covered, I must say), but if your organization has hundreds or thousands of profiles/roles then I would again advise you to create a custom table of valid profiles/roles. You could put an inner join on it to drop unwanted profiles/roles and then display the refined list!
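The lookup described in the two paragraphs above, as an added Python example on constructed data (this is not the ZSU53 ABAP code). The role names, the data layout and the function names are hypothetical; it assumes partial matches are dropped and handles only ‘*’ and trailing-asterisk patterns such as ‘Z*’.

```python
# Added illustration (not ZSU53 source): model of the role lookup on constructed data.

def value_covers(granted: str, needed: str) -> bool:
    """True if one granted value covers the needed value.
    '*' grants everything; a trailing '*' (e.g. 'Z*') grants a prefix."""
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed

def auth_covers(auth: dict, failed: dict) -> bool:
    """A single authorization must cover every field of the failed check;
    values held in different authorizations are not combined."""
    return all(
        any(value_covers(g, needed) for g in auth.get(field, []))
        for field, needed in failed.items()
    )

def candidate_roles(roles, obj, failed, allowed=None, excluded=frozenset()):
    """Roles/profiles holding a full match for the failed check, after filtering.
    allowed:  optional allow-list (stand-in for the custom table of valid roles)
    excluded: deny-list of powerful roles/profiles such as SAP_ALL"""
    hits = []
    for name, auths in roles.items():
        if name in excluded or (allowed is not None and name not in allowed):
            continue
        if any(o == obj and auth_covers(a, failed) for o, a in auths):
            hits.append(name)
    return sorted(hits)

# Constructed sample data: role/profile -> [(object, {field: [granted values]})].
ROLES = {
    "SAP_ALL":     [("S_TCODE", {"TCD": ["*"]}),
                    ("S_TABU_DIS", {"ACTVT": ["*"], "DICBERCLS": ["*"]})],
    "Z_DEV_ALL":   [("S_TCODE", {"TCD": ["Z*"]})],
    "Z_ARM_USER":  [("S_TCODE", {"TCD": ["ZARM", "SU53"]})],
    # Two authorizations that only cover the check when wrongly merged.
    "Z_TAB_SPLIT": [("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["SS"]}),
                    ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["ZFIN"]})],
    "Z_TAB_MAINT": [("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLS": ["Z*"]})],
}

if __name__ == "__main__":
    failed = {"TCD": "ZARM"}  # the value from the failed check
    print(candidate_roles(ROLES, "S_TCODE", failed))
    print(candidate_roles(ROLES, "S_TCODE", failed, excluded={"SAP_ALL"}))
```

Without the deny-list, SAP_ALL appears in every result; the `Z_TAB_SPLIT` entry shows why each authorization has to be evaluated as a whole across all of its fields.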

If you choose to show the users under the profiles/roles, you can actually see how profiles and roles have been assigned to users. If the users have the same responsibilities, you could decide to club the profiles together and create a role which would cover such and such responsibility. This tool can be used in a similar way to SU53: the user could send a screenshot of it to e.g. the Basis Administrator, or the administrator could look up the last failure by pressing F5 or the User button and entering the user’s id to view the list of profiles and roles.

This tool has removed a lot of headaches around obtaining the right authorizations to get the job done, and I sincerely hope it will work miracles for your organization too!

Note: Those of you very familiar with SAP authorizations will know that SU53 has its limitations (e.g. sequence of profiles checked, structure authorizations etc.). The same limitations apply to ZSU53 as well, and it will not produce correct results in all situations.

Find more information, including the actual program code, in this article:
ZSU53 – Missing Authorization Assistance


      11 Comments
      Martin Voros
      Hi,

      thanks for publishing this program. Is there any chance that you would publish your program using SAP Link? Or am I the only one who thinks that publishing a program by dumping source code to pdf is pretty weird these days?

      Cheers

      Former Member
      Let me second this request.

      Even a plain text version would be much better than the quaint PDF format.

      Asim Mian
      Blog Post Author
      Sorry about that guys, here is the saplink!

      http://code.google.com/p/zsu53/

      BR,
      Asim

      Martin Voros
      Thanks,
      Martin
      Rashid Javed
      Amazing Stuff. I hope this utility becomes part of standard SAP ERP because it could be very helpful to Basis/GRC consultants. Till that time we can implement ZSU53.

      I think the blog itself was rather short. Maybe it could have been divided into two blogs explaining in detail the six new forms added in ZSU53.

      And with reference to variable p_user (used to determine visibility of assigned users), would it be better if we could make it a parameter ID? This way, it can be set in the user master data of individual users.
      Overall a very useful utility.

      Asim Mian
      Blog Post Author
      Thanks Rashid!
      I'll try to write up another blog explaining the newly introduced forms!

      Just a note that the code being shared is a simplified form of the program we are actually running. In our implementation it is a parameter id and there is lots of other stuff, including a custom table which limits the profiles/roles lookup, making it very efficient, etc.

      BR,
      Asim

      Former Member
      Brilliant idea. Very nicely developed. Makes everybody's life much easier. Great work Asim!
      Asim Mian
      Blog Post Author
      For those who don't use saplink as yet and find the code in the pdf cumbersome... hope this helps

      https://wiki.sdn.sap.com/wiki/display/Snippets/ZSU53+-+Missing+Authorization+Assistance

      Former Member
      Super, it's really helpful. Making things much easier.
      Former Member
      Hi Asim,

      I am a BI person and don't know much about ABAP. I have downloaded the program and tried to implement it in the system. The tcode ZSU53 runs fine but does not give the list of users under the profile or role names. But the documents do suggest that p_user is by default 'X' and this gives the list of users. Are there any additional steps I need to perform?

      Not having much idea, I uncommented these lines:
      *        IF p_user = 'X'." and lv_repeat = 0.
      *          ADD 1 TO g_node_key_role.
      *          CLEAR node.
      *          node-node_key   = g_node_key_role.
      *          node-relatkey   = g_node_key_num.
      *          node-relatship  = cl_list_tree_model=>relat_last_child.
      *          node-n_image    = 'BNONE'.
      *          node-isfolder   = ' '.
      *          APPEND node TO node_table.
      *
      *          CLEAR l_wa_node_table.
      *          l_wa_node_table-node_key       = node-node_key.
      *          l_wa_node_table-isfolder       = node-isfolder.
      *          l_wa_node_table-expander       = node-expander.
      *          l_wa_node_table-agr_name        = 'this is agr_name in bname'.
      *          INSERT l_wa_node_table INTO TABLE gt_nodes.
      *
      *          CLEAR item.
      *          item-node_key   = node-node_key.
      *          item-item_name  = '01'.
      *          item-class      = cl_list_tree_model=>item_class_text.
      *          item-alignment  = cl_list_tree_model=>align_auto.
      *          item-font       = cl_list_tree_model=>item_font_prop.
      *          item-text       = 'No user assigned!'.            "#EC *
      *          APPEND item TO item_table.
      *        ENDIF.

      -------------
      After which the nodes are coming in, but it again says "No user assigned!"

      But I have run SUIM and the roles/profiles do have users list. The system has BI 7.0 support pack 23.

      Please advise.

      --Thanks & regards
      Akashdeep Banerjee

      Asim Mian
      Blog Post Author
      Hi Akash,
      Sorry for getting back to you a little late on this. The users are read from table UST04; you might want to put a break point and see if the internal table (lt_ust04) is being populated or not within form GET_RELATED_AUTH. If yes, then it should work (was working, last time I checked!). The user id and name are then moved to another internal table IT_ALL; from there they get displayed under the profiles/roles.
      The code you uncommented displays an additional node with text 'No user assigned'. In my opinion it is a bit annoying to expand a node under the profile/role and find that no user is assigned to it.
      Anyways, let me know what the outcome was and we could take it from there.

      Best regards,
      Asim