ZSU53 – Missing authorization assistance
How many times have you and your colleagues come across the classic ‘You are not authorized to use transaction….’ error, run SU53, and sent a screenshot of it to your Basis Administrator (or been asked for it) to get the authorization issue resolved? Now you can execute this program and get the list of profiles/roles containing the authorization (yes, as simple as that)! Your Basis Administrator can in turn assign you the one he/she feels is appropriate for you to have.
The highlights of this tool are:
- Lists profiles/roles which contain the appropriate profiles
- Has the capability to list the users under the profile/users
- Only looks up active profiles/roles
- Looks up ALL authorization values (which could be up to 10) for an authorization failure!
Here is a sample comparison between SU53 and ZSU53
The screenshot above shows how ZSU53 displays a list of profiles/roles containing the authorization object and the respective attributes, whereas the standard transaction SU53 only shows the missing authorization and lists the profiles which came close to the authorization you actually need!
This tool searches through and filters profiles/roles which have partial authorization, and it is powerful enough to consider ‘*’ or ‘Z*’ and the like while looking for the value ‘ZARM’, for example. This means that SAP_ALL and other powerful profiles/roles would show up in the list every time a user executes the program. For that reason I would advise setting up a custom table that contains the list of all the profiles the general users should be allowed to have and excluding these sacred profiles/roles from that table, OR putting only these profiles/roles in that table and excluding them from your final list of profiles/roles before display.
The performance of this tool is an important factor (which is very much covered, I must say), but if your organization has hundreds or thousands of profiles/roles then I would again advise you to create a custom table to maintain valid profiles/roles. You could put an inner join on it to drop unwanted profiles/roles and then display the refined list!
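The lookup and filtering described in the two paragraphs above, modelled in Python as an added example (this is not the ZSU53 ABAP code). The sample rows, the profile names and the ASSIGNABLE set standing in for the custom table are constructed, and the model assumes a profile only counts when a single authorization covers every field of the failed check.

```python
from collections import defaultdict

# Constructed sample rows: (profile, authorization, object, field, low, high).
GRANTS = [
    ("SAP_ALL",    "A1", "S_TABU_DIS", "ACTVT",     "*",    ""),
    ("SAP_ALL",    "A1", "S_TABU_DIS", "DICBERCLS", "*",    ""),
    ("Z_ARM_DISP", "B1", "S_TABU_DIS", "ACTVT",     "03",   ""),
    ("Z_ARM_DISP", "B1", "S_TABU_DIS", "DICBERCLS", "Z*",   ""),
    ("Z_RANGE",    "C1", "S_TABU_DIS", "ACTVT",     "01",   "03"),
    ("Z_RANGE",    "C1", "S_TABU_DIS", "DICBERCLS", "ZARM", ""),
    # Fields split over two authorizations: neither one passes the check.
    ("Z_SPLIT",    "D1", "S_TABU_DIS", "ACTVT",     "03",   ""),
    ("Z_SPLIT",    "D1", "S_TABU_DIS", "DICBERCLS", "FI*",  ""),
    ("Z_SPLIT",    "D2", "S_TABU_DIS", "ACTVT",     "02",   ""),
    ("Z_SPLIT",    "D2", "S_TABU_DIS", "DICBERCLS", "ZARM", ""),
]
# Stand-in for the custom table of profiles general users may be given.
ASSIGNABLE = {"Z_ARM_DISP", "Z_RANGE", "Z_SPLIT"}


def value_covers(low, high, wanted):
    """True if one stored value row (single, pattern or range) covers `wanted`."""
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def matching_profiles(grants, obj, required):
    """Profiles holding one authorization for `obj` that covers every field."""
    covered = defaultdict(set)  # (profile, authorization) -> satisfied fields
    for profile, auth, g_obj, field, low, high in grants:
        if g_obj == obj and field in required and value_covers(low, high, required[field]):
            covered[(profile, auth)].add(field)
    return sorted({p for (p, _), fields in covered.items() if fields == set(required)})


def suggest(grants, obj, required, assignable):
    """Matching profiles minus anything not cleared for general users."""
    return [p for p in matching_profiles(grants, obj, required) if p in assignable]


if __name__ == "__main__":
    failed = {"ACTVT": "03", "DICBERCLS": "ZARM"}
    print(matching_profiles(GRANTS, "S_TABU_DIS", failed))
    print(suggest(GRANTS, "S_TABU_DIS", failed, ASSIGNABLE))
```

SAP_ALL matches through its ‘*’ values but is dropped by the allowlist, and Z_SPLIT never appears because its two authorizations each cover only one of the two fields.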
If you choose to show the users under the profiles/roles, you can see how profiles and roles have been assigned to users; if the users have the same responsibilities, you could decide to club the profiles together and create a role which covers that responsibility. This tool can be used much like SU53: the user could send a screenshot of it to, e.g., the Basis Administrator, or they could look up the last failure by pressing F5 or button, entering the user’s ID to view the list of profiles and roles.
This tool has reduced lots of headache around obtaining the right authorizations to get the job done and I sincerely hope it would work miracles for your organization too!
Note: Those of you very familiar with SAP authorizations will know that SU53 has its limitations (e.g. sequence of profiles checked, structure authorizations etc.). The same limitations apply to ZSU53 as well, and it will not produce correct results in all situations.
Find more information, including the actual program code, in this article:
ZSU53 – Missing Authorization Assistance
Thanks for publishing this program. Is there any chance that you would publish your program using SAP Link? Or am I the only one who thinks that publishing a program by dumping source code to PDF is pretty weird these days?
Cheers
Even a plain text version would be much better than the quaint PDF format.
http://code.google.com/p/zsu53/
BR,
Asim
Martin
I think the blog itself was rather short. Maybe it could have been divided into two blogs explaining in detail the six new forms added in ZSU53.
And with reference to variable p_user (used to determine visibility of assigned users), would it be better if we could make it a parameter ID? This way, it can be set in the user master data of individual users.
Overall a very useful utility.
I'll try to write up another blog explaining the newly introduced forms!
Just a note that the code being shared is a simplified form of the program we are actually running. In our implementation it is a parameter ID and there is lots of other stuff, including a custom table which limits the profiles/roles lookup, making it very efficient, etc.
BR,
Asim
https://wiki.sdn.sap.com/wiki/display/Snippets/ZSU53+-+Missing+Authorization+Assistance
I am a BI person and don't know much about ABAP. I have downloaded the program and tried to implement it in the system. The tcode ZSU53 runs fine but does not give the list of users under the profile or role names. But the documents do suggest that p_user is by default 'X' and this gives the list of users. Are there any additional steps I need to perform?
Not having much idea, I uncommented these lines:
* IF p_user = 'X'." and lv_repeat = 0.
* ADD 1 TO g_node_key_role.
* CLEAR node.
* node-node_key = g_node_key_role.
* node-relatkey = g_node_key_num.
* node-relatship = cl_list_tree_model=>relat_last_child.
* node-n_image = 'BNONE'.
* node-isfolder = ' '.
* APPEND node TO node_table.
*
* CLEAR l_wa_node_table.
* l_wa_node_table-node_key = node-node_key.
* l_wa_node_table-isfolder = node-isfolder.
* l_wa_node_table-expander = node-expander.
* l_wa_node_table-agr_name = 'this is agr_name in bname'.
* INSERT l_wa_node_table INTO TABLE gt_nodes.
*
* CLEAR item.
* item-node_key = node-node_key.
* item-item_name = '01'.
* item-class = cl_list_tree_model=>item_class_text.
* item-alignment = cl_list_tree_model=>align_auto.
* item-font = cl_list_tree_model=>item_font_prop.
* item-text = 'No user assigned!'. "#EC *
* APPEND item TO item_table.
* ENDIF.
-------------
After which the nodes are coming in but again tells that "No user assigned!"
But I have run SUIM and the roles/profiles do have users list. The system has BI 7.0 support pack 23.
Please advise.
--Thanks & regards
Akashdeep Banerjee
Sorry for getting back to you a little late on this. The users are read from table UST04; you might want to put a break point and see if the internal table (lt_ust04) is being populated or not within form GET_RELATED_AUTH. If yes, then it should work (was working, last time I checked!). The user ID and name are then moved to another internal table IT_ALL; from there they get displayed under the profiles/roles.
The code you uncommented displays an additional node with text 'No user assigned'. In my opinion it is a bit annoying to expand a node under the profile/role and find that no user is assigned to it.
Anyways, let me know what the outcome was and we could take it from there.
Best regards,
Asim