
How many times have you and your colleagues come across the classic 'You are not authorized to use transaction....' error, run SU53, and sent a screenshot of it to your Basis Administrator (or been asked for it) to get the authorization issue resolved? Now you can execute this program and get the list of profiles/roles containing the authorization (yes, as simple as that)! Your Basis Administrator can in turn assign you the one he/she considers appropriate for you to have.

The highlights of this tool are:

  • Lists profiles/roles which contain the appropriate authorization
  • Can list the users under the profiles/roles
  • Only looks up active profiles/roles
  • Looks up ALL authorization values (which could be up to 10) for an authorization failure!

Here is a sample comparison between SU53 and ZSU53:

 

The screenshot above shows how ZSU53 displays a list of profiles/roles containing the authorization object and its respective attributes, whereas the standard transaction SU53 only shows the missing authorization and lists the profiles which came close to the authorization you actually need!

This tool searches through and filters profiles/roles which have partial authorization, and it is powerful enough to consider '*' or 'Z*' and the like while looking for the value 'ZARM', for example. This means that SAP_ALL and other powerful profiles/roles would show up in the list every time a user executes the program. For that reason I would advise setting up a custom table that either contains the list of all the profiles general users should be allowed to have, leaving these sacred profiles/roles out of that table, OR contains only these profiles/roles, which you then exclude from your final list of profiles/roles before display.

The performance of this tool is an important factor (which is very much covered, I must say), but if your organization has hundreds or thousands of profiles/roles, then I would again advise you to create a custom table of valid profiles/roles. You can put an inner join on it to drop unwanted profiles/roles and then display the refined list!
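The matching and exclusion logic described in the two paragraphs above, modelled as an added Python example (it is not the ZSU53 ABAP code and does not read SAP tables). The role data, the `EXCLUDED` set standing in for the custom table, and all function names are constructed for illustration; the model assumes one authorization per object per role.

```python
# Constructed sample data: profile/role -> {auth object -> {field -> granted values}}.
# A granted value is a literal, a 'PREFIX*' pattern, or a (low, high) range.
ROLES = {
    "SAP_ALL":        {"S_TCODE": {"TCD": ["*"]}},
    "Z_CUSTOM_ADMIN": {"S_TCODE": {"TCD": ["Z*"]}},
    "Z_ARM_CLERK":    {"S_TCODE": {"TCD": ["ZARM", "ZARD"]}},
    "Z_RANGE_USER":   {"S_TCODE": {"TCD": [("ZAA", "ZAZ")]}},
    "Z_FI_DISPLAY":   {"S_TCODE": {"TCD": ["FB03"]}},
}

# Constructed stand-in for the custom table of profiles/roles to hide from users.
EXCLUDED = {"SAP_ALL", "Z_CUSTOM_ADMIN"}


def value_covers(granted, needed):
    """True if one granted value (literal, pattern or range) covers `needed`."""
    if isinstance(granted, tuple):          # from/to range, compared as strings
        low, high = granted
        return low <= needed <= high
    if granted.endswith("*"):               # '*' or 'Z*' style prefix pattern
        return needed.startswith(granted[:-1])
    return granted == needed


def role_covers(role_auths, obj, failed_fields):
    """A role qualifies only if EVERY field of the failed check is covered."""
    fields = role_auths.get(obj, {})
    return all(
        any(value_covers(g, needed) for g in fields.get(field, []))
        for field, needed in failed_fields.items()
    )


def candidate_roles(roles, obj, failed_fields, excluded=frozenset()):
    """Roles containing the missing authorization, minus the excluded ones."""
    return sorted(
        name for name, auths in roles.items()
        if name not in excluded and role_covers(auths, obj, failed_fields)
    )


if __name__ == "__main__":
    failed = {"TCD": "ZARM"}                # the failed check from the text
    print("unfiltered:", candidate_roles(ROLES, "S_TCODE", failed))
    print("filtered:  ", candidate_roles(ROLES, "S_TCODE", failed, EXCLUDED))
```

Without the exclusion set, the wildcard holders appear next to the narrowly scoped roles, which is the over-offering the custom table is meant to prevent.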

If you choose to show the users under the profiles/roles, you can see how profiles and roles have been assigned to users. If the users have the same responsibilities, you could decide to club the profiles together and create a role which covers that responsibility. This tool can be used much like SU53: the user can send a screenshot of it to, e.g., the Basis Administrator, or the administrator can look up the last failure by pressing F5 or the corresponding button and entering the user's ID to view the list of profiles and roles.

This tool has reduced a lot of headaches around obtaining the right authorizations to get the job done, and I sincerely hope it will work miracles for your organization too!

Note: Those of you very familiar with SAP authorizations will know that SU53 has its limitations (e.g. sequence of profiles checked, structure authorizations, etc.). The same limitations apply to ZSU53 as well, and it will not produce correct results in all situations.

Find more information, including the actual program code, in this article:
ZSU53 - Missing Authorization Assistance
