Correcting Security error 5@ 015: Inconsistency in Authorization default values of a transaction for an object
The error:
Sometimes, when we try to change authorization data of a role containing a transaction (In this example /VIRSA/ZVRAT) in PFCG, we get an error like the below:
“Authorization default values of transaction /VIRSA/ZVRAT for object ZVRAT_0004 inconsistent”
This error has occurred because the authorisation fields in the value list in transaction SU24 (that updates the customer tables USOBT_C and USOBX_C) are different from those defined in SU21 for the object, in this case ZVRAT_0004.
If we check the objects and values in SU24 (which shows the data updated in table USOBT_C) for transaction /VIRSA/ZVRAT, we get the below
information for the object ZVRAT_0004:
We can display the concerned authorization object class in SU21 (in this case object class: ZVRA) to find out the inconsistency for the specific object
Click on Authorization objects to get the list of objects
Select the object ZVRAT_0004 and click on display to get the details as below:
Here we can see that while the object only has the field ZORGRULEID in SU21, the customer data in SU24 has an additional
field /VIRSA/ORG. Hence the inconsistency.
Remediation:
- In SU24, display check indicator for /VIRSA/ZVRAT and click on SAP defaults
- Go to edit mode
This gives a prompt for a workbench request
- Once the transport request has been created, we get the below screen. Select the object to delete and hit the delete button on the right
The object is deleted from the check indicator screen.
- To add the object again ( or any new object), click on Add auth object:
The object is added below.
By default, the check indicator points on “check” and not “check maintain as it was earlier. In this case if we click
on “Display field values”, we will not see this object.
Therefore, the check indicator needs to be changed to check/maintain:
Once the changes are saved, we can now click on to display the updated object status, which is consistent with
the SU21 value:
This resolves the error of inconsistent authorization.