Several customers ask which role is needed to be able to execute a certain action.

Of course the solution is easy and well known:

  • get a user with no rights for a certain action
  • try to execute the action
  • run Tcode SU53, and you’ll see which role is missing, i.e. where did the authorization check failed.

On the other hand if you have a user which can execute a certain action, and you would like to find out which role of this user granted access to this action, there is also a way to find this out.

Authorization trace.

This is how it works:

I went to Tcode ST01. Checked the box ’Authorization check’ and pressed ’Trace on’:

ST01.jpg

When this was done I executed an example action. As I’m dealing with BW component I did selective deletion from a DataStoreObject (DSO).

Once this was done I switch off the trace in Tcode ST01 and pressed ’Analysis’:

ST01_off.jpg

ST01_analyse.jpg

The output looks like this on a BW 7.00SP31 system:

ST01_output.jpg

an very similar on BW 730SP10:

ST01_output_730.jpg

Based on this, selective deletion on a DSO requires S_RS_ODSO role with activity = 06.

The same method can be used to find out the needed roles for other activities as well.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply