Several customers ask which role is needed to be able to execute a certain action.
Of course the solution is easy and well known:
- get a user with no rights for a certain action
- try to execute the action
- run Tcode SU53, and you’ll see which role is missing, i.e. where did the authorization check failed.
On the other hand if you have a user which can execute a certain action, and you would like to find out which role of this user granted access to this action, there is also a way to find this out.
Authorization trace.
This is how it works:
I went to Tcode ST01. Checked the box ’Authorization check’ and pressed ’Trace on’:
When this was done I executed an example action. As I’m dealing with BW component I did selective deletion from a DataStoreObject (DSO).
Once this was done I switch off the trace in Tcode ST01 and pressed ’Analysis’:
The output looks like this on a BW 7.00SP31 system:
an very similar on BW 730SP10:
Based on this, selective deletion on a DSO requires S_RS_ODSO role with activity = 06.
The same method can be used to find out the needed roles for other activities as well.