Several customers ask which role is needed to be able to execute a certain action.

Of course the solution is easy and well known:

• get a user with no rights for a certain action
• try to execute the action
• run Tcode SU53, and you’ll see which role is missing, i.e. where did the authorization check failed.

On the other hand if you have a user which can execute a certain action, and you would like to find out which role of this user granted access to this action, there is also a way to find this out.

Authorization trace.

This is how it works:

I went to Tcode ST01. Checked the box ’Authorization check’ and pressed ’Trace on’:

When this was done I executed an example action. As I’m dealing with BW component I did selective deletion from a DataStoreObject (DSO).

Once this was done I switch off the trace in Tcode ST01 and pressed ’Analysis’:

The output looks like this on a BW 7.00SP31 system:

an very similar on BW 730SP10:

Based on this, selective deletion on a DSO requires S_RS_ODSO role with activity = 06.

The same method can be used to find out the needed roles for other activities as well.