Skip to Content

Ever wondered how to find out which role is needed to execute a certain action?

Several customers ask which role is needed to be able to execute a certain action.

Of course the solution is easy and well known:

  • get a user with no rights for a certain action
  • try to execute the action
  • run Tcode SU53, and you’ll see which role is missing, i.e. where did the authorization check failed.

On the other hand if you have a user which can execute a certain action, and you would like to find out which role of this user granted access to this action, there is also a way to find this out.

Authorization trace.

This is how it works:

I went to Tcode ST01. Checked the box ’Authorization check’ and pressed ’Trace on’:

ST01.jpg

When this was done I executed an example action. As I’m dealing with BW component I did selective deletion from a DataStoreObject (DSO).

Once this was done I switch off the trace in Tcode ST01 and pressed ’Analysis’:

ST01_off.jpg

ST01_analyse.jpg

The output looks like this on a BW 7.00SP31 system:

ST01_output.jpg

an very similar on BW 730SP10:

ST01_output_730.jpg

Based on this, selective deletion on a DSO requires S_RS_ODSO role with activity = 06.

The same method can be used to find out the needed roles for other activities as well.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.