In this document we will learn about two different methods to identify authorization issues.

  1. SU53 or /nSU53
  2. ST01

SU53 or /nSU53


Using this transaction, you can analyze an access-denied error that has just occurred in your system. It displays the last failed authorization check, the user’s authorization and the failed HR authorization check.

Scenario:

A user gets an authorization error when releasing a notification in transaction IW22.

IW22:


On clicking the release icon, the user gets an authorization error message.


Press Enter or Click the green tick

Type /nSU53 in transaction code area


Press Enter

Now we will be able to identify the missing authorization objects and values for the user


Authorization Object    Authorization Field    Authorization Field Values
I_VORG_MEL              BETRVORG               PMM2
                        QMART                  M1

These values can be used in the SUIM transaction to identify the roles that you can assign to the user.

ST01

ST01 is one of the primary tools in the SAP Security Module. It gives us a peek inside a running ABAP program or standard transaction by recording the SAP authorization checks in your own or an external system. The trace records each authorization object, along with the object’s fields and the values tested.

Scenario:


The user has access to perform “Do not Execute” on the work order, and we need to restrict the user from this functionality.


This particular access cannot be captured via SU53


IW32:


When the work order is in CRTD status, the system allows you to set “Do Not Execute” via the path Order – Functions – Complete – Do not Execute


To identify the access provided to this user, use a trace

ST01


Make sure you check Authorization check and select All

Click General Filters


Enter “PM01” in the Trace for User Only field and click the green tick or press Enter

PM01 is the user ID I have created for my testing


Click Settings to Save

Before starting the trace, ask the user to be in the IW32 transaction with the order number entered; this will reduce the trace length


Now Click

Pic10.png

Request the user to execute “Do not Execute” function for the work order. Once the action is performed, click

pic 11.png

You have successfully taken the trace. Click

pic 12.png


Enter the User Name, Client, and Date From/To, and select Authorization Check and All

Click Execute


Check for the value RC = 4 (No Authorization) and double-click the line item


Here you will be able to get the Authorization Field and Values.

Authorization Object    Authorization Field    Authorization Field Value
I_VORG_ORD              BETRVORG               BABL
                        AUFART                 PM01

Restricting the above authorization will remove access to the “Do not Execute” business transaction.

These values can be used in the SUIM transaction to identify the roles that are giving this access to the user.
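The role lookup that both sections end with can also be reasoned about offline. The following is an added example, not part of the original post: it takes the object and field values found with SU53 and ST01 and finds the roles in which a single authorization covers all of them, since field values spread across different authorizations of the same object do not combine. The role names, authorization names and row layout are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (role, object, authorization, field, low, high).
# Role and authorization names are made up; the layout is an assumption.
ROWS = [
    ("Z_PM_PLANNER", "I_VORG_ORD", "A1", "BETRVORG", "BABL", ""),
    ("Z_PM_PLANNER", "I_VORG_ORD", "A1", "AUFART", "PM01", "PM03"),
    ("Z_PM_DISPLAY", "I_VORG_ORD", "B1", "BETRVORG", "BABL", ""),
    ("Z_PM_DISPLAY", "I_VORG_ORD", "B1", "AUFART", "PM02", ""),
    # Two authorizations that each hold only one of the required values:
    ("Z_PM_SPLIT", "I_VORG_ORD", "C1", "BETRVORG", "BABL", ""),
    ("Z_PM_SPLIT", "I_VORG_ORD", "C1", "AUFART", "PM02", ""),
    ("Z_PM_SPLIT", "I_VORG_ORD", "C2", "BETRVORG", "PMM2", ""),
    ("Z_PM_SPLIT", "I_VORG_ORD", "C2", "AUFART", "PM01", ""),
    ("Z_QM_NOTIF", "I_VORG_MEL", "D1", "BETRVORG", "PM*", ""),
    ("Z_QM_NOTIF", "I_VORG_MEL", "D1", "QMART", "M1", ""),
]


def value_covered(value, low, high):
    """True if one LOW/HIGH entry covers the checked value."""
    if low == "*":                      # full wildcard
        return True
    if low.endswith("*"):               # prefix pattern such as PM*
        return value.startswith(low[:-1])
    if high:                            # range LOW..HIGH
        return low <= value <= high
    return value == low                 # single value


def roles_granting(rows, obj, required):
    """Roles with ONE authorization for obj covering every required field."""
    auths = defaultdict(list)
    for role, o, auth, field, low, high in rows:
        if o == obj:
            auths[(role, auth)].append((field, low, high))
    hits = set()
    for (role, _auth), entries in auths.items():
        if all(any(f == field and value_covered(val, lo, hi)
                   for f, lo, hi in entries)
               for field, val in required.items()):
            hits.add(role)
    return sorted(hits)


if __name__ == "__main__":
    # Values from the ST01 trace in the scenario above.
    print(roles_granting(ROWS, "I_VORG_ORD",
                         {"BETRVORG": "BABL", "AUFART": "PM01"}))
```

Z_PM_SPLIT is not reported even though it contains both BABL and PM01, because they sit in different authorizations; a range or wildcard entry, as in Z_PM_PLANNER and Z_QM_NOTIF, does count.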
