Find failed authorization object in ST01 and SU53
Sometimes you know, or merely suspect, that an issue on CRM is caused by a failed authorization check (for example, an authorization failure error is raised), but you do not know which authorization object fails. This blog explains how to find it.
Option 1 – SU53
- You may trace the failed authorization object in SU53. This report shows all the authorization objects checked after logon with a time stamp.
- In the details, it shows when each authorization object was checked and for which values.
- You can then go to SU56 and browse the same object to see why the check fails.
- For example, CRM_ORD_LP fails in SU53 when checking whether the logon user can create (activt=01) transaction type ZZOP or ZYOP (pr_type = OPPT, ZZOP, ZYOP) at about 18:03:10. In SU56, no entry with the same values is maintained for CRM_ORD_LP. Thus the authorization check fails and is logged in SU53.
Option 2 – ST01
- Authorization checks can be traced in ST01 too. This is a better option than SU53 because you turn the trace on right before an operation on WebUI and turn it off after you finish the operation.
- You may follow the steps below.
- Run tcode ST01. Check [Authorization check]. You may restrict the trace to a specific logon user ID in [General Filters] – [Trace for user only]. Finally, click on [Trace on] to activate the trace.
- Perform the operation on WebUI or GUI that raises an authorization error or in which you suspect a failed authorization check.
- Afterwards, click on [Trace off] to stop the trace.
- Click on [Analysis] to collect the trace log. Select Authorization check, set From and To, and enter User name and Client.
- RC=0 means success and RC=4 indicates failure.
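The following Python sketch is an added example, not code from the original post or from SAP. It models why the CRM_ORD_LP check in Option 1 ends with the RC values listed above: a check succeeds only when a single authorization in the user's buffer covers every requested field value. The buffer contents are constructed, value ranges are not modelled, and RC=12 is the standard AUTHORITY-CHECK return code for "no authorization for this object at all", which the post does not mention.

```python
# Constructed sample of a user's authorization buffer (what SU56 displays).
# Each dict is one authorization: field name -> allowed values.
# Object and field names follow the post; the values are made up.
USER_BUFFER = {
    "CRM_ORD_LP": [
        {"ACTVT": ["03"], "PR_TYPE": ["*"]},           # display any type
        {"ACTVT": ["01", "02"], "PR_TYPE": ["OPPT"]},  # create/change OPPT only
    ],
}

def value_allowed(requested, allowed_values):
    """True if a literal value or a trailing-'*' pattern covers the request."""
    for allowed in allowed_values:
        if allowed.endswith("*"):
            if requested.startswith(allowed[:-1]):
                return True
        elif requested == allowed:
            return True
    return False

def authority_check(buffer, auth_object, **requested):
    """Return 0 on success, 4 if no authorization covers the values,
    12 if the user holds no authorization for the object at all."""
    authorizations = buffer.get(auth_object)
    if not authorizations:
        return 12
    for auth in authorizations:
        # Every requested field must be satisfied by the SAME authorization.
        if all(value_allowed(v, auth.get(f, [])) for f, v in requested.items()):
            return 0
    return 4

def explain(buffer, auth_object, **requested):
    """Per authorization (1-based), list the fields that block the request."""
    report = []
    for i, auth in enumerate(buffer.get(auth_object, []), start=1):
        blocking = [f for f, v in requested.items()
                    if not value_allowed(v, auth.get(f, []))]
        report.append((i, blocking))
    return report

if __name__ == "__main__":
    for pr_type in ("OPPT", "ZZOP", "ZYOP"):
        request = {"ACTVT": "01", "PR_TYPE": pr_type}
        rc = authority_check(USER_BUFFER, "CRM_ORD_LP", **request)
        print(pr_type, "RC =", rc, explain(USER_BUFFER, "CRM_ORD_LP", **request))
```

Note that the first authorization allows PR_TYPE ZZOP and the second allows ACTVT 01, yet the check still returns 4 because no single authorization allows both.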