In this document we will learn about two different methods to identify authorization issues.
- SU53 or /nSU53
- ST01
SU53 or /nSU53
Using this transaction you can analyze an access denied error in your system that just occurred. It displays the last failed authorization check, the user’s authorization and the failed HR authorization check.
Scenario:
User gets an authorization error on releasing a notification from IW22 transaction
IW22:
On clicking the release icon, the user gets an error message.
Press Enter or Click the green tick
Type /nSU53 in transaction code area
Press Enter
Now we will be able to identify the missing authorization objects and values for the user
Authorization Object | Authorization Field | Authorization Field Values |
---|---|---|
I_VORG_MEL | BETRVORG | PMM2 |
I_VORG_MEL | QMART | M1 |
These values can be used in the SUIM transaction to identify the roles that you can assign to the user.
ST01
ST01 is one of the primary tools in the SAP Security Module. It gives us a peek inside a running ABAP program or standard transaction by recording the SAP authorization checks in your own or an external system. The trace records each authorization object, along with the object’s fields and the values tested.
Scenario:
The user has access to perform “Do not Execute” on the work order, and this functionality needs to be restricted for the user.
This particular access cannot be captured via SU53.
IW32:
When the work order is in CRTD status, the system allows you to set “Do Not Execute” from the path Order – Functions – Complete – Do not Execute.
To identify the access provided to this user, use a trace.
ST01
Make sure you check Authorization check and select All
Click General Filters
Enter "PM01" in the Trace for User Only field and click the green tick or press Enter
PM01 is the user ID I have created for my testing
Click Settings to Save
Before starting the trace, request the user to be in the IW32 transaction with the order number entered; this will reduce the trace length
Now Click
Request the user to execute “Do not Execute” function for the work order. Once the action is performed, click
You have successfully taken the trace. Click
Enter the User Name, Client, and Date From/To, and select Authorization Check and All
Click Execute
Check for the value RC = 4 (No Authorization) and double-click the line item
Here you will be able to get the Authorization Field and Values.
Authorization Object | Authorization Field | Authorization Field Value |
---|---|---|
I_VORG_ORD | BETRVORG | BABL |
I_VORG_ORD | AUFART | PM01 |
Restricting the above authorization removes access to the "Do not Execute" business transaction.
These values can be used in the SUIM transaction to identify the roles that give this access to the user.
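The two analysis steps above (pick out the RC = 4 checks, then look up roles by object, field and value) can be sketched offline as follows. This is an added example, not part of the original walkthrough: the exported trace line layout, the role names and the role contents are assumptions constructed for illustration.

```python
import re

# Constructed sample lines; the "USER OBJECT RC=n FIELD=VALUE;..." layout is an
# assumption about how the trace was exported, not output copied from the page.
TRACE = """\
PM01 S_TCODE    RC=0 TCD=IW32;
PM01 I_VORG_ORD RC=4 BETRVORG=BABL;AUFART=PM01;
PM01 I_VORG_MEL RC=4 BETRVORG=PMM2;QMART=M1;
PM01 I_VORG_ORD RC=4 BETRVORG=BABL;AUFART=PM01;
"""

# Hypothetical roles: role -> object -> field -> allowed values ("*" = generic).
ROLES = {
    "Z_PM_ORDER_FULL": {"I_VORG_ORD": {"BETRVORG": ["*"], "AUFART": ["PM*"]}},
    "Z_PM_ORDER_PM02": {"I_VORG_ORD": {"BETRVORG": ["BABL"], "AUFART": ["PM02"]}},
    "Z_PM_NOTIF_RELEASE": {"I_VORG_MEL": {"BETRVORG": ["PMM2"], "QMART": ["M1", "M2"]}},
}

LINE = re.compile(r"^(\S+)\s+(\S+)\s+RC=(\d+)\s+(.*)$")

def parse_trace(text):
    """Yield (user, object, rc, {field: value}) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # anything else (headers, non-authorization lines) is skipped
            user, obj, rc, rest = m.groups()
            fields = dict(p.split("=", 1) for p in rest.split(";") if "=" in p)
            yield user, obj, int(rc), fields

def failed_checks(text, user):
    """Distinct checks that ended with RC = 4 for one user, in trace order."""
    seen = []
    for u, obj, rc, fields in parse_trace(text):
        if u == user and rc == 4 and (obj, fields) not in seen:
            seen.append((obj, fields))
    return seen

def value_allowed(allowed, value):
    """Exact match, or generic match on a trailing '*'."""
    return any(a == value or (a[-1:] == "*" and value.startswith(a[:-1])) for a in allowed)

def roles_granting(obj, fields):
    """Roles whose authorization for obj covers every checked field value."""
    return sorted(r for r, auths in ROLES.items() if obj in auths and all(
        value_allowed(auths[obj].get(f, []), v) for f, v in fields.items()))

if __name__ == "__main__":
    for obj, fields in failed_checks(TRACE, "PM01"):
        print(obj, fields, "->", roles_granting(obj, fields))
```

A role only counts as a match when it covers every field of the check, which is why the hypothetical Z_PM_ORDER_PM02 role is not reported for order type PM01.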