Enterprise Resource Planning Blogs by Members
MTerence

In this document we will learn about two different methods to identify authorization issues.

  1. SU53 or /nSU53
  2. ST01

SU53 or /nSU53


Using this transaction you can analyze an access-denied error that has just occurred in your system. It displays the last failed authorization check, the user’s authorization and the failed HR authorization check.

Scenario:

The user gets an authorization error when releasing a notification from transaction IW22.

IW22:

On clicking the release icon, the user gets the below error message

Press Enter or Click the green tick

Type /nSU53 in transaction code area

Press Enter

Now we will be able to identify the missing authorization objects and values for the user

                                                                                                                                                                                                                                    

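| Authorization Object | Authorization Field | Authorization Field Values |
|----------------------|---------------------|----------------------------|
| I_VORG_MEL           | BETRVORG            | PMM2                       |
|                      | QMART               | M1                         |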

These values can be used in transaction SUIM to identify the roles which you can assign to the user.

ST01

ST01 is one of the primary tools in the SAP Security Module. It gives us a peek inside a running ABAP program or standard transaction by recording the SAP authorization checks in your own or an external system. The trace records each authorization object, along with the object’s fields and the values tested.

Scenario:


The user has access to perform “Do not Execute” on the work order, and we need to restrict the user from this functionality.


This particular access cannot be captured via SU53


IW32:


When the work order is in CRTD status, the system allows you to set “Do Not Execute” via the path Order – Functions – Complete – Do not Execute

To identify the access provided to this user, you can use a trace

ST01

Make sure you check Authorization check and select All

Click General Filters

Enter the Trace for User Only "PM01" and click the green tick or press enter

PM01 is the user ID I have created for my testing

Click Settings to Save

Before starting the trace, ask the user to be in transaction IW32 with the order number entered; this will reduce the trace length


Now Click

Request the user to execute “Do not Execute” function for the work order. Once the action is performed, click

You have successfully taken the trace. Click

Enter the User Name, Client and Date From/To, and select Authorization Check and All

Click Execute

Check for the value RC = 4 (No Authorization) and double-click the line item

Here you will be able to get the Authorization Field and Values.

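| Authorization Object | Authorization Field | Authorization Field Value |
|----------------------|---------------------|---------------------------|
| I_VORG_ORD           | BETRVORG            | BABL                      |
|                      | AUFART              | PM01                      |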

Restricting the above authorization removes access to the "Do not Execute" business transaction.

These values can be used in transaction SUIM to identify the roles which are giving access to the user.
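A long trace is easier to review once it is reduced to the object / field / value table shown above. The following is an added example, not part of the original post: it filters trace records for one user and one return code and collects the distinct values per authorization object. The line layout and the sample records (including user PM02) are constructed assumptions, not real ST01 output; adapt the pattern to the format you actually export.

```python
import re
from collections import defaultdict

# Constructed sample records, NOT real ST01 output. Assumed layout per line:
# <user> <object> RC=<code> <FIELD>=<value>;<FIELD>=<value>;
SAMPLE_TRACE = """\
PM01 S_TCODE RC=0 TCD=IW32;
PM01 I_VORG_ORD RC=4 BETRVORG=BABL;AUFART=PM01;
PM01 I_VORG_ORD RC=4 BETRVORG=BABL;AUFART=PM01;
PM02 I_VORG_MEL RC=4 BETRVORG=PMM2;QMART=M1;
this line is not a trace record
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+RC=(\d+)\s+(\S*)$")


def parse_line(line):
    """Return (user, object, rc, {field: value}), or None for non-record lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, obj, rc, rest = m.groups()
    fields = dict(p.split("=", 1) for p in rest.split(";") if "=" in p)
    return user, obj, int(rc), fields


def checks_for(trace_text, user, rc=4):
    """Distinct field values per object for one user's checks with return code rc.

    rc=4 selects failed checks; pass rc=0 to list the checks that succeeded.
    """
    found = defaultdict(lambda: defaultdict(set))
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != user or rec[2] != rc:
            continue
        for field, value in rec[3].items():
            found[rec[1]][field].add(value)  # repeated checks collapse into one entry
    return {obj: {f: sorted(v) for f, v in flds.items()} for obj, flds in found.items()}


if __name__ == "__main__":
    for obj, flds in checks_for(SAMPLE_TRACE, "PM01").items():
        for field, values in flds.items():
            print(f"{obj:<12}{field:<10}{', '.join(values)}")
```
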
