Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SU53 doesn't capture RFC calls authorisation check

Go to solution
former_member185943
Participant

‎04-20-2006 11:36 AM

0 Kudos

Hi!

I am calling a BAPI from an external application (creating sales order), and I'm getting a return message "No authorization for maintaining sales documents". This is fine, but when I try to check SU53 for the user involved, I get nothing. Seems like SU53 doesn't capture authorisation checks from RFC calls. How can I find which authorisation object is missing? I don't mean only this particular one (although I could use it too), but generally.

Thanks!

Kind regards,

Igor

1 ACCEPTED SOLUTION

Go to solution
Peter_Inotai
Active Contributor

‎04-20-2006 12:17 PM

0 Kudos

What I would suggest:

- Try to grant SAP_ALL or something really powerful to the user and see if your problem is really authorization related.

- Set an external breakpoint in the BAPI and try to debug it (maybe breakpoint on AUTHORITY-CHECK would help).

Peter

14 REPLIES 14

Go to solution
Former Member

‎04-20-2006 11:43 AM

0 Kudos

Maybe there is a better way, but I would suggest you check that the RFC user has the required authorizations for the Sales order transactions (or whichever transaction is to be executed).

Sudha

Go to solution
naimesh_patel
Active Contributor

‎04-20-2006 11:46 AM

0 Kudos

Hello,

May be first perform operation on the destination with the user which is there in the RFC connection.

Regards,

Naimesh

Go to solution
former_member185943
Participant
In response to naimesh_patel

‎04-20-2006 11:52 AM

0 Kudos

Sudha and Naimesh,

I am calling a BAPI from external application, not a transaction, and this "required authorisations", "whichever transaction" and "operation" from your replies are exactly my questions. I don't know which particular authorisations or transactions are required, and I'd like to see if I can have the liberty to stay ignorant. Well, if everything else fails, yes - I'll go and search for that, but I'd like to avoid painful manual work like this if possible. I need a general solution if there is one.

Thanks for your replies anyway!

Regards,

Igor

Go to solution
Former Member
In response to naimesh_patel

‎04-20-2006 11:58 AM

0 Kudos

Igor,

You can use transaction PFCG in the SAP system to check which authorizations would be required for your RFC user to successfully post the document.

In PFCG you can search for roles by the transaction code (eg: VA01 for create sales order), and then check if the user is assigned the role. Here I am guessing that the user would require some sales order profile to be able to succesfully post the document. Otherwise you will have to search the development profiles (S_DEVELOP)?

Like I said, I am not aware of any other 'general solution' for this.

Hope this helps.

Sudha

Message was edited by: Sudha Mohan

Go to solution
former_member185943
Participant
In response to naimesh_patel

‎04-20-2006 12:33 PM

0 Kudos

Sudha,

I tried to add VA01 to the role menu, and it generated tons of authorisation objects, like I expected. I have two options now:

1. check each of them one by one, which is hard because I am not a functional specialist

2. Assign "Full" to all of them, which is a security risk.

I don't exactly fancy any of these options, but it's a good start.

Is there something better?

Thanks!

Regards,

Igor

Go to solution
Former Member
In response to naimesh_patel

‎04-20-2006 12:58 PM

0 Kudos

Igor,

I agree, it is indeed irksome to sort through the list.But you could try with a few ones that sound generic, for eg: SAP_LO_SD_SALES_ORD_PROCESSING. If it works, its a bonus. If not, well, it was worth a try.

Btw, have you looked at the BAPI documentation? Does that suggest anything?

Peter's idea sounds good too. Let the forum know if it works.

Sudha

Go to solution
former_member185943
Participant
In response to naimesh_patel

‎04-20-2006 1:05 PM

0 Kudos

Sudha,

I deleted all the new authorisation objects that I didn't recognize at glance and left only the basic one: creating sales order. And it did the trick. The BAPI works now.

Not a general solution, but an acceptable workaround.

Peter, if it's not too much work, could you still post something on external breakpoints?

Thanks!

Regards,

Igor

P.S. I still wonder why SU53 doesn't capture RFC calls.

Go to solution
Peter_Inotai
Active Contributor
In response to naimesh_patel

‎04-20-2006 1:10 PM

0 Kudos

<i>Peter, if it's not too much work, could you still post something on external breakpoints? </i>

I'm not an expert on the topic, but used several times for RFC-enabled FMs in BSP.

You can find a lot of details in the Online help, however the main focus there is web applications, however it works fine also for remote function modules:

http://help.sap.com/saphelp_erp2005/helpdata/en/af/0cb5403fd63426e10000000a1550b0/frameset.htm

Peter

Go to solution
Peter_Inotai
Active Contributor

‎04-20-2006 12:17 PM

0 Kudos

What I would suggest:

- Try to grant SAP_ALL or something really powerful to the user and see if your problem is really authorization related.

- Set an external breakpoint in the BAPI and try to debug it (maybe breakpoint on AUTHORITY-CHECK would help).

Peter

Go to solution
former_member185943
Participant
In response to Peter_Inotai

‎04-20-2006 12:20 PM

0 Kudos

Peter,

SAP_ALL works. Besides, there's an explicit return message saying that authorisation is missing.

External breakpoint is an interesting idea. How do I set one?

Thanks!

Regards,

Igor

Go to solution
Peter_Inotai
Active Contributor
In response to Peter_Inotai

‎04-20-2006 12:34 PM

0 Kudos

Hi Igor,

Thanks for the feedback. I'm on R/3 4.70 (WAS 6.20), where you can activate external debugging via SE38, Menu Utilities-> Settings. ABAP Editor, Debugging. Set the Actv flag.

If you set a breakpoint in the source code, the system will ask if you'd like an external or session breakpoint.

(In NW 2004s/ ABAP 7.00 there is already two separate button for this in the application toolbar)

In 46C it was also possible to debug RFC as I did it, but don't really remember the details. I'm sure I was logon on to the system via SAPGUI and I had the breakpoint set.

Maybe check the online help for details and hints:

http://help.sap.com/saphelp_46c/helpdata/en/22/042619488911d189490000e829fbbd/frameset.htm

Peter

Go to solution
Former Member

‎01-14-2007 1:26 AM

0 Kudos

Hi Igor,

You can try this:

- open a session on the remote system with the user you're going to use in you RFC

- run you RFC, the system will try to perform the Bapi on the remote system. At this time you have 2 opened sessions.

- your RFC will faill as usual but you still have an active session on the remote system. Run SU53 and the system should give you what your're expecting !

I used this method with RFC but not with RFC and Bapi. Nevertheless I'm pretty sure it works.

Go to solution
athavanraja
Active Contributor
In response to Former Member

‎01-14-2007 7:14 AM

0 Kudos

did you try SM21?

Raja