04-20-2006 11:36 AM
Hi!
I am calling a BAPI from an external application (creating sales order), and I'm getting a return message "No authorization for maintaining sales documents". This is fine, but when I try to check SU53 for the user involved, I get nothing. Seems like SU53 doesn't capture authorisation checks from RFC calls. How can I find which authorisation object is missing? I don't mean only this particular one (although I could use it too), but generally.
Thanks!
Kind regards,
Igor
04-20-2006 12:17 PM
What I would suggest:
- Try to grant SAP_ALL or something really powerful to the user and see if your problem is really authorization related.
- Set an external breakpoint in the BAPI and try to debug it (maybe breakpoint on AUTHORITY-CHECK would help).
Peter
04-20-2006 11:43 AM
Maybe there is a better way, but I would suggest you check that the RFC user has the required authorizations for the Sales order transactions (or whichever transaction is to be executed).
Sudha
04-20-2006 11:46 AM
Hello,
Maybe first perform the operation on the destination with the user which is there in the RFC connection.
Regards,
Naimesh
04-20-2006 11:52 AM
Sudha and Naimesh,
I am calling a BAPI from external application, not a transaction, and this "required authorisations", "whichever transaction" and "operation" from your replies are exactly my questions. I don't know which particular authorisations or transactions are required, and I'd like to see if I can have the liberty to stay ignorant. Well, if everything else fails, yes - I'll go and search for that, but I'd like to avoid painful manual work like this if possible. I need a general solution if there is one.
Thanks for your replies anyway!
Regards,
Igor
04-20-2006 11:58 AM
Igor,
You can use transaction PFCG in the SAP system to check which authorizations would be required for your RFC user to successfully post the document.
In PFCG you can search for roles by the transaction code (e.g. VA01 for create sales order), and then check if the user is assigned the role. Here I am guessing that the user would require some sales order profile to be able to successfully post the document. Otherwise you will have to search the development profiles (S_DEVELOP)?
Like I said, I am not aware of any other 'general solution' for this.
Hope this helps.
Sudha
Message was edited by: Sudha Mohan
04-20-2006 12:33 PM
Sudha,
I tried to add VA01 to the role menu, and it generated tons of authorisation objects, like I expected. I have two options now:
1. Check each of them one by one, which is hard because I am not a functional specialist.
2. Assign "Full" to all of them, which is a security risk.
I don't exactly fancy any of these options, but it's a good start.
Is there something better?
Thanks!
Regards,
Igor
04-20-2006 12:58 PM
Igor,
I agree, it is indeed irksome to sort through the list. But you could try with a few ones that sound generic, e.g. SAP_LO_SD_SALES_ORD_PROCESSING. If it works, it's a bonus. If not, well, it was worth a try.
Btw, have you looked at the BAPI documentation? Does that suggest anything?
Peter's idea sounds good too. Let the forum know if it works.
Sudha
04-20-2006 1:05 PM
Sudha,
I deleted all the new authorisation objects that I didn't recognize at a glance and left only the basic one: creating sales order. And it did the trick. The BAPI works now.
Not a general solution, but an acceptable workaround.
Peter, if it's not too much work, could you still post something on external breakpoints?
Thanks!
Regards,
Igor
P.S. I still wonder why SU53 doesn't capture RFC calls.
04-20-2006 1:10 PM
"Peter, if it's not too much work, could you still post something on external breakpoints?"
I'm not an expert on the topic, but I have used it several times for RFC-enabled FMs in BSP.
You can find a lot of details in the online help. The main focus there is web applications, however it also works fine for remote function modules:
http://help.sap.com/saphelp_erp2005/helpdata/en/af/0cb5403fd63426e10000000a1550b0/frameset.htm
Peter
04-20-2006 1:11 PM
Maybe this example is closer to yours:
http://help.sap.com/saphelp_erp2005/helpdata/en/d7/0b404136128839e10000000a1550b0/frameset.htm
Peter
04-20-2006 12:20 PM
Peter,
SAP_ALL works. Besides, there's an explicit return message saying that authorisation is missing.
External breakpoint is an interesting idea. How do I set one?
Thanks!
Regards,
Igor
04-20-2006 12:34 PM
Hi Igor,
Thanks for the feedback. I'm on R/3 4.70 (WAS 6.20), where you can activate external debugging via SE38, menu Utilities -> Settings, ABAP Editor, Debugging. Set the Actv flag.
If you set a breakpoint in the source code, the system will ask if you'd like an external or session breakpoint.
(In NW 2004s / ABAP 7.00 there are already two separate buttons for this in the application toolbar.)
In 46C it was also possible to debug RFC, as I did it, but I don't really remember the details. I'm sure I was logged on to the system via SAPGUI and I had the breakpoint set.
Maybe check the online help for details and hints:
http://help.sap.com/saphelp_46c/helpdata/en/22/042619488911d189490000e829fbbd/frameset.htm
Peter
01-14-2007 1:26 AM
Hi Igor,
You can try this:
- Open a session on the remote system with the user you're going to use in your RFC.
- Run your RFC; the system will try to perform the BAPI on the remote system. At this time you have 2 open sessions.
- Your RFC will fail as usual, but you still have an active session on the remote system. Run SU53 and the system should give you what you're expecting!
I used this method with RFC but not with RFC and BAPI. Nevertheless I'm pretty sure it works.
01-14-2007 7:14 AM