Tracing Authorization Issues in SAP:
Identity management and data security are very important concepts in SAP, used to restrict users from accessing confidential information within the system. Because SAP is the global ERP system at most clients, it is very important to make sure that proper authorizations are provided to each user. For example, a person working in the sales team should not, or may not, be provided authorizations to access finance-related transactions. SAP provides some good options to restrict users' access to information.
However, one of the most common issues we see is the correct person missing necessary authorizations. For instance, a manufacturing person working on the shop floor might be missing the authorization to access a custom transaction dealing with Operations for a Production Order. The purpose of this blog is to help a functional or technical SAP person identify the missing authorization object that is preventing a user from accessing the transaction.
Authorization Error Analysis Transaction: SU53
SU53 - In my experience, I can definitely say that this is one of the most important and useful transactions for any person working on an SAP system.
To restrict users from accessing a transaction, we use a concept called an authorization object: only users who have that authorization object in their profile can access a transaction that checks that authorization object.
When you run a transaction in SAP, you might see a message such as 'You Are Not Authorized' or 'No Authorization'. The next step is to go to transaction SU53, where it shows the name of the authorization object whose check failed. If you are eligible, you can just request that the authorization object be added to your profile.
This applies not just to custom transactions; SAP standard transactions use the same concept, and this method helps you identify the authorization objects which need to be added to your profile to get access to that transaction.
Another important point: even if there is no error message on the screen, if something looks odd you can check SU53 as soon as you run the transaction to see whether any authorization check has failed. For example, suppose there is an SAP standard transaction which should show a button to DELETE a row; the visibility of that button can be restricted using the authorization object concept. In this case the program will not show any error message; the result is simply that the user does not see the button. So if you feel that some buttons or other elements are missing when you access a particular transaction, check SU53 immediately to see what the issue is.
The screenshot below shows a sneak peek of SU53. In that screenshot, S_USER_PRO is the authorization object for which the check has failed.
SU53 can also be used to check authorization issues of other users, using the Other Object button (3rd from left) in the screenshot above.
System Trace: Using ST01
This is another way of tracing an authorization error.
You can use the system trace function in transaction ST01 to trace an authorization error when a transaction is being run in an external session but on the same application server.
For example: I have a Web Dynpro application which might have given some error message on the screen. SU53 may not always work here (as the application is being run in a browser), so we can use the above method instead. Another example would be a Remote Function Module which is being called on a different system.
The steps are: go to transaction ST01, check the Authorization Check check box and click the Trace On button (as shown below).
We have the option to restrict the trace by User, Program or Transaction using the General Filters button. If there are no filters, the trace runs wide open for all the users and transactions in that system.
After activating the trace, perform your process steps, then come back to ST01, click the Trace Off button and then click the Analysis button to display the trace. The output of the trace looks like the screenshot shown below.
In the above screenshot you can see that the S_DEVELOP check was successful with RC (Return Code) 0 and S_PB_PAGE has failed with return code 12, so to get access to that transaction, S_PB_PAGE needs to be added to that user's profile.
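To connect the hidden-button case under SU53 with the return codes seen in ST01, here is an added example (not code from the original post) of how a program performs the check that both tools report. The authorization object Z_PRODOPS, its fields and the report name are hypothetical; activity values 03 (display) and 06 (delete) are the standard ACTVT codes.

```abap
REPORT z_auth_check_demo.

* Added example. Z_PRODOPS and its fields WERKS/ACTVT are a hypothetical
* custom authorization object, not one named in the post.
TYPES ty_actvt TYPE c LENGTH 2.

PARAMETERS p_werks TYPE werks_d OBLIGATORY.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS check
      IMPORTING iv_werks     TYPE werks_d
                iv_actvt     TYPE ty_actvt
      RETURNING VALUE(rv_rc) TYPE sy-subrc.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD check.
    " A failed check here is what SU53 displays afterwards, and the
    " resulting sy-subrc is the RC value listed in the ST01 trace.
    AUTHORITY-CHECK OBJECT 'Z_PRODOPS'
      ID 'WERKS' FIELD iv_werks
      ID 'ACTVT' FIELD iv_actvt.
    rv_rc = sy-subrc.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Activity 03 = display: fail closed with a visible message.
  IF lcl_auth=>check( iv_werks = p_werks iv_actvt = '03' ) <> 0.
    MESSAGE 'You are not authorized for this plant' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  WRITE: / 'Operations for plant', p_werks.

  " Activity 06 = delete: no message, the function is simply not offered.
  " The user only notices something missing; SU53 still shows the failure.
  IF lcl_auth=>check( iv_werks = p_werks iv_actvt = '06' ) = 0.
    WRITE: / '[Delete] available'.
  ENDIF.
```

A return code of 0 means the check passed; any other value is a failure, which is why the program treats every non-zero result as "not authorized" rather than testing for one specific code.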
I will try to post another blog about Authorization Objects and the SAP transaction code SUIM, but this is it for now :). Hope this helps you to solve some of the critical issues on your system :).