How to Analyzing Authorization Checks for SAP User

 

Ifyou do not know the required authorizations for a transaction, you canuse the system trace or the authorization error analysis to determinethem.

● System Trace

1.      Choose Tools ® Administration ®  Monitor ® Traces ® SAP System trace.

2.      Choose the trace component Authorization check and then Trace on. The system then automatically writes the trace to disk.

3.      To restrict the system trace to your own sessions, choose Edit ® Filter ® General. In the dialog box displayed, enter your user ID in the field Trace for user only.

 4.      After you have completed your analysis, choose Trace off.

  5.      To display the results of the analysis, choose Goto ® Files/Analysis or choose the pushbutton File list. Position the cursor on the file that you want to analyze and choose Analyze file.

You will see authorization tests entries in the format <Authorization object>:<Field>=<Value tested>.

Youcan display a formatted view of an authorization check bydouble–clicking an entry. (You may need to scroll down in the displayto reach the formatted view of the entry.)

If no authorization entries exist or the system displays the message Authorizationentries skipped, check that you have set the trace switches correctly. If the switches are correct, then choose Tracefile ® Analyze file and ensure that Trace for authorizationchecks is selected.

●   Authorization error analysis

Youcan use transaction SU53to analyze an access-denied error in yoursystem that just occurred. It displays the last failed authorizationcheck, the user’s authorizations, and the failed HR authorization check.

You can use transaction SU53 from any of your sessions, not just the one in which the error occurred.

Forexample, you have selected a function, and the system responds with themessage "You are not authorized for this function." To display thechecked authorization object, enter SU53 or /nSU53 in the commandfield. The system then displays a comparison of the values of theobject that are in your user master record.

Note,as the administrator, that the data in the Failed Authorization Checkarea are from the time at which the user started transaction SU53 todetermine which authorization he or she is missing.

TheUser’s Authorization Data, on the other hand, is the data that was readdirectly from the user buffer at the time of analysis, when theadministrator views the user’s problem by choosing Display for OtherUsers.

Usetransaction SU56 to display all of your own authorizations or theauthorizations of another user. Call transaction SU56 by choosing Goto? Entered Authorization in User Buffer. This transaction shows whichauthorizations are currently assigned in the user's user master record.