Tracing Authorization Issue in SAP

Identity Management and Data Security are very important concepts to be

dealt with in SAP to restrict users from accessing confidential information
within the system. SAP being the global ERP system in most of the clients, its
very important to make sure that proper authorizations are provided to each
user. For EX, person working in the sales team should or may not be provided
authorizations to be able to access Financial related transactions. SAP has
provided some good options to restrict users from accessing information in
any possible ways.
However, one of the most common issue we see is even the correct person
missing necessary authorizations. Like, a manufacturing person working on
the shop floor might be missing authorization to access a custom transaction
dealing with Operations for that Production Order. The purpose of this Blog is
to help either a functional or a technical SAP guy to identify the authorization
object which is missing due to which user is not able to access the
transaction.

Authorization Error Analysis Transaction: SU53

SU53 - In my experience, I can definitely say that this is one of the very
important and useful transaction for any person working on SAP system.

To restrict users from accessing a transaction, we use a concept called

Authorization object whereas only the users having that authorization object
in their profile will be able to access the transaction which checks that
Authorization object.

When you run a transaction in SAP, you might see a message as 'You Are
Not Authorized' or 'No Authoration' etc, next step you would need to do is
go to transaction SU53 where is shows the name of the authorization object
which has failed. If you are eligible you can just request for that authorization
object to be added to your profile.

Not just with custom transactions, sap standard transactions also use the
same concept, and this method helps you to identify the necessary
authorization objects which needs to be added to your profile to get access to
that transaction.
Another important point is, even if there is no Error Message on the screen if
you feel that some thing is weird, as soon as you run the transaction you can
check SU53 if any authorization object is failed. Like, there is SAP standard
transaction which should show a button to DELETE a row, now we can restrict
the visibility of that button using Authorzation-Object concept. In this case,
program will not show any error message, the output is that the user will not
be seeing that button. So if you feel that some buttons or some thing is
missing when you access a particular transaction, check SU53 immediately to
see as what is the issue.
Below screen shot shows a sneak peak of SU53. In that screen shot,
S_USER_PRO is the authorization object for which the check has failed.

This SU53 can be used even to check authorization issues of other users
using the Other Object button(3rd from left) on the screen shot above.

System Trace: - Using ST01

This is another way of tracing an authorization error.
You can use system trace function in transaction ST01 to trace authorization
error when a transaction is being ran in an external session but on the same
application server.
For EX: I have a webdynpro application which might have given some error
message on the screen. For this SU53 may not work all the times( as the
application is being ran on a browser), for which we can use the above
method. Another example would be, there might be Remote Function module
which is being called on a different system.

Process of steps is, go to transaction ST01 and check the Authorization Check
check box and click on Trace On button(As Shown below).
We do have an option to restirct the trace by User, Program or Transaction
using the General Filters button. If there are no filters, this transaction runs
wide open for all the users and transactions in that system.

After activating the trace, perform your process steps then come back to
ST01 and click on Trace Off Button and then click on the Analysis button to
display the trace. Output of the trace looks like the screen show shown
below,

In the above screen shot you can usee that, S_DEVELOP check was successful
with RC(Return Code) as 0 and S_PB_PAGE has failed with return code 12, so
to get access to that transaction, S_PB_PAGE needs to be added to that user's
profile.

I will try to post another blog about Authorization Objects and sap transaction
code SUIM but this is it for now :). Hope this helps you to solve some of the
critical issues on your system :).