During daily support users often have to request some information. By email or by corporate ticketing tool.
What system are you on? What were you doing? What transactions were you using when you received the error and so on
To facilitate these requests, in the SAP authorizations field, we can define a short user manual to publish, for example on the company intranet.
How should the user report the authorization issues?
Regarding the authorisation aspects the most useful information is that given by the SU53 transaction. This transaction allows to know all the necessary informations to solve the authorization problem.
Let’s see what they are:
- The user who has the problem, in the form of technical name
- The system and mandatory where the problem occurred
- The last authorization error (and the history of the last three hours)
- Stored Checks"(Shift+F5) - The chance to see the SU53 history (also on different application where the error occurred, once the authorization error has been saved (see OSS Note 1974803 - How to display failed authorization checks across application servers in SU53)
- Failed checks since - Allows you to see not only the last authorization error but those of the last three hours (see OSS Note 1671117 - SU53: Enhanced function and Web Dynpro suitability)
Particular cases
In some cases it is not possible to perform the SU53 transaction, or it is not immediate to identify the code of the transaction where you received the error.
Here are some examples:
- A transaction cover up the command field, how is it possible to perform SU53 transaction?
- simply press the top left corner of the SAP GUI to open a new window "generate session" and perform the SU53 transaction in this new way.
- simply press the top left corner of the SAP GUI to open a new window "generate session" and perform the SU53 transaction in this new way.
- How to identify the SAP transaction code?
- By clicking on the highlighted icon in the image below, in the bottom right of SAP GUI, is possible to identify the transaction used at the time of the error. This was especially useful when the SU53 did not show, directly in the log, the transactional code. In the most up-to-date systems this problem doesn't exist.
Look at the difference between SU53 from ten years ago and today.
- In the old one you only see the last authorization error
- In the new one there is also the transaction code (except for S_TCODE objects which are directly reported in the field)
Attention! In SAP HR Systems, especially in the past, authorization errors had to be analyzed by transaction ST01 o STAUTHTRACE (see also OSS 1916340 - Trace in ST01 instead of SU53 checking HR authorizations). In the most recent systems having a three-hour history this can be avoided
Here a short video to use in your company!
Also for SAP Fiori:
SU53 errors
In some situations, the transaction may report some authorization errors on technical and system objects, for example: S_CTS_ADMI, S_TRANSLAT, S_TCODE=PFCG, S_USER_AGR, etc.
Why does this happen?
It is explained in detail in the note OSS 1525134 - SU53 shows 'strange' results (for instance for S_CTS_ADMI, S_TRANSLAT,....) some functionalities that are checked at the start of transactions verify the presence of administrative functions. For this reason the objects above are checked. Attention, these objects must never be inserted in the basic role. Read here what the basic role should contain and, above all, what should not.
Is it correct that there are authorization errors even if everything is working properly? Yes, it can be correct because some objects have logic of hierarchical controls, for example the authorized objects for the tables' control S_TABU_DIS and S_TABU_NAM or the objects S_RFC o S_RFCACL see also OSS note 2656331 - S_RFC/S_RFCACL entries in authorization trace (SU53).
A practical example
During the AMS support we perform for our clients (AMS Security SAP Service) we prepared a document for end users, a presentation describing how to use the SU53, usually this document is published on the company intranet.
Download it now, customize it and spread it in your company!
Blog post originally translated from: https://www.aglea.com/blog/manuale-autorizzazioni-sap