AGLEA Blog

SAP Authorization Manual

Written by Marta Ortona | Oct 20, 2022 10:00:00 PM

 

During daily support users often have to request some information. By email or by corporate ticketing tool.

 

 

 

What system are you on? What were you doing? What transactions were you using when you received the error and so on 

 

To facilitate these requests, in the SAP authorizations field, we can define a short user manual to publish, for example on the company intranet. 

 

How should the user report the authorization issues?

Regarding the authorisation aspects the most useful information is that given by the SU53 transaction. This transaction allows to know all the necessary informations to solve the authorization problem. 

 

 

Let’s see what they are:

 

Particular cases

In some cases it is not possible to perform the SU53 transaction, or it is not immediate to identify the code of the transaction where you received the error.

 

Here are some examples: 

 

  • A transaction cover up the command field, how is it possible to perform SU53 transaction?
    • simply press the top left corner of the SAP GUI to open a new window "generate session" and perform the SU53 transaction in this new way. 
  • How to identify the SAP transaction code?
    • By clicking on the highlighted icon in the image below, in the bottom right of SAP GUI, is possible to identify the transaction used at the time of the error. This was especially useful when the SU53 did not show, directly in the log, the transactional code. In the most up-to-date systems this problem doesn't exist. 

Look at the difference between SU53 from ten years ago and today.

  • In the old one you only see the last authorization error
  • In  the new one there is also the transaction code (except for S_TCODE objects which are directly reported in the field) 

 

 

Attention! In SAP HR Systems, especially in the past, authorization errors had to be analyzed by transaction ST01 o STAUTHTRACE (see also OSS 1916340 - Trace in ST01 instead of SU53 checking HR authorizations). In the most recent systems having a three-hour history this can be avoided

 

Here a short video to use in your company!

 

 

Also for SAP Fiori:

 

SU53 errors

In some situations, the transaction may report some authorization errors on technical and system objects, for example: S_CTS_ADMI,  S_TRANSLAT, S_TCODE=PFCG, S_USER_AGR, etc.

 

Why does this happen?

 

It is explained in detail in the note OSS 1525134 - SU53 shows 'strange' results (for instance for S_CTS_ADMI, S_TRANSLAT,....) some functionalities that are checked at the start of transactions verify the presence of administrative functions. For this reason the objects above are checked. Attention, these objects must never be inserted in the basic role. Read here what the basic role should contain and, above all, what should not.

 

Is it correct that there are authorization errors even if everything is working properly? Yes, it can be correct because some objects have logic of hierarchical controls, for example the authorized objects for the tables' control S_TABU_DIS and S_TABU_NAM or the objects S_RFC o S_RFCACL see also OSS note 2656331 - S_RFC/S_RFCACL entries in authorization trace (SU53).

 

A practical example

During the AMS support we perform for our clients (AMS Security SAP Service) we prepared a document for end users, a presentation describing how to use the SU53, usually this document is published on the company intranet.

 

Download it now, customize it and spread it in your company!

 

Blog post originally translated from: https://www.aglea.com/blog/manuale-autorizzazioni-sap

 

 
View full post