Troubleshooting Authorization Checks

Objective

After completing this lesson, you will be able to trace and analyze SAP ABAP authorization checks.

Error Analysis for Authorization Problems

If you cannot find documentation about authorization for a transaction, or if a failed authorization check is always reported when you execute a transaction, there are two ways in which you can determine the required authorizations:

  1. With the authorization error analysis (transaction SU53).

  2. With the system trace for authorization checks (transaction STAUTHTRACE).

Analyzing Authorization Checks

Illustration on Analyzing Authorization Checks.

In the next example, a transaction from the FI area was executed and terminated due to a missing authorization. The system message is: You are not authorized for this function.

To analyze this error, choose the menu path System → Utilities → Display Authorization Check or enter transaction code SU53 in the command field.

Screenshots showing Authorization Error Analysis (SU53).

You can now analyze the last error in your system that occurred due to a missing authorization. You can call transaction SU53 in any session, not just in the session in which the error occurred.

Example: In the previous figure, the user calls transaction VA07. The message "You are not authorized for transaction VA07" appears.

Then, the user calls transaction SU01 and displays the user data of another user. In this case, the authorization object S_USER_GRP is checked. The authorization object is assigned to the user, but the required authorization values (activity "03" and user group "Training") are not assigned.

To analyze the missing authorization, the user enters transaction code SU53 in the command field. The system displays the authorization object that caused the last failed authorization check, together with the values of that object that the program required.

In the case of missing authorization values for a specific authorization object, you can check which other authorization values are assigned to the user.

Transaction SU53 displays a maximum of 100 failed authorization checks for each user in the upper area. It displays these for the last three hours at most. If there are very many active users and very many failed authorization checks, the number of checks and the period that is covered can be smaller for a user. In addition, it displays the context in which the check occurred (that is, the transaction, RFC function module, or service). In the lower area, the authorizations of the user are displayed for all of the authorization objects that are shown.

The system uses a ring buffer in the shared memory of the application server for saving failed authorization checks. Web Dynpro applications can also access this memory area.

The size of the buffer depends on the number of work processes, which is defined by profile parameters. It consists of 100 authorization checks for each work process in the standard system. This number can be changed by setting the profile parameter auth/su53_buffer_entries. The profile parameter can be maintained using transactions RZ11 and RZ10.

The user can also use transaction SU56 to view which authorizations are currently in his or her buffer.

Hint

If the user was prevented from executing an action, and the authorization error analysis shows: All authorization checks have so far been successful, the problem is not an authorization problem. The problem has another cause.

If transaction SU53 does not provide a satisfactory result, you can still use the system trace for authorization checks (STAUTHTRACE).

System Trace for Authorization Checks

If you do not know the required authorizations, you can use the system trace or the authorization error analysis to determine them. You can record authorization checks in your own and in external sessions using the System Trace for Authorization Checks (transaction STAUTHTRACE). As an alternative, you can also use the system trace: Tools → Administration → Monitor → Traces → System Trace (transaction ST01).

The trace records each authorization object that is tested, along with the object's fields and the values tested.

Note

The system trace allows the recording of internal SAP system activities. The system trace is primarily used when an authorization trace is required. Besides authorization checks, the following components can be monitored using the system trace: kernel functions, kernel modules, database accesses, table buffers, RFC calls, and lock operations.

The system trace for authorization checks (transaction STAUTHTRACE) provides an optimized user interface to trace authorization checks. It works in the same way as the system trace (transaction ST01). However, it only evaluates authorization checks.

The evaluation of the system trace for authorization checks can be performed for the current server. It is also possible to start and stop the system trace for authorization checks on all servers or on selected servers of a system. When you display the authorization checks that were performed, the system displays an additional column containing the name of the server.

Screenshots showing the five steps for System Trace for Authorization Checks (STAUTHTRACE).

You can analyze authorizations using the system trace for authorization checks as follows:

  1. If necessary, set Trace Only for User and start the trace by choosing Activate Trace. The system writes the trace data in the current trace file.

  2. Execute the application as fully as possible in a separate session on the same application server.

  3. Deactivate the trace by choosing Deactivate Trace.

  4. You can optionally restrict the results display with the options under Restrictions.

  5. Choose Evaluate.

The system trace (transaction ST01) offers a variety of tracing options. Among others, you can trace authorization checks. For evaluation of the system trace, it is necessary that the trace and the transaction to be traced are running on the same application server.

Screenshots showing the five steps for System Trace (ST01).

You can analyze authorizations as follows:

  1. Choose Tools → Administration → Monitor → Traces → System Trace or transaction ST01.

  2. Choose the Authorization Check trace component.

  3. To restrict the trace function to your own sessions, choose Edit → Filter → Shared. Enter your user ID in the Trace for user only field in the displayed dialog box.

  4. Start the trace by choosing the Trace on button. The trace is automatically written to the hard disk.

  5. Execute the relevant system actions.

  6. Once you have completed the analysis, choose Trace off.

  7. To display the results of the analysis, choose Goto → Analysis or the Analysis button. Select the desired file and choose Start Reporting.

The results of the authorization check are displayed in the following format (see also the previous figure):

<authorization object><return code>:::<field>=<tested value>

The return code shows whether or not the authorization check was successful.

Hint

The return code "0" (dark green) means that the check at this point was "successful". Any other result means that an error occurred, which may have various causes, depending on the programming (see SAP Note 209899).
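To show how the trace records above are evaluated in practice, here is an added example (not part of the original lesson or of any SAP program) that parses records in the format <authorization object><return code>:::<field>=<tested value>, separates passed checks (return code 0) from failed ones, and aggregates, per object, the field values the program asked for and did not get. The sample records are constructed to mirror the VA07 / SU01 scenario described in the lesson; the use of ";" to separate several fields within one record is an assumption, as is the whitespace between object name and return code.

```python
"""Evaluate an authorization-check trace (constructed example).

Record format taken from the lesson:
    <authorization object><return code>:::<field>=<tested value>
Return code 0 means the check passed; any other value means it failed
(see SAP Note 209899 for the possible causes).
"""
import re

# Constructed sample trace: a user first calls VA07 without the transaction
# authorization, then displays a user of group TRAINING in SU01 without the
# required S_USER_GRP values, and finally displays a user of her own group.
SAMPLE_TRACE = """\
S_TCODE 4:::TCD=VA07
S_TCODE 0:::TCD=SU01
S_USER_GRP 4:::CLASS=TRAINING;ACTVT=03
S_USER_GRP 0:::CLASS=SUPER;ACTVT=03
"""

# Assumed layout: object, optional blanks, numeric return code, ':::', fields.
RECORD = re.compile(r"^(?P<obj>\S+)\s*(?P<rc>\d+):::(?P<fields>.*)$")


def parse_record(line):
    """Turn one trace line into a dict with object, rc and tested field values."""
    match = RECORD.match(line.strip())
    if not match:
        raise ValueError(f"not a trace record: {line!r}")
    fields = {}
    for pair in filter(None, match.group("fields").split(";")):  # ';' is assumed
        name, _, value = pair.partition("=")
        fields[name.strip()] = value.strip()
    return {"object": match.group("obj"), "rc": int(match.group("rc")), "fields": fields}


def parse_trace(text):
    """Parse a whole trace, skipping blank lines."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failed_checks(records):
    """Records with a return code other than 0: the candidates for missing authorizations."""
    return [r for r in records if r["rc"] != 0]


def required_values(records):
    """Per authorization object, the field values that failed at least once.

    This is the raw material for an SU53-style analysis. It tells you what the
    program checked and did not find; it is not a role to be created verbatim,
    because an existing authorization may already cover the request (see the
    Information System section of the lesson).
    """
    needed = {}
    for record in failed_checks(records):
        per_object = needed.setdefault(record["object"], {})
        for field, value in record["fields"].items():
            per_object.setdefault(field, set()).add(value)
    return needed


def render(needed):
    """Human-readable summary, one line per object."""
    lines = []
    for obj in sorted(needed):
        fields = ", ".join(f"{f}={'/'.join(sorted(v))}" for f, v in sorted(needed[obj].items()))
        lines.append(f"{obj}: {fields}")
    return "\n".join(lines)


if __name__ == "__main__":
    records = parse_trace(SAMPLE_TRACE)
    print(f"{len(records)} checks, {len(failed_checks(records))} failed")
    print(render(required_values(records)))
```

Run stand-alone, the script reports two failed checks and lists S_TCODE TCD=VA07 and S_USER_GRP ACTVT=03, CLASS=TRAINING as the values that were required but missing, which is exactly the information SU53 shows for the scenario in the lesson.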

Information Systems for Administrators and Audit

You should not immediately implement the result of a trace or of transaction SU53 as new roles or profiles. First, analyze the system for existing settings. The Information System and the Audit Info System (which is used by auditors) are available to the administrator for this purpose.

You can use the User Information System to obtain an overview of the authorizations and users in your SAP system at any time using search criteria that you specify. In particular, you can display lists of users to whom authorizations classified as critical are assigned. You can also use the User Information System to do the following.

Examples from the User Information System

  • Compare roles and users

  • Display change documents for the authorization profile of a user

  • Display the transactions contained in a role

  • Create where-used lists

We recommend that you regularly check the various lists that are important for you. Define a monitoring procedure and corresponding checklists to make sure that you continually review your authorization plan. We especially recommend that you determine which authorizations you consider critical and regularly review which users have these authorizations in their profiles.

Screenshots showing the Information System.

You can start the Information System from the SAP Menu by choosing Tools → Administration → User Maintenance → Information System. You can also branch to the Information System authorizations from the User Maintenance transaction (SU01) by choosing the menu path Information → Information System.

You can find elements of the authorization system using different selection criteria.

The Information System (RSUSR998) and parts of the Information System can be called as executable reports using transaction SA38. Here are a few examples:

  • RSUSR002: Users by complex selection criteria

  • RSUSR008: By critical combinations of authorizations at transaction start

  • RSUSR008_009_NEW: List of users with critical authorizations

  • RSUSR020: Profiles by complex selection criteria

  • RSUSR030: Authorizations by complex selection criteria

  • RSUSR040: Authorization objects by complex selection criteria

  • RSUSR070: Roles by complex selection criteria

  • RSUSR100: Change documents for users

  • RSUSR101: Change documents for profiles

More detailed analyses can also be started using Reports:

  • RSUSR003: Check the passwords of users "SAP*" and "DDIC" in all clients

  • RSUSR200: List of users by logon data and password change

Another way to read information from the system is a special role concept for auditing (previously done using Audit Information System).

The content of the concept has been revised by the auditing and risk management working group of the German-Speaking SAP User Group e.V. (DSAG), in cooperation with customers and partners. This group has considered a wide range of information from external and internal auditors, IT specialists, and consultants who examine SAP applications or whose companies implement SAP software. For more information, see http://www.sap.com/germany/discsap/revis/index.htm.

Illustration listing the checks done by Audit Information System (AIS).

The Audit Information System (AIS) is a checking tool for:

  • System checks

  • Audit (business audit)

  • Tax audits

  • Internal auditing

  • External auditing

The AIS role concept improves the flow and quality of the check.

The Audit Information System is a tool used by auditors to optimize a system and examine any weak points. The old menu-based version (AUDIT area menu) was replaced by a role-based environment. The role concept used now includes the same collections, structuring, and defaults for standard SAP programs, but is easier to scale. The content is defined using transaction PFCG (Tools → Administration → User Maintenance → Role Administration); the old transaction SECR is no longer used.

Hint

For more information about the technology behind the program, see SAP Note 451960.

The roles are constructed to match the flow of the check for different check fields, with default control data and evaluation programs for the areas "Business" and "System Audit". The roles can be found in PFCG with the ID "SAP*AUDITOR*".

Screenshot showing the Excerpt from the Search Results SAP*AUDITOR* in Role Maintenance.

The delivered single roles are split into two groups:

  1. Authorization roles

  2. Transaction roles

The authorization roles are easy to identify. The role names always end with the suffix "*_A". This means that all roles that do not end with a simple "A" are the corresponding menu roles.

Accordingly, the following condition applies:

  • The authorization roles contain (manual) authorization values, but do not have a menu (such as SAP_AUDITOR_BA_SD_A).

  • The transaction roles contain a menu, but do not have any authorization values (such as SAP_AUDITOR_BA_SD).

If you are now asking yourself "Why not use a single role with menu and authorizations?", there is a simple explanation.

What happens when you enter a transaction code in the role menu and then display the authorization data? Correct. Default authorization values are displayed for objects and fields. In many cases, however, there are too many defaults for auditing purposes, since the authorization goes far beyond just "Display Authorization". If you were to modify these defaults for your own requirements, the time and effort needed to make changes to the content would be much too high (note: maintenance status "Changed").

Hint

Finally, note again the following: As an administrator, remain focused on your authorization concept every time you receive a new request from the user departments.

  • Avoid an unnecessarily large number of roles or profiles.

  • Not every error that is displayed is connected to authorizations.

  • When you receive requests, first search for authorizations to see if they have already been created.

  • Clarify whether these can be reused.

  • Only create something new in response to a requested authorization if nothing suitable already exists.

Users with Critical Authorizations

The purpose is to demonstrate how to use transaction S_BCE_68002111 to define critical authorizations.

Steps

  1. Execute transaction S_BCE_68002111.

  2. On the initial screen, choose Critical Authorizations. In change mode, double-click the second critical authorization folder and choose the New Entries button.

  3. Enter ZID_00 as the Authorization ID. Also, enter text in the text column and choose a color in the color field. Leave the transaction code field empty. Save your entries.

  4. Select the entry that you just created and double-click the authorization data.

  5. Choose Continue to confirm the pop-up Individual entries not added to the change request, then choose New Entries.

  6. In the GROUP column, enter A001 in the first three rows. In the GROUP column, enter A002 in the next two rows, and A003 in the next row.

  7. In the OBJECT column, enter S_TCODE in the first three rows. In the OBJECT column, enter S_DEVELOP in the next three rows.

  8. In the FIELD NAME column, enter TCD in the first three rows. In the FIELD NAME column, enter OBJTYPE in the next two rows. Enter ACTVT in the next row.

  9. Enter the following values in the FROM column, one value per row: SE80, SE37, SE38, PROG, FUGR, and 02. Leave the To column blank.

  10. In the AND/OR column, enter the OR operand in all rows. Save your entries.

  11. Now, create a variant by double-clicking the folder Variants for Critical Authorizations. Choose New Entries.

  12. Enter ZVAR00 as the variant name, then enter a description. Save your entries.

  13. Assign the ID of the critical authorizations to the variant that you just created.

  14. Select the variant you just created. Now, choose the Critical Authorizations folder right below the Variants for Critical Authorizations folder. Choose New Entries.

  15. Use the input help to choose the ID ZID_00. Save your entries.

  16. On the initial screen of transaction S_BCE_68002111, choose the option for Critical Authorizations.

  17. Use the input help to select the variant ZVAR00, then choose Execute.

    Result

    The list of users with critical authorizations is displayed.
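The following added example (not part of the lesson and not SAP code) models the critical authorization ZID_00 that steps 6 to 10 above define and evaluates it against a few constructed users, so that the reader can see why a user appears in the result list. It assumes the evaluation rule that entries within one GROUP are combined with the operand from the AND/OR column and that the groups themselves are combined with AND; the user names, their authorization values, and the treatment of "*" and generic values such as "SE*" are assumptions made for this example.

```python
"""Model of critical authorization ZID_00 from the lesson (constructed example).

Assumed evaluation rule: within a GROUP the rows are linked with the operand
from the AND/OR column; different groups are linked with AND. A user is listed
as critical only when every group is satisfied.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CritEntry:
    group: str           # GROUP column
    obj: str             # OBJECT column
    fieldname: str       # FIELD NAME column
    value_from: str      # FROM column
    value_to: str = ""   # TO column (blank = single value)
    op: str = "OR"       # AND/OR column


# The six rows entered in steps 6 to 10 of the lesson for ID ZID_00.
ZID_00 = [
    CritEntry("A001", "S_TCODE", "TCD", "SE80"),
    CritEntry("A001", "S_TCODE", "TCD", "SE37"),
    CritEntry("A001", "S_TCODE", "TCD", "SE38"),
    CritEntry("A002", "S_DEVELOP", "OBJTYPE", "PROG"),
    CritEntry("A002", "S_DEVELOP", "OBJTYPE", "FUGR"),
    CritEntry("A003", "S_DEVELOP", "ACTVT", "02"),
]

# Constructed users: user -> object -> list of authorizations, each a mapping
# field -> list of values. "*" stands for a full authorization on the field.
USERS = {
    "DEV01": {
        "S_TCODE": [{"TCD": ["SE38", "SE80"]}],
        "S_DEVELOP": [{"OBJTYPE": ["PROG", "FUGR"], "ACTVT": ["01", "02", "03"]}],
    },
    "DISP01": {  # may display programs but not change them
        "S_TCODE": [{"TCD": ["SE38"]}],
        "S_DEVELOP": [{"OBJTYPE": ["PROG"], "ACTVT": ["03"]}],
    },
    "ADMIN": {   # full authorizations, a frequent audit finding
        "S_TCODE": [{"TCD": ["*"]}],
        "S_DEVELOP": [{"OBJTYPE": ["*"], "ACTVT": ["*"]}],
    },
    "FI1": {"S_TCODE": [{"TCD": ["VA07"]}]},  # no S_DEVELOP at all
}


def value_covers(user_value, entry):
    """Does one authorization value cover the critical FROM/TO value(s)?"""
    if user_value == "*":
        return True
    if "*" in user_value:                    # generic value such as "SE*"
        return fnmatchcase(entry.value_from, user_value)
    if entry.value_to:                       # interval entered in FROM/TO
        return entry.value_from <= user_value <= entry.value_to
    return user_value == entry.value_from


def entry_matches(user_auths, entry):
    """True if any of the user's authorizations for the object covers the row."""
    for auth in user_auths.get(entry.obj, []):
        if any(value_covers(v, entry) for v in auth.get(entry.fieldname, [])):
            return True
    return False


def has_critical_authorization(user_auths, entries):
    """Apply the assumed rule: operand within a group, AND across groups."""
    groups = {}
    for entry in entries:
        groups.setdefault(entry.group, []).append(entry)
    for rows in groups.values():
        hits = [entry_matches(user_auths, e) for e in rows]
        op = rows[0].op.upper()              # operand is taken per group
        if not (all(hits) if op == "AND" else any(hits)):
            return False
    return True


def critical_users(users, entries):
    """Sorted names of the users that satisfy the critical authorization."""
    return sorted(name for name, auths in users.items()
                  if has_critical_authorization(auths, entries))


if __name__ == "__main__":
    for name in critical_users(USERS, ZID_00):
        print(f"{name}: holds critical authorization ZID_00")
```

DISP01 holds two of the three groups but lacks activity 02, so the model does not list that user; ADMIN is listed because "*" covers every value, which is the kind of result the report is meant to surface for review.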

Practice System Exercise: Troubleshoot and Administer Aids

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

During your daily work as an administrator, you will regularly search for special settings, authorization values, roles, and other important things. You can find these in the user information system.

Task 1: Compare the Settings of the Authorizations Between Two Users

You are the authorization administrator and are in the consolidation phase after the start of production.

Steps

  1. Compare the settings of the authorizations between user GR##-ADM and user GR##-FI1.

    Are there differences?

    __________________________________________________________

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the Comparisons node, and select the report Of Users by double-clicking it.

    3. Enter GR##-ADM in the User A field.

    4. Enter GR##-FI1 in the User B field.

    5. Choose Execute (F8).

    Result

    Any authorization values that are not the same are indicated by a red light. Navigate in the detail view by double-clicking and look at the different authorization values.

  2. Find out which users may execute transaction MB1C.

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the User → Users by Complex Selection Criteria node, and select the report By Authorization Values by double-clicking it.

    3. Enter S_TCODE in the Authorization Object field.

    4. Choose Input Values.

    5. Enter MB1C in the Value field.

    6. Choose Execute (F8).

    Result

    The resulting list shows the users who may execute transaction MB1C.

  3. Display all the users assigned to the role GR##_MM_MAT_ANZ.

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the User → Users by Complex Selection Criteria node, and select the report By Role by double-clicking it.

    3. Enter GR##_MM_MAT_ANZ in the Role field.

    4. Choose Execute (F8).

    Result

    The resulting list shows the users assigned to the role GR##_MM_MAT_ANZ.

  4. Display an overview of all the users you created (GR##*) with their assigned roles.

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the Roles → Roles by Complex Selection Criteria node, and select the report By User Assignment by double-clicking it.

    3. Enter GR##* in the User(s) field.

    4. Choose Execute (F8).

    Result

    The resulting list shows the roles that are assigned to users GR##*.
