SAP NetWeaver Authorization Troubleshooting

SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com



2007 SAP AG 1
Applies to:
This document applies specifically to SAP ECC 6.0 on Kernel 700, using the Role based Authorization Concept
as recommended by SAP. However, it may also apply to other SAP releases that use the Role based
Authorization Concept.
Summary
This paper introduces the reader to troubleshooting authorization issues using standard SAP transactions
to analyze, identify and rectify authorization failures.
Author: Ashley Day
Company: Siemens
Created on: 07 August 2007
Author Bio
Ashley Day works for Siemens Industrial Turbomachinery Ltd in the UK. I am an SAP BASIS Administrator
working on R/3 and ECC6 platforms; I specialise in SAP Security, Authorizations and Audit Compliance.
Table of Contents
Applies to
Summary
Author Bio
Introduction
Authorization Failure Analysis
  Figure 1.0
Authorization Failure, or not?
  Figure 1.1
  Figure 1.2
What are the options?
  Figure 1.3
What type of authorization issue is this?
  Figure 1.4
  Figure 1.5
I'm using a Profile based Authorization Concept
  Figure 1.6
Fixing the actual problem
Related Content
Disclaimer and Liability Notice

Introduction
Probably the best standard SAP transactions for troubleshooting authorizations are ST01, SU53, SU56 and
SUIM. Used together they let you see the authorizations loaded into a User Master Record (SU56 shows the
user's authorization buffer), the authorization failures a user has hit (SU53), every authorization check made
by the SAP Kernel (ST01) and the roles and profiles that supply a given object (SUIM). This document takes
you through using these transactions in combination to deal effectively with authorization failures.
Authorization Failure Analysis
Transaction SU53 displays the most recent failed authorization check for a user; the details shown include
the Authorization Object in question, its Class, and the fields and values that were checked within that object.
Figure 1.0 shows the logical structure of authorization classes, objects and fields.
Figure 1.0
Authorization Class
  Authorization Object 1
    Authorization Field 1
    Authorization Field 2
  Authorization Object 2
    Authorization Field 1


An SAP Authorization Object can have up to 10 fields. A field may hold an activity (for example ACTVT, with
values meaning Change, Display and so on) or an organizational value such as a Company Code of 1234.
These fields allow customized authorizations to be created (an Authorization is an instance of an
Authorization Object with concrete field values, and it lives in a Profile).

This deep level of customization also means that authorization mismatches will occur, especially when a new
Role/Profile is constructed for a new purpose, as the exact requirements may not be known until the
transactions are used for the first time. In that scenario it is not practical to run SU53 repeatedly, once per
failure, until the role is complete. Instead you can use the SAP System Trace (Transaction ST01) with the
Authorization check trace component switched on, which writes a log of every authorization check the SAP
Kernel makes, including the ones that passed; you can use this information to build Roles/Profiles
accurately. For further information on using the SAP System Trace (Transaction ST01) please see the
following SAP Help link
(http://help.sap.com/saphelp_nw70/helpdata/en/52/6716c0439b11d1896f0000e8322d00/frameset.htm).
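The checks that SU53 reports and ST01 logs are issued from program code with the AUTHORITY-CHECK statement. The following ABAP is an added illustration, not code from the original article: it checks the object S_ADMI_FCD discussed later in this document and a two-field object, and maps the return code to the two kinds of failure this document distinguishes. The report name and the checked values are assumptions chosen for the example; the return code meanings are taken from the ABAP keyword documentation for AUTHORITY-CHECK and should be confirmed against your release.

```abap
REPORT z_auth_check_demo.
" Added example, not part of the original article: what an authorization
" check looks like from program code. AUTHORITY-CHECK compares each ID/FIELD
" pair with the authorizations in the user's buffer (SU56). A failed check is
" what SU53 then displays, and ST01 logs every check, passed or failed, with
" its return code. Report name and the tested values are assumptions.

DATA: gv_rc  TYPE sy-subrc,
      gv_obj TYPE xuobject.

" Single-field object: S_ADMI_FCD has one field, also named S_ADMI_FCD.
" PADM is one of the documented values shown for it in Figure 1.3.
gv_obj = 'S_ADMI_FCD'.
AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
  ID 'S_ADMI_FCD' FIELD 'PADM'.
gv_rc = sy-subrc.
PERFORM explain_rc USING gv_rc gv_obj.

" Multi-field object (an object has up to 10 fields): S_USER_GRP carries
" CLASS (user group) and ACTVT (activity, 03 = display). A field that should
" not be restricted in this check is named with DUMMY.
gv_obj = 'S_USER_GRP'.
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' DUMMY
  ID 'ACTVT' FIELD '03'.
gv_rc = sy-subrc.
PERFORM explain_rc USING gv_rc gv_obj.

" Return codes per the ABAP keyword documentation for AUTHORITY-CHECK
" (assumption: verify against your release). 4 and 12 separate the two
" failure types the article distinguishes: object present but field values
" not covered, versus object absent from the user master record.
FORM explain_rc USING iv_rc  TYPE sy-subrc
                      iv_obj TYPE xuobject.
  CASE iv_rc.
    WHEN 0.
      WRITE: / iv_obj, ': check passed'.
    WHEN 4.
      WRITE: / iv_obj, ': object in user master, but no authorization covers the checked values'.
    WHEN 8.
      WRITE: / iv_obj, ': more than 10 ID/FIELD pairs supplied'.
    WHEN 12.
      WRITE: / iv_obj, ': object not in the user master record at all'.
    WHEN OTHERS.
      WRITE: / iv_obj, ': check failed, sy-subrc =', iv_rc.
  ENDCASE.
ENDFORM.
```

Run the report as a user who lacks PADM, then call SU53 in the same session: the object S_ADMI_FCD and the value PADM appear exactly as the statement supplied them, which is why the SU53 output can be matched directly against role field values.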

Authorization Failure, or not?
For most suspected authorization failures, the first step should be to ascertain whether the issue actually is
an authorization failure. Transaction SU53 confirms this, as it only shows authorization objects when an
authorization check has failed. If you see the message "The last authorization check was successful" then
your authorization checks have passed so far; in the event of a failure you will see the details of the object
involved. Two caveats: run SU53 as the affected user directly after the failure, in the same session, because
it reports only the most recent failed check; and a failed check shown in SU53 is not always the cause of the
symptom, since some programs check an object, tolerate the failure and continue, so compare the object and
values shown with what the user was actually trying to do.

Figure 1.1 shows SU53 in the event of an authorization failure; note that the screenshot shows SU53 in its
default layout (Tree).

SU53 has one of two layouts. The instance shown in Figure 1.1 is called Tree and gives the structured view
shown. The other layout, Classic, has a raw text feel but provides additional information such as the
Authorization Class the object is in, the System ID and the Client number; see Figure 1.2.
Figure 1.1

Figure 1.2


What are the options?
Once an authorization failure is confirmed, the next step should be to ascertain the values available for the
Authorization Object in question. Without understanding these values and their effect you cannot work with
the business to adjust the authorizations effectively.

To understand a particular Authorization Object we should read its documentation. Most SAP Authorization
Objects have documentation explaining their purpose, fields and values. This can be found in several ways
(Transaction SU21 also displays it); the easiest is Transaction SUIM.

Transaction SUIM is the User Information System, which comprises many useful reports. Using the report
Authorization Objects >> By Object Name, Text we can enter the name of the Authorization Object and
execute. If we select the correct Authorization Object and click Documentation, an additional window displays
the details in a standard SAP Help screen; see Figure 1.3 for an example with object S_ADMI_FCD.

Figure 1.3


The figure shows that in this example the field System Administration has several values: NADM, PADM
etc. Importantly these values are also explained, so we can understand their effect and communicate
authorization changes effectively to the business/users.

What type of authorization issue is this?
There are two main possibilities to consider for an authorization failure: either the user has the Authorization
Object but its field values do not cover what was checked, or the user does not have the Authorization Object
at all.

How do we confirm which it is? If you are using a Role based Authorization Concept this can be established
with Transaction SUIM. Within SUIM the option Roles >> Roles by Complex Selection Criteria provides a way
of searching for roles by many different types of selection criteria.

Using this SUIM report (see Figure 1.4 for the User ID entry and Figure 1.5 for the Authorization Object) we
pass a User ID and an Authorization Object as our selection criteria. If any roles are returned, that user has
the object through those roles, and the likely problem is that the field values in them do not cover what the
Kernel checked.
Figure 1.4

Figure 1.5

If no results are returned, the message "No data was selected" is shown in the status bar and we can safely
assume that no role is providing this User ID with the Authorization Object in question. A tip: if you use, or
have ever used, a Profile based Authorization Concept, it is worth checking that this User ID does not have a
profile assigned directly (SU01, Profiles tab) that provides this object; in a Role based concept profiles should
only be assigned through roles.
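The SUIM report used in this section and the previous one reads the role assignment table AGR_USERS and the role authorization data in AGR_1251. The following ABAP is an added example, not part of the original article, that performs the same user-plus-object lookup so the two cases (roles found, or none) can be seen directly; it assumes the standard names of those tables and fields as the author of this example knows them, and the report name is hypothetical. It deliberately covers single roles only, so the tip above about direct profile assignments still applies.

```abap
REPORT z_role_has_object.
" Added example, not part of the original article. Answers the question
" "does any role assigned to this user carry this object?" by reading the
" role data SUIM reads: AGR_USERS (user-to-role assignment) and AGR_1251
" (authorization field values per role). Table and field names are the
" standard ones as assumed by this example; the report name is hypothetical.

PARAMETERS: p_uname TYPE xubname  OBLIGATORY,   " user ID
            p_obj   TYPE xuobject OBLIGATORY.   " e.g. S_ADMI_FCD

TYPES: BEGIN OF ty_hit,
         agr_name TYPE agr_users-agr_name,
         field    TYPE agr_1251-field,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
       END OF ty_hit.

DATA: lt_hits TYPE STANDARD TABLE OF ty_hit,
      ls_hit  TYPE ty_hit.

" Only role assignments valid today and authorization entries not flagged
" as deleted count; this mirrors what the user currently receives.
SELECT u~agr_name a~field a~low a~high
  INTO TABLE lt_hits
  FROM agr_users AS u
  INNER JOIN agr_1251 AS a ON a~agr_name = u~agr_name
  WHERE u~uname    = p_uname
    AND u~from_dat <= sy-datum
    AND u~to_dat   >= sy-datum
    AND a~object   = p_obj
    AND a~deleted  = space.

IF sy-subrc <> 0.
  " Same situation as "No data was selected" in SUIM: no single role
  " supplies the object. Before concluding the object is absent, check
  " direct profile assignments (SU01, Profiles tab) and composite roles,
  " which this single-role query does not resolve.
  WRITE: / 'No assigned role provides object', p_obj, 'to user', p_uname.
ELSE.
  " The object is present; compare the field values listed with the values
  " SU53 reported as checked to see whether it is a field-value mismatch.
  SORT lt_hits BY agr_name field low.
  LOOP AT lt_hits INTO ls_hit.
    WRITE: / ls_hit-agr_name, ls_hit-field, ls_hit-low, ls_hit-high.
  ENDLOOP.
ENDIF.
```

The output lists one line per role, field and value interval, which is the same information SUIM shows in its result list; a role appearing here with a LOW/HIGH range that does not include the value SU53 reported is the first case from the section above, and an empty result is the second.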

I'm using a Profile based Authorization Concept
If your system runs a Profile based Authorization Concept, use the alternative SUIM report Profiles >>
Profiles by Complex Selection Criteria. In this report you can provide an Authorization Object and any field
values as before, and the results show every profile that has this object and those values. To get the correct
results, uncheck the boxes Maint. Version and Generated profiles; this excludes inactive profile versions and
the profiles generated from roles. Take the first column of the results (Figure 1.6) and copy it into the SUIM
report Users >> Users by Complex Selection Criteria >> By Profiles, in the field Profile Name; executing that
report lists all users who have the profiles you listed.
Figure 1.6

This should provide you with a list of Users which have the Authorization Object you specified via an
Authorization Profile.

Fixing the actual problem
Now we have the results of our reports: we have established whether or not the User ID has the
Authorization Object in question, and we know which values the SAP Kernel checked and which values this
Authorization Object offers.

At this point a decision needs to be made based on your local Authorization Concept. This decision is usually
made not by an administrator but by a specialist who knows the role-to-business mapping and understands
which users need what access; for that specialist the information you have just collected is vital. You may be
asked for additional information, such as a list of roles that contain the object with the field values that were
checked; this is easily produced in SUIM using Roles by Complex Selection Criteria, providing only the
Authorization Object and the fields/values shown in the SU53 screen.

Suppose, for example, it has been decided that the User ID in question is missing a role they should have. If
the user should be performing a task that is mapped to a role in the system, and the user does not have that
role, the fix is simple: assign the role to the User ID using SU01 or PFCG. Alternatively a particular role may
need to be modified to add or change the Authorization Object; in that case regenerate the role's profile in
PFCG, run the user master comparison (PFCG or transaction PFUD) so the profile reaches the assigned
users, and have the affected user log on again so the changed authorizations are loaded into their buffer.
Whichever fix is applied, avoid simply entering '*' in the failing field to make the error go away; grant the
specific value the object documentation and the business requirement call for, otherwise the restriction the
role was built to enforce is lost.


Related Content
Authorization Objects a Simple Guide
SAP Application Security
SAP Security eLearning
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces
and therefore is not supported by SAP. Changes made based on this information are not supported and can
be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods
suggested in this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of
this technical article or code sample, including any liability resulting from incompatibility between the content
within this document and the materials and services offered by SAP. You agree that you will not hold, or
seek to hold, SAP responsible or liable with respect to the content of this document.
