SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com
2007 SAP AG

SAP NetWeaver Authorization Troubleshooting

Applies to:
This document applies specifically to SAP ECC6 Kernel 700, utilizing the Role based Authorization Concept as recommended by SAP. However, this document may also relate to other versions of SAP utilizing the Role based Authorization Concept.

Summary
This paper introduces the reader to troubleshooting authorization issues, using standard SAP Transactions to analyze, identify and rectify authorization failures.

Author: Ashley Day
Company: Siemens
Created on: 07 August 2007

Author Bio
Ashley Day works for Siemens Industrial Turbomachinery Ltd in the UK. I am an SAP BASIS Administrator, working on R/3 and ECC6 platforms. I specialise in SAP Security, Authorizations and Audit Compliancy.

Table of Contents
Applies to
Summary
Author Bio
  Introduction
  Authorization Failure Analysis
    Figure 1.0
  Authorization Failure, or not?
    Figure 1.1
    Figure 1.2
  What are the options?
    Figure 1.3
  What type of authorization issue is this?
    Figure 1.4
    Figure 1.5
  I'm using a Profile based Authorization Concept
    Figure 1.6
  Fixing the actual problem
Related Content
Disclaimer and Liability Notice

Introduction
Probably the best standard SAP Transactions you can use for troubleshooting authorizations are ST01, SU53, SU56 and SUIM. Used together, these enable you to see the authorizations loaded into a User Master Record, authorization failures, and the authorization checks made by the SAP Kernel. This document will take you through using these Transactions in a combined way to deal effectively with authorization failures.

Authorization Failure Analysis
The transaction code SU53 is used for viewing authorization failures. The details displayed include the Authorization Object in question, its Class, and the options/fields which were checked within that object. Figure 1.0 shows the logical structure of authorizations, objects and classes.

Figure 1.0
Authorization Class
    Authorization Object 1
        Authorization Field 1
        Authorization Field 2
    Authorization Object 2
        Authorization Field 1

An SAP Authorization Object can have up to 10 Fields, which may be Activities such as Change, Display etc., or can be a Company Code, 1234 for example. These options allow customized authorizations to be created (Authorizations are instances of Authorization Objects which live in a Profile).
This deep level of customization also means that authorization mismatches will occur, especially when a new Role/Profile is constructed for a new purpose, as the exact requirements may not be known until the transactions are used for the first time. In this scenario it is not preferable to use SU53 repeatedly for each authorization failure until complete. Instead, you can use SAP System Trace (Transaction ST01), which writes a log of each authorization check the SAP Kernel makes; you can use this information to build Roles/Profiles accurately. For further information on using SAP System Trace (Transaction ST01) please see the following SAP Help link: http://help.sap.com/saphelp_nw70/helpdata/en/52/6716c0439b11d1896f0000e8322d00/frameset.htm

Authorization Failure, or not?
For most suspected authorization failures, the first step should be to ascertain whether the issue is actually an authorization failure or not. Transaction SU53 also confirms this, as it will only show authorization objects upon an authorization check failure. If you see the message "The last authorization check was successful", then up to now your authorization checks have passed without fail; in the event of a failure you will see the details of the object involved.
Figure 1.1 shows SU53 in the event of an authorization failure. Please note the screenshot shows SU53 in its default layout (Tree).
SU53 can have one of two layouts. The one shown in Figure 1.1 is called Tree, and gives the structured view as shown. The other layout, Classic, has a raw text feel but provides additional information such as the Authorization Class the object is in, the System ID and the Client number; see Figure 1.2.

Figure 1.1
Figure 1.2

What are the options?
Once an authorization failure is confirmed, the next step should be to ascertain the options available for the Authorization Object in question. Without understanding the options and their effect you cannot correspond with the business to adjust the authorizations effectively.
To understand a particular Authorization Object we should read its documentation. Most SAP Authorization Objects have documentation to explain their purpose, fields, options etc. This can be found in several ways; the easiest is by using Transaction SUIM.
Transaction SUIM is the User Information System, which comprises many useful reports. Using the report Authorization Objects >> By object name, text we can enter the name of the Authorization Object and execute. If we select the correct Authorization Object and click Documentation, an additional window will display the details in a standard SAP Help screen; see Figure 1.3 for an example using Object S_ADMI_FCD.

Figure 1.3
In this example, the figure above shows that the Field System Administration has several options: NADM, PADM etc. Importantly, these options are also explained so we can understand their effect, and using these we can effectively communicate authorization changes to the business/users.

What type of authorization issue is this?
There are 2 main possibilities when we consider an authorization failure. The first is that the user in question has the Authorization Object but its fields/options do not have the correct configuration for what is required. The second is that the user does not have the Authorization Object at all.
But how do we confirm the type of issue? If you are using a Role based Authorization Concept then this can be established using Transaction SUIM. Within SUIM the option Roles >>Roles by Complex Selection Criteria will present a method of searching for Roles by many different types of search criteria.
Using this SUIM report (see Figure 1.4 for User ID entry and Figure 1.5 for Auth Object) we can pass a User ID and Authorization Object as our Selection Criteria. If we receive any Roles as a result, this tells us that particular User ID has that particular Authorization Object. In this scenario it is possible the Object is not configured for the needs.

Figure 1.4
Figure 1.5
If we receive no results from this, the message "No data was selected" will be shown in the status bar, and we can safely assume that no Role is providing this User ID with the Authorization Object in question.
A tip: If you use or have ever used a Profile based Authorization Concept, it would be worth checking this User ID does not have a Profile assigned to them that is providing this Object; profiles should only be assigned per Role if using a Role based concept.
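
The two cases described above, together with the directly assigned Profile from the tip, as an added Python example (not part of the original paper) that classifies a failed check against authorization data taken out of the system for offline review. The Z_* role, profile and object names, the record layout and the sample values are constructed for illustration; S_ADMI_FCD, NADM and PADM come from the text.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    source: str     # role or profile that supplies it (names below are constructed)
    via_role: bool  # False: profile assigned directly to the user, not through a role
    obj: str        # authorization object
    values: dict    # field name -> set of permitted values; "*" permits everything

def permits(auth, field, value):
    allowed = auth.values.get(field, set())
    return "*" in allowed or value in allowed

def triage(auths, obj, checked):
    """Classify a failed check; `checked` maps each field to the value tested."""
    holders = [a for a in auths if a.obj == obj]
    if not holders:
        return {"type": "OBJECT_MISSING", "gaps": [], "direct_profiles": []}
    # A check passes only when ONE authorization covers every checked field;
    # values held in different authorizations are not combined.
    gaps = [(a.source, sorted(f for f, v in checked.items() if not permits(a, f, v)))
            for a in holders]
    kind = "VALUES_MISMATCH" if all(missing for _, missing in gaps) else "CHECK_SHOULD_PASS"
    direct = sorted({a.source for a in holders if not a.via_role})
    return {"type": kind, "gaps": gaps, "direct_profiles": direct}

# Constructed sample: the authorizations one user holds (ACTVT 02 = change, 03 = display).
USER_AUTHS = [
    Authorization("Z_BASIS_MONITOR", True, "S_ADMI_FCD", {"S_ADMI_FCD": {"NADM"}}),
    Authorization("Z_FI_DISPLAY", True, "Z_DEMO_OBJ", {"ACTVT": {"03"}, "BUKRS": {"1234"}}),
    Authorization("Z_OLD_PROFILE", False, "Z_DEMO_OBJ", {"ACTVT": {"02"}, "BUKRS": {"5678"}}),
]

if __name__ == "__main__":
    failed_checks = [
        ("S_ADMI_FCD", {"S_ADMI_FCD": "PADM"}),            # object held, value not granted
        ("S_DEVELOP", {"ACTVT": "03"}),                    # object not held at all
        ("Z_DEMO_OBJ", {"ACTVT": "02", "BUKRS": "1234"}),  # values split across two sources
    ]
    for obj, checked in failed_checks:
        print(obj, checked, triage(USER_AUTHS, obj, checked))
```

The third check fails even though both values appear somewhere in the user's authorizations, and the result also flags that one of the sources is a directly assigned Profile rather than a Role.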

I'm using a Profile based Authorization Concept
If your system is currently running on a Profile based Authorization Concept, you can use the alternative SUIM Report Profiles >> Profiles by Complex Selection Criteria. In this Report you can provide an Authorization Object and any Authorization Field options as before, but this time the results will show any Profile which has this Object and options. To ensure we get the correct results we should uncheck the boxes for Maint Version and Generated profiles; this will exclude inactive profiles and profiles which are assigned by Roles. If we take the first column of the results (Figure 1.6) and copy it into the SUIM Report Users >> Users by Complex Selection Criteria >> By Profiles, in the field Profile Name, then executing this Report will give us all Users with the Profiles we listed.

Figure 1.6
This should provide you with a list of Users which have the Authorization Object you specified via an Authorization Profile.

Fixing the actual problem
Now we have the results of our reports. We have established whether or not the User ID has the Authorization Object in question; we also know what options were checked by the SAP Kernel and what options are available to us from this Authorization Object.
At this point a decision needs to be made based on your local Authorization Concept. This decision is not usually made by an administrator but by a specialist who knows the Role to Business mapping and understands which users need what access. However, for these specialists the information you have just collected is vital for solving the issue. You may be asked for additional information, such as a list of Roles which have the Object options/fields which were checked. This can be easily achieved in SUIM using Roles by Complex Selection Criteria, providing only the Authorization Object and its options/fields as shown in the SU53 screen.
So for example, it has been decided for us that the User ID in question is missing a Role which they should have. If the user should be performing a task which is mapped to a Role in the system, and this user does not have the Role then this is an obvious fix. We can simply use SU01 or PFCG to assign the Role to the User ID. Alternatively it could be that a particular Role needs to be modified to add or change the Authorization Object.

Related Content
Authorization Objects a Simple Guide
SAP Application Security
SAP Security eLearning

Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.