
authorization failure

Former Member
0 Kudos

Hi,

I am trying to help a person while we are waiting for our security admin to take over.

I have a user who is executing the t-code "ABAPDOCU", but it fails with an authorization error. I do not want to give him SAP_ALL either. Is there any other role I can assign him so he can have authorization for ABAPDOCU?

Here is the partial output of SU53 after the failure.

The following authorization object was checked: Object S_TCODE Transaction Code Check at Transaction Start

Object class AAAB Cross-application Authorization Objects

Any help is appreciated.

Thanks

Esan

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Esan,

Create a role in transaction PFCG. Assign transaction code ABAPDOCU to this role. And then generate the profile of the role.

Assign this role to the user and ask him to log out and log in again.

Hope this works. Please award points for useful info.

Regards.

Ruchit.

4 REPLIES 4

Former Member
0 Kudos

Hi Esan,

If you want changes for only that user, then you can manually add that t-code to the S_TCODE authorization object, or add that t-code in the menu tab of that role and generate the profile.

Award points if it is helpful.

Regards,

Jagan

Former Member
0 Kudos

I would not recommend changing any of the security admin's roles. Adding ABAPDOCU to the role menu might also bring in other authorizations which you do not want the user to have (e.g. they can give themselves SAP_ALL). The security admin might get very upset about it when they return.

But if it is urgent, use transaction SUIM to search the roles for one with object S_TCODE value 'ABAPDOCU' and as little else as possible and assign that to the user. In higher SAP releases (6.10+) they will probably not have to log on and log off again for the new access to take effect.

But chances are also good that doing this will not solve the problem. SU53 is showing you the last failed authorization check made (remotely it shows the last failed authorization check made before the user ran SU53 the last time... so they could even trick you if they wanted to...). This last failed data which SU53 delivers is often not the one which caused the user to get a "You are not authorized" error or warning. This is particularly true in the case of popups or other screens where the user has to go back to expose the ok-code field to enter /nsu53, or if the user displayed more information on the error message but was not authorized to go further.

If time allows, I would recommend that the user go to help.sap.com and take a look at the abapdocu there until the security admin can analyze the problem in detail and add the required authorizations to the role.

Cheers,

Julius
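
The SUIM advice above (pick a role with S_TCODE value 'ABAPDOCU' and as little else as possible), as an added example that is not part of the thread: a Python script that ranks roles from an exported list of authorization values and pushes wildcard or range grants to the bottom. The CSV layout (ROLE, OBJECT, FIELD, LOW, HIGH), the role names and the sample rows are all constructed assumptions, and ranges are compared as plain strings.

```python
import csv
import io

# Constructed sample of role authorization values, one row per value.
# The ROLE,OBJECT,FIELD,LOW,HIGH layout and all role names are assumptions.
SAMPLE = """\
ROLE,OBJECT,FIELD,LOW,HIGH
Z_DEV_DISPLAY,S_TCODE,TCD,ABAPDOCU,
Z_DEV_DISPLAY,S_TCODE,TCD,SE11,
Z_DEV_DISPLAY,S_DEVELOP,ACTVT,03,
Z_ABAP_HELP,S_TCODE,TCD,ABAPDOCU,
Z_BASIS_ALL,S_TCODE,TCD,*,
Z_RANGE,S_TCODE,TCD,AA00,AZZZ
Z_RANGE,S_TCODE,TCD,SU01,
Z_HR_CLERK,S_TCODE,TCD,PA20,
"""


def grants(low, high, tcode):
    """True if one S_TCODE value (single, trailing-* pattern or range) covers tcode."""
    if high:  # LOW..HIGH range, approximated here by plain string comparison
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode


def rank_roles(export_text, tcode):
    """Return (role, broad_grant, other_values) for roles granting tcode, narrowest first."""
    roles = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        r = roles.setdefault(row["ROLE"], {"hit": False, "broad": False, "other": 0})
        covers = (row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD"
                  and grants(row["LOW"], row["HIGH"], tcode))
        exact = covers and row["LOW"] == tcode and not row["HIGH"]
        r["hit"] |= covers
        r["broad"] |= covers and not exact  # granted through a wildcard or range
        r["other"] += 0 if exact else 1     # every other value is access beyond the request
    ranked = [(n, r["broad"], r["other"]) for n, r in roles.items() if r["hit"]]
    # Exact grants before wildcard/range grants, then fewest other values.
    return sorted(ranked, key=lambda item: (item[1], item[2], item[0]))


if __name__ == "__main__":
    for name, broad, other in rank_roles(SAMPLE, "ABAPDOCU"):
        note = "wildcard/range grant, avoid" if broad else "exact grant"
        print(f"{name:15} other values: {other:2}  {note}")
```

The ranking counts other values but does not weigh how sensitive each one is, so the top candidate still needs a look at what those values are before it is assigned.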

0 Kudos

Another afterthought is that if you haven't applied support packs regularly, then granting ABAPDOCU will result in the user being able to execute almost any transaction / report in the system without necessarily being authorized to start them.

They might access the initial screens of:

SE11

SE16

SE38

SE80

SE37

SM59...?

RZ10...?

SM50...?

SU01...?

PFCG...?

SESS...?

But these transactions still behave as expected / designed, if the user has the correct authorizations.