Skip to Content
author's profile photo Former Member
0
Former Member

authorization failure

Posted on Oct 18, 2006 at 04:46 PM 448 Views

hi,

I am trying to help a person, till we are waiting for our security admin to takeover.

I have a user who is executing the t-code "ABAPDOCU" - but it fails on authorization error. I do not want to give him SAP_ALL as well. Is there any other role, i can assign him, so he can have authorization for ABAPDOCU?

here is the partial output of SU53 after the failure.

The following authorization object was checked: Object S_TCODE Transaction Code Check at Transaction Start

Object class AAAB Cross-application Authorization Objects

Any help is appreciated.

thanks

Esan

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Oct 18, 2006 at 04:59 PM
    1

    Hello Esan,

    Create a role in transaction PFCG. Assign transaction code ABAPDOCU to this role. And then generate the profile of the role.

    Assign this role to the user and ask him to logout and relogin.

    Hope this works. Please award points for useful info.

    Regards.

    Ruchit.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 18, 2006 at 05:59 PM
    0

    Hi Esan,

    If you want changes to only that user then you can manually add that T-code in s_tcode authorization object or add that t-code in menu tab of that role and generate the profile.

    Award points if it is helpfull.

    Regards,

    Jagan

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 18, 2006 at 07:21 PM
    0

    I would not recommend changing any of the security admin's roles. Adding ABAPDOCU to the role menu might also bring in more other authorizations which you do not want the user to have. (E.g. they can give themself SAP_ALL). The security admin might get very upset about it when they return.

    But if it is urgent, use transaction SUIM to search the roles for one with object S_TCODE value 'ABAPDOCU' and as little else as possible and assign that to the user. In higher SAP releases (6.10+) they will probably not have to logon and logoff again for the new access to take affect.

    But chances are also good that doing this will not solve the problem. SU53 is showing you the last failed authorization check made (remotely it shows the last failed authorization check made before the user ran SU53 the last time... so they could even trick you if they wanted to...). This last failed data which SU53 delivers is often not the one which caused the user to get a "You are not authorized" error or warning. This is particularly true in the case of popups or other screens where the user has to go back to expose the ok-code field to enter /nsu53, or if the user displayed more information on the error message but were not authorized to go further.

    If time allows, I would recommend that the user go to help.sap.com and take a look at the abapdocu there until the security admin can analyze the problem in detail and add the required authorizations to the role.

    Cheers,

    Julius

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member
      Oct 18, 2006 at 09:57 PM

      Another after-thought is that if you havent applied support packs regularly, then granting ABAPDOCU will result in the user being able to execute almost any transaction / report in the system without necessarily being authorized to start them.

      They might access the initial screens of:

      SE11

      SE16

      SE38

      SE80

      SE37

      SM59...?

      RZ10...?

      SM50...?

      SU01...?

      PFCG...?

      SESS...?

      But these transactions still behave as expected / designed, if the user has the correct authorizations.

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.