Skip to Content

Z Tcode not executing after changes in Master and Derived roles

Hello SAP Masters,

There is an issue with master and derived roles in our production system

Below table shows Master role and its derived roles.

Each derived role has its own plant value as shown in below table.

Master Role Derive Role User ID CO Code Plant Plant Description M_MM_DEPT__ACTIVITY D_MM_DEPT__ACTIVITY_LTEDM GOPALN
NEETIKAM
PRIYESHR
RAHULV
RAJESHKS
RAKESHR
SANJEEVK
VARUNS 1005 1003 LTEDM -East Delhi Mall
D_MM_DEPT__ACTIVITY_LTPDL1 AMITF
CHANDRAKD
GAUTAMA
MANDEEPS
MANMEETS
ROHITB
SUBHASHG
UMAS
UTSAVG
KHUSHBOOA
MANOJR 1007 1007 LTPDL1 -Delhi Airport
D_MM_DEPT__ACTIVITY_RFHED ANILV
BHOLAM
DINESHKY
GANESHB
MAHESHS
NARENDERU
RAKHIR
TUSHARB
VAISHALIT 1011 1023 RFHED - East Delhi

Summary:

User sanjeevk faced authorization issue for plant 1003.

Initially user asked us to add plant value 1003 and 1007 to master role.

Later we realized it should be added individually to each derived roles. So I removed the plant value from master role and added it in derived role.

After this activity, now user is not able to execute the ZMM_ISSUE_MAT TCode itself.

Hence I tried to revert back the changes and again added plant value to master role.

Even after reverting back the changes, now user is not able to execute the ZMM_ISSUE_MAT Tcode.

Now let me explain issue in detail with screenshot:

In TCode ZMM_ISSUE_MAT, after inserting below values, transaction is not executing.

Change History of Master Role M_MM_DEPT__ACTIVITY

Change History of Derived Role D_MM_DEPT__ACTIVITY_LTEDM:

We don’t see authorization issue in ST01 Trace for user SANJEEVK

In STAUTHTRACE also we don’t see any authorization issue.

We are 100% sure that ZMM_ISSUE_MAT Tcode was working before we changed the role settings.

It’s still working with BASIS ID (In production system SFP)

Surprisingly, for testing we copied the roles from production to quality (SFP to SFQ), the Tcode is not executing even with BASIS ID (BASIS ID has SAP_ALL) in quality system

SU01 screen for user SANJEEVK

Please let me know if you need any other details from my end.

1.png (9.4 kB)
2.png (73.7 kB)
3.png (90.3 kB)
4.png (85.0 kB)
5.png (329.6 kB)
6.png (42.2 kB)
7.png (45.3 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Mar 27 at 05:26 AM

    I see your question has been open some time but...

    Surprisingly, for testing we copied the roles from production to quality (SFP to SFQ), the Tcode is not executing even with BASIS ID (BASIS ID has SAP_ALL) in quality system

    sounds like there is an issue with the code and not security. I would be looking into a developer debugging the program to see what issue is. The only authorisation not in SAP_ALL is trusted RFC (and potentially any custom objects if SAP_ALL has not been generated)

    Add comment
    10|10000 characters needed characters exceeded