Solved: Toubleshooting on missing authorization.

Former Member · ‎09-27-2010

Hi SAP all gurus,

I have a problem regarding troubleshooting on missing authorization issues.

I got a ticket to solve the missing authorization, i tried with SU53 to solve that. and I got 20 similar roles regarding the missing authorization when I check with SUIM. My question is which role I want to assign the end user from those 20 roles. FYI all 20 roles have that missing authorization identity.I'm confused which role is helpful for me. Please give me your valuble suggestions and its very helpful to me.

Thanks in advance,

Sridhar

Former Member · ‎09-30-2010

This is really specific to the job function & use dependent, if your'e not sure and want to add this so before adding just check that this missing - Tcode / Authorization object etc., is already assigned to the users which are available in this 20 roles. If you found that in this 20 roles 1 role is having 5 users whcih they already have above authorization with another role then you can go ahead and modify this role.

Or if you don't find any user who's having above authorization within all 20 roles then you have to create a seperate role for this because if you add this in any of this roles where already users are assigned then they can also execute this which can be a breach.

Regards;

sdipanjan · ‎09-27-2010

Can you please provide access to your SAP system to any of us so that we can see those 20 roles you are talking about?

keeping joke apart.....

You are the best person to decide which role applies based on the SU53 missing authorization. How we can say which one would be the best when we don't have idea even on the SU53 and the failed authorization and even the TCode also. Please check with your IT Owner and/OR try to simulate those 20 roles one by one which one doesn't create any SOD issue (if you have a compliance management software in place).

Regards,

Dipanjan

Edited by: Dipanjan Sanpui on Sep 27, 2010 3:27 PM

Former Member · ‎09-27-2010

Thanks Dipanjan,

Sridhar

Former Member · ‎09-27-2010

Hi Sridhar,

These questions usually come when you are relatively new to the project and do not understand the functionality of each role and what is its use functionality wise.

Your best bet is to understand what is the functionality of that missing authorization and what role would probably correspond to that functionality. something like looking at the roles of other user from the same department who has the same functionality as this user might help in further downsizing your list.

Bottomline understand the roles that have been created, understand the transaction that is causing the error and understand the missing authorization object or values and then make a wise decision.

Former Member · ‎09-27-2010

Thank you Nishanth,

As you said, "something like looking at the roles of other user from the same department who has the same functionality as this user might help in further downsizing your list." and FYI Its functionality related to the FICO Role.

I agree with your answer I'm new to this project. Thank you very much for a Valuiable suggestion.

Sridhar

Former Member · ‎09-28-2010

Hi Sridhar,

Even when looking at the other users of the same department having same functionality, you might downsize the list further by checking if some of the roles are used at all or not. Some might be obsolete roles which are no longer assigned to users. But for final decision you can always refer to the role owner.

Hope this helps you in your decision making !

Dipesh

Former Member · ‎09-28-2010

Hi Sridhar

Running an SU53, finding an authorisation failure and then hunting for an additional role to assign isn't the answer really (well - there are no perfect answers - just different ways of doing things).

Say the user is running ME22N everyday and, when trying to change one particular purchase order one day they get a 'you are not authorised' message. They complain bitterly to their work colleagues who say 'well I can do it'. then to their manager who looks at the screen, tuts, and tells the user to fire off an email or log a call with the help desk right away as it's stopping them doing their job.

That user may have been working perfectly well for many years, doing the same task until today, their colleagues (who can run the transaction) have joined recently, having moved positions in the business and can access the purchase order no problem.

The thing is - should they really be able to change this one purchase order or not? They've managed fine, processing perfectly as expected with no complaints from any other person in the procurement chain.

Having an authorisation failure and getting it fixed isn't always the thing to do, the user may actually have the correct access and all the other people may have too much access. In this example the user may have failed on doc type UB when all they should be accessing is doc type NB, the more recent joiners have access because of badly controlled access requests or legacy access..

You need to use logic (and hopefully some competent role owners) to make sure you aren't assigning any old role just to clear a logged ticket.

Hope this helps a little bit!

Kind regards

David

Former Member · ‎09-30-2010

This is really specific to the job function & use dependent, if your'e not sure and want to add this so before adding just check that this missing - Tcode / Authorization object etc., is already assigned to the users which are available in this 20 roles. If you found that in this 20 roles 1 role is having 5 users whcih they already have above authorization with another role then you can go ahead and modify this role.

Or if you don't find any user who's having above authorization within all 20 roles then you have to create a seperate role for this because if you add this in any of this roles where already users are assigned then they can also execute this which can be a breach.

Regards;

Former Member · ‎10-01-2010

The below points are very helpful in downsizing my list.

1)those 20 roles one by one which one doesn't create any SOD issue (if you have a compliance management software in place).

2)Depend on functionality of role we can give the authorization after get the confirmation from role owner.

3)something like looking at the roles of other user fom same department who has same functionality as this user might help in further downsizing your list.

4)Even looking at the other users roles of the same department having same functionality, you might downsize the list further by checking if some of the roles are used at all or not.Some roles might be obsolete roles which are no longer assigned to users. But for final decision you can always refer to the role owner.

5)When the requested user have missing authiuzation, he is working for a long time to that company and and their colleagues can access the particular transaction with out issues, and then there be a problem with old role.

6)you don't find any user who's having above authorization within all 20 roles then you have to create a seperate role for this because if you add this in any of this roles where already users are assigned then they can also execute this which can be a breach

Thanks SAPgurus for posting your valuable discussions on this. If any point is there to downsize my list other than above answers please post to this forum, It would be very helpful for me.

Regards,

Sridhar

Former Member · ‎10-03-2010

Hi

What was the SU53 error and which transaction was being run please?

Is the business process being followed by the user or are they exceeding their job?

Cheers

David

Edited by: David Berry on Oct 3, 2010 8:22 PM