Former Member

Troubleshooting on missing authorization.

Hi all SAP gurus,

I have a problem regarding troubleshooting on missing authorization issues.

I got a ticket to solve the missing authorization, and I tried SU53 to solve that. I got 20 similar roles regarding the missing authorization when I checked with SUIM. My question is which role I should assign to the end user from those 20 roles. FYI, all 20 roles have that missing authorization identity. I'm confused about which role is helpful for me. Please give me your valuable suggestions; it would be very helpful to me.

Thanks in advance,

Sridhar


4 Answers

  • Best Answer
    Former Member
    Sep 30, 2010 at 09:15 AM

    This is really specific to the job function and use dependent. If you're not sure and want to add this, then before adding just check whether this missing Tcode / authorization object etc. is already assigned to the users who are in these 20 roles. If you find that, among these 20 roles, one role has 5 users who already have the above authorization through another role, then you can go ahead and modify this role.

    Or if you don't find any user who has the above authorization within all 20 roles, then you have to create a separate role for this, because if you add this to any of these roles where users are already assigned, then they can also execute this, which can be a breach.

    Regards;


    • Former Member

      Hi

      What was the SU53 error and which transaction was being run please?

      Is the business process being followed by the user or are they exceeding their job?

      Cheers

      David

      Edited by: David Berry on Oct 3, 2010 8:22 PM

  • Former Member
    Sep 27, 2010 at 07:26 PM

    Can you please provide access to your SAP system to any of us so that we can see those 20 roles you are talking about?

    😊

    Keeping the joke apart...

    You are the best person to decide which role applies based on the SU53 missing authorization. How can we say which one would be the best when we don't have any idea of the SU53 output, the failed authorization, or even the TCode? Please check with your IT Owner and/or try to simulate those 20 roles one by one to see which one doesn't create any SOD issue (if you have compliance management software in place).

    Regards,

    Dipanjan

    Edited by: Dipanjan Sanpui on Sep 27, 2010 3:27 PM


  • Former Member
    Sep 27, 2010 at 07:33 PM

    Hi Sridhar,

    These questions usually come up when you are relatively new to the project and do not understand the functionality of each role and what its use is, functionality-wise.

    Your best bet is to understand what the functionality of that missing authorization is and what role would probably correspond to that functionality. Something like looking at the roles of other users from the same department who have the same functionality as this user might help in further downsizing your list.

    Bottom line: understand the roles that have been created, understand the transaction that is causing the error, and understand the missing authorization object or values, and then make a wise decision.


    • Former Member

      Hi Sridhar,

      Even when looking at the other users of the same department having the same functionality, you might downsize the list further by checking whether some of the roles are used at all. Some might be obsolete roles which are no longer assigned to users. But for the final decision you can always refer to the role owner.

      Hope this helps you in your decision making!

      Dipesh
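
The narrowing steps suggested in the answer and comment above (set aside roles nobody holds, then look at what colleagues in the same department with the same function already hold), as an added example that is not part of the original thread. All role names, user IDs and department/function values are constructed, and the two dictionaries stand in for whatever role-assignment export is available; the output is a shortlist for the role owner, who makes the final decision.

```python
from typing import NamedTuple

# Constructed sample data (hypothetical role names and user IDs).
ROLE_USERS = {
    "Z_MM_BUYER_NB": {"U_ANNA", "U_BEN", "U_CARL"},
    "Z_MM_BUYER_ALL": {"U_BEN", "U_DINA"},
    "Z_MM_PO_LEGACY": set(),            # no assignments: possibly obsolete
    "Z_FI_AP_CLERK": {"U_EMIL"},
}
# user -> (department, job function); also constructed.
USER_PROFILE = {
    "U_TARGET": ("PROCUREMENT", "BUYER"),   # user who raised the ticket
    "U_ANNA": ("PROCUREMENT", "BUYER"),
    "U_BEN": ("PROCUREMENT", "BUYER"),
    "U_CARL": ("PROCUREMENT", "PLANNER"),
    "U_DINA": ("LOGISTICS", "BUYER"),
    "U_EMIL": ("FINANCE", "AP_CLERK"),
}

class Candidate(NamedTuple):
    role: str
    peer_holders: list   # holders with the target's department and function
    total_holders: int

def shortlist(target, candidate_roles, role_users, user_profile):
    """Split candidate roles into (ranked, unused).

    unused: roles with no current assignments, set aside for review.
    ranked: remaining roles, most same-department/same-function holders first.
    """
    profile = user_profile[target]
    ranked, unused = [], []
    for role in candidate_roles:
        holders = role_users.get(role, set()) - {target}
        if not holders:
            unused.append(role)
            continue
        peers = sorted(u for u in holders if user_profile.get(u) == profile)
        ranked.append(Candidate(role, peers, len(holders)))
    # Ties are broken by role name only to keep the output deterministic.
    ranked.sort(key=lambda c: (-len(c.peer_holders), c.role))
    return ranked, unused

if __name__ == "__main__":
    ranked, unused = shortlist("U_TARGET", list(ROLE_USERS), ROLE_USERS, USER_PROFILE)
    for c in ranked:
        print(f"{c.role}: {len(c.peer_holders)} peer(s) {c.peer_holders}, "
              f"{c.total_holders} holder(s) in total")
    print("No current assignments (check with role owner):", unused)
```

A role with zero peer holders stays on the list rather than being dropped, since the thread's point is that peer access is a hint, not proof that the access is correct.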

  • Former Member
    Sep 28, 2010 at 06:17 PM

    Hi Sridhar

    Running an SU53, finding an authorisation failure and then hunting for an additional role to assign isn't the answer really (well - there are no perfect answers - just different ways of doing things).

    Say the user is running ME22N every day and, when trying to change one particular purchase order one day, they get a 'you are not authorised' message. They complain bitterly to their work colleagues, who say 'well I can do it', then to their manager, who looks at the screen, tuts, and tells the user to fire off an email or log a call with the help desk right away as it's stopping them doing their job.

    That user may have been working perfectly well for many years, doing the same task until today, their colleagues (who can run the transaction) have joined recently, having moved positions in the business and can access the purchase order no problem.

    The thing is - should they really be able to change this one purchase order or not? They've managed fine, processing perfectly as expected with no complaints from any other person in the procurement chain.

    Having an authorisation failure and getting it fixed isn't always the thing to do; the user may actually have the correct access and all the other people may have too much access. In this example the user may have failed on doc type UB when all they should be accessing is doc type NB; the more recent joiners have access because of badly controlled access requests or legacy access.

    You need to use logic (and hopefully some competent role owners) to make sure you aren't assigning any old role just to clear a logged ticket.

    Hope this helps a little bit!

    Kind regards

    David
