Mar 11, 2013 at 06:00 PM

Getting the correct Authorizations without endless SU53 screens


Hello Security experts,

I am a developer and I am a bit displeased with the cycle I seem to run into whenever I request that a new t-code be added to a role.

1. I request a t-code be added to a role.

2. I test the t-code and run SU53.

3. Basis adds missing authorizations.

4. Repeat steps 2 & 3 until complete.

My problems with this approach:

  • SU53 doesn't always tell the Basis team the correct authorizations.
  • If the program has done authorization checks to make decisions, nothing will show in SU53 and the program will not execute correctly, and I am then left to go searching through code to find which authorization checks are there and what is being checked.
  • The ownership feels to be on my shoulders to identify everything for Basis rather than Basis knowing the correct authorizations to assign (though could just be my area).
  • I am expected to test every possible area and function of the t-code with the hopes that all the missing authorizations have been identified.

I am told this is the best practice so the user is only getting the "exact" authorizations needed, no more, no less.

I can appreciate the need to get correct authorizations, but I wish there was a less time-consuming way (for me and my Basis team).

If this has been addressed already I would love to see what the solution is. Otherwise I would love ideas I would be able to present to my Basis team.