Show TOC

 Analyzing Authorization ChecksLocate this document in the navigation structure

Function

If you do not know the required authorizations for a transaction, you can use the system trace or the authorization error analysis to determine them.

  • System Trace

    You can use the system trace function (transaction ST01) to record authorization checks in your own and in external sessions, if the trace and the transaction to be traced are running on the same application server. The trace records each authorization object that is tested, along with the object's fields and the values tested.

    For more information: Analyzing Authorizations with the System Trace

  • Authorization error analysis

    You can use transaction SU53 to analyze an access-denied error in your system that just occurred. It displays the last failed authorization check, the user's authorizations, and the failed HR authorization check.

    You can use transaction SU53 from any of your sessions, not just the one in which the error occurred.

    Tip

    For example, you selected a function, and the system reported: "You are not authorized to perform this function". To display the checked authorization object, enter SU53 or /nSU53 in the command field. The system then displays a comparison of the values of the object that are in your user master record.

    Note

    Note, as the administrator, that the data in the Failed Authorization Check area are from the time at which the user started transaction SU53 to determine which authorization he or she is missing.

    The User's Authorization Data, on the other hand, is the data that was read directly from the user buffer at the time of analysis, when the administrator views the user's problem by choosing Display for Other Users.

    Use transaction SU56 to display all of your own authorizations or the authorizations of another user. Call transaction SU56 by choosing Goto → Entered Authorization in User Buffer. This transaction shows which authorizations are currently assigned in the user's user master record.

    For more information: User Error Analysis Functions