Analyzing Authorization Checks 

If you cannot find any documentation for an authorization, the system offers two ways to find out which authorizations are required:

You can use the system trace to record authorization checks in your own sessions and in other users' sessions. The trace records each authorization object that is tested, along with the object’s fields and the values tested.

For more information, see Tracing Authorizations with the System Trace.

By entering Transaction SU53 in the command field, you can analyze an access-denied error that has just occurred in your system.

You can use Transaction SU53 from any of your sessions, not just the one in which the error occurred. You cannot analyze an authorization error in another user’s logon session from your own session.

Example: Upon selecting a function, the system responds with the message "You are not authorized for this function." If you enter SU53 or /nSU53 in the command field, the system displays the authorization object that was just tested and the authorizations, if any, that you possess for that object.

To deactivate the Transaction SU53 analysis function, set the system profile parameter auth/check_value_write_on to 0.