Analyzing Authorization Checks 

If you do not know the required authorizations for a transaction, you can determine them in the following ways:

·        System trace

You can use the system trace function (transaction ST01) to record authorization checks in your own and in external sessions, if the trace and the transaction to be traced are running on the same application server. The trace records each authorization object that is tested, along with the object’s fields and the values tested.

For more information, see Tracing Authorizations with the System Trace.

·        Authorization error analysis

You can use transaction SU53 to analyze an access-denied error in your system that just occurred.

You can use Transaction SU53 from any of your sessions, not just the one in which the error occurred. You cannot analyze an authorization error in another user’s logon session from your own session.

For example, you have selected a function, and the system responds with the message "You are not authorized for this function." To display the checked authorization object, enter SU53 or /nSU53 in the command field. The system then displays a comparison of the values of the object that are in your user master record.

Use transaction SU56 to display all of your own authorizations or the authorizations of another user.