Troubleshooting Authorization Problems
Use
The procedures described in this section are designed to help you analyze problems that arise in connection with authorizations.
Determining minimum authorization
You can use the following two procedures to determine which authorizations a user requires to carry out a transaction:
This procedure generally works well. However, sometimes the result is very surprising because certain programs can and do ignore some authorization checks by using preliminary checks and buffered results. In such cases, these methods are not very effective. You can recognize these cases because certain fields of the corresponding programs are specified with
Analyzing authorization problems in an unknown program
The most frequently used method to analyze authorization problems in an unknown program involves you setting the Debugger breakpoints to the
AUTHORITY-CHECK and MESSAGE commands. Then execute the program and analyze its behavior.Determining all the authorizations a user has for an authorization object
When troubleshooting, it is often helpful to find out all the authorizations a specified user has for a specific authorization object. A simple method of reading these authorizations as raw data from the user master record is to execute the GET_AUTH_VALUES function module in the SUSR function group. Use the SE37 transaction or SE80 in test mode to do so. The result table is not formatted for output, but is very compact and easy to understand for authorization experts.
Analyzing an authorization problem that occurs for only one user
It is often the case that a certain authorization problem occurs for only one specific user. This kind of authorization problem generally affects users with no Debugging authorization. If you want to assign a user Debugging authorization without changing the HR authorizations, you can add the S_A.DEVELOP authorization profile (if available) to the user’s authorization profiles. In production systems, note that changes such as these to authorizations enable users (with relevant knowledge of the development environment) to access any system data easily (especially in other clients).
Analyzing an authorization problem that occurs for only one personnel number
Authorization problems that occur for a single personnel number are caused almost always by incorrect settings in the environment of the
P_PERNR authorization object.Authorization problems that are user-independent and occur for a single personnel number are caused almost always by a specialized organizational assignment (or even an incorrect organizational assignment). In this case, you should check the data of the Actions (0000) and Organizational Assignment (0001) infotypes and the relationships with the organizational structure (actively integrated systems) thoroughly.
Analyzing authorization problems in connection with locking and unlocking infotype records
Authorization problems that occur in connection with locking and unlocking infotype records are often caused by the CHECK_AUTH_SET_ENQ (SAPFP50M) form.
Localizing the cause of authorization problems after the import of HR Support Packages
The majority of code for the HR Master Data authorization check is localized in the CL_HRPAD00AUTH_CHECK_STD and CL_HRPAD00AUTH_CHECK_FAST classes, the SAPFP50P report, and the HRAC function group. You can also find smaller parts of code in the SAPDBPAP, SAPDBPNP, and SAPFP50M reports. If authorization problems are caused by HR Support Packages, a good place to start looking for changes to the code is in the above-mentioned classes and reports.
Useful questions for solving authorization problems
Over 90% of SAP’s incoming messages about authorization problems are consulting problems. What is more, in many cases customers are convinced that an error is causing their problems when in fact the problem is due to a misunderstanding of the functions of the corresponding protection mechanism. When analyzing authorization problems, it is therefore important that you can answer the following questions: