Analyzing Authorization Checks 

Function

If you do not know the required authorizations for a transaction, you can use the system trace or the authorization error analysis to determine them.

●      System Trace

You can use the system trace function (transaction ST01) to record authorization checks in your own and in external sessions, if the trace and the transaction to be traced are running on the same application server. The trace records each authorization object that is tested, along with the object’s fields and the values tested.

For more information: Analyzing Authorizations with the System Trace

●      Authorization error analysis

You can use transaction SU53to analyze an access-denied error in your system that just occurred. It displays the last failed authorization check, the user’s authorizations, and the failed HR authorization check.

You can use transaction SU53 from any of your sessions, not just the one in which the error occurred.

For example, you selected a function, and the system reported: “You are not authorized to perform this function”. To display the checked authorization object, enter SU53 or /nSU53 in the command field. The system then displays a comparison of the values of the object that are in your user master record.

Note, as the administrator, that the data in the Failed Authorization Check area are from the time at which the user started transaction SU53 to determine which authorization he or she is missing.

The User’s Authorization Data, on the other hand, is the data that was read directly from the user buffer at the time of analysis, when the administrator views the user’s problem by choosing Display for Other Users.

Use transaction SU56 to display all of your own authorizations or the authorizations of another user. Call transaction SU56 by choosing Goto ® Entered Authorization in User Buffer. This transaction shows which authorizations are currently assigned in the user's user master record.

For more information: User Error Analysis Functions.