Missing Authorizations Scenario (SU53) in GRC AC 10

Hello Gurus,
Good evening !!
I was wondering how can GRC AC 10 system help when an end user has missing authorizations ??
General scenario is if an end user hits a transaction and gets "Not Authorized" , he will send a SU53 screenshot and depending on that the Basis/Security person will assign a role or directly add a transaction to his "Base/Default" roles.
I am unable to visualize , how can we handle this scenario of missing authorizations in CUP or BRM .
Please provide me your inputs on the same.
Thanks in advance.
Regards,
Victor

Hi Victor.
Am I correct in understanding that your concern is more about how the Security admin will determine which role/access to assign to the user given the SU53 report?
Personally, I would still use a report like SUIM within the local system to determine the correct role to assign to the user (if they should have it in the first place). Obviously ensure that the required roles are imported into the GRC system.
In summary, use your "As-is" process to identify what the authorization issue is, as well as the method for determining which role to provide to the user to resolve the issue, but the only thing that has changed is the "how to assign the access" i.e. you are not using SU01/PFCG as it would be hoped that you are using the GRC Access Request functinality to submit the role request/s.
I hope that has cleared up the initial misunderstanding I had.

Similar Messages

  • Troubleshooting missing Authorization.

    Dear All,
         One of the project member reported a problem that she could not upload a document to solution manager. I have verified su53 and it says that authorization check failed. Authorization object --> S_IWB (Knowledge warehouse)
      Object class BC_C Basis -Development environment.
      Can any body suggest how to start troubleshooting and adding missing authorization object please ?
    Many Thanks,
    Nick

    Hi Nick,
    Please go through the docs in help.sap.com.
    http://help.sap.com/saphelp_nw04/helpdata/en/02/4af54075198431e10000000a1550b0/frameset.htm
    Also what roles did you assign to the user. Please check if there are authorization objects related to uploading documents in Soultion Manager.
    Please reward some points.
    Regards,
    Kiran.

  • Missing authorizations in QAS for each n every t code

    Hello All,
                   i have created one role in QAS adding tcodes to it when i tested it it is showing missing authorizations for every tcode when i see in su53 and i tried to assign manually in su24 also but it is saying no changes are permitted in this client so if create a new role in DEV and transport that role to QAS if so how can give me steps in detail as if iam new to security plz do help me.
    Regards
    upendar.D

    he means on pfcg when role is designed and when generating profile, for object you already know you can assign what you want then for field that you don't understand what it is for leave it blank first. assign the role to the user. login as the user then try the transaction if it failed on authorization check go to su53 directly by using /nsu53, check what object is being error and what value expected by the transaction. edit and regenerate profile for the role again. try transaction again. repeat until success.
    Christian Rose wrote:
    Hello,
    >
    > just adding transaction to a role is not enough, within the role you have to go to tab "Authorizations", goto "Maintain Authorization Data and Generate Profiles" in change mode and generate the profiles via the according button.
    >
    > regards
    >
    > Christian
    Edited by: Henry Hsu on Oct 13, 2011 12:12 PM

  • Missing authorization already filled in

    Hi forum experts
    im having a problem with some authotizations on the CO class.
    despistes the values are filled in when we maintain in PFCG, when the user runs the tcode (KS13, KSBT), theres always the message "missing authorization". We run the SU53 the missing values are already filled in (Actvt, Kokrs, Kostl, Kstar).
    all of the cost centers are active, and even when the fields have *, the su53 returns missing auths.
    TY

    TY - You can check the buffer of a particular user via SU56. The missing Auth object that is displayed in SU53 can be checked for its values in this tcode. Press F5 is you would like to check other users buffer .. Perform a user comparision and such things should get resolved. Hope it helps.
    ~Sri

  • Toubleshooting on missing authorization.

    Hi SAP all gurus,
    I have a problem regarding troubleshooting on missing authorization issues.
    I got a ticket to solve the missing authorization, i tried with SU53 to solve that. and I got 20 similar roles regarding the missing authorization when I check with SUIM. My question is which role I want to assign the end user from those 20 roles. FYI all 20 roles have that missing authorization identity.I'm confused which role is helpful for me. Please give me your valuble suggestions and its very helpful to me.
    Thanks in advance,
    Sridhar

    Hi Sridhar
    Running an SU53, finding an authorisation failure and then hunting for an additional role to assign isn't the answer really (well - there are no perfect answers - just different ways of doing things).
    Say the user is running ME22N everyday and, when trying to change one particular purchase order one day they get a 'you are not authorised' message. They complain bitterly to their work colleagues who say 'well  I can do it'. then to their manager who looks at the screen, tuts, and tells the user to fire off an email or log a call with the help desk right away as it's stopping them doing their job.
    That user may have been working perfectly well for many years, doing the same task until today, their colleagues (who can run the transaction) have joined recently, having moved positions in the business and can access the purchase order no problem.
    The thing is - should they really be able to change this one purchase order or not? They've managed fine, processing perfectly as expected with no complaints from any other person in the procurement chain.
    Having an authorisation failure and getting it fixed isn't always the thing to do, the user may actually have the correct access and all the other people may have too much access. In this example the user may have failed on doc type UB when all they should be accessing is doc type NB, the more recent joiners have access because of badly controlled access requests or legacy access..
    You need to use logic (and hopefully some competent role owners) to make sure you aren't assigning any old role just to clear a logged ticket.
    Hope this helps a little bit!
    Kind regards
    David

  • Missing authorization for transaction VC/2 (Sales summary)

    Hi Expert,
    I am running transaction VC/2, but I get the message VB500 "the list is incomplete due to missing authorizations".
    Via transaction SU53, I see that it is object M_INFO_MCB with auth. field MCINF which is missing.
    Do you know what this object field is about?
    Thank you.
    Kind regards,
    Linda

    Hi,
    First goto SUIM T.Code.
    click on "Authorisation Objects".
    Select "Authorization Objects by Complex Selection Criteria".
    Enter "M_INFO_MCB" as "Authorization object".
    Execute.
    It shows that this is related to "Evaluation: Evaluation Structure".
    The path is:
    SPRO>Logistics General>Logistics Information system(LIS)>Flexible Analyses>Select layout reports for evaluation structures.
    Maintain values here.
    Save.
    Regards,
    Krishna.

  • How to trace the missing authorizations using NWBC at object level

    Hi all,
    In SAP R/3 any authorization issue can be tracked down till authorization object level using SU53 tcode and ST01 tcode.
    1 - I have a super user who has all the roles in Solution manager system and test user which I created with just 1 role Incident management role. But when I login with Super user ID I can see in tcode (WDY_APPLICATION - Incident Management ) I have 4 tabs (Overview,Messages,Reports and Queries) but when I execute the same tcode using test ID I can only see Overview and Messages tab. Report and Query tab were missing . Please advice on how to trace the missing authorizations using NWBC at object level? or how to solve this issue......
    2 - How to add a Web dynpro Transaction code (example WDY_APPLICATION - Incident Management )while building a role in PFCG?
    Thanks
    LAK

    Hi Gurus,
    Can anyone please help me with my questions.
    In addition here are few more info that I need
    How to bring in the new authorizations without logiing off and logging in back in NWBC ( Equivalent to Menu-->Refresh in SAP GUI)
    Thanks
    LAK

  • PA42 missing authorizations

    postion S  was created  12.06.2013 . But HR admin (user) was not able run PA42 requested action due to missing authorizations to
    object S.
    what whould be the root cause for such issues

    here is the screen shot through SU53.

  • 'Document store operation failed due to missing authorization'

    Hi all,
      I am getting the error message 'Document store operation failed due to missing authorization' when trying to save the workbook as the existing Workbook after changing the structure for it. We are using the Authorization Hierarchies.
    What is the problem and how can I fix it, PLEASE ???
    Thanks.
    Message was edited by: Venkat Kodi

    check out the related thread:
    What is this error

  • Missing authorization for the plant - Message no. ME303

    Missing authorization for the plant - Message no. ME303
    I am getting the above error while creating the PO.
    what is the cause of error?
    How do I rectify this?
    I have used the right data, till yday it was working fine. I doubt some config change has happened

    Hi,
    Check with your basis  consultant whether the authorization is change ?
    Regards,
    Chetan.

  • Missing authorization for plant ' '

    User is missing authorization for plant ' '
    User trace gives the following missing authorization
    Object:
    M_IS_WERKS RC=4 MCINF=S039;WERKS=' '
    Can anybody help me out to find the meaning of space( ' ' ) in plant or any field?
    thank you in advace

    *  Prüfung, ob Berechtigung für die Werke existiert
      SELECT * FROM T001W INTO TABLE AW_HLP_T001W
                          WHERE WERKS IN AW_WERKS.
      DESCRIBE TABLE AW_WERKS LINES SY-TFILL.
      IF SY-TFILL > 0.
        FLG_SELECT = 'X'.
      ENDIF.
    <b> clear aw_hlp_t001w-werks.                       " note 124769, ver.04
      collect aw_hlp_t001w.                           " note 124769, ver.04</b>
      LOOP AT AW_HLP_T001W.
        AUTHORITY-CHECK OBJECT 'M_IS_WERKS'
                 ID 'MCINF' FIELD AW_MCINF
                 ID 'WERKS' FIELD AW_HLP_T001W-WERKS.
    There must be a reason to add an empty line, which causes the silly authority check. As far as I understand Note 124769 you have got to add  plant ' '. See Note 408003: ."Create an authorization for the authorization object M_IS_WERKS which contains the value WERK =  . Refer to Note 124769."

  • EDMS: 'Missing authorization for this functionality' when searching user

    Hi,
    I've activated ALC authorization for DMS. In EDMS, when trying to add an user to a DIR with search function an error occurres as below.
    'Missing authorization for this functionality'
    BTW, the user has contains SAP_ALL profile. It can't be any authorization reasons.
    Regards,
    Yemi

    Hi,
    authorization checks will not happen if the search help from sap-gui.I
    think the problem is releted to missing implementation of "check
    function module" from your side. If the search help is linked to a
    "master data table" (type A) a check function must be implemented to
    check the permission of the user.
    This function module is read from table BAPIF4T.                 Please
    check the following link:                                 http://help.sa
    p.com/saphelp_nw04/helpdata/en/a5/3eca044ac011d189
    4e0000e829fbbd/content.htm
    http://wiki.sdn.sap.com/wiki/display/PLM/Object+Link+search+in+EasyDMS
    Regards,
    Hari

  • Workbook: Document store operation failed due to missing authorization

    Hello authorizer gurus,
    I have got 3.5.
    I have transported.
    I try to open a workbook.
    I am getting a Error Message:
               Document store operation failed due to missing authorization
    Newly saved Queries as workbook can be openend.
    What's wrong ?
    Thank You
    Martin Sautter

    Martin,
    To get a detailed message about the error (including which authorization objects the user needs to have to be able to perform the action that caused the error) use ST22. It sounds like they are missing the Open authorization for workbooks.
    Cheers,
    Rusty

  • Missing authorizations for authorization object UIU_COMP

    I have generated the pfcg role for a business role using report CRMD_UI_ROLE_PREPARE and assigned the pfcg role to a user.
    The user is apparently able to perform navigation as required. However, when a ST01 trace is run for the user, there are few missing authorizations for UIU_COMP. Could anyone please explain the reason for this? No changes have been made to object UIU_COMP  i.e. only values generated by the report is present there. Should the missing authorizations be added manually to the role?

    I would recomend that you define for component UIU_COMP in your pfcg role full access (all set to *), because this authorization object is used for access to web ui components. Even thou if you define this object to full access users will still see just components defined in business role.
    Regards.

  • Profit center and comapny code missing authorization problem.

    Could you help any body,i have some missing authorization problem with profit center and company code,
    How to search the roles  which having require profit and company code values.
    Is there any way to search.
    Please let us know very fast.
    Thanks in advance

    Another, and probably much easier way, is just to use Ctrl + Y... and use subsets of the selections in the SUIM reports.
    But I can well understand the temptation to use tables or at least double-check the SUIM output against them.
    The bugger with tables is that you can easy make the same mistakes or more than the SUIM reports do, or use old obsolete tables, or incorrect logic when interpreting single fields of the user tables.
    Personally,  I would normally check the exits first. Developers don't always raise self-explanatory messages...
    Cheers,
    Julius

Maybe you are looking for

  • Issue with Start Routine

    Hi Experts, I searched in the forum, but no Start Routine found which includes lot of code,as i know it's not gud to post code here, but i am not finding solution, pls help me. I have small issue with the following code, pls specify changes.Original

  • Increasing the hight time of a single pulse

    I am quite new in using Labview, and have bumped in to this annoying problem: Basically I would like to create single ttl pulses with a user specified high time of anything from 0.5 ms to 100 ms, and repeat this procedure every (1 s -10 s) a certain

  • Ethernet on my laptop x86

    I don't know why, but when the installation is finish I can't use my internet connection because the OS don't install my ethernet pot.....someone can halp me?

  • Lightroom 2.1-PhotoFrame 4.1-PS CS4 64 bit issue

    OnOne tells me that PS CS4 64 bit is not supported in PhotoFrame 4.1. When I try to use PhotoFrame from LR, it attempts to open the images in PS CS4 64 bit. Is there any way to get LR to default to launching the non-64 bit version of PS (which is als

  • Lightroom 5 wont delete files

    So I recently just upgraded from Lightroom 4 to LR 5. Whenever I go to permanently delete files from my hard drive, I get a message saying "The files are on a volume that does not support Trash. Would you like to permanently delete them?"  I click th