SU53 authorization checks

Similar Messages

• Authorization check failed

  hello experts!
  i created a program via smartforms but when my user try to generate a printed form an error message appear than FORM
  cannot be displayed. when i check Tcode: SU53 Authorization check failed.
  Object Class HR Human Resources
  Authorization Obj. P_ABAP  HR Reporting\
  Authorization Field COARS Degree of simplification for authorizaton check       1
  Authorization field REPID ABAP program name     ZHRPY00018C
  Please help on this one...
  How to fixed this
  Thank you

  hello...
  actually this report has 2 display a List display and via smartforms...
  we laready add this program  in her authorization profile... the only problem
  is when she try to generate the report via smartform she cannot produced the
  the output print docu. because an error appears that my FORM cannot be display.
  But when i check it in the development i can produced a test document.
  please help...

• Disabling authorizations checks for transactions SU53 and/or SU56.

  Greetings.
  I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
  Any truth in this or is my mind playing tricks on me?

  Hi,
  I guess theres is profile param auth/tcodes_not_checked(I guess thats right), this will exclude SU53/SU56 from checks on transaction code.
  This can be done using RZ10 and need to restart the system.
  Rakesh

• 'DUMMY' value of the field in Authorization Check

  Hello everyone!
  I have some misunderstanding. I made an authorization check in transaction SU53 and i see a class, an object and the field which need to be DUMMY. What does it mean? What Value of this field I  have to choose when I give an authorization for myself?

  Sorry, but that's not correct.
  "DUMMY" is equivalent to "don't care" or "any value".
  That is different from requesting a SPACE value (which is just one distinct value).
  If a "dummy" value is requested, actually no value is requested - any value will satisfy the request.
  See <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm">ABAP Online Documentation</a>.

• Authorization Check on Radio Button

  Hi,
  I have a custom report which has a radio button. Can I provide the authorization on this radio button, meaning only selected no. of users can run this report with radio button checked. I know it's possible through maintaining a list of users in custom table, But I want to check if we can do it using authorization object/group etc...

  Birendra, you're absolutely correct that we need to consider future maintenance efforts. But this is exactly a weak side of the parameter approach that you've suggested. The jet analogy is impressive, but way out of proportion in this case.
  Using authority check command in ABAP code and modifying screen elements is not hard-coding. The parameter approach also requires writing some code, so it has no advantage here.
  Also it requires someone (a Basis admin?) to update the user profile and a table entry that you've mentioned. To use the standard authorizations, only one authorization object will need to be created (although it may even be possible to use another, existing object if it's the same authorization level). It won't take more space or more time to create than an SM30 entry. Updating the roles might be more of a hassle than updating the user parameter, but the difference can hardly be considered significant and it's a one-time thing anyway.
  It is a matter of preference whether to hide a control, disable it or display a message. (By the way, in many standard transactions you'll find that controls or menu options are hidden/disabled based on authorization, so it is nothing exotic.) But I stand by my suggestion of using standard authorization check functionality specifically because it makes the future maintenance easier.
  1) Basis admins most likely already maintain some document regarding the role assignment. It might be actually easier to them to maintain the roles than to keep track of the additional profile parameter and remember it in future.
  2) Imagine years from now you're gone and all the new people are maintaining the system. The user gets a 'no authorization' message and, naturally, contacts a system admin. Again, naturally, admin will check security trace. Now guess what - your parameter thingy cannot be tracked anywhere. No one knows about it and it will take an ABAPer to figure this out.
  With standard approach it will only take a second to run SU53 and a few minutes to resolve an issue by a Basis admin. Additionally, authorization objects have 'where used' button, so it would be easy to check if and where the object is used (e.g. if the report has been changed/deleted it will be easy to spot the 'orphaned' object). With the profile parameter sooner or later someone will have to wonder what the heck it is for and might accidentally delete it. By the way, sometimes users actually have access to their own parameters, so it's not a very secure option either.
  I understand you mean well, but, unfortunately, in my work quite frequently I have to deal with some things that were developed by well-meaining consultants who overlooked some long-term effects of their approach.

• Authorization-check P_PCR fails...

  Hey Guys,
  I have a little authorization problem... 
  I created a role with authorizationobject P_PCR. 
  Payroll Area                   B8    
  Activity                       Change
  In my program i have following code to check authorization :
  GET pernr.
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  * further processing..
  Everytime i execute this code, sy-subrc eq 4... :(.
  When i look into SU53 :
  The authorization check failed
    Authorization obj. <i>P_PCR</i>  HR: Payroll Control Record
      Object Class <i>HR</i>  Human Resources
                                      B8
        Activity                      02
  My user is added to the role, so i don't see anymore why i can't execute this report ...  Does anyone has an idea for me ?
  Thanks,
  Kind Regards,
  Tom

  Bon...  Found the error...
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  In object P_PCR the field is not AB<b>KR</b>S, but the field is AB<b>RK</b>S.
  So, problem solved...
  Greetz,
  Tom

• Authorization Check Failed for HR P_ORGIN on VDSK1

  Hi Experts,
  We have an issue where an HR secretary is making an address change to an employee via pa30.  She is successfully able to save the change with no warning on the screen.  However, when we run /nsu53 immediately after, we see that there was an authorization check failed.  The check failed is in class HR, object P_ORGIN.  The field is VDSK1.  We have values defined there, whereas SAP is requesting a *.  We do not want to use the *, but the value in VDSK1 is correct and should not be failing.
  Anyone ever see this issue before?
  Thanks
  Shane

  Hi Shane,
  Since the secretary was able to save the record I assume there is no issue with the role. SU53 always shows last failed authorisation check. Even if transaction has been succesful you normally find failed authorisation checks from SU53. In your case I assume that PA30 checks first that if user happens to have P_ORGIN with * value in VDSK1. If not then it checks employees infotype 0001 and organisational key and tries to match that to the value in the role. If you pass this check SU53 will still show failed check where VDSK1=*.
  So this is normal behaviour for SU53 and nothing to be worried about. Annoying is when SU53 gives something sill as last check after error. Annoying are SU53 reports from users to add S_DEVELOP with Debug object because programmer has decided to leave break-point to program.
  cheers, s

• Authorization check in BW

  Hi,
    I need to run authorization check  for another user in BW ..How can i do it
    if i run SU53 it is doing the authorization check for my account
  Thanks

  Hi Super,
                 You can check Authorization check in BW or in SAP using SU53 and enter user name of the already executed SU53 in the following way
  > enter SU53 -
  > then click on Copy button on left top side----
  > enter the user ID of executed user, you can see SU53 report this is one way you can retrive others SU53 reports. So in the BW authorization check can be done in the following way
  > enter RSSM----
  > in the bottom there is button of trace or error logs -
  > Enter user ID and run the trace or error logs
         Hope you understood, let me know if you need more details
  Thanks
  Qureshi

• Sales Document initial load Authorization check.

  Hi Guys,
  I am trying to do an initial download of all the Sales Documents from R/3 to CRM but I get the error "An authorization check could not be executed".
  SU53 is not showing any authorization failure for the corresponding user.
  Thanks in advance,
  Regards,
  Siva.

  Hi Siva,
  As SU53 is not showing you anything, means there could be problem with rights of RFC user.
  Check if your RFC user have all the required rights.
  Best Regards,
  Pratik Patel
  Reward with points if it is of any help to you!

• SU53 Authorization

  Hi,
  When SU53 is assigned to user X, SAP Admin can see SU53 log of user X also. But when SU53 authorization of X is removed, it's not possible to watch SU53 log of X. Can anyone tell me the reason behind?
  Thank you.
  Prasad

  The data (whatever it is at that point in time for the user) is loaded from the system's memory. That memory is held within the context of the user ID.
  * Get result of last authorization check
    GET PARAMETER ID 'XU1' FIELD usr07key.                    "#EC EXISTS
    GET PARAMETER ID 'XU2' FIELD usr07val1.                   "#EC EXISTS
    GET PARAMETER ID 'XU7' FIELD usr07val2.                   "#EC EXISTS
  So it "belongs" to that user until they run SU53 to make it available to the admin.
  Running another user's SU53 for them would require that you know <b>when</b> to run it and <b>how</b> to run it under their ID... If you find a new way of doing this, you should report it to SAP
  Cheers,
  Julius

• Authorization Check for Storage Location

  Hi Experts,
  I have the following requirement :-
  I have Plant : P081 created under Company Code : P110.
  I have got various Storage Locations under this Plant for example
  KT01 - Main Stores
  KT24 - Remote Store.
  The KT24 store is basically a remote location store. I have activated the Authorization for the Storage Location KT24 in the SPRO Settings
  Material Management --> Inventory Management and Physical Inventory --> Authorization Management --> Authorization check for storage location.
  I have maintain the following authorizations for the Object M_MSEG_LGO as follows :-
  1. OBJECT : M_MSEG_LGO.
  >> 2. USER ID : 081Store
  >> 3. PLANT : P081
  >> 4. STORAGE LOCATION : Kt24
  >> 5. ACTIVITY : 01-03
  >> 6. MOVEMENT : 101, 102, 201, 221, 261
  and authorization for T_code MIGO_GR and MIGO_GI . I want to restrict the user for transaction only for this storage location but the system is allowing the user to post GR document for KT01 stores also.
  Can any one suggest a solution or settings that need to be done for the user to be restricted to prepared GR for Storage Location KT24 only.
  Thanks in advance.
  AJ

  Hi,
  You set the authorizations to users with tcode PFCG. To know the reason of deny some access run tcode SU53 after SAP denies the access to some documents / objects.
  Regards,
  Eduardo

• Error :Authorization check for caller assignment to J2EE security role whil

  Hi Experts,
               i m working as a portal resource .
  after the deployment of standered Sap e-rec package .
  i m getting some error. i have assigned the recruiter role to one test user.
  Now i m getting two issue:
  1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
  2) I m able to see few iview for the test user but those are also in detailed navigation view.
     And few ivews are giving following error :
    i)Internal error
  ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
  Full Message Text
  ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  please suggest what can be  done or what is pending from my side.

  Prajakta2602 wrote:
  Hi Experts,
  >
  > the previous issue got solved..
  > it was due to servies pack miss match and applying notes
  > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
  > notes 1445294 and 1175239 were applied.
  > now the issue is:
  >
  >
  >  After implemetation and  i assigning the standerd sap roles
  > 1)Recruiter Administrator
  > 2)Recruiter
  > to the test user .
  > but for few iview it is showing error as in
  > 1) you are not a authorized user
  > 2) internal error
  >
  > please help experts.
  >
  >  i m working on portal side have i to assign any role to that test user..
  >
  >
  > Thnaks & Regards,
  > Prajakta
  You can run a quick check using the below steps:
  1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
  2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
  Regards,
  Mahesh

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan