Symptom
In XSS (ESS/MSS self-service) applications it is common to face authorization issues. Symptoms of these incidents are:
- Only a few users face the error
- XssMenuArea expired
- RFC errors
- etc.
Solution
First of all, it's necessary to isolate the issue. How? By assigning full authorization to the affected user (for example: super_admin and SAP_ALL).
After that, assign each role in turn and test. The idea is to find which role is causing the issue.
As soon as you find the role that lacks the authorization, you can open it via PFCG (if it's a backend role) or User Administration (if it's a Portal role).
It's common to have custom roles without the S_SERVICE authorization object, in which case it's necessary to assign it to the users. For example:
Two parameters must be set: SERVICE_TYPE = 'WEBDYNPRO' and
SERVICE = <vendor>/<dc>/<Application>, for example:
sap.com/pcui_gp~xssutils/XssMenuArea
For testing you can also assign '*' for SERVICE to your user.
Also, it's common to forget to assign the role SAP_ERP_EMPLOYEE to ESS users.
* You can also check note 612585 (New: Authorization default values for ext. services) for more information.
* Example of a full-authorization user in ESS and MSS:
Assigned roles:
- Unique Name: pcd:portal_content/com.sap.sandbox/d035508/com.sap.pct.erp.mss.manager_self_service
  Display Name: com.sap.pct.erp.mss.manager_self_service
- Unique Name: pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.ess.bp_folder/com.sap.pct.erp.ess.roles/com.sap.pct.erp.ess.employee_self_service
  Display Name: com.sap.pct.erp.ess.employee_self_service
- Unique Name: pcd:portal_content/com.sap.pct/line_manager/com.sap.pct.erp.mss.bp_folder/com.sap.pct.erp.mss.roles/com.sap.pct.erp.mss.manager_self_service
  Display Name: com.sap.pct.erp.mss.manager_self_service
- Unique Name: pcd:portal_content/com.sap.pct/line_manager/com.sap.pct.erp.mss.bp_folder/com.sap.pct.erp.mss.13.bp_folder/com.sap.pct.erp.mss.13.roles/com.sap.pct.erp.mss.manager_self_service
  Display Name: com.sap.pct.erp.mss.manager_self_service
- Unique Name: pcd:portal_content/com.sap.pct/specialist/com.sap.pct.erp.srvadmin.bp_folder/com.sap.pct.erp.srvadmin.roles/com.sap.pct.erp.srvadmin.SRVAdministrator
  Display Name: com.sap.pct.erp.srvadmin.SRVAdministrator
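
A follow-up check for the isolation procedure above, as an added example that is not part of the original page or any SAP tool: it scans an assignment export for full authorization (super_admin, SAP_ALL) or SERVICE = '*' left over from testing, and for ESS users without SAP_ERP_EMPLOYEE. The CSV layout, the user names and the `audit` function are assumptions made for this example; the role and field names are the ones used on this page.

```python
import csv
import io

# Constructed sample export (hypothetical format): one row per assignment.
# kind is portal_role, backend_role or s_service; an s_service value is
# "SERVICE_TYPE|SERVICE", using the field names given on this page.
SAMPLE_EXPORT = """user,kind,value
ALICE,portal_role,com.sap.pct.erp.ess.employee_self_service
ALICE,backend_role,SAP_ERP_EMPLOYEE
ALICE,s_service,WEBDYNPRO|sap.com/pcui_gp~xssutils/XssMenuArea
BOB,portal_role,com.sap.pct.erp.ess.employee_self_service
BOB,s_service,WEBDYNPRO|*
CAROL,portal_role,super_admin
CAROL,backend_role,SAP_ALL
CAROL,backend_role,SAP_ERP_EMPLOYEE
"""

FULL_AUTH = {"super_admin", "SAP_ALL"}  # full authorization used for isolation
ESS_PORTAL_ROLE = "com.sap.pct.erp.ess.employee_self_service"
ESS_BACKEND_ROLE = "SAP_ERP_EMPLOYEE"


def audit(export_text):
    """Return {user: [findings]} for every user with at least one finding."""
    roles, services = {}, {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user, kind, value = row["user"], row["kind"], row["value"].strip()
        if kind == "s_service":
            svc_type, _, service = value.partition("|")
            services.setdefault(user, set()).add((svc_type, service))
        else:
            roles.setdefault(user, set()).add(value)
    findings = {}
    for user in sorted(set(roles) | set(services)):
        held = roles.get(user, set())
        found = [f"full authorization still assigned: {r}" for r in sorted(held & FULL_AUTH)]
        if ESS_PORTAL_ROLE in held and ESS_BACKEND_ROLE not in held:
            found.append(f"ESS user without {ESS_BACKEND_ROLE}")
        if ("WEBDYNPRO", "*") in services.get(user, set()):
            found.append("S_SERVICE SERVICE='*' (test value) still assigned")
        if found:
            findings[user] = found
    return findings


if __name__ == "__main__":
    for user, found in audit(SAMPLE_EXPORT).items():
        print(user, found)
```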