Security and Identity Management
Page tree
Skip to end of metadata
Go to start of metadata

Display multiple authority-checks, source code location and return & reason-codes when analyzing users

Contrary to popular belief, SU53 displays the last failed authority-check statement and not necessarily the authority which needs to be added to the role to solve the problem (or make the faulty configuration go away).
What would be very useful for analysis is to be able to collect information similar to the ST01 trace from a user specific transaction similar to SU53, such that the authorization support can see the transaction context of the user at the time, the report ID, the dynpro number (basically, the source code location) as well as the kernel return code and a reason code for it should the kernel have changed the return code. This would help to solve a lot of misunderstandings about ABAP authorizations and point to better configuration solutions.

Update: This request was implemented in SAP Note 1373111 - Improvements to authorization trace.  Thank you SAP!

2 Comments

  1. Dipanjan Sanpui

    Multiple Authority-Check can be found by using the report:  RSABAPSC

    • Default level of search is 5.
    • To get full list of Authority-Check statements and associated Authorization Objects you need to increase the level.
    • If you keep the field blank, you will get the full list. In that case, execute the report in Background.

    Source code location can be found by using report:  RSANAL00

    • RSANAL00 is a very useful report to get various information for a particular program.
    • It gives details of Source Code.
    • Conversions
    • Variables associated with Field Names, Type etc.
    • Subroutines
    • External Tables from where data is fetched or updated
    • A long range of output format as per our own choice.

    Return Codes for Authorization failures should be analyzed at the first stage with ST01 to analyze the different status requirements of Authorization Objects for each Tcodes under consideration. Still this is the best approach to start the first level of analysis.

    Regards,
    Dipanjan

  2. Former Member

    Hi Dipanjan,

    The main reason behind this request is to be able to evaluate a reason code together with the return code and context, from the kernel.

    You can debug some kernel functions or use SAP's tracing function (RZ11=auth/athorization_trace) to some extent, but it is not reasonable to expect that as an admin tool (which is also documented in RZ11).

     SU53 and ST01 on their own (seperate functionality) cause more trouble than good in my opinion (smile)

     Cheers,

    Julius