11-05-2008 9:44 AM
Gurus,
What is the authorization needed to change parameters in SU3 ?
I have them in change mode in one environment and only in display mode in another one.
Thanks for your help,
Olivier
11-06-2008 11:50 AM
> What is the authorization needed to change parameters in SU3 ?
> I have them in change mode in one environment and only in display mode in another one.
Are any of your systems in a Central User Administration environment? If so, check the CUA settings. Maybe one environment is configured in such a way the parameters need to be maintained in the CUA master.
I ran transaction SU3 in my MiniSAP ( SAP NetWeaver 2004s ) with a trace in the background, changed some stuff and saved, and it only checked S_TCODE. I doubt if this is an authorization issue so in my opinion you can safely ignore the list of objects posted as the second reply.
Jurjen
11-05-2008 8:09 PM
Hi ...
Check transaction 'SU53' after the 'SU3' authorization fail.
This will give the list of objetct/s that are need to be in your authorization group.
Thanks,
Aditya. V
11-06-2008 11:17 AM
Hi Olivier,
The following is the list of auth objects which are checked for tcode SU3 :
B_ALE_MODL ALE: Distribution Model Maintenance
B_ALE_RECV ALE/EDI: Receiving IDocs via RFC
PLOG Personnel Planning
S_ADDRESS1 Business Address Services: Address Type 1 (Org. Addresses)
S_ADMI_FCD System Authorizations
S_ALV_LAYO ALV Standard Layout
S_BCSETS BC Set Authorization Object
S_BDS_DS BC-SRV-KPR-BDS: Authorizations for Document Set
S_BTCH_ADM Background Processing: Background Administrator
S_BTCH_JOB Background Processing: Operations on Background Jobs
S_C_FUNCT C calls in ABAP programs
S_CARRID Authorization Object for Airlines
S_CTS_ADMI Administration Functions in Change and Transport System
S_DATASET Authorization for file access
S_DEVELOP ABAP Workbench
S_DOKU_AUT SE61 Documentation Maintenance Authorization
S_FLBOOK Authorization Object for Flight Bookings (Demo)
S_FRA_AREA Framework Registry: Area
S_FRA_SP Framework Registry: Service Provider
S_FRA_SPS Framework Registry: Element Type
S_GUI Authorization for GUI activities
S_IWB Knowledge Warehouse
S_IWB_ADM Knowledge Warehouse: Administration
S_OC_DOC SAPoffice: Authorization for an Activity with Documents
S_OC_ROLE SAPoffice: Office User Attribute
S_OC_SEND Authorization Object for Sending
S_OLE_CALL OLE calls from ABAP programs
S_PACKSTRU Internal SAP Use: Package Structure
S_PRO_AUTH IMG: New authorizations for projects
S_PROJECT Project Management: Project authorization
S_RFC Authorization Check for RFC Access
S_RZL_ADM CCMS: System Administration
S_SCMG_CAS Case Management: Case
S_SCMG_FLN Case Management: Authorization by Field
S_SCMG_STA Case Management: Status
S_SCMG_TXT Case Management: Text Notes
S_SPO_DEV Spool: Device authorizations
S_SRMGS_CT Records Management: Authorizations for Document Content
S_SRMGS_PR Records Management: Authorizations for Attributes
S_SRMSY_CL SAP Records Management : General Authorization Object
S_TABU_CLI Cross-Client Table Maintenance
S_TABU_DIS Table Maintenance (via standard tools such as SM30)
S_TCODE Transaction Code Check at Transaction Start
S_TRANSLAT Translation environment authorization object
S_TRANSPRT Transport Organizer
S_TWB Test Workbench structure maintenance
S_USER_AGR Authorizations: Role Check
S_USER_GRP User Master Maintenance: User Groups
S_USER_PRO User Master Maintenance: Authorization Profile
S_USER_SAS User Master Maintenance: System-Specific Assignments
S_WFAR_OBJ ArchiveLink: Authorizations for access to documents
S_WFAR_PRI SAP ArchiveLink: Authorization to Access Print Lists
the best thing to find out which ones missing can be to run tcode SU53 or ST01 - system trace
Best,
Suchitra
11-06-2008 2:59 PM
>
> S_CARRID Authorization Object for Airlines
>
?<sub name>?<sub name>?<sub name>?<sub name>?<sub name>?<sub name>?<sub name>?<sub name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sup name>?<sub name>?<sub name>?<sub name>?<sub name>?<sub name>?<sub name><sub name>?<sub name><sub name>?<sub name><sub name>?<sub name><sub name>?<sub name><sub name>?<sub name><sub name>?<sub name>?<sup name><sup name>?<sup name><sup name>?<sup name><sup name>?<sup name><sup name><sup name>?<sup name><sup name><sup name>?<sup name><sup name><sup name>?<sup name><sup name><sup name>?
11-06-2008 11:50 AM
> What is the authorization needed to change parameters in SU3 ?
> I have them in change mode in one environment and only in display mode in another one.
Are any of your systems in a Central User Administration environment? If so, check the CUA settings. Maybe one environment is configured in such a way the parameters need to be maintained in the CUA master.
I ran transaction SU3 in my MiniSAP ( SAP NetWeaver 2004s ) with a trace in the background, changed some stuff and saved, and it only checked S_TCODE. I doubt if this is an authorization issue so in my opinion you can safely ignore the list of objects posted as the second reply.
Jurjen
11-06-2008 3:15 PM
11-06-2008 3:33 PM
SU3 is a all or nothing transaction. You either have access to it (S_TCODE will have SU3) or you don't.
As to why you see it in display mode in one system versus change mode in another; Jurjen's analysis is right. The most likely reason is your CUA settings allow parameter maintenance only central system. And if that really is the case, it is counter-productive.
Think about it. SU3 is meant to allow users to be able to maintain their own parameter ID's. It's like personalization. What's the point in giving them access to tcode SU3 but maintain your CUA settings such that parameter ID's can be changed only through central system!
11-06-2008 5:25 PM
Absolutely agree on that Ashutosh!
Thing is the client is NOT always right but he's the one to decide. Even the IT guys feel that it is a nonsense.
You know the drill !
11-06-2008 8:40 PM
Hmmm.... but they will soon realize that there is potentially a lot of work involved and / or user unhappiness...
Perhaps you could mention to them that if there are specific PIDs which they are concerned about (as these determine more than just user preferences for re-using parameters) then they should raise those concerns with SAP.
These forums are not really intended for "bug reports", but some PID related concerns have been raised in the past, and an interesting discussion about security design (which leads to a correction) has happened before as well...
Cheers,
Julius
08-29-2013 10:00 PM
Many years have passed since this post was opened and something has changed. I don't know exactly which Support Package introduced this, but now, SU3 checks S_RZL_ADM / ACTVT = 03. I'm on SAPKB70107 and getting big dumps whenever user touches Defaults tab in SU3 if not having this auth. FYI. Anyone know which support pack brought this?
08-29-2013 10:07 PM
That is illogical and I have not seen that. Perhaps something was modified it an exit is active?
Check table PRGN_CUST and SSM_CUST for any suspect entries. I place my bets of it coming from there..
Cheers,
Julius
ps: such a pity that my answer to "S_CARRID " was toasted by the new platform formating 😞
08-30-2013 4:33 AM
same here. nothing in those tables.
Termination occurred in the ABAP program "SAPLSPFC" - in "PFL_GET_PARAMETER".
The main program was "SAPMSUU0O ".
In the source code you have the termination point in line 45
of the (Include) program "LSPFCU15".
(Function Module PFL_GET_PARAMETER)
40 AUTHORITY-CHECK OBJECT 'S_RZL_ADM'
41 ID 'ACTVT' FIELD '03'.
42 if sy-subrc <> 0.
43 AUTHORITY-CHECK OBJECT 'S_TCODE'
44 ID 'TCD' FIELD 'RZ11'.
>>> IF sy-subrc <> 0. RAISE authorization_missing. ENDIF.
46 endif.
10-01-2013 3:10 PM