Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Message GR587 despite sufficient authorization

former_member181995
Active Contributor
0 Kudos

Hi All,

I'm running the report S_ALR_87013618 .Although i assigned all the authorizations for a specific user. But still users are getting message GR587.

I'm not much in security or Basis related issues.I could only debug the report and i can get from where this message were raised, but unfortunately i didn't found much.I also found few OSS 171384, 195256 but they are not relevant for our System. we are in ECC 6.00.

Can anybody shed some light please?

Thank you,

Amit.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello there Amit,

Take a look at the attributes of the generated program which is giving you this message. It might date back to way back then, although that would be a long way back.

According to the foot note in SAP Note 171384, you need to regenerate them after applying the advance corrections or "Hotfixes" from the past. SAP note 78109 goes on further to explain.

I also checked in an ECC 6.0 system (although the SP's are almost a year old already on it) and the message is still there (T100) but no longer used anywhere (no where-used-list reference).

Check that and see what you find?

Cheers,

Julius

18 REPLIES 18

Former Member
0 Kudos

Hello there Amit,

Take a look at the attributes of the generated program which is giving you this message. It might date back to way back then, although that would be a long way back.

According to the foot note in SAP Note 171384, you need to regenerate them after applying the advance corrections or "Hotfixes" from the past. SAP note 78109 goes on further to explain.

I also checked in an ECC 6.0 system (although the SP's are almost a year old already on it) and the message is still there (T100) but no longer used anywhere (no where-used-list reference).

Check that and see what you find?

Cheers,

Julius

0 Kudos

>

> I also checked in an ECC 6.0 system (although the SP's are almost a year old already on it) and the message is still there (T100) but no longer used anywhere (no where-used-list reference).

Thanks Julius for your response.

I also checked (where-used-list), and found message is no longer used. This behavior is because message is populating from Macros.

But if you see the include FGRWSF10 line 138,It calls a message GR587.I believe from this include Iu2019m getting the message.

Although Note 78109 looked promising, but no luck though even after regenerating the report group from GR55.

However I'm(From my user-id) able to run the report without any warning messages(I've SAP_ALL), but some of the users are getting warning message (GR587),And we can't give them SAP_ALL.

It looks we missed some authorization for those users. But not sure which authorization causing the problem.Although i can see our custom role(Z_CO_REPORTS) for FICO reports is well assigned in there user-id.

Edit:And from Attributes of Generated program i can only see the info


Last changed by        01/12/2009       GUJARGOUDA 
Authorization Group   RW_1VK  
Package               $TMP

Any more hints please?

Cheers,

Amit.

0 Kudos

Hi

It looks we missed some authorization for those users. But not sure which authorization causing the problem.

Try doing a system trace using the id of one of the users impacted - you should be able to work out which objects/values need to be added.

Regards

Charmaine

0 Kudos

Hi Charmaine,

Which System Trace you are referring?

I already checked SU53 and itu2019s not showing me any "Authorization check failed"

Can you please bit elaborate with your answer for System Trace?

Cheers,

Amit.

0 Kudos

Amit,

Use transaction ST01 to perfor the auth trace, once you are in there it is pretty self explanatory. This will let you execute a transaction and trace the authorisation checks performed.

With an S_ALR* report I would trace it using your SAP_ALL (or other powerful ID). You can compare this to the role you have created and make a call to add in the different auth objects & values listed.

An alternative is to trace using an ID with the original role, you may need to report the process a few times depending how the particular code is written.

0 Kudos

Thanks Alex,

Yes i did ST01 for authorization trace, and found the difference which was:

K_REPO_CCA RC=0  KOKRS=0100;KOSTL=*;KSTAR=*;ACTVT=27;             
K_CCA      RC=0  CO_ACTION=3027;RESPAREA=KS01000148412010;KSTAR= ;

Above are two Auth Object which are getting checked with SAP_ ALL(Means with my ID), but not with end-users ID.

After this evaluation i added these two Auth Objects to those user-ID, but unfortunately same message still comes.

And yes i activated the roles also.

Can you please tell me was i missed somthing?

I found one OSS 15211, the same thing about these roles is mentioned in OSS. But No Luck. I know Iu2019m missing somewhere pretty obvious thing. But not succeed yet

Cheers,

Amit.

0 Kudos

Hi Amit,

I don't have a system infront of my, but could imagine that the message is not reacting to an authority-check, but rather some exception is being passed on to a variable which is then throwing the message if found.

There is a feature in the ST01 trace which you will like. Once you find the object for which the return code is not 0, double-click on the line in the trace file. At the top left hand corner is little "jump to" icon which looks like a bar bill for a [Paneer sandwich|http://www.indianfoodforever.com/bachelor-cooking/paneer-sandwiches.html], 2 beers and a packet of smokes.

Click on it. It will take you to the source code location of the check itself, and not the message.

If you set a break point there, and take a look at how the program reacts to the check, then it might help you further.

I am curious now as well, so will try to track down a system to check it.

Alternately we can move it to the ABAP General after a while. Perhaps someone knows how to delete the message from T100...

Cheers,

Julius

BTW: Also take a quick check in ST22 for dumps. It might be using SLST??

Edited by: Julius Bussche on Jan 13, 2009 12:27 AM

0 Kudos

Hi Julius,

At-least you leaved a bit laugh on my face today.

There is no Auth failed in ST01 which returned with return code is not 0.All returned with 0.

For report,Strange thing for me is that why K_REPO_CCA and K_CCA didn't called with end-user's ID, but these are called and checked with my User-ID which has SAP_ALL!!

Although i already assigned both Auth Object to them!!

Is this Behavior causing a problem?

I think i have to do Triple click on trace file , might be it will take me somewhere from i can get some help, though double click didnu2019t help much

I am curious now as well, so will try to track down a system to check it.

I will [appreciate|http://www.collegehumor.com/picture:1895754] you if you can login into your system.

Alternatively i can get the access key of FGRWSF10 and put halt for line 138 with condition if 1 = 2

Cheers,

Amit.

0 Kudos

> Strange thing for me is that why K_REPO_CCA and K_CCA didn't called with end-user's ID, but these are called and checked with my User-ID which has SAP_ALL!!

That would indicate that it is not even reaching these objects to check. It is somthing in the coding or config which is missing for them.

I will try to find someone or a system during coffee break tomorrow who used report writer and is still willing to talk to me, and let you know if I find anything.

As background: Is this a new ECC 6.0 system, or one which was upgraded from x.xx over time?

Also, did you find anything in ST22?

Another possibility (on your side, which we cannot see) is that report trees and groups can be protected by authorization groups (S_PROGRAM). This is not only limited to those which are typical as attributes in the ABAP Editor. Take a look in report RSCSAUTH whether there is some protection to start the generated report ID? (at the start of the program, the tables are mentioned).

Cheers,

Julius

0 Kudos
Is this a new ECC 6.0 system

Yes,

Not Very much new but 9 months old

Don't know what is the need to go through to ST22,i'm not getting any Exception or dump. Iu2019m getting warning message only for authorization. Do i need to see anymore with ST22 apart from Exception or Dump?

And we didn't maintained with RSCSAUTH . But I tried now to check whether there is some protection to start the generated report ID or not, but its not taking any selection. But will take a closer look on report.

Thanks a lot for your time Julius.

Please let me know if you found any.

Cheers,

Amit.

0 Kudos

Hi Amit,

Okay, ignore the ST22 suggestion then. I thought perhaps something was dumping in the background.

It looks as if this message is used to just warn you that for some reason (expected to be authority) the output will now contain all data which your selection criteria requested.

You can just accept the warning by hitting "Enter".

To test it, enter the single values of the Cost Center groups and Statistical Key Figure groups which the user does have to eliminate the discrepency between the selection screen and available data.

Does the message go away then?

Cheers,

Julius

0 Kudos

Hi Julius,

Yes, the message is just tend to warn us, But unfortunately after "enter" no data been selected,nothing fetched. I tried all possible combination already, no Luck.

What i was thinking as i said in my earlier posting :

"ST01 analysis indicates :K_REPO_CCA and K_CCA didn't called with end-user's ID, but these are called and checked with my User-ID " Although these both Objects i already assigned to our Role of FI reporting which is Z_ROLE_FI and i assigned the role Z_ROLE_FI to Them(end Users).But still both Auth Objects not getting checked or trigger with their userid!!

So is there any possibility, are these objects getting checked with another Role except Z_ROLE_FI?

If yes than how can i know from which Role these are getting trigger?

So that we can assign that particular role to users also.

Thanks for Your Time Again.

Cheers,

Amit.

0 Kudos

If the warning message that not all possible data selected is infact deleting the selection, then I think you should open a customer message with SAP becasue it does not sound right. You would be forced to give full authority...

If the user is infact missing authority, then to find your options regarding another possible role to add, use transaction SUIM => Roles by complex selection criteria. But you would need to know which authorization objects with values you are looking for, and as the trace does not reach these 2 objects, you don't really know.

Another possibility (which has explained strange behaviour here in the past) is that there is a check table with user lists in it somewhere, or some other mechanism quivalent to a sy-uname check?

Cheers,

Julius

0 Kudos

>

> Another possibility (which has explained strange behaviour here in the past) is that there is a check table with user lists in it somewhere, or some other mechanism quivalent to a sy-uname check?

Hi Julius,

Yes, thats the exact reason was .

The Custom Code which was written in some Exit,and that piece of code was getting triggered behind the Report-writer, before a way back some other programmer done the code in Exit. After numourous debugging fortunately i got my Eye on the piece of code which was really unnecessary.

Thanks a lot for your help.

Cheers,

Amit.

0 Kudos

Real pity that one. Should have thought of it earlier though.

So did you add the ID to the table, or did you make the original developer wash the dishes?

Cheers,

Julius

0 Kudos

Hi Julius,

No, There were no Custom table for checking the User-id and put the user-id in .

Should have thought of it earlier though.

True, But I didnu2019t get enough time to dig in since last one week. Yesterday before going tto bed i thought i should debug and look for the exit for report-writer. Soon i found my eye on exit there that piece of code were well placed

Actually they were checking the Auth (SAP_ALL) and based on that they were processing the further flow of report.

So i removed this specific piece of code and moved on....

Cheers,

Amit.

0 Kudos

Ah yes... that is the famous self-inflicted concept where basis, developers and super-users cannot work without SAP_ALL

ps: What I meant is that I should have thought of it earlier, because I regularly scan for sy-uname constructs when doing code reviews and find it often enough.

I will add this to our "sticky thread" for others to learn from as well.

Cheers,

Julius

0 Kudos

>

> Ah yes... that is the famous self-inflicted concept where basis, developers and super-users cannot work without SAP_ALL

Well said.

Also, That is what happen when no documentation maintained specially for Exit and customer enhancements

Cheers,

Amit.