07-29-2009 11:00 AM
Hi everyone,
I wonder if soemone can help.
a user cannot access eforms, and error message is no authorisation
Loos to me its something around P_ASRCONT/S_SERVICE RC=4 auths
and
RFC's HRXSS_SER_GETMEN/HRXSS_SER_INITSE
I dont know what it could be just yet?
its to do with self service.
07-29-2009 11:41 AM
I suggest that you run a trace using ST01 and having a look at the failed auths there. You can then add these in one by one to see what effect they have on the users ability to see the eForm. You should be able to model this in your QA environment to avoid having to push through lots of transports before the issue is fixed.
07-29-2009 11:41 AM
I suggest that you run a trace using ST01 and having a look at the failed auths there. You can then add these in one by one to see what effect they have on the users ability to see the eForm. You should be able to model this in your QA environment to avoid having to push through lots of transports before the issue is fixed.
07-29-2009 1:59 PM
Hi Andy,
I am changing and adding objects and values, but still no luck,
What aret the RFC authorisations I may need?
07-29-2009 2:08 PM
Hi,
It's almost impossible to say what you will need as setup will very much dictate what is needed.
Can we now assume that if you run a trace, all the return codes = 0 and it is still not working?
Does it work if you add S_RFC = * ?
07-29-2009 2:24 PM
Hi Alex,
I have made the authorisation check for RFC ACCESS AS SET TO Full access. and not just EXECUTE.
In OBJECT S_RFC i have added all the values too.
I cannot find any dunps? I switched on ST01, and log into the portal but why isnt the dump registered?
If i can see the DUMP I will be able to add all the objects that are failing.
is there a way in the authorisation I can make it work unlike giving SAP_ALL, but to test it for myself, like giving it all access?
07-29-2009 3:51 PM
Hi Aalex
her ei sthe message
RFC_NO_AUTHORITY
im not sure what this is and what to make work?
07-29-2009 7:16 PM
RFC_NO_AUTHORITY is typically related to the S_RFC authorisations. Are there any batch users/system users involved in the chain who do not have the relevant auths?
If this the the case then I am surprised that it is not being picked up in ST01, do you have more than 1 application server where you might need to activate it for?
07-29-2009 8:20 PM
Hi Alex.
I was told to use ST05 which I will in the morning.
I am not aware of any serviers. Do i need to create a new OBJECT, or must I in the already created object R_RFC just keep adding values? thats all I have been doing? As soon as I give the user SAP_ALL, it works perfectly?
Can I not give SAP_ALL, and in the S_RFC object make it * for everything?
In my ROLE I have the following Alex
AUTHORISATION CHECK FOR RFC ACCESS
(the ACTIVITY is saying ALL ACTIVITIES)
(NAME OF THE RFC TO BE PROTECTED is saying *
(TYPE OF RFC OBJECT TO BE PROTECTED is saying ALL VALUES
There is also
CHECK AT START OF EXTERNAL SERVICES
(PROGRAM TRANSACTION OR FUNCTION
TYPE OF CHECK FLAG AUTHORITY
Im not sure whether i need other OBJECTS?
Many thanks for you help
RFC_NO_AUTHORITY is typically related to the S_RFC authorisations. Are there any batch users/system users involved in the chain who do not have the relevant auths?
If this the the case then I am surprised that it is not being picked up in ST01, do you have more than 1 application server where you might need to activate it for?
07-29-2009 8:22 PM
apologies Alex
you asked
Are there any batch users/system users involved in the chain who do not have the relevant auths?
How can I check this?
what if I want to make them relevant?
is this done in THE ROLE itself?
07-29-2009 9:21 PM
I understand that your question is marked closed, but if SAP_ALL is not to be the solution then I have a small comment:
>eforms
and
>RFC_NO_AUTHORITY
...makes it suspect for me that this is infact the lesser known client side RFC check (object S_ICF) and not it's more common server side cousin (object S_RFC). Also because no function group was mentioned.
Please activate the SM19 audit log using the dynamic profiles for successfull and failed RFC calls. Distribute it to all servers. Then run your "eform" and evaluate the log in SM20/SM20N to find the destination name. My guess is that this is actually a BSP service started via the ICF. Check in transaction SICF for an activated service by the same or similar name.
Then take a look in transaction SM59 at that RFC destination's "Login and Security" tab. Is there an "Authorization Group" value on it?
Maintaining this field in combination with object S_ICF, you can control who can call the RFC connection (invoked by the ABAP statement DESTINATION) and not which function module name or group it should be called via.
Might be worth a try.
Cheers,
Julius
Edited by: Julius Bussche on Jul 29, 2009 10:25 PM
07-29-2009 11:09 PM
Aside from Julius' good information, you will need to speak to your Basis or team to find out if the setup requires any different users. Sometimes this is the case with portalised content and is another thing to check for. If this is the situation then check that the user has the S_RFC auths (and S_ICF it appears) too.
Have you established that it works OK with a really wide access user?
07-30-2009 10:06 AM
Hi Julius,
Many thanks fo ryour good reply.
I would like to do this step by step so I dont make a mistake.
What I have done in SU01 for the user, is I have in the ROLE created a new OBJECT called
AUTHORISATION CHECK FOR ICF.
There are 2 fileds,
INTERNET COMMUNICATION FRAMEWORK
DEST Destination Authorization
PROXY System Proxy Setting
SERVICE Internet Communication Framework Service
The above are all ticked
__________ ____________________________________________________________
INTERNET COMMUNICATION FRAMEWORK
I have put a * for this one.
What else should I had in the S_ICF object?
what will my next step be?
Manually Cross-application Authorization Objects
Manually Authorization Check for ICF Access
Manually Authorization Check for RFC Access
Manually Check at Start of External Services
07-30-2009 11:59 AM
There is not enough information in this to know what is going on on your side.
Is there a service in the ICF and what are the logon data settings for it (or a node higher up in the hierarchy)?
Is there an RFC destination protected by an authorization group?
Have you traced the execution of the eform? What did it say?
Cheers,
Julius
07-31-2009 12:54 PM
Hi Julius,
I did get a trace log surprisngly, and the message was as follows this is from ST22.
Short text
User "louise" has no RFC authorization for function group
What happened?
The user "What happened?
The user "louise" attempted to execute a function module from
the function group "HRASR00_WDA_SET_GET_DATA", but does not have the
appropriate
RFC authorization.
Error in the ABAP Application Program
The current ABAP program "SAPLHRASR00_WDA_SET_GET_DATA" had to be terminated
because it has
come across a statement that unfortunately cannot be executed." attempted to execute a function module from
the function group "HRASR00_WDA_SET_GET_DATA", but does not have the
appropriate
RFC authorization.
Error in the ABAP Application Program
What can you do?
The user "louise" has no RFC authorization for the function gr
"HRASR00_WDA_SET_GET_DATA". Please contact your system administ
you
the RFC authorization for the required function groups (such as
"HRASR00_WDA_SET_GET_DATA").
The RFC authorization object is S_RFC.
If the problem persists, proceed as follows:
Note down which actions and inputs caused the error.
To process the problem further, contact you SAP system
administrator.
Using Transaction ST22 for ABAP Dump Analysis, you can look
at and manage termination messages, and you can also
keep them for a long time.
I have created an ICF object, and checked all items, and added a "CHECK" to the ICF VALUE.
and I have gone into SM59, and in the ABAP CONNECTION, under the system and under LOGON and SECURITY i have typed in there "CHECK"
But i cannot make it still work?
I am desparate to make this work, I feel with your help I am almost there, and learning alot from this.
what else could it be, or can you advice me?
07-31-2009 3:18 PM
Everything in that error message points towards the user having insufficient S_RFC authorisations.
In addition to the full S_RFC access (where you have * for the function groups), try giving a separate instance of the object with the actual value in the short dump. There are some situations (though I have not seen it in S_RFC) where * is evaluated a * character rather than the wildcard.
08-02-2009 8:49 PM
So it is a Web Dynpro ABAP application...
Without knowing what's going on there and your config, I would recommend external debugging if this is a test environment.
If it is in PROD, then consider opening a SAP customer¨message, however it might be faulty config which is not really software support necessarily...
Cheers,
Julius
08-03-2009 9:14 AM
Hi Alex,
what do you mean by saying.............
*try giving a separate instance of the object with the actual value in the short dump. There are some situations (though I have not seen it in S_RFC) where * is evaluated a * character rather than the wildcard.*
08-03-2009 10:15 AM
Sometimes * values are read as the character "*". It is not often the case, but if you have already given full S_RFC auths to the user then it is a possibility.
What you could do is add another instance of the object to a temporary role for the user containing activity 16, RFC Type = FUGR and RFC name = HRASR00_WDA_SET_GET_DATA to see if this dump still occurs when you provide the exact authorisation it is requesting.
I think I asked earlier but don't recall you providing the info, does this work when you run it with a user with very wide authorisations (e.g. SAP_ALL in your non-production system)?
08-03-2009 10:32 AM
Hi Alex,
let me try this.
answrering your earlier question, apologies if I never, but if I give SAP_ALL, than everything works perfectly and all my forms are loaded, as soon aS i TAKE OFF SAP_ALL, than it falls over again?
Edited by: Julius Bussche on Aug 3, 2009 11:34 AM
Sentence completed..
08-03-2009 12:26 PM
Hi Alex,
so it could never be anything to do with setting in SM59 or in SICF, as as soon as i give SAP_ALL to the user it all works?
I surely must be missing some kind of authorisation OBJECTS, these are the ones I have currently in the S_RFC( ACTVT) is EXECUTE. and S_RFC( RFC NAME) is showing the following OBJECTS..............
HRASR00_WDA_SET_GET_DATA
HRHAP_UI_DOCUMENT_PORTAL
HRWPC_OADP_UI
HRXSSCE
HRXSS_SER_AUTHORITHY_CHECK
HRXSS_SER_MENUCONFIG
SFW_COMMON
SWRC
SYST
HRMSS_ADDTL_SERVICES
HRMSS_EMPLOYEEPROFILE
HRMSS_PROFILEMATCHUP
HRMSS_UTIL_PROFILES
HRSSC00TRACKING
and within S_ICF, i have for the field ICF_FIELD, all values or for the specific values for
DEST Destination Authorization
PROXY System Proxy Setting
SERVICE Internet Communication Framework Service
for the ICF_VALUE its set as "*" or just a * without any other symbols.
thanks
08-03-2009 12:39 PM
OK, thanks for confirming that it works with SAP_ALL.
There are 2 things I would suggest doing:
1. With a wide access userID, run the process with an auth trace activated (ST01). Reconcile the list of object values checked in there against what the user has (you could use SU56).
This give you a known good user and the trace will pick up all auth checks performed on that user. You can then merge the differences into your user who is having an error.
2. To speed things up, you could assign S_RFC to your user where RFC_NAME = * to see if this gets past the problem. If it does then we will know that it is that particular object causing the problem.
08-03-2009 12:54 PM
Dear Alex,
I see what you mean, correct me if im wrong.
You wnat me to do the following....
The user which has SAP_ALL, I run transaction SU56 and see what objects he has got, and than I enter those objects to the user whom is having the problems?
I think that may be better option for me?
08-03-2009 1:35 PM
What you should do is
1. log in with SAP_ALL user
2. Switch on authorisation trace
3. Process the eform
4. Stop the trace
5. Compare the objects & values in the trace file against the user who is having the problem. You can use SU56 to easily see what auth objects and values the problem user is having.
Is that more clear?
08-03-2009 2:08 PM
Hi Koser,
I am gaining the impression that this is not anything real on your side with real details, possible even a real system and eform... but rather a learning excersize?
Am I correct?
Cheers,
Julius
08-03-2009 2:29 PM
Dear Julius,
This is a development issue im having and not a learning excercise which your indicating
goodbye
thanks
08-03-2009 2:56 PM
thanks Alex,
I shall undertake this and see what happens, i think I may have done it, but will test later,
08-03-2009 7:20 PM
Alex,
Job done! many many thanks, its was the SM59 that did it, by checking all the objects.
I appreciate your help here.
thanks for answering those questions,
10 points to you!
08-03-2009 7:46 PM
Ahh, I should have seen that. Missed it completely...
You just saved the object field in the missing value and then generated the SM59 authorization back again so that the function group synced itself with the eForm.
Cool. Thanks for sharing...
Cheers,
Julius
12-23-2009 3:45 PM
Can I ask where you got this list?
HRASR00_WDA_SET_GET_DATA
HRHAP_UI_DOCUMENT_PORTAL
HRWPC_OADP_UI
HRXSSCE
HRXSS_SER_AUTHORITHY_CHECK
HRXSS_SER_MENUCONFIG
SFW_COMMON
SWRC
SYST
HRMSS_ADDTL_SERVICES
HRMSS_EMPLOYEEPROFILE
HRMSS_PROFILEMATCHUP
HRMSS_UTIL_PROFILES
HRSSC00TRACKING
I have turned on rfc_authority_check=1 and everytime I fix one of the above another dumps. looking for another entry from your list. Thanks