12-18-2006 8:13 AM
Hi,
When SU53 is assigned to user X, SAP Admin can see SU53 log of user X also. But when SU53 authorization of X is removed, it's not possible to watch SU53 log of X. Can anyone tell me the reason behind?
Thank you.
Prasad
12-18-2006 8:21 AM
With or without authorizations for SU53, the admin will only see the <b>last</b> failed authority check prior to the user also running SU53.
This is why the admin cannot see the <b>new</b> last failed authority check when the user cannot run SU53.
12-18-2006 8:21 AM
With or without authorizations for SU53, the admin will only see the <b>last</b> failed authority check prior to the user also running SU53.
This is why the admin cannot see the <b>new</b> last failed authority check when the user cannot run SU53.
12-18-2006 8:28 AM
Thanks,
It means user must have SU53. But admin has all authorizations(SAP_ALL), then why is the restriction imposed on user to have SU53 authorization?
Thanks
Prasad
12-18-2006 8:37 AM
Hi Prasad
In fact you can deactivate the authorization check for SU53 (And SU56) with the system parameter auth/tcodes_not_checked.
You set this parameters in you default or instance profile using RZ10 (it requires a restart of your SAP system to take effect).
Regards
Morten Nielsen
12-18-2006 8:54 AM
Hi Prasad,
SAP does not care whether the admin has SAP_ALL or not. It cares whether the user can load the table (USR07) with the data of the last failed auth check. If the user does not run SU53, the data is not loaded. It simply is not there.
>> why is the restriction imposed on user to have SU53 authorization?
SU53 is a "troubleshooting" transaction, but also a "trouble-causer" (it is often misinterpreted because the <b>last</b> failed auth check is not necessarily the one which caused the user from being prevented from doing something) and a "trouble-maker" (by provoking the system into telling them what they fail on, they can find out all the authorizations which they do have...)
For "trouble-shooting" I would give it to them on a temporary basis. There are many different ways of doing that.
Cheers,
Julius
12-18-2006 9:46 AM
Thanks !!!
Where is the data get loaded from in USR07?
Is there any way to see last authorization check of user not having SU53?
Thanks,
Prasad
12-18-2006 9:58 AM
Hi Prasad
The data is loaded into USR07 by SU53 - So no SU53 - No data in USR07.
Of course there's always the possibility of activating the authorization trace in ST01 - however I would advice strongly against this option (Performance etc)! - So you really don't have any other options than to use SU53.
Regards
Morten Nielsen
12-18-2006 10:10 AM
The data (whatever it is at that point in time for the user) is loaded from the system's memory. That memory is held within the context of the user ID.
* Get result of last authorization check
GET PARAMETER ID 'XU1' FIELD usr07key. "#EC EXISTS
GET PARAMETER ID 'XU2' FIELD usr07val1. "#EC EXISTS
GET PARAMETER ID 'XU7' FIELD usr07val2. "#EC EXISTS
So it "belongs" to that user until they run SU53 to make it available to the admin.
Running another user's SU53 for them would require that you know <b>when</b> to run it and <b>how</b> to run it under their ID... If you find a new way of doing this, you should report it to SAP
Cheers,
Julius
12-18-2006 10:11 AM
Hi Morten,
When I tried with SU53, I found that when user do not have SU53 and authorization check fails, data get saved somewhere(Which I want to know). I observed table USR07 also and when SU53 is reassigned to user data get loaded in USR07(It shows <b>latest</b> authorization check failure). That means, data in USR07 is not updated untill and unless user perform SU53.
So where is the authorization check failure data saved for period when user is not having SU53?
Thanks,
Prasad
12-18-2006 10:17 AM
<b>SU53</b> always only shows the <u>latest</u> authorization check failure - and it requires the <u>user</u> to take action.
<b>ST01</b> allows to analyse authorization checks (<u>all</u> failed <u>and</u> successful ones) by tracing. Notice: ST01 works server instance specific; you'll have to run it once per server instance to obtain a system-wide trace result.
Regards, Wolfgang
12-18-2006 10:39 AM