Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SU53 Authorization

Go to solution
Former Member

‎12-18-2006 8:13 AM

0 Kudos

Hi,

When SU53 is assigned to user X, SAP Admin can see SU53 log of user X also. But when SU53 authorization of X is removed, it's not possible to watch SU53 log of X. Can anyone tell me the reason behind?

Thank you.

Prasad

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎12-18-2006 8:21 AM

0 Kudos

With or without authorizations for SU53, the admin will only see the <b>last</b> failed authority check prior to the user also running SU53.

This is why the admin cannot see the <b>new</b> last failed authority check when the user cannot run SU53.

10 REPLIES 10

Go to solution
Former Member

‎12-18-2006 8:21 AM

0 Kudos

With or without authorizations for SU53, the admin will only see the <b>last</b> failed authority check prior to the user also running SU53.

This is why the admin cannot see the <b>new</b> last failed authority check when the user cannot run SU53.

Go to solution
Former Member

‎12-18-2006 8:28 AM

0 Kudos

Thanks,

It means user must have SU53. But admin has all authorizations(SAP_ALL), then why is the restriction imposed on user to have SU53 authorization?

Thanks

Prasad

Go to solution
morten_nielsen
Active Contributor
In response to Former Member

‎12-18-2006 8:37 AM

0 Kudos

Hi Prasad

In fact you can deactivate the authorization check for SU53 (And SU56) with the system parameter auth/tcodes_not_checked.

You set this parameters in you default or instance profile using RZ10 (it requires a restart of your SAP system to take effect).

Regards

Morten Nielsen

Go to solution
Former Member
In response to Former Member

‎12-18-2006 8:54 AM

0 Kudos

Hi Prasad,

SAP does not care whether the admin has SAP_ALL or not. It cares whether the user can load the table (USR07) with the data of the last failed auth check. If the user does not run SU53, the data is not loaded. It simply is not there.

>> why is the restriction imposed on user to have SU53 authorization?

SU53 is a "troubleshooting" transaction, but also a "trouble-causer" (it is often misinterpreted because the <b>last</b> failed auth check is not necessarily the one which caused the user from being prevented from doing something) and a "trouble-maker" (by provoking the system into telling them what they fail on, they can find out all the authorizations which they do have...)

For "trouble-shooting" I would give it to them on a temporary basis. There are many different ways of doing that.

Cheers,

Julius

Go to solution
Former Member

‎12-18-2006 9:46 AM

0 Kudos

Thanks !!!

Where is the data get loaded from in USR07?

Is there any way to see last authorization check of user not having SU53?

Thanks,

Prasad

Go to solution
morten_nielsen
Active Contributor
In response to Former Member

‎12-18-2006 9:58 AM

0 Kudos

Hi Prasad

The data is loaded into USR07 by SU53 - So no SU53 - No data in USR07.

Of course there's always the possibility of activating the authorization trace in ST01 - however I would advice strongly against this option (Performance etc)! - So you really don't have any other options than to use SU53.

Regards

Morten Nielsen

Go to solution
Former Member
In response to Former Member

‎12-18-2006 10:10 AM

0 Kudos

The data (whatever it is at that point in time for the user) is loaded from the system's memory. That memory is held within the context of the user ID.

* Get result of last authorization check
  GET PARAMETER ID 'XU1' FIELD usr07key.                    "#EC EXISTS
  GET PARAMETER ID 'XU2' FIELD usr07val1.                   "#EC EXISTS
  GET PARAMETER ID 'XU7' FIELD usr07val2.                   "#EC EXISTS

So it "belongs" to that user until they run SU53 to make it available to the admin.

Running another user's SU53 for them would require that you know <b>when</b> to run it and <b>how</b> to run it under their ID... If you find a new way of doing this, you should report it to SAP

Cheers,

Julius

Go to solution
Former Member

‎12-18-2006 10:11 AM

0 Kudos

Hi Morten,

When I tried with SU53, I found that when user do not have SU53 and authorization check fails, data get saved somewhere(Which I want to know). I observed table USR07 also and when SU53 is reassigned to user data get loaded in USR07(It shows <b>latest</b> authorization check failure). That means, data in USR07 is not updated untill and unless user perform SU53.

So where is the authorization check failure data saved for period when user is not having SU53?

Thanks,

Prasad

Go to solution
WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
In response to Former Member

‎12-18-2006 10:17 AM

0 Kudos

<b>SU53</b> always only shows the <u>latest</u> authorization check failure - and it requires the <u>user</u> to take action.

<b>ST01</b> allows to analyse authorization checks (<u>all</u> failed <u>and</u> successful ones) by tracing. Notice: ST01 works server instance specific; you'll have to run it once per server instance to obtain a system-wide trace result.

Regards, Wolfgang

Go to solution
Former Member

‎12-18-2006 10:39 AM

0 Kudos

Thanks Julius,

I got the answer.

Thanks to all for help.

Thanks,

Prasad