Solved: You are not authorized to start service...

Former Member · ‎10-02-2013

Hi all,

I'm having an issue in a system right now where I'm getting the following error:

You are not authorized to start service sap.com/ess~rem/PaySlip2

Now, in QA1 system, I have taken away the role that allows me the authorization to view the Pay Statement.

In QA2 system, I am getting the same error, but I have the role assigned to myself, the service has been added in the S_SERVICE object, in fact, the roles between the two systems are identical. When I give myself the role in QA1, my access works.

I have run ST01 in both QA systems. In QA1, the trace shows that I don't have authorization to run the service. In QA2, ST01 is empty. There is absolutely nothing coming through.

Anyone have an issue like this before? Know where to take a peek that I haven't done yet?

Thanks,

Kevin

Former Member · ‎10-02-2013

I place my bets on the SICF definition of the service in QA2 system has a "hardwired" user in the logon and security data which is running the service, and QA1 is using the calling user (that is you).

That would also explain why the trace is empty for you.

ps: Note that SICF is a hierarchy which inherits settings from higher nodes. The setting might also be higher up in the tree... You can use report RSICFCHK to check and compare the settings.

Cheers,

Julius

Former Member · ‎10-02-2013

I place my bets on the SICF definition of the service in QA2 system has a "hardwired" user in the logon and security data which is running the service, and QA1 is using the calling user (that is you).

That would also explain why the trace is empty for you.

ps: Note that SICF is a hierarchy which inherits settings from higher nodes. The setting might also be higher up in the tree... You can use report RSICFCHK to check and compare the settings.

Cheers,

Julius

Former Member · ‎10-02-2013

Hi Julius,

The service that is being called is a WD Java service in the portal, so, there is nothing in SICF that shows that service.

Thanks,

Kevin

Former Member · ‎10-02-2013

Then the setting is in the service on the portal... or are both QA1 and QA2 calling the same service on the same portal?

Temporarily turn the trace on for all users and check which user ID the service is making it's calls to on the backend.

Cheers,

Julius

Former Member · ‎10-02-2013

Hey Julius,

We have separate portals for each environment. I'll turn on the trace and let you know what we find.

Kevin

Former Member · ‎10-02-2013

Little tip: If the call-back on QA1 is with an SSO2 logon ticket issued by the portal and accepted by the backend, then I suspect an authentication error on QA2 (hence no trace at all, otherwise you should at least see the the S_SERVICE failing, which indicates an authorization error.

If you are using logon tickets, then I would like to revise by bet about what the problem is. The message is then actually misleading (that happens sometimes... :-).

Cheers,

Julius

Former Member · ‎11-12-2013

Hey Julius,

Sorry for not posting this sooner...

So the problem we were having had to do with the set up of the JCo Destinations. Where one should have been using SSO, it was hard coded...

Problem solved.

Cheers,

Kevin

Former Member · ‎10-02-2013

Hi Kevin,

I am asking this out of curiosity and it has nothing to do with the issue that you have posted; What is the business reason that you are having two QA systems!

Thank you,

Nagarajan

Former Member · ‎10-03-2013

hi kevin,

can u chk with other pernr ...if it is getting , as u might been missing some authorizations for that service in portal ....and once chk the tracing also ..did it displaying in r3 the payslip for that employee once chk and chk hrforms also ......