Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorizations for Tcode Execution

Former Member

‎04-03-2007 4:21 AM

0 Kudos

Hi.

I understand that users assigned a particular Tcode eg. PFCG might not be able to execute this Tcode if he is not assigned the corresponding Authorization object and related activity field values for the PFCG transaction to work.

One tedious method of verifying that the user does indeed have authorization is to require the user to login and execute the transaction PFCG itself.

Is there a faster way for the Administrator to check if the end-users does have the relevant authorizations/authorization_objects to support the execution of a tcode PFCG? This applies to all other tcodes.

Thank you very much.

7 REPLIES 7

Former Member

‎04-03-2007 5:58 AM

0 Kudos

Hi,

Login to the system and run transaction PFCG.

Go to su53 and see the object which is missing.

Add the Auth. object and it should work.

Regards and reward with points if suitable you can give max of 10 points.

Mantosh

Former Member

‎04-03-2007 6:40 AM

0 Kudos

Hi Chong,

When ever a tcode is added in PFCG, it brings up the authorizations that are check and maintained in SU24. And every user would be given access to SU53. So if the user is not able to run transaction, Ask user to run transaction SU53 immedeatly which will catch the Authorization object that is missing. Than the object should be fixed.

If the problem is not fixed with SU53, than you should trace the transaction using ST01.

To learn more about SU53 and ST01, please visit:

http://www.sapsecurityonline.com/tutorials/authorization_analysis.htm

Hope it helps.

Please award points if it is useful.

Thanks & Regards,

Santosh

Former Member

‎04-03-2007 6:58 AM

0 Kudos

Hi,

One of the ways to find out is the Tcode SUIM. This gives you a wide range of cross checking functionalities for exam

Users authorized for a Tcode

Tcodes for a user

Roles containing a Tcode and many more.

Explore the different permutaions available under this tcode yourself and you will enjoy that.

Pl dont forget to award points.

Regards

Former Member
In response to Former Member

‎04-03-2007 7:09 AM

0 Kudos

Hi.

Thank you for the suggestions.

The administrator would need to know which authorization objects must be assigned to the user in order for the corresponding T_Code to execute successfully.

Is there a Tcode that can help us find out which authorization objects must be assigned to the user in order for the corresponding T_Code to execute successfully?

Thank you very much.

Former Member
In response to Former Member

‎04-03-2007 7:32 AM

0 Kudos

Hi,

Normally while creating roles authorizatin objects are not assigned individually to make a tcode work. Rather the tcode is assigned to the role which in turn assigns the corresponding authorization objects automatically. For this create a role in PFCG go to MENU tab click on TRANSACTION tab and it will let u add the tcodes. This will automatically assign the underlying authorization objects .

In some circumstances if u need to know which authorization objects are checked by a certain tcode go to SE11 . Open the table USOBT. Give the Tcode name and it will show the authorization objects.

In some cases it may happen some authorization may fail. If a tcode fails and throws a msg "Missing authorization" immediately run tcode /nSU53. This will show which autho obj is missing. So while creating roles we assign tc ode SU53 tcode to all roles.

Hope this clarifies your querry.

Apart from these explore two more tcodes su21 and su24.

Pl encourage by awarding suitable points.

Regards

Former Member
In response to Former Member

‎04-03-2007 9:57 AM

0 Kudos

Hi Chong,

SAP delivers the tables USOBX and USOBT.

Table USOBX defines which authorization checks are to be performed within a

transaction and which not. This table also determines which authorization checks are maintained in the Profile Generator.

Table USOBT defines for each transaction and for each authorization object which

default values an authorization created from the authorization object should have

in the Profile Generator.

The tables are maintained in transaction <b>SU24</b>. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. Any object with CM(Check/Maintain) status will be pulled into PFCG when you add a transaction.

To check this:

Enter transaction SU24-->Enter any transaction which you want to check in "Transaction Code"->execute->Display check indicator-->Display field values.

This would show you the authorzation objects along with there field values which will be pulled into a role when you add a transaction.

Hope it helps.

Please award points if it is useful.

Thanks & Regards,

Santosh

Former Member
In response to Former Member

‎04-03-2007 11:56 AM

0 Kudos

> Is there a Tcode that can help us find out which

> authorization objects must be assigned to the user in

> order for the corresponding T_Code to execute

> successfully?

The easiest way to find this is if you follow the instructions on using ST01 that Santosh provided. The information provided in SU24/USOB* is only partially correct as the path that the authorisation check follows depends to some extent on your use of the transaction and associated configuration.

When using ST01, you also need to keep in mind that the trace reveals the objects that have been checked, which is sometimes a bit more than what the transaction needs to complete.