Authorization Issue in SM50

niteshgupta87 · ‎04-30-2015

Hi All,

One of our user is facing authorization issue in SM50. He goes to SM50 and tries to open a work process. This is where he gets message "You are not authorized to use function Work Process List".

When I check the trace, I see only missing access for SM04. I checked trace for my own id (with no error) and found that SM04 is not even checked for my id and rest all authorization checked are same for both ids.

I assigned a BASIS role to this user and that resolved the issue. But strange thing is still that user's trace shows SM04 missing. (SM04 is not there in that Basis role).

Now I don't understand what exactly is the missing authorization for this user. Definitely SM04 is not the one and I can't assign this basis role to him. Could any one guide with this issue? Below is the trace for the user in both cases (without Basis role assigned and with this role assigned).

former_member74904 · ‎04-30-2015

Hi Nitesh,

Is that the complete trace for the user that's encountering the issue? It seems that there are not that many entries for the transaction as you describe it.

There have been cases with SM50/51 where a user which does not have the correct values for the S_DATASET object causes a runtime error. Could it be that it's missing from your user?

Good luck!

Dimitri.

niteshgupta87 · ‎05-04-2015

Hi Dimitri,

Yes, thats the complete trace for the user and I don't see any missing authorization for S_DATASET. I can check by adding it once though.

Thanks

Former Member · ‎04-30-2015

Hi Nitesh,

If User will access t-code SM51 and from there if user tries to access user list (User logged in specific server), It will call t-code SM04 internally. So you have to give access to SM04 in that case.

Thanks-

Guru

Former Member · ‎05-02-2015

Hi Nitesh,

Create a Test ID with SAP_ALL and SAP_NEW profiles and perform the required activity while trace is on.

You can then analyze the trace and see objects being pulled specific to your activity.

Assign those to your original role and see if it works.

Thanks & Regards,

V!

niteshgupta87 · ‎05-04-2015

Hi V!,

Actually my id has SAP_ALL and I comparated the user's trace with my trace while doing exactly same activity.

Thanks.

Former Member · ‎05-03-2015

With reasonable certainty you can assume here that the two users are not doing the same thing in SM50. Your behaviour in addition to your authorizations can influence how a transaction behaves.

But SAP definitely did add these authority-checks on SM04 etc to the task handlers in this area. So the request for the authorization is plausible and correct.

Cheers,

Julius

niteshgupta87 · ‎05-04-2015

Hi Julius,

I created a test id with same rights as the user. My id has SAP_ALL assigned. Now I am doing exactly same activity (double click on same work process). But I don't see SM04 access being checked for my id.

Even if I assume that I am doing something different than the user. The thing which is strange to me is: when I assigned a basis role which doesn't have SM04 access, to the test user, I still see the same trace results but this time there is no authorization error. I don't think there are authorization checkes which are not recorded in ST01 trace.

There could be one tiny possibility that SM50 is throwing an error message (authorization error) but its not triggered through failed authorization check, instead based on some other condition. For that I would need to bedug the tcode. But that doesn't seem likely as this is a standard and widely used tcode.

Thanks

Former Member · ‎05-05-2015

Perhaps there is a difference between your own work process and that of a different user? Like it is in SM04 as well when generating / deleting / navigating to your own user context vs. that of another user.

So you need to decide whether the role with this authorization is that of an administrator of the SAP processes of all users (basis) or only their own (end user).

Cheers,

Julius