SAP Data Analytics
Trace after missing permissions
Delete invalid SU24 Checkmarks: This function deletes all records that contain an unknown value as a check mark. This is either C (Check) or N (Do Not Check).
In the SU53 you get the entry of the user that is stored there, and this may be old. So it is better to let the user himself display the authorization error via the menu. Maybe you create a small docu for all your users how to display the error and where to send it, so a "Cooking Recipe: How To...". In the SU53 error excerpt, the first thing that is displayed is the authorization that the user is missing. So this object has to be analyzed. In the further part of the error message, the permissions assigned to the user are displayed. This information can be used to classify the user with his role set, where he belongs etc. Finally, in our case 1, we now have the missing authorization and must now clarify whether the user should receive this authorization or not. In addition the specialist department must be contacted, which has to decide whether the user receives the permission! It can happen that the problem reported by the user is not an authorization problem at all. Then the last authorization error is displayed in the SU53 area, which is not the cause of the error at all. Therefore, it is always good to have a screen image of the actual error message sent to you as well. It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.
Identify Executable Transaction Codes
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.
SAP authorizations are a security-critical and thus an immensely important topic in companies. They are used not only to control the access options of users in the SAP system, but also the external and internal security of company data depends directly on the authorizations set.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Since the organisational criteria are found in several tables, this eligibility check need not be bound to specific tables and can be defined across tables.