Question:
Hi,
As you know many time su53 shows irrelevant authorisation objects. For example, if a user needs to run ME22n, it show s_develop missing some authorisations. If you don't assign it, it won't pass to show the real ME object which is missing. After you assign the ME object and deleted the s_develop one it works.
Question is why this BC object shows up in the first place? if it is checked, why authorisation eventually ignores it?
Answer:
Working as designed when the user does not follow the instructions. You must enter /nSU53 or /oSU53 when you get the first authorizaton error. If the user hits the help or double clicks on the message at the bottom of the screen other checks are performed.
Answer:
Working as designed when the user does not follow the instructions. You must enter /nSU53 or /oSU53 when you get the first authorizaton error. If the user hits the help or double clicks on the message at the bottom of the screen other checks are performed.
Thanks again John for your always quick reply.
For this case, actually I ran the su53 too, using /nsu53 or /osu53. It is still showing the same thing.
Answer:
Did you read the error message detail first?
Some access is toggle switch and you will have to encounter these to get to the real error. It is a FEATURE in SAP.
Answer:
Did you read the error message detail first?
Some access is toggle switch and you will have to encounter these to get to the real error. It is a FEATURE in SAP.
error message details?-- double click on the error message?
Answer:
Yes, error message detail . When you encounter an authorization error SAP will send a message tot eh screed at the bottom left corner. If you click on this to "expand" the message you will encounter a S_DEVELOP check. If the Error message is a pop-up and you press the "help" button then you encounter a S_DEVELOP.
If neitehr are the case, SAP has some Toggle switch checks that do not stop the code but change the GUI or other option on the screen.
Answer:
no John, we did not click on anything else after getting the error and before running /nsu53.
Same cases have been happening for other transactions as well, it looks like very common. for example, sometimes it needs sm02.
Answer:
I think this has to do with how the ABAP code is written.
As I understand it SU53 holds the details of the last failed authority-check.
But a failed authority check (i.e. an AUTHORITY-CHECK statement returning an SY_SUBRC value <> 0) does not automatically mean that the user sees an error message.
Usually in SAP standard code the authority-check is followed by an explicit MESSAGE statement, but this is not always the case.
I've seen a few cases where the system does not issue a message after a failed authority-check, but instead it diverts into a different branch of an IF.
E.g.
Usually you would find
...
AUTHORITY-CHECK on S_PROGRAM with P_ACTION=submit ...
if sy-subrc ne 0.
message e... . "you are not authorized to ...
endif.
...
In this case the SU53 would be correct, indicating the user needs S_PROGRAM with submit rights.
But you there also cases where the system does something like this:
...
AUTHORITY-CHECK on S_PROGRAM with P_ACTION=submit ...
if sy-subrc ne 0.
AUTHORITY-CHECK on S_PROGRAM with P_ACTION=variant ...
if sy-subrc ne 0.
message e... . "you are not authorized to ...
endif.
endif.
...
In this case the system will first check if the user has the rights to submit the program. If not, it will check if the user has 'variant' rights for it (don't ask me why, but it did...).
If not, it will output an error message.
SU53 will now say that the user needs VARIANT instead of SUBMIT.
Cheers,
K .