SAP Security: Troubleshooting Authorization Errors

SAP Security: Troubleshooting SAP Authorization Errors

SAP provides two main tools for troubleshooting and analyzing authorization errors: the system trace (ST01) and authorization error analysis (SU53). These are the two tools most frequently used to diagnose authorization errors.

System Trace (ST01):

Transaction code ST01 runs the system trace, which records the authorization checks performed for users. The trace runs on the application server where the user executes the transaction, so the trace and the transaction being traced must be on the same application server. The system trace records every authorization object, along with its fields and field values.

To use the system trace, go to Tools --> Administration --> Monitoring --> Trace --> System Trace, or execute transaction ST01.

Select the Authorization check box under the Trace Components to record the security authorizations.


The security trace can be filtered for a particular user. Click General Filters and enter the user ID that requires the security trace. The trace then records only the authorizations for that user.


Once the security trace is done, the trace needs to be analyzed. Click the Analysis tab in transaction ST01. The screen below appears. Click the execute icon to see the details of the security trace.


Below is the detailed sample output of the system security trace.



Authorization error analysis (SU53):

This is another function provided by SAP for analyzing authorization errors, run with transaction code SU53. It displays only the most recent failed authorization checks.

SU53 compares the user's authorizations with the user buffer. The user buffer contains all the authorizations assigned to the user and is loaded when the user logs on to the system. Transaction code SU56 displays the user buffer. It shows all the transaction codes assigned to the user master record.
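The comparison between a requested check and the user buffer can be modeled in a few lines. The following Python sketch is an added example, not SAP code or code from the original post: it is a simplified model in which a check passes only if a single authorization in the buffer covers every checked field. The return codes 0, 4 and 12 are the standard AUTHORITY-CHECK values (not stated on this page), and the user buffer and checks are constructed sample data.

```python
# Added example: simplified model of an authorization check against the user buffer.
RC_OK, RC_VALUES_MISSING, RC_NO_OBJECT = 0, 4, 12  # AUTHORITY-CHECK return codes

def value_matches(granted, required):
    """granted: exact value, pattern ending in '*', or a (low, high) range."""
    if isinstance(granted, tuple):
        return granted[0] <= required <= granted[1]
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def evaluate_check(user_buffer, obj, required):
    """Return (rc, failing_fields) for one check.

    All checked fields must match inside ONE authorization; values from
    different authorizations for the same object are never combined.
    """
    auths = [fields for name, fields in user_buffer if name == obj]
    if not auths:
        return RC_NO_OBJECT, dict(required)
    closest = None
    for fields in auths:
        failing = {f: v for f, v in required.items()
                   if not any(value_matches(g, v) for g in fields.get(f, []))}
        if not failing:
            return RC_OK, {}
        if closest is None or len(failing) < len(closest):
            closest = failing
    return RC_VALUES_MISSING, closest

# Constructed sample user buffer: (authorization object, {field: granted values}).
USER_BUFFER = [
    ("S_TCODE", {"TCD": ["SU53", "FB0*"]}),
    ("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["03"]}),
    ("F_BKPF_BUK", {"BUKRS": [("2000", "2999")], "ACTVT": ["01", "02", "03"]}),
]
# Constructed checks, in the order a traced transaction might request them.
CHECKS = [
    ("S_TCODE", {"TCD": "FB02"}),
    ("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "02"}),
    ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "03"}),
]

def run_trace(user_buffer, checks):
    """Evaluate every check and return the trace rows plus the last failure."""
    rows = [(obj, req, *evaluate_check(user_buffer, obj, req)) for obj, req in checks]
    failed = [r for r in rows if r[2] != RC_OK]
    return rows, (failed[-1] if failed else None)

if __name__ == "__main__":
    rows, last_failed = run_trace(USER_BUFFER, CHECKS)
    for obj, req, rc, failing in rows:
        print(f"{obj:<12} {req} RC={rc} missing={failing}")
    print("last failed check:", last_failed)
```

The second check fails with return code 4 even though the user holds activity 02 in another authorization for the same object, because that authorization covers a different company code range.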

The user has to execute /nSU53 immediately after getting the authorization error and send the result to the user administrator for analysis. Below is a sample screenshot of SU53.


Watch the demo video below on how to take a system trace using ST01.



