Troubleshooting and Trace in SAP Security

This topic helps you analyze problems that arise in connection with authorizations. Usually, when a user faces any issue in SAP, everyone assumes it is related to authorization and immediately contacts the S&A team to request access.
In this case the S&A team has to work smartly to resolve these types of issues.
You can follow these procedures to find out which authorizations a user requires to carry out a transaction or activity. We can determine authorization failures by using SU53 and ST01.

Using SU53:
1. When a user receives an authorization error, ask the user to enter /nSU53 in the same session.
2. Ask the user to expand all the nodes and forward a screenshot to the S&A team.
3. SU53 clearly shows which T-code, authorization object, authorization field or activity is missing.
4. Based on the missing objects, the S&A team takes the necessary action.

NOTE: We can determine the root cause based on the missing authorization shown in SU53, but it shows only the user's last failed authorization; we can't get all the details.
Ex: if a user tries to access several t-codes and gets authorization errors, SU53 captures only the last failed authorization; it won't show the details for all 3 t-codes.
So to determine all these activities it is better to switch on the trace.
Steps to switch on the trace:
1. Go to ST01.
2. Click on General filters; it navigates to another window. Enter the user ID and click on Continue.
3. Click on Authorization Check.
4. Now switch on the trace.
5. Go to the Analysis tab to view the trace records.
6. Enter the user ID, client, date and time, and click on Execute.
7. You will get all the trace records of the user, with all activities.

Based on the missing authorizations, find the suitable role using SUIM or the AGR* tables.
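
The role lookup in the last step can also be done offline against an export of AGR_1251. The script below is an added example, not part of the original post: it assumes the export has the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and DELETED, and the role names, rows and failed checks in it are constructed sample data.

```python
from collections import defaultdict

# Constructed rows shaped like an AGR_1251 export (role names are made up):
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED)
AGR_1251 = [
    ("Z_AP_CLERK",   "S_TCODE",    "A1", "TCD",   "FB60", "",   ""),
    ("Z_AP_CLERK",   "F_BKPF_BUK", "A2", "ACTVT", "01",   "03", ""),
    ("Z_AP_CLERK",   "F_BKPF_BUK", "A2", "BUKRS", "1000", "",   ""),
    ("Z_AP_DISPLAY", "S_TCODE",    "B1", "TCD",   "FB*",  "",   ""),
    ("Z_AP_DISPLAY", "F_BKPF_BUK", "B2", "ACTVT", "03",   "",   ""),
    ("Z_AP_DISPLAY", "F_BKPF_BUK", "B2", "BUKRS", "*",    "",   ""),
    ("Z_AP_OLD",     "S_TCODE",    "C1", "TCD",   "FB60", "",   "X"),  # deleted entry
]

# Constructed failed checks collected from the ST01 trace: (object, {field: value})
FAILED = [
    ("S_TCODE", {"TCD": "FB60"}),
    ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"}),
]

def value_matches(value, low, high):
    """Match one checked value against a LOW/HIGH entry of the role."""
    if high:                      # range entry, compared as strings
        return low <= value <= high
    if low.endswith("*"):         # full ("*") or prefix ("FB*") wildcard
        return value.startswith(low[:-1])
    return value == low

def index_roles(rows):
    """role -> (object, auth) -> field -> [(low, high)], skipping deleted rows."""
    idx = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for role, obj, auth, field, low, high, deleted in rows:
        if not deleted:
            idx[role][(obj, auth)][field].append((low, high))
    return idx

def role_passes(auths, obj, wanted):
    """Every checked field must match inside ONE authorization of the object."""
    return any(
        all(any(value_matches(v, lo, hi) for lo, hi in fields.get(f, []))
            for f, v in wanted.items())
        for (o, _), fields in auths.items() if o == obj
    )

def candidate_roles(failed, rows):
    """Roles that would satisfy every failed check from the trace."""
    return sorted(role for role, auths in index_roles(rows).items()
                  if all(role_passes(auths, o, w) for o, w in failed))
```

When more than one role comes back, compare what else each role grants before assigning it, since the match only proves the role covers the failed checks.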
