https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334472#M1538642 <HTML><HEAD></HEAD><BODY><P>Hi Laurent</P><P></P><P>I know how you feel <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Don't rely too heavily on an SU53 (especially an S_* object/FDKUSER/others I can't remember - it only shows the last failure and may not be relevant to the tcode you are working on, try also running ST01 just in case/if you don't trust the SU53.</P><P></P><P>Cheers</P><P>David</P></BODY></HTML> Tue, 02 Nov 2010 18:49:55 GMT Former Member 2010-11-02T18:49:55Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334471#M1538641 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I was thinking I have understood for a long time authorization checks. But no.</P><P>So Here's my question.</P><P></P><P>When I ahd a transaction in PFCG menu, PFCG gets the authorization objects to maintain automatically (from SU24 checks). OK.</P><P></P><P>When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?</P><P></P><P>i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain =&gt; OK</P><P></P><P>When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.</P><P></P><P>Thx.</P><P>Laurent</P></BODY></HTML> Tue, 02 Nov 2010 17:31:17 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334471#M1538641 Former Member 2010-11-02T17:31:17Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334472#M1538642 <HTML><HEAD></HEAD><BODY><P>Hi Laurent</P><P></P><P>I know how you feel <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Don't rely too heavily on an SU53 (especially an S_* object/FDKUSER/others I can't remember - it only shows the last failure and may not be relevant to the tcode you are working on, try also running ST01 just in case/if you don't trust the SU53.</P><P></P><P>Cheers</P><P>David</P></BODY></HTML> Tue, 02 Nov 2010 18:49:55 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334472#M1538642 Former Member 2010-11-02T18:49:55Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334473#M1538643 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><PRE><CODE><P></P><P>&gt; When testing the role in ECC : : error. SU53 qays that authorization objects are missing. How the tests are working regarding SU53 and PFCG ?</P><P></P></CODE></PRE><P></P><P>The auth checks performed are dependent on lots of things: system config, functional config, master data setup, use of the transaction.</P><P>The config in SU24 can't cater for all of those options so SAP gives us the ability to make them more accurate for our particular situations.</P><P></P><PRE><CODE><P></P><P>&gt; i.e tcode_de = MDBT in PFCG, PFCG gets M_MTDI_ORG object to maintain =&gt; OK</P><P>&gt; </P><P>&gt; When testing my role, SU53 says that other objects is missing, i.e S_ADMI_FCD. I don't understand because this object is checked with 'NO' in ECC.</P><P></P></CODE></PRE><P></P><P>You can't deactivate a check on an S_ or P_ auth object. These auths are fundamental methods of protecting the SAP application (S_) and personal data (P_)</P><P></P><P>As David says, the SU53 only shows the last auth failure and there is often lots of spurious stuff reported that isn't required to allow the transaction to process. In this respect ST01 is more useful as it (usually) shows you all the auth checks being evaluated so you can more easily focus on the important ones.</P></BODY></HTML> Tue, 02 Nov 2010 19:12:25 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334473#M1538643 Former Member 2010-11-02T19:12:25Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334474#M1538644 <HTML><HEAD></HEAD><BODY><P>in most of Functional tcode, authority check is done with values in some master tables....</P><P></P><P>so such failures show STRANGE check failure in SU53.......</P><P></P><P>the object may be in no way related to your tcode and adding that object, will also not resolve the issue.....</P><P></P><P>what i do in such cased is debug......... Breakpoint at...... 'Message'</P><P></P><P>regards,</P><P>Surpreet</P></BODY></HTML> Wed, 03 Nov 2010 04:12:19 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334474#M1538644 Former Member 2010-11-03T04:12:19Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334475#M1538645 <HTML><HEAD></HEAD><BODY><P>In such cases, and especially if you are finding it a hard time to go through the program itself and looking for "Authority check" statements, its easier to perform ST01 auth traces against the test user, as pointed out in an earlier reply, and rely on the findings of missing auths on the report produced.</P><P></P><P>If the issue is with an Z-transaction, would advise updating the SU24 entry for that code to reflect the missing auths found.</P></BODY></HTML> Wed, 03 Nov 2010 16:32:09 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-objects-vs-su53-checks/m-p/7334475#M1538645 Former Member 2010-11-03T16:32:09Z