topic Re: Roles - Authorization Issue in Application Development and Automation Discussions

Roles - Authorization Issue

Former Member — Fri, 14 Sep 2007 09:27:14 GMT

Hi ,

I have some set of roles. I assigned those set of roles to an user for his QA and production access. In QA he is able to do but with the same set of roles in production he is not able to do. In QA system he is able to perform rehiring action through PA40 but in production he is not able to do so.

Please through some light why system is behaving like this and more over our QA system is a recent refresh of production system.

With the same set of roles and some additional roles another user is able to do this but this is user is not able to do?

Thanks and Regards,

Visali.Malepati

Re: Roles - Authorization Issue

Former Member — Fri, 14 Sep 2007 11:17:40 GMT

What does SU53 say ?

Re: Roles - Authorization Issue

former_member74904 — Fri, 14 Sep 2007 12:45:04 GMT

please also check the usergroup parameter (UGR) if QA and PRD values are the same.

Re: Roles - Authorization Issue

Former Member — Fri, 14 Sep 2007 18:36:03 GMT

I would also run PFUD to make sure all users have the current version of the role. Then check the Profile tab and make sure there is no additional profile that is giving access to one user and not the other... like SAP_ALL (Ohh no NOT that one!!!).

Hope that helps.

Regards,

Paul

Re: Roles - Authorization Issue

Former Member — Fri, 14 Sep 2007 20:34:18 GMT

Excellent suggestions from all the replies above. If you still can't figure it out, run a trace ST01. Then research the missing authorization.

Good Luck.

Re: Roles - Authorization Issue

Former Member — Fri, 14 Sep 2007 20:55:27 GMT

Hi,

I would like to suggest you , do role comparison and make sure roles in both the system are same, then try to figure out with SU53 or ST01 trace.

which I am sure will help you. In case you still have doubts , then reply back

Regards

Puneet

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 02:20:18 GMT

Hi Dimitri,

User group parametr is same in UAT and Production that is 25,

UAT is rcent refresh of production.

Thanks and Regards

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 02:21:43 GMT

Hi Paul,

User is not having authorization to use this transaction PFUD in production.

Thanks and Regards.

Visali Malepati.

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 02:23:55 GMT

Hi John,

As mention before user is not authorised to use ST01 in production.

Thanks and Regards

Visali Malepati.

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 02:37:00 GMT

Hi Puneet and Chaitanya,

Reagrding SU53.

It is showing

Authorization level = W

Infotype = 0000

Personnel Area = *

Employee Group = *

Employee Subgroup = *

Subtype = *

Organization Key = *

User is having more than this required in two roles.

1 <b>Z_CC-ESS</b>

Authorization level = *

Infotype = 0000

Personnel Area = JTC* ( We have only with JTC*)

Employee Group = *

Employee Subgroup = *

Subtype = *

Organization Key = ESS ( We have two organization keys one is ESS and other one Prof)

in and in another role ( <b>Z_CC-Prof</b> )

Authorization level = *

Infotype = 0000

Personnel Area = JTC*

Employee Group = *

Employee Subgroup = *

Subtype = *

Organization Key = Prof

Both these roles are assisgend to the user and both roles user compare is done in production.

I read in one thread about Buffer over flow. Do any one have any idea about Buffer over flow. Please throw some light on Buffer overflow.

In SU53 Tcode there is one option under menu tab authorisation values that is Reset user buffer. what is this for?

Thanks and Regards,

Visali Malpeati.

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 06:08:59 GMT

Users will be able to get authorization from First 312 Profiles ( In some verson only 300 Profiles ) assigned to users.

Check the number of profiles that user is having in Production?

If it is Greater then 312 then user will not get the access of that excedding Profiles.

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 06:22:47 GMT

Hi,

By your su53, it is asking

Personnel Area = *

and in your existing two roles u got JTC*

1 Z_CC-ESS

Personnel Area = JTC* ( We have only with JTC*)

in and in another role ( Z_CC-Prof )

Personnel Area = JTC*.

Check this field.

I hope it will work.

Regards

Suresh

Re: Roles - Authorization Issue

Former Member — Mon, 17 Sep 2007 16:45:49 GMT

Visali,

That is a good start "User cannot run ST01". At least you have secured this transaction from the general user population. You will be running ST01 and not the user.

I will read the rest of the thread and reply if your question haven't been answered.

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 05:55:37 GMT

Hi John,

I think we need to run ST01 using users login id right. I am an ABAPer so i seldom use this transaction code. User is not having authorization to use this Transaction.

I would like to know the impact if I do reset user buffer in SU53 in production system. I am afraid will it cause any side effect. Even I raised to OSS message also but no reply.

Thanks and Regards,

Visali.Malepati

Message was edited by:

visali malepati

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 06:00:40 GMT

Hi Sushil,

I checked the user's profiles under profile tab of SU01 screen. Records are not even 30. So is there any other thing that is over riding in production for this user.

Thanks and Regards

Visali Malepati.

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 06:12:26 GMT

The answer is in your Su53

The SAP system requests * for Personnel Area and Organisation Key so pls create role with that wide autorisation and retest.

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 06:22:16 GMT

Hi Auke,

We have personnel Areas starting with "JTC" only and we have only two Organisation Key that is ESS and PROF. Both these ascess are given to the user through two seperate roles and mire over with this same set of roles the user is able to do in QA system and development system.And more over another user is able to perform PA40 with this set of roles even in production. But I am facing problem with this User only.

Thanks and Regards

Visali Malepati

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 06:55:56 GMT

Are you using structural Authorization also in Production System ?

If this is the case it will not show missing authorization in SU53.

Sushil

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 07:04:38 GMT

I suggest to try to create a role with values star and test to see if it solves the issue. As in SU53 it demands the star value.

Re: Roles - Authorization Issue

Former Member — Tue, 18 Sep 2007 07:19:13 GMT

Hi Sushil

If we use structural authorizations then how to get missing authorization.

I strongly believe that there is no missing authorization for that user.It is some where some settings i need to do or need to reset user buffer in SU53 transaction code. Before resetting user buffer, I want to do the impact analysis of that as the problem is in production server. I am afraid if any thing happens, user will make noise. If you have any idea please let me know.

Thanks and Regards

Visali Malepati.