‎2008 Jan 09 11:16 PM
Hi guys,
One of the consultants is having an authorization issue (he is not able to run a t-code).
I asked him to run an SU53 report and I am not sure how to proceed with this.
Please help.
Here are the details from the SU53 report.
DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
User : VYXXX profile parameter authorization buffering 4
Authorization Object: F_KNA1_GRP
Description
Authorization check failed:
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Activity 08
Customer Account Group ZM01
Users Authorization Data :
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Authorization T-PD19002300
Authorization T-UG39000900
Authorization T-UG39001000
Please help me, guys, with what needs to be performed.
Regards,
Vamsi.
‎2008 Jan 10 1:04 AM
Hi Vamsi,
-A good start would be to trace the user. Check the entire cycle of the process and see what objects are failing /being checked.
-Check what roles are assigned to the user for this Tcode.
-Analyze the trace and propose a role update accordingly (tricky...can lead to SU24 update, be cautious for this or better..just consult)
-Follow the company process for role updation, e.g. get back to the business team for approval, get someone to test it in a staging/test system.
Just a simple start.... there will be many opinions to follow
-Abhishek
‎2008 Jan 10 1:22 AM
Hi Abhishek,
Thanks for your reply and for your time.
I am unable to understand what you said. Can you please tell me step by step, if possible, with the relevant tcodes?
Your help regarding this would be appreciated.
Kind Regards,
Vamsi.
‎2008 Jan 10 2:23 AM
Hi Vamsi,
SU53 shows us the last failed authorization for a user. However, it might not be the only authorization object that failed.
Hence, "just to learn", you can use transaction ST01 to enable and run a trace for particular users. Be sure to use it in a test environment first, and with proper filters (for a particular user only).
Then check which auth object is failing.
RC=4 means an object value is failing.
RC=12 means an object is missing!
Check which tcode is calling that object and which role this tcode is present in. Then.........proceed.
You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and maybe massaging some test roles here and there!
Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations Made Easy is a good book to start with.
Let me know if you have any questions
EOD for me 😛. Take care
Abhishek
‎2008 Jan 10 1:45 AM
Hi Vamsi,
As you can see from SU53, the following object value is missing:
Description
Authorization check failed:
Authorization object F_KNA1_GRP Customer Account Group Authorization
Activity 08
Customer Account Group ZM01
Add this into the user profile.
-Pinkle
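Added example, not part of any post in this thread: a small Python parser for the SU53 text pasted in the first post. It pulls out the failed check and the authorizations the user already holds for that object, then labels the case with the two ST01 return codes described above (RC=4 for a value mismatch, RC=12 for a missing object). The function names and the shape of the result are assumptions made for this example.

```python
import re

# SU53 text as pasted in the first post of this thread (user ID masked there).
SU53_TEXT = """\
DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
User : VYXXX profile parameter authorization buffering 4
Authorization Object: F_KNA1_GRP
Description
Authorization check failed:
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Activity 08
Customer Account Group ZM01
Users Authorization Data :
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Authorization T-PD19002300
Authorization T-UG39000900
Authorization T-UG39001000
"""
OBJ_RE = re.compile(r"^\+?\s*Authorization object\s+(\S+)")

def parse_su53(text):
    """Return (failed check, authorizations held per object) from SU53 text."""
    failed, held = {"object": None, "values": {}}, {}
    section = current = None          # section is None, "failed" or "held"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authorization check failed"):
            section = "failed"
        elif line.startswith("Users Authorization Data"):
            section = "held"
        elif section and (m := OBJ_RE.match(line)):
            if section == "failed":
                failed["object"] = m.group(1)
            else:
                current = m.group(1)
                held.setdefault(current, [])
        elif section == "failed" and failed["object"] and line:
            field, _, value = line.rpartition(" ")   # last token is the value
            failed["values"][field] = value
        elif section == "held" and current and line.startswith("Authorization "):
            held[current].append(line.split()[1])
    return failed, held

def change_request(failed, held):
    """Summarise the narrowest change: the exact values checked, no wildcard."""
    existing = held.get(failed["object"], [])
    # Object already held but values differ -> RC=4; not held at all -> RC=12.
    case = "RC=4" if existing else "RC=12"
    return {"object": failed["object"], "case": case,
            "add_values": failed["values"], "review_first": existing}

print(change_request(*parse_su53(SU53_TEXT)))
```

For the report in this thread the user already holds three authorizations for F_KNA1_GRP, so the case is a value mismatch, and the summary lists only Activity 08 and Customer Account Group ZM01 as the values to request.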
‎2008 Jan 10 5:13 AM
Hi Vamsi,
Go to the individual profile of the particular consultant in change mode....
Once you enter the role, there you can find the tab - Manually. There you add the object - F_KNA1_GRP.
After you add that object, you can find the open values under FI; there you assign Activity: 08 and Customer Account Group: ZM01.
After that, save and generate.
Hope this helps with your doubt.
Rgds
‎2008 Jan 10 9:44 AM
Hi Vamsi,
In order to troubleshoot the authorization problem, first you have to find out the role which is attached to the consultant, then go to PFCG and open the role which is attached to the consultant, go to change authorization data, add the required object manually in the role, and define all the authorization values which you have noted from the SU53.
Also, you can set the authorization trace via ST01 for the specific user with the filter..share..and define the user. Then you can analyze the required authorization object which is needed to complete the process.
Regards
Anwer Waseem
SAP BASIS
‎2008 Jan 10 10:06 PM
Hi guys,
Many thanks for your effort and now the problem is solved.
My apologies to GADDE: your reply solved my problem, but I mistakenly gave points to Abhishek. I really apologise for that.
Once again, many thanks for your effort, guys.
Hi GADDE, your surname looks familiar to me; are you from Vijayavada?
I am sorry once again.
Kind Regards,
Vamsi.
‎2008 Jan 10 10:14 PM
Hi Vamsi,
Well, thanks for giving me the points. I don't know how to transfer this to Hai, else I would.
My point is to help you better in finding the answers yourself; that's why I emphasized the approach more than giving a spoon-fed answer.
I would also request to avoid regional statements, AKA -
Hi GADDE, your surname looks familiar to me; are you from Vijayavada?
Perhaps our strength is our diversity!
Please take it in the best spirits, thank you.
and happy SDN'ing... 😛
Abhishek
‎2008 Jan 11 12:15 AM
Hi Abhishek,
Thanks for your help and suggestions.
Kind Regards,
Many thanks for your time.
Vamsi.
‎2008 Jan 11 2:19 AM
thanks dude for understanding
you take care....n keep posting
-Abhishek
‎2008 Jan 11 6:59 AM
Hi Abhishek ,
Your points taken.
And the answer to Vamsi is NO, RJY.
Rgds,
Gadde.