Tracing User Authorizations

Tracing user authorizations using transaction ST01 in SAP

For a consultant, tracing user authorizations is as routine as debugging code or figuring out why something isn’t working. There is nothing extraordinary about the process, and I’ll try to show that.

The demonstration will be based on an example of a user who is assigned a specific role in the system. In their user menu, the user tries to launch a transaction but receives an error message.

From the error itself, it’s easy to guess what’s going on. The user lacks the necessary authorizations to execute the transaction. To find out exactly which authorizations are missing, the consultant needs to launch transaction ST01.

On the ST01 transaction screen, click the General Filters button and enter the username for which the authorization check should be performed.

On the main ST01 screen, also enable the Authorization check option.

Other options may be activated as needed. Click the Trace On button. Now the user must reproduce the actions that led to the error (alternatively, the consultant can perform the actions themselves, assuming the test user is assigned the same role). Once the actions have been repeated, the consultant should stop the trace by clicking the Trace Off button.

Now it's time to review the logs! Open them by clicking the Analysis button.

Pay attention to the Username field and the date and time fields. The Username field must contain the name of the user for whom tracing was enabled. Also check the date and time fields, as the system’s default suggestions might differ from the actual values—this could prevent the system from locating the trace logs correctly. Now let’s run the log viewer.

What should you focus on here?


Primarily on entries with RC=12 or RC=4. In the example provided in this article, there is only one such entry. If you double-click it, you’ll see a detailed view:

How to interpret this?

The missing authorization object is P_TCODE. The specific value that is missing within this object is PPPM.
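
An added example, not part of the original article: when a trace contains many entries, the same filtering can be scripted over a saved copy of the list. It assumes a constructed text layout (object name, RC=, then FIELD=VALUE pairs separated by semicolons); the layout, the sample lines and the Z_EXAMPLE object are made up for illustration and are not real ST01 output.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout, not real ST01 output):
# object name, return code, then FIELD=VALUE pairs separated by ';'.
SAMPLE_TRACE = """\
S_TCODE    RC=0   TCD=PPPM
P_TCODE    RC=12  TCD=PPPM
P_TCODE    RC=12  TCD=PPPM
Z_EXAMPLE  RC=4   ACTVT=03
this line does not follow the layout and is skipped
"""

LINE_RE = re.compile(r"^(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>\S+)$")
FAILED_RCS = {4, 12}  # the return codes the article says to focus on


def parse_line(line):
    """Return (object, rc, {field: value}), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["fields"].split(";") if "=" in p)
    return m["obj"], int(m["rc"]), fields


def missing_authorizations(trace_text):
    """Collect distinct failed checks as {object: {field: sorted values}}."""
    found = defaultdict(lambda: defaultdict(set))
    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in FAILED_RCS:
            continue  # skip unparsable lines and successful checks
        obj, _rc, fields = parsed
        for field, value in fields.items():
            found[obj][field].add(value)  # a set drops repeated entries
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in found.items()}


if __name__ == "__main__":
    for obj, fields in missing_authorizations(SAMPLE_TRACE).items():
        print(obj, fields)
```

Each object in the result is a candidate to review before changing the role, not a list to add wholesale.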

What needs to be done next

Add the missing authorization object to the user’s role and ask the user to try performing the operation again.

To add the missing authorization object to the user’s role, open transaction PFCG, edit the role assigned to the user, and adjust its authorization profile.

In the authorization profile editing screen, click the Manually button to add the missing object by hand, and enter its name.

Then, add the missing value for that authorization object.

Generate the profile by clicking the Generate Profile button. Continue testing the changes and adjusting authorizations until the user is able to complete the required action in the system.

N.B. Sometimes transaction SU53 can help identify missing user authorizations more quickly. If the user encounters an authorization issue, they can open SU53 in a new SAP Logon window and send a screenshot to the consultant. At the same time, the consultant can open transaction SU53, press F5, and enter the username to view the last failed authorization check for that user.