Blog - Shortcut IT

Direkt zum Seiteninhalt

Oh no.. missing authorizations

Shortcut IT
Veröffentlicht von in Sc4SAP · 16 Januar 2020
This article deals with a usually unpopular topic: authorizations.

A lack of authorization is usually an unbridgeable hurdle, so that it is not possible to make any progress with the completion of our task. Maybe a colleague has the missing authorization and can help out, but it usually boils down to the fact that you have to apply for the missing authorization somehow - after identifying a suitable role - and then (hopefully) get it after a while.

This might be ok if there is some time to complete our task. If it can be done also next day or week, ok, let's wait for the approval.
But it may also be necessary to obtain the missing authorization as soon as possible, for example
  • during a go-live: usually very tightly planned, usually carried out on a weekend and with no reserves in the schedule. The approvers may not be available at the weekend. The entire schedule and with it the timely availability of the system is at risk!
  • in normal productive operation. For example, an imported transport request may cause a further authorization check to be processed. A missing authorization for a system user immediately brings an interface to a standstill. The system may be flooded with thousands of short dumps. In such a situation, there is usually no time for time-consuming authorization requests or role changes in the development system and subsequent transport into the quality and production system. Hey, your business is at harm!

"Shortcut for SAP systems" (Sc4SAP) offers some possibilities to help you.

1.: Assign a role and/or a profile
This could be suitable approach in case you know which role or profile is missing. Simply assign the role or profile to the user and the authorization is given.

This function needs a user with the appropriate authorizations for role assignment (S_USER_AGR, S_USER_GRP etc.). The impact and the routines behind are the same as used in transactions SU01 or PFCG, including change documents for the assignment. However, an authorization allocator is not needed on-site, because in Sc4SaP you can also use a system user. Thus, this is an appropriate method to assign missing authorizations in case there is no authorization allocator and/or there is no way or time to follow the regular approval process for authorizations (e.g. a go-live at the weekend).

2.: Assign a "hidden" authorization
This could be suitable approach in case there is no role or profile available for the needed authorization or the role or profile is too extensive or would cause an overflow (see SAP note 410993). Because this function can be used for addressing other clients it might also be a solution in case you don't have access to a user in the targeted client with the necessary authorizations for the 1st function (see paragraph above).

There are 2 options to assign the missing authorization:
1.: you can assign a full authorization for a given authorization object.
2.: you can assign the authorizations of a role.
For the user used in the connection it is not necessary to have the authorizations for role / profile assignment. The method behind it is completely different from the regular role / profile assignment. In case your SAP system uses more than 1 application server there could be a latency for the given authorization to be effective (usually up to 2 minutes, depending on the value of profile parameter rdisp/bufreftime).
This method has some peculiarities that you should be aware of:
  1. There will be no change documents for the assignment. So if you want everything to be correct, you should document it accordingly and have it approved (retrospectively) if necessary. Hint: all actions in Sc4SAP are logged in the "logs" directory, so you can catch up this afterwards when there is time to do so.
  2. The user will not be listed in the SUIM reports when you search for users with the assigned authorization!
  3. The authorizations assigned this way will disappear at the next time the user buffer for the user will be refreshed. This could be caused for example by a "normal" role assignment for the user, a user comparison run or the first login of the user, and there might be some more possible reasons.  

3.: Assign a reference user
This is an appropriate method to fix authorization problems in the system without spending time to find the concrete missing authorizations. Of course also an assignment of profile SAP_ALL would be a possibility, but maybe there are some reasons for avoiding this (for example, a strict ban on the assignment of SAP_ALL, impending costly compliance tasks, etc.). In that case using a "reference user" might be a solution. In a nutshell: if there is a user A and for this user a user B is maintained as a reference user this will have the impact, that user A has all authorizations from user B additionally.
A reference user can be maintained in transaction SU01, but there could be some hurdles to avoid or restrict this possibility (for example, SAP notes 330067, 513694). These hurdles focus on maintenance of the reference user in SU01 and SU10. But even if it is not possible to assign a reference user via SU01 and SU10, it still works in Sc4SAP via the "Update table data" function.

For getting the authorizations of the reference user beeing effective the user has to log into the system again. At login the system considers the given reference user for all upcoming authorization checks during the session.

Finally, I would like to mention that these possibilities (especially the 2nd and 3rd) should be used with caution. And: please do not forget to tidy up again. Only temporarily needed permissions should be revoked when they are no longer needed, and permanently needed permissions should be assigned in a regular way.
But in the end it is much more important that your go-live is back on track resp. your production system is running smoothly again, isn't it?



Kein Kommentar
Shortcut IT GmbH
Kreuzberger Straße 8
31226 Peine
Tel.: 0170/9377125
Zurück zum Seiteninhalt