11.7    Troubleshooting Authorization Problems

The most common authorization problems identified when administering an SAP BW/4HANA system relate to missing authorizations.

There are three types of problems:

  1. Missing authorizations for standard authorization objects
  2. Missing authorizations for analysis authorizations
  3. Missing Java portal authorizations

The last of these, SAP NetWeaver AS Java authorization errors, aren’t common in SAP BW/4HANA, so we won’t discuss them at length in this section. If they do occur, the result is normally a clear message stating which object the user doesn’t have access to. It’s then possible to assign access to the object via the user management engine (UME).

Let’s look more closely at the other two types of errors.

11.7.1    Standard Authorization Errors

When executing tasks via SAP GUI, you can always get details for authorization errors by executing Transaction SU53, which is shown in Figure 11.13. Several items are displayed here, including the checked authorization and the roles and authorizations assigned to the user. This makes it easy to analyze whether the error is caused by a missing role or a missing authorization in an existing role.

Figure 11.13    Transaction SU53, Last Authorization Check Success or Failure

You can also use Transaction ST01 (Standard Authorization Trace) to analyze errors related to standard authorization objects, as shown in Figure 11.14. This is especially helpful when errors occur in reporting and their sources aren’t obvious based on the error messages.

Make sure that you set the type of trace (1) and a general filter (2) before activating the trace to avoid tracing all users active in the system. To do this, click the General Filters button and then set the user that should be traced, as shown in Figure 11.14.

Figure 11.14    Transaction ST01, Standard Authorization Trace

Once this is set, click the Trace On button and execute the tasks that caused the authorization errors. Once the tasks are completed, remember to switch off the trace; otherwise, it continues to trace the user activity.

Once the trace has been recorded, it can be analyzed via the Analysis button. To find the trace, limit the selection by the user that was traced and the date and time that the trace was recorded.

The trace report should be read as follows:

Based on the result from either Transaction SU53 or Transaction ST01, you can assign the missing authorizations or roles related to the authorization error message.

11.7.2    Analysis Authorization Errors

SAP BW/4HANA analysis authorization errors can be analyzed using the analysis log in Transaction RSECADMIN. The log provides a detailed breakdown of the analysis authorizations checked during the query execution, including the checked values.

As shown in Figure 11.15, there are two ways to analyze authorization errors: either by executing a query as another user or by configuring the log recording for a user and then asking the user to execute the query while recording is on.

Figure 11.15    Transaction RSECADMIN, Analysis Log Options

Both options result in a detailed authorization log, which can become quite hard to read if you perform too many authorizations or navigations. We recommend that you use bookmarks in either Transaction RSRT or the SAP BEx tools to create the shortest possible log.

The authorization log has three sections:

  1. Header: Contains basic information for the execution
  2. InfoProvider check: Contains the access check for the InfoProvider
  3. Authorization checks: Contains the main checks for the analysis authorizations

These are separated into subnumbers based on the checks required by the structures in the query definition. The number of subnumbers depends on the complexity of the query executed; hundreds of subnumbers are possible.

Note

You can see that the log may display an unsuccessful partial check in the first iteration steps but that the check as a whole is successful. The important result is the one delivered after the last step. However, if a subselection isn’t authorized, the system displays the following lines:

  • All Authorizations Tested
  • Message EYE 007: You Do Not Have Sufficient Authorization (in yellow)
  • No Sufficient Authorization for This Sub Selection (SUBNR) (in yellow)

Let’s consider the two options for analyzing authorization errors.

Execute as Other User

Executing as a different user allows a security or system administrator to execute a query with the authorizations of another user. Figure 11.16 shows the execution as another user, JESPER, and the With Log option selected.

Figure 11.16    Executing Query as Another User

If you execute as another user with log recording activated, you can analyze the resulting log for errors.

The default way to execute the query is via Transaction RSRT (Query Monitor), which allows for selecting a query or a bookmark, as shown in Figure 11.17.

Tip

Use the function module RSEC_GET_USERNAME to avoid problems with authorization user exit variables when executing them as another user from Transaction RSECADMIN.

Figure 11.17    Executing Query in Transaction RSRT

The functionality for executing the authorization check as another user can be secured via authorization object S_RSEC by setting the value for authorization field ACTVT equal to 16 and the value for authorization field RSECADMOBJ equal to RSUDO. We recommend that you assign this functionality only to security administrators.
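To review which roles carry this permission, the following added example (not from the book or from SAP) scans a role-authorization export for S_RSEC authorizations that cover both ACTVT 16 and RSECADMOBJ RSUDO within the same authorization instance. The CSV layout is an assumption modelled on the columns of table AGR_1251, and the role names and rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample; column names assume an AGR_1251-style export (assumption).
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_BW_SEC_ADMIN,S_RSEC,T-B100001,ACTVT,16,
Z_BW_SEC_ADMIN,S_RSEC,T-B100001,RSECADMOBJ,RSUDO,
Z_BW_POWER_USER,S_RSEC,T-B200001,ACTVT,*,
Z_BW_POWER_USER,S_RSEC,T-B200001,RSECADMOBJ,RS*,
Z_BW_REPORTING,S_RSEC,T-B300001,ACTVT,03,
Z_BW_REPORTING,S_RSEC,T-B300001,RSECADMOBJ,RSUDO,
Z_BW_SPLIT,S_RSEC,T-B400001,ACTVT,16,
Z_BW_SPLIT,S_RSEC,T-B400001,RSECADMOBJ,AUTH,
Z_BW_SPLIT,S_RSEC,T-B400002,ACTVT,03,
Z_BW_SPLIT,S_RSEC,T-B400002,RSECADMOBJ,RSUDO,
Z_BW_RANGE,S_RSEC,T-B500001,ACTVT,01,23
Z_BW_RANGE,S_RSEC,T-B500001,RSECADMOBJ,RSUDO,
"""

REQUIRED = {"ACTVT": "16", "RSECADMOBJ": "RSUDO"}


def value_matches(low, high, wanted):
    """True if a single value, a trailing-* pattern or a low-high range covers `wanted`."""
    low, high = low.strip(), high.strip()
    if high:  # range entry, compared as character values
        return low <= wanted <= high
    if low.endswith("*"):  # "*" alone or a prefix pattern such as "RS*"
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting_execute_as(export_text):
    """Return sorted role names where one S_RSEC authorization covers both required values."""
    covered = defaultdict(set)  # (role, authorization instance) -> matching fields
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_RSEC" or row["FIELD"] not in REQUIRED:
            continue
        if value_matches(row["LOW"], row["HIGH"], REQUIRED[row["FIELD"]]):
            covered[(row["AGR_NAME"], row["AUTH"])].add(row["FIELD"])
    return sorted({role for (role, _), fields in covered.items() if fields == set(REQUIRED)})


if __name__ == "__main__":
    for role in roles_granting_execute_as(SAMPLE_EXPORT):
        print("grants execute-as-other-user:", role)
```

Wildcard and range entries are the cases a plain text search for RSUDO misses; Z_BW_SPLIT is not reported because its two values sit in different authorization instances.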

Configure Authorization Log

The other primary option for troubleshooting authorization errors is to activate authorization log recording for a specific user. To do so, enter Transaction RSECADMIN and go to Analysis tab • Authorization log.

Once the user has been activated, recording logs are generated for all actions performed by that user, as shown in Figure 11.18. Therefore, remember to deactivate the recording immediately once the required log has been generated.

Figure 11.18    Activating Authorization Log Recording for User

SAP BW/4HANA provides advanced functionality to define and manage users and access to functionality and business information. The security definition must be a part of the initial system design to ensure that it’s incorporated into the solution, thus avoiding costly rework down the road.