Wednesday, 8 June 2016

09. Checking Assignment of Authorization Groups to Tables

You can also assign authorization groups to tables to prevent users from accessing tables through general access tools (such as transaction SE16). A user then needs not only authorization to execute the tool, but also authorization to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
Analyze Authorization check SU53
1. Choose the menu path System -> Utilities -> Display Authorization Check or enter transaction code SU53. You can now analyze an error that has just occurred in your system because of a missing authorization.
2. You can call Transaction SU53 in all sessions, not just in the session in which the error occurred. Authorization errors in other users' sessions, however, cannot be analyzed from your own session.
3. In this example, user Bob calls Transaction VA03 (display sales order). The message "You do not have authorization for Transaction VA03" appears. User Bob now enters transaction code /nSU53, and the system displays the authorization object that was just checked and, for comparison purposes, the values of the object that user Bob has in his user master record. In this case, user Bob does not have VA03 assigned to any of his roles.
4. Transaction SU56 allows users to see which authorizations are currently in their user buffer.
Authorization Trace ST01
You can analyze authorizations as follows: Choose Tools -> Administration -> Monitor -> Traces -> SAP System Trace or Transaction ST01.
Choose trace component Authorization check and pushbutton Trace on. The trace is automatically written to the hard disk.
To limit the trace function to your own sessions, choose Edit -> Filter -> Shared. Enter your user ID in field Trace for user only in the displayed dialog box.
Once the analysis is completed, choose Trace off.
To display the results of the analysis, choose Goto -> Files/Analysis or the pushbutton File list. Select the required file and choose Analyze.
The results of the authorization check are displayed in the following format: <Authorization object>:<Field>=<Tested value>
The return code shows whether or not the authorization check was successful.
ST01 Return Code
0 Authorization check passed
1 No Authorization
2 Too many parameters for authorization check
3 Object not contained in user buffer
4 No profile contained in user buffer
6 Authorization check incorrect
7,8,9 Invalid user buffer
System Profile Parameters for Managing Users and Authorizations
Parameters directly affecting the user management functions are as follows:
1. login/fails_to_session_end : Indicates the number of times that a user can enter an incorrect password before the system closes the logon window. The default value is 3, but you can set it to any value between 1 and 99.
2. login/fails_to_user_lock : Sets the number of times a user can enter an incorrect password before the system automatically locks the user. If this happens, the user is automatically unlocked at midnight. The default value is 12. Possible values are from 1 to 99.
3. login/system_client : Sets the default system client. This client is automatically filled in the client field of the logon screen, although users can overwrite it.
4. login/min_password_lng : Specifies the minimum password length. The default value is 3, but you can specify any value between 2 and 8.
5. login/password_expiration_time : Specifies the validity period of passwords in days. When the expiration time arrives, the user is asked to enter a new password.
6. login/no_automatic_user_sapstar : Disables special properties for user SAP* when this parameter is set to a value greater than 0.
7. rdisp/gui_auto_logout : Specifies the number of seconds a user session can be idle before the system automatically logs it off. Setting the value to 0 deactivates this parameter. A user session is considered idle during the period in which its terminal process (SAPGUI) does not communicate with the application server. By default, this option is not activated. For example, developers working in the ABAP editor for a long period of time can be considered idle by the system if they do not perform any function other than editing.
8. auth/no_check_in_some_cases : This parameter lets customers switch off special authorization checks and is the main parameter for activating the Profile Generator tool. Values can be either Y (yes) or N (no).
9. auth/no_check_on_tcode : If this parameter is set to Y (yes), the system does not perform an authorization check on object S_TCODE.
To make the parameters globally effective in an SAP system, set them in the default profile.
To make them instance-specific, you must set them in the profile of each application server in your SAP system.
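The following added example (not part of the original post and not SAP code) audits the parameters listed above: it merges a default profile with an instance profile, lets the instance value win, and flags values outside the stated ranges or values that switch a control off. The function names, the reason texts and the sample profile contents are constructed for illustration; the profile syntax is assumed to be `name = value` with `#` comment lines.

```python
# Rules restate the parameter descriptions above; the 'why' texts are added here.
RULES = {
    "login/fails_to_session_end": {"range": (1, 99)},
    "login/fails_to_user_lock": {"range": (1, 99)},
    "login/min_password_lng": {"range": (2, 8)},
    "login/no_automatic_user_sapstar": {"bad": "0", "why": "SAP* keeps its special properties"},
    "rdisp/gui_auto_logout": {"bad": "0", "why": "idle sessions are never logged off"},
    "auth/no_check_on_tcode": {"bad": "Y", "why": "no authorization check on S_TCODE"},
}

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(default_text, instance_text=""):
    """Return (parameter, effective value, reason) for each flagged setting."""
    effective = parse_profile(default_text)
    effective.update(parse_profile(instance_text))  # instance profile wins
    findings = []
    for name, rule in RULES.items():
        value = effective.get(name)
        if value is None:
            continue  # not set in either profile, nothing to compare
        if "range" in rule:
            low, high = rule["range"]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append((name, value, f"outside {low}-{high}"))
        elif value.upper() == rule["bad"]:
            findings.append((name, value, rule["why"]))
    return findings

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# global settings
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
auth/no_check_on_tcode = N
"""
INSTANCE_PFL = """\
login/fails_to_user_lock = 0
rdisp/gui_auto_logout = 0
auth/no_check_on_tcode = Y
"""
print(audit(DEFAULT_PFL, INSTANCE_PFL))
```

Run against the sample, the default profile alone produces no findings, while the instance overrides produce three, which shows why each application server's profile has to be reviewed and not only the default profile.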
