
ZSU53 - Missing authorization assistance
Asim Rasheed Mian SAP Employee
Company: SAP America
Posted on Nov. 10, 2009 08:56 AM in ABAP, ERP, Identity Management, SAP Developer Network, Security

How many times have you and your colleagues come across the classic 'You are not authorized to use transaction....' error, run SU53, and sent a screenshot of it to your Basis Administrator (or been asked for it) to get the authorization issue resolved? Now you can execute this program and get the list of profiles/roles containing the authorization (yes, simple as that)! Your Basis Administrator can in turn assign you the one he/she feels is appropriate for you to have.

The highlights of this tool are:

  • Lists profiles/roles which contain the appropriate authorization
  • Has the capability to list the users under the profiles/roles
  • Only looks up active profiles/roles
  • Looks up ALL authorization values (which could be up to 10) for an authorization failure!

Here is a sample comparison between SU53 and ZSU53

Standard transaction SU53

 

ZSU53 - Missing authorization assistance

The screenshot above shows how ZSU53 displays a list of profiles/roles containing the authorization object and its respective attributes, whereas the standard transaction SU53 only shows the missing authorization and lists the profiles which came close to the authorization you actually need!

This tool searches through and filters profiles/roles which have partial authorization, and it is powerful enough to consider '*' or 'Z*' and the like while looking for the value 'ZARM', for example. This means that SAP_ALL and other powerful profiles/roles would show up in the list every time a user executes the program. For that I would advise setting up a custom table that contains the list of all the profiles the general users should be allowed to have and excluding these sacred profiles/roles from that table, OR putting only these profiles/roles in that table and excluding them from your final list of profiles/roles before display.

The performance of this tool is an important factor (which is very much covered, I must say), but if your organization has hundreds and thousands of profiles/roles then I would again advise you to create a custom table to maintain valid profiles/roles. You could put an inner join on it to drop unwanted profiles/roles and then display the refined list!
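The wildcard matching and custom-table filtering described above, as an added example in Python; it is not the ZSU53 program or code from the linked article. The sample rows, the role names other than SAP_ALL and the function names are constructed, and it assumes that a check passes only when a single authorization covers every field and that a trailing '*' acts as a prefix wildcard.

```python
from collections import defaultdict

# Constructed sample rows: (role, authorization, object, field, granted value).
ROLE_AUTHS = [
    ("SAP_ALL",       "A1", "S_TCODE",    "TCD",       "*"),
    ("SAP_ALL",       "A2", "S_TABU_DIS", "ACTVT",     "*"),
    ("SAP_ALL",       "A2", "S_TABU_DIS", "DICBERCLS", "*"),
    ("Z_DEV_ALL",     "A1", "S_TCODE",    "TCD",       "Z*"),
    ("Z_ARM_USER",    "A1", "S_TCODE",    "TCD",       "ZARM"),
    ("Z_FI_DISPLAY",  "A1", "S_TCODE",    "TCD",       "FB03"),
    ("Z_TAB_DISPLAY", "A1", "S_TABU_DIS", "ACTVT",     "03"),
    ("Z_TAB_DISPLAY", "A1", "S_TABU_DIS", "DICBERCLS", "Z*"),
    ("Z_TAB_SPLIT",   "A1", "S_TABU_DIS", "ACTVT",     "03"),
    ("Z_TAB_SPLIT",   "A1", "S_TABU_DIS", "DICBERCLS", "SS"),
    ("Z_TAB_SPLIT",   "A2", "S_TABU_DIS", "ACTVT",     "02"),
    ("Z_TAB_SPLIT",   "A2", "S_TABU_DIS", "DICBERCLS", "Z*"),
]

def value_matches(granted, wanted):
    """'*' grants everything; a trailing '*' (e.g. 'Z*') is a prefix match."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def roles_covering(obj, failed_fields, rows=ROLE_AUTHS):
    """Roles holding ONE authorization that satisfies every failed field."""
    grants = defaultdict(lambda: defaultdict(list))
    for role, auth, o, field, value in rows:
        if o == obj:
            grants[(role, auth)][field].append(value)
    hits = set()
    for (role, _auth), fields in grants.items():
        if all(any(value_matches(g, want) for g in fields.get(f, []))
               for f, want in failed_fields.items()):
            hits.add(role)
    return sorted(hits)

def refine(roles, listed, mode):
    """mode='allow': keep only listed roles; mode='deny': drop listed roles."""
    if mode == "allow":
        return [r for r in roles if r in listed]
    if mode == "deny":
        return [r for r in roles if r not in listed]
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    found = roles_covering("S_TCODE", {"TCD": "ZARM"})
    print(found)                                           # unfiltered hits
    print(refine(found, {"SAP_ALL", "Z_DEV_ALL"}, "deny"))  # sacred roles removed
```

Z_TAB_SPLIT is left out of the S_TABU_DIS result because its two authorizations each cover only one of the two failed fields, which is the case a per-field lookup would wrongly report as a match.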

If you choose to show the users under the profiles/roles, you can see how profiles and roles have been assigned to users. If the users have the same responsibilities, you could decide to club the profiles together and create a role which would cover such and such responsibility. This tool could be used similarly to SU53: the user could send a screenshot of it to e.g. the Basis Administrator, or they could look up the last failure by pressing F5 or the User button and entering the user's ID to view the list of profiles and roles.

This tool has reduced a lot of the headache around obtaining the right authorizations to get the job done, and I sincerely hope it will work miracles for your organization too!

Note: Those of you very familiar with SAP authorizations will know that SU53 has its limitations (e.g. sequence of profiles checked, structure authorizations etc.). The same limitations apply to ZSU53 as well, and it will not produce correct results in all situations.

Find more information, including the actual program code, in this article:
ZSU53 - Missing Authorization Assistance

Asim Rasheed Mian is an App. business analyst for SAP America (IT Dept) and has been working in the SAP ABAP world since Aug 2003. He started his SAP career with Siemens Pakistan.


There could be tons of ideas you could derive from this. It would be great if you could share your opinion as well as your ideas on this and more!
Showing messages 1 through 9 of 9.

  • Code share
    2009-11-12 12:23:46 Asim Mian SAP Employee

    For those who don't use saplink as yet and find the code in the pdf cumbersome... hope this helps


    https://wiki.sdn.sap.com/wiki/display/Snippets/ZSU53+-+Missing+Authorization+Assistance

  • Brilliant
    2009-11-11 06:31:47 Mohammad Zeeshan

    Brilliant idea. Very nicely developed. Makes everybody's life much easier. Great work Asim!
  • Well Done Asim
    2009-11-10 22:01:07 Rashid Javed

    Amazing stuff. I hope this utility becomes part of standard SAP ERP because it could be very helpful to Basis/GRC consultants. Till that time we can implement ZSU53.


    I think the blog itself was rather short. Maybe it could have been divided into two blogs explaining in detail the six new forms added in ZSU53.


    And with reference to variable p_user (used to determine visibility of assigned users), would it be better if we could make it a parameter ID? This way, it can be set in the user master data of individual users.
    Overall a very useful utility.

    • Well Done Asim
      2009-11-11 06:25:20 Asim Mian SAP Employee

      Thanks Rashid!
      I'll try to write up another blog explaining the newly introduced forms!


      Just a note that the code being shared is a simplified form of the program we are actually running. In our implementation it is a parameter ID and there is lots of other stuff, including a custom table which limits the profiles/roles lookup, making it very efficient, etc.


      BR,
      Asim

  • SAP Link
    2009-11-10 14:26:39 Martin Voros

    Hi,


    thanks for publishing this program. Is there any chance that you would publish your program using SAP Link? Or am I the only one who thinks that publishing a program by dumping source code to PDF is pretty weird these days?


    Cheers

    • SAP Link
      2009-11-11 01:46:25 Markus Milleder

      Let me second this request.


      Even a plain text version would be much better than the quaint PDF format.

