24.2.11

SAP Note 23342 - No authorization ... --> analysis (also for external users)

Symptom:

A user tries to activate a function and a message such as "No authorization for ..." or "You are not authorized to ..." appears.

Other terms

Error messages SF 261, SAP Easy Access, /SAPAPO/
SU53, reference user, user buffer, role, profile

Reason and Prerequisites
    1. The most frequent cause is that the ABAP/4 program includes an authorization check (statement AUTHORITY-CHECK) against an authorization object with specific values, and the user does not have the appropriate authorization in his/her user master record.
    Analysis:
      a) Call transaction SU53 (in a second session if possible). It shows which authorization object is checked and with which values. It also shows which authorizations the user has for the relevant object in his/her master record.
      As of Basis Support Package 4.6B SP 25, 4.6C SP 15, 4.6D SP 06, calling transaction SU53 copies the data to the database. A user administrator can therefore also call SU53 for this user and analyze the missing authorizations herself/himself.
      With another Support Package as of 4.6B or correction instruction 291726, the display in SU53 is enhanced. In addition to the authorizations of the user, the profile or role through which the user obtained the authorization is displayed as well.
      With another Support Package as of 4.6C or correction instruction 291727, display in SU53 is enhanced. If the user has been given additional authorizations via the assignment of a reference user, this is displayed as well.
      b) Have your administrator run an authorization trace. This trace is part of the ABAP trace in Rel. 2.x and part of the SAP System trace in Rel. 3.0A. For more information, please see note no. 18529.
    2. The user master record was supplemented, but the user needs to log off and back on first.
    3. The user has been granted the required authorization, but has so many authorizations in his/her user master record that the user buffer overflows.
    Analysis: Transaction SU53 or the authorization trace will show which authorization object is checked. The user info system can be used to display all the authorizations that a user has in his/her user master. With transaction SU56, the logged on test user can check which authorizations appear in the user buffer and compare them with the list from the user info system. If transaction SU56 displays fewer authorizations than the Info system, a buffer overflow has occurred.
    4. A check was made outside the SAP authorization concept. In this case, the user does not meet the necessary requirements.
    Analysis: Observe the long text of the error message or the documentation of the corresponding application.
    5. As of Release 3.1G, a mirroring of the user buffer has been introduced in the database. This results in considerably increased performance for applications which make frequent RFC calls to other systems.
    This can, unfortunately, lead to inconsistencies when users or profiles are transported. As a result, when a user whose data has been modified by a transport attempts to log on, the system still draws on the old authorizations.
    6. As of Rel. 4.6A, transactions are usually called from the SAP Easy Access menu. This new transaction call has been implemented internally with CALL TRANSACTION. Therefore, in some cases an incorrect error message may still occur.
    Example: If a transaction has been locked by using transaction SM01, error message SF261 "You have no authorization for transaction &" is displayed instead of the correct error message 00034 "Transaction & is locked".
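
The analyses in items 1 and 3 above, as an added example (a simplified Python model, not SAP code and not part of the original note). It shows why a check fails when no single authorization covers the checked values, and how a truncated user buffer fails a check that the master record would pass. The truncation order, the filler authorizations and the use of object S_TCODE with field TCD are assumptions made for illustration.

```python
# Simplified model of the checks described above; not SAP code, data constructed.

def value_matches(granted, wanted):
    """Granted value: a literal, a trailing-'*' pattern, or a (low, high) range."""
    if isinstance(granted, tuple):
        return granted[0] <= wanted <= granted[1]
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def authority_check(auths, obj, **fields):
    """True only if ONE authorization for obj covers every checked field."""
    return any(
        auth_obj == obj and all(
            any(value_matches(g, want) for g in auth_fields.get(name, []))
            for name, want in fields.items())
        for auth_obj, auth_fields in auths)

def load_user_buffer(master_record, limit):
    """Assumed logon behaviour: only the first `limit` authorizations fit.
    `limit` stands in for auth/auth_number_in_userbuffer."""
    return master_record[:limit]

def missing_from_buffer(master_record, buffer):
    """Item 3 analysis: info-system list minus the SU56 list."""
    return [a for a in master_record if a not in buffer]

def su53_view(auths, obj, **fields):
    """What SU53 reports: checked object and values, plus what the user holds."""
    return {"checked": (obj, fields), "held": [f for o, f in auths if o == obj]}

# Constructed master record: five filler authorizations, then the relevant one.
MASTER = [("Z_FILLER", {"ACTVT": [f"{i:02d}"]}) for i in range(5)] + [
    ("S_TCODE", {"TCD": ["SU5*", ("SM01", "SM04")]})]

if __name__ == "__main__":
    for limit in (6, 5):
        buf = load_user_buffer(MASTER, limit)
        ok = authority_check(buf, "S_TCODE", TCD="SU53")
        print(f"limit={limit} authorized={ok}",
              "view:", su53_view(buf, "S_TCODE", TCD="SU53"),
              "overflowed:", missing_from_buffer(MASTER, buf))
```

With the limit at 5, the S_TCODE authorization is in the master record but not in the buffer, which is the mismatch between SU56 and the info system that item 3 describes.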
Solution
    1. The user administrator needs to check whether the user needs to be granted authorization for the function. If necessary, the administrator should add to the user authorizations. This can be done by changing the user master record, a profile contained therein, or by changing an authorization. The exact procedure depends on the structure of the authorization environment.
    2. Log off, log on again, and try the function again.
    3. Try to reduce the number of authorizations in the affected master record by removing redundant authorizations and authorization profiles from the master record and/or grouping several individual authorizations together as one authorization object with a single authorization.
    Or increase the system profile parameter auth/auth_number_in_userbuffer (also see note no. 10187).
    4. To solve the problem, refer to the long text of the error message or the manual of the relevant application.
    5. You need to reset the user buffers manually.
    In Release 3.1G this is done within the "Maintain users" transaction (SU01) by choosing: Utilities -> Mass changes -> Reset all user buffers. From 3.1H, it is also possible to reset these buffers without an authorization check taking place by choosing: System -> User profile -> User defaults -> = Enter RSHU in the ok field -> ENTER.
    Reason for this procedure: In certain situations it is unfortunately possible that no user has the authorization to reset the user buffers. It was therefore necessary to provide a way of resetting the buffers that is not subject to authorization checks. This is not a problem, since, as a consequence, the system rebuilds the buffer from scratch whenever a user logs on. The first authorization check following the logon will simply perform as it did before 3.1G. Since unauthorized users will only have to carry out this procedure very rarely, we thought it best to "hide" the procedure as described.

    As of version 4.0B, this function was placed in transaction SU01 for security reasons. There you can now use the OK code "RSET" on every screen (including the start screen) to reset the user buffer. This restricts the function to administrative users.
    6. Check whether the transaction named in the error message from the SAP Easy Access menu can be called by entering it in the OK field, prefixed with /O.
    Example:
    When you call the transaction via the SAP Easy Access menu, the following error message is displayed:
    You have no authorization for transaction /SAPAPO/SCEVERSCOMP
    Enter the following in the OK field:
    /O/SAPAPO/SCEVERSCOMP
    and press 'Enter'.
    Using the correction described in Note 307641, the incorrect error message for locked transactions described above is eliminated.
