How to troubleshoot SAP authorization issue

 In this sample, we'll use "SU53" to troubleshoot the authorization issue face by the user and follow by using "PFCG" to resolve it.

1) Login to the client where user had encounter authorization error

2) "SU53" to check the authorization error encounter by the user

3) Click  to switch user  to view the authorization error4) Example of error that cause by "object A_S_KOSTL" and the missing authorization value is either "BUKRS" (1132) or "KOSTL" (0001132000) 

5) To identify which role that relevant to the above object that causing the authorization error, Run TCODE: "SUIM" and expand “Roles”, select “Roles by Complex Selection Criteria”

6) Enter user ID and authorization object, then click "Execute" icon

7) The result show only one role match these filtering criteria

8) From this point, there are 2 options available:

     a. Make all the necessary authorization changes in QAS and once UAT is ready re-

         download the role to DEV and create transport report to deploy the role to QAS and DEV

     b. Make the authorization changes in DEV and transport to QAS for UAT and follow by 

         transport to PRD later on

9) Either option, run "PFCG" and enter the relevant role name for modification and click the "Pencil" icon

10) Click find "find" icon to search the authorization object that caused the error e.g. A_S_KOSTL, S_CTS_ADMI or BC_A

11) Add the missing value in the relevant authorization object parameter, then click "generate "icon" and exit

12) Done, the role is ready for UAT...

Comments