How to Analyzing Authorization Checks for SAP User

 If
you do not know the required authorizations for a transaction, you can
use the system trace or the authorization error analysis to determine
them.

● System Trace

1.      Choose Tools®Administration ®  Monitor®Traces®SAP System trace.

2.      Choose the trace component Authorization check and then Trace on. The system then automatically writes the trace to disk.

3.      To restrict the system trace to your own sessions, choose Edit ® Filter ® General. In the dialog box displayed, enter your user ID in the field Trace for user only.

 4.      After you have completed your analysis, choose Trace off.

  5.      To display the results of the analysis, choose Goto ® Files/Analysis or choose the pushbutton File list. Position the cursor on the file that you want to analyze and choose Analyze file.

You will see authorization tests entries in the format <Authorization object>:<Field>=<Value tested>.

You
can display a formatted view of an authorization check by
double–clicking an entry. (You may need to scroll down in the display
to reach the formatted view of the entry.)

If no authorization entries exist or the system displays the message Authorizationentries skipped, check that you have set the trace switches correctly. If the switches are correct, then choose Tracefile®Analyze file and ensure that Trace for authorizationchecks is selected.

● 
4000
 Authorization error analysis

You
can use transaction SU53to analyze an access-denied error in your
system that just occurred. It displays the last failed authorization
check, the user’s authorizations, and the failed HR authorization check.

You can use transaction SU53 from any of your sessions, not just the one in which the error occurred.

For
example, you have selected a function, and the system responds with the
message "You are not authorized for this function." To display the
checked authorization object, enter SU53 or /nSU53 in the command
field. The system then displays a comparison of the values of the
object that are in your user master record.

Note,
as the administrator, that the data in the Failed Authorization Check
area are from the time at which the user started transaction SU53 to
determine which authorization he or she is missing.

The
User’s Authorization Data, on the other hand, is the data that was read
directly from the user buffer at the time of analysis, when the
administrator views the user’s problem by choosing Display for Other
Users.

Use
transaction SU56 to display all of your own authorizations or the
authorizations of another user. Call transaction SU56 by choosing Goto
? Entered Authorization in User Buffer. This transaction shows which
authorizations are currently assigned in the user's user master record.