You can use the following procedures to determine which authorizations a user requires to carry out a transaction:
You can use Trace function, ST01, you can trace the user activity and from the log you can see the authorization missing.
Start an authorization trace using the ST01 transaction and carry out the transaction with a user who has full authorizations. On the basis of the trace, you can see which authorizations were checked.
This procedure generally works well. However, sometimes
the result is very surprising because certain programs can and do ignore
some authorization checks by using preliminary checks and buffered results.
In such cases, these methods are not very effective. You can recognize
these cases because certain fields of the corresponding programs are specified
with * or DUMMY at some point of the authorization check.
Analyzing authorization problems in an unknown program
The most frequently used method to analyze authorization
problems in an unknown program involves you setting the Debugger breakpoints
to the AUTHORITY-CHECK and MESSAGE commands. Then execute the program and
analyze its behavior.
Determining all the authorizations a user has for an authorization object
When troubleshooting, it is often helpful to find out
all the authorizations a specified user has for a specific authorization
object. A simple method of reading these authorizations as raw data from
the user master record is to execute the GET_AUTH_VALUES function module
in the SUSR function group. Use the SE37 transaction or SE80 in test mode
to do so. The result table is not formatted for output, but is very compact
and easy to understand for authorization experts.
Analyzing an authorization problem that occurs for only one user
It is often the case that a certain authorization problem occurs for only one specific user. This kind of authorization problem generally affects users with no Debugging authorization. If you want to assign a user Debugging authorization without changing the HR authorizations, you can add the S_A.DEVELOP authorization profile (if available) to the user’s authorization profiles. In production systems, note that changes such as these to authorizations enable users (with relevant knowledge of the development environment) to access any system data easily (especially in other clients).
