How Do You Display Authorization Data In SAP Tcode?

Published Aug 29, 2025

This guide explains how to display authorization data in SAP using T-codes, broken down by use case.

Overview of SAP authorizations

Before diving into the T-codes, it's essential to understand the components of the SAP authorization concept:

  • User: An individual who logs into the SAP system.
  • Role (PFCG): A collection of transactions, reports, and authorizations that represent a user's job function. Roles are maintained with the T-code PFCG.
  • Authorization Profile: A technical object automatically generated by PFCG when a role is configured. It contains the actual authorization data.
  • Authorization Object: A security object containing a set of fields that must be checked against a user's assigned values to determine access. The check is performed by the AUTHORITY-CHECK statement in the underlying ABAP code.
  • Authorization Fields: The individual components of an authorization object (e.g., ACTVT for activity, BUKRS for company code).

Method 1: Use the SAP User Information System (SUIM)

The most comprehensive tool for displaying authorization data is the User Information System (SUIM). It offers a structured reporting tree to find detailed information about users, roles, profiles, and authorizations.

To display a user's authorization data via SUIM:

  1. Enter T-code SUIM in the command field and press Enter.
  2. Expand the Users node.
  3. Choose By Complex Selection Criteria.
  4. Enter the User ID in the "User" field. You can use wildcards (e.g., * or ?).
  5. On the same screen, scroll down to the Authorizations section.
  6. To find users with a specific authorization, expand the Authorizations node from the main SUIM screen and select the desired search criteria, such as By Authorization Values or By Authorization Object.
  7. Execute the report. The output will list the user and their assigned roles.
  8. To view the full details of a user's roles, double-click the user in the results list to go to T-code SU01.

Key reports in SUIM for displaying authorization data:

  • Roles -> By Authorization Values: Finds all roles containing a specific authorization object and field value.
  • Roles -> Roles by Complex Selection Criteria: Lists roles based on descriptions, transaction codes, or users.
  • Authorizations -> Objects -> By Object Name: Displays details of a specific authorization object.

Method 2: Display user authorizations via User Maintenance (SU01)

If you already know the user ID and have the necessary administrative privileges, SU01 provides a direct, comprehensive view of a user's master data, including their assigned roles and profiles.

To display a user's authorizations via SU01:

  1. Enter T-code SU01 and press Enter.
  2. Enter the User ID and click the Display button.
  3. Go to the Roles tab to see all assigned single and composite roles.
  4. Go to the Profiles tab to view the technical authorization profiles assigned to the user, either directly or via roles.
  5. To see the specific authorization objects within a role, double-click the role name on the Roles tab. This will take you to T-code PFCG.

Method 3: Analyze roles with the Profile Generator (PFCG)

PFCG is the primary transaction for creating and maintaining roles. It also serves as a critical tool for displaying the detailed authorization data contained within them.

To display authorization data for a role via PFCG:

  1. Enter T-code PFCG and press Enter.
  2. Enter the Role Name and click the Display button.
  3. Navigate to the Authorizations tab.
  4. Click the Display Authorization Data button.
  5. This will show a hierarchical tree of authorization objects contained within the role.
  6. Expand the tree to see the specific authorization objects, fields, and assigned values. A green icon indicates that the field values have been maintained, while a yellow icon shows that manual maintenance is needed.

Method 4: Diagnose failed authorization checks (SU53)

SU53 is a crucial diagnostic tool for end-users and security administrators. If a user encounters an authorization error, typing /nsu53 in the command field immediately displays the last failed authorization check.

How to use SU53:

  1. When a user receives a "You are not authorized" message, instruct them to immediately enter T-code /nsu53 in the command field.
  2. The screen displays the authorization object, field, and value that caused the check to fail.
  3. Users can screenshot this information and send it to the security team.
  4. Security administrators can run SU53 for another user by using the menu path User -> Display Authorization Values from within SU53, provided they have the necessary administrative access (Authorization Object S_USER_AUT).

Method 5: Trace authorization checks in real-time (STAUTHTRACE)

For a more comprehensive analysis of a user's session, the authorization trace tool STAUTHTRACE is invaluable. Unlike SU53, it records every single authorization check, not just the last failed one.

How to use STAUTHTRACE:

  1. Enter T-code STAUTHTRACE and press Enter.
  2. Enter the User ID of the user you wish to trace in the "Trace for user only" field.
  3. Click Activate Trace.
  4. Have the user perform the required actions in their own session.
  5. Return to the STAUTHTRACE screen and click Deactivate Trace.
  6. Click Evaluate to see a detailed report of all authorization checks performed during the trace, including successes and failures.
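
Added example (not part of the original article, and not SAP code): a simplified Python model of how an AUTHORITY-CHECK is evaluated against a user's authorizations, and of why SU53 and STAUTHTRACE show different things for the same session. The authorization data is constructed, and the names Session, authority_check and value_matches are hypothetical.

```python
# Simplified model of AUTHORITY-CHECK evaluation (constructed sample data).
# A value is a single value, "*", a "PREFIX*" pattern, or a (low, high) range.
USER_AUTHS = {
    "F_BKPF_BUK": [
        {"ACTVT": ["03"], "BUKRS": ["*"]},                     # display, any company code
        {"ACTVT": ["01", "02"], "BUKRS": [("1000", "1999")]},  # create/change, 1000-1999
    ],
}

def value_matches(allowed, value):
    if isinstance(allowed, tuple):              # range: low <= value <= high
        return allowed[0] <= value <= allowed[1]
    if allowed.endswith("*"):                   # "*" or prefix pattern
        return value.startswith(allowed[:-1])
    return allowed == value

def authority_check(auths, obj, **checked):
    """Return the sy-subrc the check would set: 0 passed, 4 values do not
    match, 12 user holds no authorization for the object."""
    candidates = auths.get(obj)
    if not candidates:
        return 12
    for auth in candidates:
        # Every checked field must match inside ONE authorization;
        # values are never combined across authorizations.
        if all(any(value_matches(a, v) for a in auth.get(f, []))
               for f, v in checked.items()):
            return 0
    return 4

class Session:
    def __init__(self, auths):
        self.auths = auths
        self.trace = []          # STAUTHTRACE view: every check, pass or fail
        self.last_failed = None  # SU53 view: only the last failed check

    def check(self, obj, **checked):
        rc = authority_check(self.auths, obj, **checked)
        self.trace.append((obj, checked, rc))
        if rc != 0:
            self.last_failed = (obj, checked, rc)
        return rc

def demo():
    s = Session(USER_AUTHS)
    s.check("F_BKPF_BUK", ACTVT="03", BUKRS="2000")  # display anywhere -> 0
    s.check("F_BKPF_BUK", ACTVT="02", BUKRS="2000")  # change outside range -> 4
    s.check("S_TCODE", TCD="MM01")                   # object not held -> 12
    return s
```

In demo(), the SU53-style view keeps only the S_TCODE failure, while the trace also holds the earlier F_BKPF_BUK failure that a role fix would need to address.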

Method 6: Analyze authorizations for a specific T-code (SU24)

If you need to know which authorization objects are typically checked by a particular T-code, SU24 is the perfect tool. This is helpful for building new roles and performing impact analysis.

How to use SU24:

  1. Enter T-code SU24 and press Enter.
  2. Enter the Transaction Code you are interested in (e.g., MM01).
  3. Click Execute.
  4. The system displays a list of all authorization objects checked by that transaction.
  5. You can double-click an object to see its details, such as the relevant fields and proposed values.

Summary table of T-codes for displaying authorization data

| T-code | Use Case | Description |
|---|---|---|
| SUIM | Comprehensive reporting | Accesses the User Information System for detailed reports on users, roles, profiles, and authorizations. |
| SU01 | User-centric view | Displays a specific user's assigned roles, profiles, and user master data. |
| PFCG | Role-based analysis | Displays the menu, organizational levels, and authorization objects contained within a role. |
| SU53 | Error diagnosis | Shows the last failed authorization check for a user. Essential for troubleshooting. |
| STAUTHTRACE | Real-time tracing | Records all authorization checks for a user session, revealing both successful and failed checks. |
| SU24 | Transaction analysis | Displays the authorization objects that a particular T-code checks. |
| SU21 | Object detail | Displays the definition of an authorization object, including its fields and associated authorization class. |
| SU56 | Buffer check | Displays the current authorization buffer for a logged-in user. |