SU53 – Display Auth Data
Troubleshooting security issues is one of the daily tasks of any security administrator. The first method of investigating authorization failures is the ubiquitous SU53 transaction. We ask the affected user to repeat the step(s) that reproduce the issue and, immediately on getting the error, execute /nsu53 through the command window. The screenshots below show the sequence of actions.
The user tries to create another user through SU01 and gets an authorization error.
The user gets a pop-up with the message that he doesn’t have authorization to create a user.
Many times clicking the help button can provide important information about the background of the error.
To get the SU53 screen, we execute /nsu53 from the command window immediately after getting the error. The SU53 window shows the last authorization check that returned a non-zero value (authorization failure) for the user.
The biggest limitation of SU53 is that it only shows the last authorization failure of a user. In a typical transaction, there can be an entire sequence of authorization checks, any of which might fail. To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).
Really nice post, thank you
Hey there this is a fantastic post. I’m going to e-mail this to my pals. I came on this while exploring on aol I’ll be sure to come back. thanks for sharing.
Ron and Leanne,
Thanks so much for your comments. I just started the site a month back so I am still in update mode!
Regards,
Aninda
Mind if I asked where you are based?
You are doing a great job. I have been exploring this site for over 2 hours now.
Need to keep in touch with you.
Cheers
Hi BlackPro,
Glad that you like the site. I am based in India. In case you have a general security question which might benefit others as well, feel free to ask. I will surely try to include it in a future post.
However, for very specific issues I have found the SAP sdn security forum to be more effective than a personal site like this as a huge number of security experts access it daily.
Best Regards,
Aninda
Hi there,
I started learning BASIS and I am concentrating on security. I am really glad that I visited this site today. Lot of information in simple terms with screenshots is a great idea and job well done. I decided to keep visiting this site to learn more and more.
Thanks for creating this site. Good luck.
-Vasu
Thanks!!! Hope you like security. There’s lots to learn and do in this area. Regards….Aninda
Hi Aninda,
How are you? Good site. Great job.
Hi Jerry,
Great hearing from you man! I am doing ok but a little bit too busy with work. Haven’t had a chance to update the blog for quite some time now. How did you find the site? How are you and everyone? Since this is a public forum, won’t ask too much :-)
Regards,
Aninda
Hi,
Excellent presentation, thanks. Give more presentations like this.
Hi Aninda,
Could you please tell me how to clear the SU53, i.e. if the user is facing an error and has provided the SU53, how can we know which error the user is facing and how can we clear it? Could you please explain it to me with an example?
Thanks in advance.
Hi Pujitha,
The SU53 transaction by design only shows the last authorization check failure for a user. If you suspect that there might be multiple authorization failures for a single transaction, please use the security trace (tcode ST01) for the user under test. It will give you a list of authority checks faced by the user and can be used to troubleshoot complicated security scenarios.
Regards,
Aninda
Hi,
This is one of the best sites I have seen for SAP Basis Security concepts. All the info is available in simple terms and is very easy for reading and understanding the concepts in SAP Basis Security. I totally liked it. Please do update more. Awesome and excellent stuff.
Kumar
Thanks
Hi Aninda,
Thanks a lot for creating a web like this. This web is one of the best webs for a beginner like me…
I have gone through every article you have posted.
Again, thanks a lot for the help.
Can you post any document related to GRC, BI & BW?
Thanks in advance.
Most of the docs I have are SAP copyrighted ones so it would not be right for me to post these on a public forum. I have found the installation guides for GRC that you download from SAP marketplace to be very informative.
Hi,
I have a problem with checking SU53 screenshots: after getting an SU53 screenshot from a customer, what do we need to check in it, and how do we find the solution from that screenshot?
For example, I am uploading one screenshot:
Evaluation of Last Failed Authorization Check of User LSUWESTJ
Description Authorization values
————————————————————————————————————————-
User Name LSUWESTJ Authorization Object V_KNA1_VKO
System ECP Client 500
Date 23.09.2011 Time 10:31:07
Instnce pfecpa3 Profile Parameter auth/new buffering 4
———————————————————————————————–
Authorization check failed
Object Class SD Sales and Distribution
Authorization Obj. V_KNA1_VKO Customer: Authorization for Sales Organizations
Authorization Field ACTVT Activity
01
Authorization Field SPART Division
81
Authorization Field VKORG Sales Organization
8000
Authorization Field VTWEG Distribution Channel
81
User’s Authorization Data LSUWESTJ
Object Class SD Sales and Distribution
Authorization Object V_KNA1_VKO Customer: Authorization for Sales Organizations
Authorizat. T-ED49123900 Customer: Authorization for Sales Organizations
Profl. T-ED491239 Profile for role TV_GLB_ECC_CD_0002_ORGL
Role TV_GLB_ECC_CD_0002_ORGL PF:Customer/Vendor Master Maintenance (Central)
Authorization Field ACTVT Activity
01, 02, 03, 05, 06, 08
Authorization Field SPART Division
01, 41
Authorization Field VKORG Sales Organization
1000, 3000, 4001
Authorization Field VTWEG Distribution Channel
01, 41
Regards,
Sushant
In the first portion of the SU53 screenshot above, the SAP system is checking for the V_KNA1_VKO object with the values given. The next portion of SU53 (below User’s Authorization Data LSUWESTJ) lists the authorizations for the same object which are present with the user. The check fails as the exact values checked by the system are not present in the user master.
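The comparison described in the reply above, as an added example (not code from the original post or from SAP): a short Python parser for the field lines of the SU53 dump quoted in the question (object V_KNA1_VKO), reporting which checked values are missing from the user's authorization. It assumes one authorization per object, comma-separated single values and `*` as the full wildcard; value ranges and several authorizations for the same object are not handled, and the function names are hypothetical.

```python
import re
# Field lines copied from the SU53 dump quoted in the comment above (headers trimmed).
SU53_TEXT = """\
Authorization Field ACTVT Activity
01
Authorization Field SPART Division
81
Authorization Field VKORG Sales Organization
8000
Authorization Field VTWEG Distribution Channel
81
User's Authorization Data LSUWESTJ
Authorization Field ACTVT Activity
01, 02, 03, 05, 06, 08
Authorization Field SPART Division
01, 41
Authorization Field VKORG Sales Organization
1000, 3000, 4001
Authorization Field VTWEG Distribution Channel
01, 41
"""

FIELD_RE = re.compile(r"^Authorization Field (\S+)")

def parse_fields(lines):
    """Map each field name to the set of values listed on the following line."""
    fields = {}
    for i, line in enumerate(lines):
        m = FIELD_RE.match(line.strip())
        if m and i + 1 < len(lines):
            fields[m.group(1)] = {v.strip() for v in lines[i + 1].split(",") if v.strip()}
    return fields

def missing_values(text):
    """Return {field: checked values absent from the user's authorization}."""
    lines = text.replace("\u2019", "'").splitlines()  # accept curly apostrophes from copy/paste
    split = next(i for i, l in enumerate(lines) if l.startswith("User's Authorization Data"))
    checked, held = parse_fields(lines[:split]), parse_fields(lines[split:])
    gaps = {}
    for field, wanted in checked.items():
        have = held.get(field, set())
        # '*' in the user master covers every value of that field (assumption stated above)
        if "*" not in have and not wanted <= have:
            gaps[field] = sorted(wanted - have)
    return gaps

if __name__ == "__main__":
    print(missing_values(SU53_TEXT))
```

For this dump the activity (ACTVT 01) is present in the role, while the division, sales organization and distribution channel values that were checked are not, which is why the check fails.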
Awesome work mate. Kudos for you.
Waiting for your newer posts and updates.
You simply rock in SAP Security.
🙂
HI ANINDA
GOOD WORK.
IS IT POSSIBLE TO SEE THE END USER SU53 SCREEN IN THE SAP SECURITY CONSULTANT SYSTEM? END USER AND SECURITY CONSULTANT HAVE THE SAME SERVER. POSSIBLE? HOW? SHOW ME SCREENS?
Hi Bathi,
There is a button in the tool bar of the SU53 transaction which allows you to switch users. Use it.
Aninda
Hi Aninda,
How can we judge or confirm that the screenshot (SU53) sent by the end user is his last authorization failure?
Is date and time the only way, or is there another option?
Regards
Syed
Hi Syed,
The SU53 screenshot is designed by SAP to return the last authorization failure for a user. However, basing your analysis on SU53 can be misleading in a large number of cases. An ST01 trace is a much better bet in such cases.
Regards,
Aninda
Really nice. I am new to SAP security and learning a lot from this blog.
Thank you
Hi Aninda,
Your website is really great. Excellent work.
Keep posting.
Thank You.
Hi Aninda,
Can you update the system audit logs and reports? I mean (SM19 & SM20) screenshots.
Thank you very much for this site.
Thank you
Hi Bathi,
I will remember your request but I don’t think I can create anything on this in the next few months.
Aninda
I included SE11 in a development role assigned to one user, which should have ACTIVIT 01, 02 (create and change). But running SU53 for that screen error shows that ACTIVIT 03 (display) should be included in the S_develope obj. How can I restrict 03 display for that development role?
Where do I need to change the default value in s_develop?
I need help please…………..
SU53 is often misleading. Try a trace ST01. Also giving change/create in S_DEVELOP without display doesn’t make much sense.
A simple and intelligent point, well made. Thanks!
THANKS lot ANINDA…..
Hi Aninda,
Could you please tell me how to analyse an SU53 screenshot? For example, the user tells you that he has no authorization to create users and he sent you the above screenshot; then what will you do?
Hi Aninda,
I have an issue with SU53 not recording the last authorization failure. I created a user with no authorizations, logged in with that user, executed a transaction and it says the user has no authorization to use that transaction. Then I logged in as a user that has authorization to execute SU53, switched users to the user that doesn’t have any authorizations and it didn’t show any authorization failures. Any idea what the problem may be? I’ve never seen SU53 not work.
So SU53 doesn’t work at all in the system? In such a case you can investigate the profile parameters which control SU53. If it’s just for the one case you mentioned then I am not sure about the problem. But would you ever actually face this problem in a real scenario?
Can you please post any practical scenario to handle an SAP missing authorization ticket, as a step by step process the same as in real time? Basically I am not an expert in security. I tried; finally I found you. Expecting a post from you. It’s a request from your regular viewer.
thanks in advance
I thought the posts were pretty detailed. But I don’t have anything more on SU53 or trace than what’s already there on the site.
Hi Aninda,
Great Blog!
I have a request: can you also please post some tricky SAP Security interview questions?
Thank You!
My suggestion would be to learn the subject instead of preparing answers to questions.
Hi Aninda,
Do you have any idea whether SU53 data is stored in any table, temporarily or permanently?
Or will it not have any table? I was wondering.
Rayudu
I am sure that there would be some table which stores the data, but I have no idea which one.
Hi Aninda,
In my view, SU53 data is not stored in any table; instead it’s there in memory only.
Let me know if you come across the table which stores SU53 failed attempts.
Useful topic and answers.
thank YOU