Simplify HR Authorizations with Transactions SU53 and SU56

  • by Tero Tukiainen, SAP Authorizations Consultant, SAPORT Consulting
  • June 15, 2008
Empower users to troubleshoot missing-authorization error messages with transactions SU53 and SU56. Ensure that users can determine the source of an error message and resolve it with ease.
Key Concept

Authorization checks occur under various conditions in the SAP system. When you run a transaction, SAP ERP executes a series of checks to ensure that you have the appropriate authorizations. First, the system determines whether you are authorized to begin the transaction. Authorization object S_TCODE contains the authorization field TCD, and you must have the authorization for the transaction code that you want to run. Next, the system checks whether an authorization object is assigned to the transaction code. If this is the case, the system further checks whether the user has an authorization for this object. If any of these steps fails, the transaction cannot begin and you'll receive an error message about missing authorizations.

“You are not authorized for this function.” Sound familiar? This system message appears when a transaction is attempted and then terminated because of a missing authorization. You can alleviate authorization headaches and prevent users from wasting time searching for missing authorizations by simply employing transactions SU53 (display authorization check) and SU56 (user buffer).

Authorizations are designed to protect potentially sensitive or confidential HR data, such as an employee’s address or salary. Without the proper authorization, a user cannot perform a desired function. SAP ERP generates error messages automatically to inform users of missing authorizations, which they can submit to an authorization administrator for further clarification.

If you encounter such a message, you must employ transaction SU53 to determine the reason for the error message. Transaction SU53 should be included in all users’ authorizations and is practically the only method of revealing missing authorizations. It is important to keep in mind that missing authorizations might be intentional because that user should not have access to a particular transaction. Transaction SU56 provides a list of all authorizations (authorization objects and authorization values within authorization objects) that are assigned to any user. This simple transaction is especially valuable for users to verify their assigned authorizations.
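The check sequence from the Key Concept, together with the roles of SU56 (user buffer) and SU53 (failed check), as a simplified Python model. This is an added example, not SAP code or code from the article; transaction ZHR01, object Z_HR_DEMO and field ZAREA are constructed names, and value matching is reduced to exact values and trailing `*` patterns.

```python
from dataclasses import dataclass, field
from typing import Optional

def value_matches(granted: str, required: str) -> bool:
    # Simplification: only exact values and trailing '*' patterns are modelled.
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

@dataclass
class User:
    name: str
    # Model of the user buffer (the list SU56 displays): (object, {field: [values]})
    buffer: list = field(default_factory=list)
    last_failed: Optional[dict] = None  # model of what SU53 displays

    def check(self, obj: str, required: dict) -> bool:
        for auth_obj, fields in self.buffer:
            # Every required field must match inside ONE authorization;
            # values from two authorizations of the same object never combine.
            if auth_obj == obj and all(
                any(value_matches(g, want) for g in fields.get(fld, []))
                for fld, want in required.items()
            ):
                return True
        self.last_failed = {"object": obj, "required": required}
        return False

# Constructed: object assigned to a transaction code (hypothetical Z names).
TCODE_OBJECTS = {"ZHR01": ("Z_HR_DEMO", {"ACTVT": "03", "ZAREA": "HR"})}

def start_transaction(user: User, tcode: str) -> bool:
    user.last_failed = None
    # Step 1: S_TCODE, field TCD, must cover the transaction code.
    if not user.check("S_TCODE", {"TCD": tcode}):
        return False
    # Step 2: if an object is assigned to the transaction, check it too.
    assigned = TCODE_OBJECTS.get(tcode)
    return user.check(*assigned) if assigned else True

def sample_users() -> dict:
    tcd = ("S_TCODE", {"TCD": ["ZHR*"]})
    return {
        "no_tcode": User("A", [("Z_HR_DEMO", {"ACTVT": ["*"], "ZAREA": ["*"]})]),
        "split": User("B", [tcd, ("Z_HR_DEMO", {"ACTVT": ["03"], "ZAREA": ["FI"]}),
                            ("Z_HR_DEMO", {"ACTVT": ["02"], "ZAREA": ["HR"]})]),
        "ok": User("C", [tcd, ("Z_HR_DEMO", {"ACTVT": ["03"], "ZAREA": ["H*"]})]),
    }
```

The `split` user is the case that is easy to misread: both required values appear somewhere in the buffer, but not within a single authorization, so the check fails and is recorded as the failed check.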

I’ll explain how to use and interpret results from transaction SU53 to find what is causing a user’s authorization problem. Then I’ll step through an example of an SU53 output so you can gain an understanding of when you should use it, when it’s not helpful, and how to avoid misinterpreting the results. Evaluate a few shortcomings of transaction SU53 in the sidebar, “4 Limitations to Keep in Mind.”

Tero Tukiainen

Tero Tukiainen is the managing partner of SAPORT Consulting Inc, which he founded in 2009. He is an SAP HR-certified consultant who has specialized in SAP security and authorizations since 2000. Tero has spoken at SAP HR conferences in both Europe and the US since 2005.
