SU53 – Display Auth Data

Troubleshooting security issues is one of the daily tasks of any security administrator. The first method of investigating authorization failures is the ubiquitous SU53 transaction. It involves us asking the affected user to run the step(s) to replicate the issue and immediately on getting the error, execute /nsu53 through the command window. The screen-shots below show the sequence of actions.

The user tries to create another user through SU01 and gets an authorization error

SU01- Create User
SU01- Create User

The user gets a pop with the message that he doesn’t have authorization to create user.

SU01 - Authorization Error
SU01 - Authorization Error

Many times clicking the help button can provide important information about the background of the error.

SU01 Help Info
SU01 Help Info

To get the SU53 screen, we execute /nsu53 from the command window immediately after getting the error. The SU53 window shows the last check for an authorization which has returned a non zero value (authorization failure) for the user.

SU53
SU53

The biggest limitation of SU53 is the fact that it only shows the last authorization failure of an user. In a typical transaction, there can be an entire sequence of authorization checks, any of which might fail. To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).

42 thoughts on “SU53 – Display Auth Data

  • November 18, 2010 at 12:56 am
    Permalink

    Hey there this is a fantastic post. I’m going to e-mail this to my pals. I came on this while exploring on aol I’ll be sure to come back. thanks for sharing.

    Reply
    • November 18, 2010 at 2:52 am
      Permalink

      Ron and Leanne,

      Thanks so much for your comments. I just started the site a month back so I am still in update mode!

      Regards,
      Aninda

      Reply
  • January 20, 2011 at 5:08 am
    Permalink

    Mind if I ased where are you based ?
    You are doing a great job I have been expoloring this site for over
    2 hours now.
    Need to keep in touch with you.
    Cheers

    Reply
    • January 23, 2011 at 2:56 pm
      Permalink

      HI BlackPro,

      Glad that you like the site. I am based in India. In case you have a general security question which might benefit others as well, feel free to ask. I will surely try to include it in a future post.

      However, for very specific issues I have found the SAP sdn security forum to be more effective than a personal site like this as a huge number of security experts access it daily.

      Best Regards,
      Aninda

      Reply
  • April 12, 2011 at 11:37 pm
    Permalink

    Hi there,

    I started learning BASIS and I am concentrating on security. I am really glad that I visited this site today. Lot of information in simple terms with screenshots is a great idea and job well done. I decided to keep visiting this site to learn more and more.

    Thanks for creating this site. Good luck.

    -Vasu

    Reply
    • April 13, 2011 at 2:47 am
      Permalink

      Thanks!!! Hope you like security. There’s lots to learn and do in this area. Regards….Aninda

      Reply
  • June 29, 2011 at 3:53 pm
    Permalink

    Hi Aninda ,

    How are you ? Good Site . Great Job ..

    Reply
    • June 29, 2011 at 6:08 pm
      Permalink

      Hi Jerry,

      Great hearing from you man! I am doing ok but a little bit too busy with work. Haven’t had a chance to update the blog for quite some time now. How did you find the site?How are you and everyone? Since this is a public forum, won’t ask too much:-)

      Regards,
      Aninda

      Reply
  • July 18, 2011 at 8:02 am
    Permalink

    Hi Aninda,

    Could you please tell me how to clear the SU53 i.e if the user is facing an error and provided su53,how can we know which error the user is facing and how can we clear it?could you please explain me with an example

    Thanks in advance.

    Reply
    • July 23, 2011 at 5:49 pm
      Permalink

      Hi Pujitha,

      The SU53 transaction by design only shows the last authorization check failure for a user. If you suspect that there might be mutiple authorization failures for a single transaction, please use the security trace (tcode ST01) for the user under test. It will give you a list of authority checks faced by the user and can be used to troubleshoot complicated security scenarios.

      Regards,
      Aninda

      Reply
  • August 26, 2011 at 9:09 am
    Permalink

    Hai,

    This is one of the best site have seen for SAP Basis Security Concepts..All the Info Is Available in Simple Terms and Very Easy in Reading and Understanding the Concepts in SAP Basis Security..I Totally Liked it..Plz Do update More….Awesome and Excellent Stuff..

    Kumar

    Reply
  • September 6, 2011 at 11:49 am
    Permalink

    Hi Aninda,

    Thnx a lot 4 creating a web lyk dis.Dis web is one of the best web for beginner ly me…

    I had gone through every article u had posted..

    Again thnx a lot 4 d help.

    Can u post any document related to GRC,BI & BW..

    Tnx in advance.

    Reply
    • September 7, 2011 at 7:55 am
      Permalink

      Most of the docs I have are SAP copyrighted ones so it would not be right for me to post these on a public forum. I have found the installation guides for GRC that you download from SAP marketplace to be very informative.

      Reply
  • October 13, 2011 at 9:29 am
    Permalink

    Hi,

    I have a problem in SU53 screen shot checking ,means after getting su53 screen shot from customer what we need to check in that and what we need to find the solution on that screen shot .
    For Example I am upload one screen shot
    Evaluation of Last Failed Authorization Check of User LSUWESTJ

    Description Authorization values
    ————————————————————————————————————————-
    User Name LSUWESTJ Authorization Object V_KNA1_VKO
    System ECP Client 500
    Date 23.09.2011 Time 10:31:07
    Instnce pfecpa3 Profile Parameter auth/new buffering 4
    ———————————————————————————————–
    Authorization check failed
    Object Class SD Sales and Distribution
    Authorization Obj. V_KNA1_VKO Customer: Authorization for Sales Organizations
    Authorization Field ACTVT Activity
    01
    Authorization Field SPART Division
    81
    Authorization Field VKORG Sales Organization
    8000
    Authorization Field VTWEG Distribution Channel
    81
    User’s Authorization Data LSUWESTJ
    Object Class SD Sales and Distribution
    Authorization Object V_KNA1_VKO Customer: Authorization for Sales Organizations
    Authorizat. T-ED49123900 Customer: Authorization for Sales Organizations
    Profl. T-ED491239 Profile for role TV_GLB_ECC_CD_0002_ORGL
    Role TV_GLB_ECC_CD_0002_ORGL PF:Customer/Vendor Master Maintenance (Central)
    Authorization Field ACTVT Activity
    01, 02, 03, 05, 06, 08
    Authorization Field SPART Division
    01, 41
    Authorization Field VKORG Sales Organization
    1000, 3000, 4001
    Authorization Field VTWEG Distribution Channel
    01, 41

    Regards,
    Sushant

    Reply
    • October 17, 2011 at 9:48 am
      Permalink

      In the first portion SU53 screenshot above, SAP system is checking for V_KNA1_VKO object with the values given. The next portion of su53 (below User’s Authorization Data LSUWESTJ) mentions the authorizations for the same object which is present with the user. The check fails as the exact values checked by the system are not present in the user master.

      Reply
  • November 3, 2011 at 9:47 am
    Permalink

    Awesome work mate. Kudos for you.
    Waiting for your newer posts and updates.
    You simply rock in SAP Security.
    🙂

    Reply
  • April 9, 2012 at 4:23 pm
    Permalink

    HI ANINDA
    GOOD WORK.
    IS IT POSSIABLE SEE THE END USER SU53 SCREEN IN SAP SECURITY CONSULTANT SYSTEM. END USER AND SECURITY CONSULTANT HAVING SAME SEVER.. POSSIABLE? HOW? SHOW ME SCREENS ??????????

    Reply
    • April 22, 2012 at 5:37 am
      Permalink

      Hi Bathi,

      There is button in the tool bar of Su53 transaction which allows you to switch users. Use it.

      Aninda

      Reply
  • April 30, 2012 at 5:39 pm
    Permalink

    Hi aninda
    how can we judge or confirm the screen shot(su53) send by end user is his last authorization failure.
    Date and time is the only way or is der another option
    Regards
    Syed

    Reply
    • May 5, 2012 at 4:40 pm
      Permalink

      Hi Syed,

      The Su53 screenshot is designed by SAP to return the last authorization failure for a user. However, basing your analysis on Su53 can be misleading in a large number of cases. A ST01 trace is a much better bet in such cases.

      Regards,
      Aninda

      Reply
  • June 19, 2012 at 10:15 am
    Permalink

    Really Nice.I am new to SAP security and learning lot from this blog .
    Thankyou

    Reply
  • June 21, 2012 at 4:19 am
    Permalink

    Hi Aninda,

    Your website is really great. Excellent work.
    Keep posting.

    Thank You.

    Reply
  • July 17, 2012 at 9:56 am
    Permalink

    hi aninda,
    can u update the system aduit logs and reports .. i mean (sm19 & sm20)srcreen shoot.
    thank u very much 4r dis site.

    thank u

    Reply
    • July 17, 2012 at 4:09 pm
      Permalink

      Hi Bathi,

      I will remember your request but I don’t think I can create anything on this in the next few months.

      Aninda

      Reply
  • November 1, 2012 at 6:37 am
    Permalink

    i include se11 in development role assign to one user which should have ACTIVIT 01,02 (create and change).but running su53 for that screen error showing that ACTIVIT 03 display should include in S_develope obj. how can i restrict 03 display for that development role ?
    where i need to change default value in s_develop.

    I need help please…………..

    Reply
    • November 25, 2012 at 11:48 pm
      Permalink

      SU53 is often misleading. Try a trace ST01. Also giving change/create in S_DEVELOP without display doesn’t make much sense.

      Reply
  • November 27, 2012 at 8:09 am
    Permalink

    THANKS lot ANINDA…..

    Reply
  • September 22, 2013 at 2:56 am
    Permalink

    Hi Aninda,
    Could you plz tell me how to analyse a SU53 Screenshot?For example user tells that he has no Authorization to create users and he sent you the above screenshot,then what will you do?

    Reply
  • November 20, 2013 at 8:49 pm
    Permalink

    Hi Aninda,

    I have an issue with SU53 not recording the last authorization failure. I created a user with no authorizations, logged in with that user, executed a transaction and it says the user has no authorization to use that transaction. Then I logged in as a user that has authorization to execute SU53, switched users to the user that doesn’t have any authorizations and it didn’t show any authorization failures. Any idea what the problem may be? I’ve never seen SU53 not work.

    Reply
    • November 22, 2013 at 6:32 pm
      Permalink

      So SU53 doesn’t work at all in the system? In such a case you can investigate the profile parameters which control SU53. If its just for the one case you mentioned then I am not sure about the problem. But would you ever actually face this problem in a real scenario?

      Reply
  • February 11, 2014 at 5:20 pm
    Permalink

    can u please post any practical scenario to handle a sap missing authorization ticket step by step process as same as in real tym… basically im not an xpert in security..i tried ..finally i found u..expecting a post from u.. its a request from ur regular viewer..

    thanks in advance

    Reply
    • April 10, 2014 at 12:01 pm
      Permalink

      I thought the posts were pretty detailed. But I don’t have anything more on SU53 or trace than what’s already there on the site.

      Reply
  • May 13, 2014 at 10:41 am
    Permalink

    Hi Aninda,

    Great Blog!

    I have a request,can you also please post some tricky SAP Security interview questions?

    Thank You!

    Reply
    • June 5, 2014 at 9:17 am
      Permalink

      My suggestions would be to learn the subject instead of preparing answers to questions.

      Reply
  • September 29, 2014 at 3:19 am
    Permalink

    Hi Aninda,

    Do you have any idea SU53 data stores in any table for temporally or permanently.
    or it will not have any table. i was wondering.

    Rayudu

    Reply
    • October 29, 2014 at 4:36 pm
      Permalink

      I am sure that there would be some table which stores the data, but I have no idea which one

      Reply
  • January 29, 2015 at 1:53 am
    Permalink

    Hi Aninda,

    In my view , su53 data are not stored in any table , instead its there in memory only.
    Let me know if you come across the table which stores su53 failed attempts .

    Reply
  • June 21, 2021 at 2:30 am
    Permalink

    Useful topic and answers.
    thank YOU

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *