analysis of authorization related to rssm trace...authorization checks by su24 and st01 trace if we...

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2010 SAP AG 1

Analysis of Authorization related

to RSSM Trace

Applies to:

SAP BW 3.5 RSSM Trace Analysis and Authorization.

Summary

In BW 3.5 we come across various authorization problems. For finding out a problem related to any report that is executed in BeX we need the help of RSSM Trace in BW. But running RSSM trace also requires certain authorizations without which it will not produce result. It will neither show any error nor will it show any error report or allow executing. This document provides the details of running RSSM trace along with the relevant authorization object attached to the same.

Author: Aveek Basu

Company: IBM India Pvt Ltd

Created on: 10 September 2010

Author Bio

I am Aveek Basu, working in IBM SAP Security. I am SAP Security Netweaver 2004 Certified consultant with 5 years experience in SAP Security.

Analysis of Authorization related to RSSM Trace


© 2010 SAP AG 2

Table of Contents

Introduction ......................................................................................................................................................... 3

Executing a BW report ........................................................................................................................................ 3

Running RSSM Trace ......................................................................................................................................... 5

Authorization checks by SU24 and ST01 Trace ................................................................................................. 8

RSSM Trace after having all necessary authorizations ...................................................................................... 9

Conclusion ........................................................................................................................................................ 11

Related Content ................................................................................................................................................ 12

Disclaimer and Liability Notice .......................................................................................................................... 13



© 2010 SAP AG 3

Introduction

In BW 3.5 we come across various authorization problems. The problems can be identified using various ways. For any error related to running a transaction a su53 dump may help. Like if a user tries to run su01 but has no access to run the same. Similarly we can take the help of Trace analysis in solving some issues. But for finding out a problem related to any report that is executed in BeX a trace in ST01 or su53 wont be helping us. In this regard we need the help of RSSM Trace in BW. But running RSSM trace also requires certain authorizations without which it will not produce result. It will neither show any error nor will it show any error report or allow executing. This document provides the details of running RSSM trace along with the relevant authorization object attached to the same.

Executing a BW report

The user is running a report CXXXX. In the user menu the test user is trying to find out the CXXXX report for execution.

The report CXXXX has been found and selected for execution of the same.



© 2010 SAP AG 4

If we double click on the report CXXX a new window opens up for reporting in the BeX. It prompts for user authentication. Here we need to provide the User Id and the password for the same.

After providing the test user id and password it will login into the second screen where we need to provide the various reporting details in the mandatory fields. This is shown below.

Now we need to click on the execute button to generate the BW report. Here at times it is found that the user has relevant authorization in running the report but at certain times user fails to run the same. Here the RSSM trace is required to find out the authorization problem the user is having. Below we are showing certain steps to run the RSSM trace.



© 2010 SAP AG 5

Running RSSM Trace

When we execute RSSM transaction the below screen appears. Here we give the test user id against which we need to execute the RSSM trace.

After clicking on Authorization Check Log we get the below screen. Here we need to enter the name of the user id against which we will run the RSSM trace.



© 2010 SAP AG 6

Now there are 2 Display options in this screen. If we click on the Old Version the below screen appears.

Old Version



© 2010 SAP AG 7

Here we do not see any log that is generated. We then click on the Display button beside as shown below.

If the user does not have authorization then it will neither show any error nor will it get into another screen. Since it doesn’t show any error so a user who is not having requisite authorization will fail to understand the authorization problem.



© 2010 SAP AG 8

Authorization checks by SU24 and ST01 Trace

If we check the su24 against transaction RSSM transaction then we will find the following.

User may have the necessary access to the authorization object but still the RSSM log will not be generated. If we ran su53 dump then we get the below screen.

A trace taken against the user id running the RSSM gives the following output.

It gives RC=4 against S_SPO_ACT authorization object though in su24 this authorization object is not CM for RSSM.

If the user is having proper authorization to run RSSM then no su53 dump will be generated.

The su53 will show all authorization checks successful.

Similarly the trace report will show the below result.



© 2010 SAP AG 9

RSSM Trace after having all necessary authorizations

A successful RSSM Trace will give the below output screens.



© 2010 SAP AG 11

Conclusion

In BW 3.5 we come across various authorization problems while executing reports. To detect the authorization error we need to generate the RSSM trace for the same. Running of RSSM trace requires authorization for s_spo_act authorization object other wise it will neither show in error nor open up a new screen. A trace and su53 taken after running RSSM gave the hint of the authorization problem. This document will help a security practitioner to give proper access in running RSSM transaction and generate error report.



© 2010 SAP AG 12

Related Content

http://www.sdn.sap.com/irj/scn/advancedsearch?query=SAP+BW

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/oss_notes_boj/sdn_oss_boj_erq/sap

http://wiki.sdn.sap.com/wiki/display/BI/Transaction

http://www.sdn.sap.com/irj/scn/advancedsearch?query=SAP+BWhttp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/oss_notes_boj/sdn_oss_boj_erq/saphttp://wiki.sdn.sap.com/wiki/display/BI/Transaction



© 2010 SAP AG 13

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

analysis of authorization related to rssm trace...authorization checks by su24 and st01 trace if we...

Documents