Get started Bring yourself up to speed with our introductory content.

8. What happens when a user is denied authorization in SAP?

Learn the response to the eighth question in's exclusive security quiz. Read the answer and more detailed information.

8. When a user is denied authorization when trying to access SAP information, what transaction will provide the name of the authorization object that caused denial to the transaction?

a) Transaction suim. Reports run from this transaction and it displays the objects along with the transaction under the user's dropdown.
b) Transaction su53. Run transaction su53 as the unauthorized user immediately after the authorization failure is displayed.
c) Transaction se38. Run report rsdispusrauth to show the authorizations needed for each transaction. Then add those to the user ID's role.
d) Transaction pfgg. If you're using CUA, you must log in to the system where the failure occurred and check transaction pfcg against the user ID for the authorization object shown in the associated short dump.


This scenario is probably one of the most common security issues that are encountered for new installations and also for new roles or users. This is the key to finding the technical name for the authorization object that is causing the failure. Once you have the object name, you can use the profile generator as transaction pfcg and make changes to your role or create a new role. Proper security planning is important in all instances because making these changes will also allow all other users with the role to gain access to the newly changed authorization.

Return to the answer page
Return to the quiz

Dig Deeper on SAP security