I’ll provide a comprehensive solution addressing the patch authorization changes, SU53 trace findings, and role update issues you’ve encountered.
Root Cause Analysis:
The OSS Note 3245678 introduced authorization field-level checks that aren’t properly reflected in your transported roles. The intermittent failures indicate authorization buffer synchronization issues post-transport.
Step 1 - Authorization Object Correction:
The patch added field-level authorization requirements to S_ASSET_TRF. Run transaction SU24 and check the authorization default values for the transaction code used by your Fiori app. You’ll likely find that ACTVT field now requires values ‘01’ (Create), ‘02’ (Change), AND ‘23’ (Maintain) for complete transfer operations, not just ‘02’ as shown in your trace.
Update your roles in PFCG:
S_ASSET_TRF:
    ACTVT: 01,02,23
    ASSET_TYPE: * (or specific types)
    WERKS: * (or specific plants)
Step 2 - Gateway Service Authorization:
The Fiori app requires proper gateway authorization mapping. Execute these steps:
- Transaction /IWFND/MAINT_SERVICE - select your asset transfer service
- Click ‘Add System Alias’ if the backend system isn’t properly registered
- Under ‘Authorization’ tab, ensure these objects are maintained:
    - S_SERVICE with full authorization for your service name
    - S_ICF for the ICF node /sap/opu/odata/sap/ASSET_TRANSFER_SRV
Step 3 - Address SU53 Trace Findings:
For the S_TABU_DIS requirement you discovered:
- Don’t grant direct table authorization to business users
- Instead, ensure the backend service account (technical user) has S_TABU_DIS for ANLA
- The Fiori app should use this service account for backend calls, not the end user’s credentials
- Check /IWFND/ERROR_LOG to verify the correct user context is being passed
Step 4 - Role Update Synchronization:
After making role changes, you must synchronize authorization buffers:
- Run transaction PFCG for each modified role
- Click ‘Change Authorization Data’ → ‘Generate’ (even if no changes shown)
- Save and transport
- In production, run program RHAUTUPD_NEW immediately after import:
    - SE38 → RHAUTUPD_NEW
    - Execute with parameters: User = * (all users), Date = current date
    - This rebuilds authorization buffers without waiting for the scheduled job
Step 5 - Verify User Assignments:
For users who still can’t transfer:
- SU01 → Select user → Display
- Check 'Roles' tab → Click 'Authorization Data'
- Verify 'To' date isn't expired
- Check 'Change Documents' tab for recent role assignment changes
If validity dates are correct but issues persist, remove and re-assign the role (forces buffer refresh).
Step 6 - Post-Patch Configuration:
Execute transaction SUIM → ‘Roles by Authorization Object’ → Enter S_ASSET_TRF
Verify all asset-related roles appear. If your custom roles are missing, the patch may have overwritten authorization defaults. Restore from your pre-patch backup of table AGR_1251.
Validation:
Have affected users log out completely (not just /nex), log back in, clear browser cache, then test transfer. The complete logout ensures authorization buffer refresh. Monitor transaction SM21 for any remaining authorization failures.
This solution addresses all three focus areas: properly implements patch authorization changes, resolves SU53 trace findings without compromising security, and ensures role updates propagate correctly across your user base.
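
The role check from Step 1 and Step 6 can also be run offline against an export of AGR_1251. The following is an added example, not part of the original post: it reports which roles holding S_ASSET_TRF lack any of the ACTVT values 01, 02 and 23. It assumes a CSV export whose columns are named after the table fields AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED, and that DELETED = X marks an inactive entry; the role names and rows are constructed.

```python
import csv
import io

REQUIRED_ACTVT = {"01", "02", "23"}  # values the post says S_ASSET_TRF needs

# Constructed sample export; column names assumed to match AGR_1251 fields.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_ASSET_CLERK,S_ASSET_TRF,ACTVT,02,,
Z_ASSET_CLERK,S_ASSET_TRF,WERKS,*,,
Z_ASSET_LEAD,S_ASSET_TRF,ACTVT,01,02,
Z_ASSET_LEAD,S_ASSET_TRF,ACTVT,23,,
Z_ASSET_ADMIN,S_ASSET_TRF,ACTVT,*,,
Z_ASSET_OLD,S_ASSET_TRF,ACTVT,01,23,X
Z_ASSET_OLD,S_ASSET_TRF,ACTVT,02,,
Z_DISPLAY,S_TCODE,TCD,AS03,,
"""

def covers(low, high, value):
    """True if one LOW/HIGH entry grants value (wildcard, single value or range)."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:
        return low <= value <= high  # two-digit activity codes sort as strings
    return low == value

def missing_activities(export_text, auth_object="S_ASSET_TRF",
                       field="ACTVT", required=REQUIRED_ACTVT):
    """Map each role that holds auth_object to the required values it lacks.

    Simplification: values are pooled per role, so restrictions on the other
    fields (ASSET_TYPE, WERKS) of the same authorization are not evaluated.
    """
    granted = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != auth_object:
            continue
        entries = granted.setdefault(row["AGR_NAME"], [])
        # Skip entries flagged as deleted/inactive (assumed meaning of DELETED).
        if row["FIELD"] == field and not row["DELETED"].strip():
            entries.append((row["LOW"], row["HIGH"]))
    return {role: sorted(v for v in required
                         if not any(covers(lo, hi, v) for lo, hi in entries))
            for role, entries in granted.items()}

if __name__ == "__main__":
    for role, gaps in missing_activities(SAMPLE_EXPORT).items():
        print(role, "OK" if not gaps else "missing ACTVT " + ",".join(gaps))
```

Roles reported with gaps are the ones to regenerate in PFCG; a role absent from the output does not contain the object at all.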