How to obtain athorizations for LSMW

Jimbo's picture

LSMW access isn't given out very often and few SAP security professionals know what is required for access to LSMW. An easy way to expedite a request for access to LSMW is to include the specific authorization objects required to successfully utilize LSMW.

Requirements tend to be the same from system to system with minor differences depending on client expectations. The ability to create and edit LSMW objects requires different authorizations than does simply viewing or executing LSMW objects. When run in the three traditional systems it is common to have change/create access in a development system, but not in the Quality or Production systems.

When an account has been created without any access to LSMW the system will display this error. This implies that no authority to execute the transaction has been granted.

A quick jump into SU53 will show the last authorization check failure and list the actual Authorization Object. This is what the security professionals need in order to grant authority; they haven't memorized every object in SAP and this will give them a head start in granting the authorization. From the image below it is easy to see that the authorization object required to access the LSMW transaction is B_LSMW.

When an account has been granted access to LSMW, but in LSMW has no authorization to change or create LSMW objects the system will display an error message like this one. Junior security specialists often grant B_LSMW thinking that the authorization is sufficient because LSMW is right in the name.

SU53 again displays the actual authorization requirement. In this case it is B_LSMW_PRO.

The easiest way to expedite the granting of authorization for LSMW is to forward a link to this webpage to the security team along with a request for LSMW specifying the system that it is required in and the authorization level required. When they are done the screen should look something like this.