SAP ABAP Message Class SOAUTH2 Message Number 042 (No authorization for some OAuth 2.0 tokens (analyze with ST01).)
Hierarchy
SAP_BASIS (Software Component) SAP Basis Component
   BC-SEC (Application Component) Security
     SOAUTH2 (Package) OAuth2
Attribute
Message class SOAUTH2  
Short Description OAuth2 Messages    
Message Number 042  
Documentation status       Space: object requires documentation
Authorization check Error Message      
Changed On 20140121   
Message Text
No authorization for some OAuth 2.0 tokens (analyze with ST01).
Help Document

Diagnosis

The system performs authorization checks when starting the token revocation and before display and deletion of OAuth 2.0 Token Contexts.

When starting the token revocation in administrator mode (transaction: SOAUTH2_REVOKE_ADM), the system checks if the user has the authorization S_OA2_OBJ with the object REVOCATION. (If the user does not have this authorization, the system will change to the standard behaviour of transaction SOAUTH2_REVOCATION, i.e. the user will only see their own tokens.)

Before display of a token context, the system checks if the logged-on user has the authorization to display the user class and the OAuth 2.0 client assigned to this token context. In detail, the following authorization objects will be checked:

  • S_USR_GRP (with the class of the assigned user and activity 03) for the user group
  • S_OA2_CL (with the assigned OAuth 2.0 client and activity 03) for the OAuth client

Before deletion of a token context, the system checks if the logged-on user has the authorization to change the OAuth 2.0 client and to unassign the user class assigned to this token context. In detail, the following authorization objects will be checked:

  • S_USR_GRP (with the class of the assigned user and activity 22) for the user group
  • S_OA2_CL (with the assigned OAuth 2.0 client and activity 02) for the OAuth client

System Response

If the authorization check for at least one token context failed, the system will raise this message.

If the authorization check for either client or user group display failed, the particular token context won't be displayed.

If the authorization check for either client or user group change failed, the particular token context won't be revoked.
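
The checks and filtering described above can be modelled offline to predict which token contexts an administrator's role will show or revoke. The following Python sketch is an added example, not SAP code: the tuple layout for authorizations, the `fnmatch`-style wildcard handling, and all client and user group names are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Activities required per operation, as listed in the Diagnosis section.
REQUIRED = {
    "display": {"S_USR_GRP": "03", "S_OA2_CL": "03"},
    "revoke": {"S_USR_GRP": "22", "S_OA2_CL": "02"},
}

def has_auth(auths, obj, value, activity):
    """True if any authorization covers (obj, value, activity); '*' is a wildcard."""
    return any(
        a_obj == obj and fnmatchcase(value, a_val) and fnmatchcase(activity, a_act)
        for a_obj, a_val, a_act in auths
    )

def failed_checks(auths, context, operation):
    """Return the authorization objects whose check fails for one token context."""
    values = {"S_USR_GRP": context["user_group"], "S_OA2_CL": context["client"]}
    return [
        obj for obj, act in REQUIRED[operation].items()
        if not has_auth(auths, obj, values[obj], act)
    ]

def evaluate(auths, contexts, operation):
    """Split contexts into processed and filtered; flag whether message 042 applies."""
    processed, filtered = [], {}
    for ctx in contexts:
        missing = failed_checks(auths, ctx, operation)
        if missing:
            filtered[ctx["id"]] = missing  # context is hidden / not revoked
        else:
            processed.append(ctx["id"])
    return {"processed": processed, "filtered": filtered, "message_042": bool(filtered)}

# Constructed sample data (assumption): (object, value, activity) tuples of one admin role.
AUTHS = [
    ("S_USR_GRP", "SALES", "03"),
    ("S_USR_GRP", "SALES", "22"),
    ("S_OA2_CL", "*", "03"),
    ("S_OA2_CL", "CLIENT_A", "02"),
]
# Constructed token contexts (assumption): OAuth 2.0 client and user group of the token's user.
CONTEXTS = [
    {"id": 1, "client": "CLIENT_A", "user_group": "SALES"},
    {"id": 2, "client": "CLIENT_B", "user_group": "SALES"},
    {"id": 3, "client": "CLIENT_A", "user_group": "HR"},
]

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, evaluate(AUTHS, CONTEXTS, op))
```

The `filtered` map names the authorization object that failed for each context, which is the same information the authorization trace provides after the fact.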

Procedure

Turn on the authorization trace in transaction ST01 and repeat your action. The trace then shows in detail which authorization checks failed, i.e. which token contexts were filtered from display or were not revoked.

Procedure for System Administration

History
Last changed on/by 20140121  SAP 
SAP Release Created in   732