How To Fix CHK_SU22017 - Default for obsolete authorization object &1

The SAP error message CHK_SU22017 indicates that there is a default for an obsolete authorization object in the system. This typically occurs when an authorization object that was previously used in the system has been marked as obsolete, but there are still references to it in the authorization profiles or roles.
Cause:

Obsolete Authorization Object: The authorization object referenced in the error message is no longer valid or has been replaced by a new object.
Role/Authorization Profile Issues: The roles or profiles assigned to users may still contain references to the obsolete authorization object.
System Upgrade or Changes: This error can occur after a system upgrade or changes in the authorization concept where certain objects have been deprecated.

Solution:


Identify the Obsolete Object: Check the specific authorization object mentioned in the error message (represented by &1). You can do this by looking at the system logs or using transaction codes like SU53 (to analyze authorization failures) or SUIM (to check user information).


Update Roles/Profiles:

Go to transaction PFCG (Role Maintenance).
Find the role that contains the obsolete authorization object.
Remove or replace the obsolete authorization object with the appropriate current object.
Generate the profile again after making changes.



Check for Dependencies: Ensure that there are no other roles or profiles that might still be referencing the obsolete object. You may need to perform a system-wide search for the object.


Testing: After making the changes, test the affected roles to ensure that users can perform their tasks without encountering the error.


Documentation: Document the changes made for future reference and to maintain a clear audit trail.


Related Information:

Authorization Objects: These are used in SAP to control access to various transactions and data. Each object has fields that define the specific authorizations required.
Transaction Codes:

SU53: Displays the last authorization check and can help identify what authorization is missing.
SUIM: User Information System, useful for reporting on roles, profiles, and authorizations.
PFCG: Role Maintenance, where you can manage roles and their associated authorizations.


SAP Notes: Check SAP Notes for any specific guidance or patches related to the obsolete authorization object.

If the issue persists after following these steps, consider reaching out to your SAP Basis or Security team for further assistance, as they may have additional tools or insights into the specific configuration of your SAP environment.