David: "Sarah shared that sometimes the business users are unable to utilize an application against specific business data."
David: "It may be that they don't have the correct business roles, or the authorization restrictions are not configured within the assigned business roles."
David: "I can use the Display Authorization Trace app to enable an authorization trace for a business user. This helps me to analyze if any authorizations are missing or are insufficient."
You can use authorization traces to monitor and record user activities executed on SAP S/4HANA Cloud, public edition.
The authorization trace represents a critical tool for maintaining the overall security and integrity of the system and ensuring that each user has the appropriate authorization to access the system and perform tasks required for their position or job. The trace will display authorization check results, stating if the assigned restrictions are adequate or not for the business user to run the application.
Typically, a trace records each authorization-related activity that the user executes and records the results. You can use the authorization trace for a variety of purposes, such as:
- Troubleshooting user access issues
- Documenting adherence to corporate policies or compliance regulations
- Performing forensic analysis to determine how unauthorized access may have occurred
Create an Authorization Trace for a Business User
You can create an authorization trace for a business user by using the following procedure:
- Click Activate Trace in the top right corner of the Display Authorization Trace screen. A pop-up listing all available business users appears.
- Select the business user for whom you would like to create an authorization trace and the apps for which the trace shall be executed if the user is lacking authorization.
- Once the user is selected, click the Activate button to enable the trace. You can check if the trace was activated by looking at the Trace Information in the top left corner of the screen.
Once the authorization trace is active, the business users will have to execute the apps that they do not have authorization for. They need to log on and navigate to the apps in question.
If any authorization checks are executed, you can analyze them by looking at the log table in the authorization trace.
- Once the user has executed each app and has performed all the relevant tasks you are trying to trace, you can deactivate the trace and prepare to review the trace log file.
Deactivate the trace using the Deactivate Trace button in the top-right corner of the screen.
- With the authorization trace now completed, you can begin to analyze the trace data contained in the log file for any missing authorizations.
The selection criteria help to retrieve specific trace results. Therefore when you define these selection criteria, especially the date range, consider that you can have a maximum of 10,000 data sets retrieved.
An authorization check can have one of the following statuses reported back: successful, failed, or filtered.
If an authorization check resulted in a Filtered status, you should check which business roles are exposed to the affected restriction type. It may be, for example, that the business user that has been checked is not assigned to the required business role or that the required value has not been maintained yet.
You need to analyze the authorization traces as soon as possible after they're produced, because they are automatically deleted after a certain time.
Use the Authorization Trace
In the exercise below you will enable an authorization trace for a business user.
You now know how to use an authorization trace and how to use the Display Authorization Trace app.