Analyzing CDS View Results in the Authorization Trace

Objective

After completing this lesson, you will be able to analyze CDS View Authorization Trace Results.

Authorization Trace for OData Services

The system trace for authorization checks shows the check of the start authorizations for the OData services. They are indicated by the S_SERVICE authorization object. Column Application Name shows the original application name of the OData service and columnValue 1 shows the hash code-based key entry.

Screenshot on authorization trace for OData Services.

To analyze missing start authorizations for OData services you can also use the system trace for authorization checks. If an entry for an OData service is missing in the role menu, the role maintenance cannot propose a start authorization for this service. 

In the example above the start authorization of the OData Service FIN_USER_DEFAULTPARAMETER_SRV is not checked during the execution of the application.

CDS View Results in Authorization Trace

You evaluate the user trace with transaction STUSERTRACE. The system also displays trace entries that were written due to the CDS access control of a CDS entity.

Illustration showing CDS View Results in Authorization Trace.

If access was made via access control of a CDS entity, the CDS Entity column contains the name of the view that was access.

When you click the name of the CDS entity, the fields used during the access control are displayed:

Filter

         Fields of the authorization object for which a user must have authorization (such as activity "03" for display authorization).

Requested Fields

         The user's authorizations are read for these fields of the authorization object and are used to select the business data. These fields are highlighted in blue in the output list.

The underlying DCL role is linked to authorization trace via the CDS Access Control button.

Screenshots showing the example of CDS View Results in Authorization Trace.

Note

For further information see following SAP Notes:

  • 2437978 - STAUTHTRACE: Access control for a CDS entity

  • 2242714 - STAUTHTRACE: Display of access filtering

  • 2437980 - STUSERTRACE: Access control for a CDS entity

Practice System Exercise: Use the System Trace for Authorization Checks

Select Start Exercise to start the simulation.

Part 1

ExerciseStart Exercise

Part 2

ExerciseStart Exercise

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

After creating roles some authorizations for the OData services may be missing. You need to find the missing authorizations. Therefore you can evaluate the System Trace for Authorization Checks.

As a prerequisite the instructor has to start the System Trace for Authorization Checks transaction STAUTHTRACE on the front-end server (FES) for all adm945 users. This is done in the first task. The participants will complete the exercise in the second task.

Task 1: Enable the System Trace for Authorization Checks on the SAP S/4HANA system. (Done by your instructor)

Steps

  1. Log on to the SAP GUI of the system S4D.

    FieldValue
    Usertrain-##
    Password

    Custom password

    1. Choose SAP Logon.

    2. Select 10 DevelopmentS4D SAP GUI non-SNC [PAS].

    3. Choose Log On.

  2. Enable the System Trace for Authorization Checks (System-Wide).

    1. Start the System Trace for Authorization Checks, using transaction STAUTHTRACE.

    2. In the Trace Options screen area, in the Trace for User Only field, enter adm945*.

    3. Choose System-Wide Trace.

    4. Choose Select All in the server list.

    5. Choose Activate Trace (F6).

Task 2: Evaluate the System Trace for Authorization Checks on the on the SAP S/4HANA system

Steps

  1. In Mozilla Firefox, start the SAP Fiori Launchpad.

    1. In the Microsoft Windows start menu, choose Mozilla Firefox.

    2. In Mozilla Firefox, go to Favorites.

    3. In Favorites, choose 10 Developments4dhost10 S4D Fiori Launchpad.

    4. Enter the following data:

      FieldValue
      Useradm945-##
      Password

      Your password.

    5. Choose Log on.

  2. Start the Manage Banks - Cash Management app.

    1. In the SAP Fiori Launchpad, select the Financial Accounting Space ## and choose the Bank Management Page ##.

    2. Select the Manage Banks - Cash Management app.

    3. Choose Go.

  3. Go back to the SAP GUI as administrator and evaluate the System Trace for Authorization Checks (System-Wide) to find out what has been checked and what authorizations might miss.

    1. Start the System Trace for Authorization Checks transaction STAUTHTRACE.

    2. In the Restrictions for the Evaluation screen area, in the User field, enter adm945-##.

    3. Choose System-Wide Trace.

    4. Choose Select All in the server list.

    5. Choose Evaluate Trace (F8).

      Result

      The trace indicates that during execution of the application UI_CASHBANK_MANAGE authorization for the CDS entity C_CASHBANKTP is checked according to the authorization object F_BNKA_MAO.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn