Using Traces to Maintain Role Menus and Authorizations

Objective

After completing this lesson, you will be able to utilize authorization trace data.

Overview

Based on a trace evaluation, it is easier to maintain the menu and the authorization data of a role, as well as authorization default values for applications.

You can use a system trace or an authorization trace to record authorization checks and their values. This function supports you when maintaining authorization default values (transactions SU22 and SU24) and when maintaining the menu and authorization data for roles (transaction PFCG).

Diagram showing the steps to use Trace Evaluation to maintain Menus and Authorizations.

Maintaining Role Menus Using Trace Evaluation

In the role maintenance screen (transaction PFCG), the trace evaluation can be used to maintain the role menu. To add applications (transactions, Web Dynpro applications, and so on) to the role menu, you collect these applications in the system trace (transaction ST01 or STAUTHTRACE). While it is running, the trace uses the start authorization checks to log which applications were called. The administrator can then copy these applications to the role menu.

Call transaction PFCG for a role and go to change mode. On the Menu tab, choose Copy Menus → Import from Trace. The upper-left half of the dialog box that the system displays contains the Information button. Choose this button to obtain all of the information about how to use the function.

Screenshots showing the four steps to maintain Role Menus using Trace Evaluation.

Hint

If the trace for your applications occurred on another application server, you must configure an RFC destination for the target system or application server to transfer the trace results to transaction PFCG.

Maintaining Authorization Fields Using Trace Evaluation

In Role Maintenance (transaction PFCG), trace evaluation can also be used to maintain the authorization fields. You can complete the authorization fields of a role with values that you collect in the authorization trace or the system trace. To do this, navigate to authorization data maintenance for a role. Expand the authorizations and choose the Trace symbol at the authorization level. The system then displays a dialog box similar to the one for menu maintenance, and you can again choose Information to obtain information about the usage.

Screenshot highlighting the Trace button to start trace evaluation.
Screenshots showing the remaining three steps after starting trace evaluation to complete maintaining authorization fields.

Maintaining Authorization Default Values Using Trace Evaluation

You can also complete the authorization default values with values that you collect in the authorization trace or the system trace. Call transaction SU24 and display the authorization data for an application. Choose the Trace function.

Screenshots showing the four steps to maintain authorization default values.

Practice System Exercise: Use Authorization Trace

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

During your daily work as an administrator, you use the system trace for authorization checks to evaluate successful and unsuccessful authorization checks and to maintain role menus and authorization values.

As a prerequisite, the instructor must start the System Trace for Authorization Checks, transaction STAUTHTRACE. This is done as the first task. The participants complete the exercise as the second task.

Task 1: Enable the System Trace for Authorization Checks. (Done by Your Instructor)

As a prerequisite, the instructor must start the System Trace for Authorization Checks (transaction STAUTHTRACE) for the GR* users.

Steps

  1. Start the system trace for authorization checks and activate the trace for GR* users.

    1. Start transaction STAUTHTRACE.

    2. Enter GR* in the Trace for user only field of the Trace Options screen area.

    3. Choose Activate Trace (F6).

Task 2: Use the System Trace for Authorization Checks to Analyze Unsuccessful Authorization Checks

Log on to the system as user GR##-MM1. Start transactions MM03 and MM19 and display the accounting view of material P605-100 in plant 1010 and 1030.

Steps

  1. Log on to the system as user GR##-MM1.

    1. Start SAP Logon.

    2. Select system T41 and choose Log On.

    3. Enter the user name GR##-MM1 in the User field.

    4. Enter the password given in exercise 6 in the Password field.

    5. Choose Continue (Enter).

  2. Start transactions MM03 and MM19 and display the accounting view of material P605-100 in plant 1010 and 1030.

    1. Start transaction MM03 from the User menu.

    2. In the Material field, enter the material ID P605-100.

    3. Choose Select view(s).

    4. Choose the Accounting 1 view.

    5. Choose Continue.

    6. In the Plant field, enter 1010.

    7. Choose Continue (Enter).

      The accounting view of material P605-100 for plant 1010 is shown.

    8. Choose Back (F3).

    9. In the Material field, enter the material ID P605-100.

    10. Choose Select view(s).

    11. Choose the Accounting 1 view.

    12. Choose Continue.

    13. In the Plant field, now enter 1030.

    14. Choose Continue (Enter).

      An error message appears: No authorization to display data for plant 1030.

    15. Choose Confirm (Enter).

    16. Choose Cancel (F12).

    17. Start transaction MM19 from the User menu.

    18. In the Material field, enter the material ID P605-100.

    19. Choose Select view(s).

    20. Choose the Accounting 1 view.

    21. Choose Continue.

    22. In the Plant field, enter 1010.

    23. Choose Continue (Enter).

      The material at key date P605-100 for plant 1010 is shown.

    24. Choose Confirm (Enter).

    25. Choose Cancel (F12).

  3. Log on to the system as user ADM940-## and evaluate the system trace for authorization checks.

    Which authorization objects are checked?

    Which field values are checked for authorization object M_MATE_WRK?

    _______________________________________________

    _______________________________________________

    Are the authorization checks of M_MATE_WRK successful?

    _______________________________________________

    1. Log on to the system as user ADM940-##.

    2. Start transaction STAUTHTRACE.

    3. In the Restrictions for the Evaluation screen area, in the User field, enter GR##-MM1.

    4. Choose Evaluate Trace (F8) to evaluate the trace.

      If no result is displayed, please adjust the time interval so that it fits your time zone.

    5. The authorization objects that are checked are shown in the Objects column.

    6. The field values that are checked are shown in the columns Field# and Value#.

      The following field values are checked for authorization object M_MATE_WRK:

      Field1: ACTVT, Value1: 03

      Field2: WERKS, Value1: 1010, 1030

      Result

      The authorization check of M_MATE_WRK (ACTVT = 03; WERKS = 1010) was successful.

      The authorization check of M_MATE_WRK (ACTVT = 03; WERKS = 1030) was not successful.

      An unsuccessful authorization check is shown in the columns Result and Result of Authorization Check.
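An offline cross-check of the evaluation in Task 2, added here as an example and not part of the original lesson or of any SAP tool: it groups the traced checks of one user into menu candidates and field values per authorization object, keeping failed checks separate so they can be reviewed before any value is transferred to a role. The semicolon-separated column layout, the sample rows (including user GR01-MM1 and the STATM value) and the function name summarize_trace are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the semicolon-separated column layout is an assumption
# for this example, not the documented STAUTHTRACE export format.
SAMPLE_TRACE = """\
USER;OBJECT;RC;FIELD1;VALUE1;FIELD2;VALUE2
GR01-MM1;S_TCODE;0;TCD;MM03;;
GR01-MM1;M_MATE_STA;0;ACTVT;03;STATM;B
GR01-MM1;M_MATE_WRK;0;ACTVT;03;WERKS;1010
GR01-MM1;M_MATE_WRK;4;ACTVT;03;WERKS;1030
GR01-MM1;S_TCODE;0;TCD;MM19;;
GR01-MM1;M_MATE_WRK;0;ACTVT;03;WERKS;1010
GR02-MM1;S_TCODE;0;TCD;MM01;;
"""


def summarize_trace(text, user):
    """Summarize one user's authorization checks from exported trace rows.

    Returns (menu, passed, failed): traced start transactions, and the
    field values per authorization object split by check result.
    """
    menu = []
    passed = defaultdict(lambda: defaultdict(set))
    failed = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        if row["USER"] != user:
            continue
        # Return code 0 means the check succeeded; non-zero is treated as failed.
        target = passed if row["RC"] == "0" else failed
        for n in ("1", "2"):
            field, value = row["FIELD" + n], row["VALUE" + n]
            if not field:
                continue
            target[row["OBJECT"]][field].add(value)
            # Start authorization checks on S_TCODE show which transactions were called.
            if row["OBJECT"] == "S_TCODE" and field == "TCD" and value not in menu:
                menu.append(value)
    return menu, passed, failed


if __name__ == "__main__":
    menu, passed, failed = summarize_trace(SAMPLE_TRACE, "GR01-MM1")
    print("Menu candidates:", menu)
    for label, result in (("passed", passed), ("failed", failed)):
        for obj, fields in sorted(result.items()):
            print(label, obj, {f: sorted(v) for f, v in fields.items()})
```
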

Task 3: Create a Role Based on the Result of the System Trace for Authorization Checks

Create a role GR##_TRACE. Maintain the role menu and the authorization values using the system trace for authorization checks generated in task 1.

Steps

  1. Start the role maintenance transaction and create the role GR##_TRACE. Enter a short description, and save.

    1. SAP Menu:

      Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

    2. Enter the name for the role GR##_TRACE in the Role field.

    3. Choose Create Single Role.

    4. Enter description Trace in the Description field.

    5. Then choose Save (Ctrl+S) to save your role.

  2. Create the role menu using the system trace for authorization checks generated in the previous task.

    1. Go to the Menu tab.

    2. Choose From Menus → Import from Trace.

    3. Choose Evaluate Trace → System Trace (STAUTHTRACE) → Local in the Evaluate Trace Data window.

    4. Enter GR##-MM1 in the Trace for user only field.

    5. Choose Evaluate on the System Trace window.

      If no result is displayed, please adjust the time interval so that it fits your time zone.

    6. In the Value1 field, select transactions MM03 and MM19 of the System Trace and choose Transfer.

    7. Choose Insert as List.

    8. Choose Save.

    Result

    The transactions MM03 and MM19 are added to the role menu.

  3. Maintain the authorization values for the organizational levels.

    Define the organizational levels:

    - Company code: 1010

    - Warehouse number/complex: *

    - Sales organization: 0001

    - Distribution Channel: *

    - Plant: 1010, 1030

    1. Go to the Authorizations tab page.

    2. Choose Change Authorization Data.

    3. Enter the following values in the Define Organizational Levels window:

      When you maintain organizational levels, you usually only see those lines where values have been assigned. If an organizational level field has not yet been maintained, only one line is displayed. You can display multiple lines by choosing the More Values button.

      - Company code: 1010

      - Warehouse number/complex: *

      - Sales organization: 0001

      - Distribution Channel: *

      - Plant: 1010, 1030

    4. Choose Save (Ctrl+S) to save the authorization values for the organizational levels.

  4. Maintain the authorization values for authorization object M_MATE_STA using the system trace for authorization checks generated in task 1.

    1. Choose the Evaluate Trace Data (Ctrl+F5) icon on the Change Role: Authorizations screen.

    2. On the Evaluate Trace Data window, choose authorization object M_MATE_STA.

    3. On the Evaluate Trace Data window, choose Evaluate Trace → System Trace (STAUTHTRACE) → Local.

    4. Enter GR##-MM1 in the Trace for user only field.

    5. Choose Evaluate on the System Trace window.

    6. Select all values in the STATM field of the System Trace.

    7. Choose Transfer.

    8. Choose Continue (Enter).

    9. Check the field values of the authorization object M_MATE_STA.

  5. Generate the authorization profile for your role. Accept the proposed profile name.

    1. Choose the Generate icon.

    2. Press Generate again or, in the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    3. Choose Back (F3) to return to the Change Roles screen.

Task 4: Deactivate the System Trace for Authorization Checks (Done by Your Instructor)

At the end of this exercise, the instructor must deactivate the System Trace for Authorization Checks (transaction STAUTHTRACE) for GR* users.

Steps

  1. Start the system trace for authorization checks and deactivate the trace for GR* users.

    1. Start transaction STAUTHTRACE.

    2. Choose Deactivate Trace (F7).
