Tracing Standard Authorizations

This lesson covers the use of standard authorization tracing strategies, focusing on tools like SU53, ST01, STAUTHTRACE, and STUSERTRACE to support the specification and assignment of standard authorizations.

Users can use transaction SU53 to analyze an access-denied error in their system that just occurred. They can call transaction SU53 in any session, not just the session in which the error occurred.

Using SU53, you can analyze which authorizations are missing and pass this information to the authorization administrator.

If there are many active users and many failed authorization checks, the number of checks and the period covered can be decreased for a user.

The user can also use transaction SU56 to view which authorizations are currently in the buffer.

If a user is unable to perform an action, and the authorization error analysis shows the message "All authorization checks have been successful". Then the issue lies elsewhere, not with authorization.

If transaction SU53 does not provide a satisfactory result, the following further system trace options can be used: ST01 and STAUTHTRACE.

The system trace allows you to record internal SAP system activities. The system trace is primarily used when an authorization trace is required. Apart from authorization checks, the following components can be monitored using the system trace: kernel functions, kernel modules, database accesses, table buffers, RFC calls, and lock operations.

For the ST01 system trace, ensure the trace and transaction being traced are on the same application server.

Once you have completed the analysis, choose Trace off.

The System Trace for Authorization Checks (transaction STAUTHTRACE) provides an optimized user interface to trace authorization checks. It works in the same way as the system trace (transaction ST01) but is solely for performing authorization checks.

STAUTHTRACE tool usage notes:

• Evaluation of the system trace for authorization checks can be done for the current server.
• It is also possible to start and stop the system trace for authorization checks on all servers or on selected servers of a system.
• The system displays an additional server name column when viewing performed authorization checks.

The advantages of STAUTHTRACE compared to the ST01 transaction are as follows:

• STAUTHTRACE: The System Wide Trace option can be activated to get the trace for all application servers. At the same time, you can also fetch and deactivate all server trace from the single point. ST01 – If a system has 3 different application servers, you must login to three servers separately and activate and deactivate the trace in all servers if the user server is unknown. You must also fetch the trace from different servers separately.
• STAUTHTRACE – We can remove the duplicate traces in the trace report while analyzing the logs. ST01 – Doesn’t have the option to remove duplicate entries before the trace log is downloaded.
  Note

  For more information please refer to SAP NOTE 2577291 - How to get trace of authorization checks using transaction STAUTHTRACE.

This long-term trace collects client-specific and user-specific authorization data and stores it in the database. During the execution of a program, every authorization check is recorded once for each user with the first time stamp, together with the name and type of the running application, the point in the program, the authorization object, the checked authorization values, and the result.

Trace data aids in maintaining authorization default values and authorizations, especially for users with specific tasks or unique objects like communication users in RFC scenarios.