Posted on 03-Oct-2021

21 views

Category:

Documents


1 download

TRANSCRIPT

SAP Security Authorization - Trace & Checks

www.mouritech.com

Introduction

An authorization trace is performed to identify and record the authorizations a user is missing, by comparing the checks an application executes against the access the user actually holds. Tracing also supports maintaining the default authorization values (proposals) for transactions in SU22 (SAP defaults) and SU24 (customer values), and applying that same authorization data to roles. Traces are basically of two types: system-wide, or limited to a specific user or instance. Tracing is typically used for troubleshooting, especially for missing access reported in SAP GUI, by validating the access assigned to the SAP user ID.

This article describes how to perform tracing in R/3, ECC and S/4 systems.

Users & Access

To carry out day-to-day business in SAP, users need a user ID and password to log in. The users that log in to SAP fall into the following categories:

Technical users such as ABAP developers or Basis/Security personnel

Functional users, who configure the system and provide functional support

Business users, the actual end users working in the front end

Each SAP ID needs access and authorizations appropriate to the duties allocated to that user. During their work, users run into authorization issues, which may be due to access being restricted to a certain level or to no access at all. In such scenarios the issue is resolved by granting the missing authorizations. But how do we find the exact access that is missing for a specific user?

Tracing & Identifying Missing Access by Tracing Tools (Tcodes)

SU53

ST01

STAUTHTRACE

Tracing missing access: identify the missing access through the tracing tools, then provide it to the user ID.

SU53: displays the result of the last failed authorization check for the user, that is the authorization object that was checked and the field values that were not found in the user's buffer.

Note - Successful checks are not recorded in SU53. It shows only the most recent failed check, so the user should call /nSU53 immediately after the error, before any further action overwrites it.


The SU53 screen lists the missing objects and their values. In the example shown in the screenshot, authorization object T_Admin is missing value H1 for field ACTVT: the user's buffer (SU56) does not contain that value, and SU53 records exactly the value that is not assigned.

How to evaluate missing access from an SU53 screenshot?

Ensure that the missing access is evaluated against the right user ID.

Request the user to share the latest screenshot (check the date and time), since SU53 keeps only the most recent failed check.

Make sure the information shared is from the right system, client and instance.

Once the required access is identified, analyze the system with SUIM (User Information System) for roles that already contain the missing object and values, and assign the role after the required approvals. Do not simply add the reported value, or a wildcard, to the user's existing role: confirm that the user's job function actually requires it and that it does not create a segregation-of-duties conflict.

If the analysis through SU53 does not work, the missing access can be traced through ST01.

ST01: the System Trace, which is an instance-specific trace (it records only on the application server on which it is switched on).

In some cases users face authorization errors that are not captured by SU53, for example when the failed check is followed by further checks that overwrite it, or when it occurs in another session or work process (a background job or an RFC call). Such errors can be traced through ST01.

ST01 → General Filters → Trace for user only → Trace on → Check with user to replicate the steps → Trace off → Analysis


Navigate to transaction ST01 and select the trace component (in this scenario, Authorization Check). Under General Filters choose the trace type (Trace for user only) and enter the user ID whose access is missing, then switch the trace on and ask the user to replicate the steps. Upon completion, switch the trace off and analyze the results. Because ST01 is local to one instance, make sure the user is logged on to the same application server on which the trace is activated, or use STAUTHTRACE for a system-wide trace.

Analyzing the trace: once the user has replicated the steps, switch the trace off and click “Analysis” as shown in the above screenshot.

Key in the user name, select Authorization Check (All: every recorded check; Error: only the failed checks) and execute.


Return codes

The RC column is the sy-subrc of the AUTHORITY-CHECK statement that was executed:

RC 0 = Authorization check passed; nothing to do.

RC 4 = The user has the authorization object in the buffer, but the checked value/activity is missing.

RC 12 = The user does not have the authorization object at all, and therefore none of its values.

Entries with RC 4 and RC 12 need to be worked on: treat RC 4 as a missing value in an existing role and RC 12 as a missing role or object. Any other non-zero return code indicates a problem with the check itself or with the user master rather than a missing value, and should be handled with the developer or Basis team. Also note that not every failed check requires a fix: some programs first check for a higher activity (for example change) and fall back to display mode when that fails, so confirm that the failing check actually blocks the user's task before granting anything.
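To make the difference between RC 4 and RC 12 concrete, the following is an added example (not code from the original article or from SAP) that models AUTHORITY-CHECK against a user buffer. The buffer contents, the object names (T_Admin is taken from the SU53 example above) and the field values are constructed; the real check runs in the kernel against the SU56 buffer. The model also shows the rule that trips up most role fixes: all fields of a check must be satisfied by one single authorization instance, so values spread across two authorizations for the same object do not combine.

```python
"""Model of the AUTHORITY-CHECK outcomes (RC 0 / 4 / 12) against a user buffer.

Added example, not code from the original article or from SAP. The buffer
content, object and field names below are constructed for illustration; a
real check is executed by the kernel against the user buffer (SU56).
"""
from __future__ import annotations

from dataclasses import dataclass

RC_OK = 0          # every requested field matched within one authorization
RC_VALUE = 4       # object is in the buffer, but no authorization covers all values
RC_NO_OBJECT = 12  # the object is not in the user buffer at all


@dataclass
class Authorization:
    """One authorization instance for an object.

    fields maps a field name to its permitted (low, high) pairs, the same
    shape as the VON/BIS columns of a buffer entry: high == "" means a single
    value (possibly generic, e.g. "Z*"), otherwise an inclusive range.
    """
    obj: str
    fields: dict[str, tuple[tuple[str, str], ...]]


def value_permitted(low: str, high: str, requested: str) -> bool:
    """Does one (low, high) entry permit the requested value?"""
    if high:                                   # explicit range, compared as strings
        return low <= requested <= high        # (simplification: no numeric padding)
    if low == "*":                             # full wildcard
        return True
    if low.endswith("*"):                      # generic value such as "Z*"
        return requested.startswith(low[:-1])
    return low == requested                    # single value


def instance_covers(auth: Authorization, requested: dict[str, str]) -> bool:
    """All requested fields must be satisfied by this single authorization."""
    for field_name, value in requested.items():
        entries = auth.fields.get(field_name, ())
        if not any(value_permitted(lo, hi, value) for lo, hi in entries):
            return False
    return True


def authority_check(buffer: list[Authorization], obj: str, **requested: str) -> int:
    """Mimic AUTHORITY-CHECK OBJECT obj ID field FIELD value ... and return sy-subrc.

    Only the three codes the article discusses are modelled (0, 4, 12).
    """
    instances = [a for a in buffer if a.obj == obj]
    if not instances:
        return RC_NO_OBJECT
    if any(instance_covers(a, requested) for a in instances):
        return RC_OK
    return RC_VALUE


def example_buffer() -> list[Authorization]:
    """Constructed user buffer: what SU56 might show for a test user."""
    return [
        Authorization("S_TCODE", {"TCD": (("Z*", ""), ("SU56", ""))}),
        # The article's SU53 case: T_Admin is present, but ACTVT H1 is not.
        Authorization("T_Admin", {"ACTVT": (("01", ""), ("02", ""), ("03", ""))}),
        # Two instances of the same object with different value combinations.
        Authorization("F_BKPF_BUK", {"BUKRS": (("1000", ""),), "ACTVT": (("*", ""),)}),
        Authorization("F_BKPF_BUK", {"BUKRS": (("2000", "2999"),), "ACTVT": (("03", ""),)}),
    ]


def describe(rc: int) -> str:
    """Short wording for the trace column, matching the article's table."""
    return {RC_OK: "RC 0: authorized",
            RC_VALUE: "RC 4: object in buffer, value missing",
            RC_NO_OBJECT: "RC 12: object not in buffer"}[rc]


if __name__ == "__main__":
    buf = example_buffer()
    checks = [
        ("S_TCODE", {"TCD": "ZREPORT"}),
        ("S_TCODE", {"TCD": "SU53"}),
        ("T_Admin", {"ACTVT": "H1"}),
        ("F_BKPF_BUK", {"BUKRS": "2500", "ACTVT": "03"}),
        ("F_BKPF_BUK", {"BUKRS": "2500", "ACTVT": "02"}),   # RC 4: 02 is only granted with 1000
        ("S_USER_GRP", {"ACTVT": "03"}),
    ]
    for obj, req in checks:
        print(f"{obj:<12} {req} -> {describe(authority_check(buf, obj, **req))}")
```

The last F_BKPF_BUK check is the case to remember when reading a trace: the user does hold ACTVT 02 and does hold company code 2500, but not in the same authorization, so the check returns RC 4 and the fix is to extend one authorization instance rather than to add a value somewhere else in the role.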

Apart from the authorization check, the system trace can also record the following components:

Kernel functions

General kernel

DB access (SQL Trace)

Table buffer trace

RFC calls

HTTP calls

APC & AMC calls

Lock operations

To trace a specific component or several components together, flag the components and enter the user ID for user-specific tracing.

Tracing can be restricted to a specific process, user, transaction or program through the General Filters.

Note - Unlike SU53, ST01 also captures successful checks (RC 0).

STAUTHTRACE: a system-wide authorization trace that records on all active application servers at once, with filter options for a specific user or application. As in ST01, STAUTHTRACE lets you choose between a local trace and a system-wide trace.

System-wide trace: traces across the whole system and is not restricted to a specific instance.


Local trace: traces a single instance. Select the instance from the list of available servers and activate the trace.

The ‘Trace for errors only’ option is available for both the system-wide and the local trace.


Activating the trace:

Navigate to STAUTHTRACE.

Select the type of trace (system-wide or local).

Fill in the required fields, such as:

o Trace for user only (single or multiple users)

o Trace for errors only (based on the requirement)

o Restrictions for the evaluation (if required)

Activate the trace.

Deactivate the trace once the user has replicated the steps.

Evaluate the results for missing Tcodes, objects or values.

The trace result screen of STAUTHTRACE resembles the ST01 analysis; compared to ST01, a few more options are available in STAUTHTRACE, such as User Buffer, CDS Access Control and a User icon (sixth icon from the left in the trace results screen) that navigates to SU01 in display mode.

Tip to Export and Evaluate

SAP provides an “Export” option to download the trace results to a local folder for evaluation, for example to filter, deduplicate and sort the entries outside the GUI. Note that the user ID performing the trace must itself hold the authorizations required for ST01 and STAUTHTRACE; these are administrative transactions and should be restricted accordingly.
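As an added example of evaluating an exported trace (this is not code from the original article or from SAP), the script below reads a tab-separated export, drops non-authorization trace types and RC 0 entries, deduplicates repeated identical failures per user and turns each remaining RC 4 or RC 12 entry into the action described under Return codes. The column layout and the trace lines are constructed to stand in for a real export; map the column names to what the Export function on your release actually writes before using it.

```python
"""Triage an exported authorization trace (ST01 / STAUTHTRACE result list).

Added example, not code from the original article or from SAP. The export
layout and the trace lines below are constructed; adapt the column names to
what your system's Export actually writes before running this on real output.
"""
from __future__ import annotations

import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample export (tab-separated, one AUTHORITY-CHECK per line).
SAMPLE_EXPORT = """\
USER\tTYPE\tTCODE\tOBJECT\tVALUES\tRC
JDOE\tAUTH\tZFI01\tS_TCODE\tTCD=ZFI01\t0
JDOE\tAUTH\tZFI01\tF_BKPF_BUK\tBUKRS=1000;ACTVT=03\t0
JDOE\tAUTH\tZFI01\tF_BKPF_BUK\tBUKRS=1000;ACTVT=02\t4
JDOE\tAUTH\tZFI01\tF_BKPF_BUK\tBUKRS=1000;ACTVT=02\t4
JDOE\tAUTH\tZFI01\tT_Admin\tACTVT=H1\t12
JDOE\tRFC\tZFI01\tZ_FM_POST\t\t0
MSMITH\tAUTH\tSU01\tS_USER_GRP\tCLASS=SUPER;ACTVT=02\t12
"""

# What each failing return code means for the role owner (see Return codes).
ADVICE = {
    4: "object already in a role: add the missing value(s) to an existing authorization",
    12: "object not in the user buffer: a role containing the object is missing",
}


def parse_values(raw: str) -> tuple[tuple[str, str], ...]:
    """'BUKRS=1000;ACTVT=02' -> (('ACTVT', '02'), ('BUKRS', '1000')), sorted for dedup."""
    pairs = []
    for item in filter(None, raw.split(";")):
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return tuple(sorted(pairs))


def triage(export_text: str) -> dict[str, dict[tuple, int]]:
    """Group failed authorization checks per user.

    Returns {user: {(object, rc, values): occurrences}}. RC 0 lines and
    non-AUTH trace types (RFC, HTTP, ...) are skipped; repeated identical
    failures (the same check hit several times) are counted, not listed twice.
    """
    findings: dict[str, Counter] = defaultdict(Counter)
    for row in csv.DictReader(StringIO(export_text), delimiter="\t"):
        if row["TYPE"] != "AUTH":
            continue
        rc = int(row["RC"])
        if rc == 0:
            continue
        key = (row["OBJECT"], rc, parse_values(row["VALUES"]))
        findings[row["USER"]][key] += 1
    return {user: dict(counts) for user, counts in findings.items()}


def report(findings: dict[str, dict[tuple, int]]) -> list[str]:
    """Human-readable lines, one per distinct failure, with the suggested action."""
    lines = []
    for user in sorted(findings):
        for (obj, rc, values), n in sorted(findings[user].items()):
            shown = ", ".join(f"{f}={v}" for f, v in values)
            lines.append(f"{user}: {obj} [{shown}] RC {rc} x{n} -> {ADVICE.get(rc, 'investigate')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_EXPORT))))
```

Keeping the successful RC 0 line for F_BKPF_BUK with ACTVT=03 in the sample is deliberate: it is the pattern from the caveat above, where a program checks change access (ACTVT 02), fails, and continues with display access, so the RC 4 entry should be confirmed with the user before any role change is made.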

Contact for further details

Sandeep Voruganti

Technology Specialist - SAP Basis & Security

[email protected]

MOURI Tech