Skip to Content
Author's profile photo Frank Buchholz

Show ST01 authorization trace

Did you ever have struggled with the complicated list output of the authorization trace, transaction ST01?

Well, in this case you might love this small Report ZSHOWAUTHTRACE which reads the current trace file and shows the authorization trace data in a simple to use grid format.

You find the ABAP code in the SDN Code Gallery.

Features:

  1. Switch on/off the authorization trace.
  2. Read ST01 trace file and filter events by user, authorization object or result.
    You can suppress duplicate authorization trace records.
  3. Show trace file in grid format.
  4. Navigate to the ABAP source code of the corresponding authorization check.

Selection Screen:

Selection Screen

Result:

Result

Schönen Gruß / Kind regards
Frank Buchholz
SAP Active Global Support – Security Services

Assigned Tags

      8 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      This is quite an improvement on ST01.  I've added this to my tool bag.  Thanks!
      Author's profile photo Tahar Yacoub
      Tahar Yacoub

      Hello

      Is there a way to filter  on   more than one tcodes but not all  before generating the trace ?

      I know that  in the new  trace with confort  you have a selection screen but it is after the trace file is generated and hats what we do not want

      we want to generate a trace  only for the tansaction or userse we want

      Thanks

      Tahar

      Author's profile photo Frank Buchholz
      Frank Buchholz
      Blog Post Author

      No, there is only a filter for the user before generating the trace.

      Author's profile photo Former Member
      Former Member
      Hi Frank,

      It would be usefull if the ALV grid output showed the app server, and in selecting the UID it would be ideal if they already were logged on and only selectable if on the same app server => SM04. This causes some confusion "in the wild".. 😉

      Really, really cool would more integration between SU53 (*last* failed auth check) as an admin function and ST01 trace function with a context shown for the sy-subrc (like SU24 works in the wild).

      To be honest, I think that SU53 causes more problems than what it does good, without the features which ST01 offers app server specifically.

      I opened a "development wish" for this a long time ago and have been fiddling around with prototypes myself and been in contact with some of the finance developers from SAP as well about tools they have developed. However, without C-calls and other (for me unstable) tricks it does not work so I shy away from making any customer dependent on it ;-(

      Any chance of SAP supporting this as a development topic?

      Cheers,
      Julius

      Author's profile photo Former Member
      Former Member
      Also, as this is a report which can be scheduled for events (or "dropped" from shortcuts as you have evidently done) it might be advisable to check AUTH_CHECK_TCODE at initialization and to exit the program if another user is already active in ST01 itself and it's forms, instead of closing the file (just to be sure... because endusers are rascals... 🙂

      Just a thought,
      Julius

      Author's profile photo Frank Buchholz
      Frank Buchholz
      Blog Post Author

      As of SAP_BASIS release 7.03 you can use the standard transaction STAUTHTRACE instead of the described customer program. See notes 1603756, 1638729, and 1707841 to get latest updates on this transaction.

      Author's profile photo Former Member
      Former Member

      Hi Frank,

        Is there something like this T-code in ECC6.

      Thanks

      varun Jain

      Author's profile photo Frank Buchholz
      Frank Buchholz
      Blog Post Author

      My demo system with ECC 6.06 runs on SAP_BASIS 7.31 -> STAUTHTRACE is available.