
Being a Basis consultant, it was a challenge to take up an SAP APO security role-building exercise for an implementation project. I knew how to make roles and edit authorization objects for ECC, but that much information was not sufficient to find out the authorization objects needed to control SAP APO functions. Functional consultants started explaining to me all the controls they needed in their functionalities. Checking the SU22 screens was a difficult process because of the lack of domain knowledge. Unfamiliar terms and codes were running through my head. Often the objects that I found with much pain were not the right ones when we tested them. Functional consultants were not always available for our trial-and-error sessions.

I found that the “authorization trace” of ST01 is the best and fastest way to find the right authorization objects. I asked the functional consultants to run the functionalities they wanted to put controls on. I could watch their user IDs with the trace produced in ST01. But ST01 was too boring; I needed a much better tool to move fast and have more clarity.

STAUTHTRACE provides neater formatting for the trace than ST01. I switched it on and asked the functional consultant to execute the functionalities they needed. I found the authorization objects checked in every functionality by tracing what the functional consultant was doing.

Example of how to use this function: Using STAUTHTRACE to customize SU01 functionality for unlock only

  • Create a sample user ID for the functional consultant in the quality system. Provide a role with the desired functionality. Here, for example, we use SU01.
  • Switch on the trace for this user in transaction STAUTHTRACE.
  • Provide the user ID in the section Trace options -> Trace for user only. Click the “Activate trace” button in the upper pane.
  • Then log in (as TEST_TRACE) and execute all the functions in SU01 (for another user, TEST_TRACE2). Here I have executed all the functions: assign profile, reset password, lock, unlock.
  • After that you can display the trace in transaction STAUTHTRACE by clicking the button in the upper pane. You can see the results as described below.
  • Here you can see that the authorization object S_USER_GRP is checked and the activities were 02, 05. If you edit these activities for a role which has the SU01 transaction code assigned to it, you can use this role to control the activities of users.
  • Make sure to put in a copy of the standard node (S_USER_GRP) and not to edit the standard node – this is the best practice.
  • Select activity 5 to provide access for unlock/lock. Disable the standard node and retain only the manual node of S_USER_GRP.
  • Save, generate the profile and exit.
  • Execute the user comparison in PFCG for the user.
  • Log in as TEST_TRACE. Execute all the functions in SU01. Check the trace log again. Failed authorization checks are displayed in red. If it had been a Web Dynpro screen, you would have seen Web Dynpro in the column ‘Type’.
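
The evaluation steps above, as an added example that is not part of the original post: a Python script that summarizes which authorization objects and values a traced user hit and predicts which of those checks a restricted role would no longer satisfy. The semicolon-separated export layout, the user group TESTGRP and the one-authorization-per-object role model are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: trace results exported as semicolon-separated text.
# Assumed layout for this example: user;object;return code;field=value pairs
SAMPLE_TRACE = """\
TEST_TRACE;S_TCODE;0;TCD=SU01
TEST_TRACE;S_USER_GRP;0;CLASS=TESTGRP,ACTVT=02
TEST_TRACE;S_USER_GRP;0;CLASS=TESTGRP,ACTVT=05
TEST_TRACE;S_USER_GRP;0;CLASS=TESTGRP,ACTVT=05
OTHER_USER;S_USER_GRP;0;CLASS=SUPER,ACTVT=03
"""

def parse_trace(text, user):
    """Return de-duplicated (object, {field: value}, rc) checks for one user."""
    seen, checks = set(), []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) != 4 or row[0] != user:
            continue  # skip malformed rows and other users
        _, obj, rc, fields = row
        pairs = tuple(sorted(tuple(p.split("=", 1)) for p in fields.split(",")))
        if (obj, pairs, rc) not in seen:
            seen.add((obj, pairs, rc))
            checks.append((obj, dict(pairs), int(rc)))
    return checks

def summarize(checks):
    """Values checked per object and field (checked is not the same as required)."""
    summary = defaultdict(lambda: defaultdict(set))
    for obj, fields, _rc in checks:
        for name, value in fields.items():
            summary[obj][name].add(value)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in summary.items()}

def would_fail(checks, role):
    """Traced checks a proposed role would not satisfy.
    role maps object -> field -> allowed values; '*' allows any value."""
    failed = []
    for obj, fields, _rc in checks:
        allowed = role.get(obj)
        if allowed is None or any(
                "*" not in allowed.get(f, ()) and v not in allowed.get(f, ())
                for f, v in fields.items()):
            failed.append((obj, fields))
    return failed

# Proposed restriction from the walkthrough: S_USER_GRP limited to activity 05.
PROPOSED_ROLE = {"S_TCODE": {"TCD": {"SU01"}},
                 "S_USER_GRP": {"CLASS": {"*"}, "ACTVT": {"05"}}}
```

Running `would_fail(parse_trace(SAMPLE_TRACE, "TEST_TRACE"), PROPOSED_ROLE)` lists the checks that should show up as failed when the restricted user repeats the same functions.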

By this method you can trace the activity of the users by assigning any transaction code. This gives you insight into which authorization objects are being checked while the functional consultant executes certain functions. This will help a team of security and functional consultants easily find the authorization controls required. It is a much easier, more accurate and faster method compared to breaking your head analyzing the description of each authorization object in SU22. We have completed an SAP APO role-building project by this method. Kindly do provide your suggestions and questions.

N.B.: Please note that tracing authorization for SAP BI is different from STAUTHTRACE. For BI, SAP has given additional tools like RSECADMIN and RSSM.
The roles which were created using this method are as mentioned in this document. Click here.

6 Comments


  1. Colleen Hebbert

    Hi

    This is SAP standard work instruction even though STAUTHTRACE is a lot prettier and better functionality than ST01.

    I read thinking you were going to further develop your learning with the APO example. Wouldn’t it have made sense to pick an APO functionality and show how you struggled to work out what to build but STAUTHTRACE assisted you? As a Basis/Security person you should not need a trace to know SU01 restrictions. As well as that, the option for system wide trace vs ST01 opening n sessions for each app server to trace. And I love STAUTHTRACE automatically defaulting your timestamps for when you started and stopped the tracing.

    Also your screen shots exclude the key benefits of using STAUTHTRACE that ST01 does not provide. For example, drill into the code (which is great when you want to put a break point to debug a check), filter on results list with ALV, use this trace file in SU24 or PFCG to maintain security; and nice pretty colours for return codes.

    In your example for unlock you then show the activity 22 – which is assign. This would not be necessary for unlock. STAUTHTRACE might be less boring than ST01 but it requires the same level of analysis in deciding if there is a misleading check and whether the access is necessary for the user (just because the authorisation is checked doesn’t mean the user requires the access for the specific function they need to perform). At the same time, you started with the scope of unlock user in underline and then in the steps mentioned you were assigning access like profile as well.

    Finally your PFCG examples and words imply that you are going to override SU24 values directly in PFCG and change authorisation status from standard to changed. This is not a good approach to building and  maintaining roles. Sorry, if I have misrepresented what you have said.

    I think your blog would be more beneficial if you kept to your APO example instead of SU01 and put more emphasis on how you used STAUTHTRACE functionality to assist with more focus on how you used the ALV layout to better assist you in interpreting the access requirements. In security it can be hard to get your functional consultant to provide requirements and your own prototyping and testing goes a long way to delivering appropriate security.

    At the end of your build did you have better appreciation of the APO specific authorisations?

    Regards

    Colleen

    Ps – sorry if harsh.. I didn’t mean it to be – starting off with APO example got me interested as it had been quite some time since I supported that component

    (0) 
    1. Syam krishnan M R Post author

      I am thinking of another blog/document to show which APO roles were built. In that blog I am even thinking of recording which authorization objects were edited. The target audience here (in this blog) is beginners, as I myself used the trace for the first time. I never thought at the beginning that, using a simple tool and a lot of collaboration, I could complete a project. The emphasis is on collaboration rather than a tool – hope you got it. Yes, we do have a lot of appreciation for the work we have done – I give all the credit to the functional consultants that we have. To teach STAUTHTRACE, I thought it would be more understandable for my target audience if I mentioned a functionality which they already know; that's why I chose SU01. The intent of the blog is to serve as a link on how I collaborated with the functional consultant to achieve authorization restriction for functionalities which I don't understand (even now!!). Inside the document which I am going to create, I shall mention the APO-specific customization which I have already done. Regarding editing the standard nodes and highlighting the unlock function – thanks for correcting me – I do really value your advice.

      Best regards,

      Syam

      (0) 
      1. Colleen Hebbert

        Hi Syam

        I understand your eagerness in wanting to contribute learning materials but I feel you still need to master your technical skills before you attempt to become a mentor/trainer for beginners

        Make sure to put in a copy of standard node (S_USER_GRP) and not to edit the standard node – this is the best practice.

        You are only partially correct on that statement. Yes – do not edit proposals directly but No – it is not standard best practice to manually add an object because the default value is inappropriate for the role. You need to make a decision first as to whether SU24 should be maintained instead (which is yes in most cases)

        STAUTHTRACE ‘how to’ is covered by SAP help and similar areas: https://help.sap.com/saphelp_nw73/helpdata/en/92/7ac87d293a47d8a17368c9f45661f4/content.htm

        Again, in this blog I feel you have put too much focus on PFCG when your goal is to discuss STAUTHTRACE. That or you could have compared the differences between ST01 and STAUTHTRACE other than just the layout.

        I feel the sort of blogs and material you want to produce is too junior for security. If you are still eager to proceed, perhaps they belong more in your personal blog space.

        Regards

        Colleen

        (0) 
        1. Syam krishnan M R Post author

          Thanks for the info regarding SU24; however, I found the default proposal needed no change in our project's case as there was no need for mass maintenance of a specific authorization object in many roles. In such cases changing the default proposal can save work. However, this could be best practice as it is coming from a specialist like you.

          (0) 
  2. Ameet kumar

    Hi Syam,

    I second Colleen’s comments.

    Had you taken some real-time examples on APO-security parameters or functionalities or objects et al, then your post would have been more appealing and value-adding, whether it is for creation of any APO-specific roles or to fix the authorization issues on APO.

    We understand that it would have been a new experience for you to work on APO-security but again, contents should have been more focussed on the topic. Maybe doing it that way you can contribute much more than what you are doing as of now.

    Hope you do understand community needs and expectations!!

    Regards,

    Ameet

    (0) 
    1. Syam krishnan M R Post author

      Agreed, I have removed SAP APO from the heading of the blog. I shall be trying to get a scenario from SAP APO consultants. In reality I haven't recorded any functionality to replicate, because it wasn't necessary when we built it up. I included SAP APO in the heading because tracing is different for some products like SAP BI.

      (0) 
