Collaborate security and functional consultants using stauthtrace
Being a basis consultant , it was challenge to take up SAP APO security roles building exercise for an implementation project. I knew how to make roles and edit authorization objects for ECC, but that much information was not sufficient to find out authorization objects needed to control SAP APO functions. Functional consultants started explaining me what all controls they need in their functionalities. A check at the SU22 screens was difficult process because of the lack of domain knowledge . Unfamiliar terms and codes were running on my head. Often the objects that I found with much pain was not the right one when we tested it . Functional consultants were not always available for our trial and error sessions.
I found that “authorization trace” of ST01 is the best and fastest way to find out right authorization objects. I asked the functional consultants to run functionalities they want to put control on. I could watch their userids with trace produced at ST01. But ST01 was too boring, I needed much better tool to move fast and have more clarity.
STAUTHTRACE provide a neat formatting than ST01 for trace. I switched this on and asked functional consultant to execute the functionalities they needed. I found the authorization objects checked in every functionalities by tracing what functional consultant was doing.
Example of how to use this function: Using STAUTHTRACE to customize SU01 functionality for unlock only
| Description | Screenshot |
|---|---|
|
 |
|
 |
|
 |
|
 |
|
 |
|
 |
|
|
|
 |
|
 |
|
 |
|
 |
By this method you can trace activity of the users by assigning any transaction code. This gives you insight into what all authorization objects are being checked while the functional consultant executes certain functions. This will help a team of security and functional consultants easily find the authorization controls required. It is much easier, accurate and faster method compared to breaking your head on analyzing description of each authorization object in SU22 . We have completed a SAP APO role building project by this method. Kindly do provide your suggestions and questions.
Hi
This is SAP standard work instruction even though STAUTHTRACE is a lot prettier and better functionality than ST01.
I read thinking you were going to further develop your learning with the APO example. Wouldn't it have made sense to pick an APO functionality and show how you struggled to work out what to build but STAUTHTRACE assisted you? As a Basis/Security person you should not need a trace to know SU01 restrictions. As well as that, the option for system wide trace vs ST01 opening n sessions for each app server to trace. And I love STAUTHTRACE automatically defaulting your timestamps for when you started and stopped the tracing.
Also your screen shots exclude the key benefits of using STAUTHTRACE that ST01 does not provide. For example, drill into the code (which is great when you want to put a break point to debug a check), filter on results list with ALV, use this trace file in SU24 or PFCG to maintain security; and nice pretty colours for return codes.
In your example for unlock you then show the activity 22 - which is assign. This would not be necessary for unlock. STAUTHTRACE might less boring than ST01 but it requires the same level of analysis in deciding if there is a misleading check and whether the access necessary for the user (just because the authorisation is checked doesn't mean the user requires the access for the specific function they need to perform). At same time, you started with the scope of unlock user in underline and then in the steps mentioned you were assigning access like profile as well.
Finally your PFCG examples and words imply that you are going to override SU24 values directly in PFCG and change authorisation status from standard to changed. This is not a good approach to building and maintaining roles. Sorry, if I have misrepresented what you have said.
I think your blog would be more beneficial if you kept to you APO example instead of SU01 and put more emphasis on how you used STAUTHTRACE functionality to assist with more focus on how you used the ALV layout to better assist you in interpreting the access requirements. In security it can be hard to get your functional consultant to provide requirements and you own prototyping and testing goes a long way to delivering appropriate security
At the end of your build did you have better appreciation of the APO specific authorisations?
Regards
Colleen
Ps - sorry if harsh.. I didn't mean it be - starting off with APO example got me interested as it had been quite some time since I supported that component
I am thinking of another blog/document to show which all are the APO roles built. In that blog I even think of recording what all are the authorization objects which were edited . The target audience is beginners here (in this blog ) as I myself used trace for the first time. I never thought at the beginning that using a simple tool and lot of collaboration , I could complete a project. The emphasis is on collaboration than a tool - hope you got it. Yes we do have lot of appreciation for the work we have done - I give all the credit to functional consultants that we have. To teach stauthtrace, I thought it would be more understandable for my target audience, if I mention a functionality which they already know , thats why I choose SU01. The intent of the blog is to serve as a link on how I collaborated with functional consultant to achieve authorization restriction for functionalities which I dont understand ( even now !!) . Inside the document which I am going to create , Is shall mention about APO specific customization which I have already done. Regarding editing the standard nodes and highlighting the unlock function - thanks for correcting me - I do really value your advice.
Best regards,
Syam
Hi Syam
I understand your eagerness in wanting to contribute learning materials but I feel you still need to master your technical skills before you attempt to become a mentor/trainer for beginners
You are only partially correct on that statement. Yes - do not edit proposals directly but No - it is not standard best practice to manually add an object because the default value is inappropriate for the role. You need to make a decision first as to whether SU24 should be maintained instead (which is yes in most cases)
STAUTRACE 'how to' is covered by SAP help and similar areas: https://help.sap.com/saphelp_nw73/helpdata/en/92/7ac87d293a47d8a17368c9f45661f4/content.htm
Again, in this blog I feel you have put too much focus on PFCG when your goal is to discuss STAUTHTRACE. That or you could have compared the differences between ST01 and STAUTHRACE other than just the layout.
I feel the sort of blogs and material you want to produce is too junior for security. If you are still eager to proceed, perhaps they belong more in your personal blog space.
Regards
Colleen
Thanks for the info regarding SU24, however I found default proposal need no change in our projects case as there was no need for mass maintainance of a specific authorization object in many roles. In such cases changing the default proposal can save work. However this could be best practice as it is coming from a specialist like you.
Hi Syam,
I second to Colleen's comments.
Had you taken some real time examples on APO-security parameters or functionalities or objects et al, then your post would have been more appealing and value-adding, Whether it is for creation of any APO specific roles or to fix the authorization issues on APO.
We understand that it would have been a new experience for you to work on APO-security but again, contents should have been more focussed over the topic. May be doing that way you can contibute much more than what you are doing as of now.
Hope you do understand community needs and expectations!!
Regads,
Ameet
Agreed, I have removed SAP APO from the heading of the blog. I shall be trying to get a scenario from SAP APO consultants. In reality I havent recorded any functionality to replicate , because it wasnt necessary when we built it up. I included SAP APO in the heading because tracing is different for some products like SAP BI