SAP Security Authorization Trace & Checks
An authorization trace is run to identify and record the authorization checks that fail for a user, i.e. the access the user is missing. Tracing also supports the maintenance of default authorization proposals, which are stored per transaction in SU22 (SAP defaults) and SU24 (customer values), and the maintenance of the same authorization data in roles. Traces are of two basic types: system-wide, or limited to a specific user or instance. Tracing is used for troubleshooting, especially for missing access in SAP GUI, by validating the access actually granted to the SAP user ID. This article describes how to perform tracing in R/3, ECC and S/4 systems.
Users & Access
To deliver the day-to-day business requirements in SAP, users need a user ID and password to log in. The users that log in to SAP are categorized as follows:
- Technical Users such as ABAPer or Basis/Security personnel
- Functional Users for configuring and providing functional support
- Business Users who are actual business users working in the front-end
Each SAP user ID needs the authorizations required to perform the duties allocated to that user. During daily work, users run into authorization errors, either because access is restricted at a certain level or because it is missing altogether. Granting the missing authorization resolves the issue. But how do we find exactly which access a specific user is missing?
Tracing & Identifying Missing Access by Tracing Tools (Tcodes)
Tracing Missing Access: Identifies the missing access through tracing tools and provides missing access to the User ID.
SU53: Displays the last failed authorization check for a user, i.e. the authorization object and the field values that were checked and not found.
Note – Successful transactions are not recorded in SU53.
The above screenshot shows the missing objects and their values. For authorization object T_Admin, the value H1 is missing for field ACTVT. The user ID does not hold the values shown; SU53 records the value that is not present in the user's authorization buffer (SU56).
How to evaluate missing access from SU53 screenshot?
- Ensure that the missing access is evaluated against the right User ID.
- Request the user to share the latest screenshot (check the date and time). SU53 holds only the most recent failed check, so a later error overwrites an earlier one; the screenshot must be taken right after the error occurs.
- Make sure that the information shared is about the right system, client and instance.
Once the required access is identified, use SUIM to find the roles that contain the missing authorization, and assign the role (or extend an existing one) after approval.
If the analysis through SU53 doesn't work, missing access can be traced through ST01.
ST01: The System Trace. It is instance-specific, i.e. it records only on the application server where it is switched on.
In some cases the user's authorization error is not captured in SU53. Such errors can be traced through ST01.
ST01 → General Filters → Trace for user only → Trace on → Check with user to replicate the steps → Trace off → Analysis
Navigate to ST01 Tcode and opt for the type of trace component (in this scenario, it is Authorization Check). Select general filters to choose the trace type (trace for user only), enter User ID – whose access is missing, initiate the trace and instruct the user to replicate the steps. Upon completion, turn the trace off and analyze the results.
Analyzing Trace: Once the user has replicated the steps, turn the trace off and click on “Analysis” as shown in the above screenshot.
Key in the username, select Authorization Check (All: every recorded check; Error: only failed checks) and execute.
- RC 0 = The check passed; no issue with the authorization.
- RC 4 = The user has the authorization object in the buffer, but the required field value or activity is missing.
- RC 12 = The user does not have the authorization object at all.
Errors RC 04 and RC 12 need to be worked on.
Apart from the authorization check, system trace can also be set for tracing the below components:
- Kernel functions
- General kernel
- DB access (SQL Trace)
- Table buffer trace
- RFC calls
- HTTP calls
- APC & AMC calls
- Lock Operations
To trace one or several components together, flag each component and enter the user ID for user-specific tracing.
Tracing can be restricted to a specific process, user, transaction or program, which is selected through General Filters.
Note – Unlike SU53, ST01 also records successful checks (RC 0).
STAUTHTRACE: The authorization trace that can run system-wide, i.e. on all available application servers at the same time, with filters for a specific user or application. As in ST01, STAUTHTRACE lets us choose between a local trace and a system-wide trace.
System-wide trace: Enables us to trace across the system and is not restricted to a specific instance.
Local Trace: Enables us to trace specific to an instance. Select the option from the list of available servers and activate the trace.
‘Trace for errors only’ option is available for system-wide trace as well as for local trace.
Activating the trace:
- Navigate to STAUTHTRACE.
- Select the type of trace (system-wide or local).
- Fill in the required fields, such as:
  - Trace for user only (single or multiple users)
  - Trace for errors only (based on the requirement)
  - Restrictions for the evaluations (if required)
- Activate the trace.
- Deactivate the trace once the user has replicated the steps.
- Evaluate the results for missing Tcodes, objects or values.
The trace results screen of STAUTHTRACE resembles that of ST01, but offers a few more options, such as User Buffer, CDS Access Control and a User icon (sixth from the left in the trace results toolbar) that opens the traced user in SU01 in display mode.
Tip: Export and Evaluate
SAP provides an "Export" option to download the trace results to a local folder for offline evaluation. Note that the user ID running the trace must itself hold the authorizations required for the trace transactions.
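Offline evaluation of an exported trace, as an added example that is neither SAP's code nor part of the original article. It covers both the return-code reading from the ST01 section above and the export tip here: it parses a constructed tab-separated export, collapses duplicate records, classifies RC 0/4/12 as described, builds the per-user worklist of object/field/value triples to look up in SUIM, and flags any other return code instead of treating it as missing access. The column names user/transaction/object/field/value/rc and the tab-separated layout are assumptions; real ALV exports differ by release and layout.

```python
"""Evaluate an exported authorization trace (ST01 / STAUTHTRACE) offline.

Added example, not SAP code. Assumes a tab-separated export with a header
row naming the columns user, transaction, object, field, value, rc (an
assumption; adjust COLUMNS to the real export header).
"""
from collections import defaultdict
from dataclasses import dataclass

# Return codes of the authorization check as described in the article.
# Anything else is not a plain "missing access" outcome and is flagged.
RC_MEANING = {
    0: "ok: check passed",
    4: "object in user buffer, but required field value missing",
    12: "object not in user buffer at all",
}

COLUMNS = ("user", "transaction", "object", "field", "value", "rc")

# Constructed sample export (not from a real system): a passed S_TCODE
# check (RC 0), missing values (RC 4), a missing object (RC 12) recorded
# twice, and one return code outside 0/4/12.
SAMPLE_EXPORT = """\
user\ttransaction\tobject\tfield\tvalue\trc
JDOE\tME23N\tS_TCODE\tTCD\tME23N\t0
JDOE\tME23N\tM_BEST_BSA\tACTVT\t03\t4
JDOE\tME23N\tM_BEST_BSA\tBSART\tNB\t4
JDOE\tME23N\tM_BEST_WRK\tACTVT\t03\t12
JDOE\tME23N\tM_BEST_WRK\tACTVT\t03\t12
ASMITH\tSU01\tS_USER_GRP\tACTVT\t02\t4
ASMITH\tSE16\tS_TABU_DIS\tACTVT\t03\t8
"""


@dataclass(frozen=True)
class Check:
    user: str
    tcode: str
    obj: str
    fld: str
    val: str
    rc: int


def parse_export(text, columns=COLUMNS):
    """Parse the export text into Check records, located via the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split("\t")]
    idx = {name: header.index(name) for name in columns}  # ValueError if a column is absent
    checks = []
    for line in lines[1:]:
        cols = line.split("\t")
        checks.append(Check(
            user=cols[idx["user"]].strip(),
            tcode=cols[idx["transaction"]].strip(),
            obj=cols[idx["object"]].strip(),
            fld=cols[idx["field"]].strip(),
            val=cols[idx["value"]].strip(),
            rc=int(cols[idx["rc"]]),
        ))
    return checks


def missing_access(checks, errors_only=True):
    """Group checks per user, keyed by (object, field, value).

    Repeated identical checks collapse into one entry, keeping the first
    transaction that triggered them. errors_only=True drops RC 0 records,
    like the "Error" option in the ST01 analysis.
    """
    result = defaultdict(dict)
    for c in checks:
        if errors_only and c.rc == 0:
            continue
        result[c.user].setdefault((c.obj, c.fld, c.val), (c.rc, c.tcode))
    return dict(result)


def describe(rc):
    """Meaning of a return code; codes other than 0/4/12 are flagged."""
    return RC_MEANING.get(rc, f"rc {rc}: not a plain missing-access result, inspect the check")


def suim_worklist(missing):
    """(user, object, field, value) tuples to look up in SUIM.

    Only RC 4 and RC 12 are actionable as missing access; other codes are
    left out so they do not turn into role-change requests by mistake.
    """
    return sorted(
        (user, obj, fld, val)
        for user, checks in missing.items()
        for (obj, fld, val), (rc, _tcode) in checks.items()
        if rc in (4, 12)
    )


def report(missing):
    """Plain-text report, one block per user."""
    out = []
    for user in sorted(missing):
        out.append(f"User {user}:")
        for (obj, fld, val), (rc, tcode) in sorted(missing[user].items()):
            out.append(f"  {tcode:<8} {obj:<12} {fld:<10} {val:<8} RC {rc:>2}  {describe(rc)}")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(report(missing_access(parsed)))
    print("SUIM worklist:", suim_worklist(missing_access(parsed)))
```

Export the trace from ST01 or STAUTHTRACE as a text or spreadsheet file, save it tab-separated, adjust COLUMNS to the real header names, and pass the file contents to parse_export. The worklist is what gets verified in SUIM and, after approval, added to a role; RC 0 records are only useful when you want to confirm which checks did pass for the user.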