STUSERTRACE: New tracing option (Authorization trace for user)
When it comes to troubleshooting access issues, the first thing that comes to mind is ST01 (the old method) and, if you are aware of newer developments by SAP, STAUTHTRACE. SAP has developed a few more tracing options, which are available from SAP 7.4 onwards. One of them, and the most useful one, is STUSERTRACE.
STUSERTRACE is a long-term trace, unlike ST01 which interferes with BASIS and Development team’s other tracing options and can only be activated for shorter periods.
Activation: Activating this trace requires a parameter to be set in RZ10 in the DEFAULT.PFL profile, which needs a system restart. Luckily, the parameter is dynamic, so it can be set in RZ11 as well. But once the system is restarted, the parameter reverts to the value maintained in the RZ10 DEFAULT.PFL profile.
SAP has provided very good documentation for this new tracing option. I will first talk about the advantages of STUSERTRACE and possible use cases, paste the screenshot of the SAP documentation, and then talk about the parameter options.
Advantages of STUSERTRACE over ST01 and STAUTHTRACE:
- Can be activated for longer times or even permanently.
- Can be activated for multiple users.
- Can be activated for different types of applications, viz. background jobs, RFC modules, transaction codes, etc. For example, activate it for a batch user for the background job application type only.
- No interference with Developer/SQL trace.
- Activated on all servers.
- Records each action exactly once, saving space.
Use Cases –
- New implementation – Everyone must have faced this: as soon as a new system is installed, unless you upload roles from the previous system, you end up assigning SAP_ALL to the developers/functional consultants. So SAP_ALL can be given to them with this trace activated and, a few weeks later, the trace data can be uploaded into a new role, which is then assigned to them.
- Batch user roles – Almost everywhere, batch users (step users for jobs) have broad access roles, almost equivalent to SAP_ALL. So the trace can be activated for batch users, and a new role can be assigned to the batch user.
- Normal access issue – It can be activated for dialog users as well to troubleshoot access issues. Pro tip – on systems where the user base is only 100-200 users, it can be activated for everyone, and access issues can be resolved quickly.
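The first two use cases come down to turning recorded authorization checks into a narrower role. The sketch below is an added example, not SAP code or part of the original post: it aggregates trace rows per authorization object and compares them with what a broad role grants. The CSV layout, column names, user BATCH01, job ZNIGHTLY and the sample values are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the CSV layout and column names are assumptions for
# this example, not the actual STUSERTRACE export format.
SAMPLE_EXPORT = """user,app_type,app_name,object,field,value
TEST1,Transaction,SU01,S_TCODE,TCD,SU01
TEST1,Transaction,SU01,S_USER_GRP,ACTVT,05
TEST1,Transaction,SU01,S_USER_GRP,CLASS,TESTGRP
TEST1,Transaction,SU01,S_USER_GRP,ACTVT,05
TEST1,Transaction,PFCG,S_TCODE,TCD,PFCG
TEST1,Transaction,PFCG,S_USER_AGR,ACTVT,01
TEST1,Transaction,PFCG,S_USER_AGR,ACT_GROUP,ZTEST_ROLE
TEST2,Transaction,SU01,S_TCODE,TCD,SU01
BATCH01,Background job,ZNIGHTLY,S_BTCH_JOB,JOBACTION,RELE
"""

def propose_role(export_text, user, app_types=None):
    """Return {auth_object: {field: sorted values}} actually checked for user."""
    proposal = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user"] != user:
            continue
        if app_types and row["app_type"] not in app_types:
            continue  # e.g. keep only background-job checks for a batch user
        proposal[row["object"]][row["field"]].add(row["value"])  # set dedupes
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in proposal.items()}

def narrowing(granted, traced):
    """Map each granted object to the traced values that replace its grant.
    Objects never seen in the trace map to None (candidates for removal)."""
    result = {}
    for obj, fields in granted.items():
        if obj not in traced:
            result[obj] = None
            continue
        result[obj] = {f: traced[obj].get(f, []) for f in fields}
    return result

if __name__ == "__main__":
    traced = propose_role(SAMPLE_EXPORT, "TEST1")
    broad = {"S_USER_GRP": {"ACTVT": ["*"], "CLASS": ["*"]},
             "S_DEVELOP": {"ACTVT": ["*"]}}  # constructed broad role
    print(narrowing(broad, traced))
```

Anything not exercised while the trace was running (for example period-end jobs) is absent from the proposal, so review it before replacing the broad role.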
The parameter is dynamic and can be changed easily using RZ11. The possible values, as documented by SAP, are N, Y and F. Currently it is inactive, hence F, as seen in the first screenshot.
Parameter value Y -> The trace is now active for all users and all types of applications. I am creating 2 test users here, TEST1 and TEST2. Even if I set a filter for user TEST1, it will capture both users. I am using the TEST1 and TEST2 users to lock/unlock users.
(Trace set as Y, with Filter for user TEST1)
It captured for both the users.
Parameter value to F ->
Changing the parameter to F captures the trace only for the users/applications specified in the filter; you can also specify a pattern for users.
I used both users to create a new role and to lock/unlock users. For TEST1 it was recorded; for TEST2 it wasn't, as the filter was active for user TEST1 only.
Also, the lock/unlock activity was not captured again for the TEST1 user, as it was already there, and the timestamp was still the initial one.
Reorganizing/Deleting/Resetting the trace:
The trace can also be reset or deleted, completely or partially, by one or more of the options in the picture below: period, users, authorization object, type of application.
Because the Test Run option is checked, this only simulates the action and reports how many records would be deleted. Uncheck Test Mode to actually delete the trace.
I tried to cover everything related to this tracing option, please comment if anything else needs to be included too. Thank you guys.