Skip to Content
Technical Articles
Author's profile photo Sahil Taneja

STUSERTRACE: New tracing option (Authorization trace for user)

When it comes to troubleshooting access issues, first thing comes to our mind is ST01 (old method) and if you are aware of new developments by SAP, then STAUTHTRACE. SAP has developed few more tracing options which are available in SAP 7.4 version onwards. One of them and the most useful one is STUSERTRACE.

STUSERTRACE is a long-term trace, unlike ST01 which interferes with BASIS and Development team’s other tracing options and can only be activated for shorter periods.

Activation: Activation of this trace requires a parameter to be set in RZ10 in DEFAULT.PFL profile, which obviously need a system restart. Luckily, this parameter is a dynamic parameter hence can be set in RZ11 as well. But once the system is restarted the parameter will again be set to the one maintained in RZ10 DEFAULT.PFL profile.

SAP has given very nice documentation around this new tracing option. I will fist talk about the advantages of STUSERTRACE, possible use cases, paste the screenshot of SAP documentation and then talk about parameter options.


Advantages of STUSERTRACE over ST01 and STAUTHTRACE:

  1. Can be activated for longer times or even permanently.
  2. Can be activated for multiple users.
  3. Can be activated for different type of applications, viz. Background jobs, RFC modules, Tcode etc. For example, activate it for batch user for only background job application.
  4. No interference with Developer/SQL trace.
  5. Activated in all servers
  6. Records actions exactly once saving space.

Use Cases –

  1. New implementation – Everyone must have faced this, as soon as the new system is installed, unless you upload roles from previous system, you end up assigning SAP_ALL to the developers/functional consultants.

So SAP_ALL can be given to them, this trace activated, and few weeks later, upload the            trace data in a new role and assign.

  1. Batch users roles –

Almost everywhere, batch users (step users for jobs) have the broad access roles, almost                  equivalent to SAP_ALL. So trace can be activated for batch users, and a new role can be                  assigned to the batch user.

  1. Normal access issue – It can be activated for dialog users as well to troubleshoot access issues. Pro Tip – sometimes there are systems where the user base is only 100-200 users, there it can be activated for everyone, and the access issues can be resolved quickly.


Now, the parameter is a dynamic one and can be changed easily using RZ11. The possible values as mentioned by SAP are, N, Y, F. Currently, it is Inactive, hence F as seen in first screenshot.


Parameter Value – Y -> Now the trace is active for all the users and all types of applications. I am creating 2 test users here, TEST1 and TEST2. Even if I put filter for TEST1 user, it will capture for both the users. I am using TEST1 and TEST2 users to lock/unlock users.

(Trace set as Y, with Filter for user TEST1)

It captured for both the users.

Parameter value to F ->

Changing the Parameter to F will capture the trace only for the users/apps mentioned in the filter, you can also mention the pattern for users.


Filter Options


Filter Options – Types of applications


Parameter value – F and active for TEST1 user


I used both the users to create new role and lock/unlock users. For TEST1 it was recorded for TEST2 it wasn’t, as the filter was active for user TEST1 only.

Plus, the lock/unlock activity was not captured for TEST1 user, as it as already there, and the timestamp was initial one.


Trace recorded only once with first timestamp.


Reorganizing/Deleting/Resetting the trace:

The trace can also be reset/deleted completely/partially for one/more options from below picture, Period, users, Auth Object, type of application.


Menu – More – Goto – Organize


Reorganizing for User TEST1

This will simulate the action and let you know how many records will be deleted since the Test Run Option is checked. Uncheck the Test Mode to delete the trace.


Trace deleted for user TEST1

I tried to cover everything related to this tracing option, please comment if anything else needs to be included too. Thank you guys.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Vinod Sonimindia
      Vinod Sonimindia

      Thanks Sahil for sharing this informative document very well explained.

      Author's profile photo James Low
      James Low

      Thanks for the informative article.  I believe that you have a small typo just above the first screenshot.  The text says "Currently, it is Inactive, hence F as seen in first screenshot." when I think that you meant ""Currently, it is Inactive, hence N as seen in first screenshot."  Cheers

      Author's profile photo PRASANNA Santhanam
      PRASANNA Santhanam

      Thanks Sahil for sharing the document.

      Small reconfirmation needed, even we maintain the parameter value in RZ11.whether system restart is needed.



      Prasanna S

      Author's profile photo Surapureddy Hema
      Surapureddy Hema

      Thank you for the information and keep posting like this .

      Author's profile photo Myra Gill
      Myra Gill

      Do you know the meaning of the 'Check for User' value in the report?

      Author's profile photo Ertugrul Öztürk
      Ertugrul Öztürk


      it seems that the parameter auth/auth_user_trace is not a system-wide one, so do we have to activate it on each instance consequently?


      Author's profile photo Surapureddy Hema
      Surapureddy Hema

      Thanks for the useful information.