Being a basis consultant , it was challenge to take up SAP APO security roles building exercise for an implementation project. I knew how to make roles and edit authorization objects for ECC, but that much information was not sufficient to find out authorization objects needed to control SAP APO functions.  Functional consultants started explaining me what all controls they need in their functionalities. A check at the SU22 screens was difficult process because of the lack of domain knowledge . Unfamiliar terms and codes were running on my head. Often the objects that I found with much pain was not the right one when we tested it . Functional consultants were not always available for our trial and error sessions.

I found that "authorization trace" of ST01 is the best and fastest way to find out right authorization objects. I asked the functional consultants to run functionalities  they want to put control on. I could watch their userids with trace produced at ST01.  But ST01 was too boring, I needed  much better tool to move fast and have more clarity.

STAUTHTRACE provide a neat formatting than ST01 for trace. I switched this on and asked functional consultant to execute the functionalities they needed. I found the authorization objects checked  in every functionalities by tracing what functional consultant was doing.

Example of how to use this function: Using STAUTHTRACE to customize SU01 functionality for unlock only

Description	Screenshot
Create a sample userid for functional consultant in quality system. Provide a role with desired functionality . Here for example we use SU01. Put on the trace for this user in transaction STAUTHTRACE
Provide userid in section Traceoptions-> Trace for user only.    Click on the button "activate trace " at upper pane
Then log in (TEST_TRACE)and execute all the function in SU01(for another user TEST_TRACE2). Here I have executed all the functions assign profile, reset password,lock,unlock.
After that you can display the trace in transaction code stauthtrace by clicking the button
In the upper pane. You can see the results as mentioned below
Here you can see the authorization object S_USER_GRP is checked and the activities were 02,05. If you can edit these activities for a role which has got SU01 transaction code assigned to it, you can use this role to control activities of users.
Make sure to put in a copy of standard node (S_USER_GRP) and not to edit the standard node - this is the best practice.
Select activity 5 to provide access for unlock/lock. Disable the standard node and only retain manual node of S_USER_GRP
Save, generate profile and exit.
Execute the user comparison in pfcg for the user.
Login as test_trace. Execute all the functions on SU01. Check  the trace log again . Failed authorization checks are displayed in red. If it was a webdynpro screen, you could have seen Webdynpro in column 'Type'

By this method you can trace activity of the users by assigning any transaction code. This gives you insight into what all authorization objects are being checked while the functional consultant executes certain functions. This will help a team of security and functional consultants easily find the authorization controls required. It is much easier, accurate and faster method compared to breaking your head on analyzing description of each authorization object in SU22 . We have completed a SAP APO role building project by this method. Kindly do provide your suggestions and questions.