Professional Documents
Culture Documents
Business Users who are actual business users working in the front-end
Each SAP ID needs access & authorization to deliver the duties allocated to the designated user to run
the daily business. During the job deliverables, users face authorization issues, which could be due to
access restricted to a certain level or no access at all. In such scenarios, by providing access to missing
authorizations, the issue can be resolved. But, how do we find the exact access that is missing for a
specific user?
ST01
STAUTHTRACE
Tracing Missing Access: Identifies the missing access through tracing tools and provides missing
access to the User ID.
SU53: Authorization check records the failed authorization objects against its value.
www.mouritech.com
SAP Security Authorization - Trace & Checks
The above screenshot refers to the missing objects and their values. Authorization object T_Admin
refers to missing values H1 for field ACTVT. In this case, User ID is missing with the values as shown
and SU53 records the value which is not assigned in SU56 (user buffer).
How to evaluate missing access from SU53 screenshot?
Ensure that the missing access is evaluated against the right User ID.
Request the user to share the latest screenshot to evaluate (check for the date and time).
Make sure that the information shared is about the right system, client and instance.
Once the required access is identified, the system (SUIM) is analyzed for roles related to missing access
and access with approvals is assigned.
If the analysis through SU53 doesn’t work, missing access can be traced through ST01.
In few cases, the users face critical authorization errors, which are not captured thorough SU53. Such
type of errors can be traced through ST01.
ST01 → General Filters → Trace for user only → Trace on → Check with user to replicate the steps
→ Trace off → Analysis
www.mouritech.com
SAP Security Authorization - Trace & Checks
Navigate to ST01 Tcode and opt for the type of trace component (in this scenario, it is Authorization
Check). Select general filters to choose the trace type (trace for user only), enter User ID - whose access
is missing, initiate the trace and instruct the user to replicate the steps. Upon completion, turn the
trace off and analyze the results.
Analyzing Trace: Once the user has replicated the steps, turn the trace off and click on “Analysis” as
shown in the above screenshot.
Key in the username and the select Authorization Check (All: for every recorded result, Error: for only
recorded errors) and execute.
www.mouritech.com
SAP Security Authorization - Trace & Checks
Return codes
RC 12 = User does not have required authorization object(s) and its value.
Apart from the authorization check, system trace can also be set for tracing the below components:
Kernel functions
General kernel
RFC calls
HTTP calls
Lock Operations
In order to trace either a specific component or multiple components together, flag the component
and provide the User ID for user-specific tracing.
Tracing can be performed specific to any process, user, transaction or program, which can be selected
through General Filters.
STAUTHTRACE: This is a system-wide trace to trace from all the available application servers at a given
time with options for filtering specific to user or application. Just as in ST01, we have an option
available in STAUTHTRACE to choose between local trace and system-wide trace.
System-wide trace: Enables us to trace across the system and is not restricted to a specific instance.
www.mouritech.com
SAP Security Authorization - Trace & Checks
Local Trace: Enables us to trace specific to an instance. Select the option from the list of available
servers and activate the trace.
‘Trace for errors only’ option is available for system-wide trace as well as for local trace.
www.mouritech.com
SAP Security Authorization - Trace & Checks
Deactivate the trace once the user has replicated the steps.
Missing Trace screen for STAUTHTRACE resemble ST01 page, compared to ST01 few more options are
available in STAUTHTRACE, such as User Buffer, CDS Access Control, User Icon (sixth icon from the left
in the trace results screen) which navigates to SU01 in display mode.
SAP provides the “Export” option to download & evaluate the trace results to the system folder.
However, to perform the trace, User ID has to be assigned along with the required authorizations.
sandeepv.in@mouritech.com
MOURI Tech
www.mouritech.com