SAP Authorization trace | SU53 | ST01 | STAUTHTRACE

If you are new to SAP security, you should know how to troubleshoot SAP authorization issues. We will cover the following SAP standard transactions for running an authorization trace:

  1. SU53 trace
  2. ST01 trace
  3. STAUTHTRACE

First, we will start with the most basic transaction, which is also the one most widely used by SAP end users when they face an authorization issue.

1. SU53

End users can execute this transaction right after they get an authorization error. SU53 shows them the last failed authorization check. We can also run SU53 to check the failed authorization of another user.

SU53 --> Authorization Values --> Other User

Enter the user name and execute.

Input value of User

But we cannot rely completely on the SU53 screen, as it reports only the last failed authorization check. There could be multiple failures before the user got the "no authorization" error, so we move on to the next option.

2. ST01 – System Trace

Using ST01, we can activate a system trace for a particular user and then ask the user to perform the steps for which he/she was getting the authorization issue.

Under Trace Components, select the option “Authorization check” and then click “General Filters”. A screen will pop up where you can specify the user or the transaction/program for which ST01 should capture the trace.

To activate the trace, click the “Trace on” button. This will start capturing the trace for the selected filter.
Once the user is done with the test, click “Trace off”. To evaluate the trace, click the “Analysis” button.

ST01 System trace

The output should look like this:

| hh:mm:ss:ms | Type | Lasts(us) | Object | Text |
|---|---|---|---|---|
| 20:22:32,099 | AUTH | | S_TCODE RC=04 | tcode=ST22;TCD=ST22;type=TR;name= ;reason3=X;contextid |
| 20:22:32,425 | AUTH | | S_DEVELOP RC=0 | tcode=ST22;OBJTYPE=ST22;ACTVT=03;DEVCLASS= ;OBJNAME= ;P_GROUP= ;type=TR |
| 20:22:32,437 | AUTH | | S_ADMI_FCD RC=0 | tcode=ST22;S_ADMI_FCD=ST22;type=TR;name=ST22;reason3=X;contextid |

You should look out for entries with return codes (RC) equal to 04 or 12.

0 Authorization check successful
4 Authorization check not successful
12 No authorization in user master record
40 The checked user does not exist
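
The following Python example is added here and is not part of the original article or any SAP tool. It reads ST01-style rows, keeps every AUTH entry whose return code is not 0 (so all failures are listed, not only the last one), and attaches the meaning from the list above. The tab-separated layout, the function names and the RC=12 sample row are assumptions constructed for illustration.

```python
import re

# Return-code meanings as listed in the article.
RC_MEANING = {
    0: "Authorization check successful",
    4: "Authorization check not successful",
    12: "No authorization in user master record",
    40: "The checked user does not exist",
}

# Constructed sample: the article's three rows plus one invented RC=12 row.
# Assumed layout: tab-separated time, type, duration, "object RC=nn", text.
SAMPLE_TRACE = (
    "20:22:32,099\tAUTH\t\tS_TCODE RC=04\ttcode=ST22;TCD=ST22;type=TR;name= ;reason3=X;contextid\n"
    "20:22:32,425\tAUTH\t\tS_DEVELOP RC=0\ttcode=ST22;OBJTYPE=ST22;ACTVT=03;DEVCLASS= ;OBJNAME= ;P_GROUP= ;type=TR\n"
    "20:22:32,437\tAUTH\t\tS_ADMI_FCD RC=0\ttcode=ST22;S_ADMI_FCD=ST22;type=TR;name=ST22;reason3=X;contextid\n"
    "20:22:33,010\tAUTH\t\tS_DEVELOP RC=12\ttcode=ST22;OBJTYPE=ST22;ACTVT=03;type=TR\n"
)

OBJ_RC = re.compile(r"^(\S+)\s+RC=(\d+)$")


def parse_fields(text):
    """Split 'KEY=VALUE;KEY=VALUE' into a dict; bare tokens map to ''."""
    pairs = (part.partition("=") for part in text.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


def failed_checks(trace_text):
    """Return every AUTH row whose return code is not 0, in trace order."""
    failures = []
    for line in trace_text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5 or cols[1] != "AUTH":
            continue  # header, blank line, or another trace component
        match = OBJ_RC.match(cols[3].strip())
        if not match or int(match.group(2)) == 0:
            continue  # unparsable cell, or a successful check
        rc = int(match.group(2))  # "04" and "4" both become 4
        failures.append({"time": cols[0], "object": match.group(1), "rc": rc,
                         "meaning": RC_MEANING.get(rc, "Unknown return code"),
                         "fields": parse_fields(cols[4])})
    return failures


if __name__ == "__main__":
    for f in failed_checks(SAMPLE_TRACE):
        print(f["time"], f["object"], f"RC={f['rc']}", f["meaning"], f["fields"])
```

The `fields` dictionary of each failure holds the values that were checked, which is what you compare against the user's roles.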

The drawback of ST01 is that the trace is activated only on a particular application server. If the user is logged on to another server, ST01 will not capture any trace for them. To overcome this, make sure you are on the same server as the user. This applies to systems that have multiple application servers, where users are logged on randomly to any of the available servers (load balancing).

3. STAUTHTRACE

STAUTHTRACE solves the issue which we are likely to face in ST01. Using STAUTHTRACE, we can activate “System-wide Trace” and then select all the application servers.

STAUTHTRACE  system-wide trace

Click the “Select all” icon to select all the available servers. Enter the user for whom you want to set the filter. You may also set “Trace for errors only” so that only errors are traced and large trace files are avoided. After this, press “Activate Trace”. Once the user has finished the activity, deactivate the trace.

To get the trace result, click the “Evaluate” button. You will get the output below, which can be exported as a spreadsheet.

STAUTHTRACE evaluation result

You may also refer to the SAP SCN links below for more information on this topic:

https://wiki.scn.sap.com/wiki/display/PLM/Authorization+Trace+in+transaction+ST01
https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/92/7ac87d293a47d8a17368c9f45661f4/content.htm?no_cache=true
