SAP Authorization trace | SU53 | ST01 | STAUTHTRACE

If you are new to SAP security, then you should know the ways to troubleshoot SAP authorization issues. We will be covering below SAP standard transactions for enabling authorization trace :

  1. SU53 trace
  2. ST01 trace
  3. STAUTHTRACE

First, we will start with the most basic transaction which is most widely used by SAP end users when they face any authorization issue.

  1. SU53

End-user can execute this transaction just after they get an authorization error. SU53 will show them the last failed authorization check. We can also run SU53 to check the failed authorization for other users.

SU53 –> Authorization values –> other user

SU53 --> Authorization Values --> Other User

Enter the user name and execute.

Input value of User

But we cannot completely rely on the SU53 screen as this will only report the last failed authorization check. There could be multiple failures before the user got the no authorization error. So we move on to the next option.

2. ST01 – System Trace

Using ST01, we can activate a system trace for a particular user and then ask the user to perform the steps for which he/she was getting the authorization issue.

Under Trace Components –> select the option “Authorization check” and then click on “General Filters”. A screen will pop up, there you can provide details like which user or transaction/program you would like to set the filter for ST01 to capture the trace.

To activate the trace click on the “Trace on” button. This will start capturing the trace for the selected filter.
Once the user is done with the test, you can click on “Trace off” and to evaluate the trace click on the “Analysis” button

ST01 System trace

The output should be like as below:

hh:mm:ss:msTypeLasts(us)ObjectText
20:22:32,099AUTHS_TCODE RC=04tcode=ST22;TCD=ST22;type=TR;name= ;reason3=X;contextid
20:22:32,425AUTHS_DEVELOP RC=0tcode=ST22;OBJTYPE=ST22;ACTVT=03;DEVCLASS= ;OBJNAME= ;P_GROUP= ;type=TR
20:22:32,437AUTHS_ADMI_FCD RC=0tcode=ST22;S_ADMI_FCD=ST22;type=TR;name=ST22;reason3=X;contextid

You should look out for entries with Return codes (RC) equal to 04, 12

0 Authorization check successful
4 Authorization check not successful
12 No authorization in user master record
40 The checked user does not exist

The drawback of ST01 is that the trace is activated on a particular application server and suppose if the user is on another server then it won’t be able to take any traces on another server. To overcome this make sure you are on the same server as the user. This is applicable to systems that have multiple application servers and users are logged on randomly on any of the available servers (Load balancing).

3. STAUTHTRACE

STAUTHTRACE solves the issue which we are likely to face in ST01. Using STAUTHTRACE, we can activate “System-wide Trace” and then select all the application servers.

STAUTHTRACE  system-wide trace

Click on the “Select all” icon to select all the available servers. Enter the user on which you want to activate the filter. You may also set “Trace for errors only” so that it will only trace the errors and avoid big trace files from getting created. After this press “Activate Trace”. Post user activity, Deactivate the Trace.

To get the trace result, click on the “Evaluate” button. You will get the below output which can be exported as a spreadsheet.

STAUTHTRACE evaluation result

You may also refer to the below SAP SCN links for more information regarding this topic:

https://wiki.scn.sap.com/wiki/display/PLM/Authorization+Trace+in+transaction+ST01
https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/92/7ac87d293a47d8a17368c9f45661f4/content.htm?no_cache=true

2 thoughts on “SAP Authorization trace | SU53 | ST01 | STAUTHTRACE”

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top