Show TOC

Trace for Authorization ChecksLocate this document in the navigation structure

You can use a system trace or an authorization trace to record authorization checks and their values. This function supports you when maintaining authorization default values (transactions SU22 and SU24) and when maintaining authorization data for roles (transaction PFCG).

The following traces are available:

  • Authorization trace (transactionSTUSOBTRACE)

    Long-term trace that collects data across clients and user-independently and stores it in the database. During the execution of a program, as soon as the trace finds an authorization check that has not yet been recorded in connection with the current application, it creates a corresponding entry in the trace database table. Test the application as thoroughly as possible to obtain meaningful trace data. To be able to evaluate the trace, activate it (see SAP Note 543164 Information published on SAP site) and execute the significant actions (locally or in the target system).

  • System trace (transaction ST01 or STAUTHTRACE)

    Short-term trace that collects authorization data client-dependently and only on the current application server.

  • User trace for authorization checks (transaction STUSERTRACE)

    This long-term trace collects client-specific and user-specific authorization data, and stores it in the database.

    During the execution of a program, every authorization check is recorded exactly once for each user with the first time stamp, together with the name and type of the running application, the point in the program, the authorization object, the checked authorization values, and the result.