You can use a system trace or an authorization trace to record authorization checks and their values. This function supports you when maintaining authorization default values (transactions SU22 and SU24) and when maintaining authorization data for roles (transaction PFCG).
The following traces are available:
Long-term trace that collects data across clients and user-independently and stores it in the database. During the execution of a program, as soon as the trace finds an authorization check that has not yet been recorded in connection with the current application, it creates a corresponding entry in the trace database table. This means that you need to test the application as completely as possible to obtain meaningful trace data. To be able to evaluate the trace, you need to activate it (more information: SAP Note 543164 ) and execute the significant actions (locally or in the target system).
System trace (transaction ST01 or STAUTHTRACE)
Short-term trace that collects authorization data client-dependently and only on the current application server. More information: Using the System Trace to Record Authorization Checks (Transaction STAUTHTRACE).