Preliminary Steps
Before starting this process it is important to make sure that you and the user are logged onto the same system. In a logon load balanced environment it may be possible that you and the user may be on different application servers. Due to the buffers within SAP it is best to run on the same system to perform the trace.
Steps to align your logon application server to the user:
1. Execute transaction AL08 - List of all logged on users
2. This will produce a list of all users logged on to all systems.
3. List of all logged on users. To find the user, do the following:
4. From the menu select System > List > Find
5. Once found then identify the application server (active instance) that the user is logged into.
Switch to users application server
1. Run transaction SM51 – List of SAP Servers.
2. Select the correct instance by selecting it (clicking once).
3. Select menu item Goto, then Remote logon:
4. You will immediately be logged onto the requested instance.
5. Now you can begin the trace process.
How to Run System Trace
The trace should be done in the Integration/Test environment. If you are tracing a CPIC or Batch user id, then the id should have been assigned SAP_ALL and SAP_NEW prior to running the trace. This is to allow the user to run the job without any authorization check failure.
Running the trace transaction (ST01) will impact system performance. Use it sparingly and be sure to stop the trace when finished.
Follow the step-by-step instruction below to execute system trace.
Setting Up Trace Parameters
1. Go to transaction ST01.
2. Put a check next to the Authorization check item:
3. Go to the Edit menu item, and select Write Options:
4. Check the Write to disk option, then hit the back button:
4. Next, go to the Edit menu item again, and then Filter, Shared:
5. Enter in the ID that you want to trace, then the Back button.
This is important, because if the trace is not restricted, then all users in the instance will be traced which will cause performance issues.
Performing the Trace
1. You are now ready to begin the trace. Have the users tell you when they are ready to begin. When they are ready, press the Trace On button:
2. When the user is finished, hit the Trace Off button.
3. To view the results, click on the File list button.
4. Double click on the trace file on the first line:
5. Next, select the Trace for authorization checks checkbox, then hit the Analyze button. This will reveal each authorization call as shown on Page 9.
Interpreting the Trace Results
1. Authorization objects are labeled "AUT" followed by a return code.
2. Return code "0" means that the authorization check was successful.
3. Return code "1" means that the authorization check failed.
In order to better analyze the data from the trace, downloading it to an external file is very useful. To can do this from the trace report screen, go to System > List > Save > Local File