Saturday, 16 March 2013

Performing Authorization Traces in 4.6 Using ST01



Preliminary Steps

Before starting this process, make sure that you and the user are logged on to the same application server. In a logon load-balanced environment it is quite possible that you and the user land on different application servers. The ST01 trace runs on, and records only, the instance you are logged on to, so you must run it on the instance the user is actually working on.

Steps to align your logon application server with the user's:

1.    Execute transaction AL08 - List of all logged on users. This produces a list of all users logged on to all instances of the system.
2.    To find the user, select System > List > Find from the menu and search for the user ID.
3.    Note the application server (active instance) that the user is logged on to.

Switch to the user's application server

1.    Run transaction SM51 – List of SAP Servers.
2.    Select the correct instance by clicking it once.
3.    Select menu item Goto, then Remote logon.
4.    You will immediately be logged on to the requested instance.
5.    Now you can begin the trace process.

How to Run System Trace

The trace should be run in the integration/test environment. If you are tracing a CPIC or batch user ID, assign SAP_ALL and SAP_NEW to the ID before running the trace. The job then runs through without any authorization check failing, so the trace records every object and value the job actually needs (all with return code 0) instead of stopping at the first failed check. Because SAP_ALL is a full-system profile, do this only in the test environment and remove it from the ID again as soon as the trace is complete.
Running the trace transaction (ST01) impacts system performance. Use it sparingly and be sure to stop the trace when you are finished.
Follow the step-by-step instructions below to execute the system trace.

Setting Up Trace Parameters
1.    Go to transaction ST01.
2.    Put a check next to the Authorization check item.
3.    Go to the Edit menu and select Write Options.
4.    Check the Write to disk option, then hit the Back button.
5.    Next, go to the Edit menu again, then Filter, Shared.
6.    Enter the user ID that you want to trace, then hit the Back button.
This step is important: if the trace is not restricted, every user on the instance is traced, which causes performance problems and buries the checks you are interested in among everyone else's.


               
Performing the Trace

1.    You are now ready to begin the trace. Have the user tell you when they are ready to begin. When they are ready, press the Trace On button.
2.    When the user is finished, hit the Trace Off button.
3.    To view the results, click the File list button.
4.    Double-click the trace file on the first line.
5.    Next, select the Trace for authorization checks checkbox, then hit the Analyze button. This lists each authorization check that was performed during the trace.



Interpreting the Trace Results
1.    Authorization checks are labelled "AUT", followed by the authorization object, a return code (RC) and the field values that were checked.
2.    Return code 0 means that the authorization check was successful.
3.    Any other return code means that the check failed. The two you will see most often are 4 (the user has an authorization for the object, but not for the field values that were checked) and 12 (the user has no authorization for the object at all). Read the return code together with the field values on the same line: that combination is exactly what is missing from the user's roles.

To analyze the trace data further, download it to an external file. From the trace report screen, go to System > List > Save > Local File.
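Once the list is saved locally, what you actually want from it is the set of failed checks, grouped by object and field value, with the duplicates that a real session produces collapsed. The following Python script is an added example, not part of the original post and not an SAP tool. It assumes a simplified line layout for the saved trace (object, RC=code, FIELD=value pairs separated by semicolons); the sample lines are constructed for the example and the real ST01 list export is column based, so adapt LINE_RE to the columns of your own file.

```python
"""Summarise failed authorization checks from a saved ST01 trace list.

Added example, not SAP code. It assumes a simplified line layout,
constructed for this example:
    AUT <object> RC=<return code> <FIELD>=<value>;<FIELD>=<value>...
A real ST01 list export is column based; adjust LINE_RE to match it.
"""
import re
from collections import defaultdict

# Return codes as they appear in the AUT lines (AUTHORITY-CHECK sy-subrc).
RC_MEANING = {
    0: "success",
    4: "authorization for the object exists, but not for these field values",
    12: "no authorization for this object at all",
}

LINE_RE = re.compile(r"^AUT\s+(?P<object>\S+)\s+RC=(?P<rc>\d+)\s*(?P<fields>.*)$")

# Constructed sample: a user creating a purchase order fails on document
# type NB and on plant 1000. The second S_TCODE line is a deliberate
# duplicate, because a trace of a real session contains many repeats.
SAMPLE_TRACE = """\
AUT S_TCODE RC=0 TCD=ME21N
AUT M_BEST_BSA RC=4 ACTVT=01;BSART=NB
AUT M_BEST_EKO RC=0 ACTVT=01;EKORG=1000
RFC constructed-non-AUT-line-ignored
AUT M_BEST_WRK RC=12 ACTVT=01;WERKS=1000
AUT S_TCODE RC=0 TCD=ME21N
"""


def parse_trace(text):
    """Return one dict per AUT line: object, rc (int), fields ({FIELD: value})."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other trace types (RFC, table buffer, ...) are skipped
        fields = {}
        for pair in filter(None, m.group("fields").split(";")):
            name, _, value = pair.partition("=")
            fields[name.strip()] = value.strip()
        entries.append({"object": m.group("object"), "rc": int(m.group("rc")),
                        "fields": fields})
    return entries


def failed_values(entries):
    """Field values of failed checks, grouped by object and de-duplicated.

    The result is what the user's roles are missing, i.e. what you would
    maintain in the role (or, if it should apply everywhere, in SU24).
    """
    missing = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e["rc"] == 0:
            continue
        for name, value in e["fields"].items():
            missing[e["object"]][name].add(value)
    return {obj: dict(fields) for obj, fields in missing.items()}


def report(entries):
    """One readable line per AUT entry; returned so callers can inspect it."""
    lines = []
    for e in entries:
        meaning = RC_MEANING.get(e["rc"], "failed (other return code)")
        values = ";".join(f"{k}={v}" for k, v in e["fields"].items())
        lines.append(f"{e['object']:<12} RC={e['rc']:<3} {values:<28} {meaning}")
    return lines


if __name__ == "__main__":
    entries = parse_trace(SAMPLE_TRACE)
    print("\n".join(report(entries)))
    for obj, fields in sorted(failed_values(entries).items()):
        print(f"missing: {obj} {fields}")
```

Only non-zero return codes contribute to the missing-values summary, so the successful S_TCODE and M_BEST_EKO checks drop out and the two objects left are the ones to maintain in the role.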

SU24 Concept

•Transaction SU24 maintains the tables USOBT_C and USOBX_C (the customer versions of the SAP-delivered USOBT and USOBX). These tables hold the relationships between a transaction and its authorization objects. You can add or remove the checks performed in the transaction by changing the appropriate check indicator.
•The benefit of SU24 shows when transactions are added to or deleted from roles using the Profile Generator (PFCG).
•When new transactions are added, the Profile Generator adds all authorization values maintained in SU24 for the transaction(s).
•When a transaction is deleted, the Profile Generator removes all authorization values that are maintained in SU24 for the transaction.
•Activities performed in SU24:
  •Check/maintain authorization values
  •Addition of an authorization object to a tcode
  •Deletion of an authorization object from a tcode
Check Ind.    | Proposal | Meaning           | Explanation
--------------|----------|-------------------|-----------------------------------------------------------------
Check         | YS       | Check/Maintained  | The object is inserted into the role along with its values. The object is checked with those values at runtime of the transaction.
Check         | NO       | Check             | The object is not inserted into the role. The object is still checked, along with its values, at runtime of the transaction.
Do not check  | NO       | Do not check      | The object is not inserted into the role and no check is performed on it at runtime of the transaction.
Status texts for authorizations in the role
Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.
Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.
Changed: The proposed value of at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.
Manual: At least one authorization in the subordinate hierarchy levels was maintained manually (it was not proposed by the Profile Generator).
Effect of SU24 changes in roles
•Authorization objects are maintained in SU24 per transaction code. When a transaction code is added to a role, only the authorization objects maintained for that tcode with check indicator "Check" and proposal "YS" are added to the role.
1)  Adding tcodes to a role
•When a new tcode is added to a role, going into either Change authorization data or Expert mode gives the same result: all the authorizations maintained for the tcode at SU24 level are added to the role.
•The program adds new standard authorizations for objects in the role if the authorization default values contain objects that did not previously exist in the role, or that only had authorizations in the status Changed or Manual.
•A new standard authorization is not included if both authorizations contain identical authorizations in the status Standard, and the fields maintained in the old authorization are empty in the new standard authorization.
•If there were already authorizations in the status Maintained (active or inactive) or inactive Standard authorizations before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether the new standard authorizations must be extended.
Changing SU24 values for a tcode
If the authorization data for a tcode is changed in SU24 and the tcode is already present in the role, only Expert mode with the option to read the old data and compare it with the new data picks up the additional changes. Change authorization data does not pull the new SU24 data for a tcode that is already in the role.
2) Removing tcodes from the role
When you remove transactions from the role menu, this has the following effect on the authorizations.
•A standard authorization whose associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies to both active and inactive standard authorizations.
•Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.
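To see how the check indicator, the proposal flag, the four status texts and the add/remove merge rules above interact, here is a small Python model of the merge. It is an added example, not SAP or PFCG code; the SU24 proposals in it are constructed for the example rather than the real defaults for ME21N and ME23N, and field values are simplified to single strings. It implements exactly the rules stated on this page: only Check/YS entries are proposed into the role; adding a tcode reuses an identical Standard or Maintained default and otherwise creates a new standard authorization (Changed and Manual never count as existing); filling an empty field gives Maintained and overriding a proposed value gives Changed; removing a tcode drops the standard authorizations that only it proposed while Changed and Manual survive; and the expert-mode re-read picks up SU24 changes for tcodes already in the menu, which a plain add of the tcode does not.

```python
"""Model of how the Profile Generator merges SU24 proposals into a role.

Added example, not SAP code. An SU24 entry is (object, check indicator,
proposal, {field: value}); a role authorization carries a status of
Standard, Maintained, Changed or Manual. Values are single strings.
"""

# Constructed SU24 proposals (tcode -> entries), not the real SAP defaults.
# Only check indicator "Check" with proposal "YS" is pulled into a role;
# "Check"/"NO" is checked at runtime but not proposed, "Do not check" is neither.
SU24 = {
    "ME21N": [
        ("M_BEST_BSA", "Check", "YS", {"ACTVT": "01", "BSART": ""}),
        ("M_BEST_EKO", "Check", "YS", {"ACTVT": "01", "EKORG": ""}),
        ("M_BEST_WRK", "Check", "NO", {"ACTVT": "01", "WERKS": ""}),
        ("F_BKPF_BUK", "Do not check", "NO", {}),
    ],
    "ME23N": [
        ("M_BEST_BSA", "Check", "YS", {"ACTVT": "03", "BSART": ""}),
        ("M_BEST_EKO", "Check", "YS", {"ACTVT": "03", "EKORG": ""}),
    ],
}

FROM_DEFAULTS = ("Standard", "Maintained")  # derived from SU24, follow the merge
KEPT_ALWAYS = ("Changed", "Manual")         # never touched by the merge


def new_role():
    return {"menu": set(), "auths": []}


def _merge_proposals(role, tcode, su24):
    """Pull the Check/YS proposals of one tcode into the role."""
    for obj, check_ind, proposal, values in su24.get(tcode, []):
        if not (check_ind == "Check" and proposal == "YS"):
            continue
        # An identical default that is already present as Standard/Maintained
        # is reused; Changed or Manual authorizations do not count, so a new
        # standard authorization is created next to them.
        for auth in role["auths"]:
            if (auth["object"] == obj and auth["status"] in FROM_DEFAULTS
                    and auth["default"] == values):
                auth["sources"].add(tcode)
                break
        else:
            role["auths"].append({"object": obj, "status": "Standard",
                                  "default": dict(values), "values": dict(values),
                                  "sources": {tcode}})


def add_tcode(role, tcode, su24=SU24):
    """Add a tcode to the menu; Change authorization data and Expert mode agree here."""
    role["menu"].add(tcode)
    _merge_proposals(role, tcode, su24)


def expert_merge(role, su24=SU24):
    """Expert mode re-read: merge the current SU24 defaults of every tcode
    already in the menu, which is how later SU24 changes reach the role."""
    for tcode in sorted(role["menu"]):
        _merge_proposals(role, tcode, su24)


def remove_tcode(role, tcode):
    """Removing a tcode drops the standard authorizations only it proposed."""
    role["menu"].discard(tcode)
    for auth in role["auths"]:
        auth["sources"].discard(tcode)
    role["auths"] = [a for a in role["auths"]
                     if a["status"] in KEPT_ALWAYS or a["sources"]]


def set_value(role, obj, field, value, index=0):
    """Edit the index-th authorization for obj: filling a field that was empty
    by default makes it Maintained, overriding a proposed value makes it Changed."""
    auth = [a for a in role["auths"] if a["object"] == obj][index]
    if auth["status"] in FROM_DEFAULTS:
        auth["status"] = "Maintained" if auth["default"].get(field, "") == "" else "Changed"
    auth["values"][field] = value


def add_manual(role, obj, values):
    """An authorization inserted by hand, never proposed from SU24."""
    role["auths"].append({"object": obj, "status": "Manual", "default": {},
                          "values": dict(values), "sources": set()})


def summary(role):
    """(object, status, values) tuples in a stable order, for inspection."""
    return sorted((a["object"], a["status"], tuple(sorted(a["values"].items())))
                  for a in role["auths"])


if __name__ == "__main__":
    role = new_role()
    add_tcode(role, "ME21N")                     # BSA and EKO proposed, WRK and F_BKPF_BUK not
    set_value(role, "M_BEST_BSA", "BSART", "NB")  # empty field filled -> Maintained
    add_tcode(role, "ME23N")                     # different defaults -> two new Standard auths
    set_value(role, "M_BEST_EKO", "ACTVT", "*")   # proposed 01 overridden -> Changed
    add_manual(role, "M_BEST_WRK", {"ACTVT": "01", "WERKS": "1000"})
    remove_tcode(role, "ME21N")                  # Maintained BSA goes, Changed EKO stays
    for row in summary(role):
        print(row)
```

The walk-through in the main block reproduces the page's rules end to end: the Maintained M_BEST_BSA authorization that only ME21N proposed disappears when ME21N is removed, the Changed M_BEST_EKO and the Manual M_BEST_WRK survive, and the ME23N defaults are untouched. Running expert_merge with an amended SU24 dictionary is the only way a proposal added to SU24 after the tcode was already in the menu reaches the role.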


When to use SU24?

•To correct authorization objects that are not linked to transaction codes correctly.
•To correct authorization objects that have unacceptable default values.
•To change default values to ones that will always be appropriate for every role that will ever use the transaction. Leave a field blank in SU24 where different roles need different values; that field is then maintained in each role instead.