STUSERTRACE: User trace for authorization checks

ST01 and STAUTHTRACE transactions can be used for short term in-depth authorization traces. The problem is that these traces are very detailed and generate a lot of data.

For some use cases, you need to know what authorizations are needed for a user for longer period of time. Example: you have some background users with too many authorizations and your are tasked to reduce this. Then you want to enable a long term trace that records which authorizations are used by this user ID. You are not interested in how many times and when, but just need a complete list over a very long time (for example 2 months). Another example is when you are tasked to S_TABU_NAM full * authorization with actual table names. How to find out which tables are actually needed?

This is the goal of the STUSERTRACE: long term recording of authorization checks called including detailed table level.

STUSERTRACE enabling settings

The activation is described in OSS note 2220030 – STUSERTRACE: User trace for authorization checks. The first step is to switch parameter auth/auth_user_trace to value F. There is an option to set to Y for full, but don’t do this since then you might run into performance issues. F is the value where filtering happens.

As explained in OSS note 2220030 there is a minor performance impact. To limit the impact, use filtering.

Now start transaction STUSERTRACE to set the filters:

Choose the Change Filter button to add filters:

In this case we add the standard SAP workflow user to trace.

STUSERTRACE results

After you let the trace run, you can use the STUSERTRACE transaction to see which authorization checks were executed for this user ID:

STUSERTRACE will also capture detailed table access down to actual table level:

This means this transaction STUSERTRACE can also be used help replace * values in S_TABU_NAM with the actual tables.

Reorganization of data

Reorganization of data to clean up can be done using menu function Goto/Reorganize:

Relevant OSS notes

Table logging

Table logging captures all table changes. This blog will answer the following questions:

  • How to activate table logging in general?
  • How to check if for specific table the logging is active?
  • How to check table changes for a specific customizing action?
  • How to check general table change?
  • How to delete table logging?
  • When not to use table logging?
  • How can I review table logging for audit purposes?

Table logging activation

In RZ11 system parameter Rec/Client determines the table logging for the complete system. Make sure the value is set to ALL.

See also OSS note 2437986 – SCU3 | How to enable logging in the system. And explanation note 3000730 – Impact on enabling table logging with profile parameter rec/client.

As of new S4HANA 2021 installations or upgrades the activation is done by default: 3093760 – Table Data Change Logs In ABAP Platform.

Table logging per table

In transaction SE11 enter the table you want to check and then go to the technical settings. As example table T000:

SE11 technical settings table logging

At the section Data Changes you can see that Log Changes has been activated.

Mandatory table logging

In OSS note 112388 – Tables with obligatory logging the mandatory table logging is explained. Which tables are logged is explained in OSS note 2543478 – SCU3 | Which tables are logged?.

If table logging is working properly is explained in OSS note 2523607 – SCU3 | How to check if logging is on.

How to view table changes?

The common way to view table changes is via transaction SCU3. At the start screen press the button analyze logs:

In the next selection screen enter the table to analyze. In this example we analyze table T000:

T000 table changes

Make sure to set the radio button to Tables. Output of the changes to table T000 then looks as follows:

T000 table changes output

Here you can see changes done by user ILLEGALUSER. At which date and time they were done, and the old and new value.

See also OSS note: 3311577 – SCU3 | How to find out, if table change logs exists for a specific time interval.

Bug fixes:

Checking table changes from customizing

If you are in a customizing action and you want to see who did perform changes, select the menu Utilities and then option Change Log. Select date and time frame to analyze and press Execute. As example here changes to Plant Definition (table T001W):

T001w changes

See also OSS note 3195801 – SPRO | SM30 | How to check the result of a customizing transport and 1834956 – SCU3 | How to enable logging for importing to the system via tp (or R3trans).

Custom tables and standard SAP tables

By default a lot of SAP configuration and important setting tables have the log changes activated. But not all. It is not uncommon to activate table logging for standard SAP configuration tables important for your business. For important custom configuration Z tables you might want to activate table logging.

Table logging is not a replacement for change documents. Standard SAP generates change documents for changes to documents that must be kept for tracking and audit purposes. This is common for all major transnational objects and its underlying tables. That is why for example for an important table like VBAK (sales order header) the table logging is off: change documents are already generated.

It is very bad practice to make use of table logging for business data reasons. Table logging is used for recording changes to configuration and if all theses logs are deleted there should be no business impact.

Background OSS note: 3153906 – SCU3 | How to enable logging for tables in customer name space.

Deletion of table logging

Table logging can be deleted with transaction SLG2.

Make sure only very limited amount of people have access to SLG2 and the below program SBAL_DELETE.

SLG2 can run for a long time. For background read OSS note 2507213 – SBAL_DELETE runs too long

Please be aware the deletion is cross client! See OSS note 3000914 – SCU3 | RSTBPDEL | Caution: The table is cross-client.

Other bug fix notes:

Review of table logging for audit

OSS note 112388 – SAP system audit | Tables requiring logging explains the audit relevance of table logging and explanation about program RDDPRCHK.

Table logging can be reviewed with program RDDPRCHK:

Bug fixes for RDDPRCHK:

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

For long term user tracing there is a different tool: STUSERTRACE. Read more in this blog.

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the transaction code is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE. Main note with references: 1603756 – Using STAUTHTRACE to record authorization checks.

Bug fix notes: