From SAP_BASIS 7.40 SP16 SAP has been release a new tool for trace user authorization "long-term" trace.
What is it and how works?
STUSERTRACE how works and how should be consumed?
To analyze authorization error you could use transaction ST01 (obsolete) and STAUTHTRACE however a new tool exist from SAP (SAP_BASIS 7.40 SP16) transaction STUSERTRACE.
Why the advantage to use STUSERTRACE?
- It could be activated on multiple users at the same time
- It could be activated for different Type of Application: Background Job, RFC modules, Transactions, TADIR Service, External Service
- It could be activated longer or even permanently
- It is activated on all servers
- It Records the activities performed only once so less memory is used
- It doesn’t interfere with the traces of Basis Team and Developers
How to activate the trace using STUSERTRACE transaction?
Trace could be activated from RZ11 by modifying the parameter auth/auth_user_trace.Usually done by basis team.
In the following picture the parameter is disabled
The parameter allows the following values:
- N: Trace disabled
- Y: Trace enabled for all users: trace is active for all users and all type of application
- F: Trace enabled with filter (the filter is set directly through transaction STUSERTRACE). Trace is active only for the users or type of application to be monitored
- The maximum number of users to be set in the filter, by standard, is 10 but the limit could be extended up to 1000 by modifying from SM30 table USR_CUST, parameter STUSERTRACE_MAX_USER
When could be useful use it?
- Dialog users: to quickly resolve final users’ authorization errors trace could be activated to detect directly the missing authorizations without requiring SU53 error screen
- Technical users: Usually SAP_ALL (or equivalent roles) is assigned to the technical users. Monitoring the activities performed by these users for few months the wide profile could be removed and replaced by specific roles containing all the necessary authorizations
- New implementations: in the new systems SAP_ALL (or equivalent roles) is assigned to consultants and IT. Even in this case, by monitoring the activities performed by these users for few months the wide profile could be removed and replaced by specific roles containing all the necessary authorizations
How to delete logs?
Can happen to generate a lot of logs. For that reason a feature exist to clean up the generated logs.
Data stored by trace can be deleted to save storage space as all the activities performed are traced since the trace has been activated (only the first time is recorded)
Goto –> Reorganize: Insert users and the period of time to be deleted (there is the possibility to do it in Test mode first and then definitely)