Maybe I am being cynical here, but I would still say that it's very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched by using the tcode “STAUTHTRACE”.

The start screen for it is shown below.

STAUTHTRACE – Start Screen

As you can see from the opening screen itself, STAUTHTRACE allows us to start a trace for multiple app servers from a single screen. Most of us work on systems which have multiple app servers. Navigating to each server, starting a trace on each of them, checking which server the user accessed and finally switching off the trace on all servers is a royal pain. This is how the window looks once we try to start the trace on multiple servers. Since the screenshots are from a development box, only one server is shown on screen, but it does show all the app servers that are part of the system.

STAUTHTRACE – Trace on multiple app servers from a single screen

To start a trace we can filter on the user or trace all users in the system and click the activate trace button. At this point we would ask the user whom we are trying to trace to start with the problem transactions and once the error has been reproduced, we would deactivate the trace using the corresponding button from the toolbar or menu.

To view the authorization log, we enter appropriate selection criteria in the “Restriction for Evaluation” section and click the execute button. A typical authorization log would be something like the one shown below.

STAUTHTRACE – Authorization Trace Details

As you can see, the tabular format of the log is so much better than the old trace file. We can easily filter the results based on return codes or copy the entire log to an Excel file for further analysis. However, to my mind the killer feature of this new trace is the ability to drill down to the ABAP code where the actual authority-check statement is getting executed. To drill down, you need to double click on one of the rows, or select a row and then follow the menu path Goto > Display Callpoints in ABAP Program. Following these steps in the above log allowed me to directly jump to the following piece of code where a custom authorization object was being checked in an enhancement.

STAUTHTRACE – Navigate to ABAP code

Since I just found out about the transaction today, I am still exploring its various features. But even if I don’t find anything more, I would be very happy with whatever I have discovered till now. Thank you SAP 🙂

17 Replies to “STAUTHTRACE”

  1. Thanks for sharing Aninda. I couldn’t find the option “System-wide trace” in our version of SAP – 702 patch 10. Can you please give more information of what version you are using? Thanks.

    And there is a typo in the 1st paragraph.

    The new transaction can be launched by using the tcode “RSAUTHTRACE” – should be STAUTHTRACE (guess you are obsessed with BW security 😉 🙂

  2. Hi Aninda,

    Could you tell me what is the functionality of Evaluate Extended Passport option present in the initial screen of the Transaction code ‘STAUTHTRACE’?

  3. Hi Aninda

    Is there any table which stores st01 data?

    Like, who activated trace to whom,
    who did last change or change history

  4. Hi Aninda,

    Thank you very much for sharing. This is a great option to trace the user by selecting all application servers.

    1. Yes. You can use Sm50 to jump to different servers. However, you would still need to enable security trace in the servers individually
