STAUTHTRACE

Maybe I am being cynical here, but I would still say that it's very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched by using the tcode “STAUTHTRACE”.

The start screen for it is shown below.

STAUTHTRACE – Start Screen

As you can see from the opening screen itself, STAUTHTRACE allows us to start a trace for multiple app servers from a single screen. Most of us work on systems which have multiple app servers. Navigating to each server, starting a trace on each of them, checking which server the user accessed and finally switching off the trace in all servers is a royal pain. This is how the window looks once we try to start the trace on multiple servers. Since the screenshots are from a development box, only one server is shown on screen, but it does show all the app servers that are part of the system.

STAUTHTRACE – Trace on multiple app servers from a single screen

To start a trace we can filter on the user or trace all users in the system and click the activate trace button. At this point we would ask the user whom we are trying to trace to start with the problem transactions and once the error has been reproduced, we would deactivate the trace using the corresponding button from the toolbar or menu.

To view the authorization log we enter appropriate selection criteria in the “Restriction for Evaluation” section and click the execute button. A typical authorization log would be something like the one shown below.

STAUTHTRACE – Authorization Trace Details

As you can see, the tabular format of the log is so much better than the old trace file. We can easily filter the results based on return codes or copy the entire log to an Excel file for further analysis. However, to my mind, the killer feature of this new trace is the ability to drill down to the ABAP code where the actual authority-check statement is getting executed. To drill down, you need to double click on one of the rows, or select a row and then follow the menu path Goto > Display Callpoints in ABAP Program. Following these steps in the above log allowed me to directly jump to the following piece of code where a custom authorization object was being checked in an enhancement.

STAUTHTRACE – Navigate to ABAP code
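Once the log has been copied out, the return-code filtering mentioned above can be repeated offline to get a de-duplicated list of failed checks per user. The following is an added example, not part of the original post or of SAP's tooling; the tab-separated layout, the column names and the Z_CUSTOBJ object with its ZREGION field are assumptions.

```python
import csv
import io
from collections import defaultdict

# AUTHORITY-CHECK return codes (sy-subrc) as shown in the trace's return code column.
RC_MEANING = {
    0: "check passed",
    4: "object assigned, field values not authorized",
    12: "no authorization for the object",
}

# Constructed sample: a trace list copied out as tab-separated text.
# Column names and the Z_CUSTOBJ object are assumptions for illustration.
SAMPLE_EXPORT = (
    "User\tObject\tRC\tValues\n"
    "JDOE\tS_TCODE\t0\tTCD=VA01\n"
    "JDOE\tV_VBAK_AAT\t4\tAUART=ZOR;ACTVT=01\n"
    "JDOE\tV_VBAK_AAT\t4\tAUART=ZOR;ACTVT=01\n"
    "JDOE\tZ_CUSTOBJ\t12\tZREGION=EU;ACTVT=02\n"
    "ASMITH\tS_TCODE\t0\tTCD=SU01\n"
    "ASMITH\tS_USER_GRP\t4\tCLASS=SUPER;ACTVT=02\n"
)

def failed_checks(export_text):
    """Return {user: [(object, rc, {field: value}), ...]} for RC != 0, de-duplicated."""
    seen = set()
    result = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        rc = int(row["RC"])
        if rc == 0:
            continue
        key = (row["User"], row["Object"], rc, row["Values"])
        if key in seen:  # the same check is usually traced many times
            continue
        seen.add(key)
        fields = dict(p.split("=", 1) for p in row["Values"].split(";") if p)
        result[row["User"]].append((row["Object"], rc, fields))
    return dict(result)

def report(export_text):
    """One line per distinct failed check, sorted by user."""
    lines = []
    for user, checks in sorted(failed_checks(export_text).items()):
        for obj, rc, fields in checks:
            vals = ", ".join(f"{k}={v}" for k, v in fields.items())
            lines.append(f"{user}: {obj} RC={rc} ({RC_MEANING.get(rc, 'other failure')}) [{vals}]")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```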

Since I just found out about the transaction today, I am still exploring its various features. But even if I don’t find anything more, I would be very happy with whatever I have discovered till now. Thank you SAP 🙂

18 thoughts on “STAUTHTRACE”

  • November 22, 2013 at 6:50 pm

    Thanks for sharing! 🙂

  • November 23, 2013 at 3:24 am

    Thanks for sharing Aninda. I couldn’t find the option “System-wide trace” in our version of SAP – 702 patch 10. Can you please give more information of what version you are using? Thanks.

    And there is a typo in the 1st paragraph.

    The new transaction can be launched by using the tcode “RSAUTHTRACE” – should be STAUTHTRACE (guess you are obsessed with BW security 😉 🙂

  • November 25, 2013 at 1:16 pm

    Hi Aninda,

    Thank you for sharing this. Can you please let me know if only one admin can turn on the trace at a time.

    Regards,
    R.K

    • December 9, 2013 at 2:38 pm

      Only one trace per server!

  • December 13, 2013 at 8:35 am

    Hi, can we know in which enhancement package it is available?

    • January 27, 2014 at 7:59 pm

      Sorry, I don’t know the answer!

  • April 11, 2014 at 7:43 am

    Hi Aninda,

    Could you tell me what is the functionality of Evaluate Extended Passport option present in the initial screen of the Transaction code- ‘STAUTHTRACE’.

  • April 11, 2014 at 7:44 am

    Guys,

    This t-code can be available with the ECC 6.0 EHP6 version.

  • April 14, 2014 at 6:53 pm

    I found this for SP level:

    “You will get a nice version with NW Basis 700 SP27, 701 SP12, 702 SP12, 730 SP8 and 731 SP5 (and it is of course part of NW740). See also SAP Note 1707841 and related Notes.”

    http://scn.sap.com/thread/3441479

    • April 16, 2014 at 10:14 am

      Hi Dred,

      Thanks for looking this up and sharing with everyone.

      Regards,
      Aninda

  • June 17, 2014 at 8:00 am

    Hi Aninda

    Is there any table which stores ST01 data?

    Like, who activated the trace for whom,
    who did the last change, or the change history.

    • September 26, 2014 at 2:03 pm

      I would expect the current trace date to be captured in a table but never had a reason to investigate.

  • July 1, 2014 at 3:31 am

    Hi Aninda,

    Thank you very much for sharing. This is a great option to trace the user by selecting all application servers.

  • August 31, 2014 at 4:14 pm

    Thanks for sharing this information 🙂

  • October 7, 2014 at 11:40 am

    Nice information.. Very Helpful

  • October 10, 2014 at 7:45 am

    Hi,

    We can use SM50 to jump to other servers, right? If we want to use the ST01 tcode.

    Regards,
    Venu.

    • October 29, 2014 at 4:30 pm

      Yes. You can use SM50 to jump to different servers. However, you would still need to enable the security trace in the servers individually.

  • July 23, 2020 at 2:43 am

    Hi There,

    If you liked STAUTHTRACE, check out STUSERTRACE; this is another very useful one (mainly during test phases).

    Regarding the servers: you can switch on STAUTHTRACE directly for all servers in a system, you don't need to “jump” between servers. You just need to use the option “System Wide Trace”.

    As per CDS-view related troubleshooting, STAUTHTRACE is the only way to go (excepting debugging).

    Have a nice day

    Regards
    Olalla
