UME – Monitoring and Traces

Unfortunately, the UME doesn’t provide reporting capabilities as comprehensive as those provided by SUIM. The best bet for a security administrator in such a case is to refer to the security log files generated by the UME and stored at the OS level. The files can of course be checked at the OS level by someone with the appropriate permissions for the AS Java application server. More easily, they can also be viewed in the NetWeaver Administrator (NWA) with the appropriate UME roles. The NWA is available at the URL “http://:port/nwa” or can be accessed from the app server launchpad.

AS Java - NWA

Within the NWA, you can access the security log by following the menu path System Management > Monitoring > Logs and Traces > Expert View > Security Log. The security log can show actions like user creation, deletion, role assignment, password lock etc.

AS Java - NWA - Security Log

Since the security log stores all security-related log entries, you can use the filters option on the same screen to select the category that you need.

AS Java - NWA - Security Log - Filters

Authorization Trace in BW

The standard SAP authorization trace given by ST01 is not enough for troubleshooting security issues in BW reporting. An ST01 trace will show a basic reference for the two objects S_RS_COMP and S_RS_COMP1 to check access to the query and cube, but nothing further than that. SAP provides a completely new authorization trace through the RSECADMIN transaction to troubleshoot analysis authorizations. The error log button gets us to the authorization trace screen.

RSECADMIN - Analysis

Once we have “configured log recording” for the affected user, the system logs all OLAP data accesses made by the user.

RSECADMIN - Authorization Logs

Displaying the log data gets us into the following screen which shows the details of the security checks for the user.

RSECADMIN - Authorization Logs 2

The trace first displays the name of the InfoProvider and the query name that the user executed. Next, we have a list of characteristics in the cube for which the user has non-full (*) access, as these need to be checked at a more detailed level. Lastly, we have the authorization checks for these characteristics with non-full authorizations. It's this section of the trace that's typically the most helpful in troubleshooting authorization issues.

Security Trace

The Security Trace Tool (transaction ST01) provides a way to trace the complete sequence of security checks for a transaction. Since all checks are displayed, this is a much more foolproof way of investigating potential issues.

The trace needs to be set on the same application server as the user before the transaction starts. We can check this through SM51. From the initial screen of ST01, we enter appropriate filter conditions for our trace (mostly this is the user for whom we are checking access) and click the “trace on” button.

ST01 - Initial Screen

The user now executes the sequence of actions to replicate the error. At this point, we click the analysis button, select appropriate filter criteria for the trace file and finally display the trace file itself.

ST01 - Trace Analysis
ST01 - Trace Display

SU53 – Display Auth Data

Troubleshooting security issues is one of the daily tasks of any security administrator. The first method of investigating authorization failures is the ubiquitous SU53 transaction. It involves us asking the affected user to run the step(s) to replicate the issue and immediately on getting the error, execute /nsu53 through the command window. The screen-shots below show the sequence of actions.

The user tries to create another user through SU01 and gets an authorization error.

SU01- Create User

The user gets a pop-up with the message that he doesn’t have authorization to create a user.

SU01 - Authorization Error

Many times clicking the help button can provide important information about the background of the error.

SU01 Help Info

To get the SU53 screen, we execute /nsu53 from the command window immediately after getting the error. The SU53 window shows the last authorization check that returned a non-zero value (authorization failure) for the user.

SU53

The biggest limitation of SU53 is that it only shows the last authorization failure of a user. In a typical transaction, there can be an entire sequence of authorization checks, any of which might fail. To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).
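
The difference between the two views can be modelled in a few lines. This is an added example, not part of the original page: the records are constructed tuples rather than the real ST01 trace file layout, and the return codes are assumed to follow the AUTHORITY-CHECK convention (0 passed, 4 values do not match, 12 object not assigned to the user).

```python
# Constructed sample: one user's authorization checks in the order they ran.
# Each record is (authorization object, {field: checked value}, return code).
# Assumed return codes: 0 = passed, 4 = object assigned but values do not
# match, 12 = object not assigned to the user at all.
TRACE = [
    ("S_TCODE",    {"TCD": "SU01"}, 0),
    ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "01"}, 4),
    ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "01"}, 4),   # same check repeated
    ("S_USER_AGR", {"ACT_GROUP": "Z_BASIS", "ACTVT": "22"}, 12),
]


def _key(obj, fields):
    """Identity of a check: the object plus its sorted field/value pairs."""
    return (obj, tuple(sorted(fields.items())))


def su53_view(trace):
    """What SU53 reports: only the last check with a non-zero return code."""
    for obj, fields, rc in reversed(trace):
        if rc != 0:
            return (obj, fields, rc)
    return None


def st01_view(trace):
    """What a full trace reveals: every distinct failed check, in first-seen
    order, with the number of times it failed."""
    seen = {}
    for obj, fields, rc in trace:
        if rc == 0:
            continue
        entry = seen.setdefault(
            _key(obj, fields),
            {"object": obj, "fields": fields, "rc": rc, "count": 0},
        )
        entry["count"] += 1
    return list(seen.values())


def hidden_from_su53(trace):
    """Failed checks that the SU53 view never surfaces."""
    last = su53_view(trace)
    if last is None:
        return []
    last_key = _key(last[0], last[1])
    return [e for e in st01_view(trace)
            if _key(e["object"], e["fields"]) != last_key]


if __name__ == "__main__":
    print("SU53 shows:", su53_view(TRACE))
    for entry in hidden_from_su53(TRACE):
        print("Only in full trace:", entry)
```

In the sample, the SU53 view reports only the S_USER_AGR failure, while the repeated S_USER_GRP failure is visible only in the full sequence.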