STAUTHTRACE
Maybe I am being cynical here, but I would still say that it's very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched by using the tcode “STAUTHTRACE”.
The start screen for it is shown below.
As you can see from the opening screen itself, STAUTHTRACE allows us to start a trace for multiple app servers from a single screen. Most of us work on systems which have multiple app servers. Navigating to each server, starting a trace on each of them, checking which server the user accessed and finally switching off the trace in all servers is a royal pain. This is how the window looks once we try to start the trace on multiple servers. Since the screenshots are from a development box, only one server is shown on screen, but it does show all the app servers that are part of the system.
To start a trace, we can filter on the user or trace all users in the system and click the activate trace button. At this point we would ask the user whom we are trying to trace to start with the problem transactions and, once the error has been reproduced, we would deactivate the trace using the corresponding button from the toolbar or menu.
To view the authorization log, we enter appropriate selection criteria in the “Restriction for Evaluation” section and click the execute button. A typical authorization log would be something like the one shown below.
As you can see, the tabular format of the log is so much better than the old trace file. We can easily filter the results based on return codes or copy the entire log to an Excel file for further analysis. However, to my mind the killer feature of this new trace is the ability to drill down to the ABAP code where the actual authority-check statement is getting executed. To drill down, you need to double-click on one of the rows, or select a row and then follow the menu path Goto > Display Callpoints in ABAP Program. Following these steps in the above log allowed me to directly jump to the following piece of code where a custom authorization object was being checked in an enhancement.
Since I just found out about the transaction today, I am still exploring its various features. But even if I don’t find anything more, I would be very happy with whatever I have discovered till now. Thank you SAP :)
Thanks for sharing! :)
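The post mentions filtering the log on return codes or copying it out for further analysis. As an added example (not from the original post and not SAP code), the Python below groups the distinct failed checks in a copied-out log by user and authorization object, keeping the call point of each. The tab-separated layout, the column names and all sample users, values and program names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# sy-subrc values that AUTHORITY-CHECK returns and the trace records as RC.
RC_MEANING = {
    0: "check passed",
    4: "object assigned, but not with these field values",
    12: "no authorization for this object at all",
}

# Constructed sample export (tab-separated). Column names, users, objects and
# program names are assumptions for illustration, not a real system's log.
SAMPLE_EXPORT = "\n".join([
    "User\tObject\tRC\tValues\tProgram\tLine",
    "JDOE\tS_TCODE\t0\tTCD=VA01\tZSALES_MAIN\t40",
    "JDOE\tV_VBAK_AAT\t4\tACTVT=02;AUART=ZOR\tZSALES_MAIN\t212",
    "JDOE\tV_VBAK_AAT\t4\tACTVT=02;AUART=ZOR\tZSALES_MAIN\t212",
    "JDOE\tZ_CUST_OBJ\t12\tACTVT=03;ZREGION=EU\tZSALES_ENH\t17",
    "ASMITH\tS_TCODE\t0\tTCD=VA03\tZSALES_MAIN\t40",
])

def parse_trace(text):
    """Read the export into a list of dicts with an integer RC."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for row in rows:
        row["RC"] = int(row["RC"])
    return rows

def failed_checks(rows):
    """Group distinct failed checks (RC != 0) by (user, object)."""
    grouped = defaultdict(set)
    for r in rows:
        if r["RC"] != 0:
            grouped[(r["User"], r["Object"])].add(
                (r["RC"], r["Values"], r["Program"], int(r["Line"])))
    return {key: sorted(vals) for key, vals in grouped.items()}

def report(text):
    """Return one readable line per distinct failed check."""
    lines = []
    for (user, obj), checks in sorted(failed_checks(parse_trace(text)).items()):
        for rc, values, program, line in checks:
            why = RC_MEANING.get(rc, "see AUTHORITY-CHECK documentation")
            lines.append(f"{user} {obj} RC={rc} ({why}) [{values}] at {program}:{line}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Repeated failures of the same check collapse into one entry, so the output reads as a list of the authorizations to review rather than a raw replay of the trace.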
Thanks for sharing Aninda. I couldn’t find the option “System-wide trace” in our version of SAP – 702 patch 10. Can you please give more information of what version you are using? Thanks.
And there is a typo in the 1st paragraph.
The new transaction can be launched by using the tcode “RSAUTHTRACE” – should be STAUTHTRACE (guess you are obsessed with BW security :) )
Hi Aninda,
Thank you for sharing this. Can you please let me know if only one admin can turn on the trace at a time.
Regards,
R.K
Only one trace per server!
Hi, can we know which enhancement package it is available in?
Sorry, I don’t know the answer!
Hi Aninda,
Could you tell me what is the functionality of Evaluate Extended Passport option present in the initial screen of the Transaction code- ‘STAUTHTRACE’.
Guys,
This t-code can be available with the ECC 6.0 EHP6 version.
I found this for SP level:
“You will get a nice version with NW Basis 700 SP27, 701 SP12, 702 SP12, 730 SP8 and 731 SP5 (and it is of course part of NW740). See also SAP Note 1707841 and related Notes.”
http://scn.sap.com/thread/3441479
Hi Dred,
Thanks for looking this up and sharing with everyone.
Regards,
Aninda
Hi Aninda
Is there any table which stores ST01 data?
Like, who activated the trace for whom,
who did the last change, or the change history.
I would expect the current trace date to be captured in a table but never had a reason to investigate.
Hi Aninda,
Thank you very much for sharing. This is a great option to trace the user by selecting all application servers.
Thanks for sharing this information :)
Nice information.. Very Helpful
Hi,
We can use SM50 to jump to other servers, right, if we want to use the ST01 tcode?
Regards,
Venu.
Yes. You can use SM50 to jump to different servers. However, you would still need to enable the security trace on the servers individually.
Hi There,
If you liked STAUTHTRACE, check out STUSERTRACE; this is another very useful one (mainly during test phases).
Regarding the servers: you can switch on STAUTHTRACE directly for all servers in a system; you don't need to “jump” between servers. You just need to use the option “System Wide Trace”.
As per CDS-view related troubleshooting, STAUTHTRACE is the only way to go (excepting debugging).
Have a nice day
Regards
Olalla