https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025537#M1898237 <HTML><HEAD></HEAD><BODY><P>Greetings Julius,</P><P></P><P>Thank you for the suggestion.</P><P>Though, kindly clarify the statement "<EM>y</EM><SPAN style="color: #333333; font-size: 12px;"><EM>ou can also mask names. eg. RFC*</EM>"? </SPAN></P><P><SPAN style="font-size: 10pt;">Did you mean using wildcard(s) on the <EM style="font-size: 12px; color: #333333; background: #ffffff;">Trace Options</EM>? Or had you implemented a logic in your custom program to mask the user name?</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Thank you.</SPAN></P></BODY></HTML> Thu, 23 Apr 2015 06:30:56 GMT former_member456858 2015-04-23T06:30:56Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025535#M1898235 <HTML><HEAD></HEAD><BODY><P>Greetings!</P><P></P><P>I would like to inquire if there are alternate transaction(s) or program(s) to enable authorization trace for multiple users. </P><P></P><P>Currently, we are looking at transaction <EM>STAUTHTRACE</EM>, and it seems that it only allows single user in the <EM>Trace Options</EM>. We found that an option to derive for select users is by setting them on the <EM>Restrictions for the Evaluation</EM> screen and leaving the field <EM>Trace for user only</EM> as blank. However, this is not the desired approach. If possible, the authorization trace should only be performed for the select users.</P><P></P><P>Thank you.</P></BODY></HTML> Wed, 22 Apr 2015 07:39:02 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025535#M1898235 former_member456858 2015-04-22T07:39:02Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025536#M1898236 <HTML><HEAD></HEAD><BODY><P>In addition to all user and single fully qualified user names, you can also mask names. eg. RFC*</P><P></P><P>But there are no select-options for lists.</P><P></P><P>We had the same challenges and developed our own programs for it to support select-options for lists and patterns which can also mask character sets within the user names. Eg. *RFC*. I could not find any way to do it in ST01.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Wed, 22 Apr 2015 20:12:04 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025536#M1898236 Former Member 2015-04-22T20:12:04Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025537#M1898237 <HTML><HEAD></HEAD><BODY><P>Greetings Julius,</P><P></P><P>Thank you for the suggestion.</P><P>Though, kindly clarify the statement "<EM>y</EM><SPAN style="color: #333333; font-size: 12px;"><EM>ou can also mask names. eg. RFC*</EM>"? </SPAN></P><P><SPAN style="font-size: 10pt;">Did you mean using wildcard(s) on the <EM style="font-size: 12px; color: #333333; background: #ffffff;">Trace Options</EM>? Or had you implemented a logic in your custom program to mask the user name?</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Thank you.</SPAN></P></BODY></HTML> Thu, 23 Apr 2015 06:30:56 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025537#M1898237 former_member456858 2015-04-23T06:30:56Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025538#M1898238 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>In <EM>STAUTHTRACE</EM> this option is available for evaluation of trace, you can mention the selected users please refer the below screen.</P><P><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/attachments/storage/7/jiveimages/690871" /></P><P></P><P>You can look for long term trace by activating param auth/authorization_trace with value F. refer sap note 1854561.</P><P></P><P>Thanks-</P><P>Guru</P></BODY></HTML> Thu, 23 Apr 2015 07:22:39 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025538#M1898238 Former Member 2015-04-23T07:22:39Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025539#M1898239 <HTML><HEAD></HEAD><BODY><P>Greetings Guru,</P><P></P><P>Thank you for the suggestion.</P><P></P><P>However, the desired approach is to designate select users <SPAN style="text-decoration: underline;">before</SPAN> activating the trace. This is to reduce the resource being consumed in the memory while the trace is active.</P><P></P><P>I believe the User select-option under <EM>Restrictions for the Evaluation</EM> is to filter the trace results after evaluation.</P><P></P><P>Thank you. </P></BODY></HTML> Thu, 23 Apr 2015 08:07:42 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025539#M1898239 former_member456858 2015-04-23T08:07:42Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025540#M1898240 <HTML><HEAD></HEAD><BODY><P>Exactly. You can mask the end of the name in the field. Eg. RFC* will trace all users who's names start with RFC.</P><P></P><P>But you cannot create patterns (eg. *RFC* = all names which contain pattern RFC) and you cannot list names (no select-options nor intervals available). This part we solved with our own program.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 24 Apr 2015 09:59:34 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025540#M1898240 Former Member 2015-04-24T09:59:34Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025541#M1898241 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>if you want to go up to 5 users, please consider activating param auth/authorization_trace. Once you will activate param with value F, you need to go in STUSOBTRACE and specify up to 5 users. system will trace the activity of only those users which you will specify here in STUSOBTRACE.</P><P></P><P>Thanks-</P><P>Guru</P></BODY></HTML> Fri, 24 Apr 2015 11:55:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025541#M1898241 Former Member 2015-04-24T11:55:18Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025542#M1898242 <HTML><HEAD></HEAD><BODY><P>Greetings Guru,</P><P></P><P>How will the activation trace be activated? Is it through a different transaction code?</P><P>As per checking in STUSOBTRACE, there are no buttons/options to activate the trace.</P><P></P><P>Thank you.</P></BODY></HTML> Fri, 24 Apr 2015 14:32:13 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025542#M1898242 former_member456858 2015-04-24T14:32:13Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025543#M1898243 <HTML><HEAD></HEAD><BODY><P>I suspect the guru meant the "change filter" button and misunderstood it.</P><P></P><P>The system level auth/authorization_trace is not a detailed user based trace. It is a collector mechanism for the transaction contexts to write entries into table USOBT_AUTHVALTRC to record which objects were checked with check values in a transaction. SAP uses it to propose values for SU22. SAP developers process it in transaction CHECKMAN. If maintained / transfered, then they land in SU24 when you process SU25 steps.</P><P></P><P>SAP released parts of this for customers as well to record "original data" for the customer system, but you will be given a warning about paralyzing the system if you turn it on because at every AUTHORITY-CHECK statement it compares the check data in the kernel to the application table. So it is ok for DEV and QAS systems to collect data for SU24, but for larger PROD systems you should be very careful (I do not recommend doing it in PROD).</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 24 Apr 2015 20:42:15 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025543#M1898243 Former Member 2015-04-24T20:42:15Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025544#M1898244 <HTML><HEAD></HEAD><BODY><P>Greetings Julius,</P><P></P><P>Thank you for the clarification.</P><P></P><P>As per checking the code for <EM>STAUTHTRACE</EM>, it seems it uses system functions to perform the trace (C_SET_SWITCH, C_SET_USER, C_SET_MOD_TIME). If I understood correctly, <SPAN style="font-size: 13.3333330154419px;">C_SET_USER determines the user which the trace will be performed.</SPAN></P><P></P><P>We then tried to create a custom version of the program by enabling addition of multiple users in Trace Options.&nbsp; </P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">As per checking the code, the variable which will contain the user for tracing has a type of CHAR12, which means it may not be able to contain all the set users on the Trace Options. A loop statement was the approach used to enable the passing of all users. However, it was observed that the system function stops the trace for the current user once a new user has been set. Thus, the trace will remain active only to the latest user.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">As the possible users for tracing don't have a definite pattern, using wildcards seems an improbable approach.</SPAN></P><P></P><P>With this, kindly advice accordingly.</P><P></P><P>Thank you.</P></BODY></HTML> Mon, 27 Apr 2015 03:49:21 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025544#M1898244 former_member456858 2015-04-27T03:49:21Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025545#M1898245 <HTML><HEAD></HEAD><BODY><P>You should be careful calling kernel functions directly. The lights could unexpectedly dim and the neighbour's cat might fall over stone dead if you get a parameter wrong..&nbsp; <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>We used a different approach (not these C-kernel functions, for the above reasons) but it is a commercial product so it would be inappropriate to wave it around in SCN discussions.</P><P></P><P>You are however welcome to contact me via my Business Card if you are interested.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Mon, 27 Apr 2015 06:27:56 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025545#M1898245 Former Member 2015-04-27T06:27:56Z https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025546#M1898246 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>You can use ST01 and filter with program or transaction instead of multiple users.</P><P></P><P>Thanks,<BR />Kavitha Rajan.</P></BODY></HTML> Mon, 27 Apr 2015 15:45:35 GMT https://community.sap.com/t5/application-development-and-automation-discussions/multiple-users-for-authorization-trace/m-p/11025546#M1898246 Former Member 2015-04-27T15:45:35Z