Multiple Users for Authorization Trace

former_member456858 · ‎2015 Apr 22

Greetings!

I would like to inquire if there are alternate transaction(s) or program(s) to enable authorization trace for multiple users.

Currently, we are looking at transaction STAUTHTRACE, and it seems that it only allows single user in the Trace Options. We found that an option to derive for select users is by setting them on the Restrictions for the Evaluation screen and leaving the field Trace for user only as blank. However, this is not the desired approach. If possible, the authorization trace should only be performed for the select users.

Thank you.

Former Member · ‎2015 Apr 22

In addition to all user and single fully qualified user names, you can also mask names. eg. RFC*

But there are no select-options for lists.

We had the same challenges and developed our own programs for it to support select-options for lists and patterns which can also mask character sets within the user names. Eg. *RFC*. I could not find any way to do it in ST01.

Cheers,

Julius

former_member456858 · ‎2015 Apr 23

Greetings Julius,

Thank you for the suggestion.

Though, kindly clarify the statement "you can also mask names. eg. RFC*"?

Did you mean using wildcard(s) on the Trace Options? Or had you implemented a logic in your custom program to mask the user name?

Thank you.

Former Member · ‎2015 Apr 24

Exactly. You can mask the end of the name in the field. Eg. RFC* will trace all users who's names start with RFC.

But you cannot create patterns (eg. *RFC* = all names which contain pattern RFC) and you cannot list names (no select-options nor intervals available). This part we solved with our own program.

Cheers,

Julius

former_member456858 · ‎2015 Apr 27

Greetings Julius,

Thank you for the clarification.

As per checking the code for STAUTHTRACE, it seems it uses system functions to perform the trace (C_SET_SWITCH, C_SET_USER, C_SET_MOD_TIME). If I understood correctly, C_SET_USER determines the user which the trace will be performed.

We then tried to create a custom version of the program by enabling addition of multiple users in Trace Options.

As per checking the code, the variable which will contain the user for tracing has a type of CHAR12, which means it may not be able to contain all the set users on the Trace Options. A loop statement was the approach used to enable the passing of all users. However, it was observed that the system function stops the trace for the current user once a new user has been set. Thus, the trace will remain active only to the latest user.

As the possible users for tracing don't have a definite pattern, using wildcards seems an improbable approach.

With this, kindly advice accordingly.

Thank you.

Former Member · ‎2015 Apr 27

You should be careful calling kernel functions directly. The lights could unexpectedly dim and the neighbour's cat might fall over stone dead if you get a parameter wrong.. 😉

We used a different approach (not these C-kernel functions, for the above reasons) but it is a commercial product so it would be inappropriate to wave it around in SCN discussions.

You are however welcome to contact me via my Business Card if you are interested.

Cheers,

Julius

Former Member · ‎2015 Apr 23

Hi Jon,

In STAUTHTRACE this option is available for evaluation of trace, you can mention the selected users please refer the below screen.

You can look for long term trace by activating param auth/authorization_trace with value F. refer sap note 1854561.

Thanks-

Guru

former_member456858 · ‎2015 Apr 23

Greetings Guru,

Thank you for the suggestion.

However, the desired approach is to designate select users before activating the trace. This is to reduce the resource being consumed in the memory while the trace is active.

I believe the User select-option under Restrictions for the Evaluation is to filter the trace results after evaluation.

Thank you.

Former Member · ‎2015 Apr 24

Hi Jon,

if you want to go up to 5 users, please consider activating param auth/authorization_trace. Once you will activate param with value F, you need to go in STUSOBTRACE and specify up to 5 users. system will trace the activity of only those users which you will specify here in STUSOBTRACE.

Thanks-

Guru

former_member456858 · ‎2015 Apr 24

Greetings Guru,

How will the activation trace be activated? Is it through a different transaction code?

As per checking in STUSOBTRACE, there are no buttons/options to activate the trace.

Thank you.

Former Member · ‎2015 Apr 24

I suspect the guru meant the "change filter" button and misunderstood it.

The system level auth/authorization_trace is not a detailed user based trace. It is a collector mechanism for the transaction contexts to write entries into table USOBT_AUTHVALTRC to record which objects were checked with check values in a transaction. SAP uses it to propose values for SU22. SAP developers process it in transaction CHECKMAN. If maintained / transfered, then they land in SU24 when you process SU25 steps.

SAP released parts of this for customers as well to record "original data" for the customer system, but you will be given a warning about paralyzing the system if you turn it on because at every AUTHORITY-CHECK statement it compares the check data in the kernel to the application table. So it is ok for DEV and QAS systems to collect data for SU24, but for larger PROD systems you should be very careful (I do not recommend doing it in PROD).

Cheers,

Julius

Former Member · ‎2015 Apr 27

Hi Jon,

You can use ST01 and filter with program or transaction instead of multiple users.

Thanks,
Kavitha Rajan.

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My Account

My Account

Multiple Users for Authorization Trace