System Trace - a Last Resort to Identify Missing Authorizations
- by Tero Tukiainen, SAP Authorizations Consultant, SAPORT Consulting
- March 19, 2009
Learn how to run the trace functionality (transaction ST01) to resolve error messages about missing authorizations.
A system trace is a standard SAP functionality available in all versions that you can use for recording internal SAP system activities. A system trace can be either a replacement or an alternative for the SU53 report (the primary method for analyzing missing authorizations), and it should be run only after the SU53 report has been run a few times but the user still keeps getting error messages on missing authorizations. System traces are helpful in problem-solving scenarios because they allow you to figure out all your missing authorizations with one single report.
The problem: An employee keeps getting error messages about missing authorizations. The reason is that the user’s authorizations have not been defined properly in the common authorizations concept, which is the concept that includes all authorizations-related requirements for your company’s users. The user needs the authorizations, but you’re not sure which authorizations the user is missing. You have performed the other usual methods for tracking missing authorizations, including an SU53 (display authorization check) report, which is the primary method for analyzing authorization checks or an access-denied error. There is one last option however – use the trace functionality (transaction ST01).
When you use the system trace, you let the users keep their original authorizations and trace their work for a certain time period in which they carry out the responsibilities that they have in the SAP system. After this period is over, you can analyze the trace records. The system trace shows all the steps the user has taken so you can determine which authorizations the user is lacking (because there are different error codes for different types of missing authorizations), and which authorizations the user has to successfully complete the required tasks. Bear in mind, however, that the system trace is a little more complex than the SU53 report. I recommend running the SU53 first, and should it fail, I then recommend using the system trace.
Would you like to see this full item?