STAUTHTRACE – A Powerful Tool

As an SAP Security Analyst, it is important to understand how certain transactions work, and why users have access to them. To find these answers, it’s necessary to understand and use the STAUTHTRACE transaction effectively.

What is STAUTHTRACE in SAP?

  • STAUTHTRACE is a transaction code that allows you to trace authorization checks that happened during the attempt to use a specific transaction or program.
  • This level of visibility gives the analyst the ability to identify potential security risks and troubleshoot authorization issues.

How to use STAUTHTRACE in SAP

1) Enter transaction code STAUTHTRACE.

STAUTHTRACE screenshot to activate a trace

2) Once you open the transaction, enter the user you wish to trace and hit “System-Wide Trace”.

3) From there, select the appropriate server, apply the correct time frame, and hit “Activate Trace”.

4) Once the trace is active, the user you’re tracing needs to perform the actions you want to trace. In this example, user TEST-74-04 will try to use SU01, STAUTHTRACE and SU24.

5) Once the user has performed the actions, click “Evaluate” in the top left corner.

System trace for authorization checks in SAP

As you can see, the trace shows TEST-74-04’s activity. They passed the authorization check for SU01; however, they failed the checks for STAUTHTRACE and SU24.

In the “Result” column, you will see these possible return codes:

  • 0 – Authorization check successful
  • 4 – Authorization check not successful. However, the user has the authorization object but not the expected value
  • 12 – Authorization check not successful because the user does not have the authorization in the user master record
  • 40 – The checked user does not exist

STAUTHTRACE Findings

These findings help you identify which authorization values a user does or does not require. They’re also useful when investigating a specific transaction, as you can see which authorization objects and values are triggered when performing it.
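
An added example, not part of the original article: a short Python script that triages trace results by the return codes listed above, separating checks that failed on a missing value (4) from checks that failed on a missing authorization (12). The semicolon-delimited layout, the column names and the sample rows are constructed assumptions, not the tool's actual export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column layout is an assumption, not the
# actual STAUTHTRACE export format.
SAMPLE_EXPORT = """\
user;object;values;rc
TEST-74-04;S_TCODE;TCD=SU01;0
TEST-74-04;S_TCODE;TCD=STAUTHTRACE;4
TEST-74-04;S_TCODE;TCD=STAUTHTRACE;4
TEST-74-04;S_TCODE;TCD=SU24;4
DEMO-02;S_USER_GRP;CLASS=SUPER,ACTVT=03;12
"""

# Return codes as listed for the "Result" column above.
MEANING = {
    0: "passed",
    4: "object assigned, value missing",
    12: "authorization missing from user master record",
    40: "checked user does not exist",
}

def triage(export_text):
    """Group failed checks per user and return code, dropping duplicates."""
    findings = defaultdict(lambda: defaultdict(list))
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    for row in reader:
        rc = int(row["rc"])
        if rc == 0:
            continue  # successful checks need no follow-up
        if rc not in MEANING:
            raise ValueError(f"unexpected return code {rc}")
        check = (row["object"], row["values"])
        if check not in findings[row["user"]][rc]:
            findings[row["user"]][rc].append(check)
    return {user: dict(by_rc) for user, by_rc in findings.items()}

def report(findings):
    """Render one line per distinct failed check, sorted by user and code."""
    lines = []
    for user, by_rc in sorted(findings.items()):
        for rc, checks in sorted(by_rc.items()):
            for obj, values in checks:
                lines.append(f"{user}: rc={rc} ({MEANING[rc]}) {obj} {values}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_EXPORT))))
```

Repeated checks for the same object and values collapse into one finding, so the output lists each missing value or authorization once per user.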

NOTE: One last important tip is to make sure to deactivate the trace once you’re finished.

Author Tate Bullman