A user cannot execute a certain transaction and we want to find out why. Or a user needs a new, additional role and we need to find out what authorizations he already has in his other roles. There are several reasons to use SAP traces. The most important traces in terms of authorizations are:
In a way, they can all do the same thing, but the differences lie in the details:
ST01 und STAUTHTRACE: What is the difference?
ST01 and STAUTHTRACE both check the authorization checks. They can also both be restricted to a specific user. However, STAUTHTRACE allows the check to be performed simultaneously on all instances of the system. ST01, on the other hand, always checks only on the instance on which the user is currently logged in. STAUTHTRACE has therefore also been launched as an addition/extension to ST01.
STUSOBTRACE: for long term checks
STUSOBTRACE also checks across all instances, but beyond that this trace is designed for long-term checks (ST01 and STAUTHTRACE: log files are overwritten when the memory for the trace is full, STUSOBTRACE stores log data in the database so that it is preserved). STUSOBTRACE creates a new entry in the log file only when the trace encounters authorization checks that have not yet been captured in the context of the current application. Also in STUSOBTRACE it is possible to limit the check to one user, but in the evaluation the user is not displayed.
STUSERTRACE: clearly arranged and assigned to users
STUSERTRACE is also designed as a long-term trace. Thus, like STUSOBTRACE, it writes all results to a log file that is stored in the database and is not automatically overwritten. However, STUSERTRACE also shows in the evaluation the users who triggered the respective authorization check. The trace stores each result only once. The evaluation is therefore comparatively clear, because there are no duplicate entries (which would accordingly have no added value).