SAP Authorization Trace - Simple Overview of Authorizations
What are SAP authorizations?
The security audit log is evaluated via the SM20 or SM20N transaction or the RSAU_SELECT_EVENTS report. We recommend using the report as you have more options to personalise the evaluation and to include archived logs of different application servers in the evaluation.
Now check the SY-SUBRC system variable. If the value is 0, the Permissions Check succeeded. If the value is 4, the test did not pass. At a value of 8, there is an inconsistency in the definition of the authorization object and the verification in the code - this should not happen! If the value is 12, the permission is not part of your permission buffer.
Generic access to tables
The Security Optimisation Service for ABAP contains more security checks than the corresponding section in the EWA. In particular, the number of eligibility checks is higher. A total of 110 eligibility tests are currently defined in the SOS, including 16 critical eligibility tests for HR. The full list of all security checks in the SOS can be found in the SAP Service Marketplace on the page https://service.sap.com/sos via Media Library (Security Optimisation Service > ABAP Checks).
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
If the Step user does not have a matching permission, an error message is displayed.
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer.