The system trace
The SAP® system trace
SAP® offers with the system trace the opportunity to evaluate the
authorization objects that are checked during the call of the
different transactions.
With the help of the trace all authorization objects, on which an
authority check is executed while working with the system, can be logged.
This also includes the corresponding field values within the
authorization objects.
Call the transaction ST01 for the use of the system trace.
From Release 4.7
In the selection screen the different components can be activated via checkmark.
There are options for additional filter settings. Push the button General Filters.
You can filter for the process you want to log, the user, the transaction, or the program.
Enter the required selection, push the key Enter, and then activate the trace.
Note: An activation of the trace for all system users should not be activated.
For user evaluation always enter the username you want to analyze.
With activation of the trace all required access rights for the selected user will be logged.
When all actions are traced, and logged, then please switch the Trace off.
After that you can evaluate the results by pushing the button Analysis [or key F2].
The evaluation path varies in dependency of the current release level.
A. from release 4.7:
Activate the integrated button Analysis. Enter the required selection for evaluation, and push the key F8 for activation.
Aside from the selection of the different trace components,
you can narrow down the selection according to users,
transactions work process, or times.
In the context of performance analysis you can select a restriction in the field duration, which is not very useful for an authorization trace.
Additionally an evaluation with consideration of tables can be set up,
which might be helpful for SQL or table buffer traces.
B. up to release 4.6D:
Double-click onto the displayed file name. Select the required information in the dialog box, and activate the button Analysis.
Trace in a multiple instance environment
In case you run SAP® on different instances you have to make sure that you
activate the trace for the instance on which the user is executing the
transactions that need to be logged for evaluation.
Users can be active on more than one instance.
[The user instance information is displayed down on the right in the SAP status bar.] You can review, and even change to the corresponding instance, with the help of transaction SM51.
Select the instance you want to review. Activate the button User Info [CTRL+SHIFT+F7]. Select the user from the correspond list.
Mark the entry. In the menu bar select the path Goto – Terminals.
Select the user. In the menu bar select the path Goto – Remote Server.
From here you can activate the trace for the instance on which the user is located.
The trace evaluation
For interpretation of the evaluation you can use the following overview
of relevant information.
Please find the component overview with corresponding acronyms.
The return code
Successfully passed authorization check are marked in dark green already and have the value RC=0 added in the column next to the authorization object.
RC is the acronym for return code.
The return values vary depending on the check result. For example:
The return code 0 means that the authorization was successfully checked.
The return code 4 says, that the required authorization for the authorization object
in the user master is not available.
The return code 12 says, that no authorization for the authorization object is available.
Saving of trace results
There are different ways to save trace evaluation results.
You can download the trace file in the evaluation display mode by saving the list locally.
If trace information are to be protected against overwriting,
you have to branch to the button Save after tracing.
In the following window you can enter remarks as well as a file name.
If you do not enter an absolute path when entering the file name manually, the file will be created in the log directory.
For the automatic file name creation, the system provides a file name, and creates the file in the log directory.
Automatically created file names can be selected with the F4 search key in the future. This option is not available for manually created names.
Automatically created file names can be deleted within this application, manually created file names need to be deleted on the OS level separately.
Therefore the automatic file name creation is to be preferred.
Trace configuration
The system trace is configurable through different profile parameters.
All trace relevant parameters are part of the category rstr/.
To review the parameters the transaction RZ11 can be used.
The following parameters are adjustable.
The system trace cannot only be used for the evaluation of authority checks, but also for evaluation of kernel functions, kernel modules, DB access, table buffer, RFC calls and lock operations. For system monitoring the developer trace is usually preferred.
