SAP Security & GRC Podcast – Technical Series (E09): How to Set up and Analyse STAUTHTRACE

Watch or listen to the SAP Security & GRC podcast – helping you on your journey to effective access risk management in SAP.

In this episode, Ross Robertson takes a deep dive into one of the most useful tools in any SAP authorisations administrator’s kit – the short-term user authority check trace, better known by its transaction code, STAUTHTRACE. If you’ve ever relied on the classic SU53 report to chase down an authorisation failure, this trace is the upgrade you’ve been waiting for.

Unlike SU53, which only shows you the last failed check, STAUTHTRACE captures both successful and failed authority checks in real time as users move through the system – across transactions, Fiori OData services, RFC function modules, and CDS view access checks. It runs on a rolling memory buffer, so it has negligible impact on system performance and can comfortably be left active long-term in day-to-day authorisation management.

Ross Robertson walks through the full workflow: activating the trace (system-wide or on a specific application server), applying evaluation restrictions for a single user, and filtering by date and time, application type, application name, authorisation object, and check result. From there, the episode moves into two practical troubleshooting examples – diagnosing a failed user-change attempt in SU01 (a failure on activity 02 in S_USER_GRP) and a blocked table display in SE16 (a failed check on table EKKO) – before showing how to inspect a user’s authorisation buffer using SU56.

Key takeaways:

  • STAUTHTRACE captures both passed and failed authority checks in real time – not just the last failure like SU53. 
  • The trace can be run system-wide or scoped to a specific application server, and results can be evaluated for a single user. 
  • Because it uses a rolling memory buffer (typically around an hour of history), it has minimal system impact and can be left active long-term. 
  • Results can be filtered by user, date/time, application type (transaction, Fiori OData service, RFC), application name, authorisation object, and check result. 
  • The trace surfaces CDS view entity checks – increasingly important as more access logic moves into S/4HANA. 
  • The user buffer can be inspected via SU56 to confirm exactly which authorisation values a user holds for a given object. 
  • Results export easily to spreadsheet or Word for documentation and analysis. 

Whether you’re troubleshooting a live user issue or building a clearer picture of how authority checks actually behave in your environment, STAUTHTRACE is a foundational tool every SAP authorisations professional should master.

Don’t miss out on insights from:

  • Ross Robertson – Senior SAP Authorisations Consultant – Soterion 
