SAP Security & GRC Podcast – Technical Series (E10): How to Set up and Analyse STUSERTRACE
Watch or listen to the SAP Security & GRC podcast – helping you on your journey to effective access risk management in SAP.
In this episode, Ross Robertson digs into the SAP User Authorisation Trace – STUSERTRACE – one of the most valuable tools in an authorisations consultant’s kit when the goal is understanding how users really use the system over the long haul.
In episode 9 we looked at STAUTHTRACE, the short-term trace built for capturing a narrow window of activity. STUSERTRACE is its long-term counterpart. Rather than running for a few minutes, it’s designed to sit in the background and record authority checks continuously – for months, or even a year. The trick that makes that possible is that it logs each unique authority check only once per user. The first time a user triggers a given check, it’s recorded; every repeat of that exact check is ignored. That keeps the underlying table from ballooning and keeps the performance impact in check.
Ross Robertson covers the prep work first: STUSERTRACE is controlled by a profile parameter that has to be switched on before the trace can run (the episode refers to it as auth/authorization_trace; SAP's own documentation names auth/auth_user_trace for STUSERTRACE and uses auth/authorization_trace for the related STUSOBTRACE trace, so check which name your kernel expects before setting it). He explains the difference between changing the dynamic value (RZ11 – takes effect immediately but is lost at the next instance restart) and the static profile value (RZ10 – applies only after the next restart, but then persists), and why you set both so the trace activates now and survives restarts. He also walks through the parameter values – N (off, the kernel default), Y (active with no filter), and F (active only for checks matching the filter maintained in STUSERTRACE) – and explains why Soterion typically recommends F together with targeted exclusions.
Those exclusions matter. Because STUSERTRACE can record enormous volumes of data, the team recommends excluding high-noise authorisation objects – typically objects with non-unique, constantly changing fields such as order numbers, where every new value counts as a new unique check and so writes a record on virtually every transaction without adding licensing or security value – as well as noisy users like system, background-job, or firefighter accounts. A few well-chosen exclusions keep that noise out of the table and let the trace capture the rest of the system cleanly.
From there, the episode moves into analysis. Ross Robertson shows how to evaluate results for a single user (pulling every unique authority check they’ve triggered, passed and failed, and inspecting the user buffer for a failed check – such as a failed activity 02 on S_USER_GRP in SU01), and demonstrates the unique-once behaviour live in SE16N. He then shifts to an application-focused view: pulling every authority check made against a single transaction (e.g. SU01) across all users, which becomes a powerful basis for building SU24 authorisation defaults from real-world usage – and crucially, doing so selectively, so you can include the values contributed by consultants or business users while excluding those generated by developers, support, or firefighter activity that shouldn’t shape your business-as-usual roles.
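To make the record-once-per-user behaviour, the exclusion filter and the two analysis views above concrete, here is an added, self-contained Python model of them. It is illustration only, not SAP code or anything from Soterion: the record layout, the application-type codes, the user names, the hypothetical object Z_ORDER_CHK and every sample event are constructed for this example.

```python
"""Model of STUSERTRACE behaviour: one record per user and unique authority
check (first timestamp kept), an exclusion filter, a per-user view and an
SU24-style per-application aggregation. Constructed example, not SAP code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CheckKey:
    """Everything that makes an authority check 'unique' in this model."""
    user: str
    app_type: str        # constructed codes: 'TR' transaction, 'RFC', 'WD', 'OD'
    app: str             # transaction code, function module, service name ...
    obj: str             # authorisation object
    field_values: tuple  # sorted ((field, value), ...) pairs
    passed: bool         # True = check succeeded, False = failed


def make_key(ev):
    return CheckKey(ev["user"], ev["app_type"], ev["app"], ev["obj"],
                    tuple(sorted(ev["values"].items())), ev["rc"] == 0)


def run_trace(events, excluded_users=(), excluded_objects=()):
    """Replay events in time order. A key is stored the first time it is seen,
    with that first timestamp; later identical checks are ignored. Events that
    match the exclusion filter never reach the table."""
    records = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] in excluded_users or ev["obj"] in excluded_objects:
            continue
        records.setdefault(make_key(ev), ev["ts"])
    return records


def checks_for_user(records, user, failed_only=False):
    """Single-user view: every unique check that user triggered."""
    return {k: ts for k, ts in records.items()
            if k.user == user and (not failed_only or not k.passed)}


def su24_candidates(records, app, exclude_users=(), passed_only=False):
    """Application view: object/field values checked by one app across users,
    optionally leaving out users whose activity should not shape SU24."""
    out = defaultdict(set)
    for k in records:
        if k.app != app or k.user in exclude_users:
            continue
        if passed_only and not k.passed:
            continue
        for field, value in k.field_values:
            out[(k.obj, field)].add(value)
    return dict(out)


def _ev(ts, user, app, obj, values, rc, app_type="TR"):
    return {"ts": datetime.fromisoformat(ts), "user": user, "app_type": app_type,
            "app": app, "obj": obj, "values": values, "rc": rc}


# Constructed sample events (not real trace output). Z_ORDER_CHK is a
# hypothetical object whose ORDERNO field changes on nearly every call.
SAMPLE_EVENTS = [
    _ev("2024-01-10T08:59:00", "ROSSR", "SU01", "S_TCODE", {"TCD": "SU01"}, 0),
    _ev("2024-01-10T09:00:00", "ROSSR", "SU01", "S_USER_GRP", {"ACTVT": "02", "CLASS": "SUPER"}, 4),
    _ev("2024-01-10T09:01:00", "ROSSR", "SU01", "S_USER_GRP", {"ACTVT": "03", "CLASS": "SUPER"}, 0),
    _ev("2024-03-01T11:00:00", "ROSSR", "SU01", "S_USER_GRP", {"ACTVT": "02", "CLASS": "SUPER"}, 4),  # repeat
    _ev("2024-02-02T10:00:00", "DEV01", "SU01", "S_TCODE", {"TCD": "SU01"}, 0),
    _ev("2024-02-02T10:01:00", "DEV01", "SU01", "S_USER_GRP", {"ACTVT": "02", "CLASS": "SUPER"}, 0),
    _ev("2024-02-05T14:00:00", "FF001", "SU01", "S_USER_GRP", {"ACTVT": "06", "CLASS": "SUPER"}, 0),
    _ev("2024-01-11T02:00:00", "BATCH_ADM", "SM37", "S_BTCH_JOB", {"JOBACTION": "RELE", "JOBGROUP": "*"}, 0),
    _ev("2024-01-12T09:30:00", "ROSSR", "VA01", "Z_ORDER_CHK", {"ORDERNO": "4500001"}, 0),
    _ev("2024-01-12T09:31:00", "ROSSR", "VA01", "Z_ORDER_CHK", {"ORDERNO": "4500002"}, 0),
]

NOISY_USERS = ("BATCH_ADM",)
NOISY_OBJECTS = ("Z_ORDER_CHK",)


if __name__ == "__main__":
    print("unfiltered records:", len(run_trace(SAMPLE_EVENTS)))
    trace = run_trace(SAMPLE_EVENTS, NOISY_USERS, NOISY_OBJECTS)
    print("filtered records:", len(trace))
    for key, ts in checks_for_user(trace, "ROSSR", failed_only=True).items():
        print("failed:", key.obj, dict(key.field_values), "first seen", ts)
    print(su24_candidates(trace, "SU01", exclude_users=("DEV01", "FF001")))
```

Two things the model makes visible: the repeated S_USER_GRP check on 2024-03-01 leaves no trace, so the stored timestamp is the January first execution and says nothing about recency; and the two Z_ORDER_CHK calls produce two records from one transaction, which is exactly the growth the object exclusion removes.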
Key takeaways:
- STUSERTRACE is a long-term authorisation trace that records unique authority checks per user – ideal for role redesign and ongoing authorisation management.
- It logs each unique check only once per user, keeping data volumes and performance impact under control.
- Activation requires the trace's profile parameter (given in the episode as auth/authorization_trace; SAP documents auth/auth_user_trace for STUSERTRACE), changed dynamically in RZ11 and in the static profile in RZ10 so it activates immediately and survives restarts.
- Parameter values: N (off), Y (active, no filter), F (active with a filter). Soterion recommends F with targeted exclusions.
- Exclude high-volume, low-value authorisation objects (e.g. those with order-number fields) and noisy users (system, background-job, firefighter) to protect performance.
- Results can be evaluated by user, application type (transaction, Web Dynpro, Fiori OData service, RFC), authorisation object, check result, CDS entity, and date range.
- Timestamps reflect the first execution of a check, not the most recent.
- A standout use case: building SU24 authorisation defaults from real usage, selectively including or excluding contributing users.
Whether you’re redesigning roles, cleaning up authorisation defaults, or simply trying to understand how your users actually behave over time, STUSERTRACE is a long-term trace every SAP authorisations professional should have running.
Don’t miss out on insights from:
- Ross Robertson – Senior SAP Authorisations Consultant – Soterion