SAP Security & GRC Podcast - Technical Series (E11): How to Set up and Analyse STUSOBTRACE
In this episode, Ross Robertson covers the SAP Authorisation Trace at the application level – the STUSOBTRACE transaction – which records the authority checks a specific SAP application performs at runtime, whether that’s a transaction, a Fiori OData service, an RFC function module, or a background job.
Rounding off our authorisation tracing mini-series, Ross explains how to activate STUSOBTRACE via the auth/authorization_trace parameter, why the application-level trace can usually run unfiltered (value Y) where the per-user trace can’t, and how to turn its results into SU24 authorisation defaults, licensing insight, and everyday remediation.
What you’ll learn from this episode:
- What STUSOBTRACE is and how it differs from STAUTHTRACE (E09) and STUSERTRACE (E10)
- How to activate it via the auth/authorization_trace parameter in both the dynamic (RZ11) and static (RZ10) profiles
- Why value Y is usually fine at the application level, while value F suits the higher-volume per-user trace
- How it stays long-term by recording each unique authority check only once (and why the “changed by” user is only the first to trigger it)
- Analysing by application or by authorisation object – e.g. finding every transaction that calls an object for Activity 01
- Practical use cases: building SU24 defaults or spotting S/4HANA high-tier license usage.
Don’t miss out on insights from:
Ross Robertson – Senior SAP Authorisations Consultant, Soterion



