SAP Security & GRC Podcast - Technical Series (E11): How to Set up and Analyse STUSOBTRACE

In this episode, Ross Robertson covers the SAP Authorisation Trace at the application level – the STUSOBTRACE transaction – which records the authority checks a specific SAP application performs at runtime, whether that’s a transaction, a Fiori OData service, an RFC function module, or a background job.

Rounding off our authorisation tracing mini-series, Ross explains how to activate STUSOBTRACE via the auth/authorization_trace parameter, why the application-level trace can usually run unfiltered (value Y) where the per-user trace can’t, and how to turn its results into SU24 authorisation defaults, licensing insight, and everyday remediation.

What you’ll learn from this episode:

  • What STUSOBTRACE is and how it differs from STAUTHTRACE (E09) and STUSERTRACE (E10) 
  • How to activate it via the auth/authorization_trace parameter in both the dynamic (RZ11) and static (RZ10) profiles 
  • Why value Y is usually fine at the application level, while value F suits the higher-volume per-user trace 
  • How it stays long-term by recording each unique authority check only once (and why the “changed by” user is only the first to trigger it) 
  • Analysing by application or by authorisation object – e.g. finding every transaction that calls an object for Activity 01 
  • Practical use cases: building SU24 defaults or spotting S/4HANA high-tier license usage. 

Don’t miss out on insights from:

Ross Robertson – Senior SAP Authorisations Consultant, Soterion 

Listen

Watch

Related Content

Background - Stay Informed

Stay informed of new episodes

Subscribe now to receive notifications straight to your inbox

You may find this interesting