SAP Security & GRC

How to Set Up and Analyse STUSERTRACE

Soterion Season 2 Episode 10

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 18:46

Listen to the SAP Security & GRC podcast – helping you on your journey to effective access risk management in SAP. 

In this episode, Ross Robertson walks through the SAP User Authorisation Trace (STUSERTRACE) – a long-term authorisation trace that records unique authority checks per user in the background, making it invaluable for everything from day-to-day authorisation management to full role redesigns. Where STAUTHTRACE (covered in E09) captures a short window of activity, STUSERTRACE keeps a long-term history you can analyse months – even a year – later. 

🔑 Key Takeaways: 

  • What STUSERTRACE is and how it differs from the short-term STAUTHTRACE 
  • How it stays lightweight by logging each unique authority check only once per user 
  • How to activate it via the auth/authorization_trace profile parameter – and why you set it in both the dynamic (RZ11 / RZ10) and static (RZ10) profiles 
  • Parameter values explained: N (off), Y (active, no filter), F (active with a filter) – and why Soterion recommends F with exclusions 
  • Which users and authorisation objects to exclude (e.g. high-volume objects with constantly changing fields like order numbers) to protect system performance 
  • How to evaluate results by user, application type, authorisation object, check result, CDS entity, and date range 
  • Real consulting use cases: building SU24 authorisation defaults from real usage and excluding developer / firefighter activity from business-as-usual role design 

 Featuring: 

  • Ross Robertson – Senior SAP Authorisations Consultant, Soterion