RSUSR_SUAUTHVALTRC_DISPLAY: User Trace for Authorization Checks

This long-term trace collects client-specific and user-specific authorization data, and stores it in the database.

During the execution of a program, every authorization check is recorded exactly once with the first time stamp, together with the name and type of the running application, the point in the program, the authorization object, the checked authorization values, and the result.

The trace data is used to support the maintenance of authorization default values and authorizations, in particular for users with special tasks or special authorization objects – for example, for communications users in RFC scenarios.

Activating the Authorization Trace

The authorization trace is activated using the profile parameter “auth/auth_user_trace”. The profile parameter is dynamically switchable.

You can switch on the trace either fully or only for selected authorization checks by using a filter. You can use the application type, users, and authorization objects as filters. This enables you to investigate specific scenarios such as RFC programs or background jobs over a long period.

Note the following: If you are using a trace with filters, you have to define at least one filter, otherwise recording will not take place.

Performance

Each authorization check logged by the authorization trace needs at least an additional database selection of approx. 1 millisecond. How this extends the runtime of each affected application depends on the number of recorded authorization checks. To limit the number of recorded checks, we recommend using a filter.

Activation of the authorization trace without filters has a significant effect on performance.

Authorization Concept

The functions of the STUSERTRACE transaction are protected by the authorization object S_ADMI_FCD. Checks are performed on the authorization field S_ADMI_FCD with the following values:

STUF: Change filter of user traces for authorization checks
STUR: Evaluation of user traces for authorization checks