
About
Listen to the SAP Security & GRC podcast – helping you on your journey to effective access risk management in SAP.
In this episode, Ross Robertson walks through the SAP User Authorisation Trace (STUSERTRACE) – a long-term authorisation trace that records unique authority checks per user in the background, making it invaluable for everything from day-to-day authorisation management to full role redesigns. Where STAUTHTRACE (covered in E09) captures a short window of activity, STUSERTRACE keeps a long-term history you can analyse months – even a year – later.
🔑 Key Takeaways:
- What STUSERTRACE is and how it differs from the short-term STAUTHTRACE How it stays lightweight by logging each unique authority check only once per user How to activate it via the auth/authorization_trace profile parameter – and why you set it in both the dynamic (RZ11 / RZ10) and static (RZ10) profiles Parameter values explained: N (off), Y (active, no filter), F (active with a filter) – and why Soterion recommends F with exclusions Which users and authorisation objects to exclude (e.g. high-volume objects with constantly changing fields like order numbers) to protect system performance How to evaluate results by user, application type, authorisation object, check result, CDS entity, and date range Real consulting use cases: building SU24 authorisation defaults from real usage and excluding developer / firefighter activity from business-as-usual role design
Featuring:
- Ross Robertson – Senior SAP Authorisations Consultant, Soterion