SAP Parameter auth/authorization_trace - Trace every authority-check once for authorization proposals


Short text
Authorization trace for authorization default values

Parameter description
The authorization trace collects data across clients and userindependently, and stores it in the database.
During the execution of a program, every authorization check is recordedexactly once, together with the name and type of the runningapplication, the point in the program, the authorization object, and thechecked authorization values.
The trace database table supports the maintenance of authorizationdefault values.
The parameter auth/authorization_trace can have the following values:

  • N: Trace deactivated

  • Y: Trace activated

  • F: Trace activated with filters (SAP Note 1854561). You can set the
  • filters for the recording in transaction STUSOBTRACE. You can useapplication type, users, and authorization objects as filters. In thisway, you can investigate specific scenarios. At least one filter must beset, otherwise the trace does not record anything. With filters, thevolume of data and thefore the effect on the performance of the systemare significantly smaller than with Y.
    • Space: With this setting, the trace is activated is SAP systems (profile
    • parameter transport/systemtype = SAP), and deactivated in customersystems (transport/systemtype = CUSTOMER). This is the default setting,if the parameter has not been set in the instance profile or defaultprofile (DEFAULT.PFL) and has not been dynamically changed.
      The activation of the authorization trace without filters has asignificant effect on performance.

      Work area

      Default value
      <(><<)>space>, not set

      Who is allowed
      SAP, customer

      Limitation for os

      Limitation for db

      Other parameter

      Y, N, F, <(><<)>space>