Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Former Member

What is the difference between ST01 & SU53?

Edited by: Julius Bussche on May 19, 2010 10:30 PM

ps: This is the only known points-gaming on SDN which ever led to a successful functional SAP development. Thanks Pradeep Gali (a.k.a. kinglokar rao)...

14 replies

Former Member

Hi,

SU53 is used to find the missing authorization.

ST01 is used for repetitive missing authorizations.

SU53 shows the authorization object and the missing value, while the trace shows the authorization object, return code and field as well as the tested value.

In the trace the return code is the important factor. If retcode = 0 then the check is successful, else it is not.

Note: You have to refresh before you capture exact SU53 else it will show the last value instead of the one which you are trying to capture.

Chav

Pradeep.Gali


Some things which I have noticed:

SU53: A useful trick for getting closer to the real failed auth check is to create a shortcut (right click the desktop -> .sap shortcut) with the transaction (type) /nsu53 in it. You can then drag-and-drop it into the sapgui (e.g. directly into the error popup) without having to click it away and increase the risk of further authority checks failing to determine the screen program (to go back to).

ST01: The return code can also be 0 although the authority-check failed (i.e. because there is no requirement for it to pass, e.g. S_TCODE in a call relationship, or SU24 check indicator deactivated).

ST01 is also useful for searching to see whether an authority-check might be available in the program. But you still have to look at the program (there is a nice feature to jump from the trace to the program) or debug it to see what it does with the result of the authority-check and whether there are authority-checks available which are only reached when some condition exists for it (e.g. an authorization group has been placed on the account / program etc).

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert

> SU53: A usefull trick for getting closer to the real
> failed auth check is to create a shortcut (right
> click the desktop -> .sap shortcut) with the
> transaction (type) /nsu53 in it. You can then
> drag-and-drop it into the sapgui (e.g. directly into
> the error popup) without having to click it away and
> increase the risk of further authority checks failing
> to determine the screen program (to go back to).

Yes, it's slightly better (especially in situations where you do have a popup window - without the ability to launch transactions). For the same reason a "debug shortcut" can be helpful. But anyway: sometimes an application might first submit an AUTHORITY-CHECK (which fails) and then submit a second one (most likely with less strict requirements) which succeeds. If then another AUTHORITY-CHECK is submitted which fails, only that last failing AUTHORITY-CHECK can be analyzed with SU53.

> ST01: The return code can also be 0 although the
> authority-check failed (i.e. because there is no
> requirement for it to pass (e.g. S_TCODE in a call
> relationship, or SU24 check indicator deactivated).

No. An AUTHORITY-CHECK with SY-SUBRC = 0 is defined as "successful".

But most likely you want to express something different: an AUTHORITY-CHECK can be successful for various reasons, e.g. either the user is equipped with the required authorization (or an even more powerful one), or he is assigned to a reference user which holds that required authorization (respectively a super-set of it) or the check has been disabled in that context (SU24 / SU24 / SE97) or generally (SU25).

> ST01 is also usefull for searching to see whether an
> authority-check might be available in the program.

I would have expressed that slightly different:

ST01 allows you to navigate to the ABAP coding where that AUTHORITY-CHECK was invoked (if such an ABAP coding exists; some AUTHORITY-CHECKs are invoked by the kernel; in that case that approach will not lead to success; such checks are also safe against DEBUG/REPLACE bypassing).

Regards, Wolfgang

PS: special warm welcome to Julius - in the New Year 2007


Hi Wolfgang,

>> No. An AUTHORITY-CHECK with SY-SUBRC = 0 is defined as "successful".

>> But most likely you want to express something different: ..

Yes, that is what I wanted to say. Of course, you have an advantage because you folks in Walldorf can see what is going on in the kernel. My means are more limited (e.g. ST01 - actually I very seldom use it...). That might also hint at why many users have more authorizations than they actually need for the transaction contexts they can get to? (i.e. if USER A has AUTHORITY B and sy-subrc is set to 0 by the kernel, then how would one know that it could be taken away from USER A?). I am not aware of any tool which helps in this case, other than system debugging popups and trying to understand the SAP kernel (and reading lots of documents and OSS notes).

My understanding of it (and imagination of how your kernel works) is that the authority-check is not satisfied for the user (hence I said "failed"), but some force majeure (not only limited to SU24/SE97/SU25) determines that for those conditions, the sy-subrc is set back to 0 (or 2... or whatever). If the conditions which the kernel expects are not met anywhere, then the authority-check remains <> 0 => failed.

Your comment about the kernel checks is also a good one because in addition to SU53 and ST01, there are also various "help" function modules which can be used to view those "invisibly coded" checks. (I am referring to the VIEW_AUTHORITY functions). One can view the kernel authority-checks which are invoked by certain ABAP statements, etc... and also react to them before the user has to stumble into a horrible dump or just get a blank screen or the file is empty... Alternately, one can also send the kernel those authorizations that it is looking for so that sy-subrc is 0 (or 8, or whatever... not sure...).

To be honest, I do find SAP's documentation and SAP notes on this to be informative and okay, but it is a long hard road for a beginner (or force majeure consultant) to get to grips with.

I am sure that the open discussion here at SDN is a big help to everyone.

Cheers,

Julius

PS: Could you change the "warm wishes" to "-1°C, sunshine and powder snow wishes"? I have to drive for more than 1 hour to get to ski because of "warm"

WolfgangJanzen
Product and Topic Expert

> That might also hint at why many users have more authorizations than they actually need for the transaction contexts they can get to?

Yes, exactly that is the case:

context-specific AUTHORITY-CHECKs.

The reason for this is the way our applications are built: one application might invoke another one to perform a requested function (e.g. when processing a sales order that might trigger some material availability check, credit standing check, etc.) - which require the user to have additional authorizations. If you equip the user with those authorizations he could perform those actions (e.g. credit standing check) directly - not only in the context of a sales order. Normally that is not desirable. So, you need to instruct the system to "exceptionally grant access" - under certain circumstances (application contexts).

Other approaches are:

- code-based authorizations

- rule-based authorizations (-> RBAM)

Cheers, Wolfgang

PS: yes, I also wish to have some snow - in combination with bright sunlight; I wouldn't mind -5°C even


Hi Wolfgang,

If SAP is thinking of developing a SU53N and ST01N, perhaps you could add additional information which shows the transaction context (sy-tcode) and program context (sy-repid) at the point in time of the AUTHORITY-CHECK? Perhaps also the sy-host and sy-dynnr?

We had 11°C yesterday and it is 10°C today. The snow below 1500m is all gone. The Wellness resorts must be very happy about global warming...

All the best to you for 2007 as well!

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert

> If SAP is thinking of developing a SU53N and ST01N,
> perhaps you could add additional information which
> shows the transaction context (sy-tcode)and program
> context (sy-repid) at the point in time of the
> AUTHORITY-CHECK? Perhaps also the sy-host and
> sy-dynnr?

Well, I can only answer as private person (not representing SAP).

Regarding ST01: the source code location where AUTHORITY-CHECK is submitted is already provided in the recorded data. Yes, I agree with you that providing additional information ("reasoning") on successful (SY-SUBRC = 0) results could be very helpful. Well, the "demand" for such a feature needs to come from "outside"; so, feel free to submit a "development request" (providing reasons for your inquiry, listing other "fellows" which support your request).

Regarding SU53: since only failed AUTHORITY-CHECKs (with SY-SUBRC <> 0) are recorded, it would not help much to display additional information on the context; such context information would be helpful to understand why an AUTHORITY-CHECK resulted with SY-SUBRC = 0 although the requested authorization is not assigned to the user (neither directly nor indirectly via a reference user).

Cheers, Wolfgang


Thanks Wolfgang,

I will try to put something together.

Regards,

Julius


> Regarding ST01: the source code location where AUTHORITY-CHECK is submitted is already provided in the recorded data. Yes, I agree with you that providing additional information ("reasoning") on successful (SY-SUBRC = 0) results could be very helpful. Well, the "demand" for such a feature needs to come from "outside"; so, feel free to submit a "development request" (providing reasons for your inquiry, listing other "fellows" which support your request).

Part 1: See SAP Note 1373111 - Improvements to authorization trace (https://service.sap.com/sap/support/notes/1373111)

Thank you SAP, Wolfgang and Bernhard!

Cheers,

Julius


Thank you Wolfgang, this is a treat

Thank you, Julius, for notifying us ... could you put that someplace into the 'stickies', please?

WolfgangJanzen
Product and Topic Expert

SU53 displays the last failed authorization check (i.e. an invocation of AUTHORITY-CHECK that ended with SY-SUBRC <> 0). That does not necessarily have to be the last authorization check that has been performed ...

ST01 allows you to trace all authorization checks (and other events), regardless of their result. Take care: ST01 works only locally on the current application server instance; you might have to activate the ST01 trace on each application server instance.

Regards, Wolfgang
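
The fallback pattern Wolfgang describes (a strict AUTHORITY-CHECK that fails, followed by a less strict one that passes) is shown below as an added ABAP example; it is not code from this thread or from SAP. The authorization object S_DEVELOP and its activity values 02 (change) and 03 (display) are real, while the report name Z_AUTHCHECK_DEMO and the default object name ZDEMO are assumed for illustration. Run as a user who holds only the display authorization, the report continues in display mode, yet SU53 reports the failed ACTVT=02 check as the "last failed check"; only an ST01 authorization trace records both checks with their return codes.

```abap
REPORT z_authcheck_demo.
* Added example, not from the thread: two AUTHORITY-CHECK statements in a
* fallback pattern. Report name and default object name are assumed.

PARAMETERS: p_obj TYPE tadir-obj_name DEFAULT 'ZDEMO'.

START-OF-SELECTION.
  PERFORM check_access USING p_obj.

FORM check_access USING iv_obj TYPE tadir-obj_name.
  DATA lv_mode TYPE string.

* 1st check: change access (ACTVT 02). If the user lacks it, sy-subrc is 4
* and SU53 now shows S_DEVELOP with ACTVT=02 as the last failed check.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD iv_obj
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc = 0.
    lv_mode = 'CHANGE'.
  ELSE.
* 2nd, less strict check: display access (ACTVT 03). If this returns 0 the
* program proceeds, but SU53 still shows the failed ACTVT=02 check above;
* the ST01 trace lists both checks with their individual return codes.
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
      ID 'DEVCLASS' DUMMY
      ID 'OBJTYPE'  FIELD 'PROG'
      ID 'OBJNAME'  FIELD iv_obj
      ID 'P_GROUP'  DUMMY
      ID 'ACTVT'    FIELD '03'.
    IF sy-subrc = 0.
      lv_mode = 'DISPLAY'.
    ELSE.
* Both checks failed (sy-subrc 4 = authorization not in user master).
* Now the display check is the one SU53 reports.
      MESSAGE 'No authorization for the selected object' TYPE 'E'.
    ENDIF.
  ENDIF.

  WRITE: / 'Access mode:', lv_mode.
ENDFORM.
```

To see the difference in practice, switch on the ST01 authorization trace filtered to your own user before running the report, then compare the trace entries (two S_DEVELOP lines, one with return code 4 and one with 0) against what SU53 shows afterwards.
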


Hello Wolfgang,

> ST01 allows you to trace all authorization
> checks (and other events), irregardless of their
> result. Take care: ST01 works only locally on the
> current application server instance; you might have
> to activate the ST01 trace on each application server
> instance.

are you sure about this?

is there any system parameter by which I can activate this for all of my instances?

What happens if I have 10 Application Servers where my users could be?

regards

nesimi


Yes, I'm pretty sure about that.

No, there is no such "switch" (system parameter) to enable the system-wide trace activation. That would be a "feature / development request" ...

Cheers, Wolfgang

Former Member

Hi,

SU53 - Analyze Authorization check

It is meant to check missing authorizations.

ST01 - Authorization Trace

Choose trace component Authorization check and pushbutton Trace on. The trace is automatically written to the hard disk.

To limit the trace function to your own sessions, choose Edit -> Filter -> Shared. Enter your user ID in field Trace for user only in the displayed dialog box.

Once the analysis is completed, choose Trace off.

Lolla Venkata Murali Krishna