Maybe I am being cynical here, but I would still say that it's very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched with the tcode “STAUTHTRACE”. The start screen for it is shown below.
As you can see from the opening screen itself, STAUTHTRACE allows us to start a trace on multiple app servers from a single screen. Most of us work on systems which have multiple app servers. Navigating to each server, starting a trace on each of them, checking which server the user actually logged on to and finally switching off the trace on every server is a royal pain. This is how the window looks once we try to start the trace on multiple servers. Since the screenshots are from a development box with a single application server, only one server appears in the list; on a larger system the list shows every app server that is part of the system.
To start a trace we can filter on a particular user or trace all users in the system, and then click the activate trace button. Tracing all users on a busy system produces a very large log, so restricting the trace to the user being investigated is the normal choice. At this point we would ask the user whom we are trying to trace to run the problem transactions and, once the error has been reproduced, we would deactivate the trace using the corresponding button from the toolbar or menu. A trace that is left active keeps writing entries on every server until it is switched off.
To view the authorization log we enter appropriate selection criteria (user, time window, server, return code) in the “Restriction for Evaluation” section and click the execute button. A typical authorization log looks like the one shown below.
As you can see, the tabular format of the log is so much better than the old trace file. We can easily filter the results on the return code (0 for a successful check, 4 for a failed check, 12 for an authorization object that is not in the user's profile at all) or copy the entire log to an Excel file for further analysis. However, to my mind the killer feature of this new trace is the ability to drill down to the ABAP code where the actual AUTHORITY-CHECK statement is being executed. To drill down, double-click on one of the rows, or select a row and then follow the menu path Goto > Display Callpoints in ABAP Program. Following these steps in the above log allowed me to jump directly to the following piece of code, where a custom authorization object was being checked in an enhancement.
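To show what the drill-down lands on, here is an added example of the kind of ABAP that produces a line in the trace; it is not the code from the enhancement described above. The custom authorization object Z_CUSTOBJ, its fields ACTVT and WERKS, and the report name are assumptions made for the illustration. The AUTHORITY-CHECK statement is what STAUTHTRACE records (object, checked field values and the resulting sy-subrc), and the sy-subrc values handled here are the same return codes you filter on in the log.

```abap
* Added example, not code from the original post.
* Z_CUSTOBJ, its fields ACTVT and WERKS, and the report name are assumed.
REPORT z_authcheck_demo.

PARAMETERS: p_werks TYPE werks_d DEFAULT '1000'.

" This statement is the callpoint that STAUTHTRACE shows when you
" double-click a log row or use Goto > Display Callpoints in ABAP Program.
" It sets sy-subrc; it does not raise an error or stop the program itself.
AUTHORITY-CHECK OBJECT 'Z_CUSTOBJ'
  ID 'ACTVT' FIELD '03'      " 03 = display
  ID 'WERKS' FIELD p_werks.  " plant taken from the selection screen

" The program must evaluate sy-subrc; forgetting this CASE is the classic
" bug where a check appears in the trace but never actually protects anything.
CASE sy-subrc.
  WHEN 0.
    " RC 0: user holds Z_CUSTOBJ with ACTVT 03 and this plant value
    WRITE: / 'Authorized: display for plant', p_werks.
  WHEN 4.
    " RC 4: user has the object, but not these field values
    WRITE: / 'No authorization for plant', p_werks.
  WHEN 12.
    " RC 12: Z_CUSTOBJ is not in any profile assigned to the user
    WRITE: / 'Authorization object Z_CUSTOBJ not assigned to user'.
  WHEN OTHERS.
    " Other codes indicate a technical problem with the check itself
    " (for example a field that does not belong to the object).
    WRITE: / 'Authorization check error, sy-subrc =', sy-subrc.
ENDCASE.
```

When tracing a failure, compare the field values recorded in the trace row against the user's role data (SU01 / SUIM): an RC 4 with the object present means a missing value such as the plant, while an RC 12 means the object is not in the user's profile at all and the role itself has to be extended.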
Since I just found out about the transaction today, I am still exploring its various features. But even if I don't find anything more, I would be very happy with whatever I have discovered so far.