In April 2013, through SAP Note 1373111, SAP offered enhancements to the popular ST01 authorization trace. These enhancements improve SAP security administrator’s ability to troubleshoot authorization errors using ST01 and help analyze what really is going on with the authorization checks.
FOR_USER – This references the user that the authorization trace is hitting against
TCODE – This indicates through what transaction the authorization check is occurring
REASON – I find this to be the most helpful. There are currently four reason codes:
- A: The authorization object was globally deactivated through transaction AUTH_SWITCH_OBJECTS
- B: The authorization object was locally deactivated through SU24 for this transaction
- C: The S_TCODE check was deactivated through the CALL TRANSACTION via transaction SE97. You can find more information in SE97 in SAP Note 358122
- D: The S_TCODE check through system profile parameter auth/tcodes_not_checked was deactivated. Relates to SU53/SU56.
One issue I had was solved because of this trace enhancement. There was an S_TCODE authorization check with an RC (reason code) of zero even though the user did not have access to the transaction through S_TCODE. Reason code C came up and we had to update the transaction via SE97.