
SUIM for user trace and role analysis

 SUIM (SAP User Information System) is a powerful transaction in SAP Basis that provides a centralized reporting and analysis tool for all aspects of user and authorization management. It acts as a single point of entry to a collection of reports, enabling administrators to quickly retrieve information about users, roles, profiles, authorizations, and change documents. While it is not a "trace" tool in the sense of ST01 or SU53, it is invaluable for analyzing data collected from traces and for understanding the overall authorization landscape.

I. SUIM for User Analysis

SUIM offers a wide array of reports under the "Users" node to analyze user-specific information, especially useful for auditing, troubleshooting, and compliance.

Common User Analysis Reports in SUIM:

  1. Users by Complex Selection Criteria (Report: RSUSR002):

    • Purpose: This is one of the most frequently used reports. It allows you to find users based on a combination of criteria, such as:
      • User name, address data, user type.
      • Assigned roles (single, composite, derived).
      • Assigned profiles.
      • Specific authorization object values (e.g., users with S_TCODE for SE16).
      • User group.
      • Validity dates (users valid on a specific date).
    • Use Cases:
      • "Find all users with the SAP_ALL profile."
      • "List all users assigned to the Z_FI_AR_PROCESSOR role."
      • "Show users belonging to user group 'Basis' who have access to transaction SU01."
      • "Identify all locked users."
  2. Users by Logon Date and Password Change (Report: RSUSR200):

    • Purpose: Crucial for security audits and cleanup. This report helps identify inactive users or users with long-unchanged passwords.
    • Criteria:
      • Last logon date (e.g., users who haven't logged on in the last 90 days).
      • Last password change date (e.g., users whose password hasn't changed in the last 180 days).
      • Users with initial passwords (which often expire after a certain period).
    • Use Cases:
      • "Generate a list of users who have not logged on in the last 6 months for deactivation/deletion."
      • "Identify users who haven't changed their password in a year, for compliance purposes."
  3. Users with Critical Authorizations (Reports: RSUSR005, RSUSR008_009_NEW):

    • Purpose: These reports help identify users who possess potentially dangerous combinations of authorizations, which could lead to Segregation of Duties (SoD) violations or unauthorized access.
    • Mechanism: These reports use pre-defined lists of critical authorization objects/values (or customizable definitions) to flag users.
    • Use Cases:
      • "Find users who can create purchase orders AND release payments."
      • "Identify users with debug and change authorization in production (S_DEVELOP with ACTVT=02 and OBJTYPE=DEBUG)."
  4. Users by Address Data (Report: RSUSR002_ADDRESS):

    • Purpose: Allows searching for users based on their address details, like first name, last name, department, or telephone number. Useful for locating users based on non-technical criteria.
  5. Users Who Are Locked Due to Failed Logon Attempts (Report: RSUSR006):

    • Purpose: Provides a quick list of users whose accounts are locked due to exceeding the maximum allowed incorrect password attempts (login/fails_to_user_lock). This is a common first check when users report they cannot log in.
  6. Comparison Reports (under "Comparison" node, e.g., RSUSR050):

    • Purpose: Allows comparing authorization data between two users (or roles/profiles/authorizations). You can compare user A in client 100 with user B in client 200 of the same system, or even compare users across different SAP systems (if CUA is not in use, or to verify CUA synchronization).
    • Use Cases:
      • "Compare the authorizations of a new user with an existing user performing a similar job function to ensure consistency."
      • "Verify if user A in Development has the same access as user B in Quality."
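To show how the three RSUSR200 criteria from item 2 combine in practice, here is an added Python example (not from the original post, and not SAP code) that applies the 90-day logon, 180-day password and initial-password checks to constructed user records such as an export of the report would contain. The 7-day grace period for initial passwords is an assumed parameter; users who never logged on or never changed their password are treated as stale rather than skipped, which is the edge case cleanup scripts most often get wrong.

```python
from datetime import date

# Constructed sample records (not from any real system), shaped like the
# fields RSUSR200 evaluates: user, last logon, last password change,
# password-is-initial flag. None means "never happened".
USERS = [
    ("JSMITH",  date(2024, 5, 20), date(2024, 1, 15), False),
    ("AKUMAR",  date(2023, 11, 2), date(2023, 11, 2), False),
    ("NEWHIRE", None,              date(2024, 5, 28), True),
    ("BASIS1",  date(2024, 6, 1),  None,              False),
    ("OLDSVC",  None,              None,              False),
]


def stale(last, days, today):
    """True when the event never happened or lies more than `days` before `today`."""
    return last is None or (today - last).days > days


def logon_review(users, today, max_idle=90, max_pw_age=180, initial_grace=7):
    """Classify users the way the RSUSR200 criteria do; one user can hit several.

    max_idle / max_pw_age mirror the 90-day and 180-day examples in the post;
    initial_grace (days an initial password may stay unused) is an assumed value.
    """
    findings = {}
    for name, last_logon, last_pw, initial in users:
        reasons = []
        if stale(last_logon, max_idle, today):
            reasons.append("inactive")
        if stale(last_pw, max_pw_age, today):
            reasons.append("password_unchanged")
        if initial and stale(last_pw, initial_grace, today):
            reasons.append("initial_password_expired")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in logon_review(USERS, date(2024, 6, 30)).items():
        print(f"{user}: {', '.join(reasons)}")
```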

II. SUIM for Role Analysis

SUIM is indispensable for understanding the content of roles, their assignments, and their overall structure.

Common Role Analysis Reports in SUIM:

  1. Roles by Complex Selection Criteria (Report: RSUSR070):

    • Purpose: Search for roles based on various criteria, similar to users, but focused on role attributes.
    • Criteria:
      • Role name, description.
      • Last changed by, last changed on.
      • Single, composite, or derived roles.
      • Roles assigned to a specific user or user group.
    • Use Cases:
      • "Find all roles modified in the last month."
      • "List all composite roles."
  2. Single Roles by Authorization Data (Report: RSUSR080 or similar for specific objects):

    • Purpose: This is extremely powerful for identifying which roles grant specific authorizations. You can search for roles containing a particular authorization object, or even specific values within an object's fields.
    • Criteria:
      • Authorization object name (e.g., S_TCODE, F_BKPF_BUK).
      • Authorization field name (e.g., ACTVT, BUKRS).
      • Specific field values (e.g., 01 for create, 1000 for company code).
    • Use Cases:
      • "Which roles allow users to create sales orders (V_VBAK_AAT with ACTVT=01)?"
      • "Find all roles that grant SAP_ALL profile (a bad practice, but useful for audit)."
      • "Identify roles that provide write access (ACTVT=02) to the GL Accounts authorization group."
      • "Find roles with S_RFC access to a specific function group or module."
  3. Roles by Transaction Assignment (Report: RSUSR010):

    • Purpose: Find roles that contain specific transaction codes in their menu.
    • Criteria: Transaction code (e.g., PFCG, SE38, FB01).
    • Use Cases:
      • "Which roles allow access to ME21N (Create Purchase Order)?"
      • "Find all roles containing critical transactions like SA38 or SE37."
  4. Where-Used Lists (under "Where-Used List" node, e.g., RSUSR060):

    • Purpose: Determine where a particular entity is used.
    • Examples:
      • Where is a Role Used? (By users, by composite roles, by derived roles). "Which users are assigned to role Z_FI_AP_PROCESSOR?"
      • Where is a Profile Used? (By roles, by users).
      • Where is an Authorization Object Used? (By roles). "Which roles contain the S_DEVELOP authorization object?"
      • Where is a Transaction Used? (In which roles' menus).
  5. Evaluating Applications in Role Menus (Report specific to Fiori/NetWeaver Gateway):

    • Purpose: For Fiori-enabled systems, this report helps analyze which Fiori catalogs, groups, and applications are included in role menus.
    • Use Cases:
      • "Find roles containing a specific Fiori Catalog."
      • "List all Fiori apps assigned to a particular role."
  6. Evaluating Startable Applications in Roles:

    • Purpose: This report identifies which applications (transactions, reports, Fiori apps) contained within a role's menu are actually executable based on the authorizations within the role. It helps detect inconsistencies between the menu and the actual authorizations.

III. SUIM for Change Document Analysis

SUIM also allows you to audit changes made to user and authorization master data. This is critical for security and compliance.

  1. Change Documents for Users (Report: RSUSR100):

    • Purpose: Track changes made to user master records (e.g., password resets, locks/unlocks, changes to user groups, validity dates).
    • Criteria: User name, date, user who made the change.
  2. Change Documents for Profiles (Report: RSUSR101):

    • Purpose: Track changes to authorization profiles.
  3. Change Documents for Authorizations (Report: RSUSR102):

    • Purpose: Track changes made to the authorization objects and field values within roles. This is very useful for investigating why an authorization might have suddenly stopped working.

How SUIM Supports Authorization Troubleshooting

While SU53 and ST01 are your primary tools for identifying missing authorizations in real-time, SUIM complements them by providing the context and solution options:

  1. Pinpointing the Solution: Once SU53 or ST01 identifies a missing object (e.g., F_BKPF_BUK for company code 2000), you use SUIM's "Roles by Authorization Data" (or "Roles by Complex Selection Criteria" with authorization object details) to find:

    • Existing Roles: "Do we already have a role that grants F_BKPF_BUK for company code 2000 with ACTVT=03?" This prevents role proliferation.
    • Similar Roles: "Which roles have F_BKPF_BUK for other company codes? We can use one of these as a template for a new role or to modify an existing one."
  2. User-Role Assignment Verification: If a user reports an issue, you can use "Users by Complex Selection Criteria" to quickly check:

    • If the user is assigned the expected roles.
    • If their account is locked or expired.
  3. Audit and Compliance: SUIM reports are heavily used during internal and external audits to demonstrate compliance with security policies (e.g., password aging, critical access review, SoD analysis).

  4. Role Design and Clean-up:

    • "Roles by Transaction Assignment" helps to see if a transaction is still in use or if its role can be deprecated.
    • "Users by Logon Date" combined with "Where-Used List for Roles" helps identify roles that are no longer needed because their assigned users are inactive.
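As an added example (not from the original post and not SAP's own implementation), the following Python reproduces the matching logic behind "Roles by Authorization Data" and the critical-authorization reports used in "Pinpointing the Solution" above and in section I.3: SAP-style field values ('*', trailing '*' patterns, low/high ranges) are checked per authorization instance, so a role whose BUKRS and ACTVT values sit in two different authorizations of F_BKPF_BUK is correctly not reported for company code 2000 with ACTVT=03. The role, user and authorization data are constructed; the same matcher then answers the critical-combination question from section I.3 (S_DEVELOP with ACTVT=02 and OBJTYPE=DEBUG).

```python
from collections import defaultdict

# Constructed sample data (not from any real system). One row per field of one
# authorization instance: (role, auth_id, object, field, low, high).
ROLE_AUTHS = [
    ("Z_FI_AR_PROCESSOR", "A1", "F_BKPF_BUK", "BUKRS",   "1000",  ""),
    ("Z_FI_AR_PROCESSOR", "A1", "F_BKPF_BUK", "ACTVT",   "01",    "03"),
    ("Z_FI_DISPLAY_ALL",  "A1", "F_BKPF_BUK", "BUKRS",   "*",     ""),
    ("Z_FI_DISPLAY_ALL",  "A1", "F_BKPF_BUK", "ACTVT",   "03",    ""),
    ("Z_FI_CC2000",       "A1", "F_BKPF_BUK", "BUKRS",   "2000",  "2999"),
    ("Z_FI_CC2000",       "A1", "F_BKPF_BUK", "ACTVT",   "03",    ""),
    ("Z_FI_SPLIT",        "A1", "F_BKPF_BUK", "BUKRS",   "2000",  ""),   # 2000 only with ACTVT 01
    ("Z_FI_SPLIT",        "A1", "F_BKPF_BUK", "ACTVT",   "01",    ""),
    ("Z_FI_SPLIT",        "A2", "F_BKPF_BUK", "BUKRS",   "1000",  ""),   # ACTVT 03 only for 1000
    ("Z_FI_SPLIT",        "A2", "F_BKPF_BUK", "ACTVT",   "03",    ""),
    ("Z_DEV_DEBUG",       "A1", "S_DEVELOP",  "ACTVT",   "02",    ""),
    ("Z_DEV_DEBUG",       "A1", "S_DEVELOP",  "OBJTYPE", "DEBUG", ""),
]
USER_ROLES = {  # constructed user-to-role assignments
    "JSMITH": ["Z_FI_AR_PROCESSOR"],
    "AKUMAR": ["Z_FI_CC2000", "Z_DEV_DEBUG"],
    "BASIS1": ["Z_FI_DISPLAY_ALL"],
    "RSINGH": ["Z_FI_SPLIT"],
}


def value_matches(value, low, high):
    """SAP-style field check: '*' matches all, trailing '*' is a prefix, low/high is a range."""
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return value == low


def roles_granting(auths, obj, required):
    """Roles with ONE authorization instance of `obj` satisfying every field in `required`."""
    instances = defaultdict(lambda: defaultdict(list))  # (role, auth_id) -> field -> [(low, high)]
    for role, auth_id, o, field, low, high in auths:
        if o == obj:
            instances[(role, auth_id)][field].append((low, high))
    hits = {role for (role, _), fields in instances.items()
            if all(any(value_matches(v, lo, hi) for lo, hi in fields.get(f, []))
                   for f, v in required.items())}
    return sorted(hits)


def users_with_all(auths, user_roles, requirements):
    """Users whose roles together cover every (object, fields) pair, e.g. a critical combination."""
    return sorted(user for user, roles in user_roles.items()
                  if all(set(roles) & set(roles_granting(auths, obj, req)) for obj, req in requirements))
```

Calling `roles_granting(ROLE_AUTHS, "F_BKPF_BUK", {"BUKRS": "2000", "ACTVT": "03"})` answers the "Existing Roles" question, dropping the ACTVT constraint answers the "Similar Roles" one, and `users_with_all` with the S_DEVELOP requirement lists the users that RSUSR005-style checks would flag.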

In essence, SUIM is the SAP Basis and Security administrator's reporting hub. It's not about real-time tracing, but about comprehensive data retrieval and analysis to support robust user and authorization management, troubleshooting, and audit activities.
