In the Business Analyst role in an SAP shop, it may be helpful to know what Roles or Users have access to a particular transaction code. Here’s a little tip that lets you do all sorts of queries about the authorizations in your SAP system.
Use T-code: AUTH to Access “Infosystem Authorizations” Menu
To get started, enter AUTH into the command bar in SAP and then hit ‘ENTER’ or the Green check ball. The menu will change to the “Infosystem Authorizations” menu, which contains various t-codes for viewing the authorizations in the system.
There are numerous options to view authorizations by: User, Roles, Profiles, Authorizations, Authorization Objects, Transactions, etc.
I recently wanted to see the Users and Roles that had access to FI12. I used:
- Users / Users by Complex Selection Criteria / By Transaction Authorizations
- Roles / By Transaction Assignment
- Roles / By Authorization Object
When you’re working on security or trying to figure out who can get something done for you in Production, this is indispensable!
This document briefly covers the SAP User Information System (SUIM) transaction for security beginners and SAP BASIS administrators who are not familiar with it. Kindly provide your valuable comments/feedback so that it will be helpful for me and others.
As part of audit or security activities, we may need to get active user IDs, roles, profiles, change documents, etc. Getting those details requires many reports in the ABAP system, for example the RSUSR002 report for user selection by complex criteria. We can’t remember all the reports, so SAP put the execution options for all of them together in a single transaction: SUIM.
The SUIM initial screen looks like the attached screen below. It has options for listing users, roles, profiles, authorizations, authorization objects, transactions, comparisons, where-used lists and change documents.
The User node is used to extract a list of users based on our selection criteria. For example, we can get locked users, users who have particular roles or profiles, users by address data, users who have access to a particular transaction, etc.
The attached sample screen shows users by complex selection criteria. You can apply multiple selection conditions simultaneously.
Further selection conditions for users are shown in the screen below. If CUA is configured, you can check users by system, roles, profiles and license data.
SUIM is a useful tool for searching roles and profiles. If you want to assign a list of transactions to a particular user ID, you can search the roles by transaction assignment in SUIM and assign those roles to that user ID.
For example, I want to list the roles which have the transactions DB02, ST06 and SU01. Double-click on “By Transaction Assignment” and provide the transactions with AND conditions. You will get the list of roles which have the specified transactions.
In this way, you can search for roles by name, by assignment and by multiple selection conditions together.
Profiles, authorizations and authorization objects:
Searching for profiles, authorizations and authorization objects works the same way as the role search in SUIM. You can search for profiles by name, by roles and by other multiple selection criteria.
We can search for the transactions in particular roles, executable by users, etc. For example, if I want to list the transactions which are executable for user AAA, I can use the option “Executable by user”. In this way, you can get the transaction list with multiple selection conditions.
If you execute it with the DDIC user ID, it will show the transactions which are executable for DDIC.
SUIM lets you compare two users, roles, profiles or authorizations, and compare users across two systems. Here, I have compared the DDIC user ID with ADSCALLER. The “comparison” column is red if the object is not assigned to one of the two users; yellow if the object exists in both users’ master data but the field-level access is different; and green if both user IDs have the authorization object with the same field-level access.
In the same way, you can compare roles, profiles, etc.
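The red/yellow/green rule described above, written out as an added example (not SAP code and not part of the original document). The two users and their authorization values are constructed sample data, and all authorizations a user holds for one object are merged into a single entry, which is a simplification.

```python
# Constructed sample data (not from a real system):
# authorization object -> field -> set of values held by the user.
USER_A = {
    "S_TCODE": {"TCD": {"SU01", "ST06", "DB02"}},
    "S_USER_GRP": {"CLASS": {"*"}, "ACTVT": {"01", "02", "03"}},
    "S_RFC": {"RFC_TYPE": {"FUGR"}, "RFC_NAME": {"*"}, "ACTVT": {"16"}},
}
USER_B = {
    "S_TCODE": {"TCD": {"SU01"}},
    "S_RFC": {"RFC_TYPE": {"FUGR"}, "RFC_NAME": {"*"}, "ACTVT": {"16"}},
}


def compare_users(a, b):
    """Return {object: (colour, detail)} using the colour rule in the text."""
    rows = {}
    for obj in sorted(set(a) | set(b)):
        if obj not in a or obj not in b:
            # Object assigned to only one of the two users.
            holder = "first" if obj in a else "second"
            rows[obj] = ("red", f"only the {holder} user has it")
        elif a[obj] == b[obj]:
            # Same object, same field-level access.
            rows[obj] = ("green", "same field values")
        else:
            # Same object, but at least one field has different values.
            fields = sorted(
                f for f in set(a[obj]) | set(b[obj])
                if a[obj].get(f) != b[obj].get(f)
            )
            rows[obj] = ("yellow", "differs in: " + ", ".join(fields))
    return rows


if __name__ == "__main__":
    for obj, (colour, detail) in compare_users(USER_A, USER_B).items():
        print(f"{obj:12} {colour:7} {detail}")
```

For an access review the yellow rows matter most: both users hold the object, so a name-only comparison would treat them as equal even though one has wider field values.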
The where-used list is used to find where particular roles, profiles, etc. are used in the system. For example, I need to get the assignment of the role Z_xx_yy to users, so I can simply use the where-used list to find all the users who have this role.
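An added example (not SAP code and not part of the original document) that models three of the searches described above over an offline extract: roles by transaction assignment with AND conditions, the transactions a user gets through roles, and the where-used list for a role. The role names, user assignments and validity dates are constructed, and only role-to-transaction assignment is modelled, not the authorization checks SAP performs at runtime.

```python
from collections import defaultdict
from datetime import date

FOREVER = date(9999, 12, 31)

# Constructed extract rows: (role, transaction).
ROLE_TCODES = [
    ("Z_BASIS_MONITOR", "DB02"), ("Z_BASIS_MONITOR", "ST06"),
    ("Z_BASIS_ADMIN", "DB02"), ("Z_BASIS_ADMIN", "ST06"),
    ("Z_BASIS_ADMIN", "SU01"),
    ("Z_USER_ADMIN", "SU01"),
]
# Constructed extract rows: (user, role, valid_from, valid_to).
USER_ROLES = [
    ("AAA", "Z_BASIS_ADMIN", date(2020, 1, 1), FOREVER),
    ("BBB", "Z_BASIS_MONITOR", date(2021, 6, 1), FOREVER),
    ("BBB", "Z_USER_ADMIN", date(2022, 3, 1), FOREVER),
    ("CCC", "Z_BASIS_ADMIN", date(2019, 1, 1), date(2019, 12, 31)),  # expired
]


def _tcodes_by_role():
    index = defaultdict(set)
    for role, tcode in ROLE_TCODES:
        index[role].add(tcode.upper())
    return index


def roles_by_transactions(wanted):
    """Roles that contain every requested transaction (AND condition)."""
    wanted = {t.upper() for t in wanted}
    return sorted(r for r, tc in _tcodes_by_role().items() if wanted <= tc)


def active_roles(user, on):
    """Roles assigned to the user whose validity period covers the date."""
    return sorted(r for u, r, start, end in USER_ROLES
                  if u == user and start <= on <= end)


def where_used(role, on):
    """Users holding the role on the given date."""
    return sorted(u for u, r, start, end in USER_ROLES
                  if r == role and start <= on <= end)


def transactions_of_user(user, on):
    """Union of transactions across all of the user's active roles."""
    index = _tcodes_by_role()
    found = set()
    for role in active_roles(user, on):
        found |= index[role]
    return sorted(found)
```

In this data the AND search returns only Z_BASIS_ADMIN, yet user BBB reaches DB02, ST06 and SU01 through two smaller roles, so a role-level search alone does not answer who can run a combination of transactions.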
The change documents option is really useful for tracking changes in user IDs, roles, role assignments to users, profiles and authorizations. We can see who last changed an object in SU01 or PFCG itself, but we don’t know what change was made. SUIM provides the feature to track the changes made to user IDs, roles and profiles by date, month, year, etc.
Here I am stopping the document, but if you are new to the SUIM transaction, please check the individual nodes and options in detail. It is a very simple and understandable transaction.
Please refer to the link https://help.sap.com/saphelp_nw04/helpdata/en/52/671261439b11d1896f0000e8322d00/content.htm for more information about the SUIM transaction.