(This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots).
When SAP audit time comes, auditors direct security administrators to run a set of reports in the User Information System via the SAP transaction code (T-Code) SUIM. These reports let them inquire about users' SAP authorization data and sensitive authorization objects.
SUIM can be confusing to the novice user, and often to the auditor as well. Making decisions, let alone reporting defects on a customer's system, based on SUIM data is a mistake if the person using SUIM does not understand the tool's limitations.
For example, the SAP audit report entitled “T-Codes that can be executed by users” is often used to identify users who can perform sensitive activities, like F110 for “Payment Run/Automatic Payment Transactions” or FB02 for “Change a financial document.” Even if this report showed what its name promises, “T-Codes that can be executed by users,” it still refers to theoretical SAP authorizations and not in-practice SAP authorizations. In other words, this report presents who is able to execute F110, not who really executed F110.
Therefore, no decision to remove a sensitive SAP authorization should be made based solely on this report or any other SUIM report, and the auditor needs to further inspect activity logs for each activity and each user.
If You Misuse SUIM, You Don’t Get the Whole Picture
The main disadvantage of this report's default interface is that it decides who is allowed to run a T-Code based on the value of a single SAP authorization object (S_TCODE), regardless of the mode (read, write, view only) in which the T-Code is used. Holding the right value in S_TCODE alone is not enough to use an activity. Furthermore, some activities behave completely differently depending on the values a user holds in authorization objects other than S_TCODE. You can only imagine the amount of errors this creates.
Bottom Line: Checking S_TCODE Is Not Sufficient for Drawing Meaningful Conclusions (or Making Allegations)
SUIM does offer a standard way to do this, but it is cumbersome: you must know beforehand which SAP authorization objects, and which values in them, are required for the exact situation being checked. From our experience, this is not a simple task and is rarely done by auditors.
So… What Can You Do If Your Auditor Uses SUIM to Analyze SAP Authorizations?
First, be aware of how SUIM operates and know its limitations, and try to explain to your auditor that the results are not necessarily accurate. Second, suggest adding the relevant SAP authorization objects and their values for each checked T-Code, so that the output actually answers the question being asked.
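The difference between the S_TCODE-only view and a check that includes the additional authorization objects is easiest to see on a small model. The following Python script is an added example, not code from the original article or from any SAP or Xpandion product: it holds constructed authorization data for three hypothetical users and an assumed activity-mode table mapping a T-Code and mode to the extra object/field/values it needs. S_USER_GRP (user maintenance) and F_BKPF_BUK (accounting document by company code) are real SAP authorization objects, but the exact values each T-Code checks must be confirmed on your own system; the mapping here is illustrative.

```python
"""Added example: why an S_TCODE-only check over-reports who can use a T-Code.

The sample authorization data and the T-Code/mode requirement table below are
constructed for illustration; they are not an export from a real SAP system.
"""

# Constructed sample data: user -> list of (authorization object, field, values).
# A value of "*" stands for the SAP full wildcard, as in real profiles.
USER_AUTHS = {
    "alice": [
        ("S_TCODE", "TCD", {"SU01"}),
        ("S_USER_GRP", "CLASS", {"*"}),
        ("S_USER_GRP", "ACTVT", {"03"}),              # display only
    ],
    "bob": [
        ("S_TCODE", "TCD", {"SU01", "FB02"}),
        ("S_USER_GRP", "CLASS", {"*"}),
        ("S_USER_GRP", "ACTVT", {"01", "02", "03"}),  # create/change/display
        ("F_BKPF_BUK", "BUKRS", {"*"}),
        ("F_BKPF_BUK", "ACTVT", {"02", "03"}),
    ],
    "carol": [
        ("S_TCODE", "TCD", {"FB02"}),
        # No F_BKPF_BUK at all: S_TCODE says "yes", the full check says "no".
    ],
}

# Assumed activity-mode table: which object/field/values a T-Code needs in a
# given mode *besides* S_TCODE. The object names are real SAP objects; the
# exact mapping is illustrative and must be confirmed per system and release.
ACTIVITY_MODES = {
    ("SU01", "Display"): [("S_USER_GRP", "ACTVT", {"03"})],
    ("SU01", "Change"):  [("S_USER_GRP", "ACTVT", {"02"})],
    ("FB02", "Change"):  [("F_BKPF_BUK", "ACTVT", {"02"})],
}


def has_value(user, obj, field, required):
    """True if the user holds any of `required` (or the "*" wildcard) for obj/field."""
    for o, f, values in USER_AUTHS.get(user, []):
        if o == obj and f == field and ("*" in values or values & required):
            return True
    return False


def can_run_tcode_only(user, tcode):
    """The S_TCODE-only view that SUIM's default report gives."""
    return has_value(user, "S_TCODE", "TCD", {tcode})


def can_run_in_mode(user, tcode, mode):
    """S_TCODE plus every additional object/field/value the mode needs."""
    if not can_run_tcode_only(user, tcode):
        return False
    requirements = ACTIVITY_MODES[(tcode, mode)]
    return all(has_value(user, o, f, vals) for o, f, vals in requirements)


def report(tcode, mode):
    """Return (users per S_TCODE-only check, users per full check), both sorted."""
    users = sorted(USER_AUTHS)
    naive = [u for u in users if can_run_tcode_only(u, tcode)]
    full = [u for u in users if can_run_in_mode(u, tcode, mode)]
    return naive, full


if __name__ == "__main__":
    for tcode, mode in ACTIVITY_MODES:
        naive, full = report(tcode, mode)
        print(f"{tcode} {mode:8s} S_TCODE only: {naive}  full check: {full}")
```

Running it shows the over-reporting the article describes: for SU01 in "Change" mode the S_TCODE-only list names alice and bob, while only bob holds ACTVT 02 in S_USER_GRP; for FB02 the S_TCODE-only list includes carol, who has no F_BKPF_BUK authorization at all. Even the full check still describes theoretical access, so the activity logs remain the place to confirm who actually executed a transaction.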
Alternatively, you can simply use Xpandion’s ProfileTailor Dynamics solution, which has about 60,000 predefined SAP activity modes, and then search for all users that can use activity SU01 with mode “Change,” for example.