How to Use the SAP T-Code SUIM Correctly
The SAP T-Code SUIM is one of the most popular T-Codes in SAP security and authorizations work, particularly because it summarizes many different SAP authorization aspects in one place. Although SUIM stands for “User Information System,” it’s commonly used to find answers to authorization-related questions. Questions such as “who has access to this T-Code” and “which employees can access company code 1000” can be answered quickly and easily with T-Code SUIM. However, there are some tricks to using SUIM, and its benefits and disadvantages should be well understood so that it is not misused. Furthermore, T-Code SUIM can occasionally supply wrong answers, so users of SUIM need to be aware of this and should check their results from time to time.
What can be done with SUIM?
In general, using SUIM you can view SAP authorizations in many ways, each one from a different angle. The main menu includes high-level views:
User – use this when your question is mainly about users, e.g. “Which user has access to T-Code XXX” or “I need a list of users with their last logon date”. Note that over the years SAP has added different types of reports under this menu entry, such as authorization-related reports, usage reports, and general reports like “Users by address data” (which works well but doesn’t seem to be related to authorizations).
Roles – the short name “roles” might be misleading because in this context it applies to “authorization roles” (not job roles). The reports under this entry are used to find authorization roles via different criteria. If the question is, “Which role includes authorization object XXX,” then this is the right menu entry to use.
Profiles – This menu item, “profiles,” applies to “authorization profiles,” which in fact should not be granted directly to users. The T-Code SUIM allows the search for authorization profiles and, in most cases, this menu path is not needed for common day-to-day questions. That said, this menu path is perfect for the very popular question, (the number one question from auditors), “Who has SAP_ALL or SAP_NEW profiles?”
Authorizations – this is the entry to use to search for combinations of authorization objects and values. SAP defines an “Authorization” as a combination of an authorization object with values. Note that after the object’s name is entered on the screen, the display changes so that values can be added to the search criteria.
Authorization Objects – this menu allows the search for authorization objects by name or class, and each menu entry is basically the same. Compared to “Authorizations” above, this entry doesn’t search for objects with values, but for the authorization objects themselves. Searches like “Which objects include the word ‘material’ in their description” are a good trigger for using the “Authorization Objects” menu path.
Transactions – using the traditional (and confusing) name “Transactions” for T-Codes, SUIM allows the user to search for T-Codes according to four search criteria: T-Codes for user, T-Codes in an authorization role, T-Codes in authorization profile and T-Codes which include a specific authorization object. From our experience, this menu entry is not used very much by most professionals.
Comparisons – comparing users and authorization roles are the most utilized options in this SUIM menu entry. It’s possible to compare them in the same system and in remote systems (just press the “Across Systems” button). The comparison is focused on authorization objects only, so if you need to compare users by roles for example, this is not the right place.
Where-Used List – here you will find the same reports that are located in other menus in SUIM, but organized by the need to know where an object is used. In most cases, this menu entry is not used much because these reports are already located in the menu entries above.
Change Documents – this menu path details the changes that occurred for a single object – like user, role, etc. For instance, search here to know what changes were performed on an authorization role over time. Part of SUIM’s popularity is based on this menu entry that enables a user to track changes to authorizations over time.
* Note about Complex Selection Criteria – the menu entries: User, Roles, Profiles, Authorizations, and Authorization Objects all have the option to be shown “by Complex Selection Criteria.” This is an interesting option because it includes additional filters to the selection. In fact, the report behind the menu path “Complex Selection Criteria” is the same report behind all the other options, however in other options the filters are hidden, and in “Complex Selection Criteria” they are shown.
* Also note: some reports in SUIM hold more in-depth information than what is shown on the first screen. In most reports, when you click on a row, the system will show you much more data related to that row. Go ahead and double-click on rows – in most cases it will reveal more relevant data.
What to be aware of when using SUIM
SUIM has some bugs. That’s not surprising news to people in the software industry, but it’s mentioned because many authorization experts tend to rely heavily on SUIM. Just try googling “bug in SUIM” and wait for the search results – you’ll see that there are many. SAP Notes like 961294 (SUIM | Error when searching for field values in several fields) have been published during recent years, so be sure to implement the appropriate ones if they are relevant to your system.
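One way to check a SUIM answer to the “Who has SAP_ALL or SAP_NEW profiles?” question against the underlying tables, as an added example that is not part of the original article. It assumes CSV exports of the standard tables UST04 (user to profile) and UST10C (composite profile to sub-profile), which the article does not name; all sample rows and the SUIM user list are constructed, and the SUIM list is deliberately made to differ so the mismatch report has something to show.

```python
import csv
import io

# Constructed sample data, not from a real system. Assumed layout:
# table exports of UST04 and UST10C saved as CSV with these columns.
UST04_CSV = """BNAME,PROFILE
ALICE,SAP_ALL
BOB,Z_BASIS_COMP
CAROL,Z_FI_DISPLAY
DAVE,Z_NESTED_COMP
ERIN,SAP_NEW
"""
UST10C_CSV = """PROFN,SUBPROF
Z_BASIS_COMP,SAP_ALL
Z_NESTED_COMP,Z_BASIS_COMP
"""
# Constructed: user names copied from the SUIM result list.
SUIM_USERS = {"ALICE", "ERIN"}
CRITICAL = {"SAP_ALL", "SAP_NEW"}

def load_pairs(text, key, value):
    """Read a CSV export into {key: {values}}."""
    pairs = {}
    for row in csv.DictReader(io.StringIO(text)):
        pairs.setdefault(row[key].strip(), set()).add(row[value].strip())
    return pairs

def expand(profile, composites, seen):
    # Collect the profile and every nested sub-profile; 'seen' stops cycles.
    if profile not in seen:
        seen.add(profile)
        for sub in composites.get(profile, ()):
            expand(sub, composites, seen)
    return seen

def critical_users(ust04_text, ust10c_text, critical=CRITICAL):
    """Users holding a critical profile directly or via composite profiles."""
    assignments = load_pairs(ust04_text, "BNAME", "PROFILE")
    composites = load_pairs(ust10c_text, "PROFN", "SUBPROF")
    result = {}
    for user, profiles in assignments.items():
        effective = set()
        for p in profiles:
            expand(p, composites, effective)
        if effective & critical:
            result[user] = sorted(effective & critical)
    return result

def reconcile(suim_users, table_users):
    """Differences between the SUIM list and the table-derived list."""
    return {"missing_from_suim": sorted(set(table_users) - set(suim_users)),
            "only_in_suim": sorted(set(suim_users) - set(table_users))}
```

Any name under `missing_from_suim` or `only_in_suim` is a discrepancy to investigate, whether it comes from the report, the selection criteria used, or the export itself.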
That said, SUIM is still a very good tool to identify “who is granted to what” situations when you don’t have a tool like ProfileTailor Dynamics to monitor authorizations. SUIM is quick and it is free. If your auditors are nagging you about authorizations, do a pass through SUIM first and you might find your answers there. Or, if you need to quickly identify who has access to company codes, SUIM can give good results. For more sophisticated situations, like matrices of users vs. their authorizations, or for identifying whose authorizations should be removed because they are not being used, it’s highly suggested to implement a professional tool like ProfileTailor Dynamics Security and Authorizations.