Evaluate Users and Authorizations

Objectives

After completing this lesson, you will be able to:
  • Use the User Information System to obtain information about authorizations and users
  • Execute the system trace for authorization checks to locate authorization problems

Options for Locating User Information

To obtain an overview of authorizations and users in an SAP system, you can use the user information system.

You start the user information system with transaction SUIM. To start it from user maintenance (transaction SU01), choose the menu path Information → Information System.

As the figure User Information System shows, the user information system provides you with a collection of different reports that help you to evaluate information on users, roles, profiles, authorizations, and so on.

You can display lists that answer various questions, such as the following:

  • Which users have been locked in the system by administrators or failed logon attempts?

  • When did a user last log on to the system?

  • What changes were made in the authorization profile of a user?

  • In which roles is a certain transaction contained?

  • Which users have authorizations assigned to them that are classified as critical?

Hint

We recommend that you regularly check the various lists that are important for you. Define a monitoring procedure and corresponding checklists to make sure that you continually review your authorization plan.

We especially recommend that you determine which authorizations you consider critical and regularly review which users have these authorizations in their profiles.

Optional: User Information System

Business Example

As a user administrator, you want to use User Information System to evaluate information on users and their authorizations.

Note

In this exercise, when the values include ##, replace the characters by the number your instructor has assigned to you.

Task 1: Determine Executable Transactions in a Role

You want to find out which transactions are executable within role Z_BC_ENDUSER_##. To do so, you use the User Information System (transaction SUIM).

Steps

  1. In your assigned SAP system, use the User Information System to determine transactions that are executable for the Z_BC_ENDUSER_## role.

    1. Log on to client 100 in your SAP system.

    2. Start transaction SUIM.

    3. In the tree structure, expand node Transactions.

    4. Choose Executable for Role.

    5. Select radio button With Role.

    6. In the Role field, enter role name Z_BC_ENDUSER_##.

    7. Choose Execute in the bottom right-hand corner.

      Result

      The transactions SU3 and SU53 are executable with role Z_BC_ENDUSER_##.

Records of Authorization Checks

Failed authorization checks can be displayed in transaction SU53. The system shows authorization objects for which the authorization check failed along with the checked values.

In many cases, end users are authorized for SU53 so they can find out themselves which authorizations they are missing.

Hint

Users can only display values for the checked object if they have authorizations for the object S_USER_AUT. Otherwise, the message You are not authorized display authorization values is displayed.

The system administrator can use transaction SU53 to check which authorizations other users are also missing while executing an action. If system administrators have authorizations for S_USER_AUT too, they can also display the values that the user has for the checked object.

System Trace for Authorization Checks

You can record authorization checks in your own and other sessions using the system trace function System Trace for Authorization Checks (transaction STAUTHTRACE). Alternatively, you can also use the authorization check function in the system trace (transaction ST01).

Caution

By default, the system trace records only the checks performed on the same instance (application server) on which the trace was activated.

All checked authorization objects, including the checked field values, are recorded here. The system trace is suited to finding several missing authorizations at once. In this case, you activate the system trace for the authorization check of a dedicated user who has all the authorizations required for the actions to be checked. The actions are then performed with this user. The trace records every authorization check, and you can then evaluate them to see which objects and values a role must contain.
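What SU53 and the system trace actually record is the outcome of an AUTHORITY-CHECK statement in the program that the user executed. The following report is an added example (not part of the lesson or of SAP standard code; the report name Z_AUTH_CHECK_DEMO and the default values are made up) that performs the same S_USER_GRP check the exercise below traces, so the terms object, field, checked value and return code can be seen in code:

```abap
*&---------------------------------------------------------------------*
*& Report Z_AUTH_CHECK_DEMO  (hypothetical name, added example)
*& Demonstrates the check that SU53 / STAUTHTRACE record for S_USER_GRP.
*&---------------------------------------------------------------------*
REPORT z_auth_check_demo.

" Field values to be checked; the defaults are constructed for this example.
PARAMETERS: p_class TYPE xuclass    DEFAULT 'SUPER',  " user group
            p_actvt TYPE activ_auth DEFAULT '02'.     " activity 02 = change

" The trace records exactly this: the object, its fields and the values
" that are compared against the authorizations in the user's profiles.
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' FIELD p_class
  ID 'ACTVT' FIELD p_actvt.

CASE sy-subrc.
  WHEN 0.
    WRITE: / 'Check passed: S_USER_GRP with CLASS', p_class, 'ACTVT', p_actvt.
  WHEN 4.
    " The user has the object, but not with these field values.
    " This is the typical entry SU53 shows as a failed check.
    WRITE: / 'Check failed (rc 4): no authorization for CLASS', p_class,
             'ACTVT', p_actvt.
  WHEN 12.
    " The object does not occur in the user's profiles at all.
    WRITE: / 'Check failed (rc 12): user has no authorization for S_USER_GRP'.
  WHEN OTHERS.
    " Other return codes indicate a technical problem with the check itself,
    " for example field names that do not match the object definition.
    WRITE: / 'Check failed, sy-subrc =', sy-subrc.
ENDCASE.
```

Running the report under a user with and without the corresponding authorization, with the trace switched on, produces one trace record per execution with the same object, field values and return code that the CASE branches evaluate; a return code other than 0 is what appears in SU53 as the last failed check.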

If you want to use values from traces easily when maintaining authorization defaults or roles, see SAP Note 1631929 (Using trace evaluation to maintain menus and authorizations).

Optional: System Trace for Authorization Checks

Business Example

You want to record authorization checks and their values for specific users in the system.

Note

In this exercise, when the values include ##, replace the characters by the number your instructor has assigned to you.

Steps

  1. Start the System Trace for Authorization Checks (transaction STAUTHTRACE) and activate the trace for your TRAIN-## user.

    1. Log on to client 100 in your SAP system.

    2. Start transaction STAUTHTRACE.

    3. In the Trace for user only field, enter your TRAIN-## user.

    4. Choose Activate Trace.

      Result

      The authorization trace is switched on.

  2. In a new GUI window, start the User Maintenance (transaction SU01) and set the title for your own user.

    1. Call transaction SU01 in a new GUI session (for example, with /oSU01).

    2. In the user field, enter your user name (TRAIN-##).

    3. Choose Change.

    4. On the Address tab, select a title.

    5. Choose Save in the bottom right-hand corner.

  3. Deactivate the trace and evaluate the generated system trace for authorization checks.

    Which authorization objects have been checked?

    ___________________________________________

    Was the authorization check of S_USER_GRP successful?

    ___________________________________________

    1. Go back to the session with System Trace for Authorization Checks.

    2. Choose Deactivate Trace.

    3. Filter the results for your user only by entering your user name (TRAIN-##) in the Restrictions for the Evaluation section.

    4. Choose Evaluate to analyze the trace results.

      Result

      The authorization objects that have been checked are shown in the Objects column. The check of authorization object S_USER_GRP was successful.

Related Information

More information on User Administration topics can be found in the SAP S/4HANA online documentation, path Product Assistance → English → Enterprise Technology → ABAP Platform → Securing the ABAP Platform → Security and User Administration → User Administration and Identity Management in ABAP Systems.

In addition, the following SAP Notes cover topics presented in this lesson:

  • SAP Note 2467: Password rules and preventing incorrect logons
  • SAP Note 862989: New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
  • SAP Note 1631929: Using trace evaluation to maintain menus and authorizations
