Download our eBook: SAP Authorization Concept - Simplied Click Here! (http://www.xpandion.

com/eBooks/sap-authorizations-concept-
(/index.php) simplied.html)

Home (/) / Security&Authorizations (/profiletailordynamicssecurityauthorizations.html) / GRC (/profiletailorgrc.html)

/ SAPLicensing (/SAPLicensing/profiletailorlicenseauditor.html) Blog (/Blog/Latest.html)

How to Use the SAP T-Code SUIM Correctly

General
The SAP T-Code SUIM is one of the most popular T-Codes in SAP among security & authorizations, particularly because it summarizes many
dierent SAP authorization aspects in one place. Although SUIM stands for User Information System, its commonly used to nd answers to
authorization-related questions. Such questions like who has access to this T-Code and which employees can access company code 1000 can
easily and quickly be answered with T-Code SUIM. However, there are some tricks to using SUIM, and SUIMs benets and disadvantages should
be well understood in order not to misuse SUIM. Furthermore, T-Code SUIM can occasionally supply some wrong answers, so users of SUIM
need to be aware of this and should check their results from time to time.

What can be done with SUIM?

In general, using SUIM you can view SAP authorizations in many ways, each one from a dierent angle. The main menu includes high-level views:

User use this when your question is mainly regarding users, i.e. Which user has access to T-Code XXX, or I need a list of users with their last
logon date. Pay attention that over the years SAP has added dierent types of reports under this menu entry like: authorizations-related
reports, usage reports, and general reports such as Users by address data, (which works well but doesnt seem to be related to authorizations).

Roles the short name roles might be misleading because in this context it applies to authorization roles (not job roles). The reports under
this entry are used to nd authorization roles via dierent criteria. If the question is, Which role includes authorization object XXX, then this is
the right menu entry to use.

Proles This menu item, proles, applies to authorization proles, which in fact should not be granted directly to users. The T-Code SUIM
allows the search for authorization proles and, in most cases, this menu path is not needed for common day-to-day questions. That said, this
menu path is perfect for the very popular question, (the number one question from auditors), Who has SAP_ALL or SAP_NEW proles?

Authorizations this is the entry to use to search for combinations of authorization objects and values. SAP denes an Authorization as a
combination of an authorization object with values. Pay attention that after the objects name is entered in the screen, the display changes, so
values can be added to the search criteria.

Read about the basic objects of SAP authorizations and SUIM in our eBook (/eBooks/sap-authorizations-concept-simplied.html)

Authorization Objects this menu allows the search for authorization objects by name or class and each menu entry is basically the same.
Compared to Authorizations above, this entry doesnt include a search option for objects with values, but for the authorization objects
themselves. Searches like Which objects include the word material in their description is a good trigger for using the Authorization Objects
menu path.
Transactions
Download using the traditional
our eBook: (and confusing)
SAP Authorization Concept name Transactions
- Simplied for(http://www.xpandion.com/eBooks/sap-authorizations-concept-
Click Here! T-Codes, SUIM allows the user to search for T-Codes according to
four search criteria: T-Codes for user, T-Codes in an authorization role, T-Codes in authorization prole and T-Codes which include a specic
simplied.html)
authorization object. From our experience, this menu entry is not used very much by most professionals.

Comparisons comparing users and authorization roles are the most utilized options in this SUIM menu entry. Its possible to compare them in
the same system and in remote systems (just press the Across Systems button). The comparison is focused on authorization objects only, so if
you need to compare users by roles for example, this is not the right place.

Where-Used List here you will nd the same reports that are located in other menus in SUIM, but from the need of where the object is used.
In most cases, this menu entry is not used so much because these reports are already located in the menu entries above.

Change Documents this menu path details the changes that occurred for a single object like user, role, etc. For instance, search here to know
what changes were performed on an authorization role over time. Part of SUIMs popularity is based on this menu entry that enables a user to
track changes to authorizations over time.

* Note about Complex Selection Criteria the menu entries: User, Roles, Proles, Authorizations, and Authorization Objects all have the
option to be shown by Complex Selection Criteria. This is an interesting option because it includes additional lters to the selection. In fact, the
report behind the menu path Complex Selection Criteria is the same report behind all the other options, however in other options the lters
are hidden, and in Complex Selection Criteria they are shown.

* Also note: some reports in SUIM have more in depth information than the one in the rst screen. In most reports, when you click on a row, the
system will show you much more data, related to that row. Go ahead and double click on rows in most cases it will reveal more relevant data.

What to be aware of when using SUIM

SUIM has some bugs. Thats not surprising news to people in the software industry, but its mentioned because many authorization experts tend
to rely heavily on SUIM. Just try googling bug in SUIM and wait for the search results youll see that there are many. SAP Notes like 961294
(SUIM | Error when searching for eld values in several elds) have been published during recent years, so be sure to implement the appropriate
ones if they are relevant to your system.

More pitfalls? Read our article: what to be aware when using SUIM (/Security-Authorizations/why-you-should-use-suim-very-carefully-when-
analyzing-sap-authorizations.html)

That said, SUIM is still a very good tool to identify who is granted to what situations when you dont have a tool like ProleTailor Dynamics to
monitor authorizations (/proletailor-dynamics-security-authorizations.html) SUIM is quick and it is free. If your auditors are nagging you about
authorizations, do a pass through SUIM rst and you might nd your answers there. Or, if you need to quickly identify who has access to
company codes SUIM can give good results. For more sophisticated situations, like matrices of users vs. their authorizations or for identifying
whose authorizations should be removed because they are not being used, its highly suggested to implement a professional tool like
ProleTailor Dynamics Security and Authorizations. (/proletailor-dynamics-security-authorizations.html)