Tag: SUIM

SUIM is like a swiss knife for the authorization consultant. It has so many reporting tools it can basically answer any question.

Questions that will be answered in this blog are:

• What are the most useful tools in SUIM?
• How can I list users that never logged on to the system?
• How can I list users that are locked, or have password issues?
• How can I list users with critical authorizations?

SUIM

The SUIM tool is started with transaction SUIM:

Here you can select the reports from the different categories.

Most useful SUIM reports

In the subsections below you can find the most useful and most used SUIM reports.

Actual user columns are hidden in the examples below for privacy protection.

User with logon data and password change

Query need: to list when users did logon for the last time and when they last changed their password. This query can be very useful when you have to clean up for the yearly license measurement.

In SUIM select this report:

Start screen:

Example result screen:

Check on users with specific authorization value

One of the most used SUIM reports is to list which users have a specific authorization value:

In this example we will lookup users which have rights for debugging (object S_DEVELOP, value DEBUG):

On the result list you can see all users. Select the user you are interested in and select the button In Accordance with Selection to find out which role has the specifically requested authorization object:

Result can be multiple roles as well:

Remark: there are 3 single roles here which contain the object. The 3 roles are in 1 composite role that is assigned. That is why the number on top shows 1 roles and there are 3 detail lines.

Check on most common critical authorizations

SUIM has a nice check program to check on the most common critical authorizations:

You can select the default SAP variant and use display variant to see the list of checks:

Open the checks to see the details:

The result list can have many potential issues:

You again use the button In Accordance with Selection to find out which role is cause of the potential issue.

Be careful with the reporting of the numbers. A lot of managers cannot deal with the high amount reported. 'It is unbelievable that I have 91.493 critical authorization issues in my system!'. Most of the issues are simple to fix and bring the numbers down dramatically. Or some of the items are not relevant in your situation. Always handle the numbers with care.

OSS notes

SUIM is constantly being improved. There are many small bug fix OSS notes. Don’t be scared off by the length of the list. SUIM is a very large function. So it will have many OSS notes.

Bug fix notes to consider:

• 2476795 – SUIM | Wrong results when searching for authorization objects or values
• 2756179 – SUIM | RSUSR100N ‘Initial User Type’ is not displayed in the result list
• 2849900 – SUIM | RSUSR100 – incorrect change documents for profiles
• 2877507 – RSUSR002 – Incorrect results for transaction code
• 2886230 – SUIM | RSSCD100_PFCG – display of technical information for role menu entries
• 2888449 – SUIM | RSUSR100N – ‘Old Value’ and ‘New Value’ are not displayed for locks
• 2914923 – SUIM | RSUSR_ROLE_MENU does not find tile groups
• 2933933 – SUIM | incorrect texts for application type in SU2X_SHOW_HISTORY
• 2943963 – SUIM | Incorrect result for search for non-existent profile in RSUSR002
• 2953508 – SUIM – incorrect authorization check in RSUSR050
• 2959175 – SUIM: Search/display for authorization values with conversion exit is inconsistent
• 2959175 – SUIM: Search/display for authorization values with conversion exit is inconsistent
• 2960453 – SUIM | RSUSR_ROLE_MENU result list without derived roles
• 2962922 – SUIM | RUSR100N – change documents for person responsible
• 2966728 – SUIM | RSUSR100N – change documents display unnecessary entry for SNC names
• 2975206 – SUIM | result list is incomplete
• 2978102 – SUIM | RSUSR100N displays an incorrect change document: ‘Current Profile’
• 2984334 – User locked due to incorrect logon
• 3006632 – SUIM: Formatting of the header in result lists
• 3025197 – RSUSR200 | performance optimization and print output optimization
• 3028960 – RSUSR002 | Performance & functions for navigation in the result list
• 3046369 – RSUSR070 | performance and list header
• 3050636 – RSUSR002_ADDRESS displays invalid personnel numbers for a user
• 3058871 – RSUSR050 | Performance during user comparison with a very large number of authorizations
• 3063146 – RSUSR100N ignores authorization check for object S_USER_GRP
• 3076892 – SUIM | RSSCD100_PFCG displays an incomplete result list for archive data to be taken into account
• 3078602 – SUIM | RSUSR100N – transaction code is not displayed in the result list
• 3078714 – SUIM | RSUSR070 – selection criteria are not displayed correctly
• 3085343 – RSUSR002 | Runtime error for extremely extensive selection criteria/evaluations
• 3100941 – SUIM | ITAB_DUPLICATE_KEY for same selection criteria
• 3113345 – SUIM | Reporting for User Documentation
• 3121305 – SUIM | RSSCD100_PFCG – header data incorrect
• 3146884 – SUIM | Enhancement of User Information System
• 3158039 – SUIM | Enhancement and optimization of list headers
• 3192389 – SUIM | RSUSR100N displays incorrect change documents
• 3201282 – SUIM | Error in comparison of users
• 3203938 – SUIM | Date format incorrect in evaluation of change documents for users
• 3219149 – SUIM | prerequisite for search help for SU2X application types
• 3224200 – SUIM | RSUSR003 displays lock by unsuccessful logon
• 3225166 – SUIM | RSUSR_START_APPL – error in value help for application type
• 3241895 – SUIM | Reference user is not taken into account correctly during search for roles
• 3245672 – SUIM | selection criteria with incorrect criteria names
• 3247135 – SUIM | SUSR_SUIM_API_RSUSR070 – performance improvement
• 3252950 – SUIM | optimization for update of change documents
• 3264972 – SUIM | optimization for RSUSR002 and RSUSR100N
• 3267873 – SUIM | Enhancement of help functionality