
WHY AUDITORS SHOULD USE SUIM VERY CAREFULLY
Introduction

In many SAP audits or audit-related processes involving SAP systems – either while preparing for an
audit or prior to a regular inspection for audit purposes – customers are guided by their auditors
to use SAP T-Code SUIM (User Information System). Sometimes the auditors themselves use SUIM to
better understand customers’ authorizations and sensitive objects. The SUIM activity (in SAP terms
“Transaction” or “T-Code”) can be confusing to the novice user, and often to the auditor as well.
Making decisions, and even more so announcing defects in the customer’s systems, based on data
from SUIM can be a mistake if the person using SUIM does not understand this activity’s limitations.

This document focuses on one audit report, the one most used in audits: T-Codes that can be
executed by users. It is also the simplest report in which to demonstrate how SUIM works and what you
need to know when reading its data. The full path of this report inside SUIM is: User Information System
-> User -> By Transaction Authorizations, and the ABAP program behind it is RSUSR002. This report
is often used to identify users who can perform sensitive activities, for example F110 (Payment Run/
Automatic Payment Transactions) or FB02 (Change a Financial Document). Of course, even if this report
did what its name promises, it would still refer to theoretical authorizations and not to authorizations
in practice. In other words, this report presents who is able to execute F110; it does not deal with
who really executed activity F110.

Therefore, no decision to remove a sensitive authorization should be made based solely on this report (or
any other SUIM report), and the auditor needs to further inspect activity logs for each activity and each user.

Figure 1: SUIM report example – users who can use T-Code F110 (Payment Run)

The main disadvantage of this report’s default interface is that it checks who is allowed to start
a T-Code based on a single authorization object’s value, regardless of the mode (read, write, view
only) in which the T-Code is used. This authorization object, named S_TCODE, controls the initial
operation of each T-Code at the exact moment of the call. When any T-Code is called, SAP automatically
checks whether the user is authorized for this T-Code, even before running the ABAP program behind it.
If users have the appropriate value for the object S_TCODE in one of the authorization roles to which
they are assigned, SAP calls the ABAP program behind the T-Code. If not, an error message appears
telling the users that they lack the required authorizations.

What is the problem? Having the appropriate value in S_TCODE is simply not enough to use an activity.
The vast majority of SAP T-Codes check 20-30 different authorization objects and values in order to
operate correctly. Take for example T-Code FB02 (Change Financial Documents): this activity checks no
less than 66 different authorization objects and their values during its operation, starting with
F_BKPF_BUK for the company code and the well-known F_BKPF_KOA (Authorization Object for Account Type).
Of course, not all 66 objects are checked in every use of FB02; however, in each way of using it some
objects are checked for certain. Most T-Codes check 1-2 objects on the first couple of lines and then,
according to the exact user’s usage, additional authorization checks are conducted. If users do not
have the appropriate authorizations, the activity is not performed, either partially or at all.
Furthermore, some activities behave totally differently if users have other values in authorization
objects other than S_TCODE.

The list of authorization objects for an activity can be found in T-Code SU24, which in itself has
some problems, the main one being that the data must be maintained manually, either by SAP or by the
customer (for Z-Transactions).

Figure 2: T-Code SU24 displaying the required objects for using FB02 (Change Financial Document)

Checking S_TCODE is not sufficient for making meaningful conclusions (and allegations)

The above description explains why an auditor may say “You have 300 users that can use the sensitive
activity FB02,” and yet when you log into the SAP system using one of those risky usernames you get
the annoying No Authorization message. The explanation is that although the user is allowed to start
FB02 by S_TCODE, the user lacks one or more of the other required authorization objects, and therefore
the activity is in fact blocked for him.
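To make the difference concrete, here is an added Python model (not SAP, Xpandion or the author’s code) of the two questions: the default RSUSR002 question, “who passes the S_TCODE check?”, and the runtime question, “who also holds the objects SU24 says the program checks, with the field values the intended mode needs?”. All roles, users and SU24 entries are constructed sample data (two objects stand in for the real 66 of FB02); the object and field names are the standard SAP ones named on this page; and the value matcher handles exact values and trailing `*` wildcards only (SAP ranges are omitted). The same model covers the SU01 helpdesk case described in the next section, where S_USER_GRP ACTVT 05 (lock) is held but ACTVT 02 (change) is not, and the “All Selections” step of adding objects and values to the query.

```python
"""Model of what SUIM's "Users by Transaction Authorizations" (RSUSR002)
checks by default (S_TCODE only) versus the check SAP performs at runtime
(S_TCODE plus the objects listed in SU24).  Added illustration, not SAP or
Xpandion code; every role, user and SU24 entry below is constructed."""

# Constructed SU24-style data: objects, besides S_TCODE, that a T-Code
# checks when it runs.  The real FB02 list has 66 objects; two stand in.
SU24 = {
    "FB02": ["F_BKPF_BUK", "F_BKPF_KOA"],
    "SU01": ["S_USER_GRP"],
}

# Constructed "mode" definitions: the extra object/field values one would
# enter under SUIM's "All Selections".  ACTVT 02 = change, 03 = display,
# 05 = lock/unlock (password reset) are standard SAP activity codes.
MODES = {
    ("FB02", "Change"): {"F_BKPF_BUK": {"ACTVT": "02", "BUKRS": "1000"},
                         "F_BKPF_KOA": {"ACTVT": "02"}},
    ("SU01", "Change"): {"S_USER_GRP": {"ACTVT": "02"}},
    ("SU01", "Change Password"): {"S_USER_GRP": {"ACTVT": "05"}},
}

# Constructed roles: object -> field -> granted values (as maintained in PFCG).
ROLES = {
    "Z_FI_CLERK": {
        "S_TCODE": {"TCD": ["FB02", "F110"]},
        "F_BKPF_BUK": {"ACTVT": ["02", "03"], "BUKRS": ["1000"]},
        "F_BKPF_KOA": {"ACTVT": ["02", "03"], "KOART": ["*"]},
    },
    "Z_FI_DISPLAY": {                       # wildcard: every F* T-Code
        "S_TCODE": {"TCD": ["F*"]},
        "F_BKPF_BUK": {"ACTVT": ["03"], "BUKRS": ["*"]},
        "F_BKPF_KOA": {"ACTVT": ["03"], "KOART": ["*"]},
    },
    "Z_FB02_ONLY": {"S_TCODE": {"TCD": ["FB02"]}},   # nothing beyond S_TCODE
    "Z_HELPDESK": {
        "S_TCODE": {"TCD": ["SU01"]},
        "S_USER_GRP": {"ACTVT": ["05"], "CLASS": ["*"]},
    },
    "Z_USER_ADMIN": {
        "S_TCODE": {"TCD": ["SU01"]},
        "S_USER_GRP": {"ACTVT": ["01", "02", "03", "05", "06"], "CLASS": ["*"]},
    },
}

USERS = {                                   # constructed user -> roles
    "ACLERK": ["Z_FI_CLERK"], "BVIEWER": ["Z_FI_DISPLAY"],
    "CLEFTOVER": ["Z_FB02_ONLY"], "DHELP": ["Z_HELPDESK"],
    "EADMIN": ["Z_USER_ADMIN"],
}


def value_matches(granted: str, required: str) -> bool:
    """SAP field-value matching: exact value, '*' for everything, or a
    trailing '*' wildcard such as 'F*' (value ranges are not modelled)."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def has_authorization(user: str, obj: str, required: dict) -> bool:
    """True if one of the user's roles grants OBJ with every required field
    matched, which is how a single AUTHORITY-CHECK succeeds at runtime."""
    for role in USERS[user]:
        fields = ROLES[role].get(obj)
        if fields is None:
            continue
        if all(any(value_matches(g, want) for g in fields.get(f, []))
               for f, want in required.items()):
            return True
    return False


def users_by_tcode(tcode: str) -> set:
    """The default RSUSR002 question: who passes the S_TCODE check?"""
    return {u for u in USERS if has_authorization(u, "S_TCODE", {"TCD": tcode})}


def users_by_tcode_and_mode(tcode: str, mode: str) -> set:
    """The 'All Selections' question: S_TCODE plus the mode's object values."""
    extra = MODES[(tcode, mode)]
    return {u for u in users_by_tcode(tcode)
            if all(has_authorization(u, o, f) for o, f in extra.items())}


def missing_runtime_objects(user: str, tcode: str) -> list:
    """SU24 objects the user holds no authorization for at all: such a user
    is listed under S_TCODE but gets 'No Authorization' once the program runs."""
    return [o for o in SU24[tcode] if not has_authorization(user, o, {})]


if __name__ == "__main__":
    for tcode, mode in MODES:
        print(tcode, "by S_TCODE only:", sorted(users_by_tcode(tcode)),
              "| mode", repr(mode) + ":", sorted(users_by_tcode_and_mode(tcode, mode)))
    print("CLEFTOVER lacks for FB02:", missing_runtime_objects("CLEFTOVER", "FB02"))
```

Run as a script, the S_TCODE-only list for FB02 has three users while the “Change” mode list has one; for SU01 the helpdesk user appears in the S_TCODE list and in “Change Password” but not in “Change”. `missing_runtime_objects` is the check an auditor would want before naming a user as a finding: an empty result means the SU24 objects are at least present, a non-empty one means the transaction is blocked in practice.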

A common use of the system is to investigate possible access to sensitive activities versus the de
facto usage of them, in order to narrow user authorizations. Furthermore, the auditor may say: “You
have 50 people that can change usernames (using T-Code SU01),” and when you go over the list you
discover that 45 of them are helpdesk personnel who cannot really change username details or
authorizations but can only change passwords for a user (which is indeed expected of them). This
situation can be explained by the fact that even though the helpdesk has S_TCODE with SU01 as the
transaction value, the authorization object S_USER_GRP contains only the value 05 (Lock) in the ACTVT
field and not the value 02 (Edit), which is required for changing a user.

Is there a standard solution in SUIM? Yes, there is an option to check an activity with certain values
of authorization objects. The way to do this is to click the small plus (+) button at the top of the
report’s selection screen. This button opens more selection criteria, including authorization objects
and values. The only major difficulty with this is that the list of authorization objects does not
relate to the T-Code, and therefore you have to know beforehand what the authorization objects are, as
well as the values that are required for the exact situation, in order to get the correct output for
the question. Of course, the full list of objects for each T-Code can be seen in T-Code SU24, as
explained above.

Figure 3: The (+) “All Selections” button

So… What can you do if your auditor uses SUIM in your audit? First, be aware of the way SUIM operates
and know its limitations. Second, either you or your auditor must invest the time to find the
appropriate authorization object and values that are relevant to your exact situation (for example,
the ability to change a username) and then search (or ask your auditor to search) for all users that
can use activity SU01 with mode “Change.” Try to explain to your auditor that the results are not
necessarily right, and suggest adding the relevant authorization objects and values for each checked
T-Code. From our experience, this is not a simple task and is rarely done by auditors. Alternatively,
you can simply use Xpandion’s ProfileTailor Dynamics solution, which has about 60,000 predefined
activity modes.

How does ProfileTailor Dynamics work?

ProfileTailor Dynamics is a behavioral-based solution that monitors SAP users and creates a business
profile for each user.

ProfileTailor Dynamics includes a unique concept of isolation that separates the requirements and
needs of business users and technical personnel. Business users and auditors know business processes,
and they define the audit requirements, such as what is considered sensitive and who should have
access to sensitive activities. Technical people know authorization objects and values; they define
all the different modes of an activity (for example: Change, Display) if these are not among the
predefined 60,000 modes already included in the standard product.

Based on the concept of isolation in ProfileTailor Dynamics, auditors can define risky situations with
modes such as activity SU01 in mode “Change” or activity FS00 in mode “Delete,” but do not have to
deal with technically defining the mode itself. Technical people define the mode “Change” in SU01 and
“Delete” in FS00.

Figure 4: ProfileTailor Dynamics report Activity to Users (Static): find all users who can perform
activity SU01 with mode “Change Password.”

Further reading

1. SAP Help about SUIM: http://help.sap.com/saphelp_nw70/helpdata/en/52/671261439b11d1896f0000e8322d00/frameset.htm
2. The SAP Authorization Concept: Xpandion’s Quick Guide Document

About Xpandion

Focused on ERP usage inspection and SAP security and licensing, Xpandion creates user-friendly, easily
deployed, automated management solutions for SAP’s global customers. Xpandion’s ProfileTailor Suite:
Authorizations Simplified. It is the only solution that detects and alerts on behavior deviations in
real time, delivers unprecedented visibility of actual, real-time authorization usage, including
deviations from SoD and GRC rules, significantly improving enterprise security while reducing fraud
and leakage of sensitive data.

info@xpandion.com | Tel +1-800-707-5144 | www.xpandion.com