
WHY AUDITORS SHOULD USE SUIM VERY CAREFULLY


Introduction

In many SAP audits or audit-related processes involving SAP systems – either while preparing for an
audit or prior to a regular inspection for audit purposes – customers are guided by their auditors
to use SAP T-Code SUIM (User Information System). Sometimes the auditors themselves use
SUIM to better understand customers’ authorizations and sensitive objects. The SUIM activity (in SAP
terms “Transaction” or “T-Code”) can be confusing to the novice user – and often to the auditor as
well. Making decisions, let alone reporting defects on the customers’ systems, based on data
from SUIM can be a mistake if the person using SUIM does not understand this activity’s limitations.

This document focuses on one audit report, the one most used in audits – T-Codes that can be
executed by users. It is also the simplest with which to demonstrate how SUIM works and what you need
to know when reading its data. The full path of this report inside SUIM is: User Information System
-> User -> By Transaction Authorizations, and the ABAP program behind it is RSUSR002. This report
is often used to identify users who can perform sensitive activities, for example F110 (Payment Run/
Automatic Payment Transactions) or FB02 (Change a Financial Document). Of course, even if this report
did what its name promises, it would still be reporting theoretical authorizations and not in-practice
authorizations. In other words, this report presents who is able to execute F110; it does not deal with
who really executed activity F110.

Therefore, no decision to remove a sensitive authorization should be made based solely on this report (or
any other SUIM report), and the auditor needs to further inspect activity logs for each activity and each user.

Figure 1: SUIM report example - users who can use T-Code F110 (Payment Run)

The main disadvantage when using this report’s default interface is that it checks who is allowed to operate
a T-Code based on a single authorization object’s value, and regardless of the mode (read, write, view
only) of the T-Code. This authorization object, named S_TCODE, controls the initial operation of each
T-Code at the exact moment of the call. When any T-Code is called, SAP automatically checks if users
are authorized for this T-Code even before running the ABAP program behind it. If users have the
appropriate value for the object S_TCODE in one of the authorization roles to which they are attached,
SAP will call the ABAP program behind it. If not, an error message appears telling the users that they
lack the required authorizations.

What is the problem?

It is just not enough to have the appropriate value in S_TCODE in order to use an activity. Furthermore,
some activities can be used in totally different ways depending on which values users have in authorization
objects other than S_TCODE. The vast majority of SAP T-Codes check 20-30 different authorization objects and values
in order to operate correctly. Most of them check 1-2 in the first couple of lines and then, according
to the user’s exact usage, additional authorization checks are conducted. Take for example T-Code
FB02 (Change Financial Documents): this activity checks no less than 66 different authorization objects
and their values during its operation, starting with F_BKPF_BUK for the company code and the famous
F_BKPF_KOA (Authorization Object for Account Type). Of course, not all 66 objects are checked in each
use of FB02; however, in each way of use some objects are certainly checked. If users do not have the
appropriate authorizations, the activity is not performed – either partially or at all. The list of authorization
objects for an activity can be found in T-Code SU24, which in itself has some problems – the main one
being that the data must be maintained manually, either by SAP or by the customer (for Z-Transactions).

Figure 2: T-Code SU24 displaying the required objects for using FB02 (Change Financial Document)

Checking S_TCODE is not sufficient for drawing meaningful conclusions (and making allegations)

The above description explains why an auditor may say: “You have 300 users that can use the sensitive activity
FB02,” and yet when you log into the SAP system with one of those risky usernames you get the annoying
No Authorization message. The explanation is that although the user is allowed to start FB02 by S_TCODE, the
user lacks the other required authorization objects and therefore the activity is in fact blocked for him.

Furthermore, the auditor may say: “You have 50 people that can change user master records (using T-Code
SU01),” and when you go over the list you discover that 45 of them are helpdesk personnel who
cannot really change user details or authorizations but can only change passwords for a user
(which is indeed expected of them). This situation is explained by the fact that even though
the helpdesk has S_TCODE with SU01 as the transaction value, the authorization object S_USER_GRP
contains only the value 05 (Lock) in the ACTVT field and not value 02 (Change), which is required for
changing a user.
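The two situations above (users who pass the S_TCODE gate for FB02 or SU01 but fail the later object checks) can be reproduced offline with a small evaluator over exported role data. This is an added illustration, not code from the original paper or from any SAP or Xpandion product; the roles, users and company code 1000 are constructed sample data, and the value matching is simplified to exact values and trailing-`*` patterns (no ranges, no profiles).

```python
# Constructed sample data (not from a real system): role -> object -> field ->
# granted values, and user -> assigned roles. Field names follow SAP:
# S_TCODE/TCD, S_USER_GRP/ACTVT+CLASS, F_BKPF_BUK/ACTVT+BUKRS.
ROLE_AUTHS = {
    "Z_HELPDESK": {                     # may lock users / reset passwords only
        "S_TCODE": {"TCD": ["SU01"]},
        "S_USER_GRP": {"CLASS": ["*"], "ACTVT": ["05"]},
    },
    "Z_USER_ADMIN": {                   # may really change user master records
        "S_TCODE": {"TCD": ["SU01"]},
        "S_USER_GRP": {"CLASS": ["*"], "ACTVT": ["02", "03", "05"]},
    },
    "Z_FI_TCODE_ONLY": {                # S_TCODE for FB0* but no FI objects at all
        "S_TCODE": {"TCD": ["FB0*"]},
    },
}
USER_ROLES = {
    "HELPDESK1": ["Z_HELPDESK"],
    "HELPDESK2": ["Z_HELPDESK"],
    "ADMIN1": ["Z_USER_ADMIN"],
    "FIUSER1": ["Z_FI_TCODE_ONLY"],
}

def value_matches(granted: str, required: str) -> bool:
    """Simplified SAP value match: exact, full '*', or trailing '*' pattern."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def role_grants(role: str, obj: str, required: dict) -> bool:
    """Every required field of the object must be satisfied within one role."""
    fields = ROLE_AUTHS.get(role, {}).get(obj)
    if fields is None:
        return False
    return all(any(value_matches(g, v) for g in fields.get(f, []))
               for f, v in required.items())

def user_has(user: str, obj: str, **required) -> bool:
    return any(role_grants(r, obj, required) for r in USER_ROLES.get(user, []))

def suim_by_tcode(tcode: str) -> list:
    """What the default RSUSR002 selection answers: who passes the S_TCODE gate."""
    return sorted(u for u in USER_ROLES if user_has(u, "S_TCODE", TCD=tcode))

def users_with_mode(tcode: str, extra_checks: list) -> list:
    """S_TCODE plus every further (object, fields) check that the mode needs."""
    return sorted(u for u in suim_by_tcode(tcode)
                  if all(user_has(u, o, **f) for o, f in extra_checks))

SU01_CHANGE = [("S_USER_GRP", {"ACTVT": "02", "CLASS": "SUPER"})]
FB02_CHANGE = [("F_BKPF_BUK", {"ACTVT": "02", "BUKRS": "1000"})]
```

`suim_by_tcode("SU01")` lists all three SU01 users, while `users_with_mode("SU01", SU01_CHANGE)` keeps only ADMIN1; for FB02 the S_TCODE-only user appears in the first list and in none of the mode lists.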

Is there a standard solution in SUIM?

Yes, there is an option to check an activity together with certain values of authorization objects. The way to do
this is to click the small plus (+) button at the top of the report’s selection screen. This button opens
more selection criteria, including authorization objects and values. The only major difficulty with this
is that the list of authorization objects is not related to the T-Code, so you have to know
beforehand which authorization objects, and which values, are required for the exact
situation. From our experience, this is not a simple task and is rarely done by auditors.

Figure 3: (+) “All Selections” button

So… What can you do if your auditor uses SUIM in your audit?

First, be aware of the way SUIM operates and know its limitations. Try to explain to your auditor that
the results are not necessarily right. Second, suggest adding the relevant authorization objects and
values for each checked T-Code, in order to get the correct output for the question. Of course, either
you or your auditor must invest the time to find the appropriate authorization objects and values that are
relevant to your exact situation (for example, the ability to change a user). The full list of objects
for each T-Code can be seen in T-Code SU24, as explained above.

Alternatively, you can simply use Xpandion’s ProfileTailor Dynamics solution, which has about 60,000
predefined activity modes, and then search (or ask your auditor to search) for all users that can use
activity SU01 with mode “Change.”

How does ProfileTailor Dynamics work?

ProfileTailor Dynamics is a behavioral-based solution that monitors SAP users and creates a business
profile for each user. A common use of the system is to investigate possible access to sensitive activities
vs. the de-facto usage of them, in order to narrow user authorizations.

ProfileTailor Dynamics includes a unique concept of isolation that separates the requirements and needs
of business users and technical personnel. Business users and auditors know business processes and they
define the audit requirements, such as what is considered sensitive and who should have access to sensitive
activities. Technical people know authorization objects and values; they define all the different modes of an
activity (for example: Change, Display). Based on the concept of isolation in ProfileTailor Dynamics, auditors
can define risky situations with modes such as activity SU01 in mode “Change” or activity FS00 with mode
“Delete” but do not have to deal with technically defining the mode itself.

Technical people should define the mode “Change” in SU01 and “Delete” in FS00, if they are not among
the predefined 60,000 modes already included in the standard product.

Figure 4: ProfileTailor Dynamics report Activity to Users (Static) - find all users who can perform activity SU01 with mode “Change Password.”

About Xpandion

Focused on ERP usage inspection and SAP security and licensing, Xpandion creates user-friendly, easily
deployed, automated management solutions for SAP’s global customers. Xpandion’s ProfileTailor Suite
delivers unprecedented visibility of actual, real-time authorization usage, significantly improving
enterprise security, while reducing fraud and leakage of sensitive data. It is the only solution that
detects and alerts behavior deviations in real-time, including deviations from SoD and GRC rules.

Further reading

1. Xpandion’s Quick Guide Document: The SAP Authorization Concept - Authorizations Simplified.
2. SAP Help about SUIM: http://help.sap.com/saphelp_nw70/helpdata/en/671261439/52b11d1896f0000e8322d00/frameset.htm

info@xpandion.com | Tel +1-800-707-5144 | www.xpandion.com
