SUIM_CHDOC_USER: new transaction to show user changes

In SUIM there is a function to show changes for users, but this transaction can perform very poorly with higher data volumes.

SAP has developed the successor transaction SUIM_CHDOC_USER, which gives the same data, but faster.

How to get transaction SUIM_CHDOC_USER?

It is important to know that transaction SUIM_CHDOC_USER only works on a HANA database. If you are not running on HANA, don’t continue.

Implementation steps:

  1. Apply OSS note 3399100 – SUIM | change history calculation for user/profile assignment
  2. Apply OSS note 3418682 – SUIM_CHDOC_USER | Implementation prerequisite for SAP Note 3405921. Run the generation program.
  3. Apply OSS note 3405921 – SUIM | Read Change Documents for User. Important here: do execute the manual steps here first. These final steps are NOT covered in the previous note.

Transaction SUIM_CHDOC_USER

Now you can start transaction SUIM_CHDOC_USER:

Input is the same as you were used to. Output as well. The new transaction is simply faster.

SUIM User Information System

SUIM is like a Swiss Army knife for the authorization consultant. It has so many reporting tools that it can answer basically any question.

Questions that will be answered in this blog are:

  • What are the most useful tools in SUIM?
  • How can I list users that never logged on to the system?
  • How can I list users that are locked, or have password issues?
  • How can I list users with critical authorizations?

SUIM

The SUIM tool is started with transaction SUIM:

Here you can select the reports from the different categories.

Most useful SUIM reports

In the subsections below you can find the most useful and most used SUIM reports.

Actual user columns are hidden in the examples below for privacy protection.

User with logon data and password change

Query need: to list when users last logged on and when they last changed their password. This query can be very useful when you have to clean up for the yearly license measurement.

In SUIM select this report:

Start screen:

Example result screen:

Check on users with specific authorization value

One of the most used SUIM reports is to list which users have a specific authorization value:

In this example we will look up users who have rights for debugging (object S_DEVELOP, value DEBUG):

On the result list you can see all users. Select the user you are interested in and select the button In Accordance with Selection to find out which role has the specifically requested authorization object:

Result can be multiple roles as well:

Remark: there are 3 single roles here which contain the object. The 3 roles are in 1 composite role that is assigned. That is why the number on top shows 1 roles and there are 3 detail lines.
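
The remark above, modelled as an added example (not code from the original blog or from SAP): it resolves an assigned composite role into its single roles and shows why 1 assigned role yields 3 detail lines, and why fixing only one single role does not remove the debug right. Role names, the user ID and the dictionary layout are constructed assumptions, not SAP table structures.

```python
# Constructed sample data: every role name and the user ID are invented.
COMPOSITE_ROLES = {
    "Z_COMP_DEVELOPER": [
        "Z_SINGLE_ABAP_DEV", "Z_SINGLE_DEBUG_DISPLAY",
        "Z_SINGLE_SUPPORT", "Z_SINGLE_REPORTING",
    ],
}
# Authorizations per single role, simplified to (object, value) pairs.
SINGLE_ROLE_AUTHS = {
    "Z_SINGLE_ABAP_DEV": {("S_DEVELOP", "DEBUG"), ("S_TCODE", "SE38")},
    "Z_SINGLE_DEBUG_DISPLAY": {("S_DEVELOP", "DEBUG")},
    "Z_SINGLE_SUPPORT": {("S_DEVELOP", "DEBUG"), ("S_TCODE", "SM21")},
    "Z_SINGLE_REPORTING": {("S_TCODE", "SUIM")},
    "Z_SINGLE_BASIC": {("S_TCODE", "SU3")},
}
# Roles assigned directly to the user (composite or single).
USER_ROLES = {"DEMO_USER": ["Z_COMP_DEVELOPER", "Z_SINGLE_BASIC"]}


def expand(role):
    """Single roles behind an assigned role (the role itself if it is single)."""
    return COMPOSITE_ROLES.get(role, [role])


def roles_granting(user, obj, value, fixed=()):
    """Map each assigned role to the single roles in it that carry (obj, value).

    `fixed` lists single roles where the authorization is assumed to be removed.
    """
    hits = {}
    for assigned in USER_ROLES.get(user, []):
        singles = [
            r for r in expand(assigned)
            if r not in fixed and (obj, value) in SINGLE_ROLE_AUTHS.get(r, set())
        ]
        if singles:
            hits[assigned] = singles
    return hits


def summary(user, obj, value):
    """Return (number of assigned roles, number of detail lines)."""
    hits = roles_granting(user, obj, value)
    return len(hits), sum(len(v) for v in hits.values())


if __name__ == "__main__":
    print(summary("DEMO_USER", "S_DEVELOP", "DEBUG"))
    print(roles_granting("DEMO_USER", "S_DEVELOP", "DEBUG"))
    # Cleaning one single role leaves the right in place via the other two.
    print(roles_granting("DEMO_USER", "S_DEVELOP", "DEBUG", fixed=("Z_SINGLE_ABAP_DEV",)))
```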

Check on most common critical authorizations

SUIM has a nice check program to check on the most common critical authorizations:

You can select the default SAP variant and use display variant to see the list of checks:

Open the checks to see the details:

The result list can have many potential issues:

Again, use the button In Accordance with Selection to find out which role is the cause of the potential issue.

Be careful with the reporting of the numbers. A lot of managers cannot deal with the high numbers reported. 'It is unbelievable that I have 91.493 critical authorization issues in my system!'. Most of the issues are simple to fix, which brings the numbers down dramatically. Some of the items may also not be relevant in your situation. Always handle the numbers with care.

SUIM_CHDOC_USER

This is a new transaction to show user changes. Read more in this blog.

OSS notes

SUIM is constantly being improved. There are many small bug fix OSS notes. Don’t be scared off by the length of the list. SUIM is a very large function, so it will have many OSS notes.

Bug fix notes to consider: