Before the authorization comes the analysis. Which roles, transactions, profiles and authorization objects does a user have? Which ones do they really need? When it comes to these analyses, many roads lead to Rome. Here you will find what are, from our point of view, the fastest and safest transactions (and helpful tables) for the job.
What roles and profiles does a user have?
If you are dealing with individual users, the fastest way to find a solution to this question is to use transaction SU01. Enter the user ID and you will find all assigned roles and profiles as well as the user master data in the different tabs.
This approach becomes difficult if you want to analyze many users at once. Of course, you could check each one individually via SU01, but that takes forever and is cumbersome. Here, you will get a result faster via tables. So use transaction SE16. Then you can use the table AGR_USERS to analyze all users at once (multiple selection) and get all the roles assigned to the users in the result. You can then analyze these roles via the table AGR_PROF and get the associated profiles.
However, this procedure leaves out profiles that have been assigned directly to users, i.e. that do not originate from a role (e.g. SAP_ALL). To capture these as well, use table UST04, which shows all profiles that a user has. The role assignment, however, is missing from this overview.
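The comparison described above can be scripted once the three tables have been exported from SE16. The following is an added example, not part of the original article: it assumes CSV exports with the column headers AGR_NAME, UNAME, FROM_DAT, TO_DAT (AGR_USERS), AGR_NAME, PROFILE (AGR_PROF) and BNAME, PROFILE (UST04), and that profile names match exactly between the exports. All sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample exports (SE16 download as CSV); all values are invented.
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_CLERK,JDOE,20230101,99991231
Z_MM_BUYER,JDOE,20220101,20221231
Z_FI_CLERK,ASMITH,20230101,99991231
"""
AGR_PROF_CSV = """AGR_NAME,PROFILE
Z_FI_CLERK,T-FI000001
Z_MM_BUYER,T-MM000002
"""
UST04_CSV = """BNAME,PROFILE
JDOE,T-FI000001
JDOE,SAP_ALL
ASMITH,T-FI000001
ASMITH,T-MM000002
"""

def rows(text):
    """Parse one exported table into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def direct_profiles(agr_users, agr_prof, ust04, today):
    """Return {user: profiles held in UST04 that no currently valid role explains}."""
    key = today.strftime("%Y%m%d")  # same YYYYMMDD form as the exported dates
    role_profiles = defaultdict(set)
    for r in agr_prof:
        role_profiles[r["AGR_NAME"]].add(r["PROFILE"])
    via_role = defaultdict(set)
    for r in agr_users:
        # Only role assignments valid on the reference date count.
        if r["FROM_DAT"] <= key <= r["TO_DAT"]:
            via_role[r["UNAME"]] |= role_profiles[r["AGR_NAME"]]
    findings = defaultdict(list)
    for r in ust04:
        if r["PROFILE"] not in via_role[r["BNAME"]]:
            findings[r["BNAME"]].append(r["PROFILE"])
    return {user: sorted(profiles) for user, profiles in findings.items()}

if __name__ == "__main__":
    result = direct_profiles(rows(AGR_USERS_CSV), rows(AGR_PROF_CSV),
                             rows(UST04_CSV), date(2024, 6, 1))
    for user, profiles in sorted(result.items()):
        print(user, profiles)
```

Every profile reported here is either a direct assignment such as SAP_ALL or left over from a role that is no longer validly assigned, so each finding is worth a manual look in SU01.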
Does a user have a specific authorization object and if so, from which role(s)?
You can use the user information system (transaction SUIM) to find out relatively easily whether a user already has a role with the authorization object you are looking for. To do this, follow the path below: SUIM -> Roles -> Roles by complex selection criteria.
Under “Selection by user assignment”, check the “With valid assignment of” checkbox and enter the user name(s) you are interested in into the field below it.
Further down you will find the “Selection by authorization values” area. Enter the authorization object you are looking for here and confirm with Enter. The fields for the input values will open. If you are looking for roles with a very specific characteristic of the object, you can narrow your search here accordingly.
As a result, you will get all the roles that are assigned to the user(s) and contain the object you searched for with the characteristic you specified.
For which transactions is a user authorized?
To find out which transactions a user is allowed to execute, use SUIM as well. Go to Transactions -> Executable transactions. There you can search not only by user but also by role or profile, for example, and you can filter in more detail, such as excluding non-generated profiles.
Good to know: Transaction S_BCE_68001426 takes you directly from the GUI window to the same selection screen.
Has a user used a particular transaction recently?
You may be creating a new authorization concept or want to adapt existing roles to a new concept. In this case, you not only need to know which authorizations a user has. It is also important to know whether they really need the transactions they are allowed to use.
You can find this out via transaction ST03 or ST03N. The transaction opens the SAP workload monitor. Its actual purpose is to find out, for example, how fast the SAP system is running, how high the response speed is, etc.
However, you can also use it to analyze who called up which transactions and reports and when. You can also restrict this analysis to a specific period (a day, a week or a month). You will find the corresponding selection menu in the menu tree at the very top under “Workload”.
For the user analysis, go to the “Analysis views” menu item and open the “User and billing statistics” folder. Under “User profile” you will now see all users who have executed a transaction in the selected period. Double-clicking on a user shows you in detail which transactions the user has executed, when and how often.
Good to know: If you are looking for a very specific transaction and want to know which users have used it, go to the “Transaction Profile” folder instead.
Important: To see all transactions and reports called from the GUI window, select the task type “Dialog” (above the table view on the left).
Extra tip: How do I quickly find out the full names of all user IDs if I have a large number of users?
Find out the full names of the users with one click – this is especially helpful when it comes to analyses for the specialist departments. Here, too, you can use transaction SE16. In the USER_ADDR table, you can select by user name and obtain (among other things) the first and last name for the user ID. Multiple selection, i.e. analysis of several users at the same time, is of course also possible here.