Xpandion Blog


SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit


(This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots).

When SAP audit time comes around, auditors direct security administrators to run a set of reports from the User Information System, reached through SAP transaction (T-Code) “SUIM”. These reports let them query users’ SAP authorization data and sensitive authorization objects.


The SUIM activity can be confusing to the novice user – and often to the auditor as well. Making decisions, let alone reporting defects in a customer’s system, based on data from SUIM can be a mistake if the person using SUIM does not understand this activity’s limitations.

For example, the SAP audit report entitled “T-Codes that can be executed by users” is often used to identify users who can perform sensitive activities, like F110 for “Payment Run/Automatic Payment Transactions” or FB02 for “Change a financial document.” Even if this report showed what its name promises, “T-Codes that can be executed by users,” it would still describe theoretical SAP authorizations and not in-practice SAP authorizations. In other words, this report presents who is able to execute F110, not who really executed F110.

Therefore, no decision to remove a sensitive SAP authorization should be made based solely on this report or any other SUIM report, and the auditor needs to further inspect activity logs for each activity and each user.

If You Misuse SUIM, You Don’t Get the Whole Picture

The main disadvantage of this report’s default interface is that it decides who is allowed to operate a T-Code from the value of a single SAP authorization object, S_TCODE, regardless of the mode (read, write, view only) in which the T-Code would be used. Having the appropriate value in S_TCODE is simply not enough to use an activity. Furthermore, some activities behave completely differently depending on the values users hold in authorization objects other than S_TCODE. You can only imagine the amount of errors this creates.

Bottom Line: Checking S_TCODE Is Not Sufficient for Making Meaningful Conclusions (and Allegations)

There is a standard way to do this in SUIM, but it’s cumbersome: you have to know beforehand which SAP authorization objects, and which values, are required for the exact situation being checked. From our experience, this is not a simple task and is rarely done by auditors.

So… What Can You Do If Your Auditor Uses SUIM to Analyze SAP Authorizations?

First, be aware of the way SUIM operates and know its limitations. Try to explain to your auditor that the results are not necessarily accurate. Second, suggest adding the relevant SAP authorization objects and values for each checked T-Code, so that the report answers the question actually being asked.

Alternatively, you can simply use Xpandion’s ProfileTailor Dynamics solution, which has about 60,000 predefined SAP activity modes, and then search for all users that can use activity SU01 with mode “Change,” for example.
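To show the gap the article describes between the default S_TCODE-only view, a check that also evaluates the other authorization objects and their values, and what the activity log records, here is an added example (not code from the article or from ProfileTailor Dynamics). The user names, the usage log lines and the rule that FB02 in “Change” mode requires F_BKPF_BUK with ACTVT 02 (03 for display) are constructed assumptions for illustration, not taken from the page.

```python
from typing import Dict, List, Set, Tuple

Auth = Tuple[str, str, str]  # (authorization object, field, value)

# Constructed user authorizations, as SUIM would see them for each user.
# S_TCODE/TCD only says "may start the transaction"; the mode comes from
# other objects, here F_BKPF_BUK ACTVT (02 = Change, 03 = Display).
USER_AUTHS: Dict[str, Set[Auth]] = {
    "ALICE": {("S_TCODE", "TCD", "FB02"), ("F_BKPF_BUK", "ACTVT", "02"), ("F_BKPF_BUK", "BUKRS", "*")},
    "BOB":   {("S_TCODE", "TCD", "FB02"), ("F_BKPF_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "BUKRS", "*")},
    "CAROL": {("S_TCODE", "TCD", "FB02")},  # may start FB02 but holds no document authorization
    "DAVE":  {("S_TCODE", "TCD", "FB03"), ("F_BKPF_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "BUKRS", "1000")},
}

# Assumed check profile per (T-Code, mode): every listed value must be held.
# A required value of "*" means "any value at all for this field".
REQUIRED: Dict[Tuple[str, str], List[Auth]] = {
    ("FB02", "Change"):  [("S_TCODE", "TCD", "FB02"), ("F_BKPF_BUK", "ACTVT", "02"), ("F_BKPF_BUK", "BUKRS", "*")],
    ("FB02", "Display"): [("S_TCODE", "TCD", "FB02"), ("F_BKPF_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "BUKRS", "*")],
}

# Constructed activity log, one "user;tcode;date" record per execution.
USAGE_LOG = """ALICE;FB03;2014-03-02
BOB;FB02;2014-03-03
DAVE;FB03;2014-03-04
BOB;FB02;2014-03-09"""


def holds(auths: Set[Auth], obj: str, field: str, value: str) -> bool:
    """True if the user carries the value exactly, or a '*' wildcard, for that field."""
    return any(o == obj and f == field and (v == "*" or value == "*" or v == value)
               for o, f, v in auths)


def tcode_only(tcode: str) -> Set[str]:
    """What the default 'T-Codes that can be executed by users' view effectively reports."""
    return {u for u, a in USER_AUTHS.items() if holds(a, "S_TCODE", "TCD", tcode)}


def can_run(tcode: str, mode: str) -> Set[str]:
    """Theoretical authorization once the other objects and values are checked as well."""
    return {u for u, a in USER_AUTHS.items() if all(holds(a, *r) for r in REQUIRED[(tcode, mode)])}


def actually_ran(tcode: str, log: str = USAGE_LOG) -> Set[str]:
    """In-practice authorization: users who appear with this T-Code in the activity log."""
    return {rec.split(";")[0] for rec in log.splitlines() if rec.split(";")[1] == tcode}


if __name__ == "__main__":
    print("S_TCODE only:", sorted(tcode_only("FB02")))          # ALICE, BOB, CAROL
    print("Change mode: ", sorted(can_run("FB02", "Change")))   # ALICE
    print("Display mode:", sorted(can_run("FB02", "Display")))  # BOB
    print("Actually ran:", sorted(actually_ran("FB02")))        # BOB
```

The three answers differ for the same T-Code: the S_TCODE-only view over-reports CAROL and BOB as able to change documents, the full check narrows it to ALICE, and the log shows that only BOB (in display mode) touched FB02 at all.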

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites and is an expert in defining customer needs, translating them into business processes and implementing them via ProfileTailor Dynamics’ suite of products.


  • Guest
    Janilson Lima 10/04/2014

    Very good! Sometimes it's hard to have to explain to the auditors and they become convinced.

  • Guest
    Auditor 14/11/2014

    "systems based on data from SUIM, can be a mistake if the person using SUIM does not understand this activity’s limitations." Well I think this goes for every report in any system.
