CUSTOMER

User Authorization Review

Last Update: December 8th, 2023

TABLE OF CONTENTS

1. RECOMMENDATIONS ................................................................................................... 3
SAP Visual Design Themes ....................................................................................................................... 3

2. GETTING STARTED ....................................................................................................... 4

3. USER VALIDATION ........................................................................................................ 5

Result ........................................................................................................................................................... 5
User List ...................................................................................................................................................... 6
Role-based User Classification ................................................................................................................. 8
Role / Profile Details ................................................................................................................................... 8

4. ROLE/PROFILE VALIDATION ....................................................................................... 9

Result ........................................................................................................................................................... 9
Role-based User Classification ............................................................................................................... 10
Role / Profile Details ................................................................................................................................. 10
User List .................................................................................................................................................... 10

5. PREVIOUS EXECUTIONS ............................................................................................ 11

6. ADDITIONAL NOTES ................................................................................................... 11

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.
1. RECOMMENDATIONS

SAP Visual Design Themes

Some visual design themes do not provide full screen usage of the executed programs, e.g., the “Corbu
Theme” as shown below.

Make sure to select a design theme, e.g., the “Belize Theme”, which provides full-screen usage for the
optimal user experience.
You can change the Visual Design via the SAP Logon Pad menu → Options → Visual Design → Theme
Settings:

Some functionality might not be available for

Releases 7.00 and 7.01

3
2. GETTING STARTED
Required Authorization:
For the User Authorization Review report, the authorization object S_USER_GRP / ACTVT 03 is required.

Execution:
After installing SAP Note 3113382 (SAP Note 3308470 for Release 7.00 and 7.01) start the program
SLIM_USER_CLF_HELP via transaction SA38. Alternatively, you can use transaction SLIM_UCH.

With the User Authorization Review report, you can analyze your
1) Users based on their assigned authorizations, or
2) Roles/Profiles
against an authorization-based ruleset to determine the required user license type.

The required ruleset file is attached to SAP Note 3113382.

The CSV ruleset for Release 7.00 and 7.01 is attached to SAP Note 3308470.

4
3. USER VALIDATION
Select the radio button User Validation, enter the users you want to analyze, either by User IDs, their
technical User Type, e.g., only Dialog users, User Group, or their current user classification in the system.
You can select the checkbox Ignore Engines if you don’t want to evaluation any possible engine use.
Select the Validation Rules file (attached to the SAP Note) and select Execute to start the validation.

The ruleset is loaded, and the selected users are checked against the ruleset.
Only active users are considered, i.e., users who do not have an end date in their user record.

The checkbox “Use Val. Rules from Memory” can be set so that once the ruleset was
loaded, it will be stored in the session memory, and it does not need to be loaded again
once the report is executed multiple times.

IMPORTANT: If the execution stops and the message “The SQL statement failed for XXX
users.” is shown, please repeat the execution for a smaller number of users, e.g., split the
users into smaller portions like A* to L* and M* to Z* (or whatever is applicable). For each
execution, save the corresponding result file.

Result
The result shows the users with their current classification and the target classification based on their
authorizations. It also indicates how many users in a certain target classification are authorized for engines.
Users who cannot be assigned to any target classification and who are not authorized for any engines are
shown in the last column Not classified.

5
From this overview the results can be exported in two ways:
Export result: User IDs and User Names are exported as they are.
Export result for SAP: User IDs are exported as hashed values, and User Names are left blank.

The export function can be used to archive an existing validation run or to share it with SAP for further
analysis. For both options, the output file can optionally be password-encrypted using a 128-bit AES
Algorithm.
Remark: The password encryption is not available for Releases 7.00 and 7.01.
The ZIP file can be password-protected after the download, if necessary.

Export with Password: Binary File (.BIN): Encrypted ZIP archive that contains the result files (.BIN)
and a header file (.TXT).
Export without Password: ZIP archive (.ZIP) that contains the result files (.BIN) and a header file (.TXT).

User List
A click on a number on the User Validation Results will list the corresponding users for the Current
Classification and Target Classification:

The column Ratio indicates how many of the assigned roles match the Target Classification, e.g., 4 out of 6
assigned roles have been classified as HD Productivity.
The column Ref.User shows that a user inherits the assigned roles and classification from a Reference User.
The overview also lists the Engine authorizations.

User Classification Methods:

More information on User Classification Methods, including Classifying Users with Reference Users, Role-
based User Classification and Rule-based User Classification is available on the SAP Support Portal:
https://support.sap.com/en/my-support/systems-installations/system-measurement/system-measurement-
information/user-classification.html

6
For further drill-down, there are two options:
Option 1: Click on the User ID to show all roles and profiles that are assigned to the selected user:

The overview indicates the current classification (if applicable) and the target classification of each role
based on the included authorizations as well as the engine authorizations.
The total number of objects per role is listed in column Objects. The Ratio indicates how many of the
classified objects match the Target Classification of the role.
Remark: In case of a user who inherits the roles from a Reference User, the drill-down will show the
corresponding Reference User, not the selected user.

Example (Line 1, columns Objects and Ratio from right to left):

The role contains 541 objects, 489 objects out of 541 are classified, and 1 object out of the 489 classified
objects match the Target Classification HD Productivity.

Option 2: Select Display Roles to show ALL roles and profiles assigned to the selected users:

This overview indicates the current role classification (if applicable) and the target classification of each role
based on the included authorizations as well as the engine authorizations.
The total number of objects per role is listed in column Objects. The Ratio indicates how many of the
classified objects match the Target Classification of the role.
In addition, the last column Users shows how many of the selected users have each of the listed roles and
profiles assigned.

7
 In case you encounter a discrepancy between a role’s purpose and the shown Target
Classification, the role should be analyzed in detail.
Example: A role for Employee Self-Services is classified as Professional Use.

Use the function Show/Hide unclassified entries to filter in/out the roles which are not classified.

Role-based User Classification

You can transfer the target classification of the roles to transaction license_attributes by marking the
corresponding roles and selecting Transfer Role Classification which is then used for the role-based user
classification when performing the User Measurement via USMM. This function requires the authorization
object S_USER_AGR with fields ACT_GROUP = <role name> or * and ACTVT = 02 for the current user.
To display a graphical representation of the Classification Details per role, select at least one
classified role and select Show classification details.

Role / Profile Details

A click on the Role or Profile Name will show all the objects, fields and values which are included in the
selected role or profile, along with the target classification for each line and the possible engine
authorizations. In addition, the Application Component is shown to indicate which area this authorization
belongs to.
If an icon is displayed in column “Tx”, double-click on the line to list all transactions which can possibly be
executed with the corresponding authorization object / field / value.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.

List of executable transactions:

8
4. ROLE/PROFILE VALIDATION
Select radio button Role/Profile Validation, enter the roles/profiles you want to analyze and select Execute to
start the validation.

The ruleset is loaded, and the selected Roles and Profiles are checked against the ruleset.

Result
The result shows the selected Roles and Profiles with their target classification based on the included
authorizations as well as the included engine authorizations.
It also indicates how many users have this Role or Profile assigned.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.
If you want to perform the User Validation for those users who are assigned to the selected role, select
Simulate Users. It will navigate you to the result screen shown in section User Validation above.

A click on the User counter will list all users which currently have the corresponding role or profile assigned.

The ratio indicates how many of the assigned roles match the target classification, e.g., 3 out of 5.

9
Role-based User Classification
You can transfer the target classification of the roles to transaction license_attributes by marking the
corresponding roles and selecting Transfer Role Classification which is then used for the role-based user
classification when performing the User Measurement via USMM. This function requires the authorization
object S_USER_AGR with fields ACT_GROUP = <role name> or * and ACTVT = 02 for the current user.
In case you want to use the role-based classification, make sure to remove the manual classification from the
users, e.g., via mass change in transaction USMM.

Role / Profile Details

A click on the Role or Profile Name will show all the objects, fields and values which are included in the
selected role or profile, along with the current classification (if applicable), the target classification for each
line and the possible engine authorizations. In addition, the Application Component is shown to indicate
which area this authorization belongs to.
If an icon is displayed in column “Tx”, double-click on the line to list all transactions which can possibly be
executed with the corresponding authorization object / field / value.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.

User List
A click on the User counter in column Users will list all users which currently have the corresponding role or
profile assigned.

The Ratio indicates how many of the assigned roles match the target classification, e.g., 3 out of 5.

10
5. PREVIOUS EXECUTIONS

Remark: This functionality is not available in Releases 7.00 and 7.01.

To display the results of previous executions, select the radio button Upload Previous Executions, select the
saved Result File, enter the password for this result file (if applicable) and select Execute.

Supported Result File Types:

• Binary Files (*.BIN): Password-encrypted result files, either zipped or plain text files.
• ZIP Archives (*.ZIP): Zipped result files without password.
• Text Files (*.TXT): Plain text result files without password.

The result file is loaded and depending on the type of the validation file (User Validation or Role Validation)
the corresponding result screen will be displayed as described in sections 1 and 2 above.

6. ADDITIONAL NOTES
Please note that the ruleset included in the note will not account for custom authorization objects. A
significant number of custom objects used in your current authorization structure as well as unclassified roles
may result in users being targeted for a classification that is lower than their actual use. For these scenarios,
complex authorization structures, or for assistance of any kind, please consider SAP’s STAR service to aid
you in this analysis.
This free of charge, non-binding service can be requested through your account team or by using the form
found in the SAP Support Portal:
https://support.sap.com/en/my-support/systems-installations/glac.html
Our trusted experts will work with you to help you fully understand the results.

11