CUSTOMER

User Authorization Review

Last Update: March 13th, 2024

TABLE OF CONTENTS

1. RECOMMENDATIONS ................................................................................................... 3
SAP Visual Design Themes ....................................................................................................................... 3

2. GETTING STARTED ....................................................................................................... 4

Required Authorization .............................................................................................................................. 4
Execution..................................................................................................................................................... 4
Background Execution .............................................................................................................................. 4

3. USER VALIDATION ........................................................................................................ 6

Result ........................................................................................................................................................... 7
User List ...................................................................................................................................................... 8
List of Roles and Objects ........................................................................................................................ 10
Role-based User Classification ............................................................................................................... 10
Role / Profile Details ................................................................................................................................. 10

4. ROLE/PROFILE VALIDATION ..................................................................................... 11

Result ......................................................................................................................................................... 12
List of Roles and Objects (XML Export) ................................................................................................. 12
Role-based User Classification ............................................................................................................... 13
Role / Profile Details ................................................................................................................................. 13
User List .................................................................................................................................................... 13

5. PREVIOUS EXECUTIONS ............................................................................................ 14

6. MANAGE RULESETS AND RESULTS ........................................................................ 15

Rulesets ..................................................................................................................................................... 15
Results ....................................................................................................................................................... 15
Background Execution ............................................................................................................................ 15

7. ADDITIONAL NOTES ................................................................................................... 16

www.sap.com/contactsap
© 2024 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.
1. RECOMMENDATIONS

SAP Visual Design Themes

Some visual design themes do not provide full screen usage of the executed programs, e.g., the “Corbu
Theme” as shown below.

Make sure to select a design theme, e.g., the “Belize Theme”, which provides full-screen usage for the
optimal user experience.
You can change the Visual Design via the SAP Logon Pad menu → Options → Visual Design → Theme
Settings:

Some functionality might not be available for

Releases 7.00 and 7.01

3
2. GETTING STARTED

Required Authorization
To run / start the User Authorization Review report the following authorization object is required:
Object: S_USER_GRP
Field: ACTVT
Value: 03 (Display)

To upload rulesets to the system to download the results the following authorizations are required:
Object: S_GUI
Field: ACTVT
Values: 60 (Upload) and 61 (Download)

Execution
After installing SAP Note 3113382 (SAP Note 3308470 for Release 7.00 and 7.01) start the program
SLIM_USER_CLF_HELP via transaction SA38.
Alternatively, you can use transaction SLIM_UCH.

Background Execution

Remark: This functionality is not available in Releases 7.00 and 7.01.

Since it is possible to upload rulesets to the database in the system and to save the result of a User or Role
Validation to the database in the system, the report can be scheduled for background processing.

4
With the User Authorization Review report, you can analyze your
1) Users based on their assigned authorizations, or
2) Roles/Profiles based on the included authorizations.
against an authorization-based ruleset to determine the required user license type.

The required ruleset file is attached to SAP Note 3113382.

The CSV ruleset for Release 7.00 and 7.01 is attached to SAP Note 3308470.

5
3. USER VALIDATION
Select the radio button User Validation, enter the users you want to analyze, either by User IDs, their
technical User Type, e.g., only Dialog users, User Group, or their current user classification in the system.
You have three options regarding the ruleset which shall be used:
(1) Select the option Use local PCE Ruleset to check the users against the current PCE ruleset which
is also used for the PCE metering. The ruleset is loaded from the database and the selected users
are checked against this ruleset.
Remark: This option is only available in PCE systems with a valid PCE ruleset.
(2) Select the option Local Ruleset to use a ruleset which was previously uploaded to the system. The
ruleset is loaded from the database and the selected users are checked against this ruleset.
(3) Select the Validation Rules file (attached to the SAP Note) and select Execute to start the
validation. The ruleset is loaded, and the selected users are checked against this ruleset.

You can select the checkbox Ignore Engines if you don’t want to evaluation any possible engine use.
If you want to save the result for later use, please select the checkbox Save Result.

Important: Only active users are considered, i.e., users who do not have an end date in the past
in their user master record.

IMPORTANT: If the execution stops and the message “The SQL statement failed for XXX
users.” is shown, please repeat the execution for a smaller number of users, e.g., split the
users into smaller portions like A* to L* and M* to Z* (or whatever is applicable). For each
execution, save the corresponding result file.

6
Result
The result shows the users with their current classification and the target classification based on their
authorizations. It also indicates how many users in a certain target classification are authorized for engines.
Users who cannot be assigned to any target classification and who are not authorized for any engines are
shown in the last column Not classified.

In case the local PCE ruleset was used, lines with user types which do not belong to the PCE price list are
highlighted in red:

From this overview the results can be exported in two ways:

Export result: User IDs and User Names are exported as they are.
Export result for SAP: User IDs are exported as hashed values, and User Names are left blank.

The export functions can be used to archive an existing validation run or to share it with SAP for further
analysis. For both options, the output file can optionally be password-encrypted using a 128-bit AES
Algorithm.

Remark: The password encryption is not available for Releases 7.00 and 7.01.
The ZIP file can be password-protected after the download, if necessary.

Export with Password: Binary File (.BIN): Encrypted ZIP archive that contains the result files (.BIN)
and a header file (.TXT).
Export without Password: ZIP archive (.ZIP) that contains the result files (.BIN) and a header file (.TXT).

7
User List
A click on a number on the User Validation Results will list the corresponding users for the Current
Classification and Target Classification:

The column Ratio indicates how many of the assigned roles match the Target Classification, e.g., 4 out of 5
assigned roles have been classified as HB Professional.
The column Ref.User shows that a user inherits the assigned roles and classification from a Reference User.
The overview also lists the Engine authorizations.

User Classification Methods:

More information on User Classification Methods, including Classifying Users with Reference Users, Role-
based User Classification and Rule-based User Classification is available on the SAP Support Portal:
https://support.sap.com/en/my-support/systems-installations/system-measurement/system-measurement-
information/user-classification.html

For further drill-down, there are two options:

Option 1: Click on the User ID to show all roles and profiles that are assigned to the selected user:

The overview indicates the current classification (if applicable) and the target classification of each role
based on the included authorizations as well as the engine authorizations.
The total number of objects per role is listed in column Objects. The Ratio indicates how many of the
classified objects match the Target Classification of the role.

Remark: In case of a user who inherits the roles from a Reference User, the drill-down will show the
corresponding Reference User, not the selected user.

8
Example (Line 1, columns Objects and Ratio from right to left):

The role contains 541 objects, 489 objects out of 541 are classified, and 1 object out of the 489 classified
objects match the Target Classification HD Productivity.

Option 2: Select Display Roles to show ALL roles and profiles assigned to the selected users:

This overview indicates the current role classification (if applicable) and the target classification of each role
based on the included authorizations as well as the engine authorizations.
The total number of objects per role is listed in column Objects. The Ratio indicates how many of the
classified objects match the Target Classification of the role.
In addition, the last column Users shows how many of the selected users have each of the listed roles and
profiles assigned.
Use the function Show/Hide unclassified entries to filter in/out the roles which are not classified.

In case you encounter a discrepancy between a role’s purpose and the shown Target
Classification, the role should be analyzed in detail.
Example: A role for Employee Self-Services is classified as Professional Use.

9
List of Roles and Objects
A complete list of Roles and all included classified objects can be downloaded as XML file by selecting the
corresponding roles in the list, and select the Export function:

Role-based User Classification

You can transfer the target classification of the roles to transaction license_attributes by marking the
corresponding roles and selecting Transfer Role Classification which is then used for the role-based user
classification when performing the User Measurement via USMM. This function requires the authorization
object S_USER_AGR with fields ACT_GROUP = <role name> or * and ACTVT = 02 for the current user.

Role / Profile Details

A click on the Role or Profile Name will show all the objects, fields and values which are included in the
selected role or profile, along with the target classification for each line and the possible engine
authorizations. In addition, the Application Component is shown to indicate which area this authorization
belongs to.
If an icon is displayed in column “Tx”, double-click on the line to list all transactions which can possibly be
executed with the corresponding authorization object / field / value.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.

List of executable transactions:

10
4. ROLE/PROFILE VALIDATION
Select radio button Role/Profile Validation, enter the roles/profiles you want to analyze and select Execute
to start the validation.
You have three options regarding the ruleset which shall be used:
(1) Select the option Use local PCE Ruleset to check the users against the current PCE ruleset which
is also used for the PCE metering. The ruleset is loaded from the database and the selected roles
are checked against this ruleset.
Remark: This option is only available in PCE systems with a valid PCE ruleset.
(2) Select the option Local Ruleset to use a ruleset which was previously uploaded to the system. The
ruleset is loaded from the database and the selected roles are checked against this ruleset.
(3) Select the Validation Rules file (attached to the SAP Note) and select Execute to start the
validation. The ruleset is loaded, and the selected roles are checked against this ruleset.

You can select the checkbox Ignore Engines if you don’t want to evaluation any possible engine use.
If you want to save the result for later use, please select the checkbox Save Result.

11
Result
The result shows the selected Roles and Profiles with their target classification based on the included
authorizations as well as the included engine authorizations.
It also indicates how many users have this Role or Profile assigned.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.
If you unticked the checkbox Do not eval. assigned Users on the selection screen, you can select function
Simulate Users to perform the User Validation for those users who are assigned to the selected role.
It will navigate you to the result screen shown in section User Validation above.

A click on the Users counter will list all users which currently have the corresponding role or profile assigned.

The ratio indicates how many of the assigned roles match the target classification, e.g., 3 out of 5.

List of Roles and Objects (XML Export)

A complete list of Roles and all included classified Objects can be downloaded as XML file by selecting the
corresponding roles in the list, and select the Export function:

12
Role-based User Classification
You can transfer the target classification of the roles to transaction license_attributes by marking the
corresponding roles and selecting Transfer Role Classification which is then used for the role-based user
classification when performing the User Measurement via USMM. This function requires the authorization
object S_USER_AGR with fields ACT_GROUP = <role name> or * and ACTVT = 02 for the current user.
In case you want to use the role-based classification, make sure to remove the manual classification from the
users, e.g., via mass change in transaction USMM.

Role / Profile Details

A click on the Role or Profile Name will show all the objects, fields and values which are included in the
selected role or profile, along with the current classification (if applicable), the target classification for each
line and the possible engine authorizations. In addition, the Application Component is shown to indicate
which area this authorization belongs to.
If an icon is displayed in column “Tx”, double-click on the line to list all transactions which can possibly be
executed with the corresponding authorization object / field / value.

Use the function Show/Hide unclassified entries to filter in/out the entries which are not classified.

User List
A click on the User counter in column Users will list all users which currently have the corresponding role or
profile assigned.

The Ratio indicates how many of the assigned roles match the target classification, e.g., 3 out of 5.

13
5. PREVIOUS EXECUTIONS

Remark: This functionality is not available in Releases 7.00 and 7.01.

To display the results of previous executions, select the radio button Upload Previous Executions, select
the saved Result File, enter the password for this result file (if applicable) and select Execute.

Supported Result File Types:

• Binary Files (*.BIN): Password-encrypted result files, either zipped or plain text files.
• ZIP Archives (*.ZIP): Zipped result files without password.
• Text Files (*.TXT): Plain text result files without password.

The result file is loaded and depending on the type of the validation file (User Validation or Role Validation)
the corresponding result screen will be displayed as described in sections 1 and 2 above.

14
6. MANAGE RULESETS AND RESULTS

Remark: This functionality is not available in Releases 7.00 and 7.01.

Select the option Manage Rulesets and Results on the selection screen:

Rulesets
You have the possibility to upload rulesets into the system which are then saved to the database to avoid the
need to upload a ruleset file every time you want to execute the report.
Upload
To upload a ruleset to the system, select Upload behind the behind the Local Ruleset field. You will be
prompted with a File Selector. Select the ruleset file and press Open. After the upload was completed, the
ruleset file will be available in the drop-down list for a User or Role Validation.
Deletion
To delete a ruleset from the system, select a ruleset from the drop-down list and select Delete behind the
Local Ruleset field. Confirm the warning popup to delete the ruleset.

Results
In addition, it is also possible to save the user or role validation results to the database for later use. To do so
make sure to select the checkbox Save Result in the Additional Parameters on the selection screen.
Display
To display the older results which have been save to the database, select a Local Result from the
corresponding drop-down box and select Display.
Deletion
To delete a result from the system, select a result from the drop-down list and select Delete behind the Local
Result field. Confirm the warning popup to delete the result.

Background Execution
These two options allow you e.g. to execute the report in background.

15
7. ADDITIONAL NOTES
Please note that the ruleset included in the note will not account for custom authorization objects. A
significant number of custom objects used in your current authorization structure as well as unclassified roles
may result in users being targeted for a classification that is lower than their actual use.
For these scenarios, complex authorization structures, or for assistance of any kind, please consider SAP’s
STAR service to aid you in this analysis.
This free of charge, non-binding service can be requested through your account team or by using the form
found in the SAP Support Portal:
https://support.sap.com/en/my-support/systems-installations/glac.html
Our trusted experts will work with you to help you fully understand the results.

16