Creation of roles based on user’s transactions history


In our blogs and services for SU24 optimization, we have dealt with a strategy for role design: creating roles at the transaction level and avoiding manual objects. First and foremost, this means determining the relevant transactions and then integrating them into the appropriate user roles. But what are these transactions, and how can they be identified?

Determine the used transactions using the Role Profiler ST03n reports

In practice, you often see SAP users who have accumulated hundreds of thousands of transactions over time. This “historically evolved transactional allocation” makes the analysis difficult because users often use only a fraction of these entitlements. It is, therefore, sensible to build roles based on the used transactions.

With Xiting Role Profiler, you can analyze the existing system ST03n data in this regard. The Role Profiler has several reports available that will answer all your questions regarding executed transactions in the system. The “User Menu Generation” report provides you with an overview of the transactions you are using for a given period of time:

Xiting Role Profiler User Menu Generation Report

 

In this example, we get the following information for the users: The “Favorites” column shows you the number of users’ favorites. The column “Us / Fav intersection” shows the number of used favorites. The “Used Only” column shows the number of transactions used beyond the favorites. The “Used” column shows all used transactions. Double-clicking on a number gives you a list of transactions, and under the column “Counter” you can see how often the user executed the transaction. This report includes a download function that allows you to quickly create roles based on the transactions you are using.

User Transaction Assignment Report

The report “User-Transaction assignment” provides further support. You can use it to review the transactions used, e.g. for a department. After the user selection and time definition, you will get a list of transactions in the “Tcode” column. The symbols under the usernames have the following meaning: Green = authorized and used; Gray = authorized but not used; No symbol = not authorized.

Xiting Role Profiler User Transaction Assignment Report

The report is supported with an “Export to Excel” function so that you can analyze the results more closely.
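The following Python sketch is an added example, not Xiting's code or the Role Profiler's export format. It reproduces the column and symbol semantics described above on constructed data and derives a usage-based role candidate plus the unused authorizations per user. The user names, data layout and function names are assumptions.

```python
from collections import Counter

# Constructed sample data (not real ST03N output): one (user, tcode) record per
# execution in the analysis period, plus assumed authorizations and favorites.
USAGE = [
    ("ALICE", "VA01"), ("ALICE", "VA01"), ("ALICE", "VA03"),
    ("BOB", "VA03"), ("BOB", "MM03"), ("BOB", "MM03"), ("BOB", "MM03"),
]
AUTHORIZED = {
    "ALICE": {"VA01", "VA02", "VA03", "SE16"},
    "BOB": {"VA03", "MM03", "SE16"},
}
FAVORITES = {"ALICE": {"VA01", "VA02"}, "BOB": {"SE16"}}


def usage_counters(usage):
    """Per-user execution counts, comparable to the "Counter" column."""
    counters = {}
    for user, tcode in usage:
        counters.setdefault(user, Counter())[tcode] += 1
    return counters


def menu_summary(user, counters, favorites):
    """The four columns described for the User Menu Generation report."""
    used = set(counters.get(user, ()))
    fav = favorites.get(user, set())
    return {"Favorites": len(fav), "Us / Fav intersection": len(used & fav),
            "Used Only": len(used - fav), "Used": len(used)}


def assignment_status(user, tcode, counters, authorized):
    """Green / gray / no-symbol classification of one user-transaction pair."""
    if tcode not in authorized.get(user, set()):
        return "not authorized"
    if counters.get(user, {}).get(tcode):
        return "authorized and used"
    return "authorized, not used"


def role_candidates(users, counters, authorized):
    """Used-and-authorized tcodes for a role; unused authorizations per user."""
    role, unused = set(), {}
    for user in users:
        granted = authorized.get(user, set())
        used = set(counters.get(user, ())) & granted
        role |= used
        unused[user] = sorted(granted - used)
    return sorted(role), unused
```

The `unused` result corresponds to the gray entries of the report: authorizations that a usage-based role would no longer carry.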

User transactions that are authorized, with their usage

The report “User – transaction auth + usage” allows you to analyze the use of certain transactions. In our example, we have five users and three transactions in scope. The result is the actual usage analysis with the possibility of an “export to Excel” function.

Xiting Role Profiler User Transaction Authorization and Usage Report

Creation of Roles with the Role Replicator

As you can see, transactional analysis can be quite simple with a suitable expert tool. The Xiting Role Profiler ST03n reports allow you to create the basis for a “slim” and Xiting role design. Join our free webinars to get hands-on experience with our tools.

Teodor Tanev

Teo is a SAP Security Consultant at Xiting GmbH in Germany with a strong focus on the Xiting Authorizations Management Suite (XAMS).
