Data Description

The SU01 event is used to give a visibility of users maintained in managed SAP system. The extractor supports extraction from multiple clients. Following information is collected: list of users with basic attributes (EVENT_SUBTYPE=””), user profiles (EVENT_SUBTYPE=”PROF”) and user roles (EVENT_SUBTYPE=”ROLE). Default interval is 24 hours.

Potential Use Cases

This event could be used in the following scenarios:

  • Identify potential anomalies in the environment

  • Dashboard users with certain attributes, profiles or roles.

  • Lookup user profiles and roles.

Metric Filters

Metric filters are an optional configuration option for the SU01 extractor.

Extract Data From Multiple Clients

If you would like the SU01 data to reflect data from multiple clients, please follow the steps below:

  • Log into the managed client where PowerConnect is installed

  • Execute the /n/bnwvs/main transaction.

  • Stop the PowerConnect batch jobs.

  • Go to Administrator --> Setup Metric --> Metric Configuration

  • In the row with SU01 in the Group Definition field and MULTICLIENT in the Parameter Key field, add an X to the Parameter Value field as seen below. Then Save.

  • Start the PowerConnect batch jobs in the administrative console.

Splunk Event

SU01 with EVENT_SUBTYPE=””

The event will look like this in Splunk:

SU01 with EVENT_SUBTYPE=”ROLE”

The event will look like this in Splunk:

SU01 with EVENT_SUBTYPE=”PROF”

The event will look like this in Splunk:

SAP Navigation

Log into the managed system and execute the SU01 transaction code.

Field Mapping

SU01 with EVENT_SUBTYPE=””

Field

Description

Unit of Measure

ACCNT

Account ID

String

ANAME

Creator of the User Master Record

String

BCDA1

Date of Last Password Change

YYYYMMDD

BNAME

User Name in User Master Record

String

CLASS

User group in user master maintenance

String

ERDAT

Creation Date of the User Master Record

YYYYMMDD

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

SU01

String

GLTGB

User valid to

YYYYMMDD

GLTGV

User valid from

YYYYMMDD

LOCNT

Number of failed logon attempts

Number

LTIME

Last Logon Time

HHMMSS

MANDT

Client

Number

MODBE

Last Changed By

String

MODBE_PR

Last Changed By

String

MODDA

Modification date

YYYYMMDD

MODDA_PR

Modification date

YYYYMMDD

MODTI

Modification time

HHMMSS

MODTI_PR

Modification time

HHMMSS

PWDCHGDATE

Date of Last Password Change

YYYYMMDD

PWDINITIAL

Indicator: Password Is Initial (= Set by Administrator)

Boolean

PWDLGNDATE

Date of Last Password Logon

YYYYMMDD

PWDLOCKDATE

Date: Setting of Password Lock

YYYYMMDD

PWDSETDATE

Date: Password Reset by Administrator

YYYYMMDD

PWDSTATE

Password Change Mandatory / Optional (See Domain XUPWDSTATE)

Number

SECURITY_POLICY

Security Policy Name

String

SNC_GUI

Permit Password Logon for SAP GUI (User-Specific)

Boolean

TRDAT

Last Logon Date

YYYYMMDD

TZONE

Time Zone

String

UFLAG

User Lock Status

String

USTYP

User Type

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SU01 with EVENT_SUBTYPE=”ROLE”

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

SU01

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

AGR_NAME

Role Name

String

AGR_TEXT

Short Description

String

FROM_DAT

Valid from date

YYYYMMDD

MANDT

Client

String

ORG_FLAG

Indicator: Indirect Assignment of the User to the Role

String

TO_DAT

Valid to date

YYYYMMDD

USERNAME

User Name in User Master Record

String

SU01 with EVENT_SUBTYPE=”PROF”

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

SU01

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

AKTPS

Active or maintenance version

String

MANDT

Client

String

PROFILE

Profile name

String

PTEXT

Texts in user master/authorizations

String

TYPE

Type of Profile (Composite or Single)

String

USERNAME

User Name in User Master Record

String