SU01
Data Description
The SU01 event is used to give a visibility of users maintained in managed SAP system. The extractor supports extraction from multiple clients. Following information is collected: list of users with basic attributes (EVENT_SUBTYPE=””), user profiles (EVENT_SUBTYPE=”PROF”) and user roles (EVENT_SUBTYPE=”ROLE). Default interval is 24 hours.
Potential Use Cases
This event could be used in the following scenarios:
Identify potential anomalies in the environment
Dashboard users with certain attributes, profiles or roles.
Lookup user profiles and roles.
Metric Filters
Metric filters are an optional configuration option for the SU01 extractor.
Extract Data From Multiple Clients
If you would like the SU01 data to reflect data from multiple clients, please follow the steps below:
Log into the managed client where PowerConnect is installed
Execute the /n/bnwvs/main transaction.
Stop the PowerConnect batch jobs.
Go to Administrator --> Setup Metric --> Metric Configuration
In the row with SU01 in the Group Definition field and MULTICLIENT in the Parameter Key field, add an X to the Parameter Value field as seen below. Then Save.
Start the PowerConnect batch jobs in the administrative console.
Splunk Event
SU01 with EVENT_SUBTYPE=””
The event will look like this in Splunk:
SU01 with EVENT_SUBTYPE=”ROLE”
The event will look like this in Splunk:
SU01 with EVENT_SUBTYPE=”PROF”
The event will look like this in Splunk:
SAP Navigation
Log into the managed system and execute the SU01 transaction code.
Field Mapping
SU01 with EVENT_SUBTYPE=””
Field | Description | Unit of Measure |
|---|---|---|
ACCNT | Account ID | String |
ANAME | Creator of the User Master Record | String |
BCDA1 | Date of Last Password Change | YYYYMMDD |
BNAME | User Name in User Master Record | String |
CLASS | User group in user master maintenance | String |
ERDAT | Creation Date of the User Master Record | YYYYMMDD |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | SU01 | String |
GLTGB | User valid to | YYYYMMDD |
GLTGV | User valid from | YYYYMMDD |
LOCNT | Number of failed logon attempts | Number |
LTIME | Last Logon Time | HHMMSS |
MANDT | Client | Number |
MODBE | Last Changed By | String |
MODBE_PR | Last Changed By | String |
MODDA | Modification date | YYYYMMDD |
MODDA_PR | Modification date | YYYYMMDD |
MODTI | Modification time | HHMMSS |
MODTI_PR | Modification time | HHMMSS |
PWDCHGDATE | Date of Last Password Change | YYYYMMDD |
PWDINITIAL | Indicator: Password Is Initial (= Set by Administrator) | Boolean |
PWDLGNDATE | Date of Last Password Logon | YYYYMMDD |
PWDLOCKDATE | Date: Setting of Password Lock | YYYYMMDD |
PWDSETDATE | Date: Password Reset by Administrator | YYYYMMDD |
PWDSTATE | Password Change Mandatory / Optional (See Domain XUPWDSTATE) | Number |
SECURITY_POLICY | Security Policy Name | String |
SNC_GUI | Permit Password Logon for SAP GUI (User-Specific) | Boolean |
TRDAT | Last Logon Date | YYYYMMDD |
TZONE | Time Zone | String |
UFLAG | User Lock Status | String |
USTYP | User Type | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |
SU01 with EVENT_SUBTYPE=”ROLE”
Field | Description | Unit of Measure |
|---|---|---|
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | SU01 | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |
AGR_NAME | Role Name | String |
AGR_TEXT | Short Description | String |
FROM_DAT | Valid from date | YYYYMMDD |
MANDT | Client | String |
ORG_FLAG | Indicator: Indirect Assignment of the User to the Role | String |
TO_DAT | Valid to date | YYYYMMDD |
USERNAME | User Name in User Master Record | String |
SU01 with EVENT_SUBTYPE=”PROF”
Field | Description | Unit of Measure |
|---|---|---|
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | SU01 | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |
AKTPS | Active or maintenance version | String |
MANDT | Client | String |
PROFILE | Profile name | String |
PTEXT | Texts in user master/authorizations | String |
TYPE | Type of Profile (Composite or Single) | String |
USERNAME | User Name in User Master Record | String |