Data Description

The SUIM event is used to view the changes associated with SAP users, profiles, roles and authorizations. Data from multiple clients could be extracted (from SP 6.07).

Potential Use Cases

This event could be used in the following scenarios:

  • Identify and alert on changes, which could create compliance concerns

Splunk Event

SUIM with EVENT_SUBTYPE=”AUTH”

Changes of Authorizations. The event will look like this in Splunk:

SUIM with EVENT_SUBTYPE=”PROF”

Changes of Profiles. The event will look like this in Splunk:

SUIM with EVENT_SUBTYPE=”ADMR”

Changes for Roles Assignments. The event will look like this in Splunk:

SUIM with EVENT_SUBTYPE=”USER”

User related changes. The event will look like this in Splunk:

SUIM with EVENT_SUBTYPE=”ROLE”

Changes of Roles. The event will look like this in Splunk:

SAP Navigation

Log into the managed system and execute the SUIM transaction. Expand the Change Documents section to review one of options below:

Field Mapping

SUIM with EVENT_SUBTYPE=”AUTH”

Field

Description

Unit of Measure

ACTION

Type of the Change Document

String

AUTHORIZATIONF

Authorization Field

String

AUTHORIZATIONV

Authorization Value

String

AUTHORIZATON

Authorization name in user master maintenance

String

AUTHOTEXT

Authorization Name

String

COUNTER

Counter for Change Documents

Number

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DATEMODIFIED

Modification date

YYYYMMDD

EVENT_SUBTYPE

“AUTH”

String

EVENT_TYPE

“SUIM”

String

FIELD

Authorization Field

String

MANDT

Client

String

MODIFIERNAME

Last Changed By

String

OBJECTNAME

Authorization Object

String

OBJECTTEXT

Authorization Object Name

String

TIMEMODIFIED

Modification time

HHMMSS

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SUIM with EVENT_SUBTYPE=”PROF”

Field

Description

Unit of Measure

ACTION

Type of the Change Document

String

AUTH

Authorization name in user master maintenance

String

COUNTER

Counter for Change Documents

Number

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

“SUIM”

String

EVENT_TYPE

“PROF”

String

LANGU

Logon Language

String

MANDT

Client

String

MODDATE

Modification date

YYYYMMDD

MODIFIER

Last Changed By

String

MODTIME

Modification time

HHMMSS

OBJECT

Authorization Object

String

PROFILE

Auth. profile in user master maintenance

String

PROFN

Auth. profile in user master maintenance

String

PROFTYP

Type of Profile (Composite or Single)

String

PTEXT

Texts in user master/authorizations

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SUIM with EVENT_SUBTYPE=”ADMR”

Field

Description

Unit of Measure

CHANGENR

Document change number

Number

DEPARTMENT

Department

String

MANDT

Client

String

NAME_FIRST

First name

String

NAME_LAST

Last name

String

OBJECTID

Role Name

String

TABDESCR

Table description

String

TABNAME

Table name

String

TCODE

Transaction in which a change was made

String

UDATE

Creation date of the change document

YYYYMMDD

USERNAME

User name of the person responsible in change document

String

UTIME

Time changed

HHMMSS

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SUIM with EVENT_SUBTYPE=”USER”

Field

Description

Unit of Measure

ACTION

Type of the Change Document

String

AGR_FDATE

Start of the Change Date of the Validity

YYYYMMDD

AGR_TDATE

End of the Change Date of the Validity

YYYYMMDD

ATTRBT

Attribute Name of the Changed Field

String

BNAME

User Name in User Master Record

String

COUNTER

Counter for Change Documents

Number

DEPARTMENT

Department

String

MANDT

Client

String

MODBE

Last Changed By

String

MODDA

Modification date

YYYYMMDD

MODTI

Modification time

HHMMSS

NAME_FIRST

First name

String

NAME_LAST

Last name

String

NEW_TEXT

Text for the New Field Content of the Changed Field

String

NEW_VAL

New Contents of Changed Field

String

OLD_TEXT

Text for the Old Field Content of the Changed Field

String

OLD_VAL

Old Contents of Changed Field

String

SUBSYSTEM

Receiving system for central user administration

String

TCODE

Transaction Code

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SUIM with EVENT_SUBTYPE=”ROLE”

Field

Description

Unit of Measure

ACTION

Type of the Change Document

String

A_DEPARTMENT

Department

String

A_NAME_FIRST

First name

String

A_NAME_LAST

Last name

String

CHANGENR

Document change number

Number

DEPARTMENT

Department

String

FROM_DAT

Date of validity

YYYYMMDD

MANDT

Client

String

NAME_FIRST

First name

String

NAME_LAST

Last name

String

OBJECTID

Role Name

String

TCODE

Transaction in which a change was made

String

TO_DAT

Date of validity

YYYYMMDD

UDATE

Creation date of the change document

YYYYMMDD

UNAME

User Name in User Master Record

String

USERNAME

User name of the person responsible in change document

String

UTIME

Time changed

HHMMSS

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -