Data Description
The SUIM event is used to view the changes associated with SAP users, profiles, roles and authorizations. Data from multiple clients can be extracted (from SP 6.07).
Potential Use Cases
This event could be used in the following scenarios:
Identify and alert on changes that could create compliance concerns
Splunk Event
SUIM with EVENT_SUBTYPE="AUTH"
Changes to authorizations. The event will look like this in Splunk:
SUIM with EVENT_SUBTYPE="PROF"
Changes to profiles. The event will look like this in Splunk:
SUIM with EVENT_SUBTYPE="ADMR"
Changes to role assignments. The event will look like this in Splunk:
SUIM with EVENT_SUBTYPE="USER"
User-related changes. The event will look like this in Splunk:
SUIM with EVENT_SUBTYPE="ROLE"
Changes to roles. The event will look like this in Splunk:
SAP Navigation
Log into the managed system and execute the SUIM transaction. Expand the Change Documents section to review one of the options below:
Field Mapping
SUIM with EVENT_SUBTYPE="AUTH"
Field | Description | Unit of Measure |
---|---|---|
ACTION | Type of the Change Document | String |
AUTHORIZATIONF | Authorization Field | String |
AUTHORIZATIONV | Authorization Value | String |
AUTHORIZATON | Authorization name in user master maintenance | String |
AUTHOTEXT | Authorization Name | String |
COUNTER | Counter for Change Documents | Number |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DATEMODIFIED | Modification date | YYYYMMDD |
EVENT_SUBTYPE | “AUTH” | String |
EVENT_TYPE | “SUIM” | String |
FIELD | Authorization Field | String |
MANDT | Client | String |
MODIFIERNAME | Last Changed By | String |
OBJECTNAME | Authorization Object | String |
OBJECTTEXT | Authorization Object Name | String |
TIMEMODIFIED | Modification time | HHMMSS |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | Indicator for a positive or negative UTC offset. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
SUIM with EVENT_SUBTYPE="PROF"
Field | Description | Unit of Measure |
---|---|---|
ACTION | Type of the Change Document | String |
AUTH | Authorization name in user master maintenance | String |
COUNTER | Counter for Change Documents | Number |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | “PROF” | String |
EVENT_TYPE | “SUIM” | String |
LANGU | Logon Language | String |
MANDT | Client | String |
MODDATE | Modification date | YYYYMMDD |
MODIFIER | Last Changed By | String |
MODTIME | Modification time | HHMMSS |
OBJECT | Authorization Object | String |
PROFILE | Auth. profile in user master maintenance | String |
PROFN | Auth. profile in user master maintenance | String |
PROFTYP | Type of Profile (Composite or Single) | String |
PTEXT | Texts in user master/authorizations | String |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | Indicator for a positive or negative UTC offset. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
SUIM with EVENT_SUBTYPE="ADMR"
Field | Description | Unit of Measure |
---|---|---|
CHANGENR | Document change number | Number |
DEPARTMENT | Department | String |
MANDT | Client | String |
NAME_FIRST | First name | String |
NAME_LAST | Last name | String |
OBJECTID | Role Name | String |
TABDESCR | Table description | String |
TABNAME | Table name | String |
TCODE | Transaction in which a change was made | String |
UDATE | Creation date of the change document | YYYYMMDD |
USERNAME | User name of the person responsible in change document | String |
UTIME | Time changed | HHMMSS |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | Indicator for a positive or negative UTC offset. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
SUIM with EVENT_SUBTYPE="USER"
Field | Description | Unit of Measure |
---|---|---|
ACTION | Type of the Change Document | String |
AGR_FDATE | Start of the Change Date of the Validity | YYYYMMDD |
AGR_TDATE | End of the Change Date of the Validity | YYYYMMDD |
ATTRBT | Attribute Name of the Changed Field | String |
BNAME | User Name in User Master Record | String |
COUNTER | Counter for Change Documents | Number |
DEPARTMENT | Department | String |
MANDT | Client | String |
MODBE | Last Changed By | String |
MODDA | Modification date | YYYYMMDD |
MODTI | Modification time | HHMMSS |
NAME_FIRST | First name | String |
NAME_LAST | Last name | String |
NEW_TEXT | Text for the New Field Content of the Changed Field | String |
NEW_VAL | New Contents of Changed Field | String |
OLD_TEXT | Text for the Old Field Content of the Changed Field | String |
OLD_VAL | Old Contents of Changed Field | String |
SUBSYSTEM | Receiving system for central user administration | String |
TCODE | Transaction Code | String |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | Indicator for a positive or negative UTC offset. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
SUIM with EVENT_SUBTYPE="ROLE"
Field | Description | Unit of Measure |
---|---|---|
ACTION | Type of the Change Document | String |
A_DEPARTMENT | Department | String |
A_NAME_FIRST | First name | String |
A_NAME_LAST | Last name | String |
CHANGENR | Document change number | Number |
DEPARTMENT | Department | String |
FROM_DAT | Date of validity | YYYYMMDD |
MANDT | Client | String |
NAME_FIRST | First name | String |
NAME_LAST | Last name | String |
OBJECTID | Role Name | String |
TCODE | Transaction in which a change was made | String |
TO_DAT | Date of validity | YYYYMMDD |
UDATE | Creation date of the change document | YYYYMMDD |
UNAME | User Name in User Master Record | String |
USERNAME | User name of the person responsible in change document | String |
UTIME | Time changed | HHMMSS |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | Indicator for a positive or negative UTC offset. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
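Because each subtype names its date, time and "changed by" fields differently, alerting across all five usually starts with normalization. The following is an added example, not part of the product or its documentation: it maps the field names from the tables above to one shape, converts the change time to UTC, and flags changes where the modifier is also the affected user. Assumptions: events arrive as dictionaries, every subtype carries EVENT_TYPE, the change date and time are local with "+" meaning local = UTC + UTCDIFF, and the self-change rule is an illustrative compliance check.

```python
from datetime import datetime, timedelta, timezone

# subtype -> (date field, time field, changed-by field, affected-user field or None),
# using the field names from the mapping tables above.
FIELDS = {
    "AUTH": ("DATEMODIFIED", "TIMEMODIFIED", "MODIFIERNAME", None),
    "PROF": ("MODDATE", "MODTIME", "MODIFIER", None),
    "ADMR": ("UDATE", "UTIME", "USERNAME", None),
    "USER": ("MODDA", "MODTI", "MODBE", "BNAME"),
    "ROLE": ("UDATE", "UTIME", "USERNAME", "UNAME"),
}

def change_time_utc(event):
    """Assumption: change date/time is local time and '+' means local = UTC + UTCDIFF."""
    date_f, time_f, _, _ = FIELDS[event["EVENT_SUBTYPE"]]
    local = datetime.strptime(event[date_f] + event[time_f], "%Y%m%d%H%M%S")
    d = event["UTCDIFF"]
    offset = timedelta(hours=int(d[:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    if event["UTCSIGN"] == "-":
        offset = -offset
    return (local - offset).replace(tzinfo=timezone.utc)

def normalize(event):
    """Map one SUIM event to a common shape; return None for anything else."""
    subtype = event.get("EVENT_SUBTYPE")
    if event.get("EVENT_TYPE") != "SUIM" or subtype not in FIELDS:
        return None
    _, _, by_f, target_f = FIELDS[subtype]
    changed_by = event[by_f].strip().upper()
    target = event[target_f].strip().upper() if target_f else None
    return {"client": event["MANDT"], "subtype": subtype,
            "time_utc": change_time_utc(event), "changed_by": changed_by,
            "target_user": target, "self_change": target == changed_by}

def self_changes(events):
    """Changes where the modifier is also the affected user (hypothetical alert rule)."""
    return [n for n in map(normalize, events) if n and n["self_change"]]

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "SUIM", "EVENT_SUBTYPE": "USER", "MANDT": "100", "BNAME": "JDOE",
     "MODBE": "jdoe", "MODDA": "20240301", "MODTI": "003000",
     "UTCDIFF": "010000", "UTCSIGN": "+"},
    {"EVENT_TYPE": "SUIM", "EVENT_SUBTYPE": "ROLE", "MANDT": "100", "UNAME": "ASMITH",
     "USERNAME": "ADMIN01", "UDATE": "20240301", "UTIME": "013000",
     "UTCDIFF": "050000", "UTCSIGN": "-"},
]

if __name__ == "__main__":
    for hit in self_changes(SAMPLE_EVENTS):
        print(hit["time_utc"].isoformat(), hit["client"], hit["changed_by"])
```

The first sample event crosses a date boundary when converted, which is why the offset is applied to the combined date and time rather than to the time field alone.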