7.18.3 Gathering Authorization Data Let's explore where to find authorization data in the SAP system. Statistical Trace Data: Transaction STO3N One treasure trove of information related to transaction execution activity is the Workload Monitor. You can access it via Transaction STO3N. Among many other things, it shows you user transaction execution activity. Using that information, you can analyze what transactions your users executed over the past few months. The exact timeframe depends on your system configuration. By default, your SAP system retains three months’ worth of usage data, unless you changed the configuration. We generally recommend accumulating between three to six months’ worth of usage data to get a good overview of what transactions your users use. If you have SAP GRC Access Control, you can get the same information from SAP GRC’s Action Usage Report (table GRACACTUSAGE) The next step is to optimize your roles by merging Transaction SU24 proposals. If you haven't maintained your authorization proposals yet, it's recommended to optimize Transaction SU24. By bringing in Transaction SU24 proposals, you have taken the first step to populate your roles with authorization fields and values. Unfortunately, not all the objects you need in your roles are available via Transaction SU24. So, the next step is to find out what fields and values you need to properly authorize your users, including organizational values. Authorization Fields and ValuesTransaction STO3N does not include authorization objects below the transaction (TCODE) level. As a result, we have to leverage other trace sources, such as Transaction ST01, to get an idea of what authorization fields and values are required for the roles we are trying to build. Additionally, you will have to determine the proper organizational fields and values for each user. For the latter, you can retrieve the necessary information from a variety of tables, based on the type of data you need. For instance, if you are building a role to authorize users to change purchasing documents, you can look at table exko for information about which users made changes to purchasing documents and what the associated org fields were. Using that information, you can fine-tune your roles and make sure your users are properly authorized based on the relevant organizational values. 7.18.4 Testing Role Changes in Production Once you have built new roles as part of your redesign project you have to test them. Unfortunately, SAP offers very limited tools to automate that process beyond individual trace files. Analyzing those traces for hundreds or thousands of users without proper reporting and gap analysis is not feasible. Instead, you can leverage the productive test simulation (PTS), which is part of the Xiting Authorizations Management Suite (XAMS), as described in SAP Note 1682316 - Consulting: Optimizing RFC User Authorizations. Using this technology, you, as a role administrator, can test new roles in a production environment without negatively affecting end users. To accomplish this, XAMS leverages standard SAP reference users (user type Reference).Let's say you want to test the new roles you created for user Dave. Via the XAMS, in production, you would create a reference user, assign the new roles to that reference user and then assign the reference user to Dave. Why use a reference user? The answer is simple: anytime the SAP kernel performs an authority check, it does so against the reference user first—if there is a reference user assigned. If that authority check fails, then the SAP kernel performs the same authority check against the dialog user. If that authority check succeeds, SAP logs a return code 0. With the help of the XAMS, you can analyze these return codes and quickly export roles containing the missing authorizations. Using the exported roles, you can fine-tune your new roles in development and transport the changes up to production. 7.18.5 Automate Role Creation and Testing While the steps discussed thus far about the creation of new roles help you to gather the required information to build proper roles in SAP, they are time-consuming and error-prone. As a result, the steps are impractical if your goal is to build roles for more than a handful of users. However, you don't have to perform the steps manually. To automate and simplify all the tasks we have described above, you can leverage XAMS. With the XAMS, you can: * Streamline the analysis and processing of trace data « Instantly identify missing Transaction SU24 proposals + Enable role administrators to build roles based on statistical trace data and via a drag-and-drop interface+ Automatically enrich the created roles with business data, including the required organizational fields and values +» Simulate new roles based on user activity in production to identify any missing authorization fields and values with the PTS + Replicate individual roles across organizational units