User type reference not always taken into account
We are all aware that different user types exist in the SAP system (http://help.sap.com/saphelp_nw04/helpdata/en/3d/3272396ace5534e10000000a11405a/content.htm).
I find the use of reference users a bit “tricky” and my experience is that this user type is not always investigated properly during an authorization analysis.
What are reference users:
Reference user type ‘L’
No logon possible.
Reference users are used for authorization assignment to other users.
Usage: Internet users with identical authorizations
Using reference users has its benefits: if a user is assigned to a reference user, it inherits the authorizations from this reference user. This can be helpful with Employee Self Service users, for example.
However, the link to the reference user is not always in your SAP report (via SUIM or table AGR_USERS).
There are some reports in SUIM that will give you the link between a user ID and the reference user (like Users by Complex Selection Criteria, S_BCE_68001400).
Please be aware that not all SUIM reports will make the link to the reference user.
Also bear in mind that the table AGR_USERS will not show the user with the authorizations inherited from a reference user (therefore you won’t see what roles are assigned to the user via this reference user).
How to search for the usage of reference users (this action can be part of your periodic authorization review)
1. Check if reference users exist in your system (e.g. SE16 -> USR02, user type L)
2. If they do exist:
2a. Check the assignment of authorizations to these reference users
2b. Check the assignment of users to these reference users (via S_BCE_68001400)
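The review steps above can also be run offline over SE16 exports; the following is an added example, not part of the original post, that merges roles inherited via a reference user into each user's effective role list. It assumes CSV exports of USR02 (BNAME, USTYP), AGR_USERS (AGR_NAME, UNAME) and of table USREFUS (BNAME, REFUSER), which is not named in the post and is assumed here as the source of the user-to-reference-user link; all user and role names are constructed, and only role assignments are covered.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (SE16 -> CSV); every user and role name is made up.
USR02 = "BNAME,USTYP\nREF_ESS,L\nJSMITH,A\nADOE,A\n"
USREFUS = "BNAME,REFUSER\nJSMITH,REF_ESS\nADOE,\n"  # assumed link table
AGR_USERS = ("AGR_NAME,UNAME\nZ_ESS_BASIC,REF_ESS\n"
             "Z_HR_PAYROLL_DISPLAY,REF_ESS\nZ_DISPLAY_ONLY,ADOE\n")


def rows(text):
    """Parse one exported table into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_roles(usr02, usrefus, agr_users):
    """Map each non-reference user to its direct and inherited roles."""
    direct = defaultdict(set)
    for r in rows(agr_users):
        direct[r["UNAME"]].add(r["AGR_NAME"])
    # Step 1: reference users are the USR02 entries with user type 'L'.
    ref_users = {r["BNAME"] for r in rows(usr02) if r["USTYP"] == "L"}
    # Step 2b: which user points at which reference user.
    ref_of = {r["BNAME"]: r["REFUSER"] for r in rows(usrefus) if r["REFUSER"]}
    report = {}
    for r in rows(usr02):
        user = r["BNAME"]
        if user in ref_users:
            continue
        ref = ref_of.get(user, "")
        # Step 2a: roles held by the reference user pass to the user.
        inherited = direct[ref] - direct[user] if ref else set()
        report[user] = {"ref": ref, "direct": set(direct[user]),
                        "inherited": set(inherited)}
    return report


def hidden_access(report):
    """Users whose own AGR_USERS rows understate their real access."""
    return sorted(u for u, e in report.items() if e["inherited"])


if __name__ == "__main__":
    result = effective_roles(USR02, USREFUS, AGR_USERS)
    for name in hidden_access(result):
        entry = result[name]
        print(name, "via", entry["ref"], "->", sorted(entry["inherited"]))
```

In the sample data JSMITH has no AGR_USERS rows of its own, yet ends up with both roles of REF_ESS, which is the gap a report based only on AGR_USERS would miss.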