Hello,
the answer for both questions is 'No'.
There is no log for which 'role' granted an authorization for a certain action in the SAP system, for which an authority-check was performed.
Background: a role is just a box, which contains, beyond other data, the authorization profile. This profile contains the authorizations. the authority-check, which is logged in the system, compares only that authorizations with the requested values in the coding (abap statement 'authority-check'). With which 'boxes' an authorization was assigned to a user does not matter at all and is not evaluated (also because of a performance reason).
If the admin does not know, with which roles he assigned which authorizations to a user, he can still use SUIM to find that out. (for instance by using the report 'users by authorization values')
The best way to find out, which authorizations a user really requires is, to use the long term trace 'STUSERTRACE' (see also SAP note 2220030 ). It records each auth.-check once for each environment. After some time (some weeks/month) all the checks are available in the trace result (filter for instance for object S_PROGRAM). Furthermore a role can be created directly from the trace result, containing only that required authorization values (see also SAP note 2353127 ).
b.rgds,
Bernhard
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.