Upgrades are a great time to look again at security provisioning.  Natural expansion of authorizations since the last major project or first implementation will likely mean that there is quite a difference between what users have the potential to run and what they actually use or should be using. LiveCompare includes a dedicated template for analyzing users’ potential-vs-actual use.  It’s called U.09 – User Tcode Usage Analysis and you’ll find it in the Upgrade Analysis folder.

The template does two things.  First it calculates, based on each user’s roles/profiles, what transactions they have the potential to run.  Second it collects from production a record of each user’s transaction history.  A number of reports are available from a high-level summary to a detailed inspection of an individual account.

[Updated: 2009.03.30 - I added more examples to the benchmark and sorted the chart from smallest usage of potential to largest. With this many datapoints it looks like smaller communities have tighter fitting security provisioning.]

I took a quick look at 10 analyses and the pattern is clear: potential massively outweighs actual.  With end-user communities ranging in size from 350 to 10,000 users, the average utilization ranged from 1% to 27%.  The chart below summarises the analysis:

While upgrades tend to focus attention on security provisioning, we’re seeing more customers set this analysis up to run every month as a way to monitor usage and maintain a minimal security surface area.