There are many use cases for it. Currently only tcode, RFC, WYDA and Webservice comparisons between the stat records and the roles is possible, and this still does not tell you which role it as which led to the success of the check... so you need to create a rather complex selection criteria to take slices out of combinations of sets of users, ideally just one role and then try to assign them to each other functionaly to produce a meaningfull output.

The new solution is actually quite simple but very powerful. You assign just that which you wan to compare indirectly to the user(s) via a reference user, as those authorizations are evaluated first. Depending on whether this leads to setting sy-subrc to 0 or not, an additional "reason code" is assigned to the ST01 trace and also the Su53 data (if you have implemented SAP Note 1671117).

This means that you can evaluate the source of successfull checks and simulate whether they are sufficient for the user without it actually failing. This also means that any auths in roles assigned directly which are still reached are missing in the indirect role which is actually being evaluated, and any auths never reached are not needed.

The simulation mode use-case is what I am most interested in and find most powerful.

The origin of the request is the service described in SAP Note 1682316 (use-case RFC simulation, as often you cannot really test realistically in QA systems). Vut as mentioned, there are several other nifty tricks you can use to get very valuable information from these "reason codes".

Cheers,

Julius