SAP Security: Important Topics
Important Transactions:
SU01 - Create/Change User
SU01D - Display User
SU10 - Mass User Changes
PFCG - Role Maintenance
SUIM - User Information System
SU53 - Displays Last Authorization Check that Failed
ST01 - System Trace (STAUTHTRACE sets the authorization trace system-wide)
PFUD - User Master Comparison
SUPC - Mass Generation of Profiles
SU56 - Display User Buffer
SU24 - Maintain Check Indicator
SU25 - Fill USOBT_C and USOBX_C tables with SAP default values
SM19 - Configure Security Audit Log
SM20 - View Security Audit Log
SUGR - Maintain User Group
User Types in SAP:
Dialog User: Used for individual interactive logins; gives a person personal access to SAP with
the standard logon checks and password expiration.
System User: Designed for background processing, system-to-system communication and
scheduled tasks; no interactive login is possible.
Communication User: Used for external RFC connections, giving programmatic access between
systems without a GUI login.
Service User: Shared user for anonymous and multiple concurrent logins with limited
interactive functionality, often used for web services.
Reference User: Assigned to other users to give them additional roles and authorizations; it
cannot log on itself. (Used when a user's profile assignments would exceed the limit of 312.)
Important Tables:
USR02 - Logon Data
USR04 - User master authorizations
USR10 - Authorization profiles
USR40 - Table of prohibited passwords
USER_ADDR - Address Data for Users
AGR_USERS - Assignment of Roles to Users
AGR_1251 - Authorization data for the activity group (role)
AGR_1252 - Organizational Elements for Authorizations
AGR_AGRS - Roles in composite roles
AGR_DEFINE - Role Definition
AGR_TIME - Time stamp for Role (Including profile)
USOBT_C - Relation transaction to authorization object
USOBX_C - Check table for Table USOBT_C
TDDAT - Table Authorization group to Table relation
TBRG - Table authorization groups
TRDIR - Program directory (program to authorization group relation)
E070 - Header data of transport requests and tasks
TACT - Available activities in SAP System
Role Types in SAP:
Single Role:
Contains a set of specific authorizations assigned to users, giving them access to perform
designated tasks within the system.
Composite Role:
Groups multiple single roles together, simplifying user role assignments by bundling related
authorizations.
Derived Role:
Inherits its authorizations from a master role, allowing customizations such as organizational-level
values while keeping a consistent structure.
Master Role:
A template role that serves as the source for derived roles, containing all authorizations
without specific organizational values.
Traces: Access Issues
SU53 - Displays the last authorization check that failed for the user.
ST01/STAUTHTRACE – Set a trace on a user ID to find the missing authorization.
Return Codes in the Trace
RC = 0: Authorization check successful.
RC = 4: Authorization check unsuccessful. The user has the authorization object in the user
buffer, but with different field values from those checked.
RC = 12: Authorization check unsuccessful. The user does not have the authorization object in
the user buffer at all.
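The following model, added here as an illustration and not SAP code, shows how the three return codes arise from a user buffer and why SU53 shows less than ST01: the buffer contents, object names and field values are constructed sample data, and the matching rule (a field value of * matches anything) is a simplification of the real AUTHORITY-CHECK.

```python
"""Model of an SAP authorization check and the RC values reported by ST01/SU53.
Added example; the user buffer below is constructed sample data."""

# Constructed user buffer: object -> list of authorizations, each mapping
# an authorization field to its set of permitted values ('*' = any value).
USER_BUFFER = {
    "S_TABU_DIS": [{"DICBERCLS": {"SC", "SS"}, "ACTVT": {"03"}}],
    "S_TCODE": [{"TCD": {"SE16", "SU53"}}],
}

RC_OK = 0            # check successful
RC_WRONG_VALUES = 4  # object in buffer, values do not match
RC_NO_OBJECT = 12    # object not in buffer at all


def value_allowed(permitted, requested):
    """A field passes when the authorization holds the value or the wildcard."""
    return "*" in permitted or requested in permitted


def authority_check(user_buffer, obj, **fields):
    """Return 0, 4 or 12, like the RC column of the ST01 trace."""
    auths = user_buffer.get(obj)
    if not auths:
        return RC_NO_OBJECT
    for auth in auths:
        # every requested field must be allowed by one and the same authorization
        if all(value_allowed(auth.get(f, set()), v) for f, v in fields.items()):
            return RC_OK
    return RC_WRONG_VALUES


def run_checks(user_buffer, checks):
    """Run (object, fields) checks in order. Return the full list that ST01
    would record and the single entry SU53 would display: the last failure."""
    trace = [(obj, authority_check(user_buffer, obj, **fields), fields)
             for obj, fields in checks]
    failed = [entry for entry in trace if entry[1] != RC_OK]
    return trace, (failed[-1] if failed else None)


if __name__ == "__main__":
    sample = [
        ("S_TCODE", {"TCD": "SE16"}),
        ("S_TABU_DIS", {"DICBERCLS": "SC", "ACTVT": "02"}),
        ("S_TABU_CLI", {"CLIIDMAINT": "X"}),
    ]
    trace, last_failed = run_checks(USER_BUFFER, sample)
    for obj, rc, fields in trace:
        print(f"ST01  {obj:<12} RC={rc:<3} {fields}")
    print("SU53 ", last_failed)
```

Note that the ST01 trace lists every check, while SU53 only reports the last failure, so a user whose work stops at an RC = 4 on one object may still have hidden RC = 12 failures earlier in the same transaction.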
USOBX_C and USOBT_C
USOBX_C and USOBT_C are the customer tables maintained through transaction SU24.
Table USOBX_C defines the status of the authorization check for each authorization object
(check indicator set to yes or no).
It also defines the proposal status, i.e. whether authorization field values are maintained in
SU24 for the object or not.
Table USOBT_C holds the field values that are maintained for authorization objects whose check
indicator is set to check/maintain.
PFCG Traffic Indicator:
Red – An organizational level value has not been maintained in an org field in the profile
generator.
Yellow – Some or all fields in certain authorization instances are blank (not maintained).
Green – All authorization fields are maintained (values are assigned).
SU24 Check Indicators:
Check / No – The authorization object is checked when the tcode is executed, but no field
values are proposed when the tcode is added to the role menu.
Check / Yes – The authorization object is checked when the tcode is executed, and the object
is automatically pulled into the role when the tcode is added to the role menu. The
authorization pulled in may or may not have field values, depending on what is maintained in
SU24 for that object and tcode.
Do Not Check – The object is not checked even though it may be present in the ABAP code.
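The model below, an added example rather than SAP code, ties the three preceding sections together: rows standing in for USOBX_C (check indicator per tcode and object) and USOBT_C (proposed field values) are constructed sample data using the page's indicator names rather than the real column names; adding a tcode to a role menu pulls in only the Check / Yes objects with their proposed values, and the traffic light is then evaluated on the result. The org-level field set and the $BUKRS placeholder notation are assumptions of the model.

```python
"""Model of SU24 proposals being pulled into a PFCG role and of the traffic light.
Added example; all SU24 rows below are constructed sample data."""

# Stand-in for USOBX_C: (tcode, object, check indicator as named on the page).
USOBX_C = [
    ("SE16", "S_TCODE",    "Check / Yes"),
    ("SE16", "S_TABU_DIS", "Check / Yes"),
    ("SE16", "S_TABU_NAM", "Check / No"),
    ("SE16", "S_TABU_CLI", "Do Not Check"),
    ("FB03", "S_TCODE",    "Check / Yes"),
    ("FB03", "F_BKPF_BUK", "Check / Yes"),
]
# Stand-in for USOBT_C: (tcode, object, field, proposed value); "" = nothing proposed.
USOBT_C = [
    ("SE16", "S_TCODE",    "TCD",       "SE16"),
    ("SE16", "S_TABU_DIS", "ACTVT",     "03"),
    ("SE16", "S_TABU_DIS", "DICBERCLS", ""),
    ("FB03", "S_TCODE",    "TCD",       "FB03"),
    ("FB03", "F_BKPF_BUK", "ACTVT",     "03"),
    ("FB03", "F_BKPF_BUK", "BUKRS",     "$BUKRS"),  # org-level variable (assumed)
]
ORG_LEVELS = {"BUKRS", "WERKS"}  # assumed set of organizational-level fields


def objects_checked_at_runtime(tcode):
    """Objects the kernel checks when the tcode runs: Check / Yes and Check / No
    alike. Only Do Not Check suppresses the check for this tcode."""
    return {obj for tc, obj, ind in USOBX_C if tc == tcode and ind != "Do Not Check"}


def pull_proposals(role, tcode):
    """Mimic adding a tcode to the PFCG role menu. Only Check / Yes objects are
    pulled into the role (dict: object -> field -> set of values); proposed
    values are merged, and a blank proposal leaves the field unmaintained."""
    for tc, obj, indicator in USOBX_C:
        if tc != tcode or indicator != "Check / Yes":
            continue
        auth = role.setdefault(obj, {})
        for t2, o2, field, value in USOBT_C:
            if t2 == tcode and o2 == obj:
                values = auth.setdefault(field, set())
                if value:
                    values.add(value)
    return role


def traffic_light(role, org_values):
    """Red: an org level used by the role is not maintained (org_values maps
    org field -> value). Yellow: a non-org field is blank. Green: all maintained."""
    status = "Green"
    for fields in role.values():
        for field, values in fields.items():
            if field in ORG_LEVELS:
                if not org_values.get(field):
                    return "Red"
            elif not values:
                status = "Yellow"
    return status


if __name__ == "__main__":
    role = pull_proposals({}, "SE16")
    print("checked at runtime:", sorted(objects_checked_at_runtime("SE16")))
    print("pulled into role:", role, "->", traffic_light(role, {}))
    pull_proposals(role, "FB03")
    print("after FB03:", traffic_light(role, {}), "/", traffic_light(role, {"BUKRS": "1000"}))
```

The point to read off the model: S_TABU_NAM is still checked when SE16 runs even though it is never proposed (Check / No), so a role built purely from the menu can be green in PFCG and still fail at runtime with RC = 12 on that object.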
Critical Authorizations in SAP:
S_TABU_DIS - Protects tables by authorization group and activity.
S_TABU_CLI - Authorization object that protects cross-client tables.
S_TABU_NAM - Authorization object for table access based on table names.
S_PROGRAM - Controls running ABAP reports/programs via SA38.
S_DEVELOP - Authorization object that controls ABAP objects and debugging access.
S_USER_AGR - Controls role maintenance.
S_USER_AUT - Checked during authorization maintenance.
S_USER_GRP - Controls user groups (user administration).
S_USER_PRO - Controls profile maintenance.
S_BDC_MONI - Protects batch input monitoring.
S_BTCH_JOB - Background job monitoring and administration.
S_BTCH_ADM - Background job administration.
S_BTCH_NAM - User-level control for background job scheduling.
S_ADMI_FCD - Basis administration functions such as spool and monitoring.
SU25 Steps:
Step 1 - Copy SAP Data: Copies the SAP-provided authorization checks (SU24 proposals) from
the previous version to the current version.
Step 2a - Compare SAP Data: Compares and displays the changes in SAP-provided default values
for authorization objects.
Step 2b - Adjust Proposals: Allows the SAP-provided default values for authorization objects
to be modified based on new or changed SAP data.
Step 2c - Update Customer Tables: Automatically updates the customer authorization tables
with the changes made to the default values.
Step 2d - Checks whether SAP has introduced new transactions in place of any existing
transactions. (Important for an ECC to S/4HANA upgrade.)
Step 3 - Mass Generation of Profiles: Regenerates the authorization profiles of roles that were
affected by changes to the authorization proposals.
Step 4 - Upgrade Post-Activities: Performs post-upgrade activities, such as manual
adjustments to authorization objects or roles.