
SAP AUTHORIZATIONS

Muhammad Arshad

SAP Technical Architect - BASIS | OS/DB Migration Public/Private Cloud/On-Prem | SAP Rise | PCOE | S/4 Conversion | BTP | SAP CPI | Security | Solution Manager | FIORI | SAP HANA | SAP S/4 HANA | Microsoft Azure | AWS

Published Jun 19, 2023

What SAP authorizations does transaction XYZ require?

Look at the authorization default values of the application: transaction SU22 shows the SAP-delivered defaults, and transaction SU24 the customer's adjusted copy, which is what the profile generator (PFCG) actually uses. In both transactions the authorization objects of an application are assigned to the application and their default field values are maintained.

How to do an authorization trace?

There are several transactions for the authorization trace:

ST01 -> authorization check. Note: the trace is not system-wide; it only records on the instance on which it was started. So log on to the same application server on which the session of the user to be traced is running. In the details of an authorization check in the trace (double-click) there is also a reference to the program and the source code line in which the authorization check was carried out.

In the evaluation, do not use asterisks in the user ID field; ST01 does not treat them as wildcards. Entering "ABC*" evaluates the trace data for the literal user "ABC*", not for all users beginning with "ABC".

Convert web pages and HTML files to PDF in your applications with the Pdfcrowd HTML to PDF API Printed with Pdfcrowd.com

STAUTHTRACE: extended version of ST01 for the authorization trace (from SAP_BASIS 7.00 SP26). Once SAP Note 1707841 (STAUTHTRACE: system-wide trace evaluation) is implemented, the trace can also be started and evaluated across all application servers. If "Evaluate Extended Passport" is checked, it additionally provides useful statistical data, e.g. for RFC calls (calling system/client, batch job, transaction name). The trace data is displayed in an ALV grid, with a jump to the respective ABAP source code.

STUSOBTRACE: evaluation and filter maintenance for the long-term authorization trace (from SAP_BASIS 7.40). It is controlled by the profile parameter auth/authorization_trace (N = off, Y = on, F = on with filter).

STRFCTRACE (SAP Note 2080378): analysis of RFC communication, similar to the function in UCON ("Unified Connectivity", http://help.sap.com/saphelp_nw74/helpdata/de/ab/35e1c69f744d69a4fcf4ca93284e0c/content.htm).

How to disable authorization checks?

Transactions AUTH_SWITCH_OBJECTS (global deactivation of an authorization object), SU24 and SU25 (check indicator "Do not check" per application).

-> Global deactivation is only possible if the profile parameter auth/object_disabling_active is set to Y; it should be set to N in production systems! Both mechanisms silently remove checks for every user, so any use of them belongs in the change record of the authorization concept.

Brief description and delimitation of transactions SU22, SU24 and SU25 (taken from the online documentation on SU22):

As the developer of an application, you use transaction SU22 to assign the authorization objects to the application and to edit the authorization default values of the authorization objects. The authorization objects and their default values can be transferred by the customer's authorization administrator with transaction SU25 and adjusted with transaction SU24. The profile generator (role management tool, transaction PFCG) uses this customer-adjusted data when creating role authorizations. In PFCG, the customer's role administrator can edit the authorization values even further, e.g. to specify the company code.

SU25 is used to initialize the profile generator after the initial installation and to transfer the new SAP default values into SU24 after an upgrade.

Other programs in the area: SU2X_CHECK_CONSISTENCY, SU24_AUTO_REPAIR.

SAP Note 1539556 (FAQ: Administration of Authorization Default Values)

Authorization fields, check tables / value tables

Transaction SU20

For transport, the object catalog entry is as follows:

R3TR AUTH (authorization field; authorization objects themselves are transported as R3TR SUSO)

But then also think about the data elements and domains used:

R3TR DTEL (data element)

R3TR DOMA (domain)

SUIM also helps to search for full authorization ('*')

A "*" entered in the field values of an authorization query matches any value of the field, i.e. it behaves as a wildcard. If you want to search specifically for the full authorization value "*", enter "#*" instead (see SAP Notes 1267608: SUIM | RSUSR030 search for full authorization, and 1259329: SUIM | Search with the search pattern #**).

Tab "Authorizations" is missing in PFCG

-> The profile parameter auth/no_check_in_some_cases is not set to "Y". See SAP Note 416016: Profile parameter auth/no_check_in_some_cases.

How to declare a field as an organizational level (in PFCG)?

SAP Notes:

0323817: Creating organizational level fields for the Profile Generator

0727536: FAQ | Use of customer-specific organizational levels in PFCG

0535602: SUPO | Documentation and transport connection for organizational level maintenance

How does PFCG interact with HR Organizational Management?

-> Indirect role assignment. Users are assigned to a position and thereby receive the roles assigned to that position.

Documentation in the SAP Library:

https://help.sap.com/saphelp_nw73/helpdata/de/58/9e563cf19bcb43e10000000a11405a/frameset.htm

A role assignment via HR Org. Management can be recognized, among other things, by the flag "ORG_FLAG" in table AGR_USERS.

A prerequisite is, among other things, the entry HR_ORG_ACTIVE = YES in table PRGN_CUST. The indirect assignments are only written into AGR_USERS by the user master comparison with the HR organization (PFUD, program RHAUTUPD_NEW), so it has to be scheduled regularly.

Tables, transactions, etc. involved: table T77AW (WEGID = US_ACTGR), transaction PPOME. List of assignments: transaction S_AHR_61016503. General evaluation program: RHSTRU00.

SAP Notes with information on how to do this:

0578271: PFCG integration of role assignment maintenance into PPOME

0511200: PFCG/PFUD/SU01/SU10: Role assignment and profile comparison

Profiles SAP_ALL and SAP_NEW

There are generation programs for both:

RSUSR406 for SAP_ALL

REGENERATE_SAP_NEW for SAP_NEW

The program REGENERATE_SAP_APP can also be used to generate a profile "SAP_APP" and/or a role "SAP_APP" from which, for example, Basis and HR objects are excluded. Unlike SAP_ALL and SAP_NEW, SAP_APP is not delivered in the standard; it only exists once it has been generated via REGENERATE_SAP_APP. None of these profiles belongs on a dialog user in a production system, and the generation programs themselves should be restricted to the authorization administrators.

How to do mass generation of profiles?

Transaction SUPC or program SAPPROFC_NEW. For the execution of SAPPROFC_NEW, the transaction authorization for SUPC is also required (it is checked at program start). If you do not have it (and also no authorization to generate in PFCG), you can fall back on the function module SUPRN_PROFILE_BATCH to generate the profiles of individual roles (SE37, parameter ACT_OBJID = role name). Interestingly, no change documents seem to be generated in the process. In other words, executing the function module directly in SE37 bypasses both the S_TCODE check for SUPC/PFCG and the audit trail, which is one more reason to restrict the test environment of SE37 in production.

How to delete roles in bulk?

Only via an add-on program from SAP Note 0313587: Mass deletion of activity groups ("activity group" is the old term for role).

Status overview of roles (profile/profile generation current, user assigned, etc.)

Program PRGN_STATUS_ALL

How to include roles in a transport request en masse?

Program PFCG_MASS_TRANSPORT

How to distribute roles to other systems?

Transaction PFCGROLEDIST

How to do a Role comparison?

SUIM -> comparisons -> roles (or transaction S_BCE_68001777 or program RSUSR050).

How to adjust and regenerate derived roles?

Program SUPRN_REGENERATE_DEPENDENT -> only works for individual parent roles (the name of the parent role whose derived roles are to be adjusted must be specified on the selection screen).

Authorizations: enabling/disabling the transaction authorization check when a transaction is called from another transaction (CALL TRANSACTION ...)

Transaction SE97 / table TCDCOUPLES controls, per pair of calling and called transaction, whether the S_TCODE check is performed for the CALL TRANSACTION. What happens for pairs without an entry depends on the profile parameter auth/check/calltransaction (0 = never check, 1 = check according to TCDCOUPLES, the default, 2 = always check). Application code that calls transactions should therefore not rely on the called transaction being protected; since ABAP 7.40 the addition CALL TRANSACTION ... WITH AUTHORITY-CHECK makes the check unconditional.
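The following ABAP report is an added example and not part of the article: it contrasts the legacy CALL TRANSACTION, whose S_TCODE check depends on the SE97/TCDCOUPLES entry, with the WITH AUTHORITY-CHECK addition (ABAP 7.40 and later), which always checks S_TCODE plus the additional object from SE93 and raises CX_SY_AUTHORIZATION_ERROR on failure. The report name ZSEC_CALL_TCODE_DEMO and the default target transaction SE16 are assumptions for illustration.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_CALL_TCODE_DEMO (hypothetical name; added example, not from the
*& article). Shows how the S_TCODE check for CALL TRANSACTION depends on
*& SE97/TCDCOUPLES in the legacy form and becomes unconditional with the
*& WITH AUTHORITY-CHECK addition (ABAP 7.40 and later).
*&---------------------------------------------------------------------*
REPORT zsec_call_tcode_demo.

PARAMETERS p_tcode TYPE sy-tcode DEFAULT 'SE16'.

CLASS lcl_tcode_call DEFINITION.
  PUBLIC SECTION.
    " Starts the transaction with the explicit authorization check;
    " returns abap_false (instead of starting it) when the check fails.
    CLASS-METHODS call_checked
      IMPORTING iv_tcode          TYPE sy-tcode
      RETURNING VALUE(rv_started) TYPE abap_bool.
ENDCLASS.

CLASS lcl_tcode_call IMPLEMENTATION.
  METHOD call_checked.
    " Legacy form, for comparison only (not executed here):
    "   CALL TRANSACTION iv_tcode.
    " Whether S_TCODE is checked then depends on the TCDCOUPLES entry for
    " (calling transaction, called transaction) and on the profile
    " parameter auth/check/calltransaction; without an entry the
    " default (no check) applies.
    TRY.
        CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
        rv_started = abap_true.
      CATCH cx_sy_authorization_error INTO DATA(lx_auth).
        " The check covers S_TCODE and the additional object from SE93
        DATA(lv_msg) = lx_auth->get_text( ).
        MESSAGE lv_msg TYPE 'I' DISPLAY LIKE 'E'.
        rv_started = abap_false.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Optional pre-check, e.g. to hide a button or give a clear message;
  " it does not replace the check performed by the call itself.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD p_tcode.
  IF sy-subrc <> 0.
    WRITE: / |{ sy-uname } has no S_TCODE authorization for { p_tcode }|.
  ENDIF.

  IF lcl_tcode_call=>call_checked( p_tcode ) = abap_false.
    WRITE: / |Transaction { p_tcode } was not started|.
  ENDIF.
```

Run it with a user who has S_TCODE for the report's own transaction but not for SE16: the legacy form (commented out) would start SE16 if no TCDCOUPLES entry requires a check, whereas the checked form stops with the exception text. The explicit AUTHORITY-CHECK before the call is only for user guidance; the enforcement is the addition on the call itself.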

In which composite roles is a role included?

via SE16 -> table AGR_AGRS, enter the role in CHILD_AGR.

What transactions did user x use in the period y - z?

ST03N -> switch to "Expert Mode" -> select the application server (not TOTAL!) -> select the period -> in the lower area "User and Settlement Statistics" -> "User Profile" -> double-click on user x.

Note that ST03N is a performance statistic, not a security log: it only holds data for the configured retention period, so for forensic questions prefer the Security Audit Log (SM20) if it was active.

How to refresh user buffers (authorizations)?

In SU01, enter "RSET" in the command field (on any screen), or

run report RSUSR405, or

execute function module SUSR_USER_BUFFER_AFTER_CHANGE (value 4 for parameter PROFILE; see also SAP Note 452904: Loss of authorization after profile generation), or

execute function module SUSR_RESET_ALL_USER_BUFFERS.

The user buffer can also be reset for a single user: SU56 -> "Authorization Values" -> "Other User / Authorization Object" -> enter the user -> "Authorization Values" -> "Reset User Buffer".

How to fix the user buffer overflow issue?

In releases below SAP_BASIS 7.50 there is a hard limit of 312 profiles that a user can have. If this limit is exceeded, the user master comparison fails for that user (red lights).

Users with such an overflow can be found via SE16 in table USR04. The PROFS field contains the assigned profiles and the NRPRO field the number of bytes used in it. A profile name is 12 characters long and 2 additional bytes are needed for a change flag, so (NRPRO - 2) / 12 = number of profiles. A value of NRPRO above 3740 (312 profiles x 12 + 2 = 3746 bytes) indicates an overflow of the user buffer.
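As an added example that is not part of the article, the following report turns the SE16 lookup into a repeatable check: it reads USR04, derives the profile count from NRPRO with the formula above and flags users at or beyond the 312-profile limit. The report name ZSEC_USR04_OVERFLOW_CHECK is hypothetical; the field semantics (12 bytes per profile, 2-byte change flag, 3740-byte warning threshold) are taken from the text.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_USR04_OVERFLOW_CHECK (hypothetical name; added example, not from
*& the article). Finds users whose profile list in USR04 is at or beyond
*& the 312-profile limit that applies below SAP_BASIS 7.50.
*&---------------------------------------------------------------------*
REPORT zsec_usr04_overflow_check.

" USR04-PROFS holds all profiles of a user in one long field:
" 12 characters per profile name plus a 2-byte change flag.
" USR04-NRPRO holds the number of bytes of PROFS that are in use.
CONSTANTS: gc_profile_len TYPE i VALUE 12,
           gc_flag_len    TYPE i VALUE 2,
           gc_max_prof    TYPE i VALUE 312,   " hard limit below SAP_BASIS 7.50
           gc_nrpro_warn  TYPE i VALUE 3740.  " rule of thumb from the article

TYPES: BEGIN OF gty_user,
         bname    TYPE usr04-bname,
         nrpro    TYPE usr04-nrpro,
         profiles TYPE i,
         overflow TYPE abap_bool,
       END OF gty_user,
       gty_users TYPE STANDARD TABLE OF gty_user WITH EMPTY KEY.

" Derives the profile count from NRPRO as described in the article and
" flags users at or beyond the limit.
FORM evaluate_users CHANGING ct_users TYPE gty_users.
  CLEAR ct_users.
  SELECT bname, nrpro
    FROM usr04
    WHERE nrpro > @gc_nrpro_warn
    ORDER BY nrpro DESCENDING
    INTO TABLE @DATA(lt_usr04).
  LOOP AT lt_usr04 INTO DATA(ls_usr04).
    " Integer division: partial trailing bytes do not count as a profile
    DATA(lv_profiles) = ( ls_usr04-nrpro - gc_flag_len ) DIV gc_profile_len.
    APPEND VALUE gty_user( bname    = ls_usr04-bname
                           nrpro    = ls_usr04-nrpro
                           profiles = lv_profiles
                           overflow = xsdbool( lv_profiles >= gc_max_prof ) )
           TO ct_users.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  DATA gt_users TYPE gty_users.
  PERFORM evaluate_users CHANGING gt_users.

  IF gt_users IS INITIAL.
    WRITE: / 'No user is close to the profile limit.'.
  ENDIF.
  LOOP AT gt_users INTO DATA(gs_user).
    DATA(lv_status) = COND string( WHEN gs_user-overflow = abap_true
                                   THEN 'OVERFLOW: reduce profiles or collapse roles'
                                   ELSE 'near the limit' ).
    WRITE: / gs_user-bname, gs_user-nrpro, gs_user-profiles, lv_status.
  ENDLOOP.
```

Users listed as OVERFLOW are the ones whose user master comparison shows red lights; the usual fix is to replace many single roles by composite roles with fewer generated profiles, or to move to a release that no longer has the limit.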

SAP Notes on this:

0841612: Maximum number of profiles per user

0410993: Maximum number of profiles and permissions

The message "No permission to read the file usr/sap/trans/sapnames/USERNAME"

Cause and fix: SAP Note 816523: Abort when a user logs on: "No authorization".

Some more useful programs for authorizations

PRGN_STATUS_ALL - overview of roles (profile generated, user assigned, etc.)
PFCG_ADD_MINIAPP - add a MiniApp
PFCG_AGRS_WITH_MANUAL_S_TCODE - list all roles with a manually maintained S_TCODE authorization (worth running regularly: such transactions are not visible in the role menu)
PFCG_COMPARE_ROLE_WITH_TEMPL - compare a role with a template
PFCG_MASS_DOWNLOAD - mass download of roles
PFCG_MASS_IMPORT - mass import of roles
PFCG_MASS_TRANSPORT - mass transport of roles
PFCG_MODAUTH - change authorizations of a role from "Standard" to "Manual"
PFCG_ORGFIELD_CREATE - Profile Generator: create a new org. level field
PFCG_ORGFIELD_DELETE - Profile Generator: delete an org. level field
PFCG_ORGFIELD_ROLES - synchronize roles with the org. level definition
PFCG_ORGFIELD_UPGRADE - Profile Generator: adjustment after upgrade for a new org. level field
PFCG_SET_ACTGROUP_TIMESTAMP
PFCG_SET_PROFILE_NAMERANGE - set the number range for the profile name proposal
PFCG_START_PFCG - program to start PFCG
PFCG_TIME_DEPENDENCY - report for scheduling the time dependency of roles
PFCG_UPDATE_ALL_ROLES - regenerate all roles
SUPRN_PRINT_COMPLETE_AGR - print preparation of all data of a role
SUPRN_REGENERATE_DEPENDENT - adjustment of derived roles

How to assign authorizations for tables?

Authorization for all tables in an authorization group

Via authorization object S_TABU_DIS (field DICBERCLS = authorization group, ACTVT = activity). The authorization check for S_TABU_DIS is carried out both in the generic table access tools (SE16, SM30, ...) and in many application programs. The authorization group of a table is maintained in SE54 and stored in table TDDAT; tables without an assignment fall into the default group &NC&.

Authorization for individual tables

This can be controlled via the authorization objects S_TABU_DIS (goal: the check for the table's authorization group fails) and S_TABU_NAM (goal: the check for the table name succeeds).

In the generic table access tools (transactions SE16, SE17, SM30, SM31 and SM34) and all other applications that use the function module VIEW_AUTHORITY_CHECK for their authorization check, S_TABU_DIS is checked first with the authorization group of the table. Only if this check fails is S_TABU_NAM checked with the table name; if that succeeds, access to the table data is granted. Many application programs, however, do not follow this sequence and check only S_TABU_DIS. A user who has no S_TABU_DIS authorization for the group but does have S_TABU_NAM for the table therefore gets access in SE16, SM30, ... but may be denied access to the same table in the application programs.

Authorization for individual rows of tables

Via authorization object S_TABU_LIN (line-oriented authorizations based on organizational criteria).

In this context it also makes sense to create a parameter transaction for SM30 with the table name and to maintain the default values for this parameter transaction in SU24.
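The following report is an added example and not part of the article or of SAP's own code: it implements the two check sequences side by side for one table and activity (the group-then-name sequence of the generic tools, and the group-only check of many application programs), and cross-checks the result against the real function module VIEW_AUTHORITY_CHECK. Assumptions: the report name ZSEC_TABU_CHECK_DEMO, the default table USR02, the mapping of activity 03/other to VIEW_ACTION 'S'/'U', and the exception name NO_AUTHORITY of the function module.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_TABU_CHECK_DEMO (hypothetical name; added example, not from the
*& article). Shows the S_TABU_DIS -> S_TABU_NAM check sequence of the
*& generic table tools next to the S_TABU_DIS-only check found in many
*& application programs, for one table and activity.
*&---------------------------------------------------------------------*
REPORT zsec_tabu_check_demo.

PARAMETERS: p_table TYPE tabname    DEFAULT 'USR02',
            p_actvt TYPE activ_auth DEFAULT '03'.   " 03 display, 02 change

CLASS lcl_tabu_check DEFINITION.
  PUBLIC SECTION.
    " Sequence used by SE16/SM30/... (function module VIEW_AUTHORITY_CHECK):
    " authorization group first, table name only as fallback.
    CLASS-METHODS generic_tool_check
      IMPORTING iv_table          TYPE tabname
                iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Sequence found in many application programs: group only.
    CLASS-METHODS application_check
      IMPORTING iv_table          TYPE tabname
                iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
  PRIVATE SECTION.
    CLASS-METHODS auth_group
      IMPORTING iv_table        TYPE tabname
      RETURNING VALUE(rv_group) TYPE tddat-cclass.
ENDCLASS.

CLASS lcl_tabu_check IMPLEMENTATION.
  METHOD auth_group.
    " Authorization group of the table (maintained in SE54, stored in TDDAT);
    " tables without an assignment belong to the default group &NC&.
    SELECT SINGLE cclass FROM tddat WHERE tabname = @iv_table INTO @rv_group.
    IF sy-subrc <> 0 OR rv_group IS INITIAL.
      rv_group = '&NC&'.
    ENDIF.
  ENDMETHOD.

  METHOD generic_tool_check.
    DATA(lv_group) = auth_group( iv_table ).
    " Step 1: authorization group
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD iv_actvt.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.
    " Step 2: only after step 1 failed, the table name itself
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_table
      ID 'ACTVT' FIELD iv_actvt.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD application_check.
    DATA(lv_group) = auth_group( iv_table ).
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD iv_actvt.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lv_generic) = lcl_tabu_check=>generic_tool_check( iv_table = p_table
                                                          iv_actvt = p_actvt ).
  DATA(lv_app)     = lcl_tabu_check=>application_check( iv_table = p_table
                                                         iv_actvt = p_actvt ).

  " Cross-check against the real function module behind SE16/SM30
  " ('S' = display, 'U' = change; exception name NO_AUTHORITY assumed)
  DATA(lv_action) = COND char1( WHEN p_actvt = '03' THEN 'S' ELSE 'U' ).
  CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
    EXPORTING
      view_action  = lv_action
      view_name    = p_table
    EXCEPTIONS
      no_authority = 1
      OTHERS       = 2.
  DATA(lv_fm) = xsdbool( sy-subrc = 0 ).

  WRITE: / 'Table:', p_table, 'Activity:', p_actvt,
         / 'Generic tools (S_TABU_DIS, then S_TABU_NAM):', lv_generic,
         / 'VIEW_AUTHORITY_CHECK:                        ', lv_fm,
         / 'Application with S_TABU_DIS only:            ', lv_app.
  IF lv_generic = abap_true AND lv_app = abap_false.
    WRITE: / 'Gap: S_TABU_NAM opens SE16/SM30, but applications that check',
           / 'only S_TABU_DIS still deny this user access to the table.'.
  ENDIF.
```

Run it as the user in question (or after a trace in STAUTHTRACE) to see which of the two checks actually decides. The last two lines are the situation described above: granting S_TABU_NAM for a single table is the right way to open SE16/SM30 for it, but it does not help in application programs that only know S_TABU_DIS.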

Blocking a system against the import of user assignments of roles

If you want to block a system against the import of user assignments of roles (activity groups), specify this in the Customizing table PRGN_CUST (maintenance with transaction SM30): enter a line USER_REL_IMPORT with the value NO. This is the usual setting for production systems, so that user-role assignments are maintained locally and cannot be overwritten by a transport.
What are security guidelines / security policies?

Available from SAP_BASIS 7.31. Security policies replace a number of profile parameters for the definition of password rules, password changes and logon restrictions. In SU01 (tab "Logon Data") you assign a user to a security policy; the policies themselves are maintained in transaction SECPOL.

If no security policy is assigned to a user, the rules according to the profile parameters apply.

Changes to problematic profile parameters (such as login/password_downwards_compatibility) can then be introduced without breaking system users, provided those users are assigned to a security policy that still defines the older rules.

Note: with the introduction of security policies, the password rules are now also valid for service users!

Documentation: https://help.sap.com/viewer/c6e6d078ab99452db94ed7b3b7bbcccf/7.31.19/en-US/e9c15fb4c06340558898fda99d98cb0d.html

Critical authorizations / critical combinations of authorizations

As of release 7.52, report RSUSR_UP_AND_DOWNLOAD_FOR_CA allows you to maintain the rules in Excel. (In older releases you can create the report yourself; the ABAP code is available here: https://wiki.scn.sap.com/wiki/download/attachments/491918787/Z_USCRAUTH.txt). With this report, the existing rules are exported from the system to Excel in the appropriate format, adapted or supplemented there, and uploaded again. For more information see SAP Note 2785076: SUIM | New functionalities in RSUSR008_009_NEW.

Viewing the table contents of another client

Via transaction ST04, where an SQL editor can be found, or via program ADBC_QUERY. Just enter the table name (DB connection name and database schema can be left empty), select columns if necessary, and you get the data of all clients in the system, because native SQL is not subject to the automatic client handling of Open SQL. It is also not subject to the S_TABU_DIS / S_TABU_NAM checks, so access to these tools should be restricted to database administrators.
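To make the difference visible in code, here is an added example (not from the article) that reads the user master table USR02 twice: once with Open SQL, which silently restricts the result to the logon client, and once through ADBC native SQL, which returns rows from every client. It assumes the report name ZSEC_CROSS_CLIENT_DEMO, the default database connection, and that USR02 is resolved in the ABAP schema of that connection; USR02 is chosen deliberately because it holds password hashes, which is exactly the kind of data client separation is supposed to protect.

```abap
*&---------------------------------------------------------------------*
*& ZSEC_CROSS_CLIENT_DEMO (hypothetical name; added example, not from the
*& article). Reads USR02 once with Open SQL (implicit client filter) and
*& once through ADBC native SQL, which returns the rows of all clients.
*&---------------------------------------------------------------------*
REPORT zsec_cross_client_demo.

TYPES: BEGIN OF ty_row,
         mandt TYPE mandt,
         bname TYPE xubname,
       END OF ty_row,
       ty_rows TYPE STANDARD TABLE OF ty_row WITH EMPTY KEY.

" Native SQL through ADBC on the default connection. No MANDT filter is
" added and no S_TABU_DIS / S_TABU_NAM check takes place; the table name
" is resolved in the ABAP schema, so no schema prefix is needed.
FORM read_all_clients CHANGING ct_rows TYPE ty_rows.
  CLEAR ct_rows.
  TRY.
      DATA(lo_stmt)   = NEW cl_sql_statement( ).
      DATA(lo_result) = lo_stmt->execute_query(
        `SELECT MANDT, BNAME FROM USR02 ORDER BY MANDT, BNAME` ).
      " The column names of the result must match the target structure
      lo_result->set_param_table( REF #( ct_rows ) ).
      lo_result->next_package( ).
      lo_result->close( ).
    CATCH cx_sql_exception INTO DATA(lx_sql).
      DATA(lv_msg) = lx_sql->get_text( ).
      MESSAGE lv_msg TYPE 'E'.
  ENDTRY.
ENDFORM.

START-OF-SELECTION.
  " Open SQL: the kernel silently adds WHERE mandt = sy-mandt
  SELECT COUNT(*) FROM usr02 INTO @DATA(lv_own_client).
  WRITE: / |Open SQL, client { sy-mandt }: { lv_own_client } users|.

  DATA lt_rows TYPE ty_rows.
  PERFORM read_all_clients CHANGING lt_rows.

  " Summarize per client to make the difference visible
  DATA lt_clients TYPE SORTED TABLE OF mandt WITH UNIQUE KEY table_line.
  LOOP AT lt_rows INTO DATA(ls_row).
    INSERT ls_row-mandt INTO TABLE lt_clients.
  ENDLOOP.
  WRITE: / |ADBC: { lines( lt_rows ) } users from { lines( lt_clients ) } client(s)|.
  LOOP AT lt_clients INTO DATA(lv_client).
    DATA(lv_cnt) = REDUCE i( INIT n = 0
                             FOR r IN lt_rows WHERE ( mandt = lv_client )
                             NEXT n = n + 1 ).
    WRITE: / |  client { lv_client }: { lv_cnt } users|.
  ENDLOOP.
```

On a system with more than one client the second block lists every client, including 000 and 066 where present, although the report was started in only one of them. This is why ST04, DBACOCKPIT, ADBC_QUERY and the ability to create such reports (S_DEVELOP) need the same scrutiny in the authorization concept as SE16 with full S_TABU_DIS.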

Tables to see change documents for users

Tables:

USRSTAMP: timestamp for all changes to the user

USH02: change history for logon data and security policy

USH04: change history for authorizations (profile assignments)

CDHDR: OBJECTID = user name; as usual, the related records in table CDPOS have the same CHANGENR.

Have a nice day, and please let me know if anything is missing from this overview of SAP authorizations.

Please connect and follow me for the next upcoming informative articles.

Cheers :)

Comment from SAP Learner Community:

Wow, Muhammad Arshad! Your extensive knowledge in SAP systems is truly impressive! Your willingness to share your expertise on SAP authorizations shows your dedication to helping others in the industry. Keep up the great work and thank you for being such a valuable resource to the SAP community! #sapexpertise #sapsupport #sapcommunity
