
R/3 Security Notes

Security
SAP offers different tools, processes, and measures for security checks to protect the
data. SAP security helps to ensure that users can only use the functionality of SAP
which is a part of their job.
Security is a balancing act for protecting the SAP data and its applications from
unauthorized use and access.
It refers to the implementation of measures to protect the system, data, and processes
from unauthorized access, misuse, or any damage.
There are two types of security:
• Internal security = managed by the SAP authorization concept; access is
controlled at the application level.
• External security = managed by the underlying database system; access is
controlled at the database level.

USER ADMINISTRATION

❖ It is all related to User Maintenance.


1) User creation
2) User modification
3) User deletion
4) User Lock and Unlock
5) User copy
6) User Password reset.

SU01 = > T code for User Administration

Varun N
R/3 Security Notes

Process involved in the User Administration

Start
→ SAP access form = the user must fill it in himself, providing the details.
→ Manager approval {it depends on the organization}
→ Role owner approval
→ Security team (final)
→ Closed

SU01 Tabs
*Create *Modify *Display *Delete *Copy *Lock/Unlock *Change Password


When you click on Create, a total of 11 tabs will be visible.

➢ Documentation = enter the description and documentation for the user.

➢ Under Address data, only Last Name is mandatory.

➢ Under Logon data, User Type and Initial Password are mandatory.


➢ SNC (Secure Network Communication) = if SNC is active, the password is
skipped; if not, the password is asked for.

➢ Defaults = settings common to every user, like date format, decimal notation, time
format, printer details and time zone.

➢ Parameters = only required to be entered when requested by the user.


➢ Roles = Assign authorization through Roles.

➢ Profiles are interlinked with roles, and they get assigned automatically once
the roles are assigned.
➢ Maximum number of profiles that can be assigned to one user = 312.

➢ Groups = assign the user to extra groups if he belongs to them.


➢ Personalization = do not enter any details here.

➢ License data = this is related to licensing of users. Admin, developers, etc.

❖ Whenever you copy a user, the address and password are not copied.
Change docs = to see the changes made to the user in a time interval.
Path = > SU01 = > Information = > Change Documents for Users


USER TYPES IN SU01

Under Logon data there is the initial password (mandatory); it also contains the user type, user
group, validity period, etc.
There are five user types:
1) Dialog
2) System
3) Communication
4) Service
5) Reference

Dialog user type = default user type, interactive user, password parameters
are applied, GUI login is allowed.

Ex = > All employees of the organization.

Service user type = used for multiple dialog logons, password parameters
are not applied, GUI login is allowed.

Ex = > FFID in GRC.

System user type = used for internal communication and system-related
activities, password parameters are not applied, GUI login is not allowed.

Ex = > Background jobs are scheduled using these system IDs.


Communication user type = used for external communication between
systems or across the landscape, password parameters are not applied, GUI
login is not allowed.

Ex = > RFC (Remote Function Call)

Reference user type = used for providing extra access to dialog IDs when
their access limit (312 profiles) is reached; no password is required to log in,
and it cannot log in through the GUI.

Ex = > Create a reference user and assign two roles to it. Then create one service
user, assign it one role, and also assign the reference user to this user in the
Roles tab; the service user then has access to three roles.

DIFFERENT TYPES OF USER LOCKS / SAP UFLAG VALUE


➢ It is a numeric value that determines the status of a user in the SAP system.
➢ The status here means the lock/unlock mode, which can be read from the following
values:
0 = Not locked
32 = Global lock (CUA)
64 = Administrator lock
128 = Incorrect logon lock
128 + 64 = 192 = > Password lock + locked by administrator
128 + 32 = 160 = > Password lock + locked by CUA
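To make the bitmask arithmetic above concrete, here is an added example (not from the original notes) that decodes a UFLAG value into its lock reasons and filters a constructed set of USR02-like rows; the row layout (BNAME, UFLAG) is an assumption for the illustration.

```python
# Added example (not from the original notes): decode the SAP UFLAG value from
# USR02 into its lock components, using the bit values listed above.
# UFLAG is a bitmask, so combined locks are sums of the individual flags.

UFLAG_BITS = {
    32: "Global lock (CUA)",
    64: "Administrator lock",
    128: "Incorrect logon lock (password lock)",
}


def decode_uflag(uflag: int) -> list:
    """Return the list of lock reasons encoded in a UFLAG value.

    0 means not locked. Bits the notes do not cover are reported instead of
    being silently ignored, so a reviewer notices unexpected values.
    """
    if uflag < 0:
        raise ValueError("UFLAG must be a non-negative integer")
    if uflag == 0:
        return ["Not locked"]
    reasons = []
    remaining = uflag
    for bit, meaning in sorted(UFLAG_BITS.items()):
        if remaining & bit:
            reasons.append(meaning)
            remaining &= ~bit
    if remaining:
        reasons.append(f"Unknown flag bits: {remaining}")
    return reasons


def is_locked(uflag: int) -> bool:
    return uflag != 0


def locked_users(usr02_rows: list) -> dict:
    """Given constructed USR02-like rows (BNAME, UFLAG), return only the locked
    users mapped to their decoded lock reasons: the review a security admin
    runs to see who is locked and why."""
    return {row["BNAME"]: decode_uflag(row["UFLAG"])
            for row in usr02_rows if is_locked(row["UFLAG"])}


# Constructed sample rows, mirroring the BNAME and UFLAG columns of USR02.
SAMPLE_USR02 = [
    {"BNAME": "JSMITH", "UFLAG": 0},
    {"BNAME": "AKUMAR", "UFLAG": 64},
    {"BNAME": "BATCH01", "UFLAG": 192},
    {"BNAME": "CUAUSER", "UFLAG": 160},
]

if __name__ == "__main__":
    for user, reasons in locked_users(SAMPLE_USR02).items():
        print(user, "->", "; ".join(reasons))
```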

Standard / default users created after SAP installation:

User ID    Password          Client
SAP*       PASS / 06071992   ALL
DDIC       19920607          000, 001


Some facts
❖ User ID maximum length = 12 characters. The format differs from organization to
organization, based on a combination of first and last name.
❖ Maximum number of profiles assigned to one user = 312.
❖ Mandatory fields for creating a user are last name and initial password.
❖ All the tables related to users start with USR*.
Ex = > USR02 = user logon data.
USR40 = illegal passwords.

AUTHORIZATION CONCEPTS

In the above diagram there are many outer layers; in order to log in to the SAP
system you need to get through the firewall and the network. As SAP security
consultants, we don't deal with the firewall and the network.
We deal with authentication, i.e. logging in to the SAP system by providing the login
credentials (user ID, password). Whatever is done inside the SAP system after entering is
called authorization.


▪ Authorization exists inside the system; authentication exists outside the
system.
▪ If someone knows the user ID and password, another user can also log in to the SAP
system, so the stronger authentication check would be biometric.
▪ Authorization deals with permissions and privileges; authentication is
what checks your identity. So security deals with both.
▪ Authentication is common to every user; authorization varies for
every system.
▪ Authorization is identified by auth fields and auth objects.
▪ An authorization object is a group of at most 10 auth fields.

Auth object
  Auth field 1    Value 1
  Auth field 2    Value 2
  Auth field 3    Value 3
  ...
  Auth field 10   Value 10

▪ SU21 = T code for auth objects.

▪ The object class reveals the area of the authorization objects. (Each folder belongs
to one area; the files in that folder are the objects.)


For example = > an HR member comes and asks what the authorization objects for
appraisal, payroll and recruitment are; first we need to find out the authorization
object.
Path = > SU21 = > scroll down = > HR (Human Resources)

Below activities are performed under SU01:

To create a user = > S_USER_GRP is the auth object.
Assign roles to a user = > S_USER_AGR is the auth object.
Assign profiles to a user = > S_USER_PRO is the auth object.
Role 1 = > SU01 = > S_USER_GRP + S_USER_AGR
(user cannot assign a profile to another user)
Role 2 = > SU01 = > S_USER_AGR + S_USER_PRO
(user cannot create another user)
Role 3 = > SU01 + no auth objects
(user cannot perform any activity under SU01). This means that whatever we do inside
SU01 or any of its tabs is controlled by auth objects.
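The three roles above can be checked against a small model of the authorization check; this is an added example, not code from the notes. The auth object names are the ones named above; the field names, the required field values and the constructed roles are assumptions for the illustration.

```python
# Added example (not the notes' own code): a small model of the SAP
# authorization check. A role bundles T codes and authorizations
# (auth object -> field values); a user's buffer is the union of the
# authorizations of the assigned roles. An SU01 activity is allowed only when
# the user may start the T code AND holds a matching authorization for the
# activity's auth object. Field names and required values are assumptions.
from fnmatch import fnmatchcase

# SU01 activities and the auth object (with required field values) controlling each.
SU01_ACTIVITIES = {
    "create_user":    ("S_USER_GRP", {"ACTVT": "01", "CLASS": "SUPER"}),
    "assign_role":    ("S_USER_AGR", {"ACTVT": "22", "ACT_AGR": "Z_FI_DISPLAY"}),
    "assign_profile": ("S_USER_PRO", {"ACTVT": "22", "PROFILE": "SAP_ALL"}),
}

# Constructed roles: name -> (T codes, list of (auth object, field values)).
ROLES = {
    "ROLE1": ({"SU01"}, [("S_USER_GRP", {"ACTVT": "*", "CLASS": "*"}),
                         ("S_USER_AGR", {"ACTVT": "*", "ACT_AGR": "*"})]),
    "ROLE2": ({"SU01"}, [("S_USER_AGR", {"ACTVT": "*", "ACT_AGR": "*"}),
                         ("S_USER_PRO", {"ACTVT": "*", "PROFILE": "*"})]),
    "ROLE3": ({"SU01"}, []),          # T code only, no auth objects
}


def user_buffer(assigned_roles, roles=ROLES):
    """Union of T codes and authorizations of all assigned roles (like SU56)."""
    tcodes, auths = set(), []
    for name in assigned_roles:
        role_tcodes, role_auths = roles[name]
        tcodes |= role_tcodes
        auths.extend(role_auths)
    return tcodes, auths


def auth_matches(held_fields, required_fields):
    """Every required field must be covered by the held value; '*' and
    patterns such as 'X*' act as wildcards, as they do in PFCG."""
    return all(fnmatchcase(required_fields[f], held_fields.get(f, ""))
               for f in required_fields)


def has_authorization(auths, obj, required_fields):
    return any(o == obj and auth_matches(fields, required_fields)
               for o, fields in auths)


def can_perform(assigned_roles, activity, tcode="SU01"):
    """True when the user may start the T code and holds the auth object the
    activity needs; False for Role 3, which carries the T code only."""
    obj, required = SU01_ACTIVITIES[activity]
    tcodes, auths = user_buffer(assigned_roles)
    if tcode not in tcodes:
        return False
    return has_authorization(auths, obj, required)


def allowed_activities(assigned_roles):
    return sorted(a for a in SU01_ACTIVITIES if can_perform(assigned_roles, a))
```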


Note = > the authorization objects required for a particular T code are
linked in SU24.
SU24 = > T code to find the authorization objects related to any T code in SAP.
Path = > SU24 = > enter T code = SU01 {any T code} = > we get the authorization
objects related to that particular T code (filter on Proposal = Yes).

For example = > users come to you asking for access to sales order
creation, printer and payroll = > VA01, SP01, PA30.
❖ First you need to ask for the T codes; once you know them, pull the
auth objects related to these T codes and combine them.
❖ Then create one single role containing these 3 T codes + the auth objects
related to them (a group of T codes and the objects related to those T
codes) = Role.
Note = > we cannot assign T codes and authorization objects directly to
users. Hence, we place them under a role and then the role is assigned to the
user.
T code = > an easily memorable code to navigate to the desired program
without the long program names.
✓ A T code acts as a shortcut to a program.


✓ Whenever you execute a T code, the system runs the program in the
backend to show you the screen = > T code.
✓ SE93 = > maintenance of all T codes.
✓ SE93 is the T code where you can find, create, maintain, display, delete and
modify T codes, etc.
How to find the program related to a particular T code:
▪ Execute the T code SE93 in the command field and press Enter.

▪ To find the program or auth object related to SU01 (or any T code), type the T
code in the Transaction Code field.


▪ Then click on Display; it will show the program and auth object related to that
particular T code.

▪ Here the program name is SAPMSUU0 and the auth object is
S_USER_GRP.
❖ To execute this program, go to the command field, enter the T code
SA38 and enter the program name SAPMSUU0.

❖ Click on Execute above; you will get the SU01 screen (User
Maintenance).

Note = > since it is very difficult to remember program names, SAP provides
a shortcut code called a T code instead.
SU01 = > program name = SAPMSUU0, SCC5 = > program name = SAPMSCC1


PROFILE and ROLE Concept


PFCG = > profile generator
Profiles are of two types:
1) Standard profiles.
2) Generated through roles.
➢ Standard means the profiles that come along with the installation. They can be assigned
to users directly.

➢ SAP recommends never assigning the standard profiles to users, as they give
extra access. Hence, we assign roles to users, which in turn assigns the
generated profiles to the users.
➢ Generated profiles cannot be assigned to users directly.
➢ Generated profile names always start with T.

➢ When you assign roles to users, the profiles get automatically
assigned.


ROLE
▪ It is a group of T codes and their related authorizations.
For example = > create the necessary role for each and every team in the project.
The following teams are in the project: finance, HR, sales, basis, security, ABAP.
o The HR team performs the below activities:
* Personnel administration = > PA20, PA30, PA40
* Organizational management = > PO10, PO13, PPOM

Roles are categorized into two types:

• Technical roles = > support roles (build the software)
• Functional roles = > end users (use the software and prepare the bills)

Role matrix
o Information gathered from all the technical teams regarding the roles, the
types of roles and which access they need.
o Within the business roles, in the Sales department there can be various levels
of employees like clerk, supervisor, manager, senior manager.
For example = > Sales team - sales support role, sales clerk role, sales supervisor
role, sales manager role.

Role creation / modification process

➢ A change request form has to be filled in by the respective technical team.
➢ It has to be approved by the CAB (Change Advisory Board).
➢ Once approved, the request comes to Security and we create the role.

Profile concept.
PFCG = > Profile generator / Role maintenance


Old versions of SAP are SAP 3.0, 4.60, 4.66, 4.7, ECC5, ECC6……….
➢ In version 4.7 = > major changes occurred in the security area; the role concept
was introduced from 4.7 onwards. Prior to that, the profile concept was
used.

Changes that happened in 4.7:

SU02 = > used to create profiles; after that, PFCG.

Profile concept (before 4.7)           Role concept (4.7 onwards)
T codes + Auth = > Profile = > User    T codes + Auth = > Role = > Profile = > User

Role naming conventions

Types of roles = > Single (X), Composite (Y), Derived (Z) / child, Parent (P)
/ Master
Role length = > maximum 30 characters
The role name should contain the following:
✓ Role type
✓ Business process = > Basis, FICO, HR
✓ Sub process = > HR (PA, PD, Payroll)
✓ Extra information = > client
Example = > X:HR:PERSONAL_ADMIN:TATA
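The convention above can be enforced before a role is created in PFCG; here is an added example (not from the notes) that validates, parses and builds names in that format. The allowed segment character set (upper-case letters, digits, underscore) is an assumption for the illustration.

```python
# Added example (not from the original notes): validate and parse role names
# that follow the naming convention above:
#   <type>:<business process>:<sub process>:<extra info>, at most 30 characters,
# where the type is X (single), Y (composite), Z (derived) or P (parent/master).
# The segment character set is an assumption for this illustration.
import re

ROLE_TYPES = {"X": "Single", "Y": "Composite", "Z": "Derived (child)",
              "P": "Parent (Master)"}
MAX_ROLE_LEN = 30
SEGMENT_LABELS = ("business process", "sub process", "extra information")
SEGMENT_RE = re.compile(r"^[A-Z0-9_]+$")


def validate_role_name(name):
    """Return a list of problems; an empty list means the name is valid."""
    problems = []
    if len(name) > MAX_ROLE_LEN:
        problems.append(f"{len(name)} characters exceeds the maximum of {MAX_ROLE_LEN}")
    parts = name.split(":")
    if len(parts) != 4:
        problems.append(f"expected 4 colon-separated segments, got {len(parts)}")
        return problems
    if parts[0] not in ROLE_TYPES:
        problems.append(f"unknown role type '{parts[0]}' (expected X, Y, Z or P)")
    for label, segment in zip(SEGMENT_LABELS, parts[1:]):
        if not SEGMENT_RE.match(segment):
            problems.append(f"{label} segment '{segment}' is empty or not A-Z, 0-9, _")
    return problems


def parse_role_name(name):
    """Split a valid role name into its named components."""
    problems = validate_role_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    role_type, process, sub_process, extra = name.split(":")
    return {"type": ROLE_TYPES[role_type], "business_process": process,
            "sub_process": sub_process, "extra_info": extra}


def build_role_name(role_type, process, sub_process, extra):
    """Compose a name from its parts and reject it if it breaks the convention."""
    name = ":".join((role_type, process, sub_process, extra)).upper()
    problems = validate_role_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    return name
```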


PFCG Tabs

➢ Description = > just fill in the long text with information like why, when
and who is creating the role.

➢ Menu = > fill in the list of T codes in the Transactions option.

➢ Authorization tab = > go to Change Authorization Data and generate the profile.


How to see what each field and each colour represents in the Authorization tab:

Path = > Utilities = > click on Legend (or More = > Legend)

➢ User tab = > shows the list of users assigned to the role; click on
User Comparison, and once it is done you will see the User Comparison tab turn
green.

➢ Personalization tab = > do not touch it.

TESTING METHODS
Positive testing
▪ Checking whether the user can execute the T codes under the role.
Negative testing
▪ Ensuring the user cannot execute other T codes that are not under
the role.

Authorization Tab

Traffic Lights


✓ Green = > all authorization fields are filled or maintained with values.

✓ Yellow = > at least one authorization field is not maintained or is partially
unmaintained.

✓ Red = > unmaintained organizational levels.


Organizational field
* Authorization objects contain authorization fields.
* An authorization object is a group of at most ten authorization fields.

Fields are of two types:
❖ Normal field = > a field which does not represent the organization.
Example = > Activity, role name

❖ Organizational field = > a field which represents the organization.
Example = > Plant, cost center, billing

Org field = > Value


o Its meaning varies from organization to organization, i.e. it is specific to the
organization.
* BMW = > plant (manufacturing hub): 100 (UK plant); Walmart = > plant:
100 (USA branch).
➢ Whereas a normal field value is universal, example = > Activity: 03
(Display).

➢ Organizational field values are maintained in the Organizational Levels option in the
Authorization tab, whereas normal field values can be maintained directly.

Difference between normal field and organizational field

Normal field: does not represent the organization. Ex = > Activity.
Organizational field: represents the organization. Ex = > plant, company code.

Normal field: the field value meaning is universal, ex = > Activity 03 means display across
the world.
Organizational field: the org field value meaning differs from organization to organization,
i.e. it is specific to the organization.

Normal field: field values are maintained locally.
Organizational field: org field values have to be maintained centrally from the
Organizational Levels option.
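The traffic lights described earlier and the central maintenance of org fields described here can be modelled together; this is an added example, not code from the notes. S_TCODE/TCD, ACTVT, BUKRS and WERKS are standard SAP names, F_FICO_BUK is the object named later in these notes, and the sample role with its third object is constructed for the illustration.

```python
# Added example (not the notes' own code): a model of the Authorization tab that
# separates organizational fields from normal fields, maintains org levels
# centrally (one value pushed into every authorization that carries that field)
# and derives the traffic-light status from what is still unmaintained.
# The sample role and the object M_MATE_WRK are constructed for the example.
import copy

# Field name -> description, for the organizational fields this example knows.
ORG_FIELDS = {"BUKRS": "Company code", "WERKS": "Plant", "KOSTL": "Cost center"}


def make_sample_role():
    """A freshly created role: org levels and one Activity are still blank (None)."""
    return {
        "name": "X:FI:INVOICE:COKE",
        "org_levels": {},
        "auths": [
            {"object": "S_TCODE", "fields": {"TCD": "FBV0"}},
            {"object": "F_FICO_BUK", "fields": {"ACTVT": None, "BUKRS": None}},
            {"object": "M_MATE_WRK", "fields": {"ACTVT": "03", "WERKS": None}},
        ],
    }


def unmaintained_fields(role):
    """(object, field) pairs whose value is still empty."""
    return [(a["object"], f) for a in role["auths"]
            for f, v in a["fields"].items() if v in (None, "")]


def traffic_light(role):
    """Red if any org level is unmaintained, yellow if any normal field is
    unmaintained, green when every field has a value."""
    missing = unmaintained_fields(role)
    if any(field in ORG_FIELDS for _, field in missing):
        return "RED"
    if missing:
        return "YELLOW"
    return "GREEN"


def maintain_org_levels(role, org_values):
    """Organizational Levels option: one central value per org field, copied
    into every authorization that carries that field. Returns a new role."""
    for field in org_values:
        if field not in ORG_FIELDS:
            raise ValueError(f"{field} is not an organizational field")
    role = copy.deepcopy(role)
    role["org_levels"].update(org_values)
    for auth in role["auths"]:
        for field in auth["fields"]:
            if field in org_values:
                auth["fields"][field] = org_values[field]
    return role


def maintain_field(role, obj, field, value):
    """Normal fields are maintained directly on the authorization; org fields
    are refused so they cannot drift away from the central org level."""
    if field in ORG_FIELDS:
        raise ValueError(f"{field} must be maintained via org levels")
    role = copy.deepcopy(role)
    for auth in role["auths"]:
        if auth["object"] == obj and field in auth["fields"]:
            auth["fields"][field] = value
    return role
```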


Note = > when we click on the symbol called "Where-Used List"
(two hills with the sun rising in the background), it shows for which T codes the
authorization object is used, and also shows the auth fields and their value ranges.

Statuses of authorization objects

▪ There are four types.
➢ Standard = > represents SAP default standard values pulled from SU24 for
the T codes added in the Menu.

➢ Maintained = > represents blank fields that have been maintained with values.
Before

➢ After filling the blank field with some values, the status changes to
Maintained.

➢ Changed = > represents SAP default values that have been modified.

Before

➢ Maintain some value in a normal field (Activity) and click on Save; the status
will be updated to Changed.

➢ Manually = > represents authorization objects that have been inserted directly
into the role, not pulled from SU24.


Deleting an authorization object from a role

• To delete an authorization object, the below two conditions have to be satisfied:
✓ The authorization object should be deactivated.

✓ The authorization object status should be either Manually or Changed.

Options in Authorization Tab Screen

❖ Save = > when we click on save all the data will be saved.
❖ Expand = > When we click on a particular field and select the expand
option, the entire field will be expanded.


❖ Collapse = > when some fields are expanded, clicking on the Collapse
option will collapse that particular entry.

❖ Position = > when you click on any particular field and then select the
Position option, the system will take you to the top of the screen. After
scrolling up, it will return to the normal view.

❖ Profile = > after making changes to authorizations in the role, click on the
Profile option to generate. You will be prompted with two options: Check,
then click on Generate.

❖ Delete inactive = > to delete any authorizations, click on the specific field
and select the Delete option.
❖ Only manually added and changed authorizations will be deleted.


❖ Selection criteria = > when you select this option, a list of classes will be
displayed. Expand one class and select "Insert Chosen" above. This will add
the authorization object and show its status as Manually.

❖ Manually = > here you can directly insert authorization objects into the
role, without pulling them from SU24 or any of the T codes. Type any
authorization object and click "Continue".


❖ Open Authorizations = > when you click on "Open Authorizations", all
empty fields will be displayed. SAP recommends that the number of open fields
should be zero.


❖ Changed = > when we click on this, it expands to show how many
objects have the status Changed.

❖ More = > when we click on this, it shows many options to maintain
authorizations and org levels.


Profile Generation
➢ This is done in two ways in the Authorizations tab.

➢ Manual mode = > Change Authorization Data.

➢ Expert mode = > this mode is used during role
modification only, not during role creation.

When we click on Expert Mode for profile generation, there are three actions
that can be performed:
➢ Delete and recreate profile and authorizations.
➢ Edit old status.
➢ Read old status and merge with new data.

* Click on Continue.


1) Delete and recreate profile and authorizations.

▪ Create a new role and add the T code SCC4 in the Menu tab, then go to
Change Authorization Data in the Authorizations tab.

▪ In the auth tab screen, take the authorization object S_TABU_DIS (or any
object) and do some customization; here I added the value BD in the normal field (Activity).
Before

After

▪ Click on Save and generate the profile.

* Then modify the role: go back and add the T code SCC5 in the Menu tab.


▪ Go to the Authorizations tab. Instead of Change Authorization Data,
click on Expert Mode and select the first option, "Delete and Recreate
Profile and Authorizations".

Check now = >

✓ The customization is deleted - the old data is lost.
✓ It deletes the entire old data, including its customization.
✓ It freshly loads the authorization data from SU24 for the T codes added in the
menu.


2) Edit old status.

Continue----
→ In the same screen as above, I do some customization again: I
add the value BD in the normal field (Activity).
→ Click on Save and generate the profile.

→ Come back and add the T code SM36 in the Menu tab, then save.

→ After that, go to the Authorizations tab and click on Expert Mode for profile
generation. Then select the second option, "Edit Old Status".


→ Used if the authorization data has to be modified directly without modifying the
menu.
→ It keeps the old data as it is (including customization).

→ It does not pull the authorization data related to the new T codes added in the
menu.

3) Read old status and merge with new data.

Continue----
▪ Come back and go to the Authorizations tab. Click on Expert Mode for
profile generation, then select the third option, "Read Old Status and
Merge with New Data".


➢ It keeps the old data as it is (including customization).

➢ It also pulls the new authorization data related to all the T codes added in
the menu.


➢ It also merges the old data with the new data wherever possible.
➢ Without losing the old data, it merges in the new data of the T codes inserted in the
menu.

Note: -
➢ Out of these three options, the most favourable option is Read Old Status and
Merge with New Data.
➢ During role creation there is no such thing as old data; hence we do
not use expert mode when creating a role.

Composite Role
➢ It is a group of single roles.
Scenario: -
✓ Two ABAP roles = >
* ABAP display single role.
* ABAP full access single role.


✓ Two roles for the Basis team = >
* Basis display role.
* Basis admin role.
✓ Two Security roles = >
* Security display role
* Security admin role
The Security team needs the below roles:
➢ Security admin role.
➢ ABAP display access.
❖ These three single roles are combined together to create the Security composite
role.
❖ It is easier to select the composite role because composite roles are fewer in
number.
❖ Note = > the most important problem is that when a user requests a role,
instead of requesting the display role the user sometimes requests the full
access role; that request will then be rejected, because the approver who is
approving the request sees that a different user is requesting full access,
so he may reject the request.
❖ The key purpose of a composite role is to make things comfortable for the user and
also to reduce the security admin's work.

Composite role tabs

➢ Enter the T code PFCG in the SAP command field.
➢ Type the composite role name according to the role naming convention.
➢ Instead of creating a single role, click on the Composite Role option.

➢ When we click on Composite Role, it displays the below screen with some
tabs, and you can also see the difference between single and composite role
tabs.

➢ Description = > just fill in the long text with information like why, when
and who is creating the role.

➢ Roles = > fill in the single roles.

➢ Menu = > click on Import Menu to see the single roles and the T codes in them.
➢ To turn the Menu tab green, click on the Import Menu option.

➢ User tab = > shows the list of users assigned to the role; click on
User Comparison, and once it is done you will see the User Comparison tab turn
green.

➢ Personalization tab = > do not touch it.

Note = > when we assign the composite role to any user, in the user's Roles tab
another tab appears, called Indirect Assignment. We can directly delete
the composite role which was assigned, but we cannot directly delete the single roles
in it.

Master Role
➢ It is a parent role which has full access and contains the org level value *.
Derived role = > it is a single role which is derived from another single role.
What is the necessity of a derived role?
When the client is:
= > an MNC - Coke, BMW, Nestle
= > a multiple-business company - Tata, DuPont, Total, Unilever
Coke

India finance = > processes invoices of India.
USA finance = > processes invoices of the USA.
The T code used to process invoices is the same: FBV0.
In India, when they execute FBV0, they should be able to process the
invoices of India only.
In the USA, when they execute FBV0, they should be able to process the
invoices of the USA only.
This access can be differentiated with the org fields, i.e. plant, cost center,
company code.


In this diagram three roles are derived from one Master role.
Role Finance
T code = > FBV0
Auth object = > F_FICO_BUK
Activity = 16
Company code = *
We use this concept to make maintenance easier.
➢ If any user requests extra access like a T code or auth object, instead of
modifying the derived roles we can directly modify the Master role.

➢ When you derive roles from the Master role, the T codes and authorization
objects are derived as they are.
➢ The only difference between the Master and derived roles is the org field
values.


Here, I created a Master role with the T codes PFCG, RSA1 and RSD1 and
maintained the org value Plan Version as *. Additionally, I customized the
S_USER_AGR object with the role name X* and generated the profile.

I also created a derived role for India. In the Description tab, there is
an option called "Derived from Role"; in that field, I specified the Master role.
This is the extra thing you need to do in a derived role.

We also get an option called Delete Inheritance Relationship, which means the
relationship has been established between the Master and derived role.


We can see that whatever T codes are in the Master role are pulled into the
derived role; here I also maintained the org value Plan Version as 01.

Whatever customization I did in the Master role is not pulled into this role. In order
to pull that customization, go back to the Master role, where another button
appears, called Generate Derived Roles; click on it.


After clicking Generate Derived Roles, go back and check the derived
role: all the data is pushed to the derived role except the org values.

The org values we maintained in the derived role do not
change, so the org values are not overwritten; only the normal fields are
overwritten.


Another example = > create a Master role with company code value * and
derive roles for Germany, Malaysia and the UK with company code values
200, 300 and 400. If we add a new T code to the Master role and generate the
derived roles from it, it pushes the T code to the Germany, Malaysia and UK roles,
but it does not touch the company code value of the derived roles. The
company code value remains as it is. That is the concept of Master
and derived roles.

If you want to add a new T code FB01 to these three derived roles, you need
to add this T code to the Master role, and the derived roles will be modified accordingly.

The only difference between Master and derived roles is the org field values, i.e.
the company code values in this example.

Question = > how many derived roles can be derived from one Master role? Is
there any limit?

➢ No limit; it depends on how many branches or businesses the company has.
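The Germany / Malaysia / UK scenario can be simulated to show exactly what Generate Derived Roles pushes and what it leaves alone; this is an added example, not code from the notes. Role names, the second authorization added with FB01 and the object F_FICO_BUK (taken from the notes' diagram) are constructed for the illustration; BUKRS is the standard field name for company code.

```python
# Added example (not from the original notes): simulating "Generate Derived
# Roles". The Master role pushes its T codes and normal-field values to every
# derived role, while each derived role keeps its own org-level values
# (company code here). Role and object names are constructed for the example.
import copy

ORG_FIELDS = {"BUKRS"}          # org-level fields that are never overwritten


def new_role(name, tcodes, auths, org_levels, derived_from=None):
    return {"name": name, "tcodes": set(tcodes), "auths": copy.deepcopy(auths),
            "org_levels": dict(org_levels), "derived_from": derived_from}


def generate_derived_roles(master, derived_roles):
    """Push menu and authorization data from the master to each derived role.
    Org fields keep the derived role's own values; everything else is copied."""
    for role in derived_roles:
        if role["derived_from"] != master["name"]:
            raise ValueError(f"{role['name']} is not derived from {master['name']}")
        role["tcodes"] = set(master["tcodes"])
        role["auths"] = []
        for auth in master["auths"]:
            fields = {}
            for field, value in auth["fields"].items():
                if field in ORG_FIELDS:
                    fields[field] = role["org_levels"].get(field, value)
                else:
                    fields[field] = value
            role["auths"].append({"object": auth["object"], "fields": fields})
    return derived_roles


def add_tcode_to_master(master, tcode, auths=()):
    """Role modification happens on the master only (the notes' FB01 case)."""
    master["tcodes"].add(tcode)
    master["auths"].extend(copy.deepcopy(list(auths)))
    return master


def company_codes(derived_roles):
    return {r["name"]: r["org_levels"]["BUKRS"] for r in derived_roles}


def build_scenario():
    """The Germany / Malaysia / UK scenario from the notes, constructed here."""
    master = new_role("P:FI:INVOICE:GLOBAL", {"FBV0"},
                      [{"object": "F_FICO_BUK", "fields": {"ACTVT": "16", "BUKRS": "*"}}],
                      {"BUKRS": "*"})
    derived = [new_role(f"Z:FI:INVOICE:{c}", set(), [], {"BUKRS": code}, master["name"])
               for c, code in (("DE", "200"), ("MY", "300"), ("UK", "400"))]
    return master, generate_derived_roles(master, derived)
```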

Role Tables

All the tables related to roles start with AGR* (Activity Group = > Role Name)

Some important tables are: -

➢ AGR_DEFINE = > all role definitions and Master/derived role
information.
➢ AGR_AGRS = > single and composite role information.
➢ AGR_TCODES = > roles and the transactions in their PFCG menus.
➢ AGR_USERS = > users assigned to a role.
➢ AGR_1250 = > authorization data for the activity group.
➢ AGR_1251 = > role and its authorization values.


➢ AGR_1252 = > role and its org values.

➢ AGR_INFO = > filter values from the generation run.
➢ AGR_TIME = > time stamp for the role (menu, profile, authorizations).
➢ AGR_NUM_2 = > internal counter for assigning profile names.
➢ AGR_TIME = > role modification details with date and time.

How to view the tables:

▪ Enter the T code SE16 in the SAP command field and press Enter.

▪ The below initial screen will open.

▪ For ex: type the table AGR_DEFINE in the Table Name field and
press Enter.


▪ After this, the below screen will open. Type the role name or use the search
option. If needed, you can also apply filters.

▪ Then click on Execute to see what the AGR_DEFINE table contains.


This table contains all role definitions, including Master (parent) and derived
role information. It also shows the user, change date and time, which can be
filtered.

For ex, another table, AGR_1252: see in the below picture that it contains the
role name and its org values.

Role Deletion

= When the role exists in the Development environment only:

o Go to PFCG.
o Enter the role name.
o Delete the role.


= When the role exists in the Dev, Quality and PRD systems (especially in Quality
and Production we have PFCG display access only):

→ Go to PFCG.
→ Enter the role name.
→ Create a transport request.
→ Load the role into the transport request.
→ Delete the role in the development system.
→ Release the transport request.

After clicking the Transport Role option, the below screen appears; in it, never
tick Personalization data and direct user assignment.

After that click on Execute and create the transport request, save, and continue to the
next step.


After saving the TR, the below screen appears, containing the request
number, role type and the role status; if it is green, the role was
recorded successfully.

TMS – Transport Management System

-- Transport = > movement of data from one environment to another
environment.

➢ Transport is done in the form of a transport request.


➢ Transport request name = > SID + K9 + 5-digit request number.

➢ Example = > W88K900035
➢ SE01, SE09, SE10: these T codes are used to create, display and release
transport requests.
➢ Transport requests are of 4 types, but mainly most of us use only two. They
are: -

❖ Workbench TR = > it carries SAP standard data. Ex – ABAP code, T codes,
programs.


❖ Customizing TR = > it carries customized data. Ex – business data, users,
transactional data.
❖ A transport request is a group of tasks.

❖ A task is space reserved for one user; only the user in whose name the task is created
can load data into the TR through it.

What are the tables related to transport requests in SAP?

o E070
o E071


Security team duties regarding TMS.

▪ Creating a transport request (SE10 or SE09).
▪ Loading the role into the transport request (PFCG).
▪ Releasing the transport request (SE10 or SE09).

▪ Informing the Basis team that the TR has been released in the dev system and
requesting them to transport the TR into Quality.


Note = > before releasing the TR, ensure all the tasks under that TR are released.

Only when the TR is released from the dev system can the Basis team move that
TR into the Quality system. Otherwise they cannot.
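The request-name format, the one-user-per-task rule and the release-all-tasks-first rule from the TMS section can be captured in a small model; this is an added example, not code from the notes or from SAP. The request and task numbering, the user names and the object tuple are constructed for the illustration.

```python
# Added example (not the notes' own code): a model of a transport request with
# its tasks. It checks the request-name format (SID + K9 + 5 digits), enforces
# that only a task's owner loads objects into it, and refuses to release the
# request while any task is still unreleased. Names and users are constructed.
import re

TR_NAME_RE = re.compile(r"^(?P<sid>[A-Z][A-Z0-9]{2})K(?P<number>9\d{5})$")


def is_valid_tr_name(name):
    return TR_NAME_RE.match(name) is not None


def parse_tr_name(name):
    """'W88K900035' -> {'sid': 'W88', 'number': '900035'}; ValueError otherwise."""
    match = TR_NAME_RE.match(name)
    if not match:
        raise ValueError(f"{name!r} is not of the form SID K9 nnnnn")
    return match.groupdict()


class TransportRequest:
    def __init__(self, name, owner, kind="Customizing"):
        parse_tr_name(name)
        self.name, self.owner, self.kind = name, owner, kind
        self.tasks = {}          # task name -> {"owner", "objects", "released"}
        self.released = False

    def add_task(self, task_name, owner):
        parse_tr_name(task_name)
        self.tasks[task_name] = {"owner": owner, "objects": [], "released": False}

    def can_load(self, task_name, user):
        """Only the user the task was created for may load data into it."""
        task = self.tasks[task_name]
        return user == task["owner"] and not task["released"]

    def load(self, task_name, user, obj):
        if not self.can_load(task_name, user):
            raise PermissionError(f"{user} cannot load into {task_name}")
        self.tasks[task_name]["objects"].append(obj)

    def release_task(self, task_name):
        self.tasks[task_name]["released"] = True

    def unreleased_tasks(self):
        return sorted(t for t, d in self.tasks.items() if not d["released"])

    def can_release(self):
        """The notes' rule: the TR may be released only when every task is."""
        return not self.unreleased_tasks()

    def release(self):
        if not self.can_release():
            raise ValueError("unreleased tasks: " + ", ".join(self.unreleased_tasks()))
        self.released = True
        return self.name

    def objects(self):
        return [o for d in self.tasks.values() for o in d["objects"]]


def role_deletion_request(sid, number, security_user, role_name):
    """Build the TR used when deleting a role that exists in Dev, QA and PRD:
    the request plus one task for the security user, holding the role."""
    tr = TransportRequest(f"{sid}K{number}", security_user)
    task = f"{sid}K{number + 1}"
    tr.add_task(task, security_user)
    tr.load(task, security_user, ("ROLE", role_name))
    return tr, task
```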

Role Modification

→ Single role
➢ Modifying the menu by adding/removing T codes from the Menu.
➢ Directly modifying the authorization data.
→ Composite role
➢ Adding/removing single roles from the Roles tab.
→ Derived role = > only org levels.
→ Master role
➢ This is modified like a single role: modifying the menu by
adding/removing T codes from the Menu.
➢ Directly modifying the authorization data.

Common Authorization Issues in SAP Security.

- Not able to log in to the SAP system.

• Wrong password, user locked, user expired, incorrect client, password
expired (controlled by the parameter).

- Successfully logged in to the SAP system, but not able to execute the T code.


• Role is expired.
• Profile is not generated for the role.
• User comparison is not done.

- Able to execute the T code, but not able to perform certain functions under that T
code.

• User does not have access to the appropriate authorization values required for
the role assignment.

• Profile is not generated for the role.

• User comparison is not done.

T codes used in troubleshooting

SU53, SU56, ST01, STAUTHTRACE

1) SU53

❖ It evaluates the last authorization check, whether it was successful or a failure.


❖ When it is a failure, it even gives you the authorization values related to the
failure.
❖ See the picture below: it shows which object is missing, the T code and its fields;
based on that we give the authorization.

2) SU56

❖ It is a temporary memory (the user buffer) created when the user logs in to the SAP
system and wiped out when the user logs out.
❖ When a user executes any T code, the system cross-checks with the user buffer,
not with the DB.


❖ If there any problem related to the user buffer: -


• Ask user to logout and login to SAP System.
• Ask user to reset in user buffer.

In the SU56 screen, there is an option called Authorization Values. Click on that
and select the User Buffer option if any T-codes are not visible.

3) SUIM

It is a powerful tool for security administrators to manage and audit user access and roles. It helps ensure that the right people have the right access and that security policies are being followed.


Important Options in SUIM:

1. User Information:

✓ Users by Address Data: Allows you to view user details, including email and other contact information.
✓ Users by Authorization Values: Lets you find users based on specific authorization values.
✓ Users by Role Assignment: Provides a list of users assigned to specific roles, helping to track user permissions.

2. Role Information:

✓ Roles by Complex Selection Criteria: Enables searching for roles using various criteria like role name, description, or authorization objects.
✓ Roles by User Assignment: Lists all the roles assigned to specific users, which is useful for reviewing and managing user access.
✓ Roles by Profile Assignment: Shows roles associated with particular profiles.

3. Authorization Information:

✓ Profiles by Complex Selection Criteria: Helps search for profiles based on different attributes, such as profile name or description.
✓ Authorization Objects by Complex Selection Criteria: Allows you to find authorization objects based on specific criteria.
✓ Authorizations: Lists all authorizations within the system, helping to manage and review authorization objects and their values.

4. Change Documents:

✓ Users: Provides a history of changes made to user data, including who made the changes and what changes were made.
✓ Roles: Shows the change history for roles, helping track modifications over time.
✓ Profiles: Details the changes made to profiles, useful for auditing purposes.

5. Other Tools:

✓ Where-Used List: Shows where specific authorization objects or fields are used within the system.
✓ Field Values: Lists the possible values for a given authorization field.


ST01 = > System Trace

1) Access the ST01 Transaction:
❖ Go to the SAP Easy Access screen.
❖ Enter the transaction code ST01 in the command field and press Enter.

2) Select Trace Components:
• In the initial screen, you will see options to select the type of trace you want to activate. Common options include:
❖ Authorization Check = > To monitor authorization checks.
❖ SQL Trace = > To log database queries.
❖ Buffer Trace = > To monitor buffer activities.
• Check the boxes for the components you want to trace.

3) Set Trace Options (Optional):
• You can set filters to narrow down which records are traced, such as:
❖ User IDs = > Specify particular users to trace.
❖ Transaction Codes = > Focus on specific transactions.
❖ Programs = > Monitor specific programs.

4) Activate the Trace:
❖ Click on the "Trace on" button. The system starts recording activities based on your selected components and filters.

5) Perform the Activities to be Traced:
❖ While the trace is active, log on with the traced user ID and perform the actions or processes you want to analyze.

6) Deactivate the Trace:
❖ Once you have captured the necessary information, return to the ST01 screen and click "Trace off" to stop recording.

7) Display and Analyze Trace Results:


❖ Click on "Analysis" in ST01 screen and specify the user, date, and time to
view the recorded data. Then execute to see the Trace.

8) Troubleshoot and Analyze:

❖ Use the trace data to identify issues, such as unauthorized access attempts,
slow-performing SQL queries, or other system problems.

❖ Based on the trace, the security consultant grants the missing authorization; failed checks are identified by the return codes shown in red.
Note = > It is important to deactivate the trace when not in use.

Return Codes
➢ RC = > 0 --- Authorization is successful.
➢ RC = > 4 --- User has required authorization object, but different
authorization Values.
➢ RC = > 8 --- User does not have required authorization values in the user
buffer.
➢ RC = > 12 --- User does not have access to authorization object.
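An added example (not part of these notes): a small Python model of how an authorization check is evaluated against the user buffer (SU56) and how the return codes 0, 4 and 12 listed above arise; RC 8 is not modelled. The buffer contents, the value formats ('*' and 'prefix*' wildcards) and the sample objects are assumptions made for the example.

```python
"""Added example (not from the original notes): a simplified model of an
authorization check against the user buffer and of the trace return codes
0, 4 and 12. Value formats and buffer contents are assumptions."""
from typing import Dict, List

# The user buffer: authorization object -> list of authorizations,
# each authorization mapping field name -> permitted values.
UserBuffer = Dict[str, List[Dict[str, List[str]]]]


def value_allowed(permitted: List[str], required: str) -> bool:
    """True if one permitted value covers the required value ('*' or 'prefix*')."""
    for p in permitted:
        if p == "*" or p == required:
            return True
        if p.endswith("*") and required.startswith(p[:-1]):
            return True
    return False


def authority_check(buffer: UserBuffer, obj: str, fields: Dict[str, str]) -> int:
    """Return the trace return code for checking `obj` with the given field values."""
    auths = buffer.get(obj)
    if not auths:
        return 12          # object not in the user buffer at all
    for auth in auths:
        if all(value_allowed(auth.get(f, []), v) for f, v in fields.items()):
            return 0       # one authorization satisfies every checked field
    return 4               # object present, but no authorization matches the values


def su53_report(buffer: UserBuffer, obj: str, fields: Dict[str, str]) -> str:
    """One SU53-style line: the return code and the values that were missing."""
    rc = authority_check(buffer, obj, fields)
    if rc == 0:
        return f"RC 0: {obj} ok"
    missing = ", ".join(f"{f}={v}" for f, v in sorted(fields.items()))
    return f"RC {rc}: missing {obj} with {missing}"


# Constructed sample buffer: S_TCODE for all FB* transactions and SU53,
# F_BKPF_BUK display only (ACTVT 03) for company code 1000.
SAMPLE_BUFFER: UserBuffer = {
    "S_TCODE": [{"TCD": ["FB*", "SU53"]}],
    "F_BKPF_BUK": [{"ACTVT": ["03"], "BUKRS": ["1000"]}],
}

if __name__ == "__main__":
    print(su53_report(SAMPLE_BUFFER, "S_TCODE", {"TCD": "FB03"}))
    print(su53_report(SAMPLE_BUFFER, "F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"}))
    print(su53_report(SAMPLE_BUFFER, "S_USER_GRP", {"ACTVT": "02", "CLASS": "SUPER"}))
```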

If 0 records are found (no trace is displayed), the possible causes are:

✓ Incorrect input values.
✓ The user is logged on to a different application server.

Note = > ST01 trace should be applied in the local server only. Hence before
applying ST01 trace, ensure that user and you are in the same system.
AL08 = > Users in each server.
SM51 = > List of application servers.


STAUTHTRACE
 Exclusive authorization trace.
 Trace is applied across all application servers.
Note = > This T code is available in the newer versions of SAP.
How to Use STAUTHTRACE:
 Access the Transaction:
o Enter STAUTHTRACE in the SAP command field and press Enter.

 Start the Trace:
o Specify the username and click on "Start Trace" to begin recording authorization checks.

 Perform Activities:
o Inform the user to perform the actions that are causing access issues, such as trying to execute a transaction they cannot access.

 Stop the Trace:
o Once the activities are completed, go back to the STAUTHTRACE screen and click "Deactivate Trace".

 View and Analyze Results:
o Click on "Display Trace" to see the results and review the authorization checks.

It displays the details of the authorization objects, field values, program name and the return codes.
Note = > Click on System Wide Trace to view the trace for each application
server. Apply the necessary filters, then click on Execute.


PFUD
Mass User Comparison

✓ For a single role we can do the user comparison in PFCG -> User Comparison tab.
✓ If there is a requirement to perform user comparison for 100 roles (multiple roles), then we use the T code PFUD to perform it.
✓ Choose multiple role selection and paste the role names from the clipboard.


✓ Then, click on execute.

Which important actions are performed in PFUD?

1) Profile matchup
▪ It ensures that the profiles are assigned to the users and that the role status is green in SU01.

2) Composite role reconciliation
▪ Whenever a composite role is modified (a single role is added to or removed from it), the change should be reflected for the users as well.

3) HR organizational management: reconciliation
▪ It ensures that the roles assigned to the user's position or org unit are assigned to the user.

4) Cleanups
▪ It ensures that expired roles are removed from the user records in SU01.
Program related to PFUD = > PFCG_TIME_DEPENDENCY
SM01 = > Lock T code
EWZ5 = > Mass User Lock
SU10 = > SU12


IMPLEMENTATION PHASE

Every project has two phases.

❖ Implementation = > Short term.
❖ Support = > Long term.

Types of projects

 Implementation = > The company has no SAP at all and has decided to implement SAP.
 Support = > SAP is already in place and we look into issues.
 Upgrade = > Version upgrade.
 Rollouts = > Extending SAP to other business branches.

What are the roles and responsibilities of Security Consultants in an implementation project?

➢ Roles = > PFCG = > Authorization data is pulled from SU24.
• The image below is a screenshot of the SU24 transaction.

➢ Initially, if SU24 is empty, the PFCG authorization proposals for T codes do not work.
➢ We need to fill the authorization data into SU24 by using the T code SU25.
• The image below is a screenshot of the SU25 transaction.

SU25 = > First Installation and Upgrade.

SU22 = > SAP Standard Authorization Values related to a T code.

SU22 data is stored in Two Tables: -

1) USOBT = > SAP Standard authorization Values related to a particular T code.

✓ SE16 = > USOBT, the image below is a screenshot of the USOBT screen. If
needed, you can apply the filters.


✓ Then click on execute to see the columns like T code, auth object, field, and
its range values.

2) USOBX = > Check indicators of the authorization objects related to a particular T code (OK flag).

✓ The image below is a screenshot of the USOBX screen. If needed, you can apply the filters and also see the difference between the two screens.


✓ Then click on execute to see the columns like T code, auth object (cust)
OKFLAG and its Modifier name.

✓ Here OKFLAG contains the symbols called X, U, etc. and its description
shown below.

SU24 data is stored in Two Tables: -

1) USOBT_C => Customization + Standard.
2) USOBX_C => Standard + Customization.

Note = >

 When a role is created and T codes are added in the menu, the authorization data is pulled from SU24.
 For safety, we take a copy from SU22 to SU24; then, when T codes are added in the menu, the authorization data is pulled from SU24 into PFCG.

Some Important Implementation T codes

SU20 = > Authorization Field creation.

• The image below is a screenshot of the SU20 Transaction.

SU21 = > Authorization object creation.

• The image below is a screenshot of the SU21 Transaction

SU22 = > Authorization data related to a T code.


SU24 = > Custom Authorization data related to a T code.

SU25 = > First Installation and Upgrade.

SM51 = > List of Application servers.

AL08 = > Users logged in to all servers.

SM04 = > Users logged in to local servers.

SE16 = > Table Display.

SM30 = > Table Maintenance.

• The image below is a screenshot of the SM30 Transaction.

SE38 = > ABAP editor, create and edit programs.

• The image below is a screenshot of the SE38 Transaction.

Some Important Authorization objects

1) User administration
❖ S_USER_GRP
❖ S_USER_AGR
❖ S_USER_PRO
❖ S_USER_AUTH
❖ S_USER_SAS
❖ S_USER_SYS

2) Role administration
❖ S_USER_AGR
❖ S_USER_TCD
❖ S_USER_PRO
❖ S_USER_VAL

3) ABAP
❖ S_DEVELOP
❖ S_PROGRAM

4) Archiving
❖ S_ARCHIVE

5) T Code
❖ S_TCODE

6) Table Access
❖ S_TABU_DIS
❖ S_TABU_NAM
❖ S_TABU_LIN
❖ S_TABU_CLI

7) Spool Admin
❖ S_SPO_DEV
❖ S_SPO_PAGE
❖ S_SPO_ACT

8) TMS
❖ S_TRANSPRT
❖ S_CTS_ADMI
❖ S_CTS_LANG
❖ S_CTS_TADM

10) Background Admin
❖ S_BTCH_ADM
❖ S_BTCH_JOB
❖ S_BTCH_NAM
❖ S_BTCH_MONI

11) File Access
❖ S_DATASET
❖ S_PATH

Note = > S_CTS_SADM: CTS system administration (used instead of S_CTS_ADMI in some cases)


→ In SU20 the well-known field is TCD/CLASS.
→ Never delete a standard authorization field or a modified authorization field.
→ OSS = > Online Service System; it comes up while creating an authorization object.

SU25 = > First Installation and Upgrade.

• It helps to adjust and update the authorization data, specifically the authorization default values, to ensure they are compatible with the updated version or system.

The actions performed in SU25 are:

 Step 1 = > When we click on "Initial fill of customer tables", the SU22 data is copied to SU24. All values in SU24 are overwritten with the SU22 values, so any customization is lost.

✓ Step 2 = > If we do not want to lose the customization, the SU22 data is brought in without overwriting it, by running the remaining steps 2A, 2B, 2D and 2C.

➢ 2A (Compare with SAP Values) = > Compares the SAP values between SU22 and SU24. It checks against the standard application values, not the customized ones.
→ 2B (Compare affected transactions) = > Here a manual comparison is required: for each authorization it asks whether you want to proceed with the SAP-suggested values or the customized ones. In most cases we proceed with the customized ones, that is, the SU24 data.
 2D (Display Changed T codes) = > Displays the role name, description, old T code (to be deleted) and the newly introduced T code. For example, well-established roles from past years might have authorization fields and objects tied to the old T code. Removing these without understanding could affect other T codes that depend on the same objects.
o 2C (Roles to be checked) = > Provides the list of roles that need to be reviewed for changes in authorizations due to updates in transaction codes. It helps identify roles that may require adjustments to maintain proper access control.
✓ Step 3 = > If any changes were made in SU24, click on 3) Transport the customer tables.
✓ Step 4 = > Check indicators in SU24.
✓ Step 5 = > Deactivate authorization objects globally. In SU21 there is a folder called AAA – obsolete authorization objects.
✓ Step 6 = > Copy data from old profiles.

Note = > If we perform the first step, Initial fill of the customer tables, then the remaining steps are not needed.
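An added example (not from these notes) that models the SU22 (USOBT) and SU24 (USOBT_C) proposal tables in Python, to show which customizations step 1 (initial fill) would overwrite and what step 2A reports as differences. The table rows are constructed and reduced to (T code, object, field) -> values, and the merge function is a simplified stand-in for the step 2A/2B path, not the real SU25 logic.

```python
"""Added example (not from the original notes): a reduced model of the
SU22/SU24 proposal tables and of SU25 step 1 versus the step 2 path.
Rows are constructed; the real tables carry more columns."""
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str]           # (T code, authorization object, field)
ProposalTable = Dict[Key, Set[str]]  # -> proposed field values


def compare_proposals(sap: ProposalTable, cust: ProposalTable) -> Dict[str, List[Key]]:
    """Classify each (tcode, object, field) proposal the way step 2A reports it."""
    result: Dict[str, List[Key]] = {
        "unchanged": [], "customized": [], "customer_only": [], "sap_new": []}
    for key in sorted(set(sap) | set(cust)):
        if key in sap and key in cust:
            result["unchanged" if sap[key] == cust[key] else "customized"].append(key)
        elif key in cust:
            result["customer_only"].append(key)   # added in SU24, absent from SU22
        else:
            result["sap_new"].append(key)         # new SAP default after the upgrade
    return result


def initial_fill(sap: ProposalTable, cust: ProposalTable) -> Tuple[ProposalTable, List[Key]]:
    """Step 1: SU24 is overwritten with SU22; returns the new table and what was lost."""
    diff = compare_proposals(sap, cust)
    lost = diff["customized"] + diff["customer_only"]
    return {k: set(v) for k, v in sap.items()}, lost


def merge_keep_customer(sap: ProposalTable, cust: ProposalTable) -> ProposalTable:
    """Step 2 path (simplified): new SAP defaults are added, customer entries win."""
    merged = {k: set(v) for k, v in sap.items()}
    merged.update({k: set(v) for k, v in cust.items()})
    return merged


# Constructed sample: SU22 after an upgrade versus the customer's SU24.
SU22: ProposalTable = {
    ("FB03", "F_BKPF_BUK", "ACTVT"): {"03"},
    ("FB03", "F_BKPF_BUK", "BUKRS"): {"$BUKRS"},       # org level left open by SAP
    ("FB03", "F_BKPF_KOA", "ACTVT"): {"03"},           # new proposal in this release
}
SU24: ProposalTable = {
    ("FB03", "F_BKPF_BUK", "ACTVT"): {"03"},
    ("FB03", "F_BKPF_BUK", "BUKRS"): {"1000", "2000"},  # customer narrowed the org level
    ("FB03", "S_TABU_DIS", "ACTVT"): {"03"},            # object added by the customer
}
```

Running `initial_fill(SU22, SU24)` reports both customer entries as lost, while `merge_keep_customer` keeps them and still picks up the new F_BKPF_KOA proposal.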

 SA38 = > T code used to execute programs.
 SUPC = > Mass generation of profiles for multiple roles.
 Organizational fields are created by using the report PFCG_ORGFIELD_CREATE.
 TCDCOUPLES = > List of called transactions.
 T000 = > Table related to the client.
 TSTC = > T code for table checking.
 TSTCT = > Text for the T codes.
 SUKRI = > It is used to maintain the list of transactions.
 USKRIA = > It is used to maintain the list of authorizations.
 TBRG = > Authorization group programs are stored in this table.
 TDDAT = > Table related authorization group.
 TRDIR = > Program for authorization group relation.
 DBTABLOG = > Log records of table changes.
 RFCDES = > RFC destinations.
 TADIR = > Stores repository objects.
 TOBJ = > All the authorization objects existing in the system.
 TOBC = > Details of authorization object classes.
 TOBCT = > Text for authorization object classes.
 Change documents are stored in the USH* tables.


THANK YOU

Varun N
