Basics of SAP Security

Agenda
1. Introduction to SAP Security
2. Building Blocks
   • User Master Record
   • Roles
   • Profiles
   • Authorization Objects
3. User Buffer
4. Troubleshooting of Authorization Issues
   • SU53, ST01/STAUTHTRACE, SUIM
5. SAP Password Controls
   • RZ10
   • RZ11
6. Frequently Used SAP Security Transactions and Tables
1. Introduction to SAP Security
• SAP stands for Systems, Applications and Products in data processing.

• SAP Security means:
  • Protecting the SAP system from unauthorized execution of transactions and programs.
  • Users should not be allowed to execute transactions and programs in the SAP system until they have been given the authorization defined for that particular activity.

• Why is SAP Security important?
  • SAP systems store large amounts of confidential or sensitive data.
  • Users on your network using an SAP system must have access to everything they need to do their jobs; at the same time, they should not have access to sensitive data outside their job, such as financial records or confidential information.
2. Introduction to User Master Record
• A user initially has no access in SAP. When we create access in the system, it is defined by the User Master Record.

• User Master Record information includes:
  • Name, password, address, user type, company information
  • User group
  • Roles and profiles
  • Validity dates (from/to)
  • User defaults (logon language, default printer, date format, etc.)
User Types
1. Dialog User
2. System User
3. Communication User
4. Service User
5. Reference User

1. Dialog Users
• These are interactive users.
• They can log in to the SAP GUI; the system checks whether the user's password has expired or is still the initial password.
• The user can then set a new password in line with the password policy.
• Multiple logons are possible and can be restricted by profile parameters.
2. System User
• Used for communication within the system.
• Cannot log in to the SAP GUI.
• Password details are not checked; only an administrator can change the password.
Eg: internal RFC, external RFC.

3. Communication User
• These users are used for communication between systems.
• Cannot log in to the SAP GUI.
• The system does check the password parameters for this user type.
4. Service User
• This type of user is made available to a group of people for shared access.
• It can log in to the SAP GUI.
• Password details are not checked and only an administrator can change the password.
• Multiple logons to the SAP system are accepted.

5. Reference User
• Used for authentication of administration.
• It cannot log in to the SAP GUI.
User Administration (SU01)
• Step 1: Enter transaction code "SU01" in the SAP command field and press Enter.
• Step 2: On the user maintenance screen, update the following details.
  • User: enter the new user ID that you want to create.
  • Click on the create button (F8).
• Step 3: On the next screen, update the following details.
  • Address tab:
    Title: select the title from the drop-down list.
    Last Name: enter the user's last name; this is a mandatory field.
    First name: enter the user's first name.
    Communication: enter the user's communication details such as mobile number, e-mail ID and default language.
  • Logon data tab:
    User type: select the user type that you want to assign to the user ID.
    Password: enter the initial password and repeat it (for example SAP@123456); the user can change the password later. The password must comply with the password parameters.
    Validity period: enter the start date and end date of the validity period.
  • Defaults tab: click on the Defaults tab and update the following information.
    You can set the default logon language, date format, time format, start menu and so on.
    Spool Control: specify the output device, such as a printer.
    Personal Time Zone: specify the user's time zone based on his location.
  • Parameters tab: enter the parameters and parameter values.
  • Roles tab: the administrator assigns the user the role needed to perform his tasks. Eg: if you are creating a user for a system administrator, this is where the corresponding role is assigned.
  • Profiles tab: SAP delivers the predefined profile SAP_ALL, which gives the user authorization for all transactions.
  • Groups tab: assign the user to a specific user group.

After updating all the mandatory fields, click on the save button to save the newly configured user ID in SAP.
User Mass Maintenance (SU10)
Mass maintenance lets you modify the details of many users at once, which saves time.

• Step 1: Enter transaction code "SU10" in the SAP command field and press Enter.
• If you want to modify the details of several users, you can modify them all at once. In the user field, enter all the users that you want to mass change.
• Now modify the details of the users; for example, let us change the decimal notation and the date format.
  • Mark the change option and change the decimal notation, date format and time format.
  • Click on the save button to save the data; you get a notification about the mass change. Press Yes to continue.

Similarly you can change user address details and authorization details like user group, roles, authorization objects and so on. So mass user maintenance helps you to
User Group (SUGR)
• SUGR is the transaction code used for maintaining user groups in SAP.
• It belongs to the package SUSR.
• When this transaction code is executed, the standard SAP program SAPMSUUG runs in the background.
• It is used to categorize users by a common denominator, sort users into logical groups and allow segregation of user maintenance; this is especially useful in a large organization.
Introduction to Roles
• A role is a group of permissions/authorizations that are provided to a user.

• Roles and authorizations allow users to access SAP standard as well as custom transactions in a secure way.

• Roles provide access to transactions, reports, web applications, etc.

• A role in SAP is created with the profile generator (transaction PFCG).

Types of Roles
• Single role
• Composite role
• Derived role

• Single role:
  • It is a group of authorizations that are assigned to the user.
  • Generally these authorizations are assigned in the form of transactions, reports, web addresses and functions.

• Composite role:
  • It consists of many single roles. A composite role does not contain any profile of its own.
  • We can add single roles or derived roles to a composite role, but we cannot add a composite role to another composite role, because a composite role does not contain any profile.

• Derived role (Master-Derived Role):
  • A derived role is a role that is derived from a master role.
  • It inherits the menu structure, i.e. t-codes, reports and web addresses, from the master role; only the organizational values such as controlling area, company code, etc. differ.

The Master-Derived Role concept is used when SAP has been implemented across many sites (a large geography) and the object-level authorization remains the same across all the sites. The authorization values are maintained in the master role and the roles for the different sites are derived from the master role.
WHAT ARE THE COMPONENTS OF A ROLE:
• A master role or a derived role has the following components:
  • Profile
  • Transaction codes
  • Authorization object class
  • Authorization objects
  • Authorization fields and values
  • Organizational level

• Profile: Profiles are the objects that actually store the authorization data.
• Transaction codes: A transaction code is used to access functions or run programs (including executing ABAP code) in the SAP application more quickly.
• Authorization object class: A grouping of authorization objects. It may contain one or more authorization objects.
• Authorization objects: Objects that define the relation between different fields and also help in restricting/allowing the values of those fields.
• Authorization fields and values: An authorization enables you to perform a particular activity in the SAP system, based on a set of authorization object field values.
• Organizational level: This defines the organizational elements in SAP, for example company code, plant, purchasing organization, sales organization, work centers, etc.
Role Administration (PFCG)
• Step 1: Enter transaction code "PFCG" in the SAP command field and press Enter.
• Step 2: On the "Role maintenance" screen, update the following details. Enter the new role ID that you want to create (in this configuration we are going to create Z_ROLE_USER with authorizations for certain transaction codes). Click on the create role button.
• Step 3: On the create role screen, update the following details.
  Description: enter the descriptive text of the role; here we entered "Role for end user procurement team".
  Long text: enter the long text of the role.
  After updating the details, click on the save button.
• Step 4: Now we have to assign transaction codes to the role. Go to the Menu tab and click on the Transaction button, as shown in the screenshot.
  Now add all the transaction codes that you want to assign to the role and then click on Assign transactions.
• Step 5: Now we have to generate the authorization profile; follow these steps.
  • Click on the Authorizations tab.
  • Next click on "Change authorization data".
  • Click on the missing (organizational) level and click on execute, as shown in the image.
  • Click on the save button to assign a profile name for the generated authorization profile.
  • Click on Yes in the save prompt to save the role.

• Step 6: Now assign users to the role by clicking on the User tab and entering the user IDs, as shown in the screenshot. Then click on User Comparison to reconcile the profiles within a user's account and make the necessary changes.

Click on the save button to save the details; we have successfully created the role and assigned it to users in SAP.

Personalization tab: The data in the Personalization tab is fetched based on the values we entered in the previous tabs; SAP fills this tab itself.
Standard Signal Status Lights/Colours in the Role
• Green – All the fields and values are maintained properly.
• Yellow – Indicates that a particular authorization object contains some fields with missing values.
• Red – Indicates that organizational values are missing.

Status of the Authorization Objects
• Standard: All the authorization objects, fields and values are as proposed by SAP.
• Maintained: If the default suggestion for the value of a field is empty and we maintain some value in that empty field, then the status of the authorization object is Maintained.
• Changed: If the SAP default suggestion has some existing values and some values are added to or removed from the existing values, then that authorization object is in the Changed state.
• Manual: If we add an authorization object manually, it is shown in the Manual state.
Difference between Change Authorization Data and Expert Mode for Profile Generation

Change Authorization Data
• Change authorization data mode opens the last saved authorizations for change.
• If any new t-code is added to the role, it only adds the objects relevant to the new t-code to the role.

Expert Mode for Profile Generation
Expert mode has three options, detailed below:
• Delete old authorizations and create new
  • This deletes all old authorization data except the organizational values and creates new authorizations by including the objects maintained in SU24 for the t-codes of the role.
• Edit old status
  • This opens the last saved authorizations for change, with any change/addition of relevant objects if you have added a new t-code to the role.
• Edit old status and merge with new
  • It includes the new objects for t-codes newly added to the role.
  • It compares the objects for the old t-codes of the role and includes any missing objects/authorization values that were deleted earlier for whatever reason.
  • Newly added authorization objects get the status New. Updated authorization objects get the status Updated. Old objects which are not changed keep the status Old.
Difference between authentication and authorization

Both terms are often used together when talking about security, especially when it comes to gaining access to the system. However, they are distinct and equally crucial concepts.

Authentication
• Authentication means confirming your own identity.
• It is the process of validating user credentials to gain user access.
• It determines whether the user is who he claims to be.
• Authentication usually requires a username and a password.
• Authentication is the first step of

Authorization
• Authorization means granting access in the system.
• It is the process of verifying whether access is allowed or not.
• It determines what a user can and cannot access.
• The authentication factors required for authorization may vary, depending on the security level.
• Authorization is done after successful authentication.
User Buffer (SU56)
• When a User logs into the system, all of the authorizations that the
User has are loaded into a special place in memory called the User
Buffer.
• As the User attempts to perform activities, the system checks whether
the user has the appropriate Authorization Objects in the User Buffer.
• We can use this to analyze for a particular user, or reset the buffer for
the user.
• You can see the buffer in Transaction – SU56
4. Troubleshooting of Authorization Issues
• Here we look at different methods to identify authorization issues.
• SU53 – last failed authorization check
• ST01/STAUTHTRACE – SAP system trace for authorization checks
• SUIM – User Information System

• SU53
Using this transaction you can analyze an access denied error that just occurred in your system. It displays the last failed authorization check, the user's authorizations and the failed HR authorization check.

Scenario: T-code IW22

The user gets an authorization error when releasing a notification in transaction IW22.
• On clicking the release icon, the user gets the error message shown below.
• Press Enter or click the green tick.
• Type /nSU53 in the transaction code area and press Enter.
• Now we are able to identify the missing authorization objects and values for the user:

Authorization Object   Authorization Field   Authorization Field Value
I_VORG_MEL             BETRVORG              PMM2
                       QMART                 M1

These values can be used in transaction SUIM to identify the roles which you can assign to the user.
• ST01

ST01 is one of the primary tools in the SAP Security module. ST01 gives us a peek inside a running ABAP program or standard transaction by recording the SAP authorization checks in your own or an external system. The trace records each authorization object, along with the object's fields and the values tested.

Scenario: T-code IW32

The user has access to perform "Do not Execute" on a work order, and we need to take this function away from the user. This particular access cannot be captured via SU53.
When the work order is in CRTD status, the system lets you set "Do Not Execute" from the path Order – Functions – Complete – Do not Execute. To identify the access that gives this user the function, use the trace in ST01.

• Enter the user in "Trace for User Only", here "PM01", and click the green tick or press Enter. PM01 is the sample user ID.
• Make sure you check Authorization check and select All.
• Click General Filters.
• Click Settings to save.
• Before starting the trace, request the user to be in transaction IW32 with the order number entered; this reduces the trace length.
• Now click the trace-on button (see screenshot).
• Request the user to execute the "Do not Execute" function for the work order. Once the action is performed, click the trace-off button (see screenshot).
• You have successfully taken the trace. Click the analysis button (see screenshot).
• Enter the user name, client and date from/to, and select Authorization Check and All.
• Click Execute.
• Here you get the authorization object, field and values:

Authorization Object   Authorization Field   Authorization Field Value
I_VORG_ORD             BETRVORG              BABL
                       AUFART                PM01

Restricting the above authorization will remove access to the "Do not Execute" business transaction.
Do check the value RC = 4 (No Authorization) and double-click the line item. These values can be used in transaction SUIM to identify the roles which are giving this access to the user.
Various Possible Return Codes (RC)
• RC = 0 – Authorization present and check executed successfully
• RC = 4 – Authorization object present but field values missing
• RC = 8 – Missing profiles
• RC = 12 – Authorization object missing

Limitation of SU53 compared to ST01:
• The biggest limitation of SU53 is that it only shows the last authorization failure of a user.
• In a typical transaction there can be an entire sequence of authorization checks, any of which might fail.
• To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).
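To make the user buffer, the return codes and the SU53-versus-trace difference concrete, here is an added example (not SAP code, and not from this deck) that models a user's buffer as nested dictionaries, returns RC 0/4/8/12 for a check, and records every check in a trace so that the last failure (what SU53 shows) can be compared with the whole sequence (what ST01/STAUTHTRACE show). The user IDs, buffers and check sequences are constructed; only the object and field names come from the scenarios above.

```python
"""Simplified model of the SAP user buffer and of AUTHORITY-CHECK return codes.

Added example, not SAP code. A user's buffer is modelled as
object -> field -> set of allowed values, with '*' meaning "any value".
The return codes follow the deck: 0 = authorization present, 4 = object
present but a field value is missing, 8 = no profiles loaded at all,
12 = the object is not in the buffer. Users, roles and values are made up.
"""
from dataclasses import dataclass, field

# Constructed user buffers (what SU56 would show after logon).
USER_BUFFER = {
    # PM01 may release notifications of type M1/M2 but holds no I_VORG_ORD.
    "PM01": {
        "S_TCODE":    {"TCD": {"IW22", "IW32"}},
        "I_VORG_MEL": {"BETRVORG": {"PMM2"}, "QMART": {"M1", "M2"}},
    },
    # PM02 holds only the IW22 start authorization.
    "PM02": {
        "S_TCODE":    {"TCD": {"IW22"}},
    },
    # A user master record with no profiles assigned.
    "NOPROFILE": {},
}

# Checks run by the two scenarios above (constructed, not the real check
# sequence of IW22/IW32).
IW22_RELEASE = [("I_VORG_MEL", {"BETRVORG": "PMM2", "QMART": "M1"})]
IW32_DO_NOT_EXECUTE = [("I_VORG_ORD", {"BETRVORG": "BABL", "AUFART": "PM01"})]


@dataclass
class CheckResult:
    user: str
    obj: str
    fields: dict
    rc: int


@dataclass
class AuthTrace:
    """Like ST01/STAUTHTRACE: records every check, successful or not."""
    records: list = field(default_factory=list)

    def failures(self):
        return [r for r in self.records if r.rc != 0]


def authority_check(user, obj, fields, trace=None):
    """Return the RC of one AUTHORITY-CHECK on `obj` with the given field values."""
    buffer = USER_BUFFER.get(user)
    if not buffer:                       # RC 8: no profiles in the buffer
        rc = 8
    elif obj not in buffer:              # RC 12: authorization object missing
        rc = 12
    else:
        granted = buffer[obj]
        ok = all(val in granted.get(name, ()) or "*" in granted.get(name, ())
                 for name, val in fields.items())
        rc = 0 if ok else 4              # RC 4: object present, value not granted
    if trace is not None:
        trace.records.append(CheckResult(user, obj, dict(fields), rc))
    return rc


def su53(trace):
    """What SU53 shows: only the last failed check, or None if all passed."""
    fails = trace.failures()
    return fails[-1] if fails else None


def run_transaction(user, tcode, checks, trace):
    """Start-authorization check (S_TCODE) followed by the transaction's own checks.

    The checks continue after a failure so that the trace shows the whole
    sequence; a real program would normally stop at the first one.
    """
    rcs = [authority_check(user, "S_TCODE", {"TCD": tcode}, trace)]
    for obj, fields in checks:
        rcs.append(authority_check(user, obj, fields, trace))
    return rcs
```

Running the IW32 sequence for PM02 produces two failures; `su53()` returns only the I_VORG_ORD one, while `AuthTrace.failures()` also shows the earlier S_TCODE failure.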
• STAUTHTRACE
STAUTHTRACE is the newer SAP transaction for tracking authorization issues based on the authorization logs.
• How to activate the trace in SAP STAUTHTRACE:
  Logon to SAP >> Transaction STAUTHTRACE >> Enter the user ID in the "Trace for user only" field >> Select the System Wide Trace tab >> Select All Servers >> Activate Trace >> the trace status changes to "Authorization trace is switched on".
• How to deactivate the trace in SAP STAUTHTRACE:
  Logon to SAP >> Transaction STAUTHTRACE >> Select the System Wide Trace tab >> Select All Servers >> Deactivate Trace >> the status changes to "Trace is switched off".
• How to evaluate the trace logs in SAP STAUTHTRACE:
  Logon to SAP >> Transaction STAUTHTRACE >> Enter the user ID in the "Trace for user only" field >> Select the System Wide Trace tab >> Select All Servers >> Evaluate >> error messages are shown in red.
• Check the missing authorization objects and values >> search for suitable roles with transaction SUIM and assign them to the user to fix the authorization error.
Advantages of STAUTHTRACE compared to ST01 transaction

STAUTHTRACE
• The system-wide trace option can be activated to get the trace for all application servers at the same time.
• We can fetch and deactivate the trace on all servers from a single point.
• We can remove duplicate entries in the trace report while analyzing the logs.
• Log report fields are easy to understand and analyze compared to the ST01 trace.

ST01
• If a system has 3 different application servers, we have to log in to the 3 servers separately and activate and deactivate the trace on each of them if we do not know which server the user is logged on to.
• We have to fetch the trace from the different servers separately.
• Does not have the option to remove duplicate entries before we download the trace logs.
• Log report fields are complex to understand and analyze compared to the STAUTHTRACE trace.
SUIM – User Information System
• Overview:
As part of audit or security activities, we may need to get active user IDs, roles, profiles, change documents, etc. To get those details we would need to use many reports in the ABAP system, for example report RSUSR002 for user selection by complex criteria. We cannot remember all the reports, hence SAP gathered all these report execution options together in a single transaction, SUIM.

• Initial Screen:
The SUIM initial screen looks like the attached screen. It has nodes for users, roles, profiles, authorizations, authorization objects, transactions, comparison, where-used list and change documents.

• User Node:
The User node is used to extract the list of users based on our selection criteria. For example, we can get locked users, users who have particular roles or profiles, users by address data, users who have access to a particular transaction, etc.
The attached sample screen shows users by complex selection criteria. You can apply multiple selection conditions simultaneously.
Further selection conditions for users are shown in the screen below. If CUA is configured, you can check users by system, roles, profiles and license data.

• Roles node:
SUIM is a useful tool for searching roles and profiles. If you want to assign a list of transactions to a particular user ID, you can search the roles by transaction assignment in SUIM and assign those roles to that user ID.

• Profiles, authorizations and authorization objects:
Searching profiles, authorizations and authorization objects works the same way as the role search in SUIM. You can search profiles by name, profiles by roles and other multiple selection criteria.

• Transactions:
We can search the transactions contained in particular roles, executable by users, etc. For example, if I want to list the transactions which are executable for user AAA, I can use the option "Executable by user". In this way you can get a transaction list with multiple selection conditions.

• Comparison:
SUIM lets you compare two users, roles, profiles or authorizations, and also compare user masters across two systems. Here I have compared user ID DDIC with ADSCALLER.
The "comparison" column will be:
  • Red – if the object is not assigned to one of the two users.
  • Yellow – the object exists in both user master records but the field-level access is different.
  • Green – both user IDs have the authorization object with the same field-level access.
In the same way you can compare roles, profiles, etc.

• Where-Used List:
The where-used list is used to find where particular roles, profiles, etc. are being used in the system. For example, I need the users to whom role Z_xx_yy is assigned, so I can simply use the where-used list to find out all the users who have this role.

• Change Documents:
This option is really useful for tracking changes to user IDs, roles, role assignments to users, profiles and authorizations. We can see the name of the last person who made a change in SU01 or PFCG itself, but not what was changed. SUIM provides the feature to track the changes done to user IDs, roles and profiles by date, month, year, etc.
5. SAP Password Controls
There are some standard SAP password controls delivered by SAP which cannot be changed:
• First-time users are forced to change their password before they can log on to the SAP system, and again after their password is reset.
• Users can only change their password when logging on.
• Users can change their password at most once a day.
• Users cannot re-use their previous five passwords.
• The first character cannot be "?" or "!".
• The first three characters of the password cannot:
  • appear in the same order as part of the user name;
  • all be the same;
  • include space characters.
• The password cannot be PASS or SAP*.
SAP Password Controls using Profile Parameters
• In an SAP system, the minimum length for passwords is 3 by default and the maximum length that is allowed is 8.
• You can use the following system profile parameters to specify the minimum length of a password and the frequency with which users must change their password.

• login/min_password_lng: minimum password length. The default value is three characters. You can set it to any value between 3 and 8.

• login/password_expiration_time: number of days after which a password expires. To allow users to keep their passwords without limit, leave the value set to the default 0.

You can display the documentation for each profile parameter with transaction RZ11.
• Step 1: Run transaction RZ11.
• Step 2: Enter the parameter name login/min_password_lng. You can see two options:
  Display – displays the value of the parameter in the SAP system.
  Display Docu – displays the SAP documentation for that parameter.
• When you click on the Display button, you are taken to the Maintain Profile Parameter screen, which shows the details in the screenshot below. At the bottom you have the current value of the parameter login/min_password_lng.
• When you click on the Display Docu option, it displays the SAP documentation for the parameter.
There are different password parameters in an SAP system. You can enter each parameter in transaction RZ11 and view its documentation:

• login/min_password_diff
• login/min_password_digits
• login/min_password_letters
• login/min_password_specials
• login/min_password_lowercase
• login/min_password_uppercase
• login/disable_password_logon
• login/password_charset
• login/password_compliance_to_current_policy
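The fixed controls listed under "SAP Password Controls" and the tunable login/* minimums above can be checked together in one routine. The following is an added example, not SAP code: the profile values it uses are assumptions standing in for what would be maintained in RZ10, and the history and "once a day" rules are modelled with plain lists and dates.

```python
"""Check a candidate SAP password against the controls described above.

Added example, not SAP code. The fixed rules are the delivered controls
listed in the deck; the tunable minimums come from a dict that mimics the
login/* profile parameters (the values assigned here are assumptions, as
they would be set in RZ10 for a particular system).
"""
from datetime import date

PROFILE = {                       # assumed RZ10 values, not SAP defaults
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
}
HISTORY_DEPTH = 5                 # previous passwords that may not be reused
FORBIDDEN = {"PASS", "SAP*"}      # fixed by SAP, cannot be changed


def check_password(pwd, username, history=(), last_change=None,
                   today=None, profile=PROFILE):
    """Return the list of violated rules; an empty list means accepted.

    history     - earlier passwords, oldest first (only the last five count)
    last_change - date of the previous change, to enforce "at most once a day"
    """
    errors = []
    first3 = pwd[:3]

    # Delivered controls that cannot be switched off.
    if pwd.upper() in FORBIDDEN:
        errors.append("password is PASS or SAP*")
    if pwd[:1] in ("?", "!"):
        errors.append("first character is ? or !")
    if len(first3) == 3 and len(set(first3)) == 1:
        errors.append("first three characters are identical")
    if " " in first3:
        errors.append("first three characters include a space")
    if len(first3) == 3 and first3.upper() in username.upper():
        errors.append("first three characters occur in the user name")
    if pwd in history[-HISTORY_DEPTH:]:
        errors.append("password was used within the last %d passwords" % HISTORY_DEPTH)
    if last_change is not None and last_change == (today or date.today()):
        errors.append("password already changed today")

    # Tunable controls: compare the candidate against each login/* minimum.
    counts = {
        "login/min_password_lng": len(pwd),
        "login/min_password_digits": sum(c.isdigit() for c in pwd),
        "login/min_password_letters": sum(c.isalpha() for c in pwd),
        "login/min_password_specials": sum(not c.isalnum() for c in pwd),
        "login/min_password_lowercase": sum(c.islower() for c in pwd),
        "login/min_password_uppercase": sum(c.isupper() for c in pwd),
    }
    for param, minimum in profile.items():
        have = counts.get(param)
        if have is not None and have < minimum:
            errors.append("%s not met (%d < %d)" % (param, have, minimum))
    return errors
```

With the assumed profile, the deck's sample initial password SAP@123456 is rejected only because it has no lowercase letter, which shows how the RZ10 minimums add to the fixed rules.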
To change a parameter value, run transaction RZ10 and select the profile as shown below:

Multiple application servers – use the DEFAULT profile.
Single application server – use the instance profile.

• Select Extended Maintenance and click Display.
• Select the parameter that you want to change and click on Parameter at the top.
• When you click on the Parameter tab, you can change the value of the parameter in a new window. You can also create a new parameter by clicking on Create (F5).
• You can also see the status of the parameter in this window. Type the parameter value and click on Copy.
• You will be prompted to save when you exit the screen. Click on Yes to save the parameter value.
6. Frequently Used SAP Security Transactions and Tables
T-code           Description
SU01             User Maintenance
SU01D            Display Users
SU10             User Maintenance: Mass Changes
SUGR             Maintain User Groups
SUCOMP           Maintain Company Address
SU02             Manual creation of profiles
SU03             Manual creation of authorizations
SU21             Maintain Authorization Objects
SU24             Authorization object checks under transactions
SU25             Initial fill of customer tables
SU3              Maintain default settings
SU53             Display Authority Check Values
SU56             Display User Buffer
SUIM             Authorization Reporting Tree (User Information System)
SUPC             Mass generation of profiles
PFCG             Role Maintenance
PFUD             User master comparison in dialog
ST01             System trace (authorization checks)
SM01             Lock transactions from execution
SM19             Configuration of the Security Audit Log
SM20             Display the Security Audit Log
S_BCE_68002111   List of users with critical authorizations
SE16             Data Browser
SE16N            General Table Display
AL08             Users logged on globally
SM04             Users logged on to a specific instance
SE10             Transport Organizer
SM36             Schedule background jobs
SM37             Check status of background jobs
SM30             Table Maintenance
What is an SAP table?
• SAP tables are created, displayed and maintained via the SAP data dictionary using transactions such as SE11 and SE80, and are the building blocks of the SAP environment.
• All the data within your SAP system is stored here, ready to be processed or accessed via your ABAP code.
SAP Std Table   Description
AGR_1251        Contains information on authorization object class, authorization objects, fields and values in a role
AGR_1252        Contains the organizational values in the role
AGR_AGRS        Gives the single roles that are present in a composite role
AGR_DEFINE      Information about master and child (derived) roles
AGR_TCODE       Information about t-codes present in a role
AGR_TEXTS       Contains the text and short description of a role
AGR_USER        Provides information about users assigned to a role
TACT            Stores all the activities in the SAP system
TSTC            Lists all t-codes in the system
TSTCT           Stores transaction code texts
USR40           Stores illegal (forbidden) passwords
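The AGR_* tables above are what SUIM's role, transaction and where-used queries read. As an added example (not SAP code, and not a real extract), the block below loads a few made-up rows into an in-memory SQLite copy of a subset of the columns of AGR_USER, AGR_AGRS, AGR_DEFINE and AGR_1251, then answers "which users can execute this t-code", the role where-used list and the derived roles of a master role, resolving composite roles the way the Roles section describes (single and derived roles inside a composite, never a composite inside a composite). Role and user names are constructed; only '*' is treated as a wildcard and LOW/HIGH ranges are ignored.

```python
"""Answer SUIM-style questions from the AGR_* tables with SQL.

Added example, not SAP code: a throw-away SQLite copy of a few columns of
AGR_USER, AGR_AGRS, AGR_DEFINE and AGR_1251 is filled with made-up roles
and users so the queries run offline. Only '*' is handled as a wildcard
in AGR_1251.LOW; ranges (LOW/HIGH) are ignored.
"""
import sqlite3

SCHEMA = """
CREATE TABLE AGR_USER  (AGR_NAME TEXT, UNAME TEXT);
CREATE TABLE AGR_AGRS  (AGR_NAME TEXT, CHILD_AGR TEXT);      -- composite -> single
CREATE TABLE AGR_DEFINE(AGR_NAME TEXT, PARENT_AGR TEXT);     -- derived -> master
CREATE TABLE AGR_1251  (AGR_NAME TEXT, OBJECT TEXT, FIELD TEXT, LOW TEXT);
"""

# Constructed sample data: one single role, one composite role containing
# two single roles, one derived role and a basis role with S_TCODE '*'.
SAMPLE = {
    "AGR_USER": [("Z_ROLE_USER", "PM01"), ("Z_COMP_PM", "PM02"), ("Z_BASIS_ALL", "BASIS1")],
    "AGR_AGRS": [("Z_COMP_PM", "Z_ROLE_USER"), ("Z_COMP_PM", "Z_PM_ORDERS")],
    "AGR_DEFINE": [("Z_PM_ORDERS_1000", "Z_PM_ORDERS")],
    "AGR_1251": [
        ("Z_ROLE_USER", "S_TCODE", "TCD", "IW22"),
        ("Z_PM_ORDERS", "S_TCODE", "TCD", "IW32"),
        ("Z_PM_ORDERS", "I_VORG_ORD", "BETRVORG", "BABL"),
        ("Z_BASIS_ALL", "S_TCODE", "TCD", "*"),
    ],
}


def load():
    """Create the in-memory tables and insert the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con


# Roles effectively held by a user: direct assignments plus the single or
# derived roles inside any composite role assigned to the user.
EFFECTIVE_ROLES = """
SELECT UNAME, AGR_NAME AS ROLE FROM AGR_USER
UNION
SELECT u.UNAME, a.CHILD_AGR FROM AGR_USER u JOIN AGR_AGRS a ON a.AGR_NAME = u.AGR_NAME
"""


def users_executing(con, tcode):
    """SUIM 'users by transaction': who holds S_TCODE for `tcode` (or '*')."""
    sql = f"""
    SELECT DISTINCT r.UNAME FROM ({EFFECTIVE_ROLES}) r
    JOIN AGR_1251 v ON v.AGR_NAME = r.ROLE
    WHERE v.OBJECT = 'S_TCODE' AND v.FIELD = 'TCD' AND (v.LOW = ? OR v.LOW = '*')
    ORDER BY r.UNAME"""
    return [row[0] for row in con.execute(sql, (tcode,))]


def role_where_used(con, role):
    """SUIM where-used list: users holding the role directly or via a composite."""
    sql = f"SELECT DISTINCT UNAME FROM ({EFFECTIVE_ROLES}) WHERE ROLE = ? ORDER BY UNAME"
    return [row[0] for row in con.execute(sql, (role,))]


def derived_roles(con, master):
    """Derived roles of a master role (AGR_DEFINE.PARENT_AGR)."""
    sql = "SELECT AGR_NAME FROM AGR_DEFINE WHERE PARENT_AGR = ? ORDER BY AGR_NAME"
    return [row[0] for row in con.execute(sql, (master,))]
```

Note that PM02 shows up for both IW22 and IW32 only because the composite role is resolved through AGR_AGRS; a query on AGR_USER alone would miss that assignment.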
USOBT, USOBX and USOBT_C/USOBX_C – difference and use
• USOBX and USOBT – SAP standard tables.
  • USOBX – defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the profile generator.
  • USOBT – lists the authorization objects which are associated with a t-code.

• USOBX_C and USOBT_C – customer tables.
  • The customer tables USOBX_C and USOBT_C are initially filled with the contents of the USOBT and USOBX tables and can be synchronized at each further upgrade.

• These tables can be evaluated in the Data Browser (transaction SE16).

Note:
In an SAP system, we can assign:
• Maximum number of profiles in a role – 312
• Maximum number of objects in a role – 150
• Maximum number of t-codes in a role – 14000
• Maximum number of fields in an object – 10
