SAP Security Basic Tcodes

SAP

Uploaded by

gadesiger

SAP Security Cheat Sheet

ABHISHEK KUMAR SHARMA – SAP S4 SECURITY, GRC CONSULTANT, MENTOR


Security Overview & Importance
SAP Security involves safeguarding SAP systems by managing user access, roles, and authorizations to protect critical business data and maintain
compliance with security standards.
Effective SAP Security ensures data integrity, mitigates risks, prevents unauthorized access, and supports regulatory compliance across an organization's
integrated SAP landscape.

Important Transaction

SU01 - Create/Change User
SU01d - Display User
SU10 - Mass User Changes
PFCG - Role Maintenance
SUIM - User Information System
SU53 - Displays Last Authorization Check that Failed
ST01 - System Trace (STAUTHTRACE For Setting Trace System Wide)
PFUD - User Master Comparison
SUPC - Mass Generation of Profile
SU56 - Display User Buffer
SU24 - Maintain Check Indicator
SU25 - Fill USOBT_C and USOBX_C tables with SAP default values
SM19 - Configure Security Audit Log
SM20 - View Security Audit Log
SUGR - Maintain User Group

User Type in SAP

Dialog User: Used for individual interactive logins, allowing personal access to SAP with standard checks and password expiration.
System User: Designed for background processing, system-to-system communication, and scheduled tasks, without interactive logins.
Communication User: Used for external RFC connections, enabling secure programmatic access between systems without GUI login.
Service User: Shared user for anonymous and multiple concurrent logins with limited interactive functionality, often used for web services.
Reference User: Assigned to other users to provide additional roles and authorizations without direct logon capabilities. (In case profile exceeds 312)

Important Tables

USR02 - Logon Data
USR04 - User master authorization
USR10 - Authorization profiles
USR40 - Table for illegal passwords
USER_ADDR - Address Data for Users
AGR_USERS - Assignment of Roles to Users
AGR_1251 - Authorization data for the activity group
AGR_1252 - Organizational Elements for Authorizations
AGR_AGRS - Roles in composite roles
AGR_DEFINE - Role Definition
AGR_TIME - Time stamp for Role (Including profile)
USOBT_C - Relation transaction to authorization object
USOBX_C - Check table for Table USOBT_C
TDDAT - Table Authorization group to Table relation
TBRG - Table authorization groups
TRDIR - Program to Authorization group relation
E070 - Stores information about transport requests & tasks
TACT - Available activities in SAP System

Role Type in SAP

Single Role: Contains a set of specific authorizations assigned to users, providing access to perform designated tasks within the system.
Composite Role: Groups multiple single roles together, simplifying user role assignments by bundling related authorizations.
Derived Role: Inherits authorizations from a master role, allowing customizations like organizational-level values while maintaining a consistent structure.
Master Role: A template role that serves as a source for derived roles, containing all authorizations without specific organizational values.

Access Issue

SU53 - Displays Last Authorization Check that Failed.
ST01/STAUTHTRACE – Set Trace on User ID to Check Missing Authorization

Return Codes for Trace

RC = 0 - Check for authorization successful.
RC = 4 - Check for authorization unsuccessful. User has the authorization object in his user buffer, but with different values than what is checked.
RC = 12 - Check for authorization unsuccessful. User does not have the authorization object in the user buffer.

PFCG Traffic Indicator

Red – It means that some organizational value has not been maintained in the org field in the profile generator.
Yellow – It means that there are some or all fields in certain authorization instances which are blank (not maintained).
Green – It means that all the authorization fields are maintained (values are assigned).

USOBX_C and USOBT_C

USOBX_C and USOBT_C are the tables used by transaction code SU24.
Table USOBX_C defines the status of authorization checks for authorization objects (check indicator is set to yes or no). It also defines the proposal status, i.e. whether the authorization check values are being maintained in SU24 or not.
Table USOBT_C defines the "values" which are maintained for check-maintained authorization objects.

SU24

Check / No – Authorization object is checked during tcode execution, but no authorization object field value is proposed when the tcode is added to the Role Menu.
Check / Yes – Authorization object is checked when the tcode is executed, and the authorization object automatically gets pulled into the role when the tcode is added to the Role Menu. The authorization pulled may or may not have some field values, depending on what is maintained in SU24 in that object for that tcode.
Do Not Check – Object is not checked even though it may be in the ABAP code.

SU25 Step

Step 1 - Copy SAP Data: Copies SAP-provided authorization checks (SU24 proposals) from a previous version to the current version.
Step 2a - Compare SAP Data: Compares and displays changes in SAP-provided default values for authorization objects.
Step 2b - Adjust Proposals: Allows modifications to SAP-provided default values for authorization objects based on new or changed SAP data.
Step 2c - Update Customer Tables: Automatically updates customer authorization tables with changes made to default values.
Step 2d - Meant to check if SAP has introduced new transactions in place of any existing transactions. (ECC to S4 Upgrade – important)
Step 3 - Mass Generation of Profiles: Regenerates authorization profiles for roles that were affected by changes to authorization proposals.
Step 4 - Upgrade Post Activities: Performs post-upgrade activities, such as manual adjustments to authorization objects or roles.

Critical Authorization in SAP

S_TABU_DIS - Used to protect tables using authorization groups with activity.
S_TABU_CLI - Auth object used to protect cross client tables.
S_TABU_NAM - New auth object to table access based on names.
S_PROGRAM - Used to run ABAP reports/programs via SA38.
S_DEVELOP - Auth object used to control ABAP objects or debug access.
S_USER_AGR - Used to control roles.
S_USER_AUT - Checked during authorization maintenance.
S_USER_GRP - Used to control user groups.
S_USER_PRO - Used for profile maintenance.
S_BDC_MONI - Used to protect batch input monitoring.
S_BTCH_JOB - Used for background job monitoring and administration.
S_BTCH_ADM - Used for background job administration.
S_BTCH_NAM - User level control for background job scheduling.
S_ADMI_FCD - Basis administration like spool and monitoring.
