3 Tips to secure printers in SAP

Do all the users of your system have the SP01 transaction? 

Do you really allow all SAP users to see what all users print? Could the prints contain personal data (GDPR), sensitive data? Maybe is better to check it out! 

1) What allows the SP01 transaction to do?

SP01 transaction allows to display SAP's print spool.  The print spool is an area where the prints that a user makes from SAP are stored before being printed physically. 

Unlike the SP02 transaction, that allows to see only your own prints, SP01 allows to see the prints of all users. 

If HR it's also used in SAP ERP system, any user could see the printing of confidential documents (i.e. pay slips, or other confidential HR data). You can clearly see the prints generated by technical users (i.e. system users). There are often jobs that generate spools through technical utilities. 

2) Is it a real risk?

It could be a very high risk also if the SP01 transaction might not really allow to display all spools. 

As for most SAP transactions, the fact of owning a transaction does not mean being able to execute it with all its functionality. In fact, in addition to the technical authorization object S_TCODE (which protects the transactions' boot in SAP) it is necessary to have a series of additional authorization objects in order to see the contents of the print spools. 

The authorization objects linked to the prints are the following: 

• S_SPO_ACT – Limitation of activities in spools
• S_SPO_DEV – Limitation of printing devices, if managed in SAP
• S_ADMI_FCD with the values SPOR and SP01

If all the objects above are present, a user is able to display all the spool through SP01 transaction.

Attention if you enable the SP01 transaction in a role that doesn't have the objects mentioned above, a certain user may receive them from other roles. In SAP the authorizations mount up!

3) How to avoid the problem and where it was probably born?

• Often during SAP implementations consultants suggest the use of SP01 transaction. For those who give support or for those who carry out a project, this can be correct. However, this feature should not be released or shown to end users. This often results in a habit to use this transaction, also for legitimate purposes, hard to get off. 
  • Remove SP01 transaction from all users and assign it only to those who might really need it.
  • Release and alert the users to use the SP02 transaction in place of SP01, see also how to build a base role in SAP.
  • If some users need to see the spool of other people you can release the SP01 transaction so that you can see the spool of other people (they could also classify sensitive and non-sensitive information, see note OSS Note 158487 - How can one user view the spool requests of other users)

Blog post originally translated from: https://www.aglea.com/blog/3-suggerimenti-sulla-sicurezza-delle-stampanti-in-sap