How do you surpass the 312 profiles limit in SAP?

Posted by Fabio Mambretti on Feb 11, 2022 8:15:00 AM
Fabio Mambretti

In SAP there is/was a limit on the number of profiles that can be assigned to a user. Historically this limit of 300 and then 312 has been kept to stop the assignment of too many authorizations to users.




Does this limit persist?

1. What is an authorization profile?

A profile is a container of authorizations. A profile can contain up to 150 authorizations, in the latest releases 170, see note OSS 410993 - Maximum number for profiles and authorizations


With transaction Su02 it's possible to display the content of profiles. Even if the transaction allows for changes it is suggested not to maintain SAP profiles with this transaction. The management of SAP profiles must be through transaction PFCG (Profile Generator). 


That means automatically generating profiles with roles.


2. What types of SAP profiles are there?

There are two types of profiles in SAP. Single and composite. Single profiles are authorization containers, while composite profiles are containers of single profiles.


One of the most known profiles is SAP_ALL. This is a collective profile that contains n single profiles which, in turn, contain the most powerful authorizations (asterisk)


Do you wish to know SAP authorizations better?



3. No limits!

From release SAP_BASIS 7.50 SP00, as described in note OSS 2293683 - FAQ | Classic user and authorization management, the limit of 312 profiles has been surpassed.


Now there are no limits on the number of profiles (and roles) that can be assigned to a user. In the below image it's possible to see that in UST04 table (table that contains the user - profile link) the number assigned to user TEST_AG is 663!




As suggested by SAP, the removal of the limit was not made to encourage the assignment of a vast number of profiles to users.


One of the main goals of a good authorization concept is to limit as much as possible the defined roles and the ones assigned to users in the system.


Blog post originally translated from:

Iscriviti al blog se ancora non lo hai fatto!

Topics: SAP Security, 312, profili, ust04, SAP ECC, pfcg, S4/HANA

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all