Tip of the day: SAP User Parameters

Posted by Fabio Mambretti on Jan 20, 2023 8:15:00 AM
Fabio Mambretti

In this series of articles we discuss the "tip" of the day. That is, real cases of requests received in counseling. 


Today we discuss "is it worth using user parameters to manage permissions?" What are the advantages and disadvantages?

What are User Parameters, and what are they used for?

They are part of the SAP user master data and can be seen through the SU01 transaction. In fact there is a special tab in this transaction called precisely "Parameters"


  • To pre-value fields in SAP transactions
    That is, let's imagine the case where a user must always work on the same company while using SAP. In this case by valuing the parameter related to the company, in every transaction that will contain that field, it, will be pre-valued with a default value. Thus avoiding the need to always populate that field. So this feature saves time when populating fields.


Please note, not all fields support this functionality, to be able to check this you need to select the field within a certain transaction press F1 and enter the technical information (see image below)

Transazione SAP

then check for the presence of the field highlighted below

User Parameter

In case it is present it will be possible to used within, for example, transaction SU01

User Parameter_su01


Modify a certain process: This is the most "critical" functionality, i.e., if a parameter with a certain value exists in a user's master data, a certain transaction (which exploits this parameter) may behave in a certain way. The same transaction used by another user, without that parameter will behave differently.


This last feature is the reason why usually the SU3 transaction, which allows users to modify user parameters for themselves, is not released. In favor of SU50 for example. We also discussed this in the article on what the SAP basic role should contain. 

The SAP table where you can see all the user parameters is called TPARA while the table that contains the User - Parameter and Value link is called USR05.

It may not be so easy to find complete documentation on each parameter; in fact, some of them are documented through specific notes that one often comes across for specific issues. 


Parameters can also be used in the case of SAP FIORI. In the case of using only the APP interface, thus via FIORI, it is suggested to change these parameters only via the web. 



Why could they be used in the authorization model?

Can they also be used to manage aspects of the SAP authorization model?


In the standard in some contexts SAP has done this (see for example SAP CRM systems). However, a specific assessment needs to be made. In fact, one of the biggest issues is to remember this aspect in the long run.

What do I mean by that?

  • If you assign a role to a user it is easy to see and manage. In fact it is the "standard" model for enabling something. So it is easy to manage on new users, and during job changes (add or remove roles)
  • If a certain parameter is used it may not be so obvious. That is, with each change of a user I would have to remind myself of that parameter or parameters that have a specific meaning within a given process. I can assure you that it is very easy in this case (since it is often not only one person who puts hands on these aspects in the company) to forget this part completely. Maybe not as soon as you have done it but months or years later.


So what happens in the latter case? Users who should have that parameter do not have it (and thus additional calls to the help desk), users who should not have it, actually continue to have it. After years, it is also easy not to find documentation, and so it can also happen that no one then knows what it is really for.


Points of attention in automated utility management systems

What if you use automated user management tools, such as Identity Management or SAP GRC or IAS/IPS (Identity Authentication Service or Identity Provisioning Service) tools?


Clearly these tools are designed primarily to manage role assignments to users (although with some of these it is clearly possible to manage some other aspects of the user master data, including parameters).


It may therefore not be so simple to integrate the aspect introduced via a user parameter into these tools or anyway it will require additional effort.


In conclusion, consider carefully, especially taking into account the long run whether to use this functionality to manage the authorization aspects

Iscriviti al blog se ancora non lo hai fatto!


Topics: SAP IDM, SAP GRC, sap gui, parameter sap

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all