Transactions for SAP Roles (and Security Manager)

Posted by Fabio Mambretti on Jan 14, 2022 8:15:00 AM

Which SAP Security transactions should you have in your favorites?

 

SAP Security Favorites

 

These are the transactions for managing SAP roles, configuring the profile generator and auditing SAP. Some of them are useful only in specific moments, others daily. Also keep in mind that in some cases they should be used through a firefighter or your emergency users.

Transaction PFCG

It’s the main transaction used to build SAP roles. PFCG stands for profile generator. Use it to maintain SAP roles and the profiles generated from them.

 

SAP recently introduced two transactions for mass role maintenance: transaction PFCGMASSVAL (maintain values inside the Authorizations tab) and transaction PFCGMASSCOLLASSIGN (mass addition and removal of single roles in/from collective roles).

 

pfcgmasscollassign

 

There is also a transaction used to distribute roles from a central system to a peripheral one: PFCGROLEDIST.

 

PFCGROLEDIST

 

Transaction SU01 (display) or SU01D

Transaction SU01 allows one to maintain SAP user master data, or only to display it if authorizations are properly segregated. Transaction SU01D allows one only to display SAP user master data.

 

Transaction SE93 (authorization start)

For each SAP transaction it’s possible to define a check on an authorization object at the start of the transaction. If this object is not present in the user’s authorization buffer, the transaction is not executed. In the image below you can see that transaction MM01, in order to be executed, needs the authorization object M_MATE_STA with at least the ACTVT (activity) field set to 01 (create).

 

se93

 

Transaction SM01 or SM01_CUS/SM01_DEV

Transactions SM01* allow one to globally lock an SAP transaction, regardless of the user’s authorizations. Since release SAP_BASIS 7.50 it’s possible to launch the new SM01_* transactions:

  • SM01 Lock Transactions
  • SM01_CUS Local App. Start Lock Maintenance (see image below)
  • SM01_DEV Global App. Start Lock Maintenance

SM01

 

It then becomes possible to specify the motivation for the transaction lock, see image below:

 

SM01_CUS

 

Through transaction RSAUDITC_BCE it’s possible to display whether one or more SAP transactions are locked.

 

Do transactions for locking belong to systems or security area? Write a comment down below!

 

Transaction SE97

This transaction allows one to maintain the behavior of transactions called through the ABAP statement CALL TRANSACTION, see image below. For transaction MM01 it’s possible to display all the transactions it can call and the corresponding check on the S_TCODE authorization object at call time (the “Check indicator” column).

 

SE97

Transaction SUIM

Transaction SUIM is in reality a menu that calls other sub-transactions (see image below). It is the SAP Security reporting on roles, users, authorizations, profiles and change documents (SAP Basis Security area).

 

The transaction also offers the possibility to compare users and roles. Last but not least, it makes it possible to add checks on critical SAP authorizations (a sort of Critical Action or Critical Permission from SAP GRC Access Control).

SUIM

 

Did you know that there is a report for displaying users that haven’t accessed SAP for n days? See SUIM → Users → By Logon Date and Password Change.
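The kind of check behind that SUIM report, done offline over a USR02-style export, as an added example (not code from the original post or from SAP). The column names BNAME, USTYP, UFLAG, TRDAT and PWDCHGDATE are the real USR02 fields; the rows, the dates and the thresholds are constructed sample data, and the rule set (dialog users only, skip users already locked by an administrator) is an assumption of this example, not something SUIM enforces:

```python
"""Inactive-user and stale-password review over USR02-style rows (added example)."""
from __future__ import annotations

from datetime import date, timedelta

# Constructed sample data with real USR02 column names and made-up users/dates.
# SAP stores dates as YYYYMMDD; '00000000' means the date was never set.
# USTYP 'A' = dialog user, 'B' = system user; UFLAG '64' = locked by administrator.
USR02 = [
    {"BNAME": "ALICE",     "USTYP": "A", "UFLAG": "0",  "TRDAT": "20220110", "PWDCHGDATE": "20211201"},
    {"BNAME": "BOB",       "USTYP": "A", "UFLAG": "0",  "TRDAT": "20210901", "PWDCHGDATE": "20210901"},
    {"BNAME": "NEWHIRE",   "USTYP": "A", "UFLAG": "0",  "TRDAT": "00000000", "PWDCHGDATE": "20220103"},
    {"BNAME": "OLDLOCK",   "USTYP": "A", "UFLAG": "64", "TRDAT": "20200301", "PWDCHGDATE": "20200301"},
    {"BNAME": "RFC_BATCH", "USTYP": "B", "UFLAG": "0",  "TRDAT": "20200101", "PWDCHGDATE": "20200101"},
]


def parse_sap_date(value: str) -> date | None:
    """Convert a YYYYMMDD string to a date; '00000000' or empty means 'not set'."""
    if not value or value == "00000000":
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def review_logons(rows: list[dict], today: date, max_idle_days: int,
                  max_pw_age_days: int) -> dict[str, list[str]]:
    """Return {user: [findings]} for dialog users that have not logged on within
    max_idle_days (or never logged on at all) or whose password is older than
    max_pw_age_days. Users already locked by an administrator are skipped."""
    cutoff_logon = today - timedelta(days=max_idle_days)
    cutoff_pw = today - timedelta(days=max_pw_age_days)
    findings: dict[str, list[str]] = {}
    for row in rows:
        if row["USTYP"] != "A" or row["UFLAG"] == "64":
            continue
        issues = []
        last_logon = parse_sap_date(row["TRDAT"])
        if last_logon is None:
            issues.append("never logged on")          # an unused account is still an account
        elif last_logon < cutoff_logon:
            issues.append(f"last logon {(today - last_logon).days} days ago")
        pw_changed = parse_sap_date(row["PWDCHGDATE"])
        if pw_changed is None or pw_changed < cutoff_pw:
            issues.append("password older than limit")
        if issues:
            findings[row["BNAME"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_logons(USR02, date(2022, 1, 14), 90, 180).items():
        print(user, "->", "; ".join(issues))
```

Run against a real export, the users SUIM lists under "By Logon Date and Password Change" are exactly the rows this function flags; the never-logged-on case is worth reviewing separately, since such accounts usually still carry an initial password.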

 

Another reporting functionality, unfortunately without a specific transaction, is found in the program PRGN_DISPLAY_AUTH, which allows one to search for authorization objects in roles, as if it were a query on the AGR_DEFINE, AGR_TEXTS, AGR_1251 and AGR_1252 tables.
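To make both the SE93 start check described above and the PRGN_DISPLAY_AUTH-style search concrete, here is an added example (not code from the original post or from SAP) that emulates them offline over AGR_1251- and AGR_USERS-style rows. The column names (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH; S_TCODE field TCD) are the real ones, but the roles, users and values are constructed, and the matching rules (exact value, trailing-asterisk prefix wildcard, LOW..HIGH range, all required fields satisfied by one authorization) are a simplification of the real authorization check, not SAP's implementation:

```python
"""Emulated SE93 start check and role/authorization search (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRow:
    """One AGR_1251 line: a field value (or range) of an authorization inside a role."""
    agr_name: str   # role name
    obj: str        # authorization object, e.g. M_MATE_STA
    auth: str       # authorization name within the role
    field: str      # field of the object, e.g. ACTVT
    low: str        # single value, wildcard or lower bound of a range
    high: str = ""  # upper bound of a range; empty when it is not a range


# Constructed sample data: role authorizations (AGR_1251) and role assignments (AGR_USERS).
AGR_1251 = [
    AuthRow("Z_MM_DISPLAY", "S_TCODE",    "T-001", "TCD",   "MM03"),
    AuthRow("Z_MM_DISPLAY", "M_MATE_STA", "T-002", "ACTVT", "03"),
    AuthRow("Z_MM_DISPLAY", "M_MATE_STA", "T-002", "STATM", "*"),
    AuthRow("Z_MM_CREATE",  "S_TCODE",    "T-003", "TCD",   "MM0*"),
    AuthRow("Z_MM_CREATE",  "M_MATE_STA", "T-004", "ACTVT", "01", "03"),
    AuthRow("Z_MM_CREATE",  "M_MATE_STA", "T-004", "STATM", "K"),
    AuthRow("Z_BASIS_ALL",  "S_TCODE",    "T-005", "TCD",   "*"),
]
AGR_USERS = {
    "Z_MM_DISPLAY": {"ALICE", "BOB"},
    "Z_MM_CREATE": {"BOB"},
    "Z_BASIS_ALL": {"CAROL"},
}


def value_matches(low: str, high: str, value: str) -> bool:
    """Simplified SAP value comparison: '*' matches everything, a trailing '*' is a
    prefix wildcard, a non-empty HIGH makes LOW..HIGH an inclusive range, else exact."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def roles_of(user: str) -> set[str]:
    return {role for role, users in AGR_USERS.items() if user in users}


def authorization_passes(user: str, obj: str, required: dict[str, str]) -> bool:
    """A check passes only if ONE authorization (role + AUTH name) satisfies every
    required field at once; fields not listed in `required` are not checked."""
    for role in roles_of(user):
        auths = {r.auth for r in AGR_1251 if r.agr_name == role and r.obj == obj}
        for auth in auths:
            rows = [r for r in AGR_1251 if r.agr_name == role and r.auth == auth]
            satisfied = all(
                any(value_matches(r.low, r.high, value) for r in rows if r.field == field)
                for field, value in required.items()
            )
            if satisfied:
                return True
    return False


def can_start_transaction(user: str, tcode: str,
                          start_check: tuple[str, dict[str, str]] | None = None) -> bool:
    """S_TCODE is always checked; the SE93 object and values (if any) are checked on top."""
    if not authorization_passes(user, "S_TCODE", {"TCD": tcode}):
        return False
    if start_check is None:
        return True
    obj, fields = start_check
    return authorization_passes(user, obj, fields)


def roles_granting(obj: str, field: str, value: str) -> list[str]:
    """PRGN_DISPLAY_AUTH-style search: which roles carry a value covering OBJ/FIELD = VALUE?"""
    return sorted({r.agr_name for r in AGR_1251
                   if r.obj == obj and r.field == field and value_matches(r.low, r.high, value)})


if __name__ == "__main__":
    mm01_check = ("M_MATE_STA", {"ACTVT": "01"})   # the SE93 setting shown for MM01
    for user in ("ALICE", "BOB", "CAROL"):
        print(user, "may start MM01:", can_start_transaction(user, "MM01", mm01_check))
    print("Roles granting M_MATE_STA ACTVT 03:", roles_granting("M_MATE_STA", "ACTVT", "03"))
```

The CAROL case is the one worth noticing: S_TCODE with TCD `*` lets her reach the transaction, yet MM01 still refuses to start because the SE93 object M_MATE_STA is missing, which is exactly what the start check adds over the plain S_TCODE check.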

 

PRGN_DISPLAY_AUTH

 

Transaction ST01 or STAUTHTRACE or STUSERTRACE or STRFCTRACE

These are the transactions used to troubleshoot authorizations in SAP. Several of them exist, depending on the trace that needs to be done. See the image below for transaction STAUTHTRACE.

 

Transaction STAUTHTRACE overcomes the limits of transaction ST01, meaning it is not application server dependent.

 

STAUTHTRACE

 

Transaction STSIMAUTHCHECK allows one to also check and compare authorizations of a user and an authorization trace.

 

STSIMAUTHCHECK


Transaction SM20N or RSAU_CONFIG/ RSAU_READ_LOG

With transaction SM20N it’s possible to display the content of the Security Audit Log; see the linked post on how to configure and install the SAP Security Audit Log (SAL).

SM20N

 

New functionalities are available with transaction RSAU_CONFIG, see image below.

 

RSAU_CONFIG

 

Transaction SU24

It’s the transaction used to configure the behavior of the profile generator.

Transaction SUCOMP

This transaction allows one to create a company at the user master data level. You can define company master data that you may then associate with an SAP user (with transaction SU01).

SUCOMP

Inside transaction SU01 you can assign the company or call the transaction for company definition.

SU01_COMPANY

 

Transaction PFUD

It’s good practice to schedule a periodic job for user master comparison. The transaction used to do it is PFUD.

PFUD

 

Transaction SM30_SSM_CUST

There are various parameters that can be given to the session manager; through this transaction it’s possible to manage them.

SM30_SSM_CUST

 

Transaction SUPC

This one is useful for mass profile generation. It allows one to make this activity automatic.

SUPC

 

RSCSAUTH

Every SAP program can have an authorization group used to protect its execution. With this transaction it’s possible to maintain those values.

RSCSAUTH

 

Transaction SU20

Makes it possible to display or maintain the definition of authorization fields.

SU20

 

Transaction SU21

Makes it possible to display or maintain the definition of authorization objects.

 

Transaction TU02

Makes it possible to display changes made to the SAP instance profiles.

TU02

 

Transaction RSPFPAR

Makes it possible to display all SAP instance profiles and their values.

RSPFPAR

 

Transaction SE16T000

Makes it possible to display the SAP client status.

T000

 

RZ11

Like transaction RSPFPAR, but in this case it makes it possible to display the attached documentation for a single SAP instance profile parameter.

RZ11

 

 

Transaction ST22

Even if this one is not strictly an SAP Security transaction, in some cases, for example when missing authorizations prevent writing files on the application server, it can be useful to display the authorization-related cause of the errors.

 

Transaction AL08/SM04

These transactions allow one to display the users currently logged on to the application server (SM04 can also cancel sessions) or to the whole system (AL08).

Transaction SM51

Even if it’s a system transaction, it can prove useful, especially in releases where transaction STAUTHTRACE does not yet exist, to move from one application server to another.

 

Transaction AUTH_DISPLAY_OBJECTS

This one is useful for verifying the status (active/inactive) of SAP authorization objects

AUTH_DISPLAY_OBJECTS

 

SU25 SACF

Essential during the first installation and system upgrades. It contains a series of calls to other transactions for the activation of additional functions, for example Switchable Authorization Checks (SACF).

SU25

During an SAP upgrade, support package update or migration to S/4HANA, do not forget about SAP authorizations.

 

Transaction PA20 (Infotype 0105)

When the HR module is used for SAP user management, displaying infotype 0105 subtype 0001 allows one to see which USERID is associated with a CID.

Transaction PPOMW

When the HR module is used for the attribution of roles to users, transaction PPOMW allows one to manage the attribution of roles and users to organizational positions.

 

Transaction SE16N (Security)

Useful to explore the SAP security tables.

Transactions OOSB, OOSP

In the case of HR segregation by organizational structure, the use of structural profiles becomes essential. With these transactions it’s possible to define structural profiles (PD profiles) and assign them to users.

 

Transaction SACM Access Control Management (CDS/DDL)

It is used to analyze the access controls that govern authorizations on CDS views.

SACM

 

Transaction SACMSEL (ACM Runtime Simulator)

Used to run simulations on the access controls.

SACMSEL

 

/UI2/FLP SAP Fiori Launchpad

This transaction allows one to launch the Fiori Launchpad from the ABAP front-end server (read more on SAP Fiori here), which is useful if you don’t know the web link.

Remember that to execute a transaction whose name starts with / from inside the SAP GUI, you have to put /N before the transaction name.

 

/UI2/FLPD_CONF and /UI2/FLPD_CUST

These transactions allow one to manage the creation and change of groups and/or catalogs in SAP Fiori, cross-client and client-dependent respectively.

 


Topics: sap cyber security, SAP Consulting, SAP Transactions
