Which SAP Security transactions should you have in your favorites?
Transactions for managing SAP roles, for profile generator configuration and for SAP auditing. Some of them are useful in specific moments, some of them daily. Also keep in mind that in some cases they should be used through a firefighter or emergency user.
Transaction PFCG
It’s the main transaction used for SAP roles construction. PFCG means profile generator. Use it to maintain SAP profiles.
Recently SAP introduced two transactions for mass role maintenance: transaction PFCGMASSVAL (maintain values inside the authorizations tab) and transaction PFCGMASSCOLLASSIGN (mass addition and removal of single roles in/from collective roles).
There is also a transaction used to distribute roles from a central system to a peripheral one: PFCGROLEDIST.
Transaction SU01 (display) or SU01D
Transaction SU01 allows one to display (if authorizations are properly segregated) SAP user master data. Transaction SU01D allows one to only display SAP user master data.
Transaction SE93 (authorization start)
For each SAP transaction it’s possible to define a check on an authorization object at the start of the transaction. If this object is not present in the user’s authorization buffer, the transaction will not be executed. In the image below you can see that transaction MM01, in order to be executed, needs the authorization object M_MATE_STA with at least the ACTVT (activity) field set to 01 (create).
Transaction SM01 or SM01_CUS/SM01_DEV
Transactions SM01* allow one to globally lock an SAP transaction, regardless of the user’s authorizations. Since the SAP_BASIS 7.50 release it’s possible to launch the new SM01_* transactions:
- SM01 Lock Transactions
- SM01_CUS Local App. Start Lock Maintenance (see image below)
- SM01_DEV Global App. Start Lock Maintenance
It then becomes possible to specify the motivation for the transaction lock, see image below:
Through transaction RSAUDITC_BCE it’s possible to display if one or more SAP transactions are locked.
Do transactions for locking belong to systems or security area? Write a comment down below!
Transaction SE97
This transaction allows one to maintain the behavior of transactions called through the ABAP statement CALL TRANSACTION, see image below. For transaction MM01, for example, it’s possible to display all transactions that it can call and the related check on the S_TCODE authorization object during the call (“Check indicator”).
Transaction SUIM
Transaction SUIM is in reality a menu that calls other sub-transactions (see image below). It is the SAP Security reporting on roles, users, authorizations, profiles and change documents (Basis Security SAP area).
However, the transaction also offers the possibility to do user/role comparisons. Last but not least, it offers the possibility to check for SAP critical authorizations (a sort of Critical Action or Critical Permission from SAP GRC Access Control).
Did you know that there is a report for displaying users that haven’t accessed SAP for n days? See SUIM → Users → By Logon Date and Password Change.
Another reporting functionality, unfortunately without a specific transaction, is found in the program PRGN_DISPLAY_AUTH, which allows one to search for authorization objects in a role, as if it were a query on the AGR_DEFINE, AGR_TEXTS, AGR_1251 and AGR_1252 tables.
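As an added example (not code from the original post or from SAP), the following Python script shows the kind of search PRGN_DISPLAY_AUTH and the SUIM critical authorization reports perform over AGR_1251: given an authorization object, field and value, which roles grant it. The rows are constructed sample data, and the value matching is a simplified version of the SAP semantics (a lone * matches everything, a trailing * is a prefix pattern, LOW/HIGH is a closed interval, rows flagged DELETED are ignored).

```python
"""Search role authorizations the way SUIM / PRGN_DISPLAY_AUTH query AGR_1251."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRow:
    """One authorization value line of a role, as stored in AGR_1251 (simplified)."""
    agr_name: str          # role name
    obj: str               # authorization object, e.g. S_TCODE
    field: str             # authorization field, e.g. TCD or ACTVT
    low: str               # single value, pattern, or lower bound of an interval
    high: str = ""         # upper bound of an interval, empty for single values
    deleted: bool = False  # AGR_1251-DELETED flag: the row no longer counts


# Constructed sample rows, not an export from a real system.
SAMPLE_AGR_1251 = [
    AuthRow("Z_MM_BUYER", "S_TCODE", "TCD", "ME21N"),
    AuthRow("Z_MM_BUYER", "S_TCODE", "TCD", "MM01", "MM03"),      # interval MM01..MM03
    AuthRow("Z_MM_BUYER", "M_MATE_STA", "ACTVT", "01"),
    AuthRow("Z_MM_BUYER", "M_MATE_STA", "ACTVT", "03"),
    AuthRow("Z_BASIS_ALL", "S_TCODE", "TCD", "*"),                # every transaction
    AuthRow("Z_BASIS_ALL", "S_TABU_DIS", "ACTVT", "*"),           # every activity
    AuthRow("Z_DEV_OLD", "S_TCODE", "TCD", "SE*"),                # prefix pattern
    AuthRow("Z_DEV_OLD", "S_DEVELOP", "ACTVT", "02", deleted=True),
]


def value_matches(low: str, high: str, value: str) -> bool:
    """Simplified SAP authorization value matching for one AGR_1251 row."""
    if high:                       # interval: lexicographic comparison as SAP does
        return low <= value <= high
    if low == "*":                 # full wildcard
        return True
    if low.endswith("*"):          # generic value: only a trailing * is a wildcard
        return value.startswith(low[:-1])
    return low == value


def roles_granting(rows, obj: str, field: str, value: str) -> list:
    """Roles whose active authorization rows grant OBJECT/FIELD = VALUE."""
    return sorted({r.agr_name for r in rows
                   if not r.deleted and r.obj == obj and r.field == field
                   and value_matches(r.low, r.high, value)})


def roles_with_full_wildcard(rows, obj: str, field: str) -> list:
    """Roles granting '*' on a field: the critical authorization case SUIM reports."""
    return sorted({r.agr_name for r in rows
                   if not r.deleted and r.obj == obj and r.field == field and r.low == "*"})
```

Running roles_granting(SAMPLE_AGR_1251, "S_TCODE", "TCD", "MM02") returns both Z_MM_BUYER (via the MM01..MM03 interval) and Z_BASIS_ALL (via *), while the deleted S_DEVELOP row of Z_DEV_OLD is never reported.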
Transaction ST01 or STAUTHTRACE or STUSERTRACE or STRFCTRACE
These are transactions used to troubleshoot authorizations in SAP. Several of them exist, depending on the trace that needs to be done. See image below for transaction STAUTHTRACE.
Transaction STAUTHTRACE overcomes the limits of transaction ST01, meaning it is not application server dependent.
Transaction STSIMAUTHCHECK allows one to also check and compare authorizations of a user and an authorization trace.
Transaction SM20N or RSAU_CONFIG/ RSAU_READ_LOG
With transaction SM20N it’s possible to display the content of the Security Audit Log; see here how to configure and install the SAP Security Audit Log (SAL): LINK
New functionalities are available with transaction RSAU_CONFIG, see image below.
Transaction SU24
It’s the transaction used to configure the behavior of the profile generator.
Transaction SUCOMP
This transaction allows one to create a company at the user master data level. You can define company master data that you may then associate to an SAP user (with transaction SU01).
Inside transaction SU01 you can associate or call the transaction for companies definition.
Transaction PFUD
It’s good practice to schedule a periodic job for user comparison. The transaction used to do it is PFUD.
Transaction SM30_SSM_CUST
There are various parameters that can be given to the session manager; through this transaction it’s possible to manage them.
Transaction SUPC
This one is useful for mass profile generation. It allows one to make this activity automatic.
RSCSAUTH
Every SAP program can have an authorization group used to protect its execution. With this transaction it’s possible to maintain their values.
Transaction SU20
Makes it possible to display or maintain the definition of authorization fields.
Transaction SU21
Makes it possible to display or maintain the definition of authorization objects.
Transaction TU02
Makes it possible to display changes made to the SAP instance profiles.
Transaction RSPFPAR
Makes it possible to display all SAP instance profile parameters and their values.
Transaction SE16T000
Makes it possible to display the SAP client status.
RZ11
As transaction RSPFPAR, but in this case it makes it possible to display the attached documentation for a single SAP instance profile parameter.
Transaction ST22
Even if this one is not strictly an SAP Security transaction, in some cases (for example when missing authorizations prevent writing files on the application server) it can be useful to display the authorization cause of the errors.
Transaction AL08/SM04
These transactions allow one to display the users that are currently logged into the application server (SM04, which can also cancel sessions) or into the whole system (AL08).
Transaction SM51
Even if it’s a system transaction, it can prove useful, especially in the releases in which transaction STAUTHTRACE does not exist yet, to move from one application server to another.
Transaction AUTH_DISPLAY_OBJECTS
This one is useful for verifying the status (active/inactive) of SAP authorization objects.
SU25 SACF
Essential during first installation and system upgrades. It contains a series of calls to other transactions for the activation of further functions, for example Switchable Authorization Checks (SACF).
During an SAP upgrade, support package update or migration to S/4HANA, do not forget about SAP authorizations.
Transaction PA20 (Infotype 0105)
When the HR module is used for SAP user management, displaying infotype 0105 subtype 0001 allows one to see which USERID is associated to a CID.
Transaction PPOMW
When the HR module is used for the attribution of roles to users, transaction PPOMW allows one to manage the attribution of roles and users to organizational positions.
Transaction SE16N (Security)
Useful to explore the SAP security tables.
Transactions OOSB, OOSP
In the case of HR organizational structure segregation, the use of structural profiles becomes essential. With these transactions it’s possible to define structural profiles (PD profiles) and assign them to users.
Transaction SACM Access Control Management (CDS/DDL)
It is used to analyze the access controls (authorizations) defined on CDS views.
Transaction SACMSEL (ACM Runtime Simulator)
Used to run simulations on the access controls.
/UI2/FLP SAP Fiori Launchpad
This transaction allows one to start the Fiori Launchpad from the ABAP Front End Server (read more on SAP Fiori here) if you don’t know the web link.
Remember that if you execute a transaction whose name starts with / inside the SAP GUI, you have to put /N before the transaction name.
/UI2/FLPD_CONF and /UI2/FLPD_CUST
These transactions allow one to manage the creation and change of groups and/or catalogs in SAP Fiori, respectively cross-client or client-dependent.