SAP SECURITY TCODES
SAP SECURITY TCODES Details:
In this blog, we explain the SAP Security Tcodes, the use of the transaction codes, and the reports for SAP security.
SAP SECURITY TCODES:
- SU01 – User maintenance
- SU10 – Mass user change
- SU01D – User maintenance display
- PFCG – Role maintenance
- SUIM – User info system
- SU53 – Authorization check evaluation
- SU56 – Authorizations in user buffer
- ST01 – System trace
- STAUTHTRACE – System wide trace
- SU03 – Authorization maintenance and profiles
- SU20 – Maintain authorization fields
- SU21 – Maintain authorization objects
- SU22 – Assignments of authorization objects (SAP delivered check)
- SU24 – Assignments of authorization objects (check indicators)
- SU25 – Profile generator (upgrade/first installation)
- SA38 – ABAP reports
SAP SECURITY Tables:
- USR* tables contain user master information
- AGR* tables hold data about roles
- UST* tables have change document information
- USR01 – User master data (runtime data)
- USR02 – User logon data (password, user name, validity date)
- USR04 – User master authorization
- UST04 – User profiles
- USR06 – License data
- USR10 – User master authorizations profiles
- UST10C – User master Composite profiles (i.e. profile has sub profile)
- USR11 – Text for authorization profiles
- USR12 – User master Authorization values
- UST12 – User master authorization
- USR13 – Short text for authorization
- USR40 – Table for illegal passwords
- AGR_1251 – Authorization data for roles
- AGR_1252 – Organizational data for roles
- AGR_USERS – Roles assigned to users
- AGR_AGRS – Roles in composite roles
- AGR_PROF – Profiles names for roles
- AGR_HIER – Table for Structure Info for Menu
- AGR_TIME – Time Stamp for Role (Menu, Profile, Authorizations)
- TACT – Activity list
- TOBJ – Authorization objects list
- TOBC – Authorization object class list
- TOBJT – Text for authorization objects
- TACTZ – Activities for authorization objects
- USOBT – Relation between transactions and authorization objects (SAP standard tables)
- USOBX – Check table for USOBT (SAP Standard tables)
- DEVACCESS – Table for development users including dev access key
SAP SECURITY Reports:
- RSUSR000 – Currently Active Users
- RSUSR002 – Users by Complex Selection Criteria (SUIM)
- RSUSR005 – List of Users with Critical Authorizations
- RSUSR006 – Locked Users and Users with Incorrect Logons (SUIM)
- RSUSR007 – Display Users with Incomplete Address Data
- RSUSR020 – Profiles by Complex Selection Criteria (SUIM)
- RSUSR030 – Authorizations by Complex Selection Criteria (SUIM)
- RSUSR040 – Authorization Objects by Complex Selection Criteria (SUIM)
- RSUSR050 – Comparisons (SUIM)
- RSUSRSUIM – User Information System
- RSUSRLOG – Log Display for Central User Administration
- RSUSR406 – Automatically Generate Profile SAP_ALL
- RSUSR405 – Reset all user buffers in all clients (uncritical)
- RSUSR070 – Roles by Complex Selection Criteria (SUIM)
- RSUSR100 – Change Documents for Users (SUIM)
- RSUSR101 – Change Documents for Profiles (SUIM)
- RSUSR102 – Change Documents for Authorizations (SUIM)
- RSUSR200 – List of Users According to Logon Date and Password Change (SUIM)
That covers the SAP Security Tcodes details.
Troubleshooting SAP Authorization Issues:
When working on SAP authorization issues, it’s essential to follow a process. Below is a step-by-step guide to troubleshoot and resolve authorization problems quickly.
Key Points:
• Identify the Issue
• Check Authorization Error Details
• Review User’s Current Authorizations
• Analyze and Update Role
• Assign Role and Perform User Comparison
• Test Authorization
• Document and Audit
Identify the Issue:
• Issue: The user is unable to access a transaction or perform a task due to an SAP transaction authorization error, i.e. the user has no access to a particular Tcode.
• Error details: Obtain the error details or code from the user for analysis (e.g., “You are not authorized to use transaction X”).
Check Authorization Error Details:
• Ask the user to execute transaction SU53 and share a full screenshot of the SU53 output.
• Based on the SU53 screenshot, analyze the objects, identify the failed authorization objects, and find the missing object values.
• Check the missing object values and, based on the objects, identify the existing (previously created) roles that contain them.
System Trace: ST01
• Sometimes we are unable to identify the missing objects through the SU53 transaction.
• In this case, we analyze the issue in more depth through the ST01 transaction code.
• Enable the trace for the user and ask the user to replicate the issue.
• Stop the trace and identify the issue based on the results.
• Based on the analysis, assign the required authorizations to the user.
Review User’s Current Authorizations:
• Execute the SUIM Tcode.
• Check the user's current roles and authorizations using SUIM.
• Review the roles currently assigned to the user and their validity. Check whether any roles have expired or conflict.
• If required, mass-regenerate the existing roles.
• Check whether the newly required authorization objects are part of the user's roles.
• If the missing authorization is part of an existing role, assign that role to the user ID.
Analyze and Update Role:
• Sometimes the profile has not been generated properly.
• We need to check whether all profiles have been generated. If all profiles have been generated and there is no issue on the profile side, add the missing objects and values to the role.
• Execute the transaction below.
Transaction: PFCG (Profile Generator)
• If the required authorization is missing, modify the relevant role in PFCG.
Add Missing Authorization:
• Insert the required authorization object and maintain the correct field values (from SU53 or ST01).
• Generate Profile: Ensure to generate the authorization profile after modifying the role.
Assign Role and Perform User Comparison:
• Based on the analysis, identify which roles are missing from the user ID.
• Assign the updated role to the user ID through SU01 (User Maintenance).
• Execute the PFUD transaction for user comparison.
• Run a user comparison to synchronize changes and reflect the updated authorizations.
Test Authorization:
Ask the user to check the issue again. If the user can execute the transaction successfully, the issue has been resolved.
Document and Audit:
Document all changes for compliance and audit purposes, especially in SOX-regulated environments.
Example Scenario:
• A user faces an authorization issue for the ME21N transaction code.
• SU53 reveals the missing authorization object M_BEST_EKG.
• After the missing values are identified in SUIM, the role is updated in PFCG, assigned in SU01, and confirmed with PFUD.
• The user tests the transaction, and the issue is resolved.
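The role lookup from the review step, applied to the ME21N / M_BEST_EKG scenario, as an added example that is not part of the original post: it runs offline on constructed rows shaped like AGR_1251 and AGR_USERS exports. The user JDOE, the Z_* role names and the failing field values (ACTVT 01, EKGRP 001) are assumptions, and value matching is simplified to '*', exact values and LOW..HIGH ranges.

```python
# Offline triage of an SU53 finding against role-table exports (added example).
# All rows are constructed; user, role names and field values are assumptions.

# AGR_USERS shape: (AGR_NAME, UNAME, FROM_DAT, TO_DAT), dates as YYYYMMDD.
AGR_USERS = [
    ("Z_BUYER_DISPLAY", "JDOE", "20230101", "99991231"),
    ("Z_BUYER_CREATE", "JDOE", "20230101", "20240630"),
]
# AGR_1251 shape: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED),
# one row per field value of one authorization inside a role.
AGR_1251 = [
    ("Z_BUYER_DISPLAY", "M_BEST_EKG", "T_A1", "ACTVT", "03", "", ""),
    ("Z_BUYER_DISPLAY", "M_BEST_EKG", "T_A1", "EKGRP", "*", "", ""),
    ("Z_BUYER_DISPLAY", "M_BEST_EKG", "T_A2", "ACTVT", "01", "", ""),
    ("Z_BUYER_DISPLAY", "M_BEST_EKG", "T_A2", "EKGRP", "002", "", ""),
    ("Z_BUYER_CREATE", "M_BEST_EKG", "T_B1", "ACTVT", "01", "02", ""),
    ("Z_BUYER_CREATE", "M_BEST_EKG", "T_B1", "EKGRP", "001", "", ""),
    ("Z_BUYER_ALL", "M_BEST_EKG", "T_C1", "ACTVT", "*", "", ""),
    ("Z_BUYER_ALL", "M_BEST_EKG", "T_C1", "EKGRP", "*", "", ""),
    ("Z_BUYER_OLD", "M_BEST_EKG", "T_D1", "ACTVT", "01", "", "X"),
    ("Z_BUYER_OLD", "M_BEST_EKG", "T_D1", "EKGRP", "001", "", "X"),
]

def value_ok(low, high, wanted):
    """'*' matches anything, LOW..HIGH is an inclusive range, otherwise exact."""
    if low == "*":
        return True
    return low <= wanted <= high if high else low == wanted

def roles_granting(obj, needed):
    """Roles where ONE active authorization of `obj` covers every needed field."""
    by_auth = {}
    for role, o, auth, field, low, high, deleted in AGR_1251:
        if o == obj and deleted != "X":  # skip inactive (deleted) entries
            by_auth.setdefault((role, auth), []).append((field, low, high))
    return sorted({role for (role, _), rows in by_auth.items()
                   if all(any(f == fld and value_ok(lo, hi, val) for f, lo, hi in rows)
                          for fld, val in needed.items())})

def triage(user, obj, needed, today):
    """Sort each granting role into valid / out_of_validity / unassigned for `user`."""
    assigned = {r: (frm, to) for r, u, frm, to in AGR_USERS if u == user}
    result = {"valid": [], "out_of_validity": [], "unassigned": []}
    for role in roles_granting(obj, needed):
        frm, to = assigned.get(role, ("", ""))
        key = ("unassigned" if role not in assigned
               else "valid" if frm <= today <= to else "out_of_validity")
        result[key].append(role)
    return result
```

Z_BUYER_DISPLAY is not returned for ACTVT 01 / EKGRP 001 even though it contains both values, because they sit in different authorizations (T_A1 and T_A2) and fields are evaluated within a single authorization.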
Conclusion:
In this blog, we have explained the SAP Security Tcodes, the use of the transaction codes, and the reports for SAP security.
We have also explained user authorization issues and the steps to resolve them.