Which are the main Security SAP Tables for SAP Roles and Profiles?
SAP contains hundreds of thousands of tables. In some cases the direct access to these tables allows one to retrieve data faster. Below a list of tables for each defined area:
- SAP Roles
- SAP Profiles
- Users
- Authorizations
- Authorization objects
SAP Roles
In the earlier SAP releases roles were called Activity Groups. That’s why tables that contain SAP Roles still today start with AGR in their name.
- AGR_1016 –Profile name of Activity Group
- AGR_1251 – authorization data for each Activity Group
- Here you can find all authorization objects, authorizations and values, in addition to the status of the authorization object. This is one of the most frequently utilized tables!
- AGR_AGRS – Roles inside Composite Roles
- AGR_DEFINE – Roles definition
- AGR_TCODES – Roles attribution to TCodes
- AGR_TEXTS – archiving structure hierarchical menu – customer
- AGR_USERS – Roles attribution to users
- AGR_DATEU – Personal parameters for roles: in this table you can find out if SAP GUI parameters are active, for example if technical names are displayed, searching by ID = BROWSER_OPT and ATRIBUTES = X
- AGR_BUFFI – It contains the detail of the links inserted in the SAP Role Menu
- PRGN_STAT – Status Table Session Manager, here you can see the details of transaction SU25 steps (for a first SAP installation or for the following upgrades)
The above tables are not a complete list, but they are for sure the most useful and used by those who work on SAP Security! Write down in the comments if you think there might be other tables worth mentioning
SAP Profiles
Even if they’re not directly used anymore , authorization profiles are a fundamental technical component to the management of SAP authorizations.
- USR10 – User authorization profile master data
- USR11 –
- USR21 – User Name ind. Key attribution
- UST04 – User Master Data
- UST10C – User Master data: global profiles
- UST10S – User Master Data: single profiles
- Inside USH* tables you can find the history of edits on profiles
SAP Authorizations
Even if roles, profiles and authorizations are often utilized as synonyms, they’re not. Every word has a specific meaning and represent a precise technical object. Authorizations are values of authorization objects.
- UST12 – User Master data: authorizations
Authorization Objects
- TOBJ – Authorization Objects
- TOBJT – Short texts of authorization objects
- TSTCA – Transaction codes authorizations values: this table allows you to see which are the authorization objects and their necessary values at the start of a transaction (Header Authorization)
- TACTZ – Valid activities for every authorization object: this table allows one to see the admitted activities by the ACTVT field of every object that contains that field.
- USOBT_C and USOBX_C – Transaction > Auth Obj. Relation (customer): These tables allow one to see the relation proposed by SAP and managed by the customer, between transactions and authorization objects with eventual pre-populated values
- USOBAUTHINACTIVE – Start authorization check inactive (‘X’) or active (SPACE): This table allows one to enable or disable the S_START authorization object control
- TDDAT – Update areas for tables: it allows to see the link SAP tables and authorization groups assigned (CCLAS field)
- TCDCOUPLES – Transaction callbacks
Users
- USGRP – User Groups
- USR02 - Logon Data (Kernel – Side Use), here you can find the main information regarding users:
- User Type
- User Validity
- Groups
- Block Status
- Password (Cryptography)
- USR05 – User Master Data, ID parameters
- USR06 – Additional data for users (here you can find the SAP License of Users)
- USR21 – Username ind. Key attribution
- V_USERNAME – Generated Table for View, in this view you can easily find the first and last name of users.
- SMEN_BUFFC – It contains the detail of user favorites.
- HRP1001 – DB table for info-type 1001: here you can see the link between users and HR objects (i.e. positions) inside the SAP organizational structure.