Tables, Roles, Profiles and Authorizations in SAP

Which are the main Security SAP Tables for SAP Roles and Profiles?

SAP contains hundreds of thousands of tables. In some cases, direct access to these tables lets you retrieve data faster. Below is a list of tables for each of the following areas:

  • SAP Roles
  • SAP Profiles
  • Users
  • Authorizations
  • Authorization objects

[Figure: database schema of SAP profiles and roles]

SAP Roles

In earlier SAP releases, roles were called Activity Groups. That's why the names of the tables that contain SAP Roles still start with AGR today.

  • AGR_1016 – Profile name of Activity Group
  • AGR_1251 – authorization data for each Activity Group
    • Here you can find all authorization objects, authorizations and values, in addition to the status of the authorization object. This is one of the most frequently utilized tables!
  • AGR_AGRS – Roles inside Composite Roles
  • AGR_DEFINE – Roles definition
  • AGR_TCODES – Roles attribution to TCodes
  • AGR_TEXTS – archiving structure hierarchical menu – customer
  • AGR_USERS – Roles attribution to users
  • AGR_DATEU – Personal parameters for roles: in this table you can find out if SAP GUI parameters are active, for example if technical names are displayed, searching by ID = BROWSER_OPT and ATRIBUTES = X
  • AGR_BUFFI – It contains the detail of the links inserted in the SAP Role Menu
  • PRGN_STAT – Status Table Session Manager, here you can see the details of transaction SU25 steps (for a first SAP installation or for the following upgrades)

The tables above are not a complete list, but they are certainly the most useful and most used by those who work on SAP Security! Write in the comments if you think there are other tables worth mentioning.

SAP Profiles

Even if they're not directly used anymore, authorization profiles are a fundamental technical component in the management of SAP authorizations.

  • USR10 – User authorization profile master data
  • USR11 –
  • USR21 – User Name ind. Key attribution
  • UST04 – User Master Data
  • UST10C – User Master data: global profiles
  • UST10S – User Master Data: single profiles
  • Inside USH* tables you can find the history of edits on profiles

SAP Authorizations

Even though roles, profiles and authorizations are often used as synonyms, they are not. Each word has a specific meaning and represents a precise technical object. Authorizations are values of authorization objects.

  • UST12 – User Master data: authorizations

Authorization Objects

  • TOBJ – Authorization Objects
  • TOBJT – Short texts of authorization objects
  • TSTCA – Transaction codes authorizations values: this table allows you to see which are the authorization objects and their necessary values at the start of a transaction (Header Authorization)
  • TACTZ – Valid activities for every authorization object: this table shows the activities permitted in the ACTVT field of every object that contains that field.
  • USOBT_C and USOBX_C – Transaction > Auth Obj. Relation (customer): these tables show the relation, proposed by SAP and managed by the customer, between transactions and authorization objects, with any pre-populated values
  • USOBAUTHINACTIVE – Start authorization check inactive ('X') or active (SPACE): this table allows one to enable or disable the S_START authorization object check
  • TDDAT – Update areas for tables: it shows the link between SAP tables and the authorization groups assigned to them (CCLASS field)
  • TCDCOUPLES – Transaction callbacks

Users

  • USGRP – User Groups
  • USR02 – Logon Data (Kernel-Side Use), here you can find the main information regarding users:
    • User Type
    • User Validity
    • Groups
    • Block Status
    • Password (Cryptography)
  • USR05 – User Master Data, ID parameters
  • USR06 – Additional data for users (here you can find the SAP License of Users)
  • USR21 – Username ind. Key attribution
  • V_USERNAME – Generated Table for View, in this view you can easily find the first and last name of users.
  • SMEN_BUFFC – It contains the detail of user favorites.
  • HRP1001 – DB table for info-type 1001: here you can see the link between users and HR objects (i.e. positions) inside the SAP organizational structure.
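The role and user tables above are usually read together. As an added example (not part of the original article), the sketch below answers the audit question "which unlocked users currently hold S_TCODE for a given transaction through a role?" by joining AGR_USERS, AGR_1251 and USR02. The tables are rebuilt in an in-memory SQLite database with constructed rows; only the columns the check needs are modelled, and the value matching is simplified to '*' patterns and plain LOW/HIGH ranges.

```python
import sqlite3
from fnmatch import fnmatchcase

# Constructed sample data; column names follow the SAP tables, rows are invented.
SCHEMA = """
CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, FIELD TEXT, LOW TEXT, HIGH TEXT, DELETED TEXT);
CREATE TABLE USR02 (BNAME TEXT, USTYP TEXT, UFLAG INTEGER, GLTGB TEXT);
"""
ROWS = {
    "AGR_USERS": [("Z_USER_ADMIN", "ALICE", "20240101", "99991231"),
                  ("Z_USER_ADMIN", "BOB", "20240101", "99991231"),
                  ("Z_BASIS_RANGE", "CAROL", "20230101", "20231231"),  # assignment expired
                  ("Z_BASIS_RANGE", "DAVE", "20240101", "99991231"),
                  ("Z_DISPLAY", "ERIN", "20240101", "99991231")],
    "AGR_1251": [("Z_USER_ADMIN", "S_TCODE", "TCD", "SU*", "", ""),
                 ("Z_BASIS_RANGE", "S_TCODE", "TCD", "SM30", "SU05", ""),
                 ("Z_DISPLAY", "S_TCODE", "TCD", "SU01", "", "X"),  # deleted authorization
                 ("Z_DISPLAY", "S_TCODE", "TCD", "SU53", "", "")],
    "USR02": [("ALICE", "A", 0, "00000000"), ("BOB", "A", 64, "00000000"),  # BOB is locked
              ("CAROL", "A", 0, "00000000"), ("DAVE", "A", 0, "00000000"),
              ("ERIN", "A", 0, "00000000")],
}

def covers(low, high, value):
    """True if a LOW/HIGH pair covers value (simplified: '*' patterns, string ranges)."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def users_with_tcode(conn, tcode, day):
    """Unlocked, valid users whose role assignment on `day` grants S_TCODE for tcode."""
    conn.create_function("covers", 3, lambda lo, hi, v: int(covers(lo, hi, v)))
    sql = """SELECT DISTINCT r.UNAME, r.AGR_NAME FROM AGR_USERS r
             JOIN AGR_1251 a ON a.AGR_NAME = r.AGR_NAME
             JOIN USR02 u ON u.BNAME = r.UNAME
             WHERE a.OBJECT = 'S_TCODE' AND a.FIELD = 'TCD' AND a.DELETED <> 'X'
               AND covers(a.LOW, a.HIGH, :tcode)
               AND :day BETWEEN r.FROM_DAT AND r.TO_DAT
               AND u.UFLAG = 0 AND (u.GLTGB = '00000000' OR u.GLTGB >= :day)
             ORDER BY r.UNAME"""
    return conn.execute(sql, {"tcode": tcode, "day": day}).fetchall()

if __name__ == "__main__":
    print(users_with_tcode(build_sample(), "SU01", "20240601"))
```

The deleted SU01 row in Z_DISPLAY and the expired assignment of CAROL show why the DELETED flag and the assignment dates have to be part of the filter; a plain match on LOW alone would over-report.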

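A supplementary list of role tables:
Provided by SAP

Table name – Short text

  • RSPFPAR – Parameter table
  • AGR_1016 – Profile name of the activity group
  • AGR_1016B – Profile name of the activity group
  • AGR_1250 – Authorization data for the activity group
  • AGR_1251 – Authorization data for the activity group
  • AGR_1252 – Organizational elements for authorizations
  • AGR_1253 – Authorization data for the activity group - static objects
  • AGR_AGRS – Roles in composite roles
  • AGR_AGRS2 – Role definition
  • AGR_ATTS – Role attributes
  • AGR_BUFFI – Table of Internet links for roles
  • AGR_BUFFI2 – Table of Internet links - customer version of SAP roles
  • AGR_BUFFI3 – Table of Internet links - SAP version of SAP roles
  • AGR_CUSTOM – Customizing objects for roles
  • AGR_DATEU – Personal settings for roles
  • AGR_DEFINE – Role definition
  • AGR_FAVOS – Personal settings for PFCG
  • AGR_FLAGS – Role attributes
  • AGR_FLAGSB – Role attributes
  • AGR_HIER – Table of menu structure information
  • AGR_HIER_BOR – Table for Object-Oriented Navigation (OBN)
  • AGR_HIER2 – Menu structure information - customer version of SAP roles
  • AGR_HIER3 – Menu structure information - SAP version of SAP roles
  • AGR_HIERT – Role menu texts
  • AGR_HIERT2 – Role menu texts - customer version of SAP objects
  • AGR_HIERT3 – Role menu texts - original SAP
  • AGR_HPAGE – Role Home Page
  • AGR_HPAGET – Description of the Home Page for a Role
  • AGR_INFO – Filter Values from Generation Run
  • AGR_LOGSYS – Logical system
  • AGR_LSD – Role attributes
  • AGR_MAP_KNUMA – Conversion table AG_GUID CRM <> KNUMA
  • AGR_MAPP – MiniApps in roles
  • AGR_MARK – Table for report SAPPROFC_NEW
  • AGR_MEM_INITIAL – Agreement: buffer for initial upload
  • AGR_MINI – MiniApps in roles
  • AGR_MINI2 – MiniApps in roles
  • AGR_MINIT – MiniApp texts for roles
  • AGR_MINIT2 – MiniApp texts for roles
  • AGR_NUM_2 – Internal counter for assigning profile names
  • AGR_NUMBER – Internal counter for assigning profile names
  • AGR_OBJ – Assignment of Menu Nodes to Role
  • AGR_PROF – Profile name for the role
  • AGR_REL_KNUMA_CM – Assignment: agreement > activity
  • AGR_SELECT – Assignment of roles to transaction codes
  • AGR_TCDTXT – Assignment of roles to transaction codes
  • AGR_TCODE3 – Assignment of roles to transaction codes
  • AGR_TCODES – Assignment of roles to transaction codes
  • AGR_TEXTS – File structure for hierarchical menu - customer
  • AGR_TIME – Time stamp for roles
  • AGR_TIMEB – Time stamp for roles
  • AGR_TIMEC – Time stamp for roles
  • AGR_TIMED – Time stamp for roles
  • AGR_USERS – Assignment of roles to users
  • AGR_USERT – Assignment of roles to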

Excellent