This site strives to be a comprehensive guide to SAP Security and Authorizations. Though  a search in google returns any number of references on security, the number of sites dealing exclusively with SAP security are few and far between. This is a personal site maintained solely by me. I intend to update it regularly with more information, links and other online resources. Feel free to look around and make use of any of the resources. I would be glad if any of information presented in the following pages helps you in learning SAP security.

Mass Changes – eCATT

ECATT, SECATT or CATT has been a popular method with security consultants to automate various tasks. Its not the only tool used for automation and can be considered to be another option available in our arsenal. Till date I have purposely refrained from adding any post about SECATT as almost everything that you can do via SECATT can be done via LSMW which has been already mentioned on the site. Also, documentation around SECATT is fairly ubiquitous on the internet and I did not think that adding the same information here will make any difference. Recently however, I came . . . → Read More: Mass Changes – eCATT


Maybe I am being cynical here, but I would still say that its very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched by using the tcode “STAUTHTRACE”. The start screen for it is shown below.

STAUTHTRACE – Start Screen

As you can see . . . → Read More: STAUTHTRACE


Its quite common in the SAP world that one transaction calls another via different menu options. At the code level this is often implemented via the ABAP construct “CALL TRANSACTION”. We know that to start a transaction from menu or typing via the command window, a S_TCODE check is performed at the SAP kernel level. However whether a S_TCODE check is performed for the CALL TRANSACTION statement can be controlled by us through the SE97 tcode. Its not often that we need to mess with the SE97 settings but its good to know about the option is available if . . . → Read More: SE97 and TCDCOUPLES

Data Management

SAP NetWeaver ships with a mind bogging array of highly specialized applications to support different business processes. A SAP consultant will either interact with these applications or enhance them by writing new code to solve new problems during implementation. However, sometimes I feel that the real heart of SAP solution is not the code but the enterprise around which the code is built. The different application programs are just so many ways in which the users of the system can access the code. The power of SAP over the many legacy applications it typically replaces, is its one unified . . . → Read More: Data Management

Enterprise Structure

As all of us know, SAP is an an example of an Enterprise Resource Planning software. However, a lot of beginning security consultants are so taken up familiarising themselves with “creating roles and users” that they lose sight of the fact that the security exists to support the various Enterprise functions of the SAP solutions. Today as I write the hundred-th post of my hobbyist blog I am starting a new section to capture all things functional. All though a beginning security analysts can get by with just knowing core security concepts, its always expected that we understand the . . . → Read More: Enterprise Structure

SU25 – A Discussion

There is already a post in this blog which talks about the SU25 transaction. However while recently working on a upgrade, it occurred to me that the information presented was too broad and might not answer a lot of the doubts that a security analyst might face when actually tasked to complete the full post SU25 execution. I do not claim that this post will answer all the question but it does go into more depth about the thinking that should go into the post upgrade activities. This is all the more important as when done wrong, the SU25 . . . → Read More: SU25 – A Discussion

SAP Authentication in CMC

Till now we have created users and group in the CMC and mapped these groups to application and content rights. All data for these users and groups are maintained in the BOBJ CMS. Since a common configuration of BOBJ reporting is to use the BOBJ frontend with a SAP BW Backend, BOBJ also allows us to import backend roles and users to the CMS. The attributes of these users and groups can not be changed in the CMC but they can be assigned to other CMS resources like groups, content and application rights. In fact, a user so imported . . . → Read More: SAP Authentication in CMC

Application Rights in BOBJ

Just like rights for content, Business Objects also allows us to set the rights that users have for specific application types. These basically control what a user can do on a particular application. Some examples would include the ability to create or change the design of a report or even to filter a report output. Its a best practice to maintain content rights and application rights in separate groups.

The steps in setting up application rights mirror the ones for setting up rights for content access covered before. In the example below, we will be setting up a user . . . → Read More: Application Rights in BOBJ

Accessing Content Objects

BOBJ is a reporting tool and an end user would typically use the BI launchpad to execute reports assigned to her. After logging  inthe BI launch pad screen would look something like the one below.

BI Launchpad – Content Folders with Reports

As you can see the content that the user sees is grouped into a hierarchy of folders. During developement of reports need to be  added to folders and the correct folders need to be assigned to the correct set of users. This is the most common example of authorizing access to content in BOBJ and we . . . → Read More: Accessing Content Objects

Access Levels

Each of the applications in the BOBJ suite which are administered through the CMC exposes different rights on themselves to control which actions a user can perform on them. Access Rights can be of different types depending on the type of Content Management System (CMS) object they are defined on.

General – These are most general rights and shared by the other InfoObject types in the CMC. As the name suggests they are general in nature and allow users to view, edit or delete objects. Application – These are rights exposed by the different applications managed in the CMC and control . . . → Read More: Access Levels