This site strives to be a comprehensive guide to SAP Security and Authorizations. Though a search in Google returns any number of references on security, the number of sites dealing exclusively with SAP security is few and far between. This is a personal site maintained solely by me. I intend to update it regularly with more information, links and other online resources. Feel free to look around and make use of any of the resources. I would be glad if any of the information presented in the following pages helps you in learning SAP security. Continue reading “Welcome!”

Mass Changes – eCATT

SECATT - Initial Screen

ECATT, SECATT or CATT has been a popular method with security consultants to automate various tasks. It's not the only tool used for automation and can be considered another option available in our arsenal. To date I have purposely refrained from adding any post about SECATT, as almost everything that you can do via SECATT can be done via LSMW, which has already been mentioned on the site. Also, documentation around SECATT is fairly ubiquitous on the internet and I did not think that adding the same information here would make any difference. Recently, however, I came to use another feature of the ECATT tool which is not as popular among us security consultants and which can actually let us do things which we couldn't do as easily before. So here goes the first post for the new year… and Happy New Year 2014 to everyone. May this year be better than the last. Continue reading “Mass Changes – eCATT”

STAUTHTRACE

Maybe I am being cynical here, but I would still say that it's very rare that SAP comes up with something that reduces the daily drudgery we go through as security consultants. Today I discovered something from my colleagues that is really one of the best things I have seen in a very long time. SAP has come up with a new and improved version of the standard security trace ST01. The new transaction can be launched by using the tcode “STAUTHTRACE”. Continue reading “STAUTHTRACE”

SE97 and TCDCOUPLES

It's quite common in the SAP world that one transaction calls another via different menu options. At the code level this is often implemented via the ABAP construct “CALL TRANSACTION”. We know that to start a transaction from the menu or by typing it in the command window, an S_TCODE check is performed at the SAP kernel level. However, whether an S_TCODE check is performed for the CALL TRANSACTION statement can be controlled by us through the SE97 tcode. It's not often that we need to mess with the SE97 settings, but it's good to know the option is available if needed. Continue reading “SE97 and TCDCOUPLES”
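The point above is that a CALL TRANSACTION only triggers an S_TCODE check if the SE97 (TCDCOUPLES) entry for the calling transaction asks for it, so a developer who wants the navigation protected regardless of that setting has to check explicitly. The following report is an added illustration, not code from the original post: it performs the same S_TCODE check the kernel does on a menu or command-field start, and only then hands over to the target transaction. The report name and the default target transaction SU01 are illustrative.

```abap
*&---------------------------------------------------------------------*
* Added example (not from the original post): explicit S_TCODE check
* before CALL TRANSACTION. This mirrors the kernel check that runs when
* a user starts a transaction from the menu or command field, so the
* hand-over is protected even when the SE97/TCDCOUPLES entry for the
* calling transaction does not request the check.
* Report name and default transaction are illustrative.
*&---------------------------------------------------------------------*
REPORT z_call_with_tcode_check.

PARAMETERS p_tcode TYPE sy-tcode DEFAULT 'SU01'.

DATA lv_text TYPE string.

" S_TCODE, field TCD: the authorization the kernel checks on transaction start.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD p_tcode.

IF sy-subrc <> 0.
  " No authorization for the target transaction: abort with an error
  " message instead of falling through to CALL TRANSACTION.
  CONCATENATE 'No authorization for transaction' p_tcode
    INTO lv_text SEPARATED BY space.
  MESSAGE lv_text TYPE 'E'.
ENDIF.

" Authorization granted: hand over to the target transaction.
CALL TRANSACTION p_tcode.
```

A failed check can be confirmed with the ST01 or STAUTHTRACE trace, which records the S_TCODE check with return code 4 for the calling user. Note that SE97 can also request the target transaction's own SE93 authorization object on the hand-over; the explicit check above covers only S_TCODE.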

Data Management

SAP NetWeaver ships with a mind-boggling array of highly specialized applications to support different business processes. An SAP consultant will either interact with these applications or enhance them by writing new code to solve new problems during implementation. However, sometimes I feel that the real heart of an SAP solution is not the code but the enterprise data around which the code is built. The different application programs are just so many ways in which the users of the system can access the data. The power of SAP over the many legacy applications it typically replaces is its one unified data model to store the different pieces of enterprise data. In a modern enterprise most data is inter-related, and SAP leverages these linkages in its data design. However, since many of us, and this is all the more true of security consultants, do not directly work with data, we lose sight of its importance in the bigger scheme of things. In this post, I would like to give a brief introduction to data management in SAP. Continue reading “Data Management”

Enterprise Structure

As all of us know, SAP is an example of Enterprise Resource Planning software. However, a lot of beginning security consultants are so taken up familiarising themselves with “creating roles and users” that they lose sight of the fact that security exists to support the various enterprise functions of the SAP solutions. Today, as I write the hundredth post of my hobbyist blog, I am starting a new section to capture all things functional. Although a beginning security analyst can get by with just knowing core security concepts, it's always expected that we understand the tools that SAP provides for securing functional data and applications. Continue reading “Enterprise Structure”

SU25 – A Discussion

There is already a post in this blog which talks about the SU25 transaction. However, while recently working on an upgrade, it occurred to me that the information presented was too broad and might not answer a lot of the doubts that a security analyst might face when actually tasked to complete the full post-upgrade SU25 execution. I do not claim that this post will answer all the questions, but it does go into more depth about the thinking that should go into the post-upgrade activities. This is all the more important as, when done wrong, the SU25 activity has the potential to reduce the check indicators and roles of an SAP system to junk! Continue reading “SU25 – A Discussion”

SAP Authentication in CMC

Till now we have created users and groups in the CMC and mapped these groups to application and content rights. All data for these users and groups is maintained in the BOBJ CMS. Since a common configuration of BOBJ reporting is to use the BOBJ frontend with an SAP BW backend, BOBJ also allows us to import backend roles and users into the CMS. The attributes of these users and groups cannot be changed in the CMC, but they can be assigned to other CMS resources like groups, content and application rights. In fact, a user so imported into the CMC can log in to the BOBJ launchpad or CMC with the SAP BW backend credentials. This setup is known as SAP Authentication, and this post will go over the steps that are needed to get this working. Continue reading “SAP Authentication in CMC”

Application Rights in BOBJ

Just like rights for content, Business Objects also allows us to set the rights that users have for specific application types. These basically control what a user can do in a particular application. Some examples would include the ability to create or change the design of a report or even to filter a report output. It's a best practice to maintain content rights and application rights in separate groups. Continue reading “Application Rights in BOBJ”

Accessing Content Objects

BOBJ is a reporting tool, and an end user would typically use the BI launchpad to execute reports assigned to her. After logging in, the BI launchpad screen would look something like the one below.

BI Launchpad – Content Folders with Reports

As you can see, the content that the user sees is grouped into a hierarchy of folders. During development, reports need to be added to folders, and the correct folders need to be assigned to the correct set of users. This is the most common example of authorizing access to content in BOBJ, and in the next few paragraphs we will be looking at the security configuration to set it up. Continue reading “Accessing Content Objects”

Access Levels

Each of the applications in the BOBJ suite which are administered through the CMC exposes different rights on itself to control which actions a user can perform on it. Access rights can be of different types depending on the type of Content Management System (CMS) object they are defined on.

  • General – These are the most general rights and are shared by the other InfoObject types in the CMC. As the name suggests, they are general in nature and allow users to view, edit or delete objects.
  • Application – These are rights exposed by the different applications managed in the CMC and control access to the individual applications.
  • Content – These rights control access to content like folders and the reports contained therein.
  • System – These are core objects in the CMS like users, groups, connections and universes, and are used by one or more applications.

Continue reading “Access Levels”