SAP Tables – S_TABU_NAM

As security consultants, we are often asked to secure or grant access to SAP tables, so most of us are already aware of the authorization objects used to secure tables: S_TABU_DIS, S_TABU_CLI and S_TABU_LIN. Of these, S_TABU_DIS is the one that is needed for all tables. S_TABU_DIS secures tables on the basis of activity (02, 03) and the authorization group of the table. S_TABU_CLI is needed when a user needs access to maintain client-independent tables. S_TABU_LIN is meant for line-oriented authorizations, which allow us to authorize individual rows of a table.

However, until now security for tables was based on authorization groups. The limitation of authorization groups is the lack of granular security on individual tables: once a user has access to a particular table authorization group, the user can access all tables linked to that authorization group. Technically, it has always been possible to create a new authorization group and link the offending table to it. But this solution came with its own problems, especially when adopted for standard tables. For example, a lot of tables are accessed by standard tcodes, and changing the authorization groups of such tables can potentially impact the functioning of the tcodes calling them. Also, the new authorization groups might be overwritten by SAP service packs, so this becomes a recurring check for upcoming upgrades.

Fortunately, SAP in its latest service packs has come up with a new authorization object for securing tables, S_TABU_NAM. S_TABU_NAM promises to overcome the limitation of the current S_TABU_DIS object.

S_TABU_NAM - Fields

As can be seen above, the object has two authorization fields. The first is activity, meant to restrict access to just display (03) or update (02). The other field, TABLE, takes the actual name of the table and allows us to restrict or provide access to individual tables, overriding access for authorization groups.

I am copying the relevant SAP code section from the standard function module VIEW_AUTHORITY_CHECK. This FM is called by all standard table access transactions like SE16, SE16N, SM30, SM31, SM34, etc.

VIEW_AUTHORITY_CHECK 1
VIEW_AUTHORITY_CHECK 2

As you can see from the code above, VIEW_AUTHORITY_CHECK has an initial check for S_TABU_DIS. Only when the S_TABU_DIS check fails is the new object S_TABU_NAM checked. So all the existing checks and the security roles built around them need not be updated as a result of the new object. It just provides us with an additional layer of flexibility for building our checks for tables. An example scenario might be to give display access to all tables with authorization group SC but restrict write access to just T77UA (which shares the same auth group).
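
The check order and the SC/T77UA scenario described above, modelled in Python so a role design can be tested before it is built. This is an added example, not SAP's code from VIEW_AUTHORITY_CHECK; the table-to-group map, the role, the ZDEMO_* tables and the ZFI group are constructed, and only literal values and `*` patterns are modelled.

```python
from fnmatch import fnmatchcase

# Constructed table -> authorization group map (SAP keeps this assignment in TDDAT).
# T77UA/SC is the pairing from the article; the ZDEMO_* tables are hypothetical.
TABLE_GROUPS = {"T77UA": "SC", "ZDEMO_SC": "SC", "ZDEMO_FI": "ZFI"}

# Constructed role for the article's scenario: display everything in group SC,
# but change only T77UA.
ROLE = [
    {"object": "S_TABU_DIS", "fields": {"ACTVT": ["03"], "DICBERCLS": ["SC"]}},
    {"object": "S_TABU_NAM", "fields": {"ACTVT": ["02"], "TABLE": ["T77UA"]}},
]


def has_auth(auths, obj, **wanted):
    """True if a single authorization of `obj` covers every requested field.

    All fields must match inside the same authorization. Only literal values
    and `*` patterns are modelled here, not value ranges.
    """
    for auth in auths:
        if auth["object"] != obj:
            continue
        if all(any(fnmatchcase(value, pattern) for pattern in auth["fields"].get(field, []))
               for field, value in wanted.items()):
            return True
    return False


def table_access(auths, table, actvt):
    """Return the object that grants `actvt` on `table`, or None if denied."""
    # Tables with no assigned group are checked against the group &NC&.
    group = TABLE_GROUPS.get(table, "&NC&")
    # Step 1: the classic check on the table's authorization group.
    if has_auth(auths, "S_TABU_DIS", ACTVT=actvt, DICBERCLS=group):
        return "S_TABU_DIS"
    # Step 2: only reached when step 1 fails, the check on the table name.
    if has_auth(auths, "S_TABU_NAM", ACTVT=actvt, TABLE=table):
        return "S_TABU_NAM"
    return None


def access_matrix(auths, tables):
    """Map each table to the granting object for display (03) and change (02)."""
    return {t: {a: table_access(auths, t, a) for a in ("03", "02")} for t in tables}


if __name__ == "__main__":
    for table, result in access_matrix(ROLE, TABLE_GROUPS).items():
        print(table, result)
```

Because S_TABU_NAM is consulted only after S_TABU_DIS fails, it can add access to a table but cannot take away what an S_TABU_DIS authorization already grants.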

11 thoughts on “SAP Tables – S_TABU_NAM”

  • March 7, 2012 at 2:29 pm

    Hello Aninda,
    We have an SAP security training center in Bangalore, and we have a large number of students following your blog regularly.
    I would like to convey my sincere thanks to you on behalf of all our students.
    If possible, I would like to have your contact information.

    –Pavan Kumar.

    • March 8, 2012 at 8:12 am

      Hi Pavan,

      Good to know that my posts are helping someone learn SAP security better. You can contact me through this site.

      Regards,
      Aninda

  • March 13, 2012 at 3:33 pm

    Hi,

    awesome explanations!

    Can you please provide BI Trace also? That could be better for those who follow these columns.

    Best Regards,
    SIVA .

    • March 15, 2012 at 4:35 pm

      Hi Siva,

      There is already an article on BI Trace in the blog. Look under SAP BW Security.

      Regards,
      Aninda

  • June 3, 2013 at 12:37 pm

    hi,

    I would like to know how the personalization tab in su01 would be helpful to a security consultant. If possible, try to explain it briefly.

    Thanks & Regards,
    bhargav

  • July 23, 2013 at 10:42 am

    I need to restrict access to a particular table in the se11 t-code only. Which auth obj should I use?

  • August 22, 2013 at 6:56 am

    Hello,
    Object S_DISP_NAM does not exist in ECC 6.0

    Regards,

    Jyoti

    • September 3, 2013 at 10:33 pm

      S_TABU_NAM? The object was introduced in one of the service packs so if you are still running an unpatched system, the object might not be available.

  • August 4, 2014 at 6:55 am

    Hi Aninda,
    Is there any disadvantage by using S_TABU_NAM authorization object..?

    Thanks in Advance..

    Regards,
    Nilesh Tiramale.

    • September 26, 2014 at 1:25 pm

      Nope. But you would need to know each table that you want to restrict.
