Skip to Content

Segregation of Duties - source SAP tables with authorization data

Hi Everyone,

I am doing a segregation of duties review and need to extract user authorization information from SAP. Ultimately, I would like to have a single view where each record or records will contain UserID, role_name, profile_name, authorization_objects and activity value

I know that information on roles, profiles, authorizations and allowable activities within authorization fields resides in various tables and don't expect to have an issue linking the data in an external application. But as of now I have only been able to find the following info:

List of users, with roles and profiles assigned

List of all transactions, associated auth objects and allowable activities (TSTCA)

However I have difficulty finding is the tables holding:

- transactions assigned to roles/profiles

- auth objects part of the user's profiles and the associated activity values</b>

Does any one know where this info is.

Thanks in advance!


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Best Answer
    avatar image
    Former Member
    Oct 23, 2007 at 09:32 AM

    Hi Martin,

    transactions assigned to roles : AGR_1251 with object S_TCODE

    transactions assigned to profiles : UST10S with object S_TCODE + UST12 with auth. of UST10S and Object S_TCODE

    auth objects part of the user's profiles = Profile - Objects - Authorities: UST10S

    auth objects and associated activity values = Objects - Authorities – Field From/To : UST12

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 24, 2007 at 05:11 PM

    Hi Guys,

    Thanks again for the input. I have one last question. I've reached the very end of the authorization data extraction and need to pull the names(text) of the authorization fields. Actually I am not sure even if this data exists in the way I imagine it. I checked table AUTHX, but there I only have the field name/code, the data element and the corresponding table where the field data comes from. If you know of it please let me know, and if not I already feel SUPER grateful for the assistance you provided me with so far.



    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Martin,

      you can use function module AUTH_FIELD_GET_INFO, see Program SAPLSUSA FORM LOAD_INTFLD. Here is a little report to check whether it works:

      * get names(text) of the authorization fields
      TABLES:  dfies.
      PARAMETERS: p_sfield   LIKE authx-fieldname.
      DATA: field LIKE tobj-fiel1.
        field = p_sfield.
            fieldname = field
            langu     = sy-langu
            text      = dfies-fieldtext.
        WRITE : / field, dfies-fieldtext.

  • Oct 22, 2007 at 08:49 PM

    Hi Martin,

    Depending on how you want to do this depends on the tables you get the info from.

    The most straightforward way is:

    Tx to roles: AGR_1251 filtered on object S_TCODE. You could use AGR_TCODES but this only has menu transactions rather than those in S_TCODE

    Auth objects & values to roles: AGR_1251 (and can use AGR_USERS to ID the roles per user).

    AGR_1251 is at the role level which is all well and good, however auth data resides within the profiles and getting that data is a fair bit harder so you are looking at something like interrogating USR04, USR10 and USR12 to get all user-auth-value data.

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 25, 2007 at 09:55 AM

    Good morning everyone,

    I looked in table DD04V and a lot of the field names were there. Some of them were not listed, such as, ACTVT, TCD, CEERKRS, CFUNCNAME and others but I will try to work without them. I just wanted to give you an idea as to what is my approach for the SoD analysis and why I have bypassed the built in SAP tools.

    Once I extracted all the authorization and user data, I pulled it into ACL for further analysis.

    For a total of 40 users, the final set is close to 93 000 records. Some of the tests that I can run in ACL are: filter out all roles that have display in their name, then quickly run classify function for all ACTVT fileds that have values other than 3. Also I can filter all BUKRS fields and can verify that the users are assigned company codes that belong to their organization. To me this approach seems logical, but this is the first time I am doing this so I am still developing the process - if you guys think that something is off, please let me know. I don't know if the tools that SAP provides offer this functionality. I am an auditor and what I have found in AIS so far, cannot be really used for this type of analytics.

    Wolfrad, thank you very much for providing me with the code, but I have no authorization for creating anything on the SAP system - I have read only access 😊

    Thanks again for all your help!

    Add comment
    10|10000 characters needed characters exceeded