SAP Security Audit Guidelines – Part II


This post is part 2 of our discussion on SAP Security Audit Guidelines. In the previous post, we had discussed about some of the important points which need to be followed for SAP Security Audit Guidelines. We would continue to do so in this part as well and try to cover as many important points as possible.



List of some common tables for which table logging should be enabled




 List of clients


 Company Codes


 Definition of tcodes


 Definition of Authorization objects


 Valid activities


 Parameters for Transactions


 Authorization Groups for Programs


 Authorization Groups for Tables


 Table to Authorization group mapping


 Definition of number range objects


 Values for Transaction code authorizations


Some transaction codes are very critical and should not be assigned to any one in production system and should be locked. Also, there are some transaction codes which should only be assigned to Basis or Security team or to some super user roles. These super user roles can be assigned for temporary period of time based on emergency requirements after following a proper approval process. Below is a list of a few such critical transaction codes:



Critical Transaction Codes in Production:

 Transaction Code


 Assignment Status in Production


 Create User

 Security Team


 Mass User creation

 Security Team


 Role Maintenance

 Display only version to Security Team


 System Trace

 Basis/Security Team


 Security Audit Configuration

 Basis/Security Team


 Analysis of Security Audit Log

 Basis/Security Team


 Reorganize Security Audit Log

 Basis Team


 Lock Users

 Security Team


 Maintain Profile Parameters

 Basis Team


 Display and Delete Locks

 Basis Team


 User List

 Basis Team


 RFC Destinations (Display/Maintain)

 Basis Team


 ABAP Reporting

 Super User Role


 Output Controller

 Basis Team


 Extended Computer Aided Test Tool

 Super User Role


 Client Administration


 SE09 / SE10

 Transport Organizer



 Execute external OS commands



 Maintain External OS Commands



 Transaction and Screen Variants



 ABAP Editor



 Maintain Transaction Codes






Lets have a look at some of the critical authorization objects in SAP. From Audit perspective, it is pertinent that special care must be taken while assigning full access ‘*’ to any field value.


  • S_PROGRAM – All critical programs and reports should be linked with proper authorization groups. Appropriate action should be maintained for this object.
  • S_TABU_DIS – Caution should be taken while maintaining change access for this object.
  • S_TABU_CLI – Access to this object should be strictly restricted.
  • S_TCODE – Make sure that this authorization object does not give access ‘*’ access or access to big ranges using wildcards on the TCD field.
  • S_DEVELOP – Should be assigned with caution. Make sure not to give the change – debug access in production.
  • S_RZL_ADM – For R/3 System administration using the CCMS. This should only be required by Basis.
  • S_ADMI_FCD – For checking access to some Basis functions, like spool administration and monitoring. Normally for Basis Team only.
  • S_BTCH_ADM – For processing background jobs. Only needed by Basis or Background admin.
  • S_BDC_MONI – For batch input management and monitoring – Can be assigned to Functional Team when they upload data using LSMW
  • S_CTS_ADMI – For administration functions in the Change and Transport System. Only to Basis.
  • S_LOG_COM – For executing external operating system commands – Only to Basis.
  • S_TRANSPRT – For transport organizer – Only to Basis.
  • S_DATASET – For accessing files from ABAP/4 programs. ABAP Program name and File Path should be maintained with caution.
  • S_USER_* – Should be maintained very carefully. Make sure to give display access (activity 03) only. For Security Team.