
Security/User Tables

Security Tables
USR* tables contain user master information.
AGR* tables contain data about roles.
USH* tables hold change document information.

You can use SQVI or SE16 to get data from these tables.

Table Description
AGR_1016 Name of the activity group profile
AGR_1016B Name of the activity group profile
AGR_1250 Authorization data for the activity group
AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations
AGR_AGRS Roles in Composite Roles
AGR_DEFINE Role definition
AGR_HIER2 Menu structure information - Customer vers
AGR_HIERT Role menu texts
AGR_OBJ Assignment of Menu Nodes to Role
AGR_PROF Profile name for role
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TEXTS File Structure for Hierarchical Menu - Cus
AGR_TIME Time Stamp for Role: Including profile
AGR_USERS Assignment of roles to users
USER_ADDR Address Data for users
USGRP User groups
USGRPT Text table for USGRP
USH02 Change history for logon data
USOBT Relation transaction to authorization object (SAP)
USOBT_C Relation Transaction to Auth. Object (Customer)
USOBX Check table for table USOBT
USOBX_C Check Table for Table USOBT_C
USOBXFLAGS Temporary table for storing USOBX/T* chang
USR01 User Master Data (runtime data)
USR02 Logon data (password, user name, validity date, etc.)
USR04 User master authorization (one row per user)
USR06 License data
USR10 Authorisation profiles (i.e. &_SAP_ALL)
USR11 Text for authorisation profiles
USR12 Authorisation values
USR13 Short text for authorisation
USR40 Table for illegal passwords (never enter * in this table)
UST04 User profiles (multiple rows per user)
UST10C Composite profiles (i.e. profile has sub profile)

This is the vast list of USR, USH & AGR tables

Table name Description


AGRR2 R2 transfer structure
AGRR2T R2 roles transfer structure - Texts
AGR_1016 Name of the activity group profile
AGR_1016B Name of the activity group profile
AGR_1250 Authorization data for the activity group
AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations
AGR_1253 Authorization Data for Activity Group - Static Objects
AGR_AGRS Roles in Composite Roles
AGR_AGRS2 Role definition
AGR_ATTS Role attributes
AGR_BOR_DTL Extended BOR Details for Menu Nodes
AGR_BUFFI Internet Links for a Role
AGR_BUFFI2 Internet links table - Customer version of SAP roles
AGR_BUFFI3 Internet links table - SAP versions of SAP roles
AGR_CATS Transfer structure for categories/PFCG start
AGR_CUSTOM Role Customizing objects
AGR_DATEU Personal settings for roles
AGR_DEFINE Role definition
AGR_EXT_DTL Extended Details for Menu Nodes
AGR_FAVOS Personal settings for PFCG
AGR_FILT Transfer table filter for PRGN_TREE_START
AGR_FLAGS Role attributes
AGR_FLAGSB Role attributes
AGR_HIER Table for Structure Information for Menu
AGR_HIER2 Menu structure information - Customer version of SAP roles
AGR_HIER3 Menu structure information - SAP version of SAP roles
AGR_HIERT Role menu texts
AGR_HIERT2 Role menu texts - Customer version of SAP objects
AGR_HIERT3 Role menu texts - SAP Original
AGR_HIER_BOR Table for Object-Oriented Navigation (OBN)
AGR_HPAGE Role Home Page
AGR_HPAGET Description of the Home Page for a Role
AGR_ICON Display the status icon in the Profile Generator
AGR_INFO Filter Values from Generation Run
AGR_LOGSYS Logical system
AGR_LSD Role attributes
AGR_MAP MiniApp and Text
AGR_MAPP MiniApps in Role
AGR_MAP_KNUMA Conversion Table AG_GUID CRM <> KNUMA
AGR_MARK Table for report SAPPROFC_NEW
AGR_MEM_INITIAL Agreements: Buffer for Initial Upload
AGR_MINI MiniApps in Role
AGR_MINI2 MiniApps in Role
AGR_MINIT Role mini-appl texts
AGR_MINIT2 Role mini-application texts
AGR_NSPCE Namespace
AGR_NUMBER Internal Counter for Assigning Profile Names
AGR_NUM_2 Internal Counter for Assigning Profile Names
AGR_OBJ Assignment of Menu Nodes to Role
AGR_POPUP Structure for dialog box
AGR_POPUP2 Structure for transaction assignment
AGR_POPUP3 Auxiliary structure to input authorization objects
AGR_PROF Profile name for role
AGR_REL_KNUMA_CM Assignment: Agreement --> Campaign
AGR_SELECT Assignment of roles to Tcodes
AGR_SHIER Structure for the Drag and Drop Tool
AGR_SHIERT Structure for the Drag and Drop Tool
AGR_SHIER_BOR Structure for Additional Details with no STRING Field
AGR_SMENU Transfer structure for role maintenance
AGR_SPRTXT Structure for the Drag and Drop Tool
AGR_START Start Role Maintenance: Structure for Tree
AGR_STRING Structure for the Drag and Drop Tool
AGR_STRUC Structure to transfer Tcodes into the Profile Generator
AGR_ST_NAME Role Name
AGR_TAB PFCG start tree transfer structure
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TCODE3 Assignment of roles to Tcodes
AGR_TCODES Assignment of roles to Tcodes
AGR_TCODES_TEXTS Transaction Codes with Texts from AGRs
AGR_TEXTS File Structure for Hierarchical Menu - Customer
AGR_TIME Time Stamp for Role (Menu, Profile, Authorizations)
AGR_TIMEB Time Stamp for Role (Profile Generation)
AGR_TIMEC Time Stamp for Role (User Assignment)
AGR_TIMED Time Stamp for Role (Profile Comparison, RFC Distribution)
AGR_TRAN Transport modules of external personalization objects
AGR_TRANS Help Structure for Translation
AGR_TXT Role and Text
AGR_UPLO Structure for upload node types
AGR_UPLT Structure for upload node types
AGR_UPLTX Structure for upload description text
AGR_USERS Assignment of roles to users
AGR_USERT Assignment of roles to users
USH02 Change history for logon data
USH02_ARC_TMP Change History for Logon Data: Last Entries from Archive
USH04 Change history for authorizations
USH04_ARC_TMP Authorizations Change History: Last Entries from Archive
USH10 Change history for authorization profiles
USH10_ARC_TMP Change History for Profile Data: Last Entries from Archive
USH12 Change history for authorization values
USH12_ARC_TMP Change History for Authorizations: Last Archive Entries
USR01 User master record (runtime data)
USR02 Logon Data (Kernel-Side Use)
USR03 User address data
USR04 User master authorizations
USR05 User Master Parameter ID
USR06 Additional Data per User
USR06SYS System-Specific User Classification (License-Related)
USR07 Object/values of last authorization check that failed
USR08 Table for user menu entries
USR09 Entries for user menus (work areas)
USR10 User master authorization profiles
USR11 User Master Texts for Profiles (USR10)
USR12 User Master Authorization Values
USR13 Short Texts for Authorizations
USR14 Surchargeable Language Versions per User
USR15 External User Name (Replaced By Table USRACL)
USR16 Values for Variables for User Authorizations
USR20 Date of last user master reorganization
USR21 Assign user name address key
USR21S Shadow table: Assignment of user name to address key
USR22 Logon data without kernel access
USR30 Additional Information for User Menu
USR40 Table for illegal passwords
USR41 User master: Additional data
USR41_MLD Transaction Data for USR41
USRACCNTV Generated Table for View USRACCNTV
USRACL SNC Access Control List (ACL): User
USRACLEXT Extended SNC Access Control List (ACL) for Users
USRARCSTAT Reloaded Archiving Runs
USRATTR Additional Attributes for Users
USRBF User Buffer Contents for Fast RFC Logon
USRBF2 User buffer content for fast RFC logon - new
USRBF3 User Buffer Content for Fast RFC Logon - New
USRCD Structure for Change Documents Display in RSUSR100
USRCDT Structure for Change Documents (Technical View)
USRCOBJ Object Filters for Exploding Product Structures
USRCOMB Critical Combinations of Authorizations
USRCOMBT Short Texts for Critical Combinations of Authorizations
USRCRCOMB Part List of Variants for Critical Combinations of Auths
USRDFLT User Settings Field/Value Combination
USRDFLT_KEY Key for User Settings
USRDFLT_PERS User Settings
USRDFLT_PERS_ALV User Settings - ALV Display
USREF Transfer structure for cross-reference function modules
USREFUS Reference user for internet applications
USREFUSVAR Assignment of Reference User Variable to Reference User
USREL_2 User Administration: Relationship Between Two Objects
USREL_3 User Administration: Relationship Between Three Objects
USREL_AT User Administration: User in Relationship (with Time)
USREL_SA GUM: Assignment of Role/Position to System (Type)
USREL_UA GUM: Assignment of Role to User
USREL_US GUM: Assignment of User (Group) to System (Type)
USREL_USA User Administration: User - System - Activity Group
USREL_UT User Administration: User in Relationship (with Time)
USREL__A User Administration: System - Activity Group
USREL__S User Administration: System in Relationships
USREL__U User Administration: User in Relationship
USREXTID Assignment of External ID to Users
USREXTIDH External ID (Access Using Hash Value)
USREXTIDT Values Table for External ID Type
USREXTIDTT Values Table for External ID Type (Texts)
USRFIELD Central user maintenance: Field maintenance allowed or not
USRFLD CUA: Definition of Logical Fields
USRFLDDEF CUA: Definition of Logical Field Names of ALE Distrib. Users
USRFLDGRP CUA: Field Selection Groups
USRFLDSEL CUA: Field Attributes
USRFLDT CUA: Text Table to Define Logical Fields
USRFLDTSEL Selection of fields
USRFLDVAL CUA: Selection Criteria for Field Attributes
USRGENPRS Table for General Workplace Personalization Data
USRGETFTR Transfer Structure
USRGETSTRC Structure for user transfer
USRGIFAV iPPE Interface: Favorite
USRGIFOL iPPE Interface: Folder
USRGIPROFIL User Assignment to an iPPE Profile
USRGIPROFIL_DYNP Dialog Structure: User Assignment - iPPE Workbench
USRGIPROFIL_WTY Assign User Profile
USRGISETTINGS User Settings for the iPPE Workbench
USRGISTACK iPPE Workbench: Stack
USRINFO Extended User Info for SM04
USRINKONS Reference table for FMs for determining inconsistencies
USRLISTPROFILE Variable List Definition in PDM Environment
USRLUIPROFILE User Assignments to Profiles in the iPPE Workbench Express
USRLUIPROFILE_DYNP User Assignments to Profiles
USRLUISETTINGS User-Specific Settings of the iPPE Workbench Express
USRLUISETTINGS_DYNP User-Specific Settings for Profile
USRM0 Material Master User Settings: Screen Reference "User"
USRM1 Material Master User Settings: Organizational Levels
USRM2 User Settings for the Material Master: Logical Screens
USRM3 Material Master User Settings: Retail Organizational Levels
USRMETHOD Method to be called when distributing users
USRMM User settings: material master
USROBJECTS Table of Previous Initial Object in Structure Overview
USRPDM User-Specific Data in the PDM Environment
USRPWDHISTORY Password History
USRSETTINGS_DYNP User Settings: Navigation Tree - Dialog Structure
USRSTAMP Time Stamp for all Changes to the User
USRSYSACT CUA: Roles in Distributed Systems
USRSYSACTT CUA: Roles in Distributed Systems
USRSYSLNG User's Language in a System
USRSYSPRF CUA: Profiles in Distributed Systems
USRSYSPRFT CUA: Profile Text in Distributed Systems
USRSYSUPL CUA: Price Lists in SAP System
USRSYSUPPL CUA: Assignment of User Types to Price Lists
USRSYSUTPA CUA: System Measurement: User Types with Attributes
USRSYSUTYP CUA: Texts for User Types in SAP System
USRSYSUZUS CUA: Texts for Special Versions
USRSYSVTYP Generated Table for View USRSYSVTYP
USRTICLASS Class Assignment for Tabular Maintenance of iPPE
USRTREECOL User-Specific Column Permutations per Array Type
USRURLPRS Table for Personalization of Services
USRURLSVR Logical Web Servers for Logical Systems (User-Specific)
USRVAR Variants for Critical Authorizations
USRVARCOM Variants of Critical Combinations of Authorizations
USRVARCOMT Short Texts for Variants of Critical Combs of Authorizations
USRVARID Part List of Variants for Critical Authorizations
USRVART Short Texts for Variants of Critical Authorizations
USRVIEWCOL User-Specific Column View
USRVIEWTAB User-specific Tabstrip View
USR_AUFK User-Defined Fields of AUFK
USR_FLAGS Various Flags for Authorization Programs
USR_FLGNT Personal User Settings / Without Transport
USR_LIST Generated Table for View USR_LIST
USR_QUERY BW Query
USR_TREESNODE Node Structure of a Simple Tree (Report SAPTREX3)
USR_VALUES Transfer structure for selection acc. to auth. values

SAP Tables Useful For Basis Admin



 Created by Mahesh Kumar Mukkawar, last modified on Aug 23, 2013


Accessing Tables

SAP Tables can be accessed and maintained by TCodes SE16 and SM30.

User Administration
USR01 - User Master Table: contains the information we provide in SU01
USR02 - Logon data, lock status, password in encrypted format
USR03 - User address data as we see in SU01
USR04 - Profiles assigned to user
USR05 - Parameters assigned to users; you can see these values in the Parameters tab in SU01
USRSTAMP - Last modification time of the user, e.g. profile assignment, password change etc.

SAP Security

AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations (this table gives only organizational data)
AGR_DEFINE Role definition
AGR_USERS Roles assigned to users
AGR_AGRS Roles in Composite Roles
TOBJ Authorization Objects
TDDAT Maintenance Areas for Tables
TSTC SAP Transaction Codes
TPGP ABAP/4 Authorization Groups
USOBT Relation transaction > authorization object
USOBX Check table for table USOBT
USOBT_C Relation Transaction > Auth. Object (Customer)
USOBX_C Check Table for Table USOBT_C

Transport Management System

E070 Gives request number, status, target client and description
E071 Request ID and Object Name

Client Administration

T000 Logical System description. Gives details from TCode SCC4.

Spool Administration

TST01 TemSe: List of objects and parts


TST02 TemSe: Protection rules
TST03 TemSe data

System Component Version

UVERS Deployed component version

CVERS Detailed deployed component version

SVERS Kernel Release Number

Other Useful Tables

SMEN_BUFFC End users' favorite list of transaction codes


Give authorization of SE16 with limited table access

 Created by Dibyendu Patra on Dec 06, 2014


No organization wants to give SE16 access to end users or super users.
The steps below give a user access to SE16 restricted to specific tables.
Suppose you need to give an end user access to just one (or more) Z tables. Apart from these Z
tables, the user will not be able to see the data of any other table.

You need to create an authorization group in SE54. Go to SE54, select Authorization
Groups and click Create/Change.

Then click New Entries and enter an authorization group name and the corresponding
description.
Then save your data and go back.

Then select the radio button Assign Authorization Group and click Create/Change.
Then select both options, Table name and Authorization Group, and press Continue. Then press
Continue again.

Then click New Entries and enter the Z table name along with the authorization group
ZDEV (which you created earlier).

Then save your data. The system will ask you to save this in a TR. You need to save it in a TR
so that it can later be transported to other clients. Create a TR and assign the change to it.

Then go to the user profile and note the role that is assigned to it. You will find
this in SU01 - User - Role.
Here the role is MM_TRAN_1.

Go to t-code PFCG, enter the role and click Edit, then go to the Authorization tab, click
Change Authorization Data and search for the authorization object S_TABU_DIS. You may
need to insert it by clicking Selection criteria.

Then assign the Activity "Display" and the Authorization Group ZDEV (which
you created earlier in SE54).

Then save your data.


Now log on to the SAP system as that user, go to SE16 and enter the table
ZMM_ACD. The system allows access to the table ZMM_ACD. Then enter a
different table instead of ZMM_ACD and press Enter.

You will immediately receive the message "You are not authorized to display this table".

In this way you can give authorization for SE16 with limited table access. If you want to
add more tables, you can easily add them in SE54 (as per the instructions at screenshot
no. 3).
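
An added audit sketch (not part of the original post) of the check the steps above configure: it resolves a table to its authorization group via TDDAT, treating a table with no TDDAT entry as group &NC&, and evaluates each role's S_TABU_DIS values from AGR_1251. All rows are constructed sample data; the roles Z_SUPPORT and Z_OLD, the tables ZHR_PAY and ZTMP_LOG and the AUTH names are hypothetical, and only S_TABU_DIS is modelled.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

NOT_CLASSIFIED = "&NC&"  # group checked for tables that have no TDDAT entry

# Constructed sample rows shaped like SE16 exports (not real system data).
TDDAT = [  # (TABNAME, CCLASS)
    ("ZMM_ACD", "ZDEV"),
    ("ZHR_PAY", "ZHR"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED)
    ("MM_TRAN_1", "S_TABU_DIS", "T-D1000100", "ACTVT", "03", "", ""),
    ("MM_TRAN_1", "S_TABU_DIS", "T-D1000100", "DICBERCLS", "ZDEV", "", ""),
    ("Z_SUPPORT", "S_TABU_DIS", "T-D2000100", "ACTVT", "02", "03", ""),
    ("Z_SUPPORT", "S_TABU_DIS", "T-D2000100", "DICBERCLS", "*", "", ""),
    ("Z_OLD", "S_TABU_DIS", "T-D3000100", "ACTVT", "03", "", "X"),
    ("Z_OLD", "S_TABU_DIS", "T-D3000100", "DICBERCLS", "*", "", "X"),
]


def value_matches(value, low, high):
    """One LOW/HIGH pair: a range if HIGH is set, else a value or * pattern."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def auth_group_of(table, tddat=TDDAT):
    """Authorization group of a table; unassigned tables fall into &NC&."""
    return dict(tddat).get(table, NOT_CLASSIFIED)


def load_authorizations(rows, obj="S_TABU_DIS"):
    """Group active rows into {(role, auth): {field: [(low, high), ...]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, o, auth, field, low, high, deleted in rows:
        # Assumption: DELETED = 'X' marks an inactive authorization.
        if o == obj and not deleted:
            auths[(role, auth)][field].append((low, high))
    return auths


def roles_allowing(table, activity="03", rows=AGR_1251, tddat=TDDAT):
    """Roles in which one authorization covers both activity and table group."""
    group = auth_group_of(table, tddat)
    allowed = set()
    for (role, _auth), fields in load_authorizations(rows).items():
        ok_act = any(value_matches(activity, l, h) for l, h in fields["ACTVT"])
        ok_grp = any(value_matches(group, l, h) for l, h in fields["DICBERCLS"])
        if ok_act and ok_grp:
            allowed.add(role)
    return sorted(allowed)


def broad_roles(rows=AGR_1251):
    """Roles whose DICBERCLS also covers unclassified (&NC&) tables."""
    flagged = set()
    for (role, _auth), fields in load_authorizations(rows).items():
        if any(value_matches(NOT_CLASSIFIED, l, h)
               for l, h in fields["DICBERCLS"]):
            flagged.add(role)
    return sorted(flagged)
```

Roles returned by broad_roles() can display tables that nobody assigned to an authorization group, which is the gap the ZDEV restriction is meant to close.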

SU24 Concept

•Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the
relationships between a particular transaction and its authorization objects. It is possible to add or
remove the checks performed in the transaction by changing the appropriate flag.

•The benefit of transaction SU24 occurs when transactions are added to or deleted from Role Groups
using the Profile Generator.

•When new transactions are added, the Profile Generator will add all authorization values maintained
in SU24 for the transaction(s).

•When deleting a transaction, the Profile Generator will remove all authorization values that are
maintained in SU24 for the transaction.

•Activities performed:

•Check/Maintain Authorization Values

•Addition of Authorization Object to tcode

•Deletion of Authorization Object from tcode

Check Ind. | Proposal | Meaning | Explanation
Check | YS | Check/Maintained | The object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction.
Check | NO | Check | This object will not be inserted into the roles. A check on the object along with the values will be done during the runtime of the transaction.
Do not Check | NO | Do Not Check | The object will not be inserted into the roles and there will not be any check performed during runtime of the transaction.

Status Texts for authorizations


•Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP
defaults

•Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and
has since been filled with a value

•Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has
been changed from the SAP default value.

•Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it
was not proposed by the Profile Generator).

Effect of SU24 changes in Role Groups

•Authorization objects are maintained in SU24 for a particular transaction code. When a transaction
code is added to a role, only the authorization objects maintained for that tcode with check as the
check indicator value and yes as the proposal value will be added to the role group.

1) Adding Tcodes to a role

When a new Tcode is added to a role

•When a new tcode is added to a role, going into either change authorization data or expert
mode provides the same result. All the authorizations maintained for the tcode at SU24 level are added
to the role.

•The program adds new standard authorizations for objects in the roles if the authorization default
values contain objects that previously did not exist or only had authorizations in the status
Changed or Manual.

•A new standard authorization is not included if the authorization fields contain identical
authorizations in the status Standard in both authorizations, and the fields maintained in the old
authorizations are empty in the new standard authorization.

•If there were already authorizations in the status Maintained (active or inactive) or Inactive
Standard before the merge, the program compares the values and the maintenance status
of all authorization fields to determine whether new standard authorizations must be extended.

Changing SU24 values for a tcode

If the authorization data is changed for a tcode in SU24 and the tcode is already present in the role,
then going into expert mode with the option “read old data and compare with new data” will only reflect
the additional changes. Change authorization data will not pull the new data maintained for the tcode
at SU24 level.

2) Removing Tcodes from the role

When you remove transactions from the role menu, this has the following effect on the authorizations.
•A standard authorization for which the associated transaction was removed from the role menu is
removed during the merge, unless at least one other transaction that remains in the menu uses the
same authorization default value. This applies both for active and inactive standard authorizations.

•Authorizations in the statuses Changed and Manual are not affected by the merge. They are
therefore always retained.
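
An added, simplified model of the add and remove rules described above (not SAP code and not from the original page): check indicator Check with proposal YS is inserted as Standard, and on removal only Standard entries that no remaining tcode proposes are dropped, so Changed and Manual entries stay behind for review. The tcodes ZMM01/ZMM02, the Z_* objects and their values are hypothetical, constructed data; the re-merge of Maintained authorizations is not modelled.

```python
# Constructed SU24 data (hypothetical tcodes and objects, not SAP defaults):
# tcode -> {object: (check indicator, proposal, default field values)}
SU24 = {
    "ZMM01": {
        "Z_MAT_DISP": ("Check", "YS", (("ACTVT", "03"),)),
        "Z_MAT_PLNT": ("Check", "YS", (("ACTVT", "03"), ("WERKS", "1000"))),
        "Z_TAB_READ": ("Check", "NO", ()),
        "Z_FILE": ("Do not Check", "NO", ()),
    },
    "ZMM02": {
        "Z_MAT_DISP": ("Check", "YS", (("ACTVT", "03"),)),
    },
}

def proposals(tcode):
    """Defaults the Profile Generator inserts: indicator Check, proposal YS."""
    return {(obj, vals) for obj, (ind, prop, vals) in SU24[tcode].items()
            if ind == "Check" and prop == "YS"}

def checked_at_runtime(tcode):
    """Objects checked when the transaction runs, whether proposed or not."""
    return sorted(o for o, (ind, _, _) in SU24[tcode].items() if ind == "Check")

class Role:
    def __init__(self):
        self.menu = []   # tcodes in the role menu
        self.auths = {}  # (object, field values) -> status text

    def add_tcode(self, tcode):
        self.menu.append(tcode)
        for key in proposals(tcode):
            self.auths.setdefault(key, "Standard")

    def change(self, obj, old_vals, new_vals):
        """Overwriting a proposed value gives the status Changed."""
        del self.auths[(obj, old_vals)]
        self.auths[(obj, new_vals)] = "Changed"

    def add_manual(self, obj, vals):
        self.auths[(obj, vals)] = "Manual"

    def remove_tcode(self, tcode):
        """Merge after removal: drop Standard entries no remaining tcode proposes."""
        self.menu.remove(tcode)
        still_proposed = set().union(*(proposals(t) for t in self.menu))
        for key, status in list(self.auths.items()):
            if status == "Standard" and key not in still_proposed:
                del self.auths[key]

    def leftovers(self):
        """Changed/Manual entries whose object no menu tcode proposes any more."""
        objs = {obj for t in self.menu for obj, _ in proposals(t)}
        return sorted((obj, st) for (obj, _), st in self.auths.items()
                      if st != "Standard" and obj not in objs)

def demo():
    role = Role()
    role.add_tcode("ZMM01")
    role.add_tcode("ZMM02")
    role.change("Z_MAT_PLNT", (("ACTVT", "03"), ("WERKS", "1000")),
                (("ACTVT", "03"), ("WERKS", "*")))
    role.add_manual("Z_FILE", (("ACTVT", "03"),))
    role.remove_tcode("ZMM01")
    return role
```

After demo(), leftovers() lists the widened Z_MAT_PLNT entry and the manual Z_FILE entry even though ZMM01 is gone from the menu.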

When to use SU24?

•To correct authorization objects that are not linked to transaction codes correctly.

•To correct authorization objects that have unacceptable default values.

•To change default values to ones that will always be appropriate for all roles that will ever use the
transaction. This means having blank fields where you need to allow different roles to have different
values.

TDDAT.
TBRG - contains all authorization groups and gives you information about the relation
between authorization object and authorization group.
