Security Tables
USR* tables contain user master information.
AGR* tables contain data about roles.
USH* tables hold change document information.
You can use SQVI or SE16 to get data from these tables.
Table Description
AGR_1016 Name of the activity group profile
AGR_1016B Name of the activity group profile
AGR_1250 Authorization data for the activity group
AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations
AGR_AGRS Roles in Composite Roles
AGR_DEFINE Role definition
AGR_HIER2 Menu structure information - Customer vers
AGR_HIERT Role menu texts
AGR_OBJ Assignment of Menu Nodes to Role
AGR_PROF Profile name for role
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TEXTS File Structure for Hierarchical Menu - Cus
AGR_TIME Time Stamp for Role: Including profile
AGR_USERS Assignment of roles to users
USER_ADDR Address Data for users
USGRP User groups
USGRPT Text table for USGRP
USH02 Change history for logon data
USOBT Relation transaction to authorization object (SAP)
USOBT_C Relation Transaction to Auth. Object (Customer)
USOBX Check table for table USOBT
USOBX_C Check Table for Table USOBT_C
USOBXFLAGS Temporary table for storing USOBX/T* chang
USR01 User Master Data (runtime data)
USR02 Logon data (password, user name, validity date, etc.)
USR04 User master authorization (one row per user)
USR06 License data
USR10 Authorisation profiles (i.e. &_SAP_ALL)
USR11 Text for authorisation profiles
USR12 Authorisation values
USR13 Short text for authorisation
USR40 Table for illegal passwords (never enter * in this table)
UST04 User profiles (multiple rows per user)
UST10C Composite profiles (i.e. profile has sub profile)
Accessing Tables
SAP Tables can be accessed and maintained by TCodes SE16 and SM30.
User Administration
USR01 - User Master Table: contains the information we provide in SU01
USR02 - Logon data, lock status, password in encrypted format
USR03 - User address data as we see it in SU01
USR04 - Profiles assigned to user
USR05 - Parameters assigned to users; you can see these values in the Parameters tab in SU01
USRSTAMP - Last modification time of the user, e.g. profile assignment, password change, etc.
Most organizations do not want to give end users or super users unrestricted access to SE16.
The steps below give a user access to SE16 limited to specific tables.
Suppose you need to give an end user access to just one (or more) Z table. Apart from this Z
table, the user will not be able to see data in any other table.
You need to create an authorization group in SE54. Go to SE54, select Authorization
Groups and click Create/Change as shown below:
Then click New Entries and enter an authorization group name and the corresponding
description.
Then save your data and go back.
Then select the radio button Assign Authorization Group and click Create/Change.
Then select both options, Table name and Authorization Group, and press Continue. Then
press Continue again.
Then click New Entries and enter the Z table name along with the authorization group
ZDEV (which you created earlier) as below:
Then save your data. The system will ask you to save this in a TR. You need to save it in a TR so
that it can later be transported to other clients. Create a TR and assign the entry to it.
Then go to the user profile and find the role that is assigned to the user. You will find
this in SU01 - User - Role.
Here the role is MM_TRAN_1.
Go to transaction PFCG, enter the role and click Edit, then go to the Authorization tab, click
Change Authorization Data and search for the authorization object S_TABU_DIS. You may
need to insert it by clicking Selection criteria.
Then set the Activity to "Display" and the Authorization Group to ZDEV (which
you created earlier in SE54) as below:
You will immediately receive the message "You are not authorized to display this table", as
below:
In this way you can grant SE16 authorization with limited table access. If you want to
add more tables, you can easily add them in SE54 (as per the instructions for screenshot
no. 3).
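To verify the result of this procedure, the tables named on this page can be exported with SE16 and cross-checked offline. The following is an added example, not part of the original page: it resolves which tables each user can display through S_TABU_DIS by joining AGR_USERS, AGR_1251 and TDDAT. The rows are constructed sample data (only ZDEV and MM_TRAN_1 come from the page), the column names are assumed to match the exported fields, and value ranges and patterns in DICBERCLS are not modelled.

```python
from collections import defaultdict

# Constructed rows standing in for SE16 exports. Only ZDEV and MM_TRAN_1
# come from the page; users, tables and the other role are invented.
AGR_1251 = [  # (AGR_NAME, AUTH, OBJECT, FIELD, LOW)
    ("MM_TRAN_1", "T_AUTH_01", "S_TABU_DIS", "ACTVT", "03"),
    ("MM_TRAN_1", "T_AUTH_01", "S_TABU_DIS", "DICBERCLS", "ZDEV"),
    ("Z_SUPPORT", "T_AUTH_02", "S_TABU_DIS", "ACTVT", "03"),
    ("Z_SUPPORT", "T_AUTH_02", "S_TABU_DIS", "DICBERCLS", "*"),
    ("Z_SUPPORT", "T_AUTH_03", "S_TCODE", "TCD", "SE16"),
]
AGR_USERS = [("MM_TRAN_1", "ENDUSER1"), ("Z_SUPPORT", "SUPPORT1")]  # (AGR_NAME, UNAME)
TDDAT = [("ZMM_STOCK", "ZDEV"), ("ZHR_PAY", "ZHR"), ("ZFI_BANK", "ZFI")]  # (TABNAME, CCLASS)


def s_tabu_dis_instances(agr_1251):
    """Collect S_TABU_DIS field values per (role, authorization) instance.

    ACTVT and DICBERCLS only combine inside one authorization, so values
    from different instances must not be mixed.
    """
    instances = defaultdict(lambda: defaultdict(set))
    for role, auth, obj, field, low in agr_1251:
        if obj == "S_TABU_DIS":
            instances[(role, auth)][field].add(low)
    return instances


def displayable_tables(user, agr_1251=AGR_1251, agr_users=AGR_USERS, tddat=TDDAT):
    """Return (sorted tables the user can display, wildcard group granted?)."""
    roles = {role for role, uname in agr_users if uname == user}
    tables, wildcard = set(), False
    for (role, _auth), fields in s_tabu_dis_instances(agr_1251).items():
        # Assumption: only activity 03 (Display) or * counts as display access.
        if role not in roles or not fields["ACTVT"] & {"03", "*"}:
            continue  # not this user's role, or no Display activity
        groups = fields["DICBERCLS"]
        wildcard = wildcard or "*" in groups
        tables |= {tab for tab, grp in tddat if "*" in groups or grp in groups}
    return sorted(tables), wildcard


if __name__ == "__main__":
    for uname in ("ENDUSER1", "SUPPORT1"):
        print(uname, displayable_tables(uname))
```

A user whose second return value is True holds the authorization group `*` and is not limited to the tables assigned in SE54.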
SU24 Concept
•Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the
relationships between the particular transaction and its authorization objects. It is possible to add or
subtract the checks performed in the transaction by changing the appropriate flag.
•The benefit of transaction SU24 occurs when transactions are added to or deleted from Role Groups
using the Profile Generator.
•When new transactions are added, the Profile Generator will add all authorization values maintained
in SU24 for the transaction(s).
•When a transaction is deleted, the Profile Generator will remove all authorization values that are
maintained in SU24 for the transaction.
•Activities performed:
•Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and
has since been filled with a value
•Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has
been changed from the SAP default value.
•Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it
was not proposed by the Profile Generator).
•Authorization objects are maintained in SU24 for a particular transaction code. When a transaction
code is added to a role, only the authorization objects maintained for that tcode with check as the
check indicator value and yes as the proposal value will be added into the role group.
•When a new tcode is added to a role, going into either change authorization data or expert
mode gives the same result. All the authorizations maintained for the tcode at SU24 level are added
to the role.
•The program adds new standard authorizations for objects in the roles if the authorization default
values contain objects that were previously not existing
if the authorization fields contain identical authorizations in the status Standard in both authorizations,
and the fields maintained in the old authorizations are empty in the new standard authorization.
If the authorization data is changed for any tcode in SU24 and the tcode is already present in the role,
then going into expert mode with the option “read old data and compare with new data” will reflect only
the additional changes. Change authorization data will not pull the new data maintained for the tcode
at SU24 level.
When you remove transactions from the role menu, this has the following effect on the authorizations:
•A standard authorization for which the associated transaction was removed from the role menu is
removed during the merge, unless at least one other transaction that remains in the menu uses the
same authorization default value. This applies both for active and inactive standard authorizations.
•Authorizations in the statuses Changed and Manual are not affected by the merge. They are
therefore always retained.
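The merge rules above can be tried out with a small model. This is an added example, not SAP's code and not part of the original page: it is a simplified, object-level model of the rules as stated here, and the transaction and object names (ZMM01, ZMM02, Z_OBJ_*) are invented.

```python
# Constructed SU24-style defaults: tcode -> {object: (check indicator, proposal)}.
# Transaction and object names are invented for this example.
SU24_DEFAULTS = {
    "ZMM01": {"Z_OBJ_A": ("check", "yes"), "Z_OBJ_X": ("check", "no")},
    "ZMM02": {"Z_OBJ_A": ("check", "yes"), "Z_OBJ_B": ("check", "yes"),
              "Z_OBJ_D": ("check", "yes")},
}


def proposed_objects(menu):
    """Objects pulled into the role: check indicator 'check' and proposal 'yes'."""
    return {
        obj
        for tcode in menu
        for obj, (check, proposal) in SU24_DEFAULTS.get(tcode, {}).items()
        if check == "check" and proposal == "yes"
    }


def merge(menu, auths):
    """Apply the merge rules to auths, a dict of object -> status.

    Standard entries survive only while a transaction in the menu still
    proposes them; Changed and Manual entries are always retained.
    (Status Maintained is left out: the page gives no removal rule for it.)
    """
    wanted = proposed_objects(menu)
    merged = {
        obj: status
        for obj, status in auths.items()
        if status in ("Changed", "Manual") or obj in wanted
    }
    for obj in wanted:
        merged.setdefault(obj, "Standard")  # newly proposed objects arrive as Standard
    return merged


def demo():
    """Build a role from two transactions, edit it, then drop ZMM02 from the menu."""
    auths = merge({"ZMM01", "ZMM02"}, {})
    auths["Z_OBJ_D"] = "Changed"   # administrator changed the proposed values
    auths["Z_OBJ_M"] = "Manual"    # administrator inserted an object by hand
    return merge({"ZMM01"}, auths)


if __name__ == "__main__":
    print(demo())
```

In the demo, Z_OBJ_A stays because ZMM01 still proposes it, Z_OBJ_B is removed with its transaction, and the Changed and Manual entries remain in the role even though nothing in the menu needs them any longer, which is why they deserve a review after every menu change.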
To correct authorization objects that are not linked to transaction codes correctly
TDDAT.
TBRG - contains all auth groups and gives you information about the relation
between auth object and auth group.