Top 5 Common Dummy Authorization Checks in ST01

Below is a list of the top 5 common dummy authorization checks that you will come across in transaction ST01. For those who are unfamiliar with it, from an SAP security perspective transaction ST01 is primarily used to identify the authorization errors a specific user is hitting.

This is useful when the SU53 screenshot is not helpful. SU53 only shows the last authorization error that occurred, even when there are multiple authorization errors or when the actual error occurred well before the most recent one.

The dummy authorizations listed below should almost never be assigned to business users.

The common dummy authorization checks are:

Common Dummy Authorization #1

S_ALV_LAYO Dummy Error


Authorization Object: S_ALV_LAYO (ALV Standard Layout)
Authorization Field: ACTVT (Activity)
Authorization Value: 23 (Maintain)

Common Dummy Authorization #2

S_DOKU_AUT and S_TRANSLAT Dummy Authorization Error


Authorization Object: S_DOKU_AUT (SE61 Documentation Maintenance Authorization)

Authorization Field: DOKU_ACT (Editing Status)
Authorization Field: DOKU_DEVCL (Package for which Docu. Auth.)
Authorization Field: DOKU_MODE (Authorization to maintain, tra)

and

Authorization Object: S_TRANSLAT (Translation environment authorization object)
Authorization Field: ACTVT (Activity)
Authorization Value: 02 (Change)
Authorization Field: TLANGUAGE (Target Language)
Authorization Value: E (English)
Authorization Field: TRANOBJ (Translation: Text type name)
Authorization Value: LONG (Long Text)

Common Dummy Authorization #3

S_ADMI_FCD Dummy Authorization Error


Authorization Object: S_CTS_ADMI (Administration Functions in Change and Transport System)
Authorization Field: CTS_ADMFCT (Administration Tasks for Change)
Authorization Value: TABL (Change Workbench Organizer Control Tables)


Common Dummy Authorization #4

S_CTS_ADMI Common Dummy Authorization Error


Authorization Object: S_CTS_SADM (System-Specific Administration (Transport))
Authorization Field: CTS_ADMFCT (Administration Tasks for Change)
Authorization Value: TABL (Change Workbench Organizer Control Tables)
Authorization Field: DOMAIN (TMS: Transport Domain)
Authorization Field: DESTSYS (Logical System)

Common Dummy Authorization #5

S_ADMI_FCD Dummy Authorization Error


Authorization Object: S_ADMI_FCD (System Authorizations)
Authorization Field: S_ADMI_FCD (System Administration Function)
Authorization Value: PADM (Process Administration Using Trans. SM04, SM50)


Common Dummy Authorization #6 (I know, but had to squeeze this in)

S_DEVELOP Common Dummy Authorization Error


Authorization Object: S_DEVELOP (ABAP Workbench)
Authorization Field: ACTVT (Activity)
Authorization Value: 03 (Display)
Authorization Field: DEVCLASS (Package)
Authorization Field: OBJNAME (Object Name)
Authorization Field: P_GROUP (Authorization Group ABAP4 Pro)

Hope you find these SAP Security tips helpful.

– SAP Security Help
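The triage described in the post above, as an added example that is not part of the original post: it separates the listed dummy checks from the failures worth investigating and shows which object SU53 would have reported. The trace layout (OBJECT;RC;FIELD=VALUE,...), the sample rows and the object Z_SAMPLE_OBJ are constructed for illustration, not an actual ST01 export format.

```python
# Dummy-check signatures taken from the list above: (object, {field: value}).
# Fields the post lists without a value are left unconstrained, so an entry
# with an empty dict matches every failed check on that object.
DUMMY_CHECKS = [
    ("S_ALV_LAYO", {"ACTVT": "23"}),
    ("S_DOKU_AUT", {}),
    ("S_TRANSLAT", {"ACTVT": "02", "TLANGUAGE": "E", "TRANOBJ": "LONG"}),
    ("S_CTS_ADMI", {"CTS_ADMFCT": "TABL"}),
    ("S_CTS_SADM", {"CTS_ADMFCT": "TABL"}),
    ("S_ADMI_FCD", {"S_ADMI_FCD": "PADM"}),
    ("S_DEVELOP", {"ACTVT": "03"}),
]

# Constructed sample rows in an assumed layout: OBJECT;RC;FIELD=VALUE,...
# Assumption: RC 0 means the check passed, any other RC means it failed.
SAMPLE_TRACE = """\
S_TCODE;0;TCD=IK11
S_ALV_LAYO;4;ACTVT=23
Z_SAMPLE_OBJ;4;ACTVT=02
S_DEVELOP;12;ACTVT=03,DEVCLASS=,OBJNAME=,P_GROUP=
S_ADMI_FCD;4;S_ADMI_FCD=PADM
"""

def parse_trace(text):
    """Turn the constructed trace text into ordered row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, rc, fields = line.split(";", 2)
        values = dict(f.split("=", 1) for f in fields.split(",") if f)
        rows.append({"object": obj.strip(), "rc": int(rc), "values": values})
    return rows

def is_dummy(row):
    """True when a failed check matches one of the signatures above."""
    return any(
        row["object"] == obj
        and all(row["values"].get(k) == v for k, v in want.items())
        for obj, want in DUMMY_CHECKS
    )

def triage(text):
    """Split failed checks into dummy ones and ones to investigate."""
    failed = [r for r in parse_trace(text) if r["rc"] != 0]
    return {
        "su53_would_show": failed[-1]["object"] if failed else None,
        "dummy": [r["object"] for r in failed if is_dummy(r)],
        "investigate": [r["object"] for r in failed if not is_dummy(r)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

In the sample, the last failure is itself a dummy check, while the failure that needs a role change sits earlier in the trace.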


Restricting Measurement Documents (IK11, IK34)

After further testing, measurement document restrictions are based on measuring points. No standard authorization check restricting on plant occurs when creating a measurement document via IK11.

However, if an authorization group is maintained within a measuring point in IK02 or IK01, when creating a measurement document in IK11, a standard authorization check occurs based on the authorization group of the measuring point the measurement document is referencing. Maintaining authorization groups for measuring points is an option to restrict the measurement documents in IK11 or even IK34.

– SAP Security Help


Checking the Password Status of Standard SAP Users

Whenever a new SAP system is built, upgraded, copied, or restored from backup, one of the very first tasks an SAP Security Administrator should do is check whether the default standard users provided by SAP have had their default passwords changed, have been locked, or in some cases have had their profiles removed.

Below are the default passwords for the standard users in SAP.

User | Description | Clients | Default Password
SAP* | SAP system super user | 000, 001, and 066 | 06071992
SAP* | SAP system super user | New Clients | PASS
EARLYWATCH | Dialog user for the Early Watch service | 066 | support
DDIC | Software logistics and ABAP Software logistics super user | 000 and 001 | 19920706

A report that can be run to make sure the default passwords for the standard SAP users above have been changed is RSUSR003. This report lists all standard users in each client and indicates whether the standard password has been changed.

To run this RSUSR003 report:

1. Go to transaction SA38

2. Enter RSUSR003 in the program field

3. Click the Execute button on the top-left or press F8

Execute RSUSR003 in SA38

Enter RSUSR003 and press F8

4. Uncheck “Display Profile Parameters”

5. Hit Execute or press F8

RSUSR003 - Uncheck Display Profile Parameters


6. You will now see a list of standard SAP users along with information indicating whether the user is locked and whether the password has been changed from its default.

RSUSR003 Report


Depending on your organization’s requirements, you may have some, all, or none of the users locked. But you definitely want to make sure that at the very minimum, your default password has been changed. Hope you find this information on RSUSR003 helpful.

– SAP Security Help
