SAP Table
Tables are part of the SAP system. All the data entered in SAP is stored in tables in the back-end database. From the SAP application you can see this data through the SAP transactions SE16, SE16N, SE17, and SE11. When a user is given unrestricted access to these transactions, he will be able to see all the data in the SAP tables. This is a huge security hole in the system. For example, a knowledgeable user can go to an HR table and pull out the salary information of the entire company, or get the pricing information of all the products the company sells. Data obtained through this breach could be used to blackmail the company or be sold to competitors.
SAP Table option for grouping
SAP has grouped tables by authorization groups. For example, tables that belong to Human Resources personnel administration are grouped into the HRPA authorization group. This helps in security by restricting a role to particular SAP tables. It is therefore a best practice to assign an authorization group to all the custom tables created by the client. Usually the customer-created tables start with Z or Y. The system will not let you start a table name with any other naming convention.
SAP Table - Securing in the Role
A table can be secured in the role with the authorization object S_TABU_DIS. This object has two fields: one is the authorization group and the other is the activity. The authorization group is the group to which the table belongs. But you do not want to give the user any of the table-browsing transactions such as SE16, SE17 and SE16N. So the only option is to create a custom transaction and link the table to the custom transaction.
Assigning the SAP Table to Authorization Group:
If the client has a lot of custom tables which are not assigned to an authorization group, then these tables have to be assigned to proper authorization groups. Once we have the list of tables, we consult the development and functional teams to identify the authorization groups. These authorization groups can be existing ones, or we can create new authorization groups.
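One way to build that list of tables, as an added example that is not part of the original post: the Python sketch below takes a list of table names and a CSV export of table-to-authorization-group assignments and reports the Z/Y tables that still lack a group. The CSV layout (columns TABNAME and CCLASS), the treatment of an empty value or `&NC&` as "no group", and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, not from a real system. Assumed layout: a CSV export
# of table-to-authorization-group assignments with columns TABNAME and CCLASS.
ASSIGNMENTS_CSV = """TABNAME,CCLASS
PA0008,HRPA
ZHR_BONUS,
ZPRICE_LIST,&NC&
YSD_DISCOUNT,ZSD1
zfi_limits,zfi1
"""
# Constructed list of all tables in the system (e.g. from the data dictionary).
ALL_TABLES = ["PA0008", "MARA", "ZHR_BONUS", "ZPRICE_LIST",
              "YSD_DISCOUNT", "ZFI_LIMITS", "ZMM_VENDOR_NOTES"]

UNASSIGNED = {"", "&NC&"}  # assumption: empty or "not classified" = no group


def is_custom(table):
    """Customer-created tables start with Z or Y."""
    return table.upper().startswith(("Z", "Y"))


def load_assignments(csv_text):
    """Return {TABLE: GROUP}, normalised to upper case."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["TABNAME"] or "").strip().upper(): (r["CCLASS"] or "").strip().upper()
            for r in rows if (r["TABNAME"] or "").strip()}


def audit_custom_tables(all_tables, csv_text):
    """Split custom tables into those lacking a group and those grouped.

    A custom table with no row in the export counts as unassigned too.
    """
    groups = load_assignments(csv_text)
    unassigned, by_group = [], defaultdict(list)
    for table in sorted({t.strip().upper() for t in all_tables}):
        if not is_custom(table):
            continue
        group = groups.get(table, "")
        if group in UNASSIGNED:
            unassigned.append(table)
        else:
            by_group[group].append(table)
    return unassigned, dict(by_group)


if __name__ == "__main__":
    missing, grouped = audit_custom_tables(ALL_TABLES, ASSIGNMENTS_CSV)
    print("Custom tables without an authorization group:", missing)
    print("Custom tables by authorization group:", grouped)
```

The first list is what goes to the development and functional teams for group assignment; the second shows which existing groups already cover custom tables.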
Audit Best Practice - Locking SAP Table with Custom Transaction
One of the best practices is to create a custom transaction for the table, so the user will only be able to display or maintain that particular table. The custom transaction can be created in transaction SE93. The transaction should be of the call transaction type. This will let the user maintain only that particular SAP table with transaction SM30.