SAP Security Reports: Authorizations, Roles & Users

When working on SAP tasks (implementation tasks and daily, weekly or monthly operational tasks), we encounter the topic of authorizations, roles and users very often. SAP provides a comprehensive set of reports to help with this.

Under the User Information System (TCODE: SUIM), you can find the comprehensive set of reports listed below.


RSUSR000 : Currently Active Users

RSUSR002 : Users by Complex Selection Criteria

RSUSR002_ADDRESS : Users by address data

RSUSR003 : Check the Passwords of Users SAP* and DDIC in All Clients

RSUSR004 : Restrict User Values to the Following Simple Profiles and Auth. Ob

RSUSR005 : List of Users With Critical Authorizations

RSUSR006 : Locked Users and Users with Incorrect Logons

RSUSR007 : Display Users with Incomplete Address Data

RSUSR008 : Critical Combinations of Authorizations at Transaction Start

RSUSR008_009_NEW : List of Users With Critical Authorizations

RSUSR009 : List of Users With Critical Authorizations

RSUSR010 : Transactions for User, with Profile or Authorization

RSUSR011 : Lists of transactions after selection by user, profile or obj.

RSUSR012 : Search authorizations, profiles and users with specified object va

RSUSR020 : Profiles by Complex Selection Criteria

RSUSR030 : Authorizations by Complex Selection Criteria

RSUSR040 : Authorization Objects by Complex Selection Criteria

RSUSR050 : Comparisons

RSUSR060 : Where-used lists

RSUSR060OBJ : Where-Used List for Authorization Object in Programs and Transacti

RSUSR061 : Enter Authorization Fields

RSUSR070 : Roles by Complex Selection Criteria

RSUSR080 : Users by License Data

RSUSR100 : Change Documents for Users

RSUSR101 : Change Documents for Profiles

RSUSR102 : Change Documents for Authorizations

RSUSR200 : List of Users According to Logon Date and Password Change

RSUSR300 : Set External Security Name for All Users

RSUSR301 : Fill non-checking transactions with auth.object S_TCODE

RSUSR302 : Delete authorization check on object S_TCODE from table TSTCA

RSUSR304 : Reload Table TSTCA From Table TSTCA_C

RSUSR400 : Test Environment Authorization Checks (SAP Systems Only)

RSUSR401 : Report to give all SAPCPIC users profile S_A.CPIC

RSUSR402 : Download user data for CA manager from Secude

RSUSR403 : Assign Profile S_A.CPIC to User SAPCPIC in Current Client

RSUSR404 : Conversion Program for Authorizations of Basis Development Environ

RSUSR405 : Reset all user buffers in all clients (uncritical)

RSUSR406 : Automatically Generate Profile SAP_ALL

RSUSR406_OLD : Automatically Generate Profile SAP_ALL

RSUSR408 XPRA : Conversion of USOBX-OKFLAG, USOBX-MODIFIED for upgrade tool

RSUSR409 : Transfer all translated titles to generated transaction codes

RSUSR421 : Clean-up report: TSTC-CINFO if no check in TSTCA

RSUSR500 : User Administration: Compare Users in Central System

RSUSR500D : Report RSUSR500D

RSUSR998 : Call Reporting Tree Info System

RSUSREXT : Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)

RSUSREXTID : Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)

RSUSRLOG : Log Display for Central User Administration

RSUSRSCUC : CUA: Synchronization of the Company Addresses

RSUSRSUIM : User Information System

RSUSR_S_USER_SAS : Activate Authorization Object S_USER_SAS

RSUSR_S_USER_SAS_01 : Complete Authorization Data for S_USER_SAS in Roles

RSUSR_S_USER_SAS_02 : Convert Authorization Defaults

RSUSR_SYSINFO_PROFILE : Report cross-system information/profile

RSUSR_SYSINFO_ROLE : Report cross-system information/role

RSUSR_SYSINFO_ZBV : Report cross-system information/CUM



User/Security tables

DEVACCESS : Table of development users including dev access key

USR02 : Logon data

USR04 : User master authorization (one row per user)

UST04 : User profiles (multiple rows per user)

USR10 : Authorisation profiles (e.g. &_SAP_ALL)

UST10C : Composite profiles (i.e. a profile that has sub-profiles)

USR11 : Text for authorisation profiles

USR12 : Authorisation values

USR13 : Short text for authorisation

USR40 : Table of illegal passwords

OBJT : Authorisation object table


Tables connected to roles

AGR_DEFINE : Role definition

AGR_PROF : Profile name for role

AGR_USERS : Assignment of roles to users

AGR_TCODES : Assignment of roles to Tcodes

AGR_1251 : Roles with authorization objects and values (as seen in SU01 -> Roles)

AGR_1016 : Name of the activity group profile

USR10 : User master authorization profiles

UST12 : User master authorizations

USOBT : Relation transaction > authorization object; which objects are checked