SAP Community - NW ABAP User Administration and Authorization

Issue with Screen Enhancement PBO in SAP AS03 (Asset Master) - On-Premise 2020 vs. 2023

2025-06-08T06:41:02.963000+02:00

Dear Team/Colleagues,

I am encountering an issue with a screen enhancement implemented for the Asset Master Data (transactions AS01, AS02, AS03) in our SAP on-premise 2020 system.

I followed the steps outlined in the SAP Community blog post: https://community.sap.com/t5/application-development-and-automation-blog-posts/adding-z-fields-to-asset-master-screen-aist0002-t-codes-as01-as02-as03/ba-p/13208878 to add custom Z-fields.

The problem is that the Process Before Output (PBO) module of my custom subscreen is not being triggered in our SAP on-premise 2020 release. As a result, I am unable to disable fields in AS03, and any validations or Listbox functionalities defined in the PBO are not working.

Interestingly, I've observed that the PBO is being triggered correctly for the same enhancement in an SAP on-premise 2023 release system.

Could you please help me understand why this behaviour differs between the two releases and what I might have missed or need to adjust for our 2020 environment?

Thank you

Restricting BNK_MONI T-code

2025-08-11T14:58:25.019000+02:00

Hi,

Any idea how can we restrict BNK_MONI T-code on the basis on company code since even after restricting, users are able to run for all company code?

Thanks,

Syed Imam

Can you tell me what authoirzation is missing for this SU53 screenshot

2025-09-03T15:14:20.812000+02:00

USGRPT table TEXT field translation

2025-09-03T17:39:06.080000+02:00

I was trying to translate the field TEXT from this table but it doesn't appear on the tab " go to -> translate" like others object do. So the thing is, I went to se63 transaction and tried to use the object types DOMA and DTEL but I didn't get the results I was looking for. Please, someone had the same problem as me and can bring some light to the issue? thanks in advanced.

Population of field TECHDESC in table USR21

2025-09-08T10:04:50.835000+02:00

Since recent upgrade to SAP S/4HANA, we have noticed that some workflows are checking for a value in field TECHDESC in table USR21.

In table USR21 field TECHDESC, we have records that are populated with First Name & Last Name, and we have blank records in that field also.

We would like to know what is the data flow path / update mechanism, for the field TECHDESC to get populated with a value? Is there a link to HR infotype to obtain the person's first name & last name?

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Can an S-User ID, to access Cloud Resources for S/4HANA, be assigned to an @army.mil email account?

2025-09-11T23:53:17.163000+02:00

In support of a US Army Green Field S/4HANA Private Cloud Edition implementation, there are several developers and technical team members (users) with @Army.mil e-mail accounts.
Can an S-User ID be initiated and assigned to these users, or must they register with a .com e-mail account?

Table TOBJ list of authorization EHP8

2025-09-12T20:26:35.954000+02:00

Hi Expert,

I have list authorization of table TOBJ for object class SD after upgrade to EHP8.

Anyway to know that this is new authorization object after upgrade to EHP8?

And do i need to assign this new authorization object to user role one by one.

Thanks in advance.

can we rerun SU25 step 2a,2b,2c

2025-09-14T11:18:33.518000+02:00

Hi expert

after upgrade to EHP8, can we rerun Su25 2a,2b,2c as many times as we needed?

this is just comparison. isn't it? no harm if more business users work together?

if we would like to see only new authorization object after upgrade which step to do pls?

@olgavlachova

Pls advise.

ROLE AUTHORIZATION PFCG

2025-09-17T17:34:11.718000+02:00

Good afternoon,

Let's see if someone can help me with this role issue because it's not easy at all.

I've been working with SAP for a while but I can't seem to find the solution. Let me explain:

1) I have a user (USER1) with several assigned roles. This user does not have authorization to access Tx SE16.

2) I have a role created by me (ROL1) that allows access to SE16 and contains the following: - Authorization object S_TCODE - TCD SE16 - Authorization object S_TABU_NAM - ACTVT 03, TABLE ZXX1.

3) I have another empty user (USER2). If I assign the role created by me (ROL1), it works perfectly, and the user has access to SE16 for table ZXX1. If, for example, I try to access table ZXX2, it doesn't let me because there is no authorization. So far, everything is fine.

Now comes the strange part:

4) If I assign my role (ROL1) to user USER1, who has several roles assigned but does not have access to SE16, the user can access SE16 (correct because ROL1 allows it), but in addition to being able to access ZXX1, they can also access ZXX2 and all tables in the system.

Why can they access all tables if they only have access to ZXX1?

How can I configure it so that USER1 can only access certain tables?

Thank you in advance for your help.

How to restrict the Ledger to only 2L and YS

2025-09-25T16:28:19.971000+02:00

Hi,

I have restricted the ledger to 2L (Statutory Ledger) & YS(Tax Ledger). However user is still able to post on 0L (IFRS Ledger). Screenshot attached. Does anyone have any idea how to restrict on this ?

just to add-- this is an Security/authorization issue and not functional.

Inquiry Regarding Removal of TCD: SU01 from Authorization Object S_TCODE

2025-10-10T10:13:02.716000+02:00

Dear SAP Support Personnel,

I would like to remove TCD: SU01 from the Authorization Object: S_TCODE for a specific role.
However, since the object containing TCD: SU01 is part of the standard configuration, it cannot be deleted directly.
I would appreciate your guidance on the following two points:

1.When Authorization Object: S_TCODE is standard, is removing the SU01 node from
PFCG > Menu > Hierarchy > Role Menu the only way to delete the transaction?

2.After removing the node and updating the profile, several authorization objects were added or suggested in the Authorization Data.
Could you please advise on a simple method to compare the authorizations before and after the profile update?

Thanks and best regards,
A.

Probleme SU01 Berechtigungen

2025-10-15T11:49:03.798000+02:00

Hallo zusammen,

folgende Situation:

Die Techniker in meinem Team sollen die SU01 nutzen können. Sie sollen dabei 03 Aktivität haben und in bestimmten Fällen, z. B. für die Erstellung eines RFC Users, dürfen sie die 02 Aktivität haben.

Nun habe ich zum Test eine Rolle erstellt, die im Menü nur die Transaktion SU01 hat. Die dabei generierten Berechtigungen habe ich zum Testen erstmal alle auf Aktivität 03 gesetzt und bestimmte Berechtigungen wie z. B. für HR gelöscht/deaktiviert. Außerdem habe ich in der Berechtigung S_USER_GRP ausschließlich die User Gruppe für RFC User hinzugefügt.

Als ich die Rolle testen wollte, hatte ich dennoch vollen Zugriff auf die SU01 und konnte auch jede andere Usergruppe bearbeiten. Die Transaktion SU01 zeigt mir innerhalb der Transaktion in einer Message-Box eine rote Error-Meldung an, dass mir die nötigen Berechtigungen fehlen, um Änderungen durchzuführen, jedoch kann ich es trotzdem machen.

Bisherige Tests:

– Ich habe meinem User alle Rollen nehmen lassen und nur diese Rolle für SU01 hinzufügen lassen. Ergebnis bleibt, dass ich bearbeiten kann.

– Mein User hat kein extra Profil oder SAP_ALL etc., nur das Profil, welches aus der Rolle für SU01 generiert wird.

-In der SU53 werden mir auch, korrekt, meine fehlenden Aktivität wie die 02 in der Berechtigung S_USER_GRP angezeigt. Wie oben beschrieben kann ich dennoch bearbeiten.

-In der SUIM habe ich über die komplexe Berechtigungsobjektsuche die Berechtigung S_USER_GRP mit der Aktivität 02 gesucht und das System hat mir die Rolle angezeigt, die ich erstellt habe und die ausschließlich die Aktivität 03 hat.

Technische Details: Mein System ist ein BW System mit der Installierten Version SAP BW/4HANA 2021 SP/FP 08 03/2024

Ich hoffe nun das jemand von euch mir dabei helfen kann.

Copy users and production profiles to quality

2025-10-15T23:31:16.207000+02:00

Good morning, could you please advise me on the possible options for copying users and profiles from production to quality? I need to have the users and profiles certified in both environments.

STAUTHTRACE

2025-10-30T07:01:19.807000+01:00

what does access filtering column in STAUTHTRACE result means? And how is it useful?

IAS-IPS (SAP Security)

2025-11-07T15:28:51.630000+01:00

IAS & IPS

Content :

SAP Identity Authentication Service (IAS)
SAP Identity Provisioning Service (IPS)
Real World Scenario

SAP Identity Authentication Service (IAS)

IAS is SAP’s cloud-based authentication service.

Its core job is to make sure “the right user logs in securely to the right SAP application.”

Think of IAS as the gatekeeper.

What IAS Does

Authenticates Users (Login / Sign-in)

IAS verifies user identity when they try to log in to:

SAP BTP
SAP SuccessFactors
SAP Ariba
SAP Analytics Cloud
SAP S/4HANA Cloud
Any custom application connected to IAS

It checks:

Username + Password
Multi-Factor Authentication (OTP, SMS, Email, Authenticator App)
Certificates
Biometrics (via device IdP)

Single Sign-On (SSO)

IAS supports:

SAML 2.0
OAuth 2.0
OpenID Connect (OIDC)

So your users log in once and access all SAP apps without logging in again.

Acts as an Identity Provider (IdP)

IAS can serve as

Primary IdP

IAS handles authentication directly

Proxy IdP

IAS redirects authentication to:

Microsoft Azure AD
ADFS
Okta
Ping Identity
Any SAML-based IdP

IAS becomes the bridge between SAP systems and corporate identity providers.

Conditional Authentication Policies

IAS can decide:

Who can log in
From where
Under what conditions

Examples:

Allow MFA only when user logs in from outside office
Block login from certain countries
Force password reset for risky accounts
Apply SSO only for trusted devices

User Store (Identity Directory)

IAS stores user accounts, including:

Username
Email
First Name / Last Name
Groups
Password (if local authentication)

Note : BUT IAS does NOT create users automatically — IPS usually does provisioning.

Authorization Pre-Processing (via Groups → Mappings)

IAS can assign groups, and these groups can be mapped in target apps (like SAP BTP) to give role collections.

IAS Group = “FinanceUsers”

→ Mapped to

BTP Role Collection = “Finance App Access”

But IAS itself does NOT assign app roles.

Note : IAS group can only be mapped to BTP role collections, not to PFCG Role etc.

Branding & Custom Login Pages

IAS allows full customization of login screens:

Company logo
Color theme
Background
Messages
Terms & conditions

Security Enforcement

IAS applies:

Password policies
MFA rules
Account lockout rules
Device trust
Risk-based authentication

What IAS Does NOT Do

IAS does NOT create users(IPS or external IdP does)
IAS group does NOT assign roles in S/4, SAC, Ariba, etc.
IAS does NOT do provisioning(IPS does)
IAS does NOT perform GRC / SoD checks(IAG does)

SAP Identity Provisioning Service (IPS)

IPS is SAP’s central user provisioning and synchronization service.

It moves users from one system to another, ensuring that user accounts, attributes, and group/role assignments stay consistent across:

SAP BTP
IAS (Identity Authentication Service)
SAP S/4HANA Cloud
SAP Ariba
SAP SuccessFactors
SAP Analytics Cloud
Azure AD, Okta, Ping, etc.

Think of IPS as the “delivery service” for user accounts.

What IPS Does

Creates Users in Target Systems

IPS automatically provisions users into multiple systems.

Example:
SuccessFactors → IPS → IAS → BTP → S/4HANA

IPS can create user accounts in:

IAS
SAP BTP
S/4HANA Cloud
SAP Ariba
SAP Concur
SAP Analytics Cloud (via SCIM)

Updates User Attributes

If an employee changes department, email, manager, etc., IPS updates the data in all connected systems.

Example:
SuccessFactors updates → IPS sync → IAS/BTP/S4/Ariba update

Deletes / Deactivates Users

When an employee leaves the company, IPS can mark them inactive or delete their user account.

Maps and Transforms Attributes

IPS allows:

Attribute mapping
Attribute transformation
Conditional provisioning

Example:
IF user.department = "Finance" → assign group “FIN_USERS”

Assigns Groups / Roles (but not everywhere)

IPS can assign:

IAS Groups
BTP Role Collections
S/4HANA Business Roles
SAP Ariba groups
SAC roles (via SCIM)

But only where system supports it.

Connects to Many Identity Sources

IPS can read users from:

Azure AD
SuccessFactors
IAS
LDAP
Okta
On-premise systems (via Cloud Connector)

What IPS does NOT do

IPS does NOT Authenticate Users (IAS does)

Real World Scenario

Company:

A global manufacturing company using:

SAP SuccessFactors (HR system of record)
SAP BTP (custom apps, Integration Suite)
SAP S/4HANA Cloud (ERP)
SAP Ariba (Procurement)
SAP IAS (Authentication)
SAP IPS (Provisioning)
SAP IAG (Access Governance)

Scenario 1: A New Employee Joins the Company

Step 1 — Employee is Hired in SuccessFactors

HR creates a new employee: Rohan Sharma with below details

Department: Finance
Location: India
Manager: Priya Singh
Job: Accounts Payable Analyst

SuccessFactors stores all HR attributes.

Step 2 — IPS Reads Rohan’s Data from SuccessFactors

IPS acts as the "provisioning engine."

Flow: SuccessFactors → IPS → IAS

IPS automatically:

Reads new user
Maps attributes
Creates user in IAS
Assigns IAS group “Finance_Employees”
Pushes email, username, and department

Step 3 — IAS Creates User Entry + Prepares Authentication

IAS now has user:

Username: rohan.sharma
Email: rohan.sharma@company.com
Group: Finance_Employees
Status: Active

IAS does NOT assign roles.

IAS only sets up login policies:

MFA required
Corporate SSO allowed
Conditional rule: India region → allow password login

Step 4 — IAG Triggers Access Request Workflow

Rohan needs access to:

SAP BTP Finance App
S/4HANA Finance Business Roles
Ariba Buyer Role

In large companies, users cannot get access automatically,they must request access via IAG.

Flow:

Rohan goes to IAG Access Request Portal
Selects: "Finance Analyst Access Package"
Request goes to Manager (Priya Singh)
IAG performs SoD checks  No conflicting roles  No risk
Manager approves

Step 5 — IAG Sends Provisioning Action to IPS

After approval:

IAG → IPS → Target Systems

IPS now provisions the approved roles

In SAP BTP: Assigns BTP Role Collection:

Finance_Analyst_RoleCollection

In S/4HANA Cloud: Assigns Business Roles:

AP_STANDARD

FIN_POSTING

FIN_DISPLAY

In SAP Ariba: Assigns Ariba group:

Buyer_Professional

Step 6 — Rohan Logs In to SAP Systems

Rohan logs in to:

SAP BTP App

IAS checks login
IAS → BTP trusts IAS
BTP picks up role collection assigned via IPS

S/4HANA Cloud

Login route:
Browser → IAS → S/4
S/4 checks Business Role assignments provisioned via IPS

Ariba

IAS federates login → Ariba validates user groups

Step 7 — Rohan Changes Department (Employee Movement)

After 1 year, Rohan moves from Finance to Supply Chain.

HR updates this in SuccessFactors.

IPS reads update
IPS updates IAS + BTP + S/4HANA + Ariba
IAG dynamically checks if old roles must be removed.
Roles get de-provisioned: Finance roles removed & New Supply Chain roles added

Step 8 — Employee Exit

When Rohan leaves company:

HR marks employee as terminated in SuccessFactors
IPS deactivates him in IAS
IPS removes roles in BTP, S/4, Ariba
IAS blocks login

User access fully revoked

SU01 User group mandatory field

2025-11-27T11:19:32.300000+01:00

Are there any SAP Note to inform how to configure in SU01 tcode that the User group mandatory is a mandatory field to avoid creation of user with blank groups?

Seeking Advice on Tools & Methodology for Legacy RFC User Permissions Cleanup

2026-01-06T03:45:52.366000+01:00

Hello SAP Security & Basis Experts,

We are embarking on a critical security remediation project to address over-privileged RFC users across our SAP landscape with 600+ systems. Many of these users and connections are years old, lack clear ownership, and serve various backend tasks.

Our goal is to understand what business operations each RFC user/interface actually performs and then redesign brand new ones following the principle of least privilege without disrupting genuine business processes.

There are several key challenges we meet:

1) Many RFC users were created long ago with no clear current responsible person.

2) Activities are often triggered by background jobs, making them less visible.

3) We must not miss crucial but infrequent operations (e.g., year-end financial closing), which short-term monitoring would fail to capture.

We are seeking practical advice on the following specifically:

1) Tool Recommendation: beyond native SM19/SM20 and STUSOBTRACE, what commercial or open-source tools have you successfully used for cross-system RFC user discovery, permission analysis, and activity monitoring? What are their pros/cons for this use case?

2) Methodology for business need collection: How do you practically identify the business purpose behind legacy technical RFC accounts? Are there effective techniques for correlating job schedules (SM37), interface configurations (BD64/WE20), and log data to reverse-engineer their function?

3) Capturing low-frequency activities: What is the best practice to ensure yearly/quarterly critical processes are identified? Are there technical methods to trace such execution history?

We greatly appreciate any insights, war stories, or links to useful resources you can share. Thank you for helping us!

Password deactivation through BAPI_USER_CHANGE

2026-01-27T11:52:36.366000+01:00

Hi team,

We are using IDM to manage our user provisioning. As we are implementing SNC, we got a requirement to deactivate password during the new user creation. We are using BAPI_USER_CHANGE to set the password .We are trying to deactivate the password now, but the field LOGONDATA-CODVN is an internal field only.

Please suggest how to deactivate the password for users through the BAPI.

12 characters limit on UserID in SU01

2026-02-03T13:41:51.062000+01:00

We are not able increase the 12 character limit on UserID created in SU01. it is not accepting UserID longer than 12 characters.

Fiori "My Inbox" Error - Intermittent issue,

2026-02-17T03:28:43.975000+01:00

Hello,

I encounter an issue in fiori " My Inbox". The error is intermittent (sometimes there's an error but sometimes it is working properly)

sample uri with error(sorry but I cannot post the whole URI): /sap/opu/odata/IWPGW/TASKPROCESSING;v=2;mo/TaskCollection/$count/?$filter=Status%20eq%20%27READY%........

Method: GET

Status code: 500 after successful login, 400 after clicking the My Inbox with error

If the tile has error , this error message will appear

I think there's no issue in the configuration because sometimes it is working

The RFC Destination is NONE, and connection Type is "I" (Internal Connection)

the ZTASKPROCESSING we maintained in /IWFND/MAINT_SERVICE and the taskprocessing maintained in SICF is activated

no dump in ST22

no duplicate keys/task

but there is an error in /IWFND/ERROR_LOG and IWBEP/ERROR_LOG

Frontend - An exception was raised

Backend - Soapfaultcode: Authentication failed (not sure yet if this is the root cause)

FYI: we are using BPM for the workflow, the standard software version we used in /IWFND/ROUTING is /IWPGW/BPM, current system is ECC. The tasks in the "My Inbox" is coming from custom table

what could be the other possible cause of the intermittent error, any idea or anyone has experienced this kind of issue? or can you share your techniques on how to find the root cause of error