SAP Community - Security

START_REPORT in SUIM Change Documents

2025-11-28T17:23:43.442000+01:00

Hi SAP Security Gurus,

My SUIM change documents reports showing START_REPORT with my User ID in Production system. Like I have done role assignment/deletion using START_REPORT into Transaction Code column.

Any idea, why it is showing and did I ran any report using SUIM or something else. This is an audit concern.

I made composite role adjusment i.e. remove / add roles but my transport date moved to PROD and this SUIM START_REPORT does not match.

Set up custom security logs

2025-12-08T20:45:19.377000+01:00

Hello Community,

I have a request from a customer who needs to implement monitoring on the following events to comply with their internal Security requirements :

User logons and logon attempts (successful and failed)
User account modifications (creation, modification, deletion, role changes)
Access to sensitive data and critical transactions
Unauthorized access attempts (authorization failures)
System configuration and security parameter changes
Privileged user activities (administrators)

Their Security requirements are the following:

Confirmation that the Security Audit Log is enabled on their tenant with capture of critical security events
Access to the “Display Security Audit Log” Fiori application for security/audit teams
Documentation on the complete list of events captured in their Cloud edition
Ability to export these logs to enable automated security alerting and monitoring

I was advised that CAS (Cloud Application Services) could address these kind of needs but these are not for "one shot" request, CAS are indeed used for recurring activities ; I also raised a CISA request but the URL they've provided seems to be outdated.

Thanks much in advance

Monitor GR/IR Account Reconciliation app issue

2025-12-18T06:14:43.277000+01:00

For the app Monitor GR/IR Account Reconciliation(F3303), user is able to view the data for few company codes and for few he's not able to view, if i give personal area as *, user is able to view the data for missing company codes.
personal area is maintained on the basis of each company code, but it is not working for few company codes, what can be the issue

List authorization objects to be maintained for a developer role in S4 HANA.

2025-12-23T06:55:07.357000+01:00

Any standard sap role available in S4 HANA to create a copy of ?

If we create developer role from SAP_ALL, List authorization objects to be maintained for a developer role in S4 HANA.

List the authorization objects to be removed?

Share the list of tcodes to be white listed. share the range of tcodes to be maintained in S_TCODE

Seeking Advice on Tools & Methodology for Legacy RFC User Permissions Cleanup

2026-01-06T03:45:52.366000+01:00

Hello SAP Security & Basis Experts,

We are embarking on a critical security remediation project to address over-privileged RFC users across our SAP landscape with 600+ systems. Many of these users and connections are years old, lack clear ownership, and serve various backend tasks.

Our goal is to understand what business operations each RFC user/interface actually performs and then redesign brand new ones following the principle of least privilege without disrupting genuine business processes.

There are several key challenges we meet:

1) Many RFC users were created long ago with no clear current responsible person.

2) Activities are often triggered by background jobs, making them less visible.

3) We must not miss crucial but infrequent operations (e.g., year-end financial closing), which short-term monitoring would fail to capture.

We are seeking practical advice on the following specifically:

1) Tool Recommendation: beyond native SM19/SM20 and STUSOBTRACE, what commercial or open-source tools have you successfully used for cross-system RFC user discovery, permission analysis, and activity monitoring? What are their pros/cons for this use case?

2) Methodology for business need collection: How do you practically identify the business purpose behind legacy technical RFC accounts? Are there effective techniques for correlating job schedules (SM37), interface configurations (BD64/WE20), and log data to reverse-engineer their function?

3) Capturing low-frequency activities: What is the best practice to ensure yearly/quarterly critical processes are identified? Are there technical methods to trace such execution history?

We greatly appreciate any insights, war stories, or links to useful resources you can share. Thank you for helping us!

Reccommended C_SEC "SAP Security Administration" Practical (not Theoretical) certification material?

2026-01-07T22:45:15.307000+01:00

Hello, I am looking to take the C_SEC "SAP Certified Associate - Security Administrator" Practical (not Theoretical, as now that version of the examination is retired) certification:

https://learning.sap.com/certifications/sap-certified-associate-security-administrator

Does anyone have recommendations on practice materials relevant to the practical version, that are not listed below? (because I am already reviewing them):

All "Recommended steps to prepare for the exam" Learning Journeys/Courses on the webpage
All digital exercises in each Learning Journey attached (quizzes, step-by-step exercises)
All Live Sessions attached to each Learning Journey (under "Level up your skills" section)
And the following Hands-On practice systems: Hands-on Practice for Exploring the Authorization Concept for SAP Fiori on SAP S/4HANA (for textbook ADM945), Hands-on Practice for Exploring the Authorization Concept for SAP S/4HANA and SAP Business Suite (for textbook ADM940)

The Live Sessions directly recommended for this certification are spread out across several months, and not all of them have recordings of previous sessions. I'm not sure what other Hands-On Practice systems or Live Sessions would be beneficial as there are only two Hands-On practice systems directly recommended for this.

Thank you for any advice

Authorisations of Business Partners Roles

2026-01-13T12:39:00.282000+01:00

We are struggling with the authorizations of Business Partners.

Our process:

Creation of a business partner by finance FLN00 or CLU00 by the finance department
Extend the supplier or customer BP data by the business, with multiple addresses, contacts, etc..

When using the Manage Supplier Master Data App, we like to extend the supplier BP data with the role FLN01, so the supplier contains both roles FLN00 (set up/ maintained by Finance department) and FLN01 (maintained by Business). But this is not working. Without authorizations for the role 000000, we are not able to extend a supplier. NO data can be extended, like contacts.

With the 000000 role users can change with the supplier/ customer master data app also change financial data like bank accounts etc.. They are not allowed to do this. In our governance only people from finance department are allowed to maintain this data.

Can you advise us how we can use the supplier and customer master data apps without giving the role 000000 in te authorization?

ACCESS FOR CREATING PURCHASE REQUISITION

2026-01-19T12:30:05.549000+01:00

Hello,

I am creating a business role On SAP public Cloud that allows users to create purchase requisitions. I have assigned the following business catalogs to the role: SAP_MM_BC_PURCH_DOC_DSP_PC, SAP_PS_BC_PROJ_FIN_ANLYTC_MC, and SAP_MM_BC_PR_MANAGE_PC.

However, users still encounter the error “Missing authorization: PReq Create: Doc. Type” when attempting to create a requisition. My intention is to keep the role limited to core access only.

Please advise which additional business catalog is required to resolve this authorization issue.

Thank you.

Forms Service by Adobe (BTP): Persistent "No client with requested id" Error after Configuration

2026-01-20T20:49:08.473000+01:00

Hello SAP Community,

I am seeking assistance with a persistent authentication issue while setting up SAP Forms Service by Adobe in the BTP Cloud Foundry environment.

Despite following the standard setup documentation, I am unable to access the Template Store UI. I consistently receive the following error: No client with requested id: sb-ads-xsappname!b65488

What I have configured so far:

Entitlements: Added "Forms Service by Adobe" and "Forms Service by Adobe API" (free plans).
Subscription: Successfully subscribed to "Forms Service by Adobe" (default plan).
Instance: Created a service instance for "Forms Service by Adobe API" in my space.
Role Collections: Created and assigned a Role Collection containing ADSAdmin and TemplateStoreAdmin.
Direct Access: I have tried accessing the UI via the "Go to Application" link and via the direct URL found in the destination configuration.

Steps taken to resolve the issue (but failed):

Verified that the Application Identifier in the Role Collection matches the subscription.
Unsubscribed and re-subscribed to force a new OAuth registration.
Cleared browser cache and used Incognito/Guest modes.
Waited for propagation (over 30 minutes).

It seems the XSUAA service is still looking for a specific client ID (!b65488) that perhaps isn't being correctly mapped or registered in the Trust Configuration.

System Details:

Environment: Cloud Foundry
Region: US10
Identity Provider: Default and Custom

Has anyone encountered this specific mismatch before? Is there a way to force a refresh of the OAuth2 clients in the subaccount, or is this a backend issue that requires an SAP Support ticket?

Thank you for your help!

Best Practice for Managing Business Role Changes After an Upgrade

2026-01-22T14:03:24.158000+01:00

Dear community,

what is in your opinion the best way to manage the changes after an upgrade in consideration of transports of software collections?

At the moment it seems for me, you have to maintain the changes two times with a 3 landscape system:

1. Update the business roles in Test system to make the changes available for testing the release

2. Update the business roles in Q system again after the release was deploy to Q and Productive System to transport the changes with the software collection to all 3 systems

Is this the correct procedure? Is there a better way which I am missing?

thank you for your inputs,

kind regards

Regina

Password deactivation through BAPI_USER_CHANGE

2026-01-27T11:52:36.366000+01:00

Hi team,

We are using IDM to manage our user provisioning. As we are implementing SNC, we got a requirement to deactivate password during the new user creation. We are using BAPI_USER_CHANGE to set the password .We are trying to deactivate the password now, but the field LOGONDATA-CODVN is an internal field only.

Please suggest how to deactivate the password for users through the BAPI.

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

12 characters limit on UserID in SU01

2026-02-03T13:41:51.062000+01:00

We are not able increase the 12 character limit on UserID created in SU01. it is not accepting UserID longer than 12 characters.

OData V4 URL Encoding Issue with SAP Web Dispatcher + Proxy (Sales Order Management App)

2026-02-06T16:09:11.380000+01:00

Hi SAP Community,

We are facing an issue with OData V4 URL encoding after activating the standard Sales Order Management application in S/4HANA.

Note: An SAP incident has already been created, and in parallel we are reaching out to the community to learn from experts who may have faced a similar issue.

Issue summary

The problem occurs because equal signs (=) in the OData V4 request URL are being URL-encoded (%3D) before the request reaches the S/4HANA ICM.

In the browser, the request URL is correct and the = signs are not encoded:

https://etgwdsp.etgworld.com/sap/opu/odata4/sap/c_salesordermanage_srv/srvd_f4/sap/c_orgdivisionvaluehelp/0001;ps='srvd-c_salesordermanage_sd-0001';va='com.sap.gateway.srvd.c_salesordermanage_sd.v0001.ae-c_salesordermanage.createwithsalesordertype.organizationdivision.SalesOrderManageType.X'/$metadata?sap-language=EN

However, when the request reaches the ICM, the raw HTTP request shows that:

= is encoded as %3D
%27 is converted back to '

Example from ICM level 3 trace:

GET /sap/opu/odata4/.../0001;ps%3D'srvd-c_salesordermanage_sd-0001';va%3D'com.sap.gateway.srvd.c_salesordermanage_sd.v0001.ae-c_salesordermanage.createwithsalesordertype.organizationdivision.SalesOrderManageType.X'/$metadata?sap-language=EN

The SAP Gateway expects the “=” characters to remain unencoded, and because of this encoding, the request fails.

Landscape and behavior

Middleware involved

SAP Web Dispatcher
Corporate HTTP Proxy

Observed behavior

All apps work when the proxy is bypassed (Web Dispatcher active)
All apps work when the Web Dispatcher is bypassed (proxy active)
The issue occurs only when both proxy and Web Dispatcher are active

This strongly indicates that the URL is being modified due to an interaction between the proxy and Web Dispatcher.

Troubleshooting performed

All required roles, authorizations, services, and ICF nodes are active
Web Dispatcher profile parameters adjusted to prevent URL encoding
Web Dispatcher mod file changes attempted for OData V4 handling
→ Issue still persists

As per internal network team analysis:

A change may be required in the Web Dispatcher index file
Neither the network team nor BASIS team has access to modify it
Only SAP can make changes at this level

Questions to the community

Has anyone experienced a similar OData V4 URL encoding issue with Web Dispatcher + proxy?
Is this a known limitation or defect in SAP Web Dispatcher for OData V4?
Are there any supported parameters, SAP Notes, or workarounds to prevent encoding of = in the URL?
Should this be handled via ICM settings, Web Dispatcher configuration, or proxy rules?
Is there any recommended architectural workaround until SAP provides a fix?

Any guidance, experiences, or references would be greatly appreciated.

Thanks in advance for your support.

Varsha J S

#SAP #S4HANA #ODataV4 #SAPGateway #SAPWebDispatcher #ICM #SAPBasis #SAPFiori #SAPCommunity
@SAP @SAPCommunity @SAPSupport

looking for clarification for auth object. If role has multiple entries

2026-02-13T15:51:57.007000+01:00

If a security role has F_BKPF_BLA has two entries one with ACTVT=03 BRGRU=* second has ACTVT=01,02 and BRGRU=ZDZ4. Is the finale combination be ACTVT=01,02,03 for BRGRU=*.

Does it make a difference if the same auth object is in One role vs two roles

XSUAA not getting the subject name identifier as ID

2026-03-11T07:57:57.377000+01:00

Hi,

We're trying to change `req.user.id` used from xsuaa to the User ID of IAS instead of the email.

BTP is connected to IAS with OpenID Connect (so "Default Name ID Format = Unspecified" as with SAML is not available).

In the IAS logs the sub is changed to the expected value `jwtPayload="{"sub":"`.

However the req.user.id we get in CAP / JWT token remains the email.

Not sure if it's related, but adding a custom atribute in `xs-security.json` and in IAS attributes also isn't reflected in `req.user.attr`. (it only shows the default value configured in `xs-security.json`)

Anyone have some insights on how to get the id ?

Is transaction S_ALR_87005540 a reporting tcode?

2026-03-14T13:47:45.379000+01:00

I have to create a role for tcode S_ALR_87005540. I asked my colleague to if this is a reporting tcode and he said yes it is however, chatgpt and copilot is saying it is not a reporting tcode.

ZBV / CUA is not working as expected

2026-03-23T13:40:39.929000+01:00

Hello experts,

I'm currently having a strange issue with the CUA. Everything is working perfectly in our CUA system. We don't have duplicate company addresses, and users are assigned the correct one. Our Q-system is also working as expected. We are currently on S4/HANA 2023 SP 03/2025.

But here’s the problem: We’re currently having issues with our P-system. In this system, there are several users assigned to a different company; for example, the correct company address would be 41000 – Standard Company, and now we have about 90 addressesSAP with a new number and a new description -> 41001 – Standard Company0000012345, etc.

We have deleted or corrected these incorrect company addresses in the CUA system, the Dev system, and the Q system, but we cannot delete them in the P system. Do you have any idea how we can delete these incorrect entries? I tried using transaction SUCOMP, but it doesn’t work. I receive the following error message when I try to delete a company address, and the address we want to use is the default address:

And even if I assign a new company to the user, I still can't delete that incorrect company.
Sincerely, Dominik 🙂

ECS broke our RISE PCE WAF 2 and ECS cannot fix it

2026-03-31T14:03:24.712000+02:00

After 4 years in RISE PCE (Azure) we finally were requested by SAP to raise a ticket with ECS to migrate from WAF v1 to WAF v2.

it looks like ECS have hand crafted the configuration - its not via a defined terraform, bicep or arm template. the WAF v2 rules are in restricted mode and nothing really works...

Fiori tiles won't work; icon image are missing

ECS won't provide an export of the WAF config so we can compare and review - even though its our tenant and a shared security model.

you will have to forgive my ignorance in that as RISE PCE the WAF should have a defined security template that doesn't need any tweaking.

we already know SAP don't follow MS best practice for SAP on azure; or i would have had WAF v2 4 years ago.

Anyone got any suggestions i can bat back into ECS?

Sap certification

2026-04-11T03:05:47.327000+02:00

Hello all

I want to schedule SAP certification exam security administrator C_sec_2601 exam , how should I prepare for it ? It's system based exam with new format.

Please guide

saprouter reverse invoke : Design guidelines and Performance best practices

2026-04-11T15:43:45.910000+02:00

Dear Community,

As per the security documentation, the usage of reverse invoke saprouter can offer better protection as ports dont have to be opened from DMZ to SAP network zones.

Using saprouter with reverse invoke would mean that all traffic that otherwise would go directly from frontend (e.g gateway) to backend (e.g S4) networks would now go via the two saprouter (one in DMZ acting as client one in backend acting as server).

There is little information in help.sap or sap notes on this topic. Please can you someone share your experience of using saprouter in this manner (i.e. reverse invoke)

around

best practices /
desgin recommendations /
throughtput and performance /
typical problems like stuck situations and
ofcourse the requirement to have high availability for saprouter as this now becomes the single point of failure for SAP end users etc

Thx