SAP Community - Security

Information on task/data access profiles

2025-11-04T12:14:48.399000+01:00

Hi,

We need your support on knowing if there is a way to understand on SAP backend (using tables) to show the authorizations given on the frontend for the business users.

When we check the table AGR_1251 the accesses are mapped as ZBPC_XXX and we need further detail on what this ZBPC_XXX is giving to the users.

Can you please help?

Thanks,

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Impact of rfc/callback_security_method Setting on Optimizer Functionality

2025-11-06T17:08:42.973000+01:00

We are experiencing issues with the parameter rfc/callback_security_method currently set to 3 in our SAP RISE environment.
Problem:

When the parameter is set to 3, the RCC_VERSION transaction and RCCF TM Optimizer do not work as expected.
The system generates an ABAP short dump with error:
CALLBACK_REJECTED_BY_WHITELIST
RFC callback call rejected by positive list

This prevents optimizer functionality, which is critical for planning and execution processes.

What is the best way to resolve this issue while keeping the system secure?

- Should we configure the whitelist for required RFC callbacks?
- Or is it acceptable to temporarily change the parameter value from 3 to 1?

2. What is the impact if we maintain the parameter value as 1?

Are there any major security risks beyond allowing RFC callbacks?
Will this affect other components or system stability?

IAS-IPS (SAP Security)

2025-11-07T15:28:51.630000+01:00

IAS & IPS

Content :

SAP Identity Authentication Service (IAS)
SAP Identity Provisioning Service (IPS)
Real World Scenario

SAP Identity Authentication Service (IAS)

IAS is SAP’s cloud-based authentication service.

Its core job is to make sure “the right user logs in securely to the right SAP application.”

Think of IAS as the gatekeeper.

What IAS Does

Authenticates Users (Login / Sign-in)

IAS verifies user identity when they try to log in to:

SAP BTP
SAP SuccessFactors
SAP Ariba
SAP Analytics Cloud
SAP S/4HANA Cloud
Any custom application connected to IAS

It checks:

Username + Password
Multi-Factor Authentication (OTP, SMS, Email, Authenticator App)
Certificates
Biometrics (via device IdP)

Single Sign-On (SSO)

IAS supports:

SAML 2.0
OAuth 2.0
OpenID Connect (OIDC)

So your users log in once and access all SAP apps without logging in again.

Acts as an Identity Provider (IdP)

IAS can serve as

Primary IdP

IAS handles authentication directly

Proxy IdP

IAS redirects authentication to:

Microsoft Azure AD
ADFS
Okta
Ping Identity
Any SAML-based IdP

IAS becomes the bridge between SAP systems and corporate identity providers.

Conditional Authentication Policies

IAS can decide:

Who can log in
From where
Under what conditions

Examples:

Allow MFA only when user logs in from outside office
Block login from certain countries
Force password reset for risky accounts
Apply SSO only for trusted devices

User Store (Identity Directory)

IAS stores user accounts, including:

Username
Email
First Name / Last Name
Groups
Password (if local authentication)

Note : BUT IAS does NOT create users automatically — IPS usually does provisioning.

Authorization Pre-Processing (via Groups → Mappings)

IAS can assign groups, and these groups can be mapped in target apps (like SAP BTP) to give role collections.

IAS Group = “FinanceUsers”

→ Mapped to

BTP Role Collection = “Finance App Access”

But IAS itself does NOT assign app roles.

Note : IAS group can only be mapped to BTP role collections, not to PFCG Role etc.

Branding & Custom Login Pages

IAS allows full customization of login screens:

Company logo
Color theme
Background
Messages
Terms & conditions

Security Enforcement

IAS applies:

Password policies
MFA rules
Account lockout rules
Device trust
Risk-based authentication

What IAS Does NOT Do

IAS does NOT create users(IPS or external IdP does)
IAS group does NOT assign roles in S/4, SAC, Ariba, etc.
IAS does NOT do provisioning(IPS does)
IAS does NOT perform GRC / SoD checks(IAG does)

SAP Identity Provisioning Service (IPS)

IPS is SAP’s central user provisioning and synchronization service.

It moves users from one system to another, ensuring that user accounts, attributes, and group/role assignments stay consistent across:

SAP BTP
IAS (Identity Authentication Service)
SAP S/4HANA Cloud
SAP Ariba
SAP SuccessFactors
SAP Analytics Cloud
Azure AD, Okta, Ping, etc.

Think of IPS as the “delivery service” for user accounts.

What IPS Does

Creates Users in Target Systems

IPS automatically provisions users into multiple systems.

Example:
SuccessFactors → IPS → IAS → BTP → S/4HANA

IPS can create user accounts in:

IAS
SAP BTP
S/4HANA Cloud
SAP Ariba
SAP Concur
SAP Analytics Cloud (via SCIM)

Updates User Attributes

If an employee changes department, email, manager, etc., IPS updates the data in all connected systems.

Example:
SuccessFactors updates → IPS sync → IAS/BTP/S4/Ariba update

Deletes / Deactivates Users

When an employee leaves the company, IPS can mark them inactive or delete their user account.

Maps and Transforms Attributes

IPS allows:

Attribute mapping
Attribute transformation
Conditional provisioning

Example:
IF user.department = "Finance" → assign group “FIN_USERS”

Assigns Groups / Roles (but not everywhere)

IPS can assign:

IAS Groups
BTP Role Collections
S/4HANA Business Roles
SAP Ariba groups
SAC roles (via SCIM)

But only where system supports it.

Connects to Many Identity Sources

IPS can read users from:

Azure AD
SuccessFactors
IAS
LDAP
Okta
On-premise systems (via Cloud Connector)

What IPS does NOT do

IPS does NOT Authenticate Users (IAS does)

Real World Scenario

Company:

A global manufacturing company using:

SAP SuccessFactors (HR system of record)
SAP BTP (custom apps, Integration Suite)
SAP S/4HANA Cloud (ERP)
SAP Ariba (Procurement)
SAP IAS (Authentication)
SAP IPS (Provisioning)
SAP IAG (Access Governance)

Scenario 1: A New Employee Joins the Company

Step 1 — Employee is Hired in SuccessFactors

HR creates a new employee: Rohan Sharma with below details

Department: Finance
Location: India
Manager: Priya Singh
Job: Accounts Payable Analyst

SuccessFactors stores all HR attributes.

Step 2 — IPS Reads Rohan’s Data from SuccessFactors

IPS acts as the "provisioning engine."

Flow: SuccessFactors → IPS → IAS

IPS automatically:

Reads new user
Maps attributes
Creates user in IAS
Assigns IAS group “Finance_Employees”
Pushes email, username, and department

Step 3 — IAS Creates User Entry + Prepares Authentication

IAS now has user:

Username: rohan.sharma
Email: rohan.sharma@company.com
Group: Finance_Employees
Status: Active

IAS does NOT assign roles.

IAS only sets up login policies:

MFA required
Corporate SSO allowed
Conditional rule: India region → allow password login

Step 4 — IAG Triggers Access Request Workflow

Rohan needs access to:

SAP BTP Finance App
S/4HANA Finance Business Roles
Ariba Buyer Role

In large companies, users cannot get access automatically,they must request access via IAG.

Flow:

Rohan goes to IAG Access Request Portal
Selects: "Finance Analyst Access Package"
Request goes to Manager (Priya Singh)
IAG performs SoD checks  No conflicting roles  No risk
Manager approves

Step 5 — IAG Sends Provisioning Action to IPS

After approval:

IAG → IPS → Target Systems

IPS now provisions the approved roles

In SAP BTP: Assigns BTP Role Collection:

Finance_Analyst_RoleCollection

In S/4HANA Cloud: Assigns Business Roles:

AP_STANDARD

FIN_POSTING

FIN_DISPLAY

In SAP Ariba: Assigns Ariba group:

Buyer_Professional

Step 6 — Rohan Logs In to SAP Systems

Rohan logs in to:

SAP BTP App

IAS checks login
IAS → BTP trusts IAS
BTP picks up role collection assigned via IPS

S/4HANA Cloud

Login route:
Browser → IAS → S/4
S/4 checks Business Role assignments provisioned via IPS

Ariba

IAS federates login → Ariba validates user groups

Step 7 — Rohan Changes Department (Employee Movement)

After 1 year, Rohan moves from Finance to Supply Chain.

HR updates this in SuccessFactors.

IPS reads update
IPS updates IAS + BTP + S/4HANA + Ariba
IAG dynamically checks if old roles must be removed.
Roles get de-provisioned: Finance roles removed & New Supply Chain roles added

Step 8 — Employee Exit

When Rohan leaves company:

HR marks employee as terminated in SuccessFactors
IPS deactivates him in IAS
IPS removes roles in BTP, S/4, Ariba
IAS blocks login

User access fully revoked

Passing Data Access control in datasphere to Power BI

2025-11-11T14:52:58.545000+01:00

I am implementing a critical reporting solution connecting Power BI Service to SAP Datasphere and want to enforce Data Access Control (DAC)/Row-Level Security (RLS) defined in Datasphere.
The Goal is- To ensure that the Data Access Control (DAC) defined on Analytical Models in SAP Datasphere is respected when the data is consumed by individual users in a Power BI report.

Kindly also suggest which connection method will be the best considering the requirement.

Any guidance, particularly from those who have successfully implemented this integration, would be greatly appreciated.

Cloud Integration Certificate with Key Size upper than 2048

2025-11-21T10:20:27.144000+01:00

Hi All,

it should be possibile to obtain directly from SAP, using an SR request, a new sap_cloudintegrationcertificate on IS Tenant with:

Key Size: 3072
Signature Algorithm: sha256ECDSA
Issude by: DigiCert

I know tha we have already the 2048 one, but for security constraint we need a new version with a 3072 Key Size.

Thanks

Regards

SU01 User group mandatory field

2025-11-27T11:19:32.300000+01:00

Are there any SAP Note to inform how to configure in SU01 tcode that the User group mandatory is a mandatory field to avoid creation of user with blank groups?

START_REPORT in SUIM Change Documents

2025-11-28T17:23:43.442000+01:00

Hi SAP Security Gurus,

My SUIM change documents reports showing START_REPORT with my User ID in Production system. Like I have done role assignment/deletion using START_REPORT into Transaction Code column.

Any idea, why it is showing and did I ran any report using SUIM or something else. This is an audit concern.

I made composite role adjusment i.e. remove / add roles but my transport date moved to PROD and this SUIM START_REPORT does not match.

Set up custom security logs

2025-12-08T20:45:19.377000+01:00

Hello Community,

I have a request from a customer who needs to implement monitoring on the following events to comply with their internal Security requirements :

User logons and logon attempts (successful and failed)
User account modifications (creation, modification, deletion, role changes)
Access to sensitive data and critical transactions
Unauthorized access attempts (authorization failures)
System configuration and security parameter changes
Privileged user activities (administrators)

Their Security requirements are the following:

Confirmation that the Security Audit Log is enabled on their tenant with capture of critical security events
Access to the “Display Security Audit Log” Fiori application for security/audit teams
Documentation on the complete list of events captured in their Cloud edition
Ability to export these logs to enable automated security alerting and monitoring

I was advised that CAS (Cloud Application Services) could address these kind of needs but these are not for "one shot" request, CAS are indeed used for recurring activities ; I also raised a CISA request but the URL they've provided seems to be outdated.

Thanks much in advance

Monitor GR/IR Account Reconciliation app issue

2025-12-18T06:14:43.277000+01:00

For the app Monitor GR/IR Account Reconciliation(F3303), user is able to view the data for few company codes and for few he's not able to view, if i give personal area as *, user is able to view the data for missing company codes.
personal area is maintained on the basis of each company code, but it is not working for few company codes, what can be the issue

List authorization objects to be maintained for a developer role in S4 HANA.

2025-12-23T06:55:07.357000+01:00

Any standard sap role available in S4 HANA to create a copy of ?

If we create developer role from SAP_ALL, List authorization objects to be maintained for a developer role in S4 HANA.

List the authorization objects to be removed?

Share the list of tcodes to be white listed. share the range of tcodes to be maintained in S_TCODE

Seeking Advice on Tools & Methodology for Legacy RFC User Permissions Cleanup

2026-01-06T03:45:52.366000+01:00

Hello SAP Security & Basis Experts,

We are embarking on a critical security remediation project to address over-privileged RFC users across our SAP landscape with 600+ systems. Many of these users and connections are years old, lack clear ownership, and serve various backend tasks.

Our goal is to understand what business operations each RFC user/interface actually performs and then redesign brand new ones following the principle of least privilege without disrupting genuine business processes.

There are several key challenges we meet:

1) Many RFC users were created long ago with no clear current responsible person.

2) Activities are often triggered by background jobs, making them less visible.

3) We must not miss crucial but infrequent operations (e.g., year-end financial closing), which short-term monitoring would fail to capture.

We are seeking practical advice on the following specifically:

1) Tool Recommendation: beyond native SM19/SM20 and STUSOBTRACE, what commercial or open-source tools have you successfully used for cross-system RFC user discovery, permission analysis, and activity monitoring? What are their pros/cons for this use case?

2) Methodology for business need collection: How do you practically identify the business purpose behind legacy technical RFC accounts? Are there effective techniques for correlating job schedules (SM37), interface configurations (BD64/WE20), and log data to reverse-engineer their function?

3) Capturing low-frequency activities: What is the best practice to ensure yearly/quarterly critical processes are identified? Are there technical methods to trace such execution history?

We greatly appreciate any insights, war stories, or links to useful resources you can share. Thank you for helping us!

Reccommended C_SEC "SAP Security Administration" Practical (not Theoretical) certification material?

2026-01-07T22:45:15.307000+01:00

Hello, I am looking to take the C_SEC "SAP Certified Associate - Security Administrator" Practical (not Theoretical, as now that version of the examination is retired) certification:

https://learning.sap.com/certifications/sap-certified-associate-security-administrator

Does anyone have recommendations on practice materials relevant to the practical version, that are not listed below? (because I am already reviewing them):

All "Recommended steps to prepare for the exam" Learning Journeys/Courses on the webpage
All digital exercises in each Learning Journey attached (quizzes, step-by-step exercises)
All Live Sessions attached to each Learning Journey (under "Level up your skills" section)
And the following Hands-On practice systems: Hands-on Practice for Exploring the Authorization Concept for SAP Fiori on SAP S/4HANA (for textbook ADM945), Hands-on Practice for Exploring the Authorization Concept for SAP S/4HANA and SAP Business Suite (for textbook ADM940)

The Live Sessions directly recommended for this certification are spread out across several months, and not all of them have recordings of previous sessions. I'm not sure what other Hands-On Practice systems or Live Sessions would be beneficial as there are only two Hands-On practice systems directly recommended for this.

Thank you for any advice

Authorisations of Business Partners Roles

2026-01-13T12:39:00.282000+01:00

We are struggling with the authorizations of Business Partners.

Our process:

Creation of a business partner by finance FLN00 or CLU00 by the finance department
Extend the supplier or customer BP data by the business, with multiple addresses, contacts, etc..

When using the Manage Supplier Master Data App, we like to extend the supplier BP data with the role FLN01, so the supplier contains both roles FLN00 (set up/ maintained by Finance department) and FLN01 (maintained by Business). But this is not working. Without authorizations for the role 000000, we are not able to extend a supplier. NO data can be extended, like contacts.

With the 000000 role users can change with the supplier/ customer master data app also change financial data like bank accounts etc.. They are not allowed to do this. In our governance only people from finance department are allowed to maintain this data.

Can you advise us how we can use the supplier and customer master data apps without giving the role 000000 in te authorization?

ACCESS FOR CREATING PURCHASE REQUISITION

2026-01-19T12:30:05.549000+01:00

Hello,

I am creating a business role On SAP public Cloud that allows users to create purchase requisitions. I have assigned the following business catalogs to the role: SAP_MM_BC_PURCH_DOC_DSP_PC, SAP_PS_BC_PROJ_FIN_ANLYTC_MC, and SAP_MM_BC_PR_MANAGE_PC.

However, users still encounter the error “Missing authorization: PReq Create: Doc. Type” when attempting to create a requisition. My intention is to keep the role limited to core access only.

Please advise which additional business catalog is required to resolve this authorization issue.

Thank you.

Forms Service by Adobe (BTP): Persistent "No client with requested id" Error after Configuration

2026-01-20T20:49:08.473000+01:00

Hello SAP Community,

I am seeking assistance with a persistent authentication issue while setting up SAP Forms Service by Adobe in the BTP Cloud Foundry environment.

Despite following the standard setup documentation, I am unable to access the Template Store UI. I consistently receive the following error: No client with requested id: sb-ads-xsappname!b65488

What I have configured so far:

Entitlements: Added "Forms Service by Adobe" and "Forms Service by Adobe API" (free plans).
Subscription: Successfully subscribed to "Forms Service by Adobe" (default plan).
Instance: Created a service instance for "Forms Service by Adobe API" in my space.
Role Collections: Created and assigned a Role Collection containing ADSAdmin and TemplateStoreAdmin.
Direct Access: I have tried accessing the UI via the "Go to Application" link and via the direct URL found in the destination configuration.

Steps taken to resolve the issue (but failed):

Verified that the Application Identifier in the Role Collection matches the subscription.
Unsubscribed and re-subscribed to force a new OAuth registration.
Cleared browser cache and used Incognito/Guest modes.
Waited for propagation (over 30 minutes).

It seems the XSUAA service is still looking for a specific client ID (!b65488) that perhaps isn't being correctly mapped or registered in the Trust Configuration.

System Details:

Environment: Cloud Foundry
Region: US10
Identity Provider: Default and Custom

Has anyone encountered this specific mismatch before? Is there a way to force a refresh of the OAuth2 clients in the subaccount, or is this a backend issue that requires an SAP Support ticket?

Thank you for your help!

Best Practice for Managing Business Role Changes After an Upgrade

2026-01-22T14:03:24.158000+01:00

Dear community,

what is in your opinion the best way to manage the changes after an upgrade in consideration of transports of software collections?

At the moment it seems for me, you have to maintain the changes two times with a 3 landscape system:

1. Update the business roles in Test system to make the changes available for testing the release

2. Update the business roles in Q system again after the release was deploy to Q and Productive System to transport the changes with the software collection to all 3 systems

Is this the correct procedure? Is there a better way which I am missing?

thank you for your inputs,

kind regards

Regina

Password deactivation through BAPI_USER_CHANGE

2026-01-27T11:52:36.366000+01:00

Hi team,

We are using IDM to manage our user provisioning. As we are implementing SNC, we got a requirement to deactivate password during the new user creation. We are using BAPI_USER_CHANGE to set the password .We are trying to deactivate the password now, but the field LOGONDATA-CODVN is an internal field only.

Please suggest how to deactivate the password for users through the BAPI.

12 characters limit on UserID in SU01

2026-02-03T13:41:51.062000+01:00

We are not able increase the 12 character limit on UserID created in SU01. it is not accepting UserID longer than 12 characters.

OData V4 URL Encoding Issue with SAP Web Dispatcher + Proxy (Sales Order Management App)

2026-02-06T16:09:11.380000+01:00

Hi SAP Community,

We are facing an issue with OData V4 URL encoding after activating the standard Sales Order Management application in S/4HANA.

Note: An SAP incident has already been created, and in parallel we are reaching out to the community to learn from experts who may have faced a similar issue.

Issue summary

The problem occurs because equal signs (=) in the OData V4 request URL are being URL-encoded (%3D) before the request reaches the S/4HANA ICM.

In the browser, the request URL is correct and the = signs are not encoded:

https://etgwdsp.etgworld.com/sap/opu/odata4/sap/c_salesordermanage_srv/srvd_f4/sap/c_orgdivisionvaluehelp/0001;ps='srvd-c_salesordermanage_sd-0001';va='com.sap.gateway.srvd.c_salesordermanage_sd.v0001.ae-c_salesordermanage.createwithsalesordertype.organizationdivision.SalesOrderManageType.X'/$metadata?sap-language=EN

However, when the request reaches the ICM, the raw HTTP request shows that:

= is encoded as %3D
%27 is converted back to '

Example from ICM level 3 trace:

GET /sap/opu/odata4/.../0001;ps%3D'srvd-c_salesordermanage_sd-0001';va%3D'com.sap.gateway.srvd.c_salesordermanage_sd.v0001.ae-c_salesordermanage.createwithsalesordertype.organizationdivision.SalesOrderManageType.X'/$metadata?sap-language=EN

The SAP Gateway expects the “=” characters to remain unencoded, and because of this encoding, the request fails.

Landscape and behavior

Middleware involved

SAP Web Dispatcher
Corporate HTTP Proxy

Observed behavior

All apps work when the proxy is bypassed (Web Dispatcher active)
All apps work when the Web Dispatcher is bypassed (proxy active)
The issue occurs only when both proxy and Web Dispatcher are active

This strongly indicates that the URL is being modified due to an interaction between the proxy and Web Dispatcher.

Troubleshooting performed

All required roles, authorizations, services, and ICF nodes are active
Web Dispatcher profile parameters adjusted to prevent URL encoding
Web Dispatcher mod file changes attempted for OData V4 handling
→ Issue still persists

As per internal network team analysis:

A change may be required in the Web Dispatcher index file
Neither the network team nor BASIS team has access to modify it
Only SAP can make changes at this level

Questions to the community

Has anyone experienced a similar OData V4 URL encoding issue with Web Dispatcher + proxy?
Is this a known limitation or defect in SAP Web Dispatcher for OData V4?
Are there any supported parameters, SAP Notes, or workarounds to prevent encoding of = in the URL?
Should this be handled via ICM settings, Web Dispatcher configuration, or proxy rules?
Is there any recommended architectural workaround until SAP provides a fix?

Any guidance, experiences, or references would be greatly appreciated.

Thanks in advance for your support.

Varsha J S

#SAP #S4HANA #ODataV4 #SAPGateway #SAPWebDispatcher #ICM #SAPBasis #SAPFiori #SAPCommunity
@SAP @SAPCommunity @SAPSupport

looking for clarification for auth object. If role has multiple entries

2026-02-13T15:51:57.007000+01:00

If a security role has F_BKPF_BLA has two entries one with ACTVT=03 BRGRU=* second has ACTVT=01,02 and BRGRU=ZDZ4. Is the finale combination be ACTVT=01,02,03 for BRGRU=*.

Does it make a difference if the same auth object is in One role vs two roles