How the skilled use of SAP wildcard characters can shed light on the analysis of the SAP authorization system

How the skilled use of SAP wildcard characters can shed light on the analysis of the SAP authorization systemFor SAP experts worldwide, data display tools like the Data Browser (SE16), Quick Viewer (SQVI), and Query Start (SQ00) are basic components of their everyday work. They have become accustomed to using selection screens, variants, and ALV functions in the output lists of the Data Browser. In this post, we’ll show you examples from the SAP authorization system that illustrate less well-known possibilities for finding what you need in large datasets through the skilled use of wildcard characters during selection.

 

Wildcard characters differ in their meanings and effects

Both the technical functions for accessing the SAP database in SAP NetWeaver AS ABAP and the SAP authorization system support the use of wildcard characters, such as the asterisk (*) or plus sign (+). The meanings of these characters can differ between the two application areas, however, and thus often return surprising results during the analysis of datasets in the Data Browser (SUIM). The following table compares and contrasts the meanings and effects of the different wildcard characters between SAP database access in general, using the Data Browser as an example, and the SAP authorization system:

SAST Blog: How the skilled use of SAP wildcard characters can shed light on the analysis of the SAP authorization system

Use of wildcards for typical tasks in the daily routine of an SAP user

We’ll show you how you can use a variety of selection options quickly and efficiently for the analysis of datasets.

Example 1: Selection of all PFCG roles with display function

The naming conventions of the PFCG roles have the following structure in an SAP application client:

SAST Blog: How the skilled use of SAP wildcard characters can shed light on the analysis of the SAP authorization system
Let’s take a look at the example role “YFI_C_XXXX:AA-POSTING: Postings in Asset Accounting”.

From the naming convention, you can see that the differentiation characteristic display/work role is encoded at position 5 of the technical role name.

To select all the display roles from the role catalog, proceed as follows:

  • Call transaction SE16
  • Table: AGR_DEFINE
  • Enter the following character string in the AGR_NAME field of the selection screen:
    Y+++D*

You now see a filter selection of all roles with the D indicator (display role) in position 5 of the technical role name. 

Example 2: Selection of all PFCG roles with active (valid) full authorization (field value *) in the ACTVT field

  • Call transaction SE16
  • Table: AGR_1251
  • Enter the following values on the selection screen:
    AGR_NAME: Y*
    FIELD: ACTVT
    LOW: #* (pound sign # followed by asterisk)
    DELETED: Multiple Selection >> Exclude Single Value >> X

You then see an overview of all roles with valid full authorization in the ACTVT field. 

Example 3: Selection of all PFCG roles with blank authorization values

People who work with the Data Browser on a daily basis are often unsure about how they can select by blank fields. Simply entering a blank character in the selection field always results in an empty hit list.

  • Call transaction SE16
  • Table: AGR_1251
  • Enter the following values on the selection screen:
    AGR_NAME: Y*
    LOW: Multiple Selection >> Select Single Values >> Maintain Selection Options >> Single Value = _ (blank)
    DELETED: Multiple Selection >> Exclude Single Values >> X

All roles with valid, yet blank authorization field values are now selected.

We will be happy to support you with making data selection even simpler

Our SAST SUITE can help you adapt and streamline your SAP roles effectively, for example, by creating suitable role templates that save you time and money.

You can trust in our skills and ask about our flexible consulting and support services at any time. We look forward to hearing from you and welcoming you to our website.

Ansgar Rümpker (SAST SOLUTIONS)
Ansgar Rümpker (Principal SAP Consultant, SAST SOLUTIONS)

 

More tips from the SAP authorisation system:

Practical tip: How you can avoid special roles and create new organizational levels in your SAP system based on an authorization field

Create and modify app catalogs easily – with SAP Fiori Launchpad Content Manager