{"id":417,"date":"2018-02-12T08:00:25","date_gmt":"2018-02-12T07:00:25","guid":{"rendered":"http:\/\/akquinet-security-en.blog\/?p=417"},"modified":"2020-07-07T11:53:11","modified_gmt":"2020-07-07T09:53:11","slug":"maximum-access-protection-for-your-sap-tables-and-abap-programs","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/","title":{"rendered":"Maximum access protection for your SAP tables and ABAP programs"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-419 alignleft\" src=\"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg\" alt=\"AdobeStock_105300132w_jpg\" width=\"300\" height=\"200\" srcset=\"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg 640w, https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg-300x200.jpg 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>The use of critical transactions is one of the most frequent items to be found on the lists of deficiencies prepared by auditors. And rightly so, since accessing SAP tables and ABAP programs with these kinds of transactions is unfortunately often associated with major security risks.<\/p>\n<p>So how can you protect yourself from critical transaction accesses while ensuring your users have the permissions they need? Find out with our best practice tip.<\/p>\n<p><!--more--><\/p>\n<p>The problem is of course not to be found in accesses to SAP tables or ABAP programs as such, but in the use of transaction calls such as SE16\/SM30 or SA38. Particularly since these are all too rarely restricted to access to specific tables or ABAP programs.<\/p>\n<p>The object S_TABU_NAM offers one option for setting restrictions to specific tables with its TABLE field. 
Note, however, that the conventional object S_TABU_DIS with its field DICBERCLS has an additive effect. This means that if a user owns both objects with different definitions, this user is ultimately able to access a whole series of tables and the intended restriction disappears into thin air. It is astonishing how often we see this setup in practice. Table groups often have hundreds of tables assigned to them.<\/p>\n<p>One possible approach for this example would be using S_TABU_NAM to authorize by specific table name. The same applies for the S_PROGNAM object with its P_PROGNAM field and counterpart S_PROGRAM. These can be used to restrict the execution of specific ABAP programs and program groups.<\/p>\n<p>The most secure way to authorize tables and ABAP programs, however, is to utilize a parameter transaction or report transaction \u2013 and these transactions are already provided by standard SAP for many tables and ABAP programs. If these are not available, you have the option of creating a new parameter transaction or report transaction with the help of SAP Basis transaction SE93 (maintain transaction codes).<\/p>\n<p>This offers you the advantage of being able to create transactions for specific programs and tables and easily authorize them for users via roles, while completely avoiding all use of the powerful \u2013 and therefore critical \u2013 transactions SE16\/SM30 and SA38.<\/p>\n<p>As a next step after creating a transaction, we recommend the parallel maintenance of the authorization default values (SU24) with the specific object definitions S_TABU_NAM and S_PROGNAM. This ensures that the correct default values are always offered for future role maintenance work.<\/p>\n<p>The SAST SUITE naturally offers you a more user-friendly way to automatically secure critical transactions. 
And the same applies for the one-click creation of a large number of transactions plus SU24 updates.<br \/>\nTalk to us today \u2013 we look forward to helping you: <a href=\"mailto:knowhow@akquinet.de\" target=\"_blank\" rel=\"noopener noreferrer\">knowhow@akquinet.de<\/a><\/p>\n<p>Or attend one of our <a href=\"https:\/\/sast-solutions.de\/en\/news\/events-webinars\/index.jsp\" target=\"_blank\" rel=\"noopener noreferrer\">webinars<\/a>: these are a time-saving way to find out more about these and other current topics in SAP security and compliance \u2013 live and designed to provide answers to your questions.<\/p>\n<h6><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-412\" src=\"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/referent_steffenmaltig_akquinet-e1517509266646.jpg\" alt=\"\" width=\"131\" height=\"98\" srcset=\"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2018\/02\/referent_steffenmaltig_akquinet-e1517509266646.jpg 649w, https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2018\/02\/referent_steffenmaltig_akquinet-e1517509266646-300x225.jpg 300w\" sizes=\"auto, (max-width: 131px) 100vw, 131px\" \/><br \/>\nSteffen Maltig<br \/>\nHead of SAST Authorization Management at AKQUINET<\/h6>\n","protected":false},"excerpt":{"rendered":"<p>The use of critical transactions is one of the most frequent items to be found on the lists of deficiencies prepared by auditors. And rightly so, since accessing SAP tables and ABAP programs with these kinds of transactions is unfortunately often associated with major security risks.<br \/>\nSo how can you protect yourself from critical transaction accesses while ensuring your users have the permissions they need? 
Find out with our best practice tip.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[68],"class_list":["post-417","post","type-post","status-publish","format-standard","hentry","category-sap-authorizations-grc","tag-sap-authorizations"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Maximum access protection for your SAP tables and ABAP programs<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Maximum access protection for your SAP tables and ABAP programs\" \/>\n<meta property=\"og:description\" content=\"The use of critical transactions is one of the most frequent items to be found on the lists of deficiencies prepared by auditors. And rightly so, since accessing SAP tables and ABAP programs with these kinds of transactions is unfortunately often associated with major security risks. So how can you protect yourself from critical transaction accesses while ensuring your users have the permissions they need? 
Find out with our best practice tip.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/\" \/>\n<meta property=\"og:site_name\" content=\"SAST BLOG\" \/>\n<meta property=\"article:published_time\" content=\"2018-02-12T07:00:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-07-07T09:53:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg\" \/>\n<meta name=\"author\" content=\"securityblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"securityblog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/\"},\"author\":{\"name\":\"securityblog\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\"},\"headline\":\"Maximum access protection for your SAP tables and ABAP 
programs\",\"datePublished\":\"2018-02-12T07:00:25+00:00\",\"dateModified\":\"2020-07-07T09:53:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/\"},\"wordCount\":511,\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/02\\\/adobestock_105300132w_jpg.jpg\",\"keywords\":[\"SAP Authorizations\"],\"articleSection\":[\"SAP Authorizations &amp; GRC\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/\",\"name\":\"Maximum access protection for your SAP tables and ABAP 
programs\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/02\\\/adobestock_105300132w_jpg.jpg\",\"datePublished\":\"2018-02-12T07:00:25+00:00\",\"dateModified\":\"2020-07-07T09:53:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#primaryimage\",\"url\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/02\\\/adobestock_105300132w_jpg.jpg\",\"contentUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/02\\\/adobestock_105300132w_jpg.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/02\\\/12\\\/maximum-access-protection-for-your-sap-tables-and-abap-programs\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Maximum access protection for your SAP tables and ABAP 
programs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"name\":\"SAST BLOG\",\"description\":\"SAP Security &amp; Compliance\",\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\",\"name\":\"SAST BLOG\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"contentUrl\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"width\":358,\"height\":155,\"caption\":\"SAST BLOG\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\",\"name\":\"securityblog\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Maximum access protection for your SAP tables and ABAP programs","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/","og_locale":"en_US","og_type":"article","og_title":"Maximum access protection for your SAP tables and ABAP programs","og_description":"The use of critical transactions is one of the most frequent items to be found on the lists of deficiencies prepared by auditors. And rightly so, since accessing SAP tables and ABAP programs with these kinds of transactions is unfortunately often associated with major security risks. So how can you protect yourself from critical transaction accesses while ensuring your users have the permissions they need? Find out with our best practice tip.","og_url":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/","og_site_name":"SAST BLOG","article_published_time":"2018-02-12T07:00:25+00:00","article_modified_time":"2020-07-07T09:53:11+00:00","og_image":[{"url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg","type":"","width":"","height":""}],"author":"securityblog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"securityblog","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#article","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/"},"author":{"name":"securityblog","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26"},"headline":"Maximum access protection for your SAP tables and ABAP programs","datePublished":"2018-02-12T07:00:25+00:00","dateModified":"2020-07-07T09:53:11+00:00","mainEntityOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/"},"wordCount":511,"publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg","keywords":["SAP Authorizations"],"articleSection":["SAP Authorizations &amp; GRC"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/","url":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/","name":"Maximum access protection for your SAP tables and ABAP 
programs","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#primaryimage"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg","datePublished":"2018-02-12T07:00:25+00:00","dateModified":"2020-07-07T09:53:11+00:00","breadcrumb":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#primaryimage","url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg","contentUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/02\/adobestock_105300132w_jpg.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/02\/12\/maximum-access-protection-for-your-sap-tables-and-abap-programs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sast-solutions.com\/blog-en\/"},{"@type":"ListItem","position":2,"name":"Maximum access protection for your SAP tables and ABAP programs"}]},{"@type":"WebSite","@id":"https:\/\/sast-solutions.com\/blog-en\/#website","url":"https:\/\/sast-solutions.com\/blog-en\/","name":"SAST BLOG","description":"SAP Security &amp; 
Compliance","publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sast-solutions.com\/blog-en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sast-solutions.com\/blog-en\/#organization","name":"SAST BLOG","url":"https:\/\/sast-solutions.com\/blog-en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/","url":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","contentUrl":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","width":358,"height":155,"caption":"SAST BLOG"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26","name":"securityblog"}]}},"_links":{"self":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/comments?post=417"}],"version-history":[{"count":3,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/417\/revisions"}],"predecessor-version":[{"id":1289,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/417\/revisions\/1289"}],"wp:attachment":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/media?parent
=417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/categories?post=417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/tags?post=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}