
Friday, January 04, 2013

HowTo: Hide SAP tables including USR02

Within an SAP system, user account passwords are hashed and stored in the SAP schema table USR02.
If SAP users have access to transaction SE16, then by default they can display the USR02 table.

This gives the user the opportunity to see the password hash values.

A user could spot a commonly used password hash and, provided they know the plaintext password that generated it, use it to log in as a different SAP user, possibly one with higher privileges.

More importantly, if the user manages to modify the table through transaction SM30, they could set their own hash values.

It is better to create a new authorisation group for the USR02 table and then exclude that group from the user roles via authorization object S_TABU_DIS, by restricting its "Authorization Group" field.

An example would be to create a new authorisation group "ZZND" (zz no display) in transaction SE54.
Then, still in SE54, assign all the tables you do not wish anyone to see to the new auth group.

Use transaction PFCG to edit your roles and change authorisation S_TABU_DIS so that the field "Authorization Group" is set to the range "$*" to "ZY*" (this range excludes ZZ*).

The next time the users try to access the table, they will receive a no authorization prompt in SE16.

UPDATE 30/05/2014: The post above was based on R/3 4.7.  Later releases may already have an SC auth group defined containing the USR* tables, plus others.  You may still wish to create your own ZZND auth group to ensure continuity across upgrades and for your own standardisation practices if you must customise the list of tables in the auth group.  Thanks Matt.


Isabelle Dainezi said...

Can changing this authorization group impact the transactions and programs which do selects on table USR02?
How to avoid this risk?

Darryl Griffiths said...

Hi Isabelle,

The authorization is user role/profile specific.
It only affects the users, not the actual transactions.
So, if you need a specific user to be able to execute the transaction which reads from USR02, then assign a role/profile to that user which permits activity "DISPLAY" for Auth Group ZZND.

Hope that answers your question.
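To make the effect of the procedure in the post and of Darryl's answer concrete, here is an added Python model of the S_TABU_DIS check. It is not part of the original post and not SAP code: the table-to-group assignments are a constructed sample standing in for what SE54 maintains (real systems keep this in table TDDAT), and the matching rules are an assumption (a from/to range is treated as a lexicographic string comparison and a trailing "*" as a prefix wildcard), which simplifies the real kernel check. "&NC&" is the group a table with no assignment is checked against. The model shows why the range "$*" to "ZY*" leaves USR02 invisible while ordinary tables stay visible, and how a second authorization granting DISPLAY on ZZND reopens read access for a specific role without granting change access.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed sample of the table-to-authorization-group assignment that
# SE54 maintains (in a real system this lives in table TDDAT). USR02 has
# been moved into the "zz no display" group from the post.
TABLE_AUTH_GROUPS = {
    "USR02": "ZZND",    # password hashes
    "USH02": "ZZND",    # change history of USR02, kept alongside it
    "T000": "SS",       # client table, left in its standard group
    "ZCUSTOM": "&NC&",  # customer table with no auth group assigned
}

NO_GROUP = "&NC&"   # group checked for a table with no assignment
DISPLAY = "03"      # S_TABU_DIS activity values (ACTVT)
CHANGE = "02"

# A DICBERCLS entry is either a single value (optionally ending in "*")
# or a (from, to) range, as entered in PFCG.
GroupSpec = Union[str, Tuple[str, str]]


@dataclass
class TabuDisAuth:
    """One S_TABU_DIS authorization carried by a role: activities + groups."""
    activities: List[str]
    groups: List[GroupSpec]


def _group_matches(group: str, spec: GroupSpec) -> bool:
    # Assumption: a from/to range is a plain lexicographic string comparison
    # and a trailing "*" is a prefix wildcard (simplified kernel semantics).
    if isinstance(spec, tuple):
        low, high = spec
        return low <= group <= high
    if spec.endswith("*"):
        return group.startswith(spec[:-1])
    return group == spec


def _activity_matches(activity: str, spec: str) -> bool:
    return spec == "*" or spec == activity


def is_table_access_allowed(table: str, activity: str,
                            auths: List[TabuDisAuth]) -> bool:
    """True if any authorization grants `activity` on the table's group."""
    group = TABLE_AUTH_GROUPS.get(table, NO_GROUP)
    for auth in auths:
        if (any(_activity_matches(activity, a) for a in auth.activities)
                and any(_group_matches(group, g) for g in auth.groups)):
            return True
    return False


def tables_visible_to(auths: List[TabuDisAuth]) -> List[str]:
    """Audit helper: which sample tables a set of authorizations can display."""
    return sorted(t for t in TABLE_AUTH_GROUPS
                  if is_table_access_allowed(t, DISPLAY, auths))


# The default situation the post warns about: S_TABU_DIS with "*" on both
# fields, which lets the user display (and, via SM30, change) USR02.
WIDE_OPEN = [TabuDisAuth(activities=["*"], groups=["*"])]

# The hardened role from the post: display only, group range "$*" to "ZY*",
# which stops short of ZZ*.
HARDENED = [TabuDisAuth(activities=[DISPLAY], groups=[("$*", "ZY*")])]

# The exception Darryl describes: an extra authorization granting DISPLAY
# on ZZND for a user who must run a program that reads USR02.
HARDENED_PLUS_ZZND = HARDENED + [TabuDisAuth(activities=[DISPLAY], groups=["ZZND"])]


if __name__ == "__main__":
    for name, auths in [("wide open", WIDE_OPEN), ("hardened", HARDENED),
                        ("hardened + ZZND display", HARDENED_PLUS_ZZND)]:
        print(f"{name:24s} USR02 display={is_table_access_allowed('USR02', DISPLAY, auths)}"
              f" change={is_table_access_allowed('USR02', CHANGE, auths)}"
              f" visible={tables_visible_to(auths)}")
```

Running the script prints one line per role set; the hardened role sees only T000 and ZCUSTOM, and adding the ZZND display authorization brings USR02 and USH02 back into view while change (activity 02) stays denied.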