10 Important SAP Tables Every Security Professional Must Master
A Deep Dive into 10 Critical Tables That Simplify the Way You Work in S/4HANA Authorization, Audit, and Access Controls
In SAP Security, many professionals limit their knowledge to the "famous five" – USR01, AGR_DEFINE, AGR_1251, USR40, and TSTC. But ask any seasoned auditor or security SME, and they’ll tell you — true security diligence lies beneath the surface.
SAP's internal mechanics rely heavily on technical tables that drive the solution behaviour. Whether you’re defending against fraud, troubleshooting access issues, or preparing for an audit, understanding these tables will elevate your insights far beyond role assignments.
Let’s deep dive into 10 powerful but underused SAP tables that every security consultant and auditor should know in an S/4HANA world.
1. TSTCA – Authorization Object Enforcement for Tcodes
What It Is:
The TSTCA table manages the linkage between transaction codes and their associated authorization objects. While a user may have access to a transaction in PFCG, additional authorization checks might be required at the TSTCA level. It holds data about mandatory authorization objects that must be satisfied before a user can execute the transaction.
Use Case:
Consider a user with access to SE38 - ABAP Editor through their role. Upon attempting to execute SE38, they encounter an error like "You don’t have authorization to execute SE38", even though the transaction has been added to the user through a role in PFCG.
This is because TSTCA defines additional authorization checks that might require an additional object like `S_DEVELOP`, regardless of whether the tcode has been added to the role. See below:
Audit Tip:
When investigating access errors that don’t align with SU24 configurations, always check TSTCA. This will provide insight into whether the issue stems from missing authorization objects not reflected in PFCG.
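The check described above can be reproduced offline against exported table rows. The following is an added example, not code from the original article: the TSTCA rows, the user's transactions and the user's authorizations are constructed sample data, and value ranges are not modelled.

```python
from collections import defaultdict

# Constructed sample rows in TSTCA layout: (TCODE, OBJCT, FIELD, VALUE).
TSTCA_ROWS = [
    ("SE38", "S_DEVELOP", "OBJTYPE", "PROG"),
    ("SE38", "S_DEVELOP", "ACTVT", "03"),
    ("SU01", "S_USER_GRP", "ACTVT", "03"),
]

# Constructed user data: S_TCODE values from the roles, plus the user's
# authorizations per object (one dict of field -> allowed values each).
USER_TCODES = {"SE38", "SU01"}
USER_AUTHS = {"S_USER_GRP": [{"CLASS": ["*"], "ACTVT": ["03", "08"]}]}

def covers(pattern, value):
    """Match a single value or a trailing-* pattern (ranges are not modelled)."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def start_checks(rows):
    """Group TSTCA rows into {tcode: {object: {field: required value}}}."""
    checks = defaultdict(lambda: defaultdict(dict))
    for tcode, objct, field, value in rows:
        checks[tcode][objct][field] = value
    return checks

def auth_satisfies(auth, required):
    """A single authorization must cover every required field value."""
    return all(
        any(covers(p, value) for p in auth.get(field, []))
        for field, value in required.items()
    )

def blocked_tcodes(tcodes, auths, rows):
    """Return {tcode: [objects missing]} for tcodes granted via S_TCODE only."""
    checks = start_checks(rows)
    blocked = {}
    for tcode in sorted(tcodes):
        missing = [
            objct for objct, required in checks.get(tcode, {}).items()
            if not any(auth_satisfies(a, required) for a in auths.get(objct, []))
        ]
        if missing:
            blocked[tcode] = missing
    return blocked

if __name__ == "__main__":
    print(blocked_tcodes(USER_TCODES, USER_AUTHS, TSTCA_ROWS))
```

Transactions listed in the result are in the user's role but fail at start because no single authorization for the TSTCA object covers all required field values.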
2. TCDCOUPLES – Coupled Transactions in the Shadows
What It Is:
The TCDCOUPLES table defines the relationship between coupled transactions, a mechanism used when one transaction triggers another. For instance, custom programs or even standard workflows often chain transactions together. `TCDCOUPLES` reveals these hidden transaction relationships, which may allow users to access critical functions indirectly.
Use Case:
Suppose a user has access to a custom Z-program that posts to the G/L using FB01, but they do not directly have access to FB01. In such cases, the system might allow the user to execute the Z-program and indirectly perform FB01 actions because of the coupling mechanism defined in TCDCOUPLES.
Audit Insight:
During an SoD and critical access review, TCDCOUPLES is a critical table to analyze. It often exposes hidden access risks that might be overlooked when assessing direct access to standard transactions. This table also supports effective access troubleshooting and helps in role impact analysis.
Pro Tip:
Make sure to include TCDCOUPLES in your access risk assessments, particularly in customized environments where transaction coupling may bypass standard SoD controls.
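One way to fold TCDCOUPLES into an access risk assessment is to follow the call chains from the transactions a role grants directly. This is an added example, not code from the original article: the rows are constructed, ZFI_POST and ZFI_LOG are hypothetical custom transactions, and it assumes an OKFLAG of 'X' means the called transaction is authorization-checked while any other value means it is not.

```python
from collections import deque

# Constructed sample rows in TCDCOUPLES layout: (CALLING, CALLED, OKFLAG).
# Assumption: OKFLAG 'X' = called transaction is authorization-checked;
# any other value = the call goes through without that check.
TCDCOUPLES_ROWS = [
    ("ZFI_POST", "FB01", ""),
    ("FB01", "FB03", "X"),
    ("ZFI_POST", "ZFI_LOG", "N"),
    ("ZFI_LOG", "F110", ""),
    ("VA01", "VL01N", "X"),
]

def unchecked_edges(rows):
    """Build {calling: {called, ...}} from pairs whose check is not active."""
    graph = {}
    for calling, called, okflag in rows:
        if okflag != "X":
            graph.setdefault(calling, set()).add(called)
    return graph

def indirect_access(direct_tcodes, rows):
    """Map each indirectly reachable tcode to the shortest call chain to it."""
    graph = unchecked_edges(rows)
    paths = {}
    queue = deque((t, [t]) for t in sorted(direct_tcodes))
    while queue:
        tcode, path = queue.popleft()
        for called in sorted(graph.get(tcode, ())):
            if called in direct_tcodes or called in paths:
                continue  # already assigned directly or already reported
            paths[called] = path + [called]
            queue.append((called, paths[called]))
    return paths

def sod_hits(direct_tcodes, rows, critical):
    """Keep only the indirect transactions that are on the critical list."""
    reach = indirect_access(direct_tcodes, rows)
    return {t: p for t, p in reach.items() if t in critical}

if __name__ == "__main__":
    for tcode, chain in sod_hits({"ZFI_POST"}, TCDCOUPLES_ROWS,
                                 {"FB01", "F110", "FB03"}).items():
        print(tcode, "via", " -> ".join(chain))
```

The call chain in each hit shows the reviewer which directly assigned transaction opens the path, which is the entry to remediate or to mark as checked.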
3. TDDAT – Table Authorization Groups
What It Is:
The TDDAT table is used to define authorization groups for database tables. Authorization groups are used to control access to specific tables via authorization objects like S_TABU_DIS or S_TABU_NAM. This table ensures that sensitive business data within tables is accessible only to authorized users.
Use Case:
You may want to restrict access to customer master data stored in the BUT000 table. By checking TDDAT, you can identify which authorization groups are associated with this table. This allows you to manage access control on a granular level for sensitive business data.
Audit Tip:
For audit purposes, regularly review the TDDAT table to identify critical tables exposed through generic access, like S_TABU_DIS. This will help identify high-risk tables that may require stronger access controls.
Pro Tip:
Conduct a quarterly review of table-level access for highly sensitive tables such as finance, HR, and personal data to ensure that proper restrictions are applied.
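The review described above can be run over exported TDDAT rows and the S_TABU_DIS values held in roles. This is an added example, not code from the original article: the authorization group names, the role names and the custom table ZCUST_BANK are constructed, a table with no group is treated as group &NC&, and S_TABU_NAM and value ranges are not modelled.

```python
# Constructed sample rows in TDDAT layout: (TABNAME, CCLASS).
# Group names are invented for the example; a blank group is treated as &NC&.
TDDAT_ROWS = [
    ("BUT000", "ZBP"),
    ("PA0008", "ZHR"),
    ("BSEG", "ZFI"),
    ("ZCUST_BANK", ""),  # hypothetical custom table without a group
]
SENSITIVE = {"BUT000", "PA0008", "BSEG", "ZCUST_BANK"}

# Constructed S_TABU_DIS authorizations per role (hypothetical role names).
ROLE_S_TABU_DIS = {
    "Z_BASIS_DISPLAY": [{"DICBERCLS": ["*"], "ACTVT": ["03"]}],
    "Z_FI_CLERK": [{"DICBERCLS": ["ZFI"], "ACTVT": ["02", "03"]}],
    "Z_SUPPORT": [{"DICBERCLS": ["&NC&", "ZB*"], "ACTVT": ["03"]}],
}

def covers(pattern, value):
    """Match a single value or a trailing-* pattern (ranges are not modelled)."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def table_groups(rows):
    """Map each table to its authorization group, defaulting to &NC&."""
    return {tab: (grp.strip() or "&NC&") for tab, grp in rows}

def exposed_tables(role_auths, rows, sensitive):
    """Return {role: {table: [activities]}} for sensitive tables a role reaches."""
    groups = table_groups(rows)
    report = {}
    for role, auths in role_auths.items():
        hits = {}
        for auth in auths:
            for table in sensitive:
                group = groups.get(table, "&NC&")  # not in TDDAT: no group
                if any(covers(p, group) for p in auth["DICBERCLS"]):
                    hits.setdefault(table, set()).update(auth["ACTVT"])
        if hits:
            report[role] = {t: sorted(a) for t, a in sorted(hits.items())}
    return report

if __name__ == "__main__":
    for role, tables in exposed_tables(ROLE_S_TABU_DIS, TDDAT_ROWS, SENSITIVE).items():
        print(role, tables)
```

Roles that reach every sensitive table through a `*` group, or reach ungrouped tables through &NC&, are the generic-access cases the audit tip is aimed at.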
4. PRGN_CUST – Customization Settings for Authorization Process
What It Is:
PRGN_CUST is a standard SAP table used to store Customizing settings for authorization processes in SAP systems. Examples include the parameter BNAME_RESTRICT, which determines the rules for defining user names, and the profile generation parameter PROFILE_TRANSPORT, which can be set to prevent authorization profiles from being transported with roles, and much more.
Below are the Customizing Switches from Table PRGN_CUST:
Use Case:
The authorization object S_USER_SAS is evaluated when transactions SU01, SU10, PFCG, and PFUD are executed and whenever roles, profiles, or systems are assigned to users.
To enable this check, activate the object by setting the Customizing switch CHECK_S_USER_SAS (Activation of Authorization Object S_USER_SAS, Note 536101; the default value is YES) to YES in the PRGN_CUST table.
If this parameter is not activated, the system defaults to checking the older authorization objects: S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS.
Pro Tip:
Ensure PRGN_CUST is checked during role migration between different SAP systems, especially when moving roles from a development environment to production. This helps ensure consistency and correct behavior of roles across systems.
5. SSM_CUST – Set Value for the Session Manager / Profile Generator
What It Is:
SSM_CUST is a standard SAP table used to store the Set Values for the Session Manager / Profile Generator. This table contains customer-specific data that is used to control system settings.
This table is particularly useful for customizing the SAP Easy Access menu and managing user interface behavior in the SAP GUI Launchpad. For example:
The visibility of the SAP menu can be controlled using the parameter SAP_MENU_OFF.
The user menu visibility can be managed with the parameter CUSTOMER_MENU_OFF.
For a list of Customizing switches from the SSM_CUST table relevant to User and Role Administration, refer to the SAP Help Portal page below:
Use Case:
Adding or Changing the Logo on the SAP Easy Access Logon Screen
If you want to customize or restrict the standard SAP GUI Launchpad or SAP Easy Access screen, the SSM_CUST table can be used to modify the default screen, menu options, and so on.
Audit Tip:
Check SSM_CUST for users who might be accessing extra menus or unnecessary entry points. You can hide options that are not needed to limit exposure of functionality.
6. USOB_CONTAINER – SU24 Authorization Object Containers
What It Is:
The USOBCONTAINER table links authorization objects to transactions and applications. It is one of the core tables that supports SU24 in newer SAP versions and is essential for managing the object grouping and association within transactions and applications.
Use Case:
When customizing SU24 to set authorization defaults for custom transactions, USOBCONTAINER is used to ensure accurate object linkage and inheritance. Misconfiguration here can lead to roles being either overloaded with unnecessary authorizations or missing required objects.
Audit Tip:
During role configuration audits, verify the contents of USOBCONTAINER to ensure that authorization objects are correctly mapped to transactions. Missing or misassigned objects can lead to security gaps.
Pro Tip:
Before moving roles into production, ensure that USOBCONTAINER is fully aligned with business requirements, particularly for custom transactions or enhanced applications.
7. AGR_APPL_VARS – Application Variables in Roles
What It Is:
The AGR_APPL_VARS table stores dynamic parameters or application-specific variables within roles and helps you maintain those variables.
Use Case:
This table is especially helpful when creating template roles for applications such as HR or SRM, where values like region, organizational unit, or other context-specific factors may vary.
Audit Relevance:
From an audit perspective, this table provides visibility into environment-specific variations of roles and helps determine whether post-go-live adjustments are required.
8. /UI2/FLIA – Fiori Launchpad Intent Analysis
What It Is:
/UI2/FLIA (Fiori Launchpad Intent Analysis) lets you manage and troubleshoot Fiori launchpad intents (semantic objects and actions). It facilitates the analysis of errors in target mappings and provides detailed insights into semantic objects and actions based on user role assignments.
Use Case:
When a user clicks on a Fiori tile but is redirected to the wrong app or the app fails to launch, /UI2/FLIA helps you trace and debug the mapping between the intent, the assigned roles, and the user’s role assignments.
To use this tool, execute transaction /UI2/FLIA. You will find multiple filtering options to narrow down your analysis.
Enter the intent by specifying the semantic object and action, separated by a hyphen (-).
After entering the intent, execute the search and review the “Message” column to identify any errors.
9. /UI2/V_ALIASMAP - Alias Mappings
What It Is:
/UI2/V_ALIASMAP is typically used to view and manage the mapping of system aliases in SAP Fiori environments. System aliases are essential for routing Fiori apps and OData services to the correct backend system, especially in hub deployment scenarios where the Fiori Launchpad runs on a front-end server but calls backend services from different systems.
Use Case:
When deploying Fiori apps in a distributed landscape (e.g., Frontend Server + multiple Backend Servers), /UI2/V_ALIASMAP helps maintain and verify which alias points to which backend.
It is also useful when troubleshooting connectivity issues or when setting up new backend connections.
10. E070 – Transport Requests Header Table
What It Is:
The E070 table stores the header data for all transport requests. It tracks changes to roles, authorizations, and SU24 updates, providing an audit trail of who changed what, when, and how it moved through the system landscape.
Use Case:
When performing an audit or investigating unauthorized role changes, E070 provides visibility into the transport request, including the developer or admin who made the changes and the timestamp of the modification.
Audit Tip:
Always review E070 when conducting audits to ensure that role changes and authorization adjustments were properly documented and transported through the correct channels.
Conclusion: These Tables Tell the Story
Security in SAP is not just about users and roles. It’s about understanding how the system behaves, how authorization logic is triggered, and where configurations quietly influence security posture. Whether you're implementing an S/4HANA greenfield, optimizing Fiori security, or preparing for your next audit, mastering these hidden gems will set you apart.