SAP Security - User Admin - Part 03
SAP User Administration – Key Tables (Original Summary)
1. User Master Data
These tables store the core details of SAP users.
- USR02 – Logon-related data such as password status, validity dates, and lock flags
- USR21 – Links SAP user IDs to person numbers (HR / address integration)
- USR01 – User defaults (date format, decimal notation, logon language)
- USR03 – Last logon information and logon statistics
- USR04 – User-specific authorizations (older authorization concept)
2. Roles and Profiles
Used to manage role-based access control.
- AGR_DEFINE – Role header information (single and composite roles)
- AGR_USERS – Assignment of users to roles
- AGR_1251 – Authorization data contained in roles
- AGR_1252 – Organizational level values in roles
- AGR_PROF – Profiles generated from roles
- UST04 – Profiles directly assigned to users
3. Authorization Objects & Values
Controls what actions users can perform.
- USOBX_C – Check indicators for authorization objects
- USOBT_C – Authorization object default values
- UST10C – Authorization profiles and their descriptions
- UST12 – Authorization values for profiles
4. User Groups & Administration Control
Helpful for segregation and admin ownership.
- USGRP – User groups for administration and security separation
- S_USER_GRP – (Authorization object, not a table, but critical for admins)
5. Password & Lock Information
Security-focused monitoring tables.
- USH02 – Password history (used to prevent reuse)
- USR40 – Password rules and security parameters
6. Logs & Change Tracking
Used for audits and compliance.
- DBTABLOG – Table change logs (when logging is enabled)
- CDHDR – Change document headers
- CDPOS – Change document details
- RSAU_BUF_DATA – Security audit log buffer
7. HR-Linked User Data (If SAP HCM Is Active)
- PA0105 – Communication data (SAP user ID stored as subtype)