Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Support Package Upgrade: How to Update SAP Authorization Roles, Part 1

  • Font size: Larger Smaller
  • Hits: 7413
  • Print

If you haven’t already noticed, in some SAP support packages several T-Codes have been replaced with other T-Codes. These changes create a challenge in maintaining your company’s authorizations, and there are also implications to the GRC module. So, what do you do?


Follow these two main steps:

1. Update user authorizations so they match the T-Code changes

2. Update the relevant GRC rules and add the new T-Codes

Step #1: Updating User Authorizations

An authorization manager, a customer of ours, was requested to modify all employee authorization roles to accommodate for the T-Code changes during a support package upgrade project. But, considering the amount of users and the amount of roles in the organization, the task was estimated to take at least three weeks worth of work.

The current user authorizations had already been bothering him. He felt that the user authorizations were too widespread and for some time he’d wanted to narrow them down according to actual de-facto usage. Replacing the T-Codes now would be prolonging a situation that was not efficient.

He decided to use the opportunity to his advantage and came up with a better idea from a security point of view – one that would be much more efficient in terms of SAP authorizations. He would replace the T-Codes only for the users who really use these T-Codes, and delete them from users who don’t. This would get the job done well, and increase the security level. Great idea.

So now Step 1 (Update user authorizations so they match the T-Code changes) has become two sub-steps:

1a. Identify who really used the old T-Codes

1b. Update user roles and authorizations according to actual usage

Step 1a: Identify who really used the old T-Codes

How would this authorization manager know which T-Codes were in use, and by whom?

He could have used ST03N in order to identify the T-Codes that were recently used, but not only would that have taken him a significant amount of time, he would also have had to work hard on the raw data in order to get usable results for the project. Because he was using ProfileTailor Dynamics anyway, he was able to identify within a matter of minutes who really used the old T-Codes. He created an Activity Group “Old T-Codes” and produced the report called “Activity to Users (Real Use).” Since the software is based on user behavior analysis, the report showed him a list of users and the T-Codes they’d been using over the past year including the amount of use. He was able to see the most active T-Codes (see image below) and also the most active users with these T-Codes, so he could easily know where to put his focus.

Authorizations_Report_Pivot_Excel.pngThis report showing activities and their corresponding usage percentages allows the authorization manager to focus on the most active ones. The tabs at the bottom of the spreadsheet include the raw data.


Step 1a? Check.

Now the authorization manager is on his way to updating SAP authorization roles for the SAP support package upgrade.

Look for our next posts to see how he accomplished 1b and Step 2.

See how ProfileTailor Dynamics can help you put your authorizations in order.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • Guest
    Punit Bafna 04/06/2014

    Hi Yoav, Good Article. Can we have a demo of the ProfileTailor Dynamics tool and how it can coexist with GRC10 and other tools in place.

  • Guest
    Yoav Michaeli 04/06/2014

    Hi Punit Bafna,
    Thank you for your kind words. Yes, I will ask our sales team to contact you.
    Regards, Yoav

Leave your comment

Guest 28/06/2017


in XpandionPosted by Yoav Michaeli

Pay (Only) As You Use

Pay (only) as you use – innovative approach? Indeed (although we have already recommended a similar approach in SAP licensing by concurrent users, suggesting that companies pay only for the licenses they really need). I am a big believer in SAP® and also in methods that enable enterprises to be...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Dror Aviv

SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit

    37 inShare (This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots). When it comes to SAP audit time, audi...
in Security & AuthorizationsPosted by Dror Aviv

Take Your Hands off of SAP T-Code SU01!

In many organizations, the access to the sensitive SAP T-Code SU01 is much wider than needed. Let's explore why.

in Security & AuthorizationsPosted by Yoav Michaeli

The Adventures of a Bored Programmer

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India