Critical SAP Authorization Objects
Grants access to critical system administration functions, such as starting/stopping services, performing system configuration changes, and maintaining system settings.
Allows full administrative control over all batch jobs in the system, regardless of ownership.
Provides authority to create, schedule, release, and manage batch jobs. Note that managing jobs not owned by the user also depends on settings in S_BTCH_NAM.
Controls which users can schedule batch jobs under different user names, effectively managing the ability to run jobs as another user.
Controls access to execute specific function modules, which are central to various business processes and system functionalities.
Grants the ability to perform file operations on the application server, such as reading, writing, and deleting files. This access can be highly sensitive depending on the data involved.
Controls display and maintenance access to table contents based on table authorization groups, which is critical since tables often contain business and configuration data.
Allows maintenance access to specific tables based on individual table names rather than authorization groups, providing more granular control.
Controls the ability to maintain cross-client tables, affecting data that spans all clients within the SAP system.
Controls access to execute specific SAP transactions, serving as the first line of defense in transaction-level security.
Governs permissions for Remote Function Calls (RFC), which can execute functions remotely and are critical for system integration and communication.
Controls access to the ABAP development environment, including the ability to create, modify, or delete custom ABAP code and development objects, impacting system functionality and security.
Controls access to execute, create, and maintain ABAP programs and variants, which can perform a wide range of system and business functions.
Provides access to create, modify, and delete authorization roles (activity groups). Note: Assigning roles to users is controlled by S_USER_GRP and S_USER_SUA.
Manages which user groups a user can maintain, effectively controlling access to user master records within specified groups.
Grants the ability to manage authorization profiles, which are collections of authorizations that can be assigned to users.
Allows maintenance of special attributes in user master records, such as Secure Network Communications (SNC) names used for Single Sign-On (SSO).
Manages system assignments in user master records, particularly important in Central User Administration (CUA) environments.
Controls activities related to the Transport Management System (TMS), including the ability to import and export transport requests, which can move configurations and developments between systems.
Manages permissions for Graphical User Interface (GUI) activities, such as file download/upload and clipboard access, which can be used to extract or inject data.
Authorizes the user to manage system load balancing settings and configurations, ensuring proper distribution of workload across servers.
Provides access to modify SAP screen layouts using the SAP Screen Painter tool, allowing customization of user interfaces.
Allows administration of Secure Network Communications (SNC) configurations, which are used for Single Sign-On (SSO) and secure communication between SAP systems and external entities.