SAP authorization limits

Welcome everybody!

In this post, we’ll analyze the most important SAP authorization limits. If you came across this page, you probably know that they exist – and may have made an unpleasant acquaintance with them.
However, did you ever wonder about the reasons?

Profiles per user

A maximum of 312 profiles can be assigned per user.
This includes standalone profiles (SU02) as well as role profiles; composite profiles (like SAP_ALL) count as one; roles may consist of more than one profile (see below).

The profile-to-user assignment is stored in table USR04; the relevant fields are BNAME (user name) and PROFS (list of assigned profiles).
The field PROFS has a length of 3750 characters, and the first two characters are reserved for the user’s change flag (“C” = created, “M” = modified) plus a space character. The remaining 3748 characters hold the list of profile names (12 characters reserved for each; shorter names are right-padded with spaces).

Thus, the maximum number of profiles is:

(3750 – 2) / 12 = 312.3… ➜ 312

Remark: on “older” systems this limit used to be 300 due to a hard-coded limitation (see SAP Note 841612).

Authorizations per profile

The maximum number of authorizations per profile is 170.

The authorizations assigned to a profile are stored in table USR10, which holds the profile name in field PROFN and the list of authorizations in field AUTHS.
Analogous to the profile-to-user assignment, this field is 3750 characters long and starts with two reserved characters: the profile’s change flag (“C” = created, “M” = modified) plus a space character.
Each entry in the remaining space consists of the authorization object (10 characters) plus the authorization itself (12 characters).

Hence, the calculation is:

(3750 – 2) / (10 + 12) = 170.36… ➜ 170
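
The two field layouts described above (USR04-PROFS and USR10-AUTHS) can be decoded with one fixed-width parser, which also shows how many slots a user or profile has left before hitting the limit. The following Python code is an added example, not code from SAP or from the original post; the function names and sample values are made up, and it assumes entries are stored contiguously from the start of the field.

```python
FIELD_LEN = 3750   # length of USR04-PROFS and USR10-AUTHS (from the article)
RESERVED = 2       # change flag ("C"/"M") plus one space


def capacity(*widths):
    """Whole entries that fit behind the reserved prefix."""
    return (FIELD_LEN - RESERVED) // sum(widths)


def parse_packed(raw, *widths):
    """Split a packed field into (change_flag, entries).

    widths are the sub-field lengths of one entry: (12,) for PROFS,
    (10, 12) for AUTHS. Assumption: entries are stored contiguously, so
    the first blank slot ends the list.
    """
    if len(raw) > FIELD_LEN:
        raise ValueError(f"field longer than {FIELD_LEN} characters")
    flag, body = raw[:1], raw[RESERVED:]
    slot = sum(widths)
    entries = []
    for i in range(capacity(*widths)):
        chunk = body[i * slot:(i + 1) * slot]
        if not chunk.strip():
            break
        parts, pos = [], 0
        for w in widths:
            parts.append(chunk[pos:pos + w].rstrip())
            pos += w
        entries.append(tuple(parts))
    return flag, entries


def headroom(raw, *widths):
    """Free slots left before the limit derived in the article."""
    return capacity(*widths) - len(parse_packed(raw, *widths)[1])


# Constructed sample values, not taken from a real system.
SAMPLE_PROFS = "M " + "".join(
    p.ljust(12) for p in ("SAP_ALL", "T-AB120001", "Z_HR_DISPLAY"))
SAMPLE_AUTHS = "C " + "S_TCODE".ljust(10) + "T-AB12000100".ljust(12)

if __name__ == "__main__":
    for raw, widths in ((SAMPLE_PROFS, (12,)), (SAMPLE_AUTHS, (10, 12))):
        flag, entries = parse_packed(raw, *widths)
        print(flag, entries, "free slots:", headroom(raw, *widths))
```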

Profiles per role

One single role may consist of up to 101 profiles holding the authorization data.

When generating a role, one profile is created for every chunk of 170 authorizations.
Those profiles are “numbered” using a two-character suffix starting with “  ” (two spaces), then “1 ”, “2 ”, … “10”, …
When the suffix reaches “99” it is incremented to “*0” (asterisk-zero), because it’s not an integer but a character variable. After the next 170 authorizations, SAP tries to increment it again – which is impossible, since the variable is not numeric anymore.
This leads to a “CONVT_NO_NUMBER” short dump in PFCG and SUPC.

See you!
