Daniel Berlin on Security SAP Security, SAP Authorizations, IT Audit… and all the rest

11Dec 11

SAP authorization limits

Hello everybody,
in this post, we'll analyze the most important SAP authorization limits. If you came across this page, you probably know that they exist – and may have made an unpleasant acquaintance with them.
However, did you ever wonder about the reasons ?

Profiles per user

A maximum of 312 profiles can be assigned per user.
This includes standalone profiles (SU02) as well as role profiles; composite profiles (like SAP_ALL) count as one; roles may consist of more than one profile (see below).

Reason :
The profile-to-user assignment is stored in table USR04; the relevant fields are BNAME (user name) and PROFS (list of assigned profiles).
The field PROFS has a length of 3750 characters and the first two characters are reserved for the user’s change flag ("C" = created, "M" = modified) plus a space character. The remaining 3748 characters hold the list of profiles names (12 characters reserved for each, shorter names are right-padded with spaces).

Thus, the maximum number of profiles is :

(3750 – 2) / 12 = 312,3… » 312

Remark : on "older" systems this limit used to be 300 due to a hard-coded limitation (see SAP Note 841612).

Authorizations per profile

The maximum number of authorizations per profile is 170.

Reason :
The authorizations assigned to a profile are stored in table USR10, which holds the profile name in field PROFN and the list of authorizations in field AUTHS.
Analogous to the profile-to-user assignment, this field is 3750 characters long and starts with two reserved characters: the profile’s change flag ("C" = created, "M" = modified) plus space.
Each entry in the remaining space consists of the authorization object (10 characters) plus the authorization itself (12 characters).

Hence, the calculation is :

(3750 – 2) / (10 + 12) = 170,36… » 170

Profiles per role

One single role may consist of up to 101 profiles holding the authorization data.

Background :
When generating a role, one profile is created for every chunk of 170 authorizations.
Those profiles are "numbered" using a two-character appendix starting with " " (two spaces), then "1 ", "2 " … "10" …
When the appendix reaches "99" it is incremented to "*0" (asterisk-zero), because it's not an integer but a character variable. After the next 170 authorizations, SAP tries to increment it again – which is impossible, since the variable is not numeric any more.
Short dump
This leads to a "CONVT_NO_NUMBER" short dump in PFCG and SUPC.