Daniel Berlin on Security Insight on SAP security, development stuff… and all the rest

11 Dec 11

SAP authorization limits

Hello everybody,
in this post, I'd like to analyze the most important SAP authorization limits. If you came across this page, you probably know that they exist, and you may already have run into them.
However, did you ever wonder about the reasons?

Profiles per user

A maximum of 312 profiles can be assigned per user.
This includes standalone profiles (SU02) as well as role profiles; composite profiles (like SAP_ALL) count as one; roles may consist of more than one profile (see below).

Reason:
The profile-to-user assignment is stored in table USR04; the relevant fields are BNAME (user name) and PROFS (list of assigned profiles).
The field PROFS has a length of 3750 characters, and the first two characters are reserved for the user's change flag ("C" = created, "M" = modified) plus a space character. The remaining 3748 characters hold the list of profile names (12 characters are reserved for each; shorter names are right-padded with spaces).

Thus, the maximum number of profiles is:

(3750 – 2) / 12 = 312.3… → 312

Remark : on "older" systems this limit used to be 300 due to a hard-coded limitation (see SAP Note 841612).

Authorizations per profile

The maximum number of authorizations per profile is 170.

Reason:
The authorizations assigned to a profile are stored in table USR10, which holds the profile name in field PROFN and the list of authorizations in field AUTHS.
Analogous to the profile-to-user assignment, this field is 3750 characters long and starts with two reserved characters: the profile’s change flag ("C" = created, "M" = modified) plus space.
Each entry in the remaining space consists of the authorization object (10 characters) plus the authorization itself (12 characters).

Hence, the calculation is:

(3750 – 2) / (10 + 12) = 170.36… → 170
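To make the two layouts above concrete, here is an added example (not code from the original post) that builds and decodes USR04.PROFS and USR10.AUTHS values in exactly the described fixed-width form and derives the 312 and 170 limits from the field geometry. The sample profile and authorization names are constructed; real values would come from a table export.

```python
"""Decoding the two fixed-width list fields described above.

Added example; not code from the original post. The field values built
below are constructed to match the described layout, not rows exported
from a real system.
"""

FIELD_LEN = 3750        # length of USR04.PROFS and of USR10.AUTHS
HEADER_LEN = 2          # change flag ("C" or "M") followed by one space
PROFILE_NAME_LEN = 12   # one profile name per slot in USR04.PROFS
AUTH_OBJECT_LEN = 10    # authorization object part of a USR10.AUTHS entry
AUTH_NAME_LEN = 12      # authorization name part of a USR10.AUTHS entry


def capacity(entry_len: int, field_len: int = FIELD_LEN, header_len: int = HEADER_LEN) -> int:
    """Whole entries that fit after the header: the post's (3750 - 2) / width, rounded down."""
    return (field_len - header_len) // entry_len


def _chunks(payload: str, entry_len: int) -> list[str]:
    """Cut the padded payload into fixed slots and drop the unused (blank) ones."""
    slots = [payload[i:i + entry_len] for i in range(0, len(payload), entry_len)]
    return [s for s in slots if s.strip()]


def parse_profs(profs: str) -> tuple[str, list[str]]:
    """USR04.PROFS -> (change flag, profile names without padding)."""
    if len(profs) != FIELD_LEN:
        raise ValueError(f"PROFS must be {FIELD_LEN} characters, got {len(profs)}")
    return profs[0], [s.rstrip() for s in _chunks(profs[HEADER_LEN:], PROFILE_NAME_LEN)]


def parse_auths(auths: str) -> tuple[str, list[tuple[str, str]]]:
    """USR10.AUTHS -> (change flag, [(authorization object, authorization), ...])."""
    if len(auths) != FIELD_LEN:
        raise ValueError(f"AUTHS must be {FIELD_LEN} characters, got {len(auths)}")
    entries = _chunks(auths[HEADER_LEN:], AUTH_OBJECT_LEN + AUTH_NAME_LEN)
    return auths[0], [(e[:AUTH_OBJECT_LEN].rstrip(), e[AUTH_OBJECT_LEN:].rstrip()) for e in entries]


def build_profs(flag: str, names: list[str]) -> str:
    """Constructed PROFS value; refuses lists that would not fit into the field."""
    body = "".join(n.ljust(PROFILE_NAME_LEN) for n in names)
    value = (flag + " " + body).ljust(FIELD_LEN)
    if len(value) > FIELD_LEN:
        raise ValueError(f"{len(names)} profiles exceed the {capacity(PROFILE_NAME_LEN)}-profile limit")
    return value


def build_auths(flag: str, pairs: list[tuple[str, str]]) -> str:
    """Constructed AUTHS value; same overflow check as build_profs."""
    body = "".join(o.ljust(AUTH_OBJECT_LEN) + a.ljust(AUTH_NAME_LEN) for o, a in pairs)
    value = (flag + " " + body).ljust(FIELD_LEN)
    if len(value) > FIELD_LEN:
        limit = capacity(AUTH_OBJECT_LEN + AUTH_NAME_LEN)
        raise ValueError(f"{len(pairs)} authorizations exceed the {limit}-entry limit")
    return value


# Constructed sample values (the profile and authorization names are made up)
SAMPLE_PROFS = build_profs("M", ["SAP_ALL", "SAP_NEW", "T-AB12345600"])
SAMPLE_AUTHS = build_auths("C", [("S_TCODE", "T-AB12345600"), ("S_USER_GRP", "T-AB12345601")])

if __name__ == "__main__":
    print("profiles per user :", capacity(PROFILE_NAME_LEN))
    print("auths per profile :", capacity(AUTH_OBJECT_LEN + AUTH_NAME_LEN))
    print(parse_profs(SAMPLE_PROFS))
    print(parse_auths(SAMPLE_AUTHS))
```

Running the script prints 312 and 170, the same figures as the two calculations above; `build_profs` with a 313th name raises, which is the field-length limit showing up at construction time rather than as a silent truncation.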

Profiles per role

A single role may consist of up to 101 profiles holding the authorization data.

Background:
When generating a role, one profile is created for every chunk of 170 authorizations.
Those profiles are "numbered" using a two-character appendix starting with "  " (two spaces), then "1 ", "2 " … "10" …
When the appendix reaches "99", the next increment yields "*0" (asterisk-zero), because the appendix is a character variable, not an integer, and the value 100 does not fit into two characters. After the next 170 authorizations, SAP tries to increment it again, which is impossible, since "*0" is no longer numeric.
Short dump
This leads to a "CONVT_NO_NUMBER" short dump in PFCG and SUPC.
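The numbering scheme above can be replayed in a few lines. The following is an added example, not SAP's code: it emulates the two-character text suffix as a character field, shows the sequence "  ", "1 " … "99", "*0", and fails on the next increment, which is the analogue of the CONVT_NO_NUMBER dump. From the length of that sequence it derives the 101-profile and 17170-authorization ceilings per role that the comments below also arrive at. The exact overflow rendering (first position replaced by "*") is an assumption chosen to reproduce the "*0" reported in the post.

```python
"""Emulating PFCG's two-character profile numbering for a generated role.

Added example; not SAP's code. It replays the behaviour the post describes:
profiles get a two-character text suffix ("  ", "1 ", ... "99"), the overflow
past "99" shows up as "*0", and a further increment fails. The overflow
rendering rule is an assumption that reproduces the reported "*0".
"""

from math import ceil

AUTHS_PER_PROFILE = 170   # from the USR10.AUTHS calculation above
SUFFIX_LEN = 2            # width of the profile-name appendix


def next_suffix(suffix: str) -> str:
    """Increment the text suffix the way a character field would.

    Raises ValueError when the suffix is no longer numeric, which is the
    analogue of the CONVT_NO_NUMBER short dump described in the post."""
    current = 0 if suffix.strip() == "" else int(suffix)   # int("*0") -> ValueError
    text = str(current + 1)
    if len(text) > SUFFIX_LEN:
        # assumption: overflow keeps the low digits and marks the first position with "*"
        text = "*" + text[-(SUFFIX_LEN - 1):]
    return text.ljust(SUFFIX_LEN)


def role_profile_suffixes() -> list[str]:
    """Every suffix a role's generated profiles can carry before the increment fails."""
    suffixes = [" " * SUFFIX_LEN]
    while True:
        try:
            suffixes.append(next_suffix(suffixes[-1]))
        except ValueError:
            return suffixes


def profiles_needed(n_auths: int) -> int:
    """Profiles PFCG creates for a role with n_auths active authorizations."""
    return max(1, ceil(n_auths / AUTHS_PER_PROFILE))


def max_auths_per_role() -> int:
    """Largest number of authorizations that still generates without the dump."""
    return len(role_profile_suffixes()) * AUTHS_PER_PROFILE


def generates_cleanly(n_auths: int) -> bool:
    """True when the role fits into the numbered profiles, False when PFCG would dump."""
    return profiles_needed(n_auths) <= len(role_profile_suffixes())


if __name__ == "__main__":
    seq = role_profile_suffixes()
    print(len(seq), "profiles:", seq[:4], "...", seq[-3:])
    for n in (170, 171, 17170, 17171):
        print(f"{n:>6} authorizations -> {profiles_needed(n)} profiles, ok={generates_cleanly(n)}")
```

The 101 comes from one blank suffix, nine single-digit ones, ninety two-digit ones and the final "*0"; `generates_cleanly` is the check to run before adding authorizations to a very large role, since the failure mode is a dump in PFCG rather than an error message.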

Comments (14)
  1. Hi Daniel,
    totally loved the way you explained the logic behind this.
    One question: Let us suppose there is only one object (suppose S_TCODE) in the role.
    How many transactions can we add in the role (I guess unlimited – as per the explanation – but this is not possible).
    So after adding how many t-codes second profile will be created and why?

    Thanks in advance 🙂

    • Hi Avnish,
      the authorization values for S_TCODE are (among other places) stored in table USR12, field VALS.

      Since the length of this field is limited, new lines are created once the preceding line is “full”. The exact amount of tcodes per line differs depending on their length; in my test 332 tcodes with a length of 10 characters fit into a single USR12-line, but only 608 tcodes with a length of 5 characters (due to an increased overhead).

      Once 99 lines are filled (number 00 … 98), a new line with number 99 would be created – but in this case subroutine CREATE_AUTH in include LSUSBF01 detects an overflow and skips all further actions.
      As a result your profile is not fully generated and PFCG issues an error message like this one:

      At least one authorization for object S_TCODE contains too many values

      Have fun, Daniel

  2. Hi,
    could you please clarify: as far as I know, there can be a maximum of 150 authorizations in a role.

    Thanks

  3. Hello Daniel,
    can you please explain what exactly you mean by maximum number of authorizations per profile is 170?
    It would be great if you could give us some real scenarios 🙂

    Thank you!

    • Hi Tarun,
      an authorization consists of an authorization object and its values; since standalone profiles are (hopefully) not used anymore, you usually add such an authorization to a role. If you add 170 authorizations to a role, the next one will make SAP create a second sub-profile for the role in question – you won’t notice this, since PFCG reserves the last two characters of the profile name to number the profiles of the role (up to 101 – see above). If you go to table AGR_1016, you can see the profiles, which belong to a role – so you can check the stuff above yourself. Simply add 170 authorizations, then compile and check AGR_1016 (→ 1 profile). Then add another auth. and check again (→ 2 profiles).

      Have fun, Daniel

  4. Hello,
    I would like to know how I can calculate the benefits of removing more than 2,000 roles from the production environment (storage, performance, etc.).
    Is there any way to know the size of a role in terms of storage?

    Thanks,
    Hugo Castro

    • Hi Hugo,
      roles are nothing more than entries in a number of AGR_* tables (e.g. AGR_DEFINE); to get a rough(!) idea of the database space a role consumes, you could download it from PFCG to a text file.
      To cut a long story short: it’s not worth the effort!

      Apart from that there is no performance gain, when you delete roles…

      Best regards,
      Daniel

  5. Great information,
    thank you for sharing. 🙂

  6. Hey. Thanks for the incredible piece of information…

    One question (might sound silly) that pops up in my head is that when we talk about the number of authorizations per profile to be 170, then it would also count in deleted authorizations right… cause the entries are still being occupied???

    • Hello VivekRJ09.

      If we’re talking about profiles that belong to roles (the ones in the “Authorizations” tab in PFCG):
      ➡ active authorizations are stored in the profile – no matter whether the values have been partially or fully maintained
      ➡ inactive authorizations are not stored in the profile (i.e. they do not affect the maximum number of 170 authorizations)

      If we’re talking about “standalone” profiles (SU02):
      ➡ all objects in a profile count (no matter whether an authorization exists or values are maintained)

      Regards,
      Daniel

      • Thanks for the response… you are awesome 🙂

        • Great info, Daniel.
          There is some exercise here, but SAP note 410993 says 150 authorizations per profile. However, we do understand that a sequenced profile will be generated when more than 150 or 170 authorizations are added, but how can I find out how many authorizations a role contains, and is there any table which can help?

          • Hello Shanker,
            a role can have up to 101 profiles with 170 authorizations each… so the answer to your question is: a role can consist of up to 17170 authorizations (which should be sufficient in most cases 😉 ).

