SAP Audit Information and Approach

Authorization Example

1. User Master Record

User: Frank W. Lyons

Profile: Example

2. Profile: Example
Object: Authorizations:
S_Program ABAP:

3. Authorization: ABAP: Object: S_Program

Values: Fields:
* Program Group
SUBMIT, VARIANT Activity

1
Authorization System:

1. Profiles One or more assigned to a user

2. Objects Must be unique names with one or more

fields

3. Fields Contain values for authority checking

4. Authorizations Can have the same names as they are

physically and physically linked to an
object

Field group for an object has multiple values and can be shared across
objects

2
Initial Defaults
1. Initial Clients

• Client 000 Standard model

• Client 001 Model for user defined clients. (template)

2. Initial User Ids

• SAP* Default super user. A user master record is created

during installation but it is not needed by SAP* to access the
complete system. If the SAP* master record is deleted, the SAP*
account has the following special privileges:
• It is not subject to authorization checks and therefore has
all authorizations
• It has the password “PASS”, which can not be changed
without creating a new user master record.
• To prevent deletion, assign SAP* user to a group called
SUPER and only super user should be able to maintain user
group SUPER.

3
3. Initial Security Parameters

• Parameters for user logon

• login/min_password/lng
• Minimum password length default is (3)
• login/password_expiration_time
• Number of days after which a password must be
changed. The default is zero, which does not enforce
password changes. Recommended value = 45.
• login/fails_to_session_end
• Number of times a user can enter an incorrect
password before the system ends the login attempt.
The default is (3).
• login/fails_to_user_lock
• Number of times a user can enter an incorrect
password before the system locks the user against
further logon attempts. The default is (12).
Recommend (3). When a password is locked in this
manner, it is automatically unlocked by the system at
the start of the next day (midnight).

4
Adding Users
1. Each user must have a master record.

2. Each user master record refers to one or more profiles that determine
the access rights for the user.

3. Master record contains:

• User ID
• Password
• User groups
• User type
• Period of validity
• references to authorization profiles

Master records can be deleted but it will affect the audit trail. Better to lock
the user’s master record Menu Path: Tools - Administration - User
Maintenance - User - Lock/Unlock.

4. User Group

• If a person is assigned to a user group, only the administrators who

are authorized for that user group can alter user master records. If
a user is not assigned to a group then any user administrator can
alter the user master record.

5
Adding Profiles
Profiles and Authorizations exist in both maintenance and active versions.
Allows for updates to maintenance before it is activated. Separation of
maintenance and activation functions.

1. System Profiles

SAP Standard and Super User

Profiles
S_A.SYSTEM Unlimited access to all users,
profiles, and authorizations
S_A.ADMIN Authorizations for SAP system
administration. This includes all
authorizations except for:
• Maintenance of users in user
group SUPER
• Maintenance of profiles and
authorizations with names
beginning “S_A.”
S_A.CUSTOMIZ Authorizations for use in the SAP
Customizing system
S_A.DEVELOP Authorizations for use in the SAP
Development environment (excludes
any user or profile authorizations)
S_A.USER Basis system authorizations for end-
users (e.g., S_Program,
S_DBC_MONI, etc.

6
2. Startup Profiles

Profile Name Description

S_ABAP_ALL All ABAP/4 authorizations
S_ADMI_ALL All system administration functions
S_BDC_ALL All batch input activities
S_BTCH_ALL All batch processing authorizations
S_DDIC_ALL DDIC: All authorizations
S_DDIC_SU Data Dictionary: All authorizations
S_NUMBER Number range maintenance: All
authorizations
S_SCD0_ALL Change documents: All
authorizations
S_SCRP_ALL All SAPscript text, styles, layout sets
maintenance
S_SPOOL_ALL All spool authorizations
S_SYST_ALL All system authorizations
S_TABU_ALL Standard table maintenance: All
authorizations
S_TSKH_ALL All system administration
authorizations
S_USER_ALL User maintenance: All authorizations
SAP_ALL Provides unlimited access to
maintain all SAP R/3 system
authorizations, with the following
exceptions:
• Maintenance of users in user
group SUPER
• Maintenance of profiles and
authorizations with names
beginning S_USER
SAP_ANWEND All SAP R/3 (excluding system)
application authorizations
SAP_NEW Provides unlimited access to all
authorizations added with new
releases of SAP R/3.
Z_ANWEND All user authorizations (excluding
BC system)

3. Profiles and their associated authorization value sets are stored in

USRxx tables.

7
Adding Authorizations
Authorization objects are used to check a user’s authority to perform actions
and access data in R/3. A user’s action is approved only if the user passes
the authorization test for each field listed in an object.

1. Authorization Objects

• SAP contains a number of authorization objects that are used to

restrict the ability of users to perform certain functions and access
information. Authorization objects can contain up to ten
authorization IDs representing such system elements as
transactions, tables, fields, or programs.
• A user is allowed access if the their master record lists the object
for which the authorization is being tested and the user passes the
authorization test for each authorization ID.
• An authorization value set is required for access 02 = change
• Authorization Profiles are used to grant the authorization value sets
to a user. The user master record refers to profiles and the profiles,
in turn, refer, to value sets that determine the access capabilities of
the user.
• New authorization objects can be created by Menu Path: System -
Services - Table Maintenance. Merely creating a new object does
not initiate any authorization checking. Either ABAPs need to be
modified to test the new objects, or additional authorization checks
need to be defined.
• First assign a object class for the new object.
• Next use AUTHORITY-CHECK for ABAP/4 programs
• Or add additional authorization checks to the TSTC
(transaction table) Menu Path: System - Services - Table
Maintenance.

8
2. Objects

• Objects are defined in the system and contain one or more fields
that are used to test user access.

3. Authorization Value Sets

• Are lists of all values (for each field) for which a user is
authorized.
• Usually used to define tasks
• Profile allocate the tasks (authorization value set) to logical
functions. These profiles are assigned to a physical user (master
record).

9
4. Basis System Authorization Objects

Object Fields Uses

S-PROGRAM Program group Activity ABAP/4 programs that
may be run.
S_EDITOR Program group Activity ABAP/4 programs that
may be displayed or
edited
ABAP/4 Query Activity Whether a user can run
S_QUERY queries and whether the
user can maintain
ABAP/4 Query user
groups
System Administration Administration A variety of system
Functions Functions functions such as:

1. Whether a user may

enter a value
interactively to pass an
authorization test that
he does not have
authorization for in his
user master record
2. Access to the
ABAP/4 Dictionary
3. Access to the
interface painter
4. System trace
authority
5. Ability to add or
delete additional
authorization tests in
the TSTC table
6. Execute host
operating system
commands

Central Field Selection Activity Which ABAP/4

Authorization group programs a user can use
to dynamically alter

10
 attributes of fields
Table Maintenance Authorization class Authorize users to view
Activity and/or modify table
contents
Batch Processing: Administrator Give user administrator
Batch Administrator authorization over
background processing
Batch Processing: Authorized user Specify user Ids that a
Batch User Name user may specify as the
authorization for
running background
jobs
Batch Processing: Operations Job Group Specify the operations
Operations on Batch that users may perform
Jobs on background jobs
(Release, delete, etc.)
Batch Input Queue group name Authorize a user to
Authorizations Activity work with batch input
sessions
Queue Management Queue group name Management of queues
Authorizations Activity for trouble-shooting or
problem analysis
Authorization Check for Administration To authorized users to
SM04, SM50 lock or unlock
transactions and to
manage user sessions
other than their own.
Authorization for Administration Authorization to
Update Administration manage update records
for other users
Enqueue: Activities Authorize users to
Displaying and Deleting maintain lock entries of
Lock Entries other users
Spool: Device Output Device Authorizes users to use
Authorization particular printers
Spool Actions Spool action Value Authorizes an
administrator to
perform specified
actions on the spool
system
Public Holiday and Activity Authorization to display

11
Calendar Access and/or maintain
Privileges calendars
Number Range Activity Authorize users to
Maintenance Number range object maintain number ranges
Change Documents Activity Authorization to
display, maintain,
and/or delete change
documents
Tools Performance Authorization name Authorization to use
Monitor sensitive functions of
the performance
monitor

12
Objects - Authorizations
• S_TOOLS_EX Access to view logon parameters

• S_PROGRAM ABAP program access

Fields Values Comments

P_GROUP * Program group

P_ACTION SUBMIT Execute program
EDIT Maintain program attributes and texts
VARIANT Start and maintain variants
BTCSUBMIT Submit programs for background
execution

• S_EDITOR ABAP program access

Fields Values Comments

P_GROUP * Program group

EDIT_ACTION SHOW Display program source
EDIT Amend program source

• S_BDC_MONI Batch input session

Fields Values Comments

BDCGROUPID * Name of batch session for which a user is

authorized (e.g. “FRANK”)
BDCAKTI ABTC Submit sessions for execution
AONL Run sessions in interactive mode
ANAL Analyze sessions, log and queue
FREE Release sessions
LOCK Lock/unlock sessions
DELE Delete sessions

13
 • S_NUMBER Number range authorization

Fields Values Comments

NROBJ * Number range object name for a vendor

ACTVT 02 Change
03 Display
11 Change the last-used number in a number
range interval
13 Initialize the last-used number when
transporting ranges between clients
17 Maintain number range object (pre 3.0)

• S_SCDO Change document authorization

Fields Values Comments

ACTVT 02 Maintain and display change documents

06 Delete change documents
08 Display change documents
12 Maintain change document objects

14
Processes
1. Batch Number of transactions entered into the system as
a batch. Batch inputs can take place in the
background where no changes can be made or in
the foreground where transactions containing
errors
can be interactively corrected.

• Restricting Access
• The Batch Input object restricts user activities in different batch
input sessions.
• ANAL Analyze sessions. Display session, log, and queue dump
• DELE Delete sessions
• LOCK Lock and unlock sessions
• FREE Release sessions
• ABTC Submit sessions for background execution
• AONL Run sessions in interactive modes

2. On-Line

3. Background Program executes on a background processing

server without interactive user input. To run it
must
be scheduled.

This can be done two ways:

Menu Path: ABAP/4 - System Services - Reporting - Batch Request function

From background processing menu by selecting goto - Batch Request

In either case the user must have a User ID to run the job. Users could be
authorized to run background jobs but not foreground jobs.

Before a background job can run, it must be released. The releasing of jobs
is usually restricted to “Batch Administrators”.

• Restricting Access

15
 • The field Admin in the Batch Admin object is used to give a user
administration authorizations. If this field contains a “Y”, the user
has access to all background jobs in a SAP system and can perform
any operation on any job.
• The field Activity in the S_PROGRAM object determines
activities users are able to perform on an ABAP. A value of
BTCSUBMIT allows a user to schedule the ABAP/4 program for
background execution.
• The Auth user field of the Batch User Name object is used to
restrict user-IDs specified as the authorized user for running a job.
• The Operation field of the Operations on Batch Jobs object is
used to specify the operations that a user can perform on their own
jobs. This is used to restrict users from deleting or releasing jobs.

4. Services

Can run on different servers.

• Dialog
• Update
• Enqueue
• Background
• Message Server
• CPI-C Gateway Server
• Spool

5. Work Processes

• TSKH Task Handler

• DYNP Screen Processor
• ABAP Program Processor
• DB-SS Database interface that converts ABAP/4 SQL into
DBMS SQL.

16
Transactions
SAP transactions allow different functions to be performed within R/3.
Menu selection also generates transactions. To see which transaction is
currently executing select Menu Path: System - Status.

System transactions are applicable to the basis system and application

transactions are specific to a certain module.

Transactions can be locked and unlocked using Menu Path: Administration -

Tcode Administration. When a transaction is locked, users can not execute
that transaction. To perform this function, a user requires the authorization
object Authorization check for SM04, SM05 with a value of S in the
Admin field.

1. Controlled by DYNP processor

• Checks whether additional authorization checks are required to run

the transaction (in TSTC Table).
• Interprets the Dynpros, which involves creating the screens and
applying the logic defined in the dynpro (field checks, etc.).

2. All transactions are listed in the TSTC Table. This table includes:

• An indicator that the transaction has been locked or is available to

be used. The ability to lock and unlock transactions is controlled
using authorization object Authorization Check for SM04, SM50.
• Additional authorization checks to be performed. Only users with
the value TCOD in the field, Admin Functions in object,
System Admin Functions have the ability to add, alter, or
delete these additional authorization tests.
• If a transaction is not marked as requiring authorization checks
then any user can run the transaction.

17
Transaction types:

• SU93 and SU91 Displays changes master records and

profiles
• SE30 Trace function
• SU53 Authorization check failures
• SU02 Activation of profiles
• SU03 Activation of authorizations
• SU0 Assignment of user ID
• SU01 Assignment of users to profiles and alter the
password of any user
• SU10 Assignment of profiles for a range of users
• SU12 Delete all users
• TU02 View logon parameters
• SM52 Unix command line prompt
• SU21 Grouping of objects into object classes
(example is Basis Administration,
Financial Accounting)

18
Tables
SAP is characterized by the use of thousands of application and control
tables. The setup of the control tables, to a large extent, determines in which
way a SAP installation functions.

Logical views provided by the ABAP/4 Dictionary of all data (control data,
master data, and transaction data) stored in SAP system.

All control tables start with the letter “T”.

Control tables can be displayed and maintained on-line. Menu Path: System
- Services - Table Maintenance. In order to restrict tables a number of table
authorization classes should be defined. All standard tables have been
assigned to authorization classes. Authorization object, Table
Maintenance is used to maintain the tables in each authorization class.
Two levels of access are allowed value = 02 (add, change, or delete) and 03
(display only).

To modify a table structure Menu Path: Tools - CASE - Development - Data

Dictionary - Maintenance.

Logging of changes can be accomplished by using change document objects

to specify which tables are logged and the level of logging performed on
each table.

19
1. TSTC Transactions

2. MAC Matchcodes

3. T001 Details about a company

4. T001B Defines accounting periods for company T001.

5. USRxx Profiles

6. TUSR04 Authorization Profiles

7. TUSR01 User master record

8. TUSR02 User ID and password

9. TUSR03 Extended information about the user.

10. TUSR05 Field defaults for each R/3 user and field.

11. TOBJ Pre-defined authorization objects and fields

12. TOBJT Descriptive text of the authorization objects.

13. TUSR10 Authorization Profiles and Descriptions

and
TUSR11

14. T055 Field group fields

15. T055G Field groups

16. T055T Field Group descriptions

17. AUTH Internal table - Financial objects

18. TACT Activity codes

19. TACTT Activity codes descriptions

20
20. TACTZ Valid activity codes for each authorization object

21. USR40 Custom password checks

22. TDDAT Defines the link between tables and their authorization
classes

23. T000 SAP Clients

24. T001 SAP companies

25. TGSB Business Areas and Plants

21
Logs
Errors and important events are logged in the system logs. These logs
should be reviewed daily.

The servers in an SAP system record events and problems in a set of local
and central system logs. These logs may be displayed and maintained on-
line from the Menu Path: Tools - Administration - Monitoring - System log.

Local logs keep only messages issued by the local application server. Each
application server has a local log file.

System logs are configured by setting parameters in the system profile.

Transaction SU93 and SU91 display changes made to a user’s master record
or profiles.

Logging of Changes to Authorizations:

• All changes to user master records, profiles, and authorization

value sets. For example, user master records will display added or
deleted from the list in the user master records. It will not display
modified profiles rather, the log of changes to profiles could be
used to identified changed profiles.
• Changes to a user’s password, user type, user group, period of
validity, and account number.
• For each item in the log, the system reports both the old and new
version of any lines that have changed. This log is a valuable
control over unauthorized changes to users’ access capabilities and
needs to be reviewed daily.

22
Reports for Auditing Security

• Menu Path: Information - Current Information

• Displays detailed information on user master records,

authorization profiles, authorization objects, and
authorization value sets. With this facility, it is possible to
display all user master records and/or profiles that contain a
specific object.
Modules
SAP application modules.

1. BC SAP Basis module

2. Logistics: SD, MM, PP, QM, PM

3. Human Resources: HR

4. Financial and Administration: FI, CO, AM, PS, OC

Change Management

Backup and Recovery

Daily backups are necessary to ensure the recoverability of data, in the event
of a disaster.

SAP includes SAPDBA program that is used to perform database

administration tasks.

SAP can be backed up on-line.

Redo logs (Oracle) should also be archived daily.

Security Administration

23
Users who are able to change user master records, profiles and/or
authorization value sets need to be tightly controlled. The system provides a
number of standard authorization objects that can be used.

• User Groups S_USER_GRP

Fields Values
User group Names of the user groups for
which an administrator is
authorized.

Administrator 01: Create user master records

actions add profiles to new or
existing records
02: Edit
03: Display
05: Lock or unlock user
06: Delete a user master record
08: Display user change records

24
• Authorization Profile S_USER_PRO

Fields Values
Profile name The profile names for
which an administrator is
authorized.

Administrator 01: Create profiles and enter

actions authorizations into them

02: Edit
03: Display
06: Delete a profile
08: Display change records
22: Add profiles to user master
record
• Authorizations Value Sets S_USER_AUT

Fields Values
Object name The names of the authorization
objects for which an
administrator is authorized.

Authorization The names of the authorization

name value sets for which an
administrator is authorized

Administrator 01: Create authorization value

actions set
02: Edit
03: Display
06: Delete
07: Activate
08: Display change records
22: Enter authorizations into a
profile

• Table Maintenance S_TABU_DIS

25
 Fields Values

DICBERCLS Table classes for which a user

access is authorized

ACTVT Activity code

• Table Maintenance Across Clients S_TABU_CLI

Fields Values

CLIDMAINT Access indicator

Object S_USER_GRP

• Determines which user groups can be administered and

consequently all users who are assigned to those groups.

26
Object S_ADMI_FCD

• “Systems Administration Functions” provides powerful systems

administration functions, including the following (field = “Systems
Administration Functions”):
• NADM - Network Administration (SM54, 55,
59)
• UADM - Update Administration (SM13)
• T000 - Create New Client
• TLCK - Lock/Unlock Transactions
• SPAD- Authorization for spool administration in all
clients
• SPAR- Authorization for client-dependent spool
administration
• SP01 - Authorization for administration of spool
requests in spool output control (all users
and clients)
• SPOR- Spool administration
• BTCH - Test environment, batch
• UNIX- Execute UNIX commands from
SAPMSOS0
• RSET - Reset/delete data without archiving
• SYNC - Reset buffers

27
ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application
data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives
R/3 the functionality to control the environment.

1. Each field in the ABAP/4 Dictionary is described by a domain. When

any input is not valid in terms of the domain, it will not be accepted
and the user will have to correct the entry in the DYNPRO screen
before continuing. The ABAP/4 Dictionary provides the following
domain checks:

• The format of the field must match the definition in the ABAP/4
Dictionary (character, numeric, date, etc.)
• A number of discrete values may be contained in the domain that
are valid for the field.
• A table can be specified that contains all the values allowed for a
particular field. If a table is specified, there must be procedures for
ensuring that the table’s contents are kept up-to-date.

• Restricting Access
• Controlled by the authorization object System Admin
Functions. Only users with the value = DDIC in the Admin
Function fields can make changes to the ABAP/4 Dictionary or use
the database table utility.
• It is not possible to further restrict access to alterable tables.
• Changes are logged by the system and can be queried using the
ABAP/4 Dictionary Information System Menu Path: Development
- ABAP/4 Dictionary - Info System
• Dictionary changes should be reviewed daily.

28
ABAP/4 Programming
ABAP/4 is the fourth generation interpretative language in which all R/3
applications are written. The Basis System is written in C.

ABAP/4 is a comprehensive programming language. ABAP statements can

be written that will read and update data, create new records, etc. ABAP
also can contain SQL statements allowing almost unrestricted access to the
database.

ABAP/4 must be tightly controlled. No ABAP statement changes should be

allowed in the production system’s environment.

1. Location

• On Application Server

• Restricting Access

Each ABAP needs to be assigned to an authorization group in the report

attributes set when creating an ABAP report. Any ABAP that has not
been assigned to an authorization group may be run by any user with
authorization for object S_PROGRAM.

29
ABAP that have been assigned to a program group can only be run by users
who are authorized to that program group using object S_PROGRAM.
This object further restricts the manner in which a user is able to run an
ABAP.

• SUBMIT The user may start programs interactively

• BTCSUBMIT The user may submit programs for execution in the
background partition.
• EDIT The user can maintain attributes and text elements
and use utilities for copying and deleting reports (
This does not allow the user to edit ABAP/4
programs).
• VARIANT The user may maintain variants. Variants are
parameters that are passed to an ABAP program.

In the standard system, none of the ABAPs are assigned to authorization

groups. Therefore any user that can run transaction SA38 (or SE38 to
develop ABAP/4 programs), can run any of the standard ABAPs. It is
recommended that all ABAPs be placed in authorization classes and that
users should only have authorization for authorization classes (ABAPs) that
are required for their job functions. No matter what, the database interface
checks are still in play for all ABAPs and the user will not be able to act on
data for which they have no authority.

• ABAPs may be developed on-line using the SAP ABAP editor.

The ABAP programs can be assigned to authorization groups. The
S_EDITOR authorization object is used to restrict authorization
groups a user is able to edit. Any user with S_EDITOR
authorization object is able to edit any ABAP program that has not
been assigned to an authorization group.

No users should have S_EDITOR. Otherwise they may write a

dynamic SQL that allows complete access to all client’s data.

ABAP/4 Query

30
ABAP/4 Query is the report writing software that allows users to generate
reports quickly and easily without programming knowledge. It generates an
ABAP program. Users cannot access any information to which the user
would otherwise not have access.

• Restricting Access
• Must be assigned to a user group before they can be run
• User group contains the functional areas and the names of all
people authorized to run queries.
• Ensure that procedures are in effect to update the user groups when
job assignments change.
• Any user can run any queries defined for a user group of which
he/she is a member, regardless of who wrote the query.
• In order to create or maintain ABAP/4 Queries, a user must be a
member of one or more user groups and have a value = 02
(change) in the activity field of the ABAP/4 Query authorization
object.
• In order to maintain the ABAP/4 Query user groups, a user needs
the value = 23 (Maintain Environment) in the activity field of the
ABAP/4 Query authorization object. This should be restricted to
administrators.

31
Operating Systems
1. Unix

• Start-Up Profiles are stored in /usr/sap<SAP System

Name>/sys/profile

2. NT

Database Management Systems

1. Oracle

Dynpros Screen Generator

Dynpros are the input screens used when processing SAP transactions. They
include details of the processing logic to be performed on the fields.

1. Dynpros can be developed on-line using the standard SAP Dynpro

Screen Painter Menu Path: Tools - Case - Development - Screen
Painter.

2. Controls need to be in place to ensure that changes to Dynpros are

authorized, tested, and approved.

32
Number Ranges
SAP provides an “internal” and “external” numbering mechanism

1. Internal numbers are sequential codes given by the system for

documents, article numbers, personnel numbers, etc.

2. Both internal and external numbers are stored in a file SYSV.

Matchcodes
These are secondary indexes to enable users to find specific records when
the primary key is unknown.

1. Stored in Table MAC

2. Table MAC can be edited on-line using transaction SM31 and

accessible through the Menu Path: System - Services - Table
Maintenance.

33
Weaknesses
1. In the standard system, none of the ABAPs are assigned to
authorization groups.

2. Do not use native SQL calls in ABAPs as they will bypass the
dictionary consistency checks. Use open SQL statements.

Unlike normal ABAP statements, native SQL and open SQL do not
trigger any authorization checks at run time. But using ABAPs with
AUTHORITY-CHECK statement, the users authority can be checked
at run time for specified objects.

3. SAP* is the default user ID and it has unlimited access capabilities. It

should only be given to the system administrators (SUPERUSER).

4. Default system profiles may provide too much authority.

5. Default logon Ids

• SAP* password = 06071992

• SAP* password = PASS
• DDIC password = 19920706
• Oracle
• Sys password = change_on_install
• System password = manager
• Sapr3 password = sapr3
• SAP/R3 application ID
• SAPDBA
• Front-end to SQL*DBA
• Can perform all DBA functions within SAP
• Authentication is completed in UNIX

34
6. Ad-hoc Queries

• SQL*Plus
• ODBC

7. Oracle Tables

• User02 Table contains all SAP user IDs and passwords

35
Standard Reports
RSAVGL00 Table comparison across clients
RSDECOMP Comparing tables across two systems
RSDELSAP Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00 Tables comparison: system versus sequential file
RSTABL00 As for RSKEYS00
RSSTAT92 Table changes for a selected month
RSSTAT95 Table access statistics
RSPARAM Display system parameters settings
RSUSER01 Test SAP_ALL
RSUSR000 List all active users

36
Financial
Authorization Objects

Master Data
- GL
- Customer
- Vendor
- Bank
Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs

Example:

Object = Company Codes

Fields Values

Company codes 01 Create

02 Change
03 Display
05 Block/Unblock
06 Delete
08 Display change documents

37