SAP S/4 HANA & HANA DB

SAP S/4 HANA Data Extraction Guide

Share this with your Basis team or SAP administrator before starting an assessment. All extractions require read-only access — no changes are made to the system. Includes Release 5 programme packs: 25 AML / Wolfsberg controls + 50 cross-system SoD rules + (SAP-only) 30 SAP-GRC-parity fraud patterns.

25Export Files

15Required

520+Checks + R5 rules

9Domains

Back to Dashboard

Quick start

Recommended extraction path

Use the V/ergent extractor first. It writes CSVs to a timestamped folder under C:\Vergent\Export, then you upload that folder into the audit project.

Get extractor

1. Confirm accessUse the read-only role/API scopes listed below.

2. Download with codePaid/active users receive an email code before download.

3. Run locallyPowerShell writes CSV output; V/ergent does not receive credentials.

4. Upload and auditUpload CSVs, confirm file match, then run the audit.

Manual path if automated extraction is blocked

Use the required-file list below as the manual checklist. Keep filenames unchanged, leave unavailable files empty with only headers, and record any missing source in the upload notes before running the audit.

Prerequisites & Access Requirements

Before extraction begins, confirm the following access levels are available. Read-only access is sufficient throughout.

SAP Basis Administrator

Required for ABAP system transactions (SE16, SUIM, SM59, SCC4, etc.). A dialog user with S_TCODE authorization for the relevant transactions and read access to the tables below is sufficient. No write access is needed.

HANA Studio / Cockpit Access

Required for HANA database-level extractions (hana_users, hana_granted_roles, hana_audit_policies, hana_encryption, hana_password_policy). A HANA DB user with CATALOG READ or DATA ADMIN privilege on system views is sufficient.

SAP BTP Cockpit Access

Required for BTP and Integration Suite exports (btp_roles, btp_trust_config, btp_iflows, btp_api_proxies). A BTP subaccount administrator or security administrator role is required. Alternatively, a BTP CLI user with viewer permissions.

Read-only throughout. All procedures in this guide are extraction-only. No system settings are modified, no data is written, and no configuration changes are made. The SE16 / SE16N table browser and report RSPFPAR are used in display mode only.

Production system caution. Where possible, extract from a copy of the production system or during off-peak hours. Large SE16 extracts on active tables (USR02, AGR_USERS, AGR_1251) may cause brief performance spikes on undersized systems. Set appropriate maximum row limits (see Tips section).

Minimum Required Files vs. Optional Files

Required files must be present for a complete assessment. Optional files enhance coverage but are not blocking.

File

Purpose

Status

Domain

hana_users.csvHANA DB user accounts & lockout stateRequiredHANA DB

hana_granted_roles.csvHANA role assignments per user/granteeRequiredHANA DB

hana_audit_policies.csvHANA audit policy configurationRequiredHANA DB

hana_encryption.csvVolume & data encryption statusRequiredHANA DB

hana_password_policy.csvHANA password policy parametersRequiredHANA DB

role_auth_objects.csvAuthorization objects assigned to rolesRequiredABAP Auth

user_role_matrix.csvUser-to-role assignment mappingRequiredABAP Auth

critical_users.csvUser master data (USR02)RequiredABAP Auth

profile_parameters.csvSAP instance profile parametersRequiredBasis

rfc_connections.csvRFC destination inventoryRequiredRFC

audit_log_config.csvSecurity audit log filter configurationRequiredAudit

client_settings.csvClient configuration (SCC4)RequiredBasis

user_details.csvExtended user master (email, dept, etc.)RequiredUser Lifecycle

background_jobs.csvBackground job definitions & run-as usersRequiredJobs

software_components.csvSupport package levels per componentRequiredPatching

odata_services.csvActive OData/Gateway servicesOptionalFiori

icf_services.csvActive ICF HTTP servicesOptionalFiori

transport_requests.csvTransport request historyOptionalChange Mgmt

btp_roles.csvBTP role collection assignmentsIf BTP usedBTP

btp_trust_config.csvBTP identity provider configurationIf BTP usedBTP

btp_iflows.csvIntegration Suite iFlow listIf Int. SuiteBTP

btp_api_proxies.csvAPI Management proxy listIf API MgmtBTP

installed_notes.csvApplied SAP Security NotesOptionalPatching

eam_log.csvEmergency access / firefighter logIf GRC usedEAM

payment_runs.csvF110 payment run logOptionalFinance

Detailed extraction steps require sign-in

The full extraction guide — including SQL queries, transaction codes, PowerShell scripts, and the complete file/table reference — is available to V/ergent customers. The overview above tells you what's involved; sign in to access the operational detail.

Already a customer? Sign in here.

Ready to start your assessment?

Upload your extracted files to V/ergent and receive a full S/4 HANA security assessment report.

Go to Dashboard

What V/ergent ships for SAP S/4 HANA (Release 5)

Native coverage: 194 SoD rules in the unified S/4HANA conflict matrix + 30 SAP fraud-pattern rules (FRAUD-001..030).

Plus the three Release 5 programme packs that run alongside this platform's audit:

AML / Wolfsberg Programme Controls — 25 controls spanning sanctions-list cadence, PEP / KYC review, CTR / SAR filing, structuring detection, transaction-monitoring tuning. Wired into all 7 ERP connectors (skips on cloud-only audits). Guide.
Cross-System SoD — 50 multi-ERP conflict patterns spanning SAP × Oracle × D365 × NetSuite × Sage × AWS × Azure. Detects fraud paths a single-system review will never see. Guide.
SAP Fraud Patterns — 30 SAP-GRC-parity patterns (STAD audit-log delete, debugger replace in PROD, Z* shadow SAP_ALL, dormant SAP_ALL, posting-period unlock + GL post, etc.). Guide.

Every finding carries citations across 13 frameworks (COSO 2013, COBIT 2019, NIST CSF 2.0, ISO 27001:2022, CIS v8, SOX ITGC, SOC 2 TSC, PCI DSS v4, HIPAA, DORA, NIS2, GDPR, Kenya DPA) — 11 of 13 at ≥75% mapped coverage. See the Check Packs page for per-pack framework coverage badges.