SAP S/4 HANA & HANA DB

SAP S/4 HANA Data Extraction Guide

Share this with your Basis team or SAP administrator before starting an assessment. All extractions require read-only access — no changes are made to the system.

25 export files (15 required, 10 optional) across 9 domains

Prerequisites & Access Requirements

Before extraction begins, confirm the following access levels are available. Read-only access is sufficient throughout.

SAP Basis Administrator

Required for ABAP system transactions (SE16, SUIM, SM59, SCC4, etc.). A dialog user with S_TCODE authorization for the relevant transactions and read access to the tables below is sufficient. No write access is needed.

HANA Studio / Cockpit Access

Required for HANA database-level extractions (hana_users, hana_granted_roles, hana_audit_policies, hana_encryption, hana_password_policy). A HANA DB user with CATALOG READ or DATA ADMIN privilege on system views is sufficient.

SAP BTP Cockpit Access

Required for BTP and Integration Suite exports (btp_roles, btp_trust_config, btp_iflows, btp_api_proxies). A BTP subaccount administrator or security administrator role is required. Alternatively, a BTP CLI user with viewer permissions.

Read-only throughout. All procedures in this guide are extraction-only. No system settings are modified, no data is written, and no configuration changes are made. The SE16 / SE16N table browser and report RSPFPAR are used in display mode only.
Production system caution. Where possible, extract from a copy of the production system or during off-peak hours. Large SE16 extracts on active tables (USR02, AGR_USERS, AGR_1251) may cause brief performance spikes on undersized systems. Set appropriate maximum row limits (see Tips section).

Minimum Required Files vs. Optional Files

Required files must be present for a complete assessment. Optional files enhance coverage but are not blocking.

File | Purpose | Status | Domain
hana_users.csv | HANA DB user accounts & lockout state | Required | HANA DB
hana_granted_roles.csv | HANA role assignments per user/grantee | Required | HANA DB
hana_audit_policies.csv | HANA audit policy configuration | Required | HANA DB
hana_encryption.csv | Volume & data encryption status | Required | HANA DB
hana_password_policy.csv | HANA password policy parameters | Required | HANA DB
role_auth_objects.csv | Authorization objects assigned to roles | Required | ABAP Auth
user_role_matrix.csv | User-to-role assignment mapping | Required | ABAP Auth
critical_users.csv | User master data (USR02) | Required | ABAP Auth
profile_parameters.csv | SAP instance profile parameters | Required | Basis
rfc_connections.csv | RFC destination inventory | Required | RFC
audit_log_config.csv | Security audit log filter configuration | Required | Audit
client_settings.csv | Client configuration (SCC4) | Required | Basis
user_details.csv | Extended user master (email, dept, etc.) | Required | User Lifecycle
background_jobs.csv | Background job definitions & run-as users | Required | Jobs
software_components.csv | Support package levels per component | Required | Patching
odata_services.csv | Active OData/Gateway services | Optional | Fiori
icf_services.csv | Active ICF HTTP services | Optional | Fiori
transport_requests.csv | Transport request history | Optional | Change Mgmt
btp_roles.csv | BTP role collection assignments | If BTP used | BTP
btp_trust_config.csv | BTP identity provider configuration | If BTP used | BTP
btp_iflows.csv | Integration Suite iFlow list | If Int. Suite | BTP
btp_api_proxies.csv | API Management proxy list | If API Mgmt | BTP
installed_notes.csv | Applied SAP Security Notes | Optional | Patching
eam_log.csv | Emergency access / firefighter log | If GRC used | EAM
payment_runs.csv | F110 payment run log | Optional | Finance

HANA Database (5 files)

Run these SQL queries in SAP HANA Studio, HANA Cockpit Database Explorer, or any JDBC/ODBC client connected to the HANA system database. The executing user must have SELECT on SYS schema views.

hana_users.csv
HANA database user accounts — logon state, password status, lockout
Required
SQL Query
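-- SYS.USERS names these columns INVALID_CONNECT_ATTEMPTS, VALID_FROM and VALID_UNTIL; the aliases produce the expected CSV headers
SELECT USER_NAME, USER_DEACTIVATED, PASSWORD_CHANGE_NEEDED, LAST_SUCCESSFUL_CONNECT, INVALID_CONNECT_ATTEMPTS AS FAILED_LOGON_ATTEMPTS, VALID_FROM AS USER_VALID_FROM, VALID_UNTIL AS USER_VALID_UNTIL, CREATOR FROM SYS.USERS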
Alternative Methods
  • HANA Cockpit: navigate to Security → User Management → select all users → Export as CSV
  • HANA Studio: Systems → [System] → Security → Users → right-click → Export
Expected Columns
USER_NAME, USER_DEACTIVATED, PASSWORD_CHANGE_NEEDED, LAST_SUCCESSFUL_CONNECT, FAILED_LOGON_ATTEMPTS, USER_VALID_FROM, USER_VALID_UNTIL, CREATOR
hana_granted_roles.csv
HANA role grants — which roles are assigned to which users or roles
Required
SQL Query
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE FROM SYS.GRANTED_ROLES
Notes
GRANTEE_TYPE will be USER or ROLE. Filter to USER grantees for direct user assignments. Include role-to-role grants for privilege escalation analysis.
Expected Columns
GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE
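
An added example (not part of the original guide and not AuditCore code) of the role-to-role analysis mentioned in the notes above: it expands GRANTEE_TYPE = ROLE rows transitively and lists users who reach a given role only through nesting. The sample rows, user names and role names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the hana_granted_roles.csv layout (not real data).
SAMPLE_CSV = """GRANTEE,GRANTEE_TYPE,ROLE_NAME,GRANTOR,IS_GRANTABLE
ALICE,USER,APP_SUPPORT,SYSTEM,FALSE
BOB,USER,REPORTING,SYSTEM,FALSE
APP_SUPPORT,ROLE,OPS_BASE,SYSTEM,FALSE
OPS_BASE,ROLE,DB_ADMIN_FULL,SYSTEM,TRUE
OPS_BASE,ROLE,APP_SUPPORT,SYSTEM,FALSE
CAROL,USER,DB_ADMIN_FULL,SYSTEM,FALSE
"""


def load_grants(text):
    """Split the export into direct user grants and role-to-role grants."""
    user_roles = defaultdict(set)
    role_roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        grantee = row["GRANTEE"].strip()
        role = row["ROLE_NAME"].strip()
        gtype = row["GRANTEE_TYPE"].strip().upper()
        if gtype == "USER":
            user_roles[grantee].add(role)
        elif gtype == "ROLE":
            role_roles[grantee].add(role)
    return user_roles, role_roles


def effective_roles(direct, role_roles):
    """Return every role reachable from the directly granted roles.

    Iterative traversal with a visited set, so an export containing a
    cycle (A -> B -> A) terminates instead of looping forever.
    """
    seen = set()
    stack = list(direct)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(role_roles.get(role, ()))
    return seen


def indirect_holders(text, sensitive_role):
    """Users who hold sensitive_role only through nested roles."""
    user_roles, role_roles = load_grants(text)
    findings = {}
    for user, direct in sorted(user_roles.items()):
        if sensitive_role in direct:
            continue  # already visible in a flat, USER-only review
        if sensitive_role in effective_roles(direct, role_roles):
            findings[user] = sorted(direct)
    return findings


if __name__ == "__main__":
    for user, via in indirect_holders(SAMPLE_CSV, "DB_ADMIN_FULL").items():
        print(f"{user} reaches DB_ADMIN_FULL indirectly via {via}")
```
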
hana_audit_policies.csv
HANA audit policy configuration — active events, targets, trail types
Required
SQL Query
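-- SYS.AUDIT_POLICIES names these columns AUDIT_POLICY_NAME, OBJECT_NAME, OBJECT_TYPE and TRAIL_TYPE; the aliases produce the expected CSV headers
SELECT AUDIT_POLICY_NAME AS POLICY_NAME, EVENT_STATUS, EVENT_ACTION, OBJECT_NAME AS TARGET_OBJECT_NAME, OBJECT_TYPE AS TARGET_OBJECT_TYPE, TRAIL_TYPE AS AUDIT_TRAIL_TYPE FROM SYS.AUDIT_POLICIES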
Alternative Methods
  • HANA Cockpit: navigate to Security → Audit Policy → Export
  • HANA Studio: Systems → [System] → Security → Audit Policies → Export list
Expected Columns
POLICY_NAME, EVENT_STATUS, EVENT_ACTION, TARGET_OBJECT_NAME, TARGET_OBJECT_TYPE, AUDIT_TRAIL_TYPE
hana_encryption.csv
HANA volume and data encryption status
Required
SQL Query — Volume Encryption
SELECT VOLUME_ID, ENCRYPTION_ACTIVE, FILE_TYPE FROM SYS.M_VOLUME_ENCRYPTION_STATUS
SQL Query — Encryption Overview
SELECT * FROM SYS.M_ENCRYPTION_OVERVIEW
Expected Columns
VOLUME_ID, ENCRYPTION_ACTIVE, FILE_TYPE, COMPONENT
hana_password_policy.csv
HANA password policy — complexity, expiry, lockout thresholds
Required
SQL Query
SELECT PROPERTY, VALUE FROM SYS.M_PASSWORD_POLICY
Notes
This returns a simple PROPERTY / VALUE pair table. Key properties to confirm: maximum_password_lifetime, minimal_password_length, maximum_invalid_connect_attempts, password_lock_time.
Expected Columns
PROPERTY, VALUE

Fiori / OData & ICF Services (2 files)

Covers SAP Gateway OData services and active ICF HTTP endpoints. Both are critical for internet-facing attack surface assessment.

odata_services.csv
Active OData / SAP Gateway services and their authentication settings
Optional
Transaction
/IWFND/MAINT_SERVICE, SE16 → /IWFND/I_SRV_MONI
Step-by-Step Instructions
  • Log on to the SAP Gateway Hub system (or the embedded gateway if using a single-system landscape)
  • Enter transaction /IWFND/MAINT_SERVICE in the command field and press Enter
  • The Service Catalog is displayed. Choose Filter → set Active = X to show only active services
  • Go to List → Export → Spreadsheet to download the active service list as CSV/XLSX
  • Alternatively: run SE16 → enter table /IWFND/I_SRV_MONI → set field ACTIVE = X → Execute → Export → Spreadsheet
Expected Columns
SERVICE_NAME, SERVICE_VERSION, NAMESPACE, IS_ACTIVE, REQUIRES_AUTH, CREATED_BY, CREATED_DATE
icf_services.csv
Active ICF (Internet Communication Framework) HTTP services
Optional
Transaction
SICF, SE16 → ICFSERVLOC
Step-by-Step Instructions
  • Enter transaction SICF and press Enter
  • Choose Execute to display the ICF service tree
  • From the menu go to List → Display Active Services to filter to activated services only
  • Use List → Download to save the list locally as a spreadsheet
  • Alternative via SE16: open table ICFSERVLOC, set ICFACTIVE = X, set max rows to 50,000, Execute → Export → Spreadsheet
Expected Columns
SERVICE_PATH, ACTIVE, AUTH_REQUIRED, HANDLER_CLASS, LOGON_PROCEDURE, CREATED_BY, LAST_CHANGED

ABAP Authorization & User Management (3 files)

Core identity and access data extracted from ABAP user management tables. These three files power SoD analysis, privilege review, and user lifecycle checks.

role_auth_objects.csv
Authorization objects and field values contained in each role
Required
Transaction
SUIM, SE16 → AGR_1251
Step-by-Step (Recommended — SE16)
  • Enter transaction SE16 and press Enter
  • Enter table name AGR_1251 and press Enter
  • Leave all selection fields blank, set Maximum number of hits to 500000
  • Press Execute (F8)
  • In the ALV result, go to System → List → Save → Local file → select Spreadsheet → confirm path and save
Expected Columns
ROLE_NAME, AUTH_OBJECT, FIELD_NAME, LOW_VALUE, HIGH_VALUE, ACTIVE
user_role_matrix.csv
User-to-role assignment matrix with validity dates
Required
Transaction
SUIM, SE16 → AGR_USERS
Step-by-Step (Recommended — SE16)
  • Enter transaction SE16 → enter table AGR_USERS → press Enter
  • Leave selection fields blank, set maximum hits to 500000
  • Press Execute (F8)
  • Go to System → List → Save → Local file → Spreadsheet → save
  • Alternative via SUIM: SUIM → Roles → By Users (Complex) → leave user field blank → Execute → Export
Expected Columns
USERNAME, ROLE_NAME, PROFILE_NAME, VALID_FROM, VALID_TO, USER_TYPE
critical_users.csv
User master data — lock status, logon history, user type (USR02)
Required
Transaction
SE16 → USR02, SU01 Info System
Step-by-Step
  • Enter transaction SE16 → enter table USR02 → press Enter
  • Set Maximum number of hits to 50000 (adjust if user count exceeds this)
  • Press Execute (F8) — do not filter by client if extracting all clients
  • Go to System → List → Save → Local file → Spreadsheet → save
Expected Columns
USERNAME, USER_TYPE, VALID_FROM, VALID_TO, LOCKED, PASSWORD_HASH, LAST_LOGON, FAILED_LOGONS, CLIENT, USER_GROUP, CREATED_BY

BTP & Integration Suite (4 files)

Extracted from SAP Business Technology Platform Cockpit. Required only if the organisation uses BTP services including Integration Suite or API Management.

btp_roles.csv
BTP role collection assignments per user and subaccount
If BTP
Source
BTP Cockpit, btp CLI
Step-by-Step
  • Log on to cockpit.btp.cloud.sap and navigate to your Global Account → Subaccount
  • Go to Security → Role Collections
  • Click each Role Collection → view Users → export using the Download button, or take a full export from the Role Collections overview
  • Alternative (BTP CLI): btp list security/role-collection --subaccount [ID] --output json then convert to CSV
Expected Columns
USER_EMAIL, ROLE_COLLECTION, SUBACCOUNT, CREATED_DATE, ASSIGNED_BY
btp_trust_config.csv
BTP identity provider trust configurations per subaccount
If BTP
Source
BTP Cockpit → Security → Trust Configuration
Step-by-Step
  • In BTP Cockpit, navigate to Subaccount → Security → Trust Configuration
  • The list shows all configured identity providers (default SAP ID Service and any custom IdPs)
  • Use the Export or screenshot-and-compile approach — note IDP name, type, status, and whether it is the default IdP
Expected Columns
IDP_NAME, IDP_TYPE, STATUS, DEFAULT_IDP, CREATED_DATE
btp_iflows.csv
Integration Suite iFlow list — deployed integration scenarios
If Int. Suite
Source
Integration Suite → Design, OData API
Step-by-Step
  • Open SAP Integration Suite from BTP Cockpit subscriptions
  • Go to Design → Integrations — this shows all packages and iFlows
  • Export the package list using the Download icon on each package, or use the Integration Suite OData API: GET /api/v1/IntegrationPackages
  • Note the authentication type (OAuth, Basic, Certificate) for each deployed iFlow
Expected Columns
IFLOW_NAME, PACKAGE, STATUS, AUTH_TYPE, CREATED_BY, LAST_MODIFIED
btp_api_proxies.csv
API Management proxy definitions — target URLs, auth, rate limiting
If API Mgmt
Source
BTP Cockpit → API Management → APIs
Step-by-Step
  • Open API Management from the BTP Cockpit subscriptions (or the API Portal URL)
  • Navigate to APIs — all deployed proxies are listed
  • Use the Export option or manually note each proxy: name, target URL, authentication type, whether rate limiting is enabled, and status
Expected Columns
PROXY_NAME, TARGET_URL, AUTH_TYPE, RATE_LIMIT_ENABLED, CREATED_BY, STATUS

Basis & System Configuration (2 files)

System-level configuration including profile parameters and client settings — foundational controls reviewed in every SAP security assessment.

profile_parameters.csv
Active SAP instance profile parameter values
Required
Transaction
SA38 → RSPFPAR, RZ11, SE16 → PAHI
Step-by-Step (Recommended)
  • Enter transaction SA38, enter report name RSPFPAR, and press Execute (F8)
  • Leave the parameter name field blank to retrieve all parameters
  • From the ALV results, go to System → List → Save → Local file → select Spreadsheet → save
  • Alternative (table export): SE16 → table PAHI → set max rows 1000 → Execute → Export → Spreadsheet
Expected Columns
PARAMETER_NAME, PARAMETER_VALUE, INSTANCE, LAYER
client_settings.csv
Client configuration — change options, CATT, production lock (SCC4)
Required
Transaction
SCC4
Step-by-Step
  • Enter transaction SCC4 and press Enter
  • The client overview is displayed. Ensure the display mode is active (do not click Edit)
  • Go to Table View → Print / Display → Export → Spreadsheet, or use System → List → Save → Local file
  • Confirm all clients are included (000, 001, production client, and any sandbox clients)
Expected Columns
CLIENT, DESCRIPTION, CITY, CHANGE_OPTION, CATT_ENABLED, CLIENT_ROLE, LOGICAL_SYSTEM

Change & Transport Management (1 file)

Transport request history provides evidence of change management controls and identifies direct-to-production changes.

transport_requests.csv
Transport request list — released and open requests, approvals
Optional
Transaction
SE10, SE09, SE16 → E070
Step-by-Step
  • Enter transaction SE10 → press Enter to open Transport Organizer
  • Set the User field to * and select status options: Released and Modifiable
  • Set a date range (recommend last 12 months minimum for an annual assessment)
  • Press Display to retrieve the list
  • Go to List → Export → Spreadsheet to save locally
  • Alternative: SE16 → table E070 → set date range → Execute → Export
Expected Columns
REQUEST_ID, TYPE, STATUS, OWNER, DESCRIPTION, CREATED_DATE, RELEASED_DATE, TARGET_SYSTEM, APPROVED_BY

User Lifecycle & RFC Connections (2 files)

Extended user details for provisioning and termination review, plus RFC destination inventory for interface security analysis.

user_details.csv
Extended user master — email, department, position, validity
Required
Transaction
SUIM → Users → By Logon Date, SE16 → USR21
Step-by-Step
  • Enter transaction SUIM → navigate to Users → By Logon Date and Time
  • Leave the user filter blank, set date range from system inception to today, and press Execute
  • Export the result via List → Export → Spreadsheet
  • Alternatively, use SE16 → table USR21 (user address cross-reference) → Execute → Export for email and address data
Expected Columns
USERNAME, FULL_NAME, EMAIL, DEPARTMENT, POSITION, VALID_TO, LAST_LOGON, CREATED_BY, USER_TYPE, LOCKED
rfc_connections.csv
RFC destination inventory — types, stored credentials, trusted systems
Required
Transaction
SM59
Step-by-Step
  • Enter transaction SM59 and press Enter
  • Expand all connection type groups (A = ABAP, G = HTTP, H = HTTP(S), L = Logical, T = TCP/IP, W = WebRFC)
  • Select all entries, then go to Goto → RFC Destinations → Print List or List → Export → Spreadsheet
  • For each Type 3 (ABAP-to-ABAP) connection, note whether it is a Trusted System connection and whether a stored user/password exists
Expected Columns
DEST_NAME, DEST_TYPE, HOST, SYSTEM_ID, CLIENT, LOGON_METHOD, TRUSTED_SYSTEM, SNC_ENABLED, STORED_USER, STORED_PASSWORD, RFC_AUTH_CHECK, CREATED_BY, LAST_USED_DATE

Audit Logging, Security Notes, EAM & Operational Files (5 files)

Covers security audit log configuration, SAP Note currency, emergency access management, background job security, and payment run controls.

audit_log_config.csv
Security audit log filter configuration — event classes, user filters
Required
Transaction
SM19
Step-by-Step
  • Enter transaction SM19 → press Enter to open Security Audit Log Configuration
  • Click Display Active Profile to see the currently active configuration
  • Note each filter entry: number, active status, event class selections, user filter, client filter, and log level
  • Since SM19 does not have a built-in export, manually compile each filter row into the CSV. Most systems have 5–15 filter entries
  • Confirm whether the audit log is active at all (status icon in the header area)
Expected Columns
FILTER_NUMBER, ACTIVE, EVENT_CLASS, USER_FILTER, CLIENT_FILTER, LOG_LEVEL
installed_notes.csv
Applied SAP Security Notes — note numbers, versions, applied dates
Optional
Transaction
SNOTE, SE16 → CWBNTHEAD
Step-by-Step
  • Enter transaction SNOTE → press Enter to open SAP Note Assistant
  • Navigate to Utilities → Applied Notes to see all applied notes
  • Export via List → Export → Spreadsheet
  • Alternative: SE16 → table CWBNTHEAD → filter NOTE_TYPE = SN → Execute → Export
Expected Columns
NOTE_NUMBER, NOTE_VERSION, NOTE_TYPE, DESCRIPTION, APPLIED_DATE, APPLIED_BY, PRIORITY
eam_log.csv
Emergency access management / firefighter usage log
If GRC
Transaction / Source
GRC → GRFN, /GRCPI/GRIA_EAM, Custom EAM Table
Step-by-Step
  • If SAP GRC Access Control is deployed: navigate to GRFN transaction or run report /GRCPI/GRIA_EAM → set date range → Execute → Export
  • If custom EAM is in use: identify the custom log table with your Basis team → SE16 → open table → date filter → Execute → Export
  • If no formal EAM exists: note this in the assessment — absence of an EAM log is itself a finding
Expected Columns
LOG_ID, FIREFIGHTER_ID, USED_BY, REASON, START_TIME, END_TIME, REVIEWED_BY, REVIEW_DATE, TRANSACTIONS_USED
software_components.csv
Software component versions and support package levels
Required
Transaction
SPAM, SAINT
Step-by-Step
  • Enter transaction SPAM → press Enter to open the Support Package Manager
  • Navigate to Display → Component Information or the Component List view
  • This shows all installed software components (SAP_BASIS, SAP_ABA, S4CORE, etc.) with their release and patch levels
  • Export via List → Export → Spreadsheet
  • If Add-On components are also required: run SAINT for add-on installation status
Expected Columns
COMPONENT, DESCRIPTION, RELEASE, PATCH_LEVEL, LAST_UPDATED
background_jobs.csv
Background job definitions — run-as users, schedules, programs
Required
Transaction
SM37, SE16 → TBTCO
Step-by-Step
  • Enter transaction SM37 → press Enter
  • Set Job name = *, User name = *, and tick all Status checkboxes (Active, Scheduled, Released, Ready, Running, Finished, Cancelled)
  • Set a date range — for a security assessment, cover at least the last 90 days of job history
  • Press Execute, then List → Export → Spreadsheet to save
  • Alternative: SE16 → table TBTCO → Execute → Export for the full job definition table
Expected Columns
JOB_NAME, JOB_STATUS, SCHEDULED_BY, RUN_AS_USER, RUN_AS_USER_TYPE, CLIENT, PROGRAM_NAME, VARIANT, START_TYPE, PERIOD_MINS, LAST_RUN_DATE, NEXT_RUN_DATE, TARGET_SERVER, PRIVILEGED
payment_runs.csv
F110 payment run log — dual control, approvals, total amounts
Optional
Transaction
F110, SE16 → REGUH
Step-by-Step
  • Enter transaction F110 → press Enter
  • Enter the run date range in the Run Date field and an identification if known, or leave blank to see all runs
  • Select a run → click Display to see the full run log including who proposed, approved, and executed
  • Export via List → Export → Spreadsheet
  • Alternative: SE16 → table REGUH → set date range in LAUFD field → Execute → Export. Note: REGUH contains settlement data per payment run
Expected Columns
RUN_ID, RUN_DATE, PROPOSED_BY, APPROVED_BY, EXECUTED_BY, PAYMENT_METHOD, TOTAL_AMOUNT, CURRENCY, BANK_ACCOUNT, POSTING_DATE, STATUS, DUAL_CONTROL, CHANGED_AFTER_APPROVAL, VENDOR_COUNT

Quick Reference — All Transactions & Sources

Print this table and hand it to your Basis team or SAP administrator.

Transaction / Source | Description | Used For (Files) | Domain
SYS.USERS (SQL) | HANA user account system view | hana_users.csv | HANA DB
SYS.GRANTED_ROLES (SQL) | HANA role grant system view | hana_granted_roles.csv | HANA DB
SYS.AUDIT_POLICIES (SQL) | HANA audit policy system view | hana_audit_policies.csv | HANA DB
SYS.M_VOLUME_ENCRYPTION_STATUS | HANA volume encryption monitoring view | hana_encryption.csv | HANA DB
SYS.M_ENCRYPTION_OVERVIEW | HANA encryption component overview | hana_encryption.csv | HANA DB
SYS.M_PASSWORD_POLICY (SQL) | HANA password policy parameters view | hana_password_policy.csv | HANA DB
/IWFND/MAINT_SERVICE | SAP Gateway service maintenance | odata_services.csv | Fiori
SICF | ICF service tree maintenance | icf_services.csv | Fiori
SE16 → AGR_1251 | Role authorization data table | role_auth_objects.csv | ABAP Auth
SE16 → AGR_USERS | User-role assignment table | user_role_matrix.csv | ABAP Auth
SUIM | User Information System — roles, auths, users | role_auth_objects.csv, user_role_matrix.csv, user_details.csv | ABAP Auth
SE16 → USR02 | User master data — logon, lock status | critical_users.csv | ABAP Auth
SE16 → USR21 | User address cross-reference | user_details.csv | User Lifecycle
BTP Cockpit → Security → Role Collections | BTP role collection assignments | btp_roles.csv | BTP
BTP Cockpit → Security → Trust Configuration | BTP identity provider configuration | btp_trust_config.csv | BTP
Integration Suite → Design → Integrations | Integration Suite iFlow listing | btp_iflows.csv | BTP
API Management → APIs | API proxy listing | btp_api_proxies.csv | BTP
SA38 → RSPFPAR | Profile parameter report | profile_parameters.csv | Basis
RZ11 | Profile parameter display (individual) | profile_parameters.csv | Basis
SE16 → PAHI | Profile parameter history table | profile_parameters.csv | Basis
SE10 / SE09 | Transport Organizer | transport_requests.csv | Change Mgmt
SE16 → E070 | Transport request header table | transport_requests.csv | Change Mgmt
SM59 | RFC destination maintenance | rfc_connections.csv | RFC
SM19 | Security audit log configuration | audit_log_config.csv | Audit
SNOTE | SAP Note Assistant — applied notes | installed_notes.csv | Patching
SE16 → CWBNTHEAD | SAP Note header table | installed_notes.csv | Patching
SCC4 | Client settings maintenance | client_settings.csv | Basis
GRFN / /GRCPI/GRIA_EAM | GRC EAM firefighter log report | eam_log.csv | EAM / GRC
SPAM | Support Package Manager | software_components.csv | Patching
SAINT | Add-on Installation Tool | software_components.csv | Patching
SM37 | Background job overview | background_jobs.csv | Jobs
SE16 → TBTCO | Background job definition table | background_jobs.csv | Jobs
F110 | Payment run — display & log | payment_runs.csv | Finance
SE16 → REGUH | Payment settlement header table | payment_runs.csv | Finance

Tips & Troubleshooting

Common issues encountered during SAP data extraction and how to resolve them.

SE16 Maximum Row Limit

By default SE16 returns a maximum of 200 rows. You must increase this before running the query. In the selection screen, set the Maximum Number of Hits field to a sufficiently large number (e.g. 500000 for AGR_1251, 50000 for USR02). If the exact row count is unknown, temporarily set it to 9999999 and note the actual count returned for your working papers.

Authorization Error on SE16

If SE16 returns an authorization error for a specific table, the extracting user may be missing S_TABU_DIS authorization for that table's authorization group, or S_TABU_NAM for the specific table name. Ask your Basis admin to grant read-only access to the specific table. Do not request SAP_ALL — only the minimum required authorizations.

CSV Character Encoding Issues

When saving from the SAP ALV list as a local file, select Spreadsheet format (not text / tab delimited) where possible. If CSV format is required, ensure the file is saved as UTF-8 with BOM to avoid corruption of special characters (umlauts, accented characters in user names). In Excel, use Data → From Text/CSV and select UTF-8 encoding when opening.

HANA SQL — Insufficient Privileges

If the HANA SQL queries return an error such as "insufficient privilege: Not authorized", the executing DB user is missing CATALOG READ or SELECT privilege on the SYS schema. Ask your HANA DBA to run GRANT CATALOG READ TO [user] or GRANT SELECT ON SYS.USERS TO [user]. This is a read-only privilege and does not allow any data modification.

Performance on Large Systems

On production systems with millions of records, run large SE16 extracts during off-peak windows (e.g. weekends or batch maintenance windows). For AGR_1251 and AGR_USERS, consider using SE16N instead of SE16 — it offers better performance via optimised SQL. When extracting USR02, consider filtering by client to reduce result sets if a multi-client landscape is in scope.

Export File Naming Convention

Name each file exactly as specified in this guide (e.g. hana_users.csv, role_auth_objects.csv) before uploading to AuditCore. The assessment engine uses these exact filenames for classification. Include the client number or system ID as a suffix if exporting from multiple systems (e.g. critical_users_PRD300.csv). Confirm the file encoding is UTF-8 and that the first row contains column headers.
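
A pre-upload check for the naming, encoding and header rules above, plus the SE16 default row limit described earlier, as an added example (not part of the original guide and not AuditCore code). The header lists are copied from this guide for three files only; the suffix pattern and the sample file contents are assumptions constructed for illustration.

```python
import codecs
import csv
import io
import re

# Expected headers as listed in this guide. Only three exports are included
# to keep the example short; extend the mapping for the remaining files.
EXPECTED = {
    "hana_granted_roles": ["GRANTEE", "GRANTEE_TYPE", "ROLE_NAME", "GRANTOR", "IS_GRANTABLE"],
    "hana_password_policy": ["PROPERTY", "VALUE"],
    "user_role_matrix": ["USERNAME", "ROLE_NAME", "PROFILE_NAME",
                         "VALID_FROM", "VALID_TO", "USER_TYPE"],
}

# <guide name>[_<system or client suffix>].csv, e.g. critical_users_PRD300.csv.
# Assumption: the suffix is upper-case letters and digits, as in PRD300.
NAME_RE = re.compile(r"^(?P<base>[a-z_]+?)(?:_(?P<suffix>[A-Z0-9]+))?\.csv$")

SE16_DEFAULT_HITS = 200  # default row limit described under Tips

_HEADER = "USERNAME,ROLE_NAME,PROFILE_NAME,VALID_FROM,VALID_TO,USER_TYPE\n"
_ROW = "JM\u00dcLLER,Z_FI_CLERK,T-12345678,20240101,99991231,A\n"
# Constructed samples: a correct export, and the same text saved as Latin-1.
SAMPLE_GOOD = codecs.BOM_UTF8 + (_HEADER + _ROW).encode("utf-8")
SAMPLE_LATIN1 = (_HEADER + _ROW).encode("latin-1")


def check_export(filename, raw):
    """Return a list of problems for one export file; empty means ready."""
    match = NAME_RE.match(filename)
    if not match or match.group("base") not in EXPECTED:
        return ["file name is not one of the names in EXPECTED"]
    expected = EXPECTED[match.group("base")]

    problems = []
    if not raw.startswith(codecs.BOM_UTF8):
        problems.append("missing UTF-8 BOM")
    try:
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        # Typical for files saved in a legacy code page: umlauts break here.
        return problems + [f"not valid UTF-8 at byte offset {exc.start}"]

    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    if not rows:
        return problems + ["file is empty"]
    header = [h.strip() for h in rows[0]]
    missing = [c for c in expected if c not in header]
    extra = [c for c in header if c not in expected]
    if missing:
        problems.append(f"missing columns: {missing}")
    if extra:
        problems.append(f"unexpected columns: {extra}")

    data_rows = len(rows) - 1
    if data_rows == 0:
        problems.append("header only, no data rows")
    elif data_rows == SE16_DEFAULT_HITS:
        # An export that stops at exactly the default limit is likely truncated.
        problems.append("exactly 200 data rows: check the SE16 maximum hits setting")
    return problems


if __name__ == "__main__":
    for name, raw in [("user_role_matrix_PRD300.csv", SAMPLE_GOOD),
                      ("user_role_matrix.csv", SAMPLE_LATIN1)]:
        print(name, check_export(name, raw) or "OK")
```
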

Transaction Not Found

If a transaction such as /IWFND/MAINT_SERVICE or SNOTE is not available, it may not be installed on this system (e.g. OData gateway is on a separate hub system). Consult your Basis team to identify the correct system in the landscape. For SNOTE, ensure the SAP Note Assistant add-on (SAP_BASIS component) is at a sufficient release level.

HANA Studio Not Available

If SAP HANA Studio is not installed, use SAP HANA Cockpit (browser-based) instead. Navigate to the Database Overview → SQL Console to run SQL queries. Alternatively, use the SAP HANA Database Explorer plugin in SAP Business Application Studio (BAS) if BTP Dev Space access is available. All queries in this guide are standard ANSI SQL compatible with HANA's SQL console.

Need help with extraction? Vergent can develop a custom ABAP extraction report as part of a professional engagement, automating the SE16/SUIM-based exports (files 6–10, 15–25) into correctly formatted CSVs in a single execution. HANA-layer files (1–5) always require direct HANA DB or Cockpit access. BTP files (11–14) require BTP Cockpit access and cannot be automated via ABAP. Contact support@vergent.co.ke to discuss.

Live Connection — Enterprise Plan

The Enterprise plan connects AuditCore directly to your SAP S/4 HANA system for real-time assessment without manual CSV exports. This section explains how to prepare your SAP environment.

A. How the Live Connection Works

RFC-based read-only connection to your SAP system

AuditCore connects via RFC (Remote Function Call) to read data directly from the SAP system using the same underlying tables as the manual export. No ABAP development is installed on the client system — the connection is read-only and uses standard SAP APIs. A dedicated RFC destination is created on the SAP system pointing to the AuditCore assessment server.

B. Prerequisites Checklist

Confirm these items before enabling live connection

  • SAP S/4 HANA 1709 or higher (on-premise or RISE with SAP)
  • Network connectivity: AuditCore server IP whitelisted on SAP firewall for port 33XX (where XX = SAP instance number, typically 00)
  • RFC-enabled audit user created (see step C below)
  • SAP Message Server accessible (for group logon) or Application Server host known
  • SNC (Secure Network Communications) recommended for encrypted RFC — certificate exchange required

C. Creating the RFC Audit User

Transaction: SU01 — run by a Basis or Security Administrator

  1. In SU01, create user VERGENT_AUDIT with user type S (System) — not Dialog
  2. Assign the following roles/profiles — create a custom role (e.g. ZAUDITCORE_READ) containing ONLY these authorization objects with display/read values:
     Auth Object | Values
     S_RFC | RFC_TYPE=FUGR, RFC_NAME=*, ACTVT=16 (Execute)
     S_TABU_DIS | DICBERCLS=*, ACTVT=03 (Display only)
     S_TCODE | Restricted to: SE16, SM59, SM19, SM37, SU01, SUIM, SCC4
     S_ADMI_FCD | S_ADMI_FCD=ST0R (for profile parameter read)
  3. Set a strong password — minimum 12 characters, uppercase, digit, special character
  4. Set validity end date — recommended 90 days, renewable per engagement
  5. Lock the user between assessments — SU01 → Lock
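
One way to confirm that the custom role holds only what the table in step 2 lists, run against rows in the role_auth_objects.csv layout. This is an added example, not part of the original guide or of AuditCore; the sample rows are constructed, and both TCD as the S_TCODE field name and ignoring the ACTIVE column are assumptions.

```python
import csv
import io

ROLE = "ZAUDITCORE_READ"

# Values permitted by the table in step 2, keyed by (authorization object,
# field). TCD is the S_TCODE field name in SAP; the guide lists the
# transactions without naming the field.
ALLOWED = {
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {"*"},
    ("S_RFC", "ACTVT"): {"16"},
    ("S_TABU_DIS", "DICBERCLS"): {"*"},
    ("S_TABU_DIS", "ACTVT"): {"03"},
    ("S_TCODE", "TCD"): {"SE16", "SM59", "SM19", "SM37", "SU01", "SUIM", "SCC4"},
    ("S_ADMI_FCD", "S_ADMI_FCD"): {"ST0R"},
}

# Constructed sample (not real data): the intended grants plus four deviations.
SAMPLE_CSV = """ROLE_NAME,AUTH_OBJECT,FIELD_NAME,LOW_VALUE,HIGH_VALUE,ACTIVE
ZAUDITCORE_READ,S_RFC,RFC_TYPE,FUGR,,X
ZAUDITCORE_READ,S_RFC,RFC_NAME,*,,X
ZAUDITCORE_READ,S_RFC,ACTVT,16,,X
ZAUDITCORE_READ,S_TABU_DIS,DICBERCLS,*,,X
ZAUDITCORE_READ,S_TABU_DIS,ACTVT,03,,X
ZAUDITCORE_READ,S_TABU_DIS,ACTVT,02,,X
ZAUDITCORE_READ,S_TCODE,TCD,SE16,,X
ZAUDITCORE_READ,S_TCODE,TCD,SE38,,X
ZAUDITCORE_READ,S_TCODE,TCD,SM00,SM99,X
ZAUDITCORE_READ,S_ADMI_FCD,S_ADMI_FCD,ST0R,,X
ZAUDITCORE_READ,S_DEVELOP,ACTVT,03,,X
Z_FI_CLERK,S_TCODE,TCD,FB01,,X
"""


def check_role(text, role=ROLE):
    """Return (csv_line, object, field, value, reason) for every deviation.

    The ACTIVE column is not interpreted: every row of the role is checked.
    """
    findings = []
    # start=2 because line 1 of the file is the header row
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if row["ROLE_NAME"].strip() != role:
            continue
        obj = row["AUTH_OBJECT"].strip()
        field = row["FIELD_NAME"].strip()
        low = row["LOW_VALUE"].strip()
        high = row["HIGH_VALUE"].strip()
        allowed = ALLOWED.get((obj, field))
        if allowed is None:
            findings.append((line_no, obj, field, low, "object/field not listed for this role"))
        elif high:
            # A LOW..HIGH range can cover values outside the list.
            findings.append((line_no, obj, field, f"{low}..{high}", "range instead of single value"))
        elif low not in allowed:
            findings.append((line_no, obj, field, low, "value not listed for this role"))
    return findings


if __name__ == "__main__":
    for finding in check_role(SAMPLE_CSV):
        print(finding)
```
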

D. RFC Destination Setup

Transaction: SM59 — for on-premise AuditCore deployments only

Not required for cloud-hosted AuditCore — the connection is outbound from SAP. For on-premise AuditCore deployments, create an RFC destination in SM59 using the parameters below.
Field | Value
Connection type | 3 (ABAP Connection)
Target host | AuditCore server IP/hostname
System number | Provided by Vergent
Logon | Technical user credentials

E. Firewall / Network Requirements

Where XX = SAP instance number (usually 00 → port 3300)

Port | Protocol | Direction | Purpose
33XX | RFC/TCP | Inbound to SAP | RFC connection from AuditCore
443 | HTTPS | Outbound from SAP | Results upload (optional)
8080 | HTTP | Inbound to SAP | SAP Message Server (group logon)

F. SNC Encryption (Recommended)

Secure Network Communications — X.509 certificate or Kerberos

If SNC is enabled on the SAP system, AuditCore supports SNC/Kerberos and X.509 certificate-based encryption. Contact support@vergent.co.ke for the AuditCore SNC certificate to import into your SAP trust store.

Important Security Note. The VERGENT_AUDIT user must be locked between assessments. Never grant SAP_ALL or S_DEVELOP to this user. All RFC calls made by AuditCore are SELECT-only — no INSERT, UPDATE, or DELETE operations are performed. A full activity log is provided post-assessment.