Data Extraction Guide
for SAP Business One
Global SME ERP security assessment with enhanced support for East African regulatory requirements. Step-by-step instructions for your IT team to extract security and controls data from SAP B1 via Service Layer REST API or direct SQL for the V/ergent assessment. Includes Release 5 programme packs: 25 AML / Wolfsberg controls + 50 cross-system SoD rules + (SAP-only) 30 SAP-GRC-parity fraud patterns.
Recommended extraction path
Use the V/ergent extractor first. It writes CSVs to a timestamped folder under C:\Vergent\Export, then you upload that folder into the audit project.
Manual path if automated extraction is blocked
Use the required-file list below as the manual checklist. Keep filenames unchanged, leave unavailable files empty with only headers, and record any missing source in the upload notes before running the audit.
Extract-VergentSAPB1.ps1 which supports both the Service Layer REST API (recommended for B1 10.0+) and direct SQL against the company database (for older versions or when Service Layer is unavailable).| Requirement | Details | Where to find it |
|---|---|---|
| SAP B1 User | Manager-level or Super User account | Administration → Setup → General → Users |
| Service Layer URL | https://b1server:50000 or http://b1server:50000 | Ask your B1 administrator or check IIS on the server |
| Company DB Name | e.g. ACME_LIVE, SBODemoKE | Help → About SAP Business One → Company DB |
| SQL Access (fallback) | SQL Server login with db_datareader on the company DB | SQL Server Management Studio → Security → Logins |
| B1 Version | B1 9.3 or newer (Service Layer available) | Help → About SAP Business One |
All files are CSV format. The PowerShell script produces these exact filenames. Upload whichever files you can access — V/ergent runs checks on available data.
User Accounts (OUSR)
All B1 users: UserCode, Locked status, SuperUser flag, Admin flag, department, email, last login date, password expiry
User Authorization Groups (USR1/OUSRG)
Mapping of users to authorization groups: UserCode, AuthGroup, GroupName, module codes
License Assignments
License type per user (Professional, Limited, Starter), status, and expiry date
Audit Trail / Change Log (ADTF)
B1 change log: LogDate, UserCode, object changed, field, old value, new value. Critical for detecting unauthorised vendor bank changes.
Approval Templates (OATM)
Approval workflow definitions: template code, document type covered, active status, min/max amounts, approvers
Journal Entry Headers (OJDT)
Manual journal entries: TransId, dates, user, memo, manual flag, totals. Used to detect unapproved posting and backdating.
Journal Entry Lines (JDT1)
Line-level detail: account codes, debit/credit amounts, contra account. Used to detect round amounts and missing references.
Vendor / Supplier Master (OCRD)
All suppliers: CardCode, name, bank code, account number, balance, creation and update dates. Used for ghost vendor detection.
Outgoing Payments (OVPM)
All outgoing payments: DocNum, vendor, date, total, currency, user who posted, bank account used
Company / Admin Settings (OADM)
System-wide settings: manager password, multiple login allowance, negative inventory, B1 version, backup date, encryption status
Password Policy
Password rules: minimum length, expiry days, complexity requirement, lockout attempts, session timeout
Service Layer Access Log
REST API calls: client IP, user, endpoint, HTTP method, response code, protocol (HTTP vs HTTPS). Detect plain-text API usage.
Installed Add-Ons / ISV Solutions
Add-on name, publisher, version, SAP certification status, install date. Uncertified add-ons can bypass B1 security controls.
Database-Level Users
SQL Server users with direct DB access: role, last login, host. Direct DB access bypasses all B1 application-level controls.
Bank Master (OBNK)
Company bank accounts: bank code, name, account number, currency, SWIFT, active status
Native coverage: 26 B1-native SoD rules (6 in segregation_of_duties.py + 20 in extended_segregation_of_duties.py) covering OUSRG authorisation groups, OATM approval templates, OINV billing, OPCH purchasing, ODSC payment runs, and SuperUser flag abuse.
Plus the three Release 5 programme packs that run alongside this platform's audit:
- AML / Wolfsberg Programme Controls — 25 controls spanning sanctions-list cadence, PEP / KYC review, CTR / SAR filing, structuring detection, transaction-monitoring tuning. Wired into all 7 ERP connectors (skips on cloud-only audits). Guide.
- Cross-System SoD — 50 multi-ERP conflict patterns spanning SAP × Oracle × D365 × NetSuite × Sage × AWS × Azure. Detects fraud paths a single-system review will never see. Guide.
- SAP Fraud Patterns — 30 SAP-GRC-parity patterns (STAD audit-log delete, debugger replace in PROD, Z* shadow SAP_ALL, dormant SAP_ALL, posting-period unlock + GL post, etc.). Guide.
Every finding carries citations across 13 frameworks (COSO 2013, COBIT 2019, NIST CSF 2.0, ISO 27001:2022, CIS v8, SOX ITGC, SOC 2 TSC, PCI DSS v4, HIPAA, DORA, NIS2, GDPR, Kenya DPA) — 11 of 13 at ≥75% mapped coverage. See the Check Packs page for per-pack framework coverage badges.