This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems.
The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel.
Tip
To create a role with all the required authorizations, load the role authorizations from the /MSFTSEN/SENTINEL_RESPONDER file.
Alternately, deploy the SAP NPLK900271 CR on the SAP system to create the /MSFTSEN/SENTINEL_CONNECTOR role, or load the role authorizations from the /MSFTSEN/SENTINEL_CONNECTOR file.
If needed, you can remove the user role and any optional CR installed on your ABAP system.
ABAP application log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_XBP_APPL_LOG_CONTENT_GET |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_TABU_NAM |
TABLE |
BALHDR |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XBP |
| S_APPL_LOG |
ALG_OBJECT |
* |
| S_APPL_LOG |
ALG_SUBOBJ |
* |
| S_APPL_LOG |
ACTVT |
Display |
ABAP change documents log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
CDHDR |
| S_TABU_NAM |
TABLE |
CDPOS |
ABAP CR log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
CTS_API_READ_CHANGE_REQUEST |
| S_TABU_NAM |
TABLE |
E070 |
| S_TRANSPRT |
TTYPE |
* |
| S_TRANSPRT |
ACTVT |
Display |
ABAP DB table data log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
DBTABLOG |
| S_TABU_NAM |
TABLE |
SACF_ALERT |
| S_TABU_NAM |
TABLE |
SOUD |
| S_TABU_NAM |
TABLE |
USR41 |
| S_TABU_NAM |
TABLE |
TMSQAFILTER |
ABAP job log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_XBP_JOB_JOBLOG_READ |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_TABU_NAM |
TABLE |
TBTCO |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XBP |
ABAP security audit log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_USER_GET_DETAIL |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETMLHIS |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETTREE |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETTIDBYNAME |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MS_GETLIST |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MON_GETLIST |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MON_GETTREE |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETPERFCURVAL |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MT_GETALERTDATA |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_ALERT_ACKNOWLEDGE |
| S_ADMI_FCD |
S_ADMI_FCD |
AUDD (Basis audit display auth.) |
| S_SAL |
SAL_ACTVT |
SHOW_LOG (Evaluate the file-based log) |
| S_USER_GRP |
CLASS |
SUPER |
| S_USER_GRP |
ACTVT |
Display |
| S_USER_GRP |
CLASS |
SUPER |
| S_USER_GRP |
ACTVT |
Lock |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XAL |
ABAP spool logs
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
TSP01 |
| S_ADMI_FCD |
S_ADMI_FCD |
SPOS (Use of Transaction SP01 (all systems)) |
ABAP workflow log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
SWWLOGHIST |
| S_TABU_NAM |
TABLE |
SWWWIHEAD |
All logs
| Authorization object |
Field |
Value |
| S_RFC |
RFC_TYPE |
Function Module |
| S_RFC |
RFC_NAME |
/OSP/SYSTEM_TIMEZONE |
| S_RFC |
RFC_NAME |
DDIF_FIELDINFO_GET |
| S_RFC |
RFC_NAME |
RFCPING |
| S_RFC |
RFC_NAME |
RFC_GET_FUNCTION_INTERFACE |
| S_RFC |
RFC_NAME |
RFC_READ_TABLE |
| S_RFC |
RFC_NAME |
RFC_SYSTEM_INFO |
| S_RFC |
RFC_NAME |
SUSR_USER_AUTH_FOR_OBJ_GET |
| S_RFC |
RFC_NAME |
TH_SERVER_LIST |
| S_RFC |
ACTVT |
Execute |
| S_TCODE |
TCD |
SM51 |
| S_TABU_NAM |
ACTVT |
Display |
| S_TABU_NAM |
TABLE |
T000 |
Configuration history
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
PAHI |
Optional logs, if the Microsoft Sentinel solution CR is implemented
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
/MSFTSEN/* |
SNC data
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
SNCSYSACL |
| S_TABU_NAM |
TABLE |
USRACL |
User data
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
ADCP |
| S_TABU_NAM |
TABLE |
ADR6 |
| S_TABU_NAM |
TABLE |
AGR_1251 |
| S_TABU_NAM |
TABLE |
AGR_AGRS |
| S_TABU_NAM |
TABLE |
AGR_DEFINE |
| S_TABU_NAM |
TABLE |
AGR_FLAGS |
| S_TABU_NAM |
TABLE |
AGR_PROF |
| S_TABU_NAM |
TABLE |
AGR_TCODES |
| S_TABU_NAM |
TABLE |
AGR_USERS |
| S_TABU_NAM |
TABLE |
DEVACCESS |
| S_TABU_NAM |
TABLE |
USER_ADDR |
| S_TABU_NAM |
TABLE |
USGRP_USER |
| S_TABU_NAM |
TABLE |
USR01 |
| S_TABU_NAM |
TABLE |
USR02 |
| S_TABU_NAM |
TABLE |
USR05 |
| S_TABU_NAM |
TABLE |
USR21 |
| S_TABU_NAM |
TABLE |
USRSTAMP |
| S_TABU_NAM |
TABLE |
UST04 |
Related content
For more information, see Configure your SAP system for the Microsoft Sentinel solution.