Required ABAP authorizations

Article
12/17/2024

This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems.

The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel.

Tip

To create a role with all the required authorizations, load the role authorizations from the /MSFTSEN/SENTINEL_RESPONDER file.

Alternately, deploy the SAP NPLK900271 CR on the SAP system to create the /MSFTSEN/SENTINEL_CONNECTOR role, or load the role authorizations from the /MSFTSEN/SENTINEL_CONNECTOR file.

If needed, you can remove the user role and any optional CR installed on your ABAP system.

ABAP application log

Authorization object	Field	Value
S_RFC	RFC_NAME	BAPI_XBP_APPL_LOG_CONTENT_GET
S_RFC	RFC_NAME	BAPI_XMI_LOGOFF
S_RFC	RFC_NAME	BAPI_XMI_LOGON
S_RFC	RFC_NAME	BAPI_XMI_SET_AUDITLEVEL
S_TABU_NAM	TABLE	BALHDR
S_XMI_PROD	EXTCOMPANY	Microsoft
S_XMI_PROD	EXTPRODUCT	Azure Sentinel
S_XMI_PROD	INTERFACE	XBP
S_APPL_LOG	ALG_OBJECT	*
S_APPL_LOG	ALG_SUBOBJ	*
S_APPL_LOG	ACTVT	Display

ABAP change documents log

Authorization object	Field	Value
S_TABU_NAM	TABLE	CDHDR
S_TABU_NAM	TABLE	CDPOS

ABAP CR log

Authorization object	Field	Value
S_RFC	RFC_NAME	CTS_API_READ_CHANGE_REQUEST
S_TABU_NAM	TABLE	E070
S_TRANSPRT	TTYPE	*
S_TRANSPRT	ACTVT	Display

ABAP DB table data log

Authorization object	Field	Value
S_TABU_NAM	TABLE	DBTABLOG
S_TABU_NAM	TABLE	SACF_ALERT
S_TABU_NAM	TABLE	SOUD
S_TABU_NAM	TABLE	USR41
S_TABU_NAM	TABLE	TMSQAFILTER

ABAP job log

Authorization object	Field	Value
S_RFC	RFC_NAME	BAPI_XBP_JOB_JOBLOG_READ
S_RFC	RFC_NAME	BAPI_XMI_LOGOFF
S_RFC	RFC_NAME	BAPI_XMI_LOGON
S_RFC	RFC_NAME	BAPI_XMI_SET_AUDITLEVEL
S_TABU_NAM	TABLE	TBTCO
S_XMI_PROD	EXTCOMPANY	Microsoft
S_XMI_PROD	EXTPRODUCT	Azure Sentinel
S_XMI_PROD	INTERFACE	XBP

ABAP security audit log

Authorization object	Field	Value
S_RFC	RFC_NAME	BAPI_USER_GET_DETAIL
S_RFC	RFC_NAME	BAPI_XMI_LOGOFF
S_RFC	RFC_NAME	BAPI_XMI_LOGON
S_RFC	RFC_NAME	BAPI_XMI_SET_AUDITLEVEL
S_RFC	RFC_NAME	BAPI_SYSTEM_MTE_GETMLHIS
S_RFC	RFC_NAME	BAPI_SYSTEM_MTE_GETTREE
S_RFC	RFC_NAME	BAPI_SYSTEM_MTE_GETTIDBYNAME
S_RFC	RFC_NAME	BAPI_SYSTEM_MS_GETLIST
S_RFC	RFC_NAME	BAPI_SYSTEM_MON_GETLIST
S_RFC	RFC_NAME	BAPI_SYSTEM_MON_GETTREE
S_RFC	RFC_NAME	BAPI_SYSTEM_MTE_GETPERFCURVAL
S_RFC	RFC_NAME	BAPI_SYSTEM_MT_GETALERTDATA
S_RFC	RFC_NAME	BAPI_SYSTEM_ALERT_ACKNOWLEDGE
S_ADMI_FCD	S_ADMI_FCD	AUDD (Basis audit display auth.)
S_SAL	SAL_ACTVT	SHOW_LOG (Evaluate the file-based log)
S_USER_GRP	CLASS	SUPER
S_USER_GRP	ACTVT	Display
S_USER_GRP	CLASS	SUPER
S_USER_GRP	ACTVT	Lock
S_XMI_PROD	EXTCOMPANY	Microsoft
S_XMI_PROD	EXTPRODUCT	Azure Sentinel
S_XMI_PROD	INTERFACE	XAL

ABAP spool logs

Authorization object	Field	Value
S_TABU_NAM	TABLE	TSP01
S_ADMI_FCD	S_ADMI_FCD	SPOS (Use of Transaction SP01 (all systems))

ABAP workflow log

Authorization object	Field	Value
S_TABU_NAM	TABLE	SWWLOGHIST
S_TABU_NAM	TABLE	SWWWIHEAD

All logs

Authorization object	Field	Value
S_RFC	RFC_TYPE	Function Module
S_RFC	RFC_NAME	/OSP/SYSTEM_TIMEZONE
S_RFC	RFC_NAME	DDIF_FIELDINFO_GET
S_RFC	RFC_NAME	RFCPING
S_RFC	RFC_NAME	RFC_GET_FUNCTION_INTERFACE
S_RFC	RFC_NAME	RFC_READ_TABLE
S_RFC	RFC_NAME	RFC_SYSTEM_INFO
S_RFC	RFC_NAME	SUSR_USER_AUTH_FOR_OBJ_GET
S_RFC	RFC_NAME	TH_SERVER_LIST
S_RFC	ACTVT	Execute
S_TCODE	TCD	SM51
S_TABU_NAM	ACTVT	Display
S_TABU_NAM	TABLE	T000

Configuration history

Authorization object	Field	Value
S_TABU_NAM	TABLE	PAHI

Optional logs, if the Microsoft Sentinel solution CR is implemented

Authorization object	Field	Value
S_RFC	RFC_NAME	/MSFTSEN/*

SNC data

Authorization object	Field	Value
S_TABU_NAM	TABLE	SNCSYSACL
S_TABU_NAM	TABLE	USRACL

User data

Authorization object	Field	Value
S_TABU_NAM	TABLE	ADCP
S_TABU_NAM	TABLE	ADR6
S_TABU_NAM	TABLE	AGR_1251
S_TABU_NAM	TABLE	AGR_AGRS
S_TABU_NAM	TABLE	AGR_DEFINE
S_TABU_NAM	TABLE	AGR_FLAGS
S_TABU_NAM	TABLE	AGR_PROF
S_TABU_NAM	TABLE	AGR_TCODES
S_TABU_NAM	TABLE	AGR_USERS
S_TABU_NAM	TABLE	DEVACCESS
S_TABU_NAM	TABLE	USER_ADDR
S_TABU_NAM	TABLE	USGRP_USER
S_TABU_NAM	TABLE	USR01
S_TABU_NAM	TABLE	USR02
S_TABU_NAM	TABLE	USR05
S_TABU_NAM	TABLE	USR21
S_TABU_NAM	TABLE	USRSTAMP
S_TABU_NAM	TABLE	UST04

For more information, see Configure your SAP system for the Microsoft Sentinel solution.