{"id":11836,"date":"2024-07-17T09:53:14","date_gmt":"2024-07-17T07:53:14","guid":{"rendered":"https:\/\/www.inprosec.com\/?p=11836"},"modified":"2024-07-17T09:53:14","modified_gmt":"2024-07-17T07:53:14","slug":"sap-table-restriction-from-organisational-criteria","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/","title":{"rendered":"SAP\u00ae Table Restriction from Organisational Criteria"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">During this article, we will analyse the authorisation related to line and organisational criteria for tables.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Tables in SAP, depending on the information they store, can be a critical resource for the system (IT tables, configuration, etc.) or for the business (approver tables, accounting periods, etc.). As such, it has always been sought to restrict access to only those users who must have it. It is quite common to consider standard table modification or display transactions (e.g. SM30 or SE16) as Critical Actions and to monitor their assignment through risk analysis tools such as the Access Risk Analysis (ARA) module of SAP\u00ae GRC.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As for all other transactions, it is possible to restrict and control access to the different SAP\u00ae tables using the standard authorisation model. Authorisation objects are the basic unit for controlling user permissions in an SAP\u00ae system, and in this case, we have 3 objects for this purpose:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>S_TABU_DIS:<\/b><span style=\"font-weight: 400;\"> allows you to control access to display or modify tables, using the authorisation group to which the table belongs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>S_TABU_NAM:<\/b><span style=\"font-weight: 400;\"> allows you to control access to display or modify tables, directly using the individual table you want to restrict.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>S_TABU_LIN:<\/b><span style=\"font-weight: 400;\"> allows you to control the authorisation to display or modify the contents of tables, based on a previously defined organisational criterion. This object must be used in conjunction with one of the previous two.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To grant access to a table, it is sufficient to use one of the first two objects (S_TABU_DIS or S_TABU_NAM). However, these objects will allow the entire table to be displayed or modified, without being able to restrict according to content. Here we can use the S_TABU_LIN object, which is part of an extension of the authorisations concept called Line-Related Authorisations. In the following, we will detail this extension of the authorisations, to facilitate its implementation when needed.<\/span><\/p>\n<h2><b>Line Referenced Authorisations<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This is an authorisations concept that extends and complements the traditional one. It allows to restrict access to tables according to previously defined organisational criteria. In this way <\/span><b>it is possible to grant a user an access authorisation only to specific rows of a table.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Using the traditional authorisations, objects S_TABU_NAM and S_TABU_DIS, it is possible to allow the display or maintenance of contents in the whole table. The <\/span><b>S_TABU_LIN <\/b><span style=\"font-weight: 400;\">object, on the other hand, adds the possibility to filter at line level. For example, if you decide to use country as an organisational criterion in a table, you can restrict user access so that users can only view and modify records corresponding to their country in a table with information for all countries. The use of this object and authorisation concept is optional and must always be done in conjunction with the objects S_TABU_DIS\/S_TABU_NAM.<\/span><\/p>\n<h2>Define and Activate Organisational Criteria<\/h2>\n<p><span style=\"font-weight: 400;\">To apply the concept of line-related authorisations, an organisational criterion must be <\/span><b>defined and activated in advance.<\/b><span style=\"font-weight: 400;\"> These criteria define <\/span><b>which tables and fields are to be considered for applying a certain restriction <\/b><span style=\"font-weight: 400;\">and will be necessary when creating the authorisations as well. All of them must always be key fields of the table to be restricted.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To define an organisational criterion, it can be done from the Implementation Guide (SPRO) in the following path: <\/span><b>SAP\u00ae NetWeaver \u2192 Application Server \u2192 System Management \u2192 Users and Authorisations \u2192 Line-Related Authorisations \u2192 Define Organisational Criteria.<\/b><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11824\" aria-describedby=\"caption-attachment-11824\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11824\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-definicion-de-criterios-de-organizacion.jpg\" alt=\"\" width=\"699\" height=\"760\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-definicion-de-criterios-de-organizacion.jpg 1032w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-definicion-de-criterios-de-organizacion-276x300.jpg 276w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-definicion-de-criterios-de-organizacion-942x1024.jpg 942w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-definicion-de-criterios-de-organizacion-552x600.jpg 552w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11824\" class=\"wp-caption-text\">Image 1<i><span style=\"font-weight: 400;\">\u00a0Customizing (SPRO): pathway for the definition of organisational criteria<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11826\" aria-describedby=\"caption-attachment-11826\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11826\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Vista-de-los-criterios-de-organizacion.jpg\" alt=\"\" width=\"699\" height=\"623\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Vista-de-los-criterios-de-organizacion.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Vista-de-los-criterios-de-organizacion-300x267.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Vista-de-los-criterios-de-organizacion-1024x913.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Vista-de-los-criterios-de-organizacion-600x535.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11826\" class=\"wp-caption-text\">Image 2 <i><span style=\"font-weight: 400;\">View of organisational criteria<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The following example provides a customised table that allows you to define approvers according to the Company (BUKRS) and the Sales Organisation (VKORG), on which you want to apply a restriction using these two fields:<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11828\" aria-describedby=\"caption-attachment-11828\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11828\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/unnamed-1.png\" alt=\"\" width=\"700\" height=\"383\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/unnamed-1.png 1305w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/unnamed-1-300x164.png 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/unnamed-1-1024x560.png 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/unnamed-1-600x328.png 600w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-11828\" class=\"wp-caption-text\">Image 3 <i><span style=\"font-weight: 400;\">Table definition example<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Organisational criteria have been defined for this table as follows:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1st) A new entry has been created with the name ZRESTRICTED02, as an example.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11810\" aria-describedby=\"caption-attachment-11810\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11810\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-criterios-de-organizacion.jpg\" alt=\"\" width=\"701\" height=\"625\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-criterios-de-organizacion.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-criterios-de-organizacion-300x267.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-criterios-de-organizacion-1024x913.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-criterios-de-organizacion-600x535.jpg 600w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-11810\" class=\"wp-caption-text\">Image 4 <i><span style=\"font-weight: 400;\">Organisational criteria definition <\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When you create the criteria, it is possible to unlink it to a specific table, which will make it apply to the whole system. To do this, the table-ind column must be selected.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2\u00ba) A first attribute of the organisation criterion has been created with the name Z_BUKRS, which in turn has been linked to the field of the same name in the example table.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11818\" aria-describedby=\"caption-attachment-11818\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11818\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-primer-atributo-del-criterio-de-organizacion.jpg\" alt=\"\" width=\"699\" height=\"435\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-primer-atributo-del-criterio-de-organizacion.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-primer-atributo-del-criterio-de-organizacion-300x187.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-primer-atributo-del-criterio-de-organizacion-1024x637.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-primer-atributo-del-criterio-de-organizacion-600x373.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11818\" class=\"wp-caption-text\">Image 5 <i><span style=\"font-weight: 400;\">\u00a0First attribute of organisational criteria definition<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11814\" aria-describedby=\"caption-attachment-11814\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11814\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-primer-atributo.jpg\" alt=\"\" width=\"699\" height=\"435\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-primer-atributo.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-primer-atributo-300x187.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-primer-atributo-1024x637.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-primer-atributo-600x373.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11814\" class=\"wp-caption-text\">Image 6 <i><span style=\"font-weight: 400;\">\u00a0Table and fields for the first attribute definition<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">3\u00ba) A first attribute of the organisation criterion has been created with the name Z_VKORG, which in turn has been linked to the field of the same name in the example table.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11820\" aria-describedby=\"caption-attachment-11820\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11820\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-segundo-atributo-del-criterio-de-organizacion.jpg\" alt=\"\" width=\"699\" height=\"435\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-segundo-atributo-del-criterio-de-organizacion.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-segundo-atributo-del-criterio-de-organizacion-300x187.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-segundo-atributo-del-criterio-de-organizacion-1024x637.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-del-segundo-atributo-del-criterio-de-organizacion-600x373.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11820\" class=\"wp-caption-text\">Image 7 <i><span style=\"font-weight: 400;\">\u00a0Second attribute of organisational criterion definition<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11816\" aria-describedby=\"caption-attachment-11816\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11816\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-segundo-atributo.jpg\" alt=\"\" width=\"701\" height=\"436\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-segundo-atributo.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-segundo-atributo-300x187.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-segundo-atributo-1024x637.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Definicion-de-la-tabla-y-campos-para-el-segundo-atributo-600x373.jpg 600w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-11816\" class=\"wp-caption-text\">Image 8 <i><span style=\"font-weight: 400;\">Table and fields for the second attribute definition<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">At this point, an organisational criterion is already available for the example table ZRESTRICTED02.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The organisational criteria are defined independently of the client and are available in all of them. However, they operate in a client-dependent manner, so they must be activated in a client-specific manner where required.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To activate an organisational criterion, this can be done from the Implementation Guide (SPRO) in the following path: <\/span><b>SAP\u00ae NetWeaver \u2192 Application Server \u2192 System Management \u2192 Users and Authorisations \u2192 Line-Related Authorisations \u2192 Activate Organisational Criteria.<\/b><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11822\" aria-describedby=\"caption-attachment-11822\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11822\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-activacion-de-criterios-de-organizacion.jpg\" alt=\"\" width=\"700\" height=\"761\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-activacion-de-criterios-de-organizacion.jpg 1032w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-activacion-de-criterios-de-organizacion-276x300.jpg 276w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-activacion-de-criterios-de-organizacion-942x1024.jpg 942w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/ruta-para-la-activacion-de-criterios-de-organizacion-552x600.jpg 552w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><figcaption id=\"caption-attachment-11822\" class=\"wp-caption-text\">Image 9 Customizing (SPRO): <i><span style=\"font-weight: 400;\">\u00a0organisational criteria route of activation.<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">From this tool, the previously created organisational criteria have been activated by ticking the activated box and saving the changes.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11804\" aria-describedby=\"caption-attachment-11804\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11804\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Activacion-del-criterio-de-organizacion.jpg\" alt=\"\" width=\"699\" height=\"435\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Activacion-del-criterio-de-organizacion.jpg 1259w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Activacion-del-criterio-de-organizacion-300x187.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Activacion-del-criterio-de-organizacion-1024x637.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Activacion-del-criterio-de-organizacion-600x373.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11804\" class=\"wp-caption-text\">Imagen 10 Activaci\u00f3n del criterio de organizaci\u00f3n<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2><b>Role and Authorisation Construction<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The table maintenance transactions at first check the existing values for the S_TABU_DIS\/S_TABU_NAM objects. If the check is successful, they check whether any organisational criteria have been defined for the key fields of the table. If so, it checks whether you have authorisation for the different values of the fields defined in the criterion, using the S_TABU_LIN object. Only those values for which the authorisation check is successful are displayed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This behaviour inherent to standard maintenance transactions also extends to those parameter transactions that have been created from them. Therefore, the restrictions will also apply to custom table maintenance transactions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Following the example above, a role has been created that will give a user access to modify the created table, but only for the desired values of Company and Sales Organisation.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11806\" aria-describedby=\"caption-attachment-11806\" style=\"width: 701px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11806\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Autorizaciones-del-rol-construido-para-el-ejemplo-actual.jpg\" alt=\"\" width=\"701\" height=\"393\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Autorizaciones-del-rol-construido-para-el-ejemplo-actual.jpg 1600w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Autorizaciones-del-rol-construido-para-el-ejemplo-actual-300x168.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Autorizaciones-del-rol-construido-para-el-ejemplo-actual-1024x574.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Autorizaciones-del-rol-construido-para-el-ejemplo-actual-600x336.jpg 600w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><figcaption id=\"caption-attachment-11806\" class=\"wp-caption-text\">Imagen 11 <i><span style=\"font-weight: 400;\">Authorisations of the role constructed for the current example<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The role created includes the object S_TABU_NAM, which is necessary to give access to the table; but it also includes the object S_TABU_LIN, with the organisational criteria defined in the previous example and the values 1000 and ES02 for Company and Sales Organisation respectively.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_11808\" aria-describedby=\"caption-attachment-11808\" style=\"width: 699px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\" wp-image-11808\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Comparativa-usuario-con-SAP_ALL-vs-usuario-restringido.jpg\" alt=\"\" width=\"699\" height=\"337\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Comparativa-usuario-con-SAP_ALL-vs-usuario-restringido.jpg 1430w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Comparativa-usuario-con-SAP_ALL-vs-usuario-restringido-300x145.jpg 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Comparativa-usuario-con-SAP_ALL-vs-usuario-restringido-1024x494.jpg 1024w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Comparativa-usuario-con-SAP_ALL-vs-usuario-restringido-600x290.jpg 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><figcaption id=\"caption-attachment-11808\" class=\"wp-caption-text\">Imagen 12 <i><span style=\"font-weight: 400;\">\u00a0User with SAP_ALL vs restricted user comparison<\/span><\/i><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2><strong>Key Points<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Tables will continue to be a widely used element in SAP\u00ae, both for configuration tasks and business needs. It is often necessary for users to be able to view and modify data, but at the same time it must be considered that the necessary tools are available to give these accesses in an appropriate, restricted way and always based on specific needs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With the concept of line-related authorisations, more control is available with very little effort. These restrictions also become particularly relevant when customised tables come into play, where the fields do not necessarily have to match the standard, and often there are no authorisation objects that perfectly match what you want to restrict. In short, greater flexibility is achieved for the authorisation model and better protection of the information, adapted to the specific needs of the client.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>During this article, we will analyse the authorisation related to line and organisational criteria for tables. Tables in SAP, depending on the information they store, can be a critical resource for the system (IT tables, configuration, etc.) or for the business (approver tables, accounting periods, etc.). As such, it has always been sought to restrict&#8230;<\/p>\n","protected":false},"author":6,"featured_media":11834,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[61,52],"tags":[],"class_list":["post-11836","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sap-security-en-2","category-technical-article"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.3 (Yoast SEO v27.5) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SAP\u00ae Table Restriction from Organisational Criteria - Inprosec<\/title>\n<meta name=\"description\" content=\"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP\u00ae Table Restriction from Organisational Criteria\" \/>\n<meta property=\"og:description\" content=\"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/\" \/>\n<meta property=\"og:site_name\" content=\"Inprosec\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-17T07:53:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fernando Mosquera\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Mosquera\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/\"},\"author\":{\"name\":\"Fernando Mosquera\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"headline\":\"SAP\u00ae Table Restriction from Organisational Criteria\",\"datePublished\":\"2024-07-17T07:53:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/\"},\"wordCount\":1355,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg\",\"articleSection\":[\"SAP Security\",\"Technical Article\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/\",\"name\":\"SAP\u00ae Table Restriction from Organisational Criteria - Inprosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg\",\"datePublished\":\"2024-07-17T07:53:14+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"description\":\"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg\",\"contentUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-table-restriction-from-organisational-criteria\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP\u00ae Table Restriction from Organisational Criteria\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\",\"name\":\"Inprosec\",\"description\":\"Information security is our priority.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\",\"name\":\"Fernando Mosquera\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"caption\":\"Fernando Mosquera\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SAP\u00ae Table Restriction from Organisational Criteria - Inprosec","description":"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/","og_locale":"en_US","og_type":"article","og_title":"SAP\u00ae Table Restriction from Organisational Criteria","og_description":"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.","og_url":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/","og_site_name":"Inprosec","article_published_time":"2024-07-17T07:53:14+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg","type":"image\/jpeg"}],"author":"Fernando Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"SAP\u00ae Table Restriction from Organisational Criteria","datePublished":"2024-07-17T07:53:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/"},"wordCount":1355,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg","articleSection":["SAP Security","Technical Article"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/","url":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/","name":"SAP\u00ae Table Restriction from Organisational Criteria - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg","datePublished":"2024-07-17T07:53:14+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"description":"Discover how to restrict access to SAP\u00ae tables using organizational criteria. Learn to use authorization objects such as S_TABU_DIS, S_TABU_NAM, and S_TABU_LIN to control permissions and protect critical data. Implement line-based authorizations to grant specific access according to organizational needs, ensuring greater security and flexibility in your SAP\u00ae system.","breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/07\/Restriccion-de-Tablas-SAP\u00ae-a-partir-de-Criterios-de-Organizacion.jpg","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/sap-table-restriction-from-organisational-criteria\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"SAP\u00ae Table Restriction from Organisational Criteria"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/11836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=11836"}],"version-history":[{"count":1,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/11836\/revisions"}],"predecessor-version":[{"id":11838,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/11836\/revisions\/11838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/11834"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=11836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=11836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=11836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}