This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems.
The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel.
ABAP application log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_XBP_APPL_LOG_CONTENT_GET |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_TABU_NAM |
TABLE |
BALHDR |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XBP |
| S_APPL_LOG |
ALG_OBJECT |
* |
| S_APPL_LOG |
ALG_SUBOBJ |
* |
| S_APPL_LOG |
ACTVT |
Display |
ABAP change documents log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
CDHDR |
| S_TABU_NAM |
TABLE |
CDPOS |
ABAP CR log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
CTS_API_READ_CHANGE_REQUEST |
| S_TABU_NAM |
TABLE |
E070 |
| S_TRANSPRT |
TTYPE |
* |
| S_TRANSPRT |
ACTVT |
Display |
ABAP DB table data log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
DBTABLOG |
| S_TABU_NAM |
TABLE |
SACF_ALERT |
| S_TABU_NAM |
TABLE |
SOUD |
| S_TABU_NAM |
TABLE |
USR41 |
| S_TABU_NAM |
TABLE |
TMSQAFILTER |
ABAP job log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_XBP_JOB_JOBLOG_READ |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_TABU_NAM |
TABLE |
TBTCO |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XBP |
ABAP security audit log
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
BAPI_USER_GET_DETAIL |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGOFF |
| S_RFC |
RFC_NAME |
BAPI_XMI_LOGON |
| S_RFC |
RFC_NAME |
BAPI_XMI_SET_AUDITLEVEL |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETMLHIS |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETTREE |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETTIDBYNAME |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MS_GETLIST |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MON_GETLIST |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MON_GETTREE |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MTE_GETPERFCURVAL |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_MT_GETALERTDATA |
| S_RFC |
RFC_NAME |
BAPI_SYSTEM_ALERT_ACKNOWLEDGE |
| S_ADMI_FCD |
S_ADMI_FCD |
AUDD (Basis audit display auth.) |
| S_SAL |
SAL_ACTVT |
SHOW_LOG (Evaluate the file-based log) |
| S_USER_GRP |
CLASS |
SUPER |
| S_USER_GRP |
ACTVT |
Display |
| S_USER_GRP |
CLASS |
SUPER |
| S_USER_GRP |
ACTVT |
Lock |
| S_XMI_PROD |
EXTCOMPANY |
Microsoft |
| S_XMI_PROD |
EXTPRODUCT |
Azure Sentinel |
| S_XMI_PROD |
INTERFACE |
XAL |
ABAP spool logs
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
TSP01 |
| S_ADMI_FCD |
S_ADMI_FCD |
SPOS (Use of Transaction SP01 (all systems)) |
ABAP workflow log
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
SWWLOGHIST |
| S_TABU_NAM |
TABLE |
SWWWIHEAD |
All logs
| Authorization object |
Field |
Value |
| S_RFC |
RFC_TYPE |
Function Module |
| S_RFC |
RFC_NAME |
/OSP/SYSTEM_TIMEZONE |
| S_RFC |
RFC_NAME |
DDIF_FIELDINFO_GET |
| S_RFC |
RFC_NAME |
RFCPING |
| S_RFC |
RFC_NAME |
RFC_GET_FUNCTION_INTERFACE |
| S_RFC |
RFC_NAME |
RFC_READ_TABLE |
| S_RFC |
RFC_NAME |
RFC_SYSTEM_INFO |
| S_RFC |
RFC_NAME |
SUSR_USER_AUTH_FOR_OBJ_GET |
| S_RFC |
RFC_NAME |
TH_SERVER_LIST |
| S_RFC |
ACTVT |
Execute |
| S_TCODE |
TCD |
SM51 |
| S_TABU_NAM |
ACTVT |
Display |
| S_TABU_NAM |
TABLE |
T000 |
Configuration history
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
PAHI |
Optional logs, if the Microsoft Sentinel solution CR is implemented
| Authorization object |
Field |
Value |
| S_RFC |
RFC_NAME |
/MSFTSEN/* |
SNC data
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
SNCSYSACL |
| S_TABU_NAM |
TABLE |
USRACL |
User data
| Authorization object |
Field |
Value |
| S_TABU_NAM |
TABLE |
ADCP |
| S_TABU_NAM |
TABLE |
ADR6 |
| S_TABU_NAM |
TABLE |
AGR_1251 |
| S_TABU_NAM |
TABLE |
AGR_AGRS |
| S_TABU_NAM |
TABLE |
AGR_DEFINE |
| S_TABU_NAM |
TABLE |
AGR_FLAGS |
| S_TABU_NAM |
TABLE |
AGR_PROF |
| S_TABU_NAM |
TABLE |
AGR_TCODES |
| S_TABU_NAM |
TABLE |
AGR_USERS |
| S_TABU_NAM |
TABLE |
DEVACCESS |
| S_TABU_NAM |
TABLE |
USER_ADDR |
| S_TABU_NAM |
TABLE |
USGRP_USER |
| S_TABU_NAM |
TABLE |
USR01 |
| S_TABU_NAM |
TABLE |
USR02 |
| S_TABU_NAM |
TABLE |
USR05 |
| S_TABU_NAM |
TABLE |
USR21 |
| S_TABU_NAM |
TABLE |
USRSTAMP |
| S_TABU_NAM |
TABLE |
UST04 |
Related content
For more information, see Configure your SAP system for the Microsoft Sentinel solution.