Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Take Your Hands off of SAP T-Code SU01!

  • Font size: Larger Smaller
  • Hits: 8358
  • Print

In many organizations, the access to the sensitive SAP T-Code SU01 is much wider than needed. Let's explore why.



SU01 is used for different purposes, most commonly to create new user accounts, reset users' passwords and Lock/Unlock user accounts. System Administrators use SU01 to create users and change user's details, and the helpdesk team uses SU01 to unlock users and reset passwords (because most of them have just forgotten their passwords).

Using SU01 Widely Ensures Unhappy Auditors

What's the problem? The main problem is that there are a lot of sensitive possibilities within this T-Code and that the actions done within SU01 are finite and not documented. You don't need to provide an explanation or be pre-approved in order to create a new user account in the production system using SU01, you don't have to explain anything to anyone if you want to unlock an inactive user account through SU01. Most organizations will implement such procedures on paper, but this isn't reliable enough - in order to enforce procedures you can't just count on luck – you need a compensating control. You can understand what a gap it leaves, and what a hassle it is, for the System Administrator to maintain paperwork for every time a new account is opened or for the help desk team to have to keep a call-log that provides evidence of users that have asked to be unlocked. I get a headache just thinking about it.

Be Smart. Take the Secure Way: Replace SU01 with a Portal!

Instead of using sensitive T-Code SU01, use a portal and put the most common tasks in it. Then, remove most everyone's access from SU01 and take a break - you've just averted some major risks.

First implement the most used tasks:

  • Creating Users – Establish a pre-configured workflow starting with the HR request (or an event from the HR system about a new employee), continuing on with approval by a Security Manager, and ending in automatically creating the user. The final step is to send an email letting stakeholders know that a user was created.

The benefits? There's no manual work, no option to abuse the process and create fake users, no option for unattended licenses, and most importantly – a documented, secured workflow process that auditors can easily inspect.

b2ap3 thumbnail Untitled

  • Unlock Users – Create a self-request screen for the user to fill out, then configure the system to perform reasonability checks, such as examining recent activity and access from allowed IP addresses, and viola!, the user is unlocked.

The benefits? 70% less hassle for the help desk team, a secured process with reasonability checks built in, a well documented procedure for auditors.

Ah yes, alternates to the pitfalls of SAP T-Code SU01. What a lifesaver. But how will you get these workflows in place? We'll help you. Contact us to hear about our solutions.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in XpandionPosted by Yoav Michaeli

Pay (Only) As You Use

Pay (only) as you use – innovative approach? Indeed (although we have already recommended a similar approach in SAP licensing by concurrent users, suggesting that companies pay only for the licenses they really need). I am a big believer in SAP® and also in methods that enable enterprises to be...
in Security & AuthorizationsPosted by Dror Aviv

The SAP Security Paradox: Irregular User Activity

“How Many Times?” We, and our partners, often ask ourselves that very question after hearing case after case of employee fraud being committed at an enterprise. How many times will these companies endure suspicious activity by their employees before they get the right tool to send them alerts about...
in Security & AuthorizationsPosted by Dror Aviv

Eliminating the Wrong Guy…

A couple of years ago, we included a “Lock User” button feature into our security product. If you received a “very high” alert, you could log into the system, catch the fraud in action, press the “Lock User” button and prevent the thief from stealing. Bam…. you’re the hero.




157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India