Xpandion Blog


The Dreaded SAP_ALL Power Profile


How you can maintain GRC compliance if you have users with dangerous SAP_ALL

(This is the short version of an article regarding the pervasive SAP_ALL Authorization Profile. Download the full article including examples and screenshots here).

The SAP_ALL authorization profile contains so many authorizations that it is mistakenly known as “the profile that can grant everything in the SAP system”. Dangerous? Sure. Very dangerous. And it’s not alone – there are other, more powerful profiles like SAP_NEW, S_A.ADMIN, S_A.SYSTEM and more.



So, why are people still using and requesting SAP_ALL?

Usually because of ego and because it’s easy.

Users tend to ask for SAP_ALL authorizations because “they know what they’re doing,” “they need lots of authorizations,” and “so the work doesn’t stop due to annoying ‘no-authorization’ messages”. Sure, with the SAP_ALL authorization profile there aren’t any “no-authorization” messages anymore, but the user becomes a hacker favorite for taking over. Most hackers prefer to use an SAP account that was granted the SAP_ALL authorization profile for their underhanded activities – it’s a genuine time-saver and a great advantage for committing fraud or stealing information.

People grant SAP_ALL profiles because it’s a quick solution when the stress is on. System administrators often tell us it’s much simpler to grant SAP_ALL to the new developer in the IT department than to tediously identify exactly which authorizations are required.

Granting SAP_ALL and similar power profiles to user accounts creates and then expands security holes, grants an unnecessarily huge amount of authorizations to people who can’t justify them, and exposes the organization to new possibilities of fraud and internal hacking.

Clearly, GRC auditors do not like users with powerful authorization profiles, i.e., power users. So, organizations will try to remove SAP_ALL and grant only the required Authorization Roles. Removing SAP_ALL is easy. What’s hard is deciding which roles to assign to the user instead.

Get clean: How to really solve current SAP_ALL situations

There are two ways to solve the SAP_ALL situation: through “trial & error” and by using “behavior-based profiling”. 

  1. “Trial & error” means taking off the powerful profiles from the user and granting him Authorization Roles that fit his job. For 1-2 users this may be a decent solution (although not perfect), but what about 10, 20 or even 50 users who have SAP_ALL?
  2. “Behavior-based profiling” analyzes the user’s behavior for 3-6 months and creates precise Authorization Roles for him. Xpandion’s behavior-based software tool ProfileTailor Dynamics is one such solution, or you can create a long trace file and analyze it on your own.

Assuming you’ve done this, you’re “clean”. Now, you have to stay “clean” by implementing a set of controls to avoid granting powerful authorization profiles again.
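For readers who take the "analyze it on your own" route, the following added example (not from the original article and not how ProfileTailor Dynamics works) sketches the idea: collect the transaction codes a user actually ran during the observation window, then pick the smallest set of existing roles that covers them. The user names, role names, catalogue and log rows are constructed, and the model is simplified to transaction codes only, ignoring authorization objects and field values.

```python
from collections import defaultdict
from datetime import date

# Constructed usage log: (user, transaction code, day it was executed).
USAGE_LOG = [
    ("JDOE", "SE38", date(2017, 1, 9)),
    ("JDOE", "SE11", date(2017, 2, 14)),
    ("JDOE", "SE38", date(2017, 3, 2)),
    ("JDOE", "SM37", date(2017, 4, 20)),
    ("JDOE", "SU01", date(2016, 6, 1)),  # outside the observation window
    ("ASMITH", "VA01", date(2017, 3, 3)),
]

# Hypothetical role catalogue: role name -> transaction codes it allows.
ROLE_CATALOGUE = {
    "Z_DEV_BASIC": {"SE38", "SE11", "SE80"},
    "Z_JOB_MONITOR": {"SM37"},
    "Z_USER_ADMIN": {"SU01", "PFCG"},
    "Z_SALES_ORDER": {"VA01", "VA02", "VA03"},
}

def observed_tcodes(log, start, end):
    """Return user -> set of transaction codes executed within [start, end]."""
    used = defaultdict(set)
    for user, tcode, day in log:
        if start <= day <= end:
            used[user].add(tcode)
    return dict(used)

def propose_roles(needed, catalogue):
    """Greedy set cover: returns (chosen roles, uncovered tcodes, excess tcodes)."""
    remaining, chosen = set(needed), []
    while remaining:
        # Prefer the role covering the most outstanding tcodes, then the one
        # granting the fewest tcodes the user never used (least privilege).
        best = max(
            sorted(catalogue),
            key=lambda r: (len(catalogue[r] & remaining), -len(catalogue[r] - needed)),
        )
        if not catalogue[best] & remaining:
            break  # no existing role covers what is left: a new role is needed
        chosen.append(best)
        remaining -= catalogue[best]
    excess = set().union(*(catalogue[r] for r in chosen)) - set(needed)
    return chosen, remaining, excess

if __name__ == "__main__":
    used = observed_tcodes(USAGE_LOG, date(2016, 12, 1), date(2017, 5, 31))
    print(propose_roles(used["JDOE"], ROLE_CATALOGUE))
```

The excess set is what a reviewer should look at before approving the proposal: it lists what the user would gain beyond observed behavior, and a non-empty uncovered set means trial and error would have produced a "no-authorization" message.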

How to stay clean?

To stay on the safe side of GRC, you should do the following:
  1. Implement a dedicated external system like ProfileTailor Dynamics, so you can define powerful, “sensitive” authorization profiles and activate an alert for when they’re granted that gets sent to the security officer.
  2. Implement a practical tool like Xpandion’s Emergency Access. If users need privileged access for a limited time, this mechanism allows them to open a username or grant a special Authorization Role for that limited amount of time.
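The two controls above can be expressed as one check, shown here as an added example that is not part of the original article and does not represent the behavior of either Xpandion product. It compares two snapshots of user-to-profile assignments, flags new grants of the power profiles the article names, and treats approved time-limited emergency grants as acceptable only until they expire. The snapshots, user names and emergency register are constructed.

```python
from datetime import datetime

# Power profiles named in the article.
SENSITIVE_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.ADMIN", "S_A.SYSTEM"}

# Constructed snapshots: user -> profiles assigned at the time of the export.
YESTERDAY = {"JDOE": {"Z_DEV_BASIC"}, "BASIS1": {"SAP_ALL"}, "FIREFIGHT1": set()}
TODAY = {
    "JDOE": {"Z_DEV_BASIC", "SAP_ALL"},
    "BASIS1": {"SAP_ALL"},
    "FIREFIGHT1": {"SAP_ALL"},
    "NEWDEV": {"S_A.SYSTEM"},
}

# Constructed register of approved emergency grants: (user, profile) -> expiry.
EMERGENCY_GRANTS = {("FIREFIGHT1", "SAP_ALL"): datetime(2017, 6, 24, 18, 0)}

def review_grants(before, after, emergency, now):
    """Return sorted (user, profile, finding) tuples for the security officer."""
    alerts = []
    for user in sorted(after):
        for profile in sorted(after[user] & SENSITIVE_PROFILES):
            expiry = emergency.get((user, profile))
            if expiry is not None:
                # Approved emergency access: only a finding once it has expired.
                if now > expiry:
                    alerts.append((user, profile, "EMERGENCY_EXPIRED"))
            elif profile not in before.get(user, set()):
                alerts.append((user, profile, "NEW_GRANT"))
            else:
                # Held before and still held, with no emergency approval.
                alerts.append((user, profile, "STANDING"))
    return alerts

if __name__ == "__main__":
    for alert in review_grants(YESTERDAY, TODAY, EMERGENCY_GRANTS,
                               datetime(2017, 6, 24, 12, 0)):
        print(alert)
```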

Download the full article including examples and screenshots here.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

