SAP Security Architecture — 6-Theme Course Curriculum

Curriculum derived from SAP security best practices — covering user administration, authorization design, ABAP security, GRC governance, upgrade management, and audit compliance. Adapted for structured practitioner-focused course delivery.

📋 Curriculum Overview

| # | Theme | Core Focus |
|---|-------|------------|
| 1 | User Master Record Fundamentals & Management | Identity lifecycle & naming |
| 2 | Authorization Design & The Profile Generator (PFCG) | Role architecture & sustainability |
| 3 | Development & Transactional Security | Custom code & access control |
| 4 | Segregation of Duties (SoD) & Governance | GRC, risk & compliance |
| 5 | Handling Upgrades & Conversions | Upgrade readiness & migration |
| 6 | Auditing & Continuous Compliance | Monitoring & revalidation |

🎯 Theme 1: User Master Record Fundamentals & Management

Foundational tasks for user administrators — accurate identification and efficient daily maintenance.

Learning Objectives

  • Establish sustainable SAP User ID naming conventions (e.g., personnel numbers) for long-term manageability
  • Improve user record accuracy using hidden fields in Transaction SU01 for non-SAP HCM environments
  • Perform mass maintenance using BAPIs (BAPI_USER_CHANGE) and Transaction SU10
  • Customize auto-generated password rules balancing complexity and user-friendliness

Topics

1.1 Identification & Naming
  • SAP User ID naming conventions using personnel numbers
  • Long-term naming sustainability and governance
  • Pattern design for scale and management
1.2 Data Accuracy
  • Hidden fields in Transaction SU01
  • Use cases for non-SAP HCM environments
  • Data completeness and quality strategies
1.3 Efficient Maintenance
  • BAPI_USER_CHANGE for programmatic user management
  • Transaction SU10 for mass maintenance
  • Bulk address data updates
1.4 Authentication Control
  • Auto-generated password customization rules
  • Complexity vs. usability balance
  • Password policy best practices

Key Transactions & BAPIs

  • SU01 — User Maintenance
  • SU10 — Mass User Maintenance
  • BAPI_USER_CHANGE — Programmatic user record change

🎯 Theme 2: Authorization Design & The Profile Generator (PFCG)

Technical design of roles and authorizations — building a sustainable, scalable security concept.

Learning Objectives

  • Implement a role naming pattern language encoding module, type, and access mode
  • Design and maintain job role templates aligned with derived localized roles
  • Optimize Transaction PFCG for troubleshooting and authorization tree navigation
  • Mass-adjust derived roles using SUPRN_REGENERATE_DEPENDENT

Topics

2.1 Sustainable Naming
  • Role naming pattern language design
  • Encoding: module, role type (template / derived / composite), access mode (management / edit / view)
  • Naming convention governance and enforcement
2.2 Role Architecture
  • Job role template concept
  • Template roles vs. derived (localized) roles
  • Composite role design strategies
2.3 Technical Optimization
  • Permanently enabling technical name views in PFCG
  • Simplifying and navigating authorization trees
  • Troubleshooting and debugging role issues
2.4 Mass Adjustments
  • SUPRN_REGENERATE_DEPENDENT for mass re-generation of derived roles
  • Keeping derived roles in sync with parent roles
  • Change management workflows for role updates

Key Transactions & Programs

  • PFCG — Profile Generator
  • SUPRN_REGENERATE_DEPENDENT — Mass derived role regeneration

🎯 Theme 3: Development & Transactional Security

Securing custom ABAP code and managing user access to system functionalities.

Learning Objectives

  • Use the Code Inspector (SE38) to scan ABAP code for security vulnerabilities pre-production
  • Apply Transaction SHD0 to restrict access beyond standard authorization objects
  • Control indirectly called transactions using Transaction SE97
  • Define parameter transactions to prevent direct access to sensitive transactions

Topics

3.1 Code Validation
  • Standard Code Inspector (Transaction SE38)
  • Scanning ABAP code for backdoors and security holes
  • Pre-production security review process
3.2 Restricting Access
  • Transaction SHD0 — Transaction Variants
  • Hiding buttons and setting static values
  • When standard authorizations are insufficient
3.3 Managing Called Transactions
  • Transaction SE97 — controlling CALL TRANSACTION statements
  • Blocking indirectly called transactions
  • Risk scenarios and mitigation strategies
3.4 Parameter Transactions
  • Avoiding direct access to SE16, SE38, and similar high-risk transactions
  • Defining parameter transactions for specific programs or tables
  • Security-by-design in transaction architecture

Key Transactions

  • SE38 / Code Inspector — ABAP code security review
  • SHD0 — Transaction variants for access restriction
  • SE97 — Transaction call authorization control

🎯 Theme 4: Segregation of Duties (SoD) & Governance

Using SAP GRC Access Control to manage risks and ensure compliance with internal and external policies.

Learning Objectives

  • Tailor ad-hoc risk analysis in SAP GRC using custom groups and advanced selection criteria
  • Define structured firefighter user ID naming conventions for improved emergency access management
  • Apply Organizational-Level Mapping and Business Role type in GRC 10.0 for simplified role derivation
  • Identify and remove invalid mitigation controls to keep GRC tables accurate

Topics

4.1 Risk Analysis
  • Ad-hoc analysis in SAP GRC Access Control
  • Custom groups and new selection criteria (GRC 10.0+)
  • Interpreting and acting on SoD conflict reports
4.2 Emergency Access (Firefighter)
  • Firefighter user ID structured naming conventions
  • Identifying emergency users and improving log collection performance
  • Governance framework for emergency access
4.3 Role Management in GRC
  • Organizational-Level Mapping
  • Business Role type in GRC 10.0
  • Role derivation and abstraction strategies
4.4 Clean Systems
  • Standard reports for identifying invalid mitigation controls
  • Mitigation table hygiene
  • Periodic cleanup and governance processes

Key Tools

  • SAP GRC Access Control 10.0+
  • Firefighter / Emergency Access Management (EAM)
  • GRC Risk Analysis Workbench

🎯 Theme 5: Handling Upgrades & Conversions

Strategies for maintaining authorizations during release upgrades and transitioning from older security models.

Learning Objectives

  • Master critical steps of Transaction SU25 — especially step 2c for authorization merging
  • Convert obsolete manual profiles to modern role-based authorizations using SU25 step 6
  • Identify and map new transaction codes introduced during upgrades via Table PRGN_CORR2
  • Communicate new password rules to end users via logon screen messages (Transaction SE61)

Topics

5.1 Transaction SU25 Mastery
  • Overview of all SU25 upgrade steps
  • Step 2c — authorization merging in detail
  • Pre-upgrade role preparation to avoid errors
5.2 Conversion Strategies
  • SU25 step 6 — converting manual profiles to role-based authorizations
  • Identifying obsolete profiles for conversion
  • Transition planning and rollback strategies
5.3 Transaction Mapping
  • New transaction codes introduced in upgrades
  • Browsing Table PRGN_CORR2 for corrections
  • Mapping new transactions to existing roles
5.4 Change Communication
  • Alerting end users to new password rules (e.g., case sensitivity introduction)
  • Static logon screen messages via Transaction SE61
  • End-user communication best practices during upgrades

Key Transactions & Tables

  • SU25 — Authorization upgrade tool
  • PRGN_CORR2 — Transaction code corrections table
  • SE61 — Document maintenance for logon screen messages

🎯 Theme 6: Auditing & Continuous Compliance

Monitoring system activity and preparing documentation for periodic reviews and external audits.

Learning Objectives

  • Configure the Security Audit Log (SM19/SM20N) to monitor superuser activity
  • Activate table logging for critical custom tables and configure change documents for security structures
  • Use workload statistics (ST03N) to identify unused roles and enforce minimum authorization principles
  • Build revalidation documentation using pivot tables and SQVI queries for business owner annual reviews

Topics

6.1 Audit Logging
  • Security Audit Log configuration (Transactions SM19 / SM20N)
  • Monitoring superuser and privileged user activity
  • Customizing event classifications for targeted monitoring
6.2 Table & Change Tracing
  • Activating table logging for critical custom tables
  • Configuring change documents for security organization structures
  • Forensic traceability and evidence collection best practices
6.3 Usage Statistics
  • Transaction ST03N — workload monitor
  • Identifying unused roles in the system
  • Enforcing the minimum authorization principle
6.4 Revalidation Documentation
  • Pivot table techniques for access revalidation reporting
  • Specialized queries via Transaction SQVI
  • Delivering understandable data to business owners
  • Annual revalidation process design and governance

Key Transactions

  • SM19 / SM20N — Security Audit Log
  • ST03N — Workload Monitor for usage statistics
  • SQVI — QuickViewer for custom revalidation queries

🗓️ Suggested Delivery Schedule

| Week | Theme | Format |
|------|-------|--------|
| Week 1 | Theme 1: User Master Record Fundamentals | Lecture + Hands-on (SU01, SU10) |
| Week 2 | Theme 2: Authorization Design & PFCG | Lecture + Role Design Lab |
| Week 3 | Theme 3: Development & Transactional Security | Case Study + SE38/SHD0 Lab |
| Week 4 | Theme 4: SoD & Governance | GRC Workshop + Risk Simulation |
| Week 5 | Theme 5: Upgrades & Conversions | SU25 Simulation Exercise |
| Week 6 | Theme 6: Auditing & Compliance | Audit Simulation + Final Assessment |

🏆 Assessment Framework

Per Theme (Formative):
  • Concept quiz (Kahoot-style — 10 questions)
  • Hands-on transaction exercise in sandbox system
  • Scenario-based mini-case discussion
End of Course (Summative):
  • Capstone project: Design a full security concept for a fictional SAP landscape covering all 6 themes
  • Peer review and presentation session
  • Certification readiness self-assessment checklist

📚 Source Reference

This curriculum is structured from the content of an SAP security best-practices book, adapted for a 6-week practitioner course. It covers the complete lifecycle of SAP security — from foundational user administration through advanced auditing — in a progressive, hands-on format.

Last updated: March 2026 | SAP Security Architecture Series | SuccessLabs Academy