SAP Super Role Assignments
In SAP environments, access to Production systems must be strictly monitored. This article will discuss an audit that should be performed frequently to manage Super Role assignments with precision.
This blog will break down the purpose, scope, and steps of the audit process conducted to ensure compliance, reduce risk, and maintain proper oversight of elevated access in Production.
Why SAP Super Roles Require Extra Scrutiny
Super Roles grant elevated access, often equivalent to administrative or support-level privileges. While this access is sometimes necessary, it should only be used as a last resort, when no Firefighter ID (FFID) solution can be leveraged.
Key policy requirements for Super Role use:
- Users must have the proper approval before being assigned these roles.
- Assignment should be temporary and revoked immediately after task completion.
Audit Objective
To ensure compliance, your team should conduct a two-part audit using your list of Super Roles:
Part I: Current Assignments
A point-in-time query needs to be performed to identify all current assignments of Super Roles across each Production system. This helps determine:
- Which users currently have elevated access.
- Whether the access is still valid.
- If any assignments were made outside of policy (e.g., long-term assignments).
Part II: Assignment Lookback (Historical Analysis)
This lookback procedure tracks:
- Who was given access to Super Roles, or who had Super Roles removed, during the queried time period.
- When the access was assigned or revoked.
- Who performed the assignment/removal.
By reviewing this change history from the beginning of the previous calendar month (recommended time frame), the team ensures that all role activity is traceable, documented, and justified.
Step-by-Step Audit Instructions
Part I – Current Assignments
Transaction Code: SE16
Table: AGR_USERS
1. Upload the list of Super Roles into the Role field.

2. Set the End Date field:
From = First of previous month
To = 12/31/9999
3. Clear the “Maximum No. of Hits” field.
4. Your query should end up looking something like this:

5. Execute, then use the “Upload from Clipboard” feature and confirm the number of roles uploaded.
6. Export the results to an Excel file.
7. Include the list of Super Roles used for the query in the spreadsheet for reference.
Part II – Assignment Lookback
Transaction Code: SUIM
Path: Change Documents → For Role Assignment
1. Upload all Super Roles into the Role Name field.

2. Set From Date to the first day of the previous calendar month.
3. Check the “Take Archive Data into Account” box.
4. Your query should look like this:

5. Run the query and export the results into the designated Excel section (Part II).
SAP Super Role Audit Completion
You have now completed the execution of the audit. The next step is to review your results, and work towards remediation for any dangerous findings. For example, if you find users are assigned Super Roles when they shouldn’t be, you will need to remove this access. You will also need to discover who assigned them this access and why. It is important to gather all evidence explaining why, or why not, a user should have a Super Role assigned.
In reviewing the lookback (Part II), you will be able to see exactly who received Super Role access, and who exactly assigned it. Use this information to discover why the Super Role was assigned. It is important to receive proper Business Justification for actions like this.
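One way to triage the Part I export before manual review, flagging open-ended, overlong, and currently active Super Role assignments. This is an added example, not part of the original article. It assumes a CSV export with the AGR_USERS fields AGR_NAME, UNAME, FROM_DAT and TO_DAT, dates in MM/DD/YYYY format, a 7-day policy limit, and constructed role names and rows.

```python
import csv
import io
from datetime import date, datetime

OPEN_ENDED = date(9999, 12, 31)   # SAP's "no end date" value, as used in the Part I query
MAX_DAYS = 7                      # assumed policy limit for a temporary assignment

# Constructed sample of an AGR_USERS export (role names and users are made up).
SAMPLE_EXPORT = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_SUPER_BASIS,JDOE,03/02/2025,03/04/2025
Z_SUPER_BASIS,ASMITH,01/15/2024,12/31/9999
Z_SUPER_FI,BWAYNE,02/20/2025,04/30/2025
Z_SUPER_FI,CKENT,02/01/2025,02/03/2025
Z_DISPLAY_ALL,JDOE,01/01/2020,12/31/9999
"""

def parse_date(text):
    # Assumed export date format; adjust to the exporting user's date settings.
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()

def triage_assignments(export_csv, super_roles, audit_date, max_days=MAX_DAYS):
    """Return findings for Super Role rows that are active on audit_date
    or whose validity window is open-ended or longer than max_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["AGR_NAME"] not in super_roles:
            continue  # role is not on the Super Role list
        start, end = parse_date(row["FROM_DAT"]), parse_date(row["TO_DAT"])
        reasons = []
        if end == OPEN_ENDED:
            reasons.append("open-ended")
        elif (end - start).days > max_days:
            reasons.append(f"validity {(end - start).days}d > {max_days}d")
        active = start <= audit_date <= end
        if active:
            reasons.append("active on audit date")
        if reasons:
            findings.append({"user": row["UNAME"], "role": row["AGR_NAME"],
                             "active": active, "reasons": reasons})
    return findings

if __name__ == "__main__":
    roles = {"Z_SUPER_BASIS", "Z_SUPER_FI"}  # constructed Super Role list
    for f in triage_assignments(SAMPLE_EXPORT, roles, date(2025, 3, 10)):
        print(f"{f['user']:8} {f['role']:14} {'; '.join(f['reasons'])}")
```

Each flagged user and role pair can then be matched against the Part II change documents to find who made the assignment and whether an approval exists.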
Why Regular Audits Matter
Regular auditing of Super Role usage in Production systems:
- Prevents unauthorized access
- Supports SOX, GDPR, and internal policy compliance
- Helps teams respond to audit requests or incidents with clear evidence
Final Thoughts
Super Role audits are not just checkbox exercises; they are a fundamental control in safeguarding business-critical SAP environments. By enforcing proper procedures, tracking role assignments, and ensuring timely removal, organizations can significantly reduce risk and maintain compliance across all systems.
Author Tate Bullman