SAP S/4HANA  ·  Segregation of Duties Analyzer

SOD Violation Detection System

Advanced Authorization Analysis with Object-Level Validation
SODPulse v1.09.0014  ·  Build 30 Apr 2026

Upload Authorization Data

📄 CSV format required (.csv)

Select Authorization File

Upload your SAP user authorization export file (Excel format)

📋 File Columns — Mandatory & Optional

Your extract must be a CSV file (.csv). Column names are case-insensitive and the app recognises multiple naming variants from different ABAP report layouts.

⚠️ Mandatory Columns (extract will be rejected if any are missing)
Column    | Accepted Header Names            | SAP ABAP Field           | Description
----------|----------------------------------|--------------------------|------------
SAP ID    | SAP ID, SAPID, SAP_ID, USER_ID   | BNAME / UNAME            | User login ID
User Name | USER NAME, USERNAME, NAME        | USRID_LONG / VORNA+NACHN | Full display name
Role      | ROLE, ROLE NAME, ROLE_NAME       | AGR_NAME                 | Assigned SAP role/profile
T-Code    | T-CODE, TCODE, TRANSACTION       | LOW (TCD object)         | Transaction code granted by role
Object    | OBJECT, AUTH OBJECT, AUTH.OBJECT | OBJECT                   | Authorization object (e.g. M_EINK_FRG)
Value     | VALUE, AUTH VALUE, FIELD VALUE   | LOW / HIGH               | Auth value(s) — space or comma-separated (e.g. 01 02 06)

⚠️ Field Column — Critical for Accurate Detection
Column | Accepted Header Names                     | SAP Source     | If Missing
-------|-------------------------------------------|----------------|-----------
Field  | FIELD, AUTH FIELD, AUTH_FIELD, Auth. Field | AGR_1251.FIELD | Engine defaults to ACTVT — multi-field objects (e.g. M_EINK_FRG) produce false positives & missed violations

Authorization fields extracted by ZBS_USER_ROLE_AUTH v4.2 (15-field whitelist):
Field      | Description
-----------|------------
ACTVT      | Activity — 01 Create · 02 Change · 03 Display · 06 Delete · * Wildcard
BWART      | Movement type (MM/WM)
AUART      | Order type (SD/PM)
BEWTP      | Valuation type
RLTYP      | Role type
INFTY      | HR Infotype
TTYPE      | Time type (HR)
FLDGR      | Field group (HR tables)
S_ADM_FULL | Basis full admin flag
CTS_ACTVT  | Transport activity
CTS_ADMFCT | Transport admin function (v4.2)
S_ADMI_FCD | System admin function code (v4.2)
BTCADMIN   | Background job admin
JOBACTION  | Job action type
KLART      | Classification type (v4.2)

🔧 Extraction: Use the SODPulse ABAP Generator (abap-generator.html) to produce the extraction code. Run report ZBS_USER_ROLE_AUTH in SE38 — the generator produces ready-to-paste ABAP. The extract automatically covers all 15 fields above via P_OBJECT select-option. Rows with MODIFIED = 'D' are excluded. AUTH field is not included in the key (v4.2 fix — prevents duplicate rows).

🔐 Optional — Direct Profile Assignment File (USR12)

SAP_ALL, SAP_NEW, and other critical profiles are often assigned directly to users via profile assignment (transaction SU01 / table USR12), not through roles. These are invisible to the main role-based extract. Upload a separate profile assignment CSV in the Premium → Direct Assignments pillar to enable confirmed detection.

Column    | Accepted Header Names       | SAP Source    | Description
----------|-----------------------------|---------------|------------
SAP ID    | SAP ID, BNAME, USER_ID      | USR12.BNAME   | User login ID
Profile   | PROFILE, PROF, PROFILE_NAME | USR12.PROFILE | Profile name — e.g. SAP_ALL, SAP_NEW, S_A.ADMIN
User Name | USER NAME, USERNAME, NAME   | USR21 / ADRP  | Full display name (optional but recommended)

🔧 Run SE16 → USR12 filtered by PROFILE like SAP* or S_A* to export. Upload this file in the Direct Assignments pillar of the Premium Workbench.

📝 Data Format Example:

One row per User + T-Code + Object + Field combination:

SAP ID | USER NAME  | ROLE | T-CODE | OBJECT     | FIELD | VALUE
-------|------------|------|--------|------------|-------|---------
ABC123 | John Doe   | Z_AP | ME21N  | M_EINK_FRG | ACTVT | 01 02
ABC123 | John Doe   | Z_AP | ME21N  | M_EINK_FRG | BSART | *
ABC123 | John Doe   | Z_AP | MIRO   | M_RECH_WRK | ACTVT | 01,02
ABC123 | John Doe   | Z_AP | MIRO   | M_RECH_WRK | WERKS | 1000
DEF456 | Jane Smith | Z_FI | FB60   | F_BKPF_BUK | ACTVT | 01 02 06
DEF456 | Jane Smith | Z_FI | FB60   | F_BKPF_BUK | BUKRS | *

✓ Same user appears on multiple rows — one per T-Code / Object / Field
✓ Values can be space-separated "01 02", comma-separated "01,02", or mixed "01, 02"
✓ Blank value cell = unrestricted (*) — treated as wildcard
✓ Z/Y custom T-Codes are supported — map them in Org Settings for accurate detection

ℹ️ Important Notes:

  • Violation detection requires both T-Code and authorization object to match a rule — T-Code alone is never sufficient
  • The Field column (from AGR_1251.FIELD) is essential — without it the engine cannot distinguish ACTVT from BWART, INFTY, etc. on the same object
  • Risky ACTVT values include: 01 (Create), 02 (Change), 06 (Delete), 16 (Execute), * (Wildcard — always Critical)
  • Display-only access (ACTVT = 03) is never flagged — 69 display-only ACTVT values are filtered before analysis
  • Blank value cell = unrestricted (*) — treated as wildcard, always matched as risky
  • The extract joins AGR_1251 → AGR_TCODES via AGR_NAME only — AGR_1251 has no TCD column
  • Custom Z/Y T-Codes: map them to SAP standard equivalents in ⚙️ Org Settings — unmapped Z/Y codes show a warning banner after analysis
  • Column headers are case-insensitive — multiple naming variants are accepted (see table above)
  • Delta extracts (date-filtered) are supported — use the Delta Extract generator for incremental reviews
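
A pre-upload check for the extract that applies the column and value rules listed above. It is an added example, not SODPulse's own parser; `check_extract`, the `wildcard` and `risky_actvt` flags and the sample rows are assumptions made for illustration.

```python
import csv, io, re

# Header aliases from the tables on this page, matched case-insensitively.
ALIASES = {
    "sap_id": {"SAP ID", "SAPID", "SAP_ID", "USER_ID"},
    "user_name": {"USER NAME", "USERNAME", "NAME"},
    "role": {"ROLE", "ROLE NAME", "ROLE_NAME"},
    "tcode": {"T-CODE", "TCODE", "TRANSACTION"},
    "object": {"OBJECT", "AUTH OBJECT", "AUTH.OBJECT"},
    "value": {"VALUE", "AUTH VALUE", "FIELD VALUE"},
    "field": {"FIELD", "AUTH FIELD", "AUTH_FIELD", "AUTH. FIELD"},
}
MANDATORY = ("sap_id", "user_name", "role", "tcode", "object", "value")
RISKY_ACTVT = {"01", "02", "06", "16", "*"}  # list given in the notes above


def check_extract(text):
    """Return (rows, warnings); raise ValueError if a mandatory column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    found = {}
    for header in reader.fieldnames or []:
        for key, names in ALIASES.items():
            if header.strip().upper() in names:
                found.setdefault(key, header)
    missing = [k for k in MANDATORY if k not in found]
    if missing:
        raise ValueError("missing mandatory column(s): " + ", ".join(missing))
    warnings = []
    if "field" not in found:
        warnings.append("no Field column: every row will be read as ACTVT")
    rows = []
    for raw in reader:
        row = {k: (raw.get(h) or "").strip() for k, h in found.items()}
        row["field"] = (row.get("field") or "ACTVT").upper()
        # Space-, comma- or mixed-separated values; a blank cell means "*".
        row["values"] = [v for v in re.split(r"[,\s]+", row.pop("value")) if v] or ["*"]
        row["wildcard"] = "*" in row["values"]
        # Activity codes only mean Create/Change/Delete on the ACTVT field.
        row["risky_actvt"] = row["field"] == "ACTVT" and bool(RISKY_ACTVT & set(row["values"]))
        rows.append(row)
    return rows, warnings


# Constructed sample rows in the layout shown above (not real user data).
SAMPLE = """SAP ID,User Name,Role,T-Code,Object,Field,Value
ABC123,John Doe,Z_AP,ME21N,M_EINK_FRG,ACTVT,"01, 02"
ABC123,John Doe,Z_AP,ME21N,M_EINK_FRG,BSART,
DEF456,Jane Smith,Z_FI,FB03,F_BKPF_BUK,ACTVT,03
"""
```

Running the same rows without a Field column returns the warning and labels every value as ACTVT, which is the misclassification the Field column exists to prevent.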

Violation Dashboard

⚠️ Coverage Gap — Unmapped Custom T-Codes Detected
The following Z/Y transaction codes in your extract have no standard SAP equivalent mapped. Violations involving these codes may be missed until mappings are configured.
⚠️ Sensitive Data — Wildcard Access Detected: 0 user(s)
These users have unrestricted (*) access to sensitive data objects. They likely have read access to HR, pricing, or IP data even though display-only rows were filtered from the extract.
🚨 0 user(s) with unrestricted SAP_ALL / SAP_NEW access detected
These users bypass all SOD controls and have unrestricted access to the entire SAP system. This is the highest-risk finding in any SAP audit. Immediate review recommended.

Detected Violations

🎨 Authorization Value Color Coding:
01, 02, 06, * | Risky values (Create, Change, Delete, Wildcard)
03            | Safe values (Display)

Generate Reports

📄 Executive Summary
KPI metrics, methodology note, recommendations & auditor sign-off

📊 Detailed Violation Report
Full violation details with T-Codes, auth objects & user information across all pages
