Authorizations of SAP support users
Access levels define the authorizations of SAP support users when accessing customer systems.
Access Levels
|
Name |
Use |
|---|---|
|
SUPPORT_DEFAULT (Platform Analysis, Display Configuration, No Business Authorization) |
The SUPPORT_DEFAULT access level provides display access to ABAP Platform transactions, display of Customizing tables and views, display of system tables with content delivered by SAP or transported in customer systems. It also provides authorization to display, activate and deactivate transient logs and traces without access to payload data. It grants authorization for the debugging of the own user and external debugging of other users. Authorization to change values of variables or to alter the code flow in the debugger is not granted. In case business authorizations are required for support, they are agreed in customer support cases and are copied from a specific customer business user or customer communication user as additional authorization. |
|
SUPPORT_DEFAULT_APP (Platform Analysis, Display Configuration, Display Business Data) |
The SUPPORT_DEFAULT_APP access level inherits all the authorizations from the SUPPORT_DEFAULT access level. Additionally, it grants display access to application tables and selected business transactions that enable analysis. It includes display of most business application logs as well as display, activation and deactivation of transient traces with access to payload data. Authorization to change customer data is not granted. |
|
SUPPORT_EXTENDED (Platform Analysis, Limited Administration, Full Business Authorization) |
The SUPPORT_EXTENDED access level inherits all the authorizations from the SUPPORT_DEFAULT_APP access level. Additionally, it grants full business application authorization. It includes all backend transactions and reports of the application layer. It grants limited ABAP Platform administration authorization, such as deletion of caches. Authorization to change system configuration, Customizing data, or development objects is not granted. |
|
SUPPORT_CUSTOMIZING (Limited Platform Customizing, Full Business Customizing) |
The SUPPORT_CUSTOMIZING access level inherits all the authorizations from the SUPPORT_DEFAULT access level. Additionally, it grants authorization to maintain selected ABAP Platform Customizing as well as unrestricted business application Customizing. |
|
SUPPORT_CONTENT_ACT (Content Activation) |
The SUPPORT_CONTENT_ACT access level inherits all the authorizations from the SUPPORT_EXTENDED and the SUPPORT_CUSTOMIZING access levels. Additionally, it grants administrative authorization to the content framework which manages the Customizing content lifecycle. |
|
SUPPORT_DEVELOP_LOCAL (Local Development) |
The SUPPORT_DEVELOP_LOCAL access level inherits all the authorizations from the SUPPORT_EXTENDED access level. Additionally, it grants authorization to create and execute local development objects. This access level may need to be used to support frameworks that generate local development objects in the customer name space (such as extensibility or data migration). It allows to test execute all function modules and static methods. It also allows changing field values and altering the code flow in the debugger. Authorizations to modify development objects delivered by SAP are not granted. |
|
SUPPORT_DEVELOP (Unrestricted Development) |
The SUPPORT_DEVELOP access level inherits all the authorizations from the SUPPORT_DEVELOP_LOCAL access level. Additionally, it grants authorization to modify development objects delivered by SAP. Standard procedure for such changes is a hotfix or an emergency patch. This access level may only be used in emergency situations where that process is not applicable. |
|
SUPPORT_USER_ADMIN (User and Role Administration) |
The SUPPORT_USER_ADMIN access level inherits all the authorizations from the SUPPORT_DEFAULT access level. Additionally, it grants authorization for local user and role administration. This access level may be used for support cases related to business user or communication user management. |
|
SUPPORT_SYSTEM_CONFIG (System Configuration) |
The SUPPORT_SYSTEM_CONFIG access level inherits all the authorizations from the SUPPORT_EXTENDED access level. Additionally, it grants authorization to manually configure SAP managed communication scenarios. Automatic setup is mandatory for such communication scenarios in customer systems. This access level is used in situations where automatic setup failed. |
|
SUPPORT_SYSTEM_ADMIN (Unrestricted System Administration) |
The SUPPORT_SYSTEM_ADMIN access level grants unrestricted administrative access. It includes authorization profile SAP_ALL. Cloud operations may need to use it for system lifecycle management. Support teams may need to request it as the final escalation of privileges for support cases that cannot be resolved with other access levels. Root case analysis is mandated for such support cases. The root cause must be resolved. / |
Related Information