You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An offline security audit tool for SAP S/4HANA RISE and BTP environments
Overview
SAP S/4HANA RISE Security Scanner analyzes exported SAP configuration data (CSV/JSON) and produces an interactive HTML dashboard with findings, severity ratings, and actionable remediation guidance.
No direct system connection required β offline & agentless; ideal for RISE environments with restricted RFC access
Zero external dependencies β runs on Python 3.8+ stdlib only
289+ security checks across 20 audit modules β from ABAP authorizations and HANA DB to BTP/Cloud and permission-level Segregation of Duties
Standards-aligned β mapped to the CIS SAP Benchmark, DSAG best-practice guide, and the SAP Security Baseline
Privileged DB users (SYSTEM, password lifetime, dormancy), PUBLIC & system-privilege grants, _SYS_BI_CP_ALL analytic bypass, DB auditing, HANA security parameters
π° SAP Security Notes / HotNews
HOTNEWS-000β004 (5)
Missing HotNews (Priority 1) & High (Priority 2) SAP Security Notes since 2020, actively-exploited (CISA KEV) unpatched CVEs, partially-implemented notes β diffed from your SNOTE export against a curated, verified catalog
π ABAP Authorization & Critical Access
AUTH-001β015 (15)
Role-content analysis from AGR_1251: Debug&Replace (runtime auth bypass), trusted-RFC impersonation (S_RFCACL), OS command/file access (S_LOG_COM/S_DATASET), authorization forging (S_USER_AUT), broad S_RFC, generic table maintenance (S_TABU_*), run-any-report (S_PROGRAM), batch impersonation, and sensitive Basis transactions β attributed to the users who hold each role
π System Trust & Standard Users
TRUST-001β008, STDUSR-001β003 (11)
Trusted/trusting RFC (inbound trust from a lower tier, self-trust, unmigrated 2020 method, trusted destination with a fixed user), SAProuter wildcard routes, message-server port separation, UCON RFC allowlist, gateway proxy ACL β plus standard users (SAP* kernel auto-logon, default passwords, unlocked SAP*/DDIC/SAPCPIC/EARLYWATCH/TMSADM)
π§± Security Baseline Parameters
BASELINE-001β010 (10)
SAP Security Baseline / DSAG / CIS profile parameters the other modules don't cover: RFC authorization engine (auth/rfc_authority_check, auth/no_check_in_some_cases), SNC insecure-connection fallback, SAP GUI Scripting, weak legacy password hashes (downwards compatibility), sapstartsrv / Host-Agent web methods, gateway ACL mode, SSO ticket & session-cookie transport, ICM security log & error disclosure
The cloud-era authorization layer: super-admin business-role templates (SAP_BR_ADMINISTRATOR*), business-role restrictions left 'Unrestricted', business-catalog sprawl, CDS views with @AccessControl.authorizationCheck disabled, published OData V4 service groups without S_SERVICE, Cloud Connector system mappings without principal propagation, over-assigned Cloud Foundry Org Manager / Space Developer, and birthright role collections mapped to the Default IdP group
βοΈ Access Risk Analysis (SoD)
ARA-* (27 risks + user score)
GRC-style offline Segregation-of-Duties from AGR_1251 + AGR_USERS. Resolves each user's transactions and authorization object/field/activity across all roles, then evaluates a verified ruleset at the permission level (so display-only access is not a false positive): 25 SoD conflicts across Procure-to-Pay, Order-to-Cash, Record-to-Report, Hire-to-Retire and Basis/Security, plus 2 HR critical accesses. Honours documented mitigating controls (with expiry) and produces a per-user risk profile. Extensible via a custom ruleset JSON. (Supersedes the coarse transaction-level SoD in Advanced IAM, which now defers to this module when AGR_1251 is available.)
βοΈ Basis Jobs & OS Commands
JOBCMD-CMD/JOB-* (11)
The realised host-command-execution surface: external OS-command definitions (SM69 / SXPGCOSTAB) that wrap a shell/interpreter, allow runtime argument injection (ADDPAR), resolve to an unqualified/user-writable path, or wrap a destructive/exfil utility β plus armed background jobs (TBTCO/TBTCP) whose step user (AUTHCKNAM) is SAP*/DDIC/SAP_ALL, that shell out to an OS command/program, that run RSBDCOS0 (SM69-allowlist bypass) or unreviewed custom code, whose step user is deleted/locked/dialog, or differs from the scheduler (identity borrowing). Reuses users/profiles to resolve privileged step users. Complements the ABAP Authorization module (which covers who can act) with what is actually defined and scheduled.
π‘οΈ Advanced IAM β Full Check List
Segregation of Duties (IAM-SOD-*)
Check
Description
Severity
IAM-SOD-FIN-001
SoD: Vendor Master β Payment Processing
CRITICAL
IAM-SOD-FIN-002
SoD: Purchase Order β Goods Receipt
HIGH
IAM-SOD-FIN-003
SoD: Journal Entry β GL Account Master
HIGH
IAM-SOD-FIN-004
SoD: Customer Master β Sales Order / Billing
HIGH
IAM-SOD-HR-001
SoD: HR Master Data β Payroll Execution
CRITICAL
IAM-SOD-SEC-001
SoD: User Administration β Role Administration
CRITICAL
IAM-SOD-BASIS-001
SoD: Transport Management β Development
HIGH
SoD checks support three data strategies: pre-computed matrix (sod_matrix.csv), role resolution (user_roles.csv + role_tcodes.csv), or heuristic role-name matching.
Firefighter / Emergency Access (IAM-FF-*)
Check
Description
Severity
IAM-FF-001
Sessions exceeding max duration (default: 4h)
HIGH
IAM-FF-002
Sessions without documented justification
HIGH
IAM-FF-003
Sessions not reviewed by controller
CRITICAL
IAM-FF-004
Sessions self-approved (reviewer = requestor)
CRITICAL
IAM-FF-005
Users with excessive firefighter usage frequency
MEDIUM
Role Expiry & Validity (IAM-EXP-*)
Check
Description
Severity
IAM-EXP-001
Role assignments without expiry dates (indefinite)
MEDIUM
IAM-EXP-002
Expired role assignments still present in user master
LOW
IAM-EXP-003
Role assignments with excessive validity periods
MEDIUM
Cross-System Identity (IAM-XID-*)
Check
Description
Severity
IAM-XID-001
BTP users without corresponding S/4HANA account
MEDIUM
IAM-XID-002
S/4HANA locked users still active in BTP (incomplete offboarding)
HIGH
IAM-XID-003
BTP users with administrative role collections
HIGH
Access Review Compliance (IAM-REV-*)
Check
Description
Severity
IAM-REV-001
Overdue access review campaigns
HIGH
IAM-REV-002
Reviews marked complete but with incomplete coverage
MEDIUM
IAM-REV-003
Reviews without assigned reviewer
MEDIUM
Role Design Quality (IAM-ROLE-*)
Check
Description
Severity
IAM-ROLE-001
Custom roles without descriptions
LOW
IAM-ROLE-002
Custom roles without designated owners
MEDIUM
IAM-ROLE-003
Empty roles with no menu/transaction assignments
LOW
Other IAM Checks
Check
Description
Severity
IAM-ORPH-001
Users assigned to non-existent/deleted roles
MEDIUM
IAM-USRGRP-001
Active users in default/unassigned user groups
LOW
IAM-REF-001
Dialog users misused as reference users
HIGH
IAM-PRIV-001
Users with privilege escalation capability (self-escalation paths)
CRITICAL
π₯ BTP Cloud Attack Surface β Full Check List
Cloud Connector (BTP-CC-*)
Check
Description
Severity
BTP-CC-001
Wildcard resource mappings on backends
CRITICAL
BTP-CC-002
High-risk paths exposed (WebGUI, ADT, SOAP RFC)
HIGH
BTP-CC-003
Excessive number of backend systems
MEDIUM
BTP-CC-004
Unrestricted access control lists
HIGH
BTP-CC-005
Certificates expiring or expired
HIGH
BTP-CC-006
Certificates with weak cryptography (SHA-1, <2048 bit)
HIGH
BTP-CC-007
Stale/unused backend configurations
MEDIUM
Service Bindings (BTP-SB-*)
Check
Description
Severity
BTP-SB-001
Bindings not rotated in 180+ days
HIGH
BTP-SB-002
Bindings with admin-level scopes
HIGH
BTP-SB-003
Orphaned bindings (deleted instances)
MEDIUM
Destination Service (BTP-DST-*)
Check
Description
Severity
BTP-DST-001
Destinations with stored credentials
HIGH
BTP-DST-002
Destinations with TLS verification disabled
CRITICAL
BTP-DST-003
Proxy type mismatch (Internet vs OnPremise)
MEDIUM
BTP-DST-004
Stale destinations (365+ days unmodified)
LOW
Identity Authentication Service (BTP-IAS-*)
Check
Description
Severity
BTP-IAS-001
Apps without conditional authentication rules
MEDIUM
BTP-IAS-002
Apps without IP-based restrictions
MEDIUM
BTP-IAS-003
Apps without multi-factor authentication
HIGH
Entitlement Governance (BTP-ENT-*)
Check
Description
Severity
BTP-ENT-001
Services entitled but never provisioned
LOW
BTP-ENT-002
Security services entitled but unused (audit, credstore)
MEDIUM
Event Mesh (BTP-EM-*)
Check
Description
Severity
BTP-EM-001
Queues with wildcard topic subscriptions
HIGH
BTP-EM-002
Queues without access control policies
HIGH
BTP-EM-003
Cross-namespace event subscriptions
MEDIUM
Cloud Integration / CPI (BTP-CPI-*)
Check
Description
Severity
BTP-CPI-001
Credentials not rotated in 180+ days
HIGH
BTP-CPI-002
Credentials using basic/plaintext auth
MEDIUM
BTP-CPI-003
iFlows with hardcoded/embedded credentials
CRITICAL
BTP-CPI-004
iFlows with no sender authentication
HIGH
BTP-CPI-005
iFlows using unencrypted HTTP endpoints
HIGH
Network Isolation (BTP-NET-*)
Check
Description
Severity
BTP-NET-001
Services using public internet endpoints
MEDIUM
BTP-NET-002
Critical services without Private Link
HIGH
Subaccount Governance (BTP-GOV-*)
Check
Description
Severity
BTP-GOV-001
Subaccounts without audit logging
HIGH
BTP-GOV-002
Subaccounts using default SAP IDP only
MEDIUM
XSUAA Migration (BTP-MIG-*)
Check
Description
Severity
BTP-MIG-001
Apps still using XSUAA (not migrated to IAS)
MEDIUM
π Network & Integration Layer β Full Check List
API Management (INTG-APIM-*)
Check
Description
Severity
INTG-APIM-001
API proxies missing required security policies
HIGH
INTG-APIM-002
API proxies without authentication policies
CRITICAL
INTG-APIM-003
API proxies allowing unencrypted HTTP
HIGH
INTG-APIM-004
API proxies allowing deprecated TLS versions
HIGH
INTG-APIM-005
API proxies in pass-through mode (zero policies)
CRITICAL
IDOC Port & Partner Security (INTG-IDOC-*)
Check
Description
Severity
INTG-IDOC-001
IDOC ports without encryption (TLS/SNC)
HIGH
INTG-IDOC-002
IDOC file ports with insecure directories
MEDIUM
INTG-IDOC-003
IDOC partners with wildcard message types
HIGH
INTG-IDOC-004
IDOC partners handling sensitive message types
MEDIUM
Web Services / SOAMANAGER (INTG-WS-*)
Check
Description
Severity
INTG-WS-001
High-risk BAPIs/RFCs exposed as web services
HIGH
INTG-WS-002
Excessive active web service endpoints
MEDIUM
INTG-WS-003
Web services with weak/no authentication
CRITICAL
Webhook & Callback Security (INTG-WH-*)
Check
Description
Severity
INTG-WH-001
Webhook callbacks using unencrypted HTTP
HIGH
INTG-WH-002
Webhooks without HMAC signature verification
HIGH
INTG-WH-003
Webhooks delivering to external endpoints
MEDIUM
INTG-WH-004
Stale webhook registrations
LOW
Gateway ACL Deep Analysis (INTG-GW-*)
Check
Description
Severity
INTG-GW-001
Secinfo with overly permissive permit rules
CRITICAL
INTG-GW-002
Secinfo missing deny-all default rule
HIGH
INTG-GW-003
Secinfo permits external program execution
HIGH
INTG-GW-004
Reginfo permits unrestricted RFC registration
CRITICAL
INTG-GW-005
Reginfo missing deny-all default rule
HIGH
Integration Monitoring (INTG-MON-*)
Check
Description
Severity
INTG-MON-001
Missing integration monitoring alert rules
HIGH
INTG-MON-002
Integration events not forwarded to SIEM
MEDIUM
CPI Data Stores (INTG-CPI-DS-*)
Check
Description
Severity
INTG-CPI-DS-001
Data stores with sensitive names, no encryption
HIGH
INTG-CPI-DS-002
Global variables with potentially sensitive names
MEDIUM
INTG-CPI-DS-003
Data stores with excessive entries
LOW
OAuth Client Governance (INTG-OAUTH-*)
Check
Description
Severity
INTG-OAUTH-001
OAuth clients with admin/wildcard scopes
HIGH
INTG-OAUTH-002
OAuth clients using deprecated grant types
HIGH
INTG-OAUTH-003
OAuth clients unused for 180+ days
MEDIUM
Integration Topology (INTG-TOPO-*)
Check
Description
Severity
INTG-TOPO-001
Integration connections without encryption
HIGH
INTG-TOPO-002
Hub systems with excessive connections
MEDIUM
INTG-TOPO-003
Connections to deprecated/legacy systems
MEDIUM
π Data Protection & Privacy β Full Check List
Read Access Logging (DPP-RAL-*)
Check
Description
Severity
DPP-RAL-001
RAL disabled or no active configurations
CRITICAL
DPP-RAL-002
RAL missing coverage for key channels (OData, RFC, ALV)
HIGH
DPP-RAL-003
RAL log channels with insufficient retention
MEDIUM
Information Lifecycle Management (DPP-ILM-*)
Check
Description
Severity
DPP-ILM-001
Retention policies exceeding maximum period
MEDIUM
DPP-ILM-002
Policies without automatic data destruction
MEDIUM
DPP-ILM-003
Policies without end-of-purpose definitions
HIGH
DPP-ILM-004
Personal data tables without ILM retention policies
HIGH
Data Masking β Non-Production (DPP-MASK-*)
Check
Description
Severity
DPP-MASK-001
Non-production systems without PII data masking
CRITICAL
DPP-MASK-002
Production copies in non-prod without masking
CRITICAL
DPP Toolkit (DPP-TOOLKIT-*)
Check
Description
Severity
DPP-TOOLKIT-001
DPP toolkit features not configured (deletion report, consent, breach notification)
HIGH
Purpose of Processing (DPP-POP-*)
Check
Description
Severity
DPP-POP-001
Purposes without documented legal basis (GDPR Art.6)
HIGH
DPP-POP-002
Expired purposes still active
MEDIUM
Sensitive Field Inventory (DPP-FIELD-*)
Check
Description
Severity
DPP-FIELD-001
PII fields without Read Access Logging
HIGH
DPP-FIELD-002
Sensitive fields not masked in non-production
MEDIUM
DPP-FIELD-003
Known sensitive SAP fields missing from classification inventory
MEDIUM
Data Residency & Cross-Border (DPP-RES-*)
Check
Description
Severity
DPP-RES-001
Cross-border transfers without legal safeguards (SCCs/BCRs)
CRITICAL
DPP-RES-002
Special category data in cross-border transfers
HIGH
Data Subject Requests (DPP-DEL-*)
Check
Description
Severity
DPP-DEL-001
Data subject requests overdue (>30 day SLA)
CRITICAL
DPP-DEL-002
Requests marked complete but incomplete
HIGH
DPP-DEL-003
Requests without documentation
MEDIUM
System Landscape (DPP-LAND-*)
Check
Description
Severity
DPP-LAND-001
Systems without data classification assignment
MEDIUM
π» Code & Transport Security β Full Check List
Code Injection / SQL Injection (CODE-INJ-*)
Check
Description
Severity
CODE-INJ-001
SQL injection patterns in custom code (dynamic WHERE, EXEC SQL)
Audit trail written to a CSV text file (tamperable)
HIGH
HANADB-AUDIT-003
No active HANA audit policies
HIGH
HANADB-AUDIT-004
Audit policies do not cover critical action groups
MEDIUM
Security Parameters (HANADB-PARAM-*)
Check
Description
Severity
HANADB-PARAM-001
Weak HANA password-policy parameters
HIGH
HANADB-PARAM-002
Detailed connect errors exposed to clients
MEDIUM
HANADB-PARAM-003
TLS not enforced for HANA SQL connections
HIGH
Distinct from Cryptographic Posture's CRYPTO-HANA-* (encryption-at-rest); this module covers users, privileges, auditing and ini parameters.
π° SAP Security Notes / HotNews β Full Check List
Check
Description
Severity
HOTNEWS-000
SAP Note implementation status not provided (no SNOTE export)
MEDIUM
HOTNEWS-001
Missing HotNews (Priority 1) SAP Security Notes
CRITICAL
HOTNEWS-002
Missing High-priority (Priority 2) SAP Security Notes
HIGH
HOTNEWS-003
Missing notes for actively-exploited SAP vulnerabilities (CISA KEV)
CRITICAL
HOTNEWS-004
Critical SAP Notes only partially implemented
HIGH
Diffs your applied_notes.csv (SNOTE export) against a built-in, verified catalog of major SAP Security Notes since 2020 β including RECON (CVE-2020-6287), ICMAD (CVE-2022-22536), and the 2025 NetWeaver VC RCE (CVE-2025-31324). Note matching is leading-zero-insensitive; not-yet-implemented statuses fail safe to "missing". Extensible via an optional sap_security_notes.json.
π ABAP Authorization & Critical Access β Full Check List
Role-content analysis of the AGR_1251 export (role β object β field β value), attributing each risky role to the users who hold it.
Super-admin business-role template assigned in production (SAP_BR_ADMINISTRATOR*)
CRITICAL
S4AUTHZ-002
Business-role restriction left 'Unrestricted'
HIGH
S4AUTHZ-003
Business role bundles more than 30 business catalogs
MEDIUM
S4AUTHZ-004
CDS view exposes data with authorization checking disabled
HIGH
S4AUTHZ-005
OData V4 service group published without authorization
HIGH
S4AUTHZ-006
Cloud Connector system mapping without principal propagation
HIGH
S4AUTHZ-007
Cloud Foundry privileged platform role over-assigned
HIGH
S4AUTHZ-008
Birthright role collection auto-granted to all federated users
MEDIUM
βοΈ Access Risk Analysis (SoD) β Full Risk List
GRC-style offline, permission-level Segregation of Duties from AGR_1251 + AGR_USERS. Each risk resolves the user's transaction codes and authorization object/field/activity across all roles; a conflict fires only when the maintain activity is held (display-only access is not a false positive). Documented mitigating controls (with expiry) suppress a user/risk and are reported as residual.
βοΈ Basis Jobs & OS Commands β Full Check List
External OS-command definitions (JOBCMD-CMD-*) β from SM69 / SXPGCOSTAB
Check
Description
Severity
JOBCMD-CMD-001
External OS command wraps a shell/interpreter or embeds shell metacharacters
CRITICAL
JOBCMD-CMD-002
External OS command allows runtime additional parameters (ADDPAR = X)
HIGH
JOBCMD-CMD-003
External OS command resolves to an unqualified (PATH-hijack) or user-writable path
HIGH
JOBCMD-CMD-004
Destructive / exfiltration utility defined as a standing command (rm/dd/curl/nc/β¦)
MEDIUM
JOBCMD-CMD-005
External OS command not bound to a specific operating system
LOW
Background jobs & step users (JOBCMD-JOB-*) β from TBTCO / TBTCP
Check
Description
Severity
JOBCMD-JOB-001
Armed job runs under SAP*/DDIC or a SAP_ALL step user
CRITICAL
JOBCMD-JOB-001B
Armed job runs under a standard/technical step user (SAPCPIC/EARLYWATCH/TMSADM)
HIGH
JOBCMD-JOB-002
Job step executes an external OS command / program
HIGH
JOBCMD-JOB-003
Job runs RSBDCOS0 (SM69-allowlist bypass) or unreviewed custom code under a privileged user
HIGH
JOBCMD-JOB-004
Armed job step user is deleted, locked, expired, or a dialog user
MEDIUM
JOBCMD-JOB-005
Job step user differs from scheduler (identity borrowing)
MEDIUM
Only armed jobs (STATUS scheduled/released/ready/active) are evaluated; finished/cancelled jobs are out of scope. Complements the ABAP Authorization module (authz), which covers who is authorized to run commands / set a foreign step user (S_LOG_COM, S_BTCH_NAM) β this module reports the actual command catalog and the actual scheduled jobs.
Quick Start
git clone https://github.com/Krishcalin/SAP-S4HANA-RISE-Security-Scanner.git
cd SAP-S4HANA-RISE-Security-Scanner
# Run against sample data (included)
python sap_scanner.py --data-dir ./sample_data --output report.html
# Generate the detailed PDF hand-over report (or both formats)
python sap_scanner.py --data-dir ./exports --output report.pdf --format pdf
python sap_scanner.py --data-dir ./exports --output report.html --format both
# Run specific modules
python sap_scanner.py --data-dir ./exports --modules btpcloud iam
python sap_scanner.py --data-dir ./exports --modules intglayer network
# Filter by severity
python sap_scanner.py --data-dir ./exports --severity HIGH
# Custom thresholds
python sap_scanner.py --data-dir ./exports --config baseline.json
Available Modules
users β User & Authorization (USR-*)
iam β Advanced IAM (IAM-*)
params β Security Parameters (PARAM-*)
network β Network & Service Exposure (NET-*)
rise β RISE / BTP Core (RISE-*)
btpcloud β BTP Cloud Attack Surface (BTP-*)
intglayer β Network & Integration Layer (INTG-*)
dataprot β Data Protection & Privacy (DPP-*)
codetrans β Code & Transport Security (CODE-*)
logmon β Logging, Monitoring & IR (LOG-*)
fiori β Fiori & UI Layer (FIORI-*)
crypto β Cryptographic Posture (CRYPTO-*)
hanadb β HANA Database Security (HANADB-*)
hotnews β SAP Security Notes / HotNews (HOTNEWS-*)
authz β ABAP Authorization & Critical Access (AUTH-*)
systrust β System Trust & Standard Users (TRUST-*, STDUSR-*)
baseline β Security Baseline Parameters (BASELINE-*)
s4authz β S/4HANA & Cloud Authorization (S4AUTHZ-*)
ara β Access Risk Analysis / offline SoD (ARA-*)
jobcmd β Basis Jobs & OS Commands (JOBCMD-*)
all β Run everything (default)
Examples with the newer modules:
# Offline Segregation-of-Duties + ABAP critical-access review
python sap_scanner.py --data-dir ./exports --modules ara authz
# HANA DB hardening + missing SAP Security Notes
python sap_scanner.py --data-dir ./exports --modules hanadb hotnews
# System trust, standard users, and Security Baseline parameters
python sap_scanner.py --data-dir ./exports --modules systrust baseline
Reports
Choose the output with --format html (default), --format pdf, or --format both. The output path's extension is respected; with both, the companion file is written alongside it.
Format
Best for
Contents
HTML
Interactive triage
Dark dashboard with risk score, severity/category breakdown, live severity filter, and collapsible findings β each with its detailed risk narrative and step-by-step remediation. Single self-contained file.
PDF
Formal hand-over to the SAP Basis / security team
A multi-page assessment report: cover page (scope, overall risk posture, severity summary), executive summary (posture narrative, severity table, category breakdown, top-priority findings), and per-finding detail pages β each with the affected objects, a detailed Security Risk explanation, and a numbered, step-by-step Remediation procedure, plus references. Running header/footer, page numbers, confidentiality banner. Built with a pure-standard-library PDF engine β no extra dependencies.
Detailed findings β knowledge base
Every finding is rendered with an in-depth Security Risk explanation (what the weakness is, the concrete attack/abuse scenario, and the business/compliance impact) and a numbered, step-by-step remediation procedure naming the exact SAP transactions, reports, IMG paths, parameters and tables to change, how to verify the fix, and rollout cautions. This content lives in a bundled knowledge base (data/finding_details.json) keyed by check-id (with family-prefix fallback); where an entry is absent, the report falls back to the finding's own description and remediation, so the report is always complete.
Data Sources
All files are optional β the scanner runs only checks for which data is available. See docs/EXPORT_GUIDE.md for detailed export instructions.
π Core & IAM data files
File
Source
Description
users.csv
RSUSR002 / SU01
User master data (BNAME, USTYP, UFLAG, TRDAT, etc.)
Reuses users.csv (USR02) and profiles.csv (USR04) to resolve whether a job step user is SAP*/DDIC or a SAP_ALL holder, locked, expired or a dialog account.
Custom Baseline
Override default thresholds by creating a JSON config file:
Access Risk Analysis can also be driven by a custom SoD ruleset β drop an ara_ruleset.json into your --data-dir to extend or override the built-in 27-risk ruleset (entries matching a built-in risk_id override it; new ids are added).
Detailed PDF hand-over report + per-finding risk/remediation knowledge base
Scan comparison mode (diff two scans)
CI/CD integration with exit codes
PDF report export
Requirements
Python 3.8+ β No external packages required to run the scanner.
Testing
The scanner has a pytest suite that runs every audit module against the bundled
sample_data (crafted to trigger each check) and validates the full pipeline β
no SAP system needed. It checks that each module fires, handles empty input
without crashing, honours the finding contract (field types / severities β this
catches bugs like a description accidentally being a tuple), has no cross-module
check-id collisions, renders the HTML report, and runs end-to-end via the CLI.
CI (GitHub Actions, .github/workflows/tests.yml) runs the suite on Python
3.8β3.12 plus a full sap_scanner.py smoke run on every push and pull request.
This tool is for authorized security assessments only. The scanner performs offline analysis of exported data and does not connect to or modify any SAP system.