TL;DR: SAP Fiori transaction codes for launchpad, Gateway, and OData administration concentrate high-value configuration and troubleshooting functions in a small set of paths, which makes access scoping, segregation of duties, and change control central to SAP governance, according to Pathlock. The issue is not the codes themselves but the control assumptions around who can register services, adjust aliases, and manage launchpad content.
NHIMG editorial — based on content published by Pathlock: List SAP Fiori T-Codes by Function and Type
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams govern SAP Fiori administration access?
A: Security teams should treat SAP Fiori administration as privileged access, not routine application support.
Q: Why do SAP Fiori transaction codes create segregation-of-duties risk?
A: They create segregation-of-duties risk because the same administrative surface can register services, change aliases, manage launchpad content, and inspect logs.
Q: What breaks when Fiori service activation and maintenance are not separated?
A: When activation and maintenance are not separated, administrators can change service availability and then adjust metadata or aliases without independent review.
Practitioner guidance
- Segment Fiori administration by function: Separate launchpad content management, Gateway service administration, and troubleshooting roles so one operator cannot change content, routing, and logs in the same entitlement set.
- Review system alias and service activation permissions: Treat /UI2/GW_SYS_ALIAS, /UI2/GW_ACTIVATE, and /IWFND/MAINT_SERVICE as high-risk paths and require named approvers for changes.
- Log and recertify troubleshooting access: Track use of /IWFND/ERROR_LOG, /UI2/GW_ERR_LOG, and /UI2/GW_APPS_LOG through tickets, then recertify access against actual support duties.
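One way to test the first guidance item against a role export, as an added example that is not from Pathlock's article: it flags users whose combined roles span more than one Fiori administration function and keeps the granting role as evidence for recertification. The user names, role names and rows are constructed, and the launchpad-content codes /UI2/FLPD_CUST and /UI2/FLPD_CONF are an assumption, since this post names only the Gateway and log codes.

```python
from collections import defaultdict

# Function groups. Gateway and troubleshooting codes are the ones named above;
# the launchpad-content codes are an assumption added for this example.
FUNCTION_GROUPS = {
    "gateway_admin": {"/UI2/GW_SYS_ALIAS", "/UI2/GW_ACTIVATE", "/IWFND/MAINT_SERVICE"},
    "troubleshooting": {"/IWFND/ERROR_LOG", "/UI2/GW_ERR_LOG", "/UI2/GW_APPS_LOG"},
    "launchpad_content": {"/UI2/FLPD_CUST", "/UI2/FLPD_CONF"},
}

# Constructed sample: (user, role, t-code) rows as a role report might export them.
SAMPLE_ASSIGNMENTS = [
    ("ALICE", "Z_FIORI_CONTENT", "/UI2/FLPD_CUST"),
    ("BOB", "Z_GW_ADMIN", "/IWFND/MAINT_SERVICE"),
    ("BOB", "Z_GW_ADMIN", "/UI2/GW_SYS_ALIAS"),
    ("CAROL", "Z_GW_ADMIN", "/UI2/GW_ACTIVATE"),
    ("CAROL", "Z_SUPPORT", "/iwfnd/error_log "),
    ("DAVE", "Z_FIORI_ALL", "/UI2/FLPD_CONF"),
    ("DAVE", "Z_FIORI_ALL", "/IWFND/MAINT_SERVICE"),
    ("DAVE", "Z_SUPPORT", "/UI2/GW_APPS_LOG"),
    ("ERIN", "Z_SUPPORT", "/UI2/GW_ERR_LOG"),
]

def functions_by_user(assignments):
    """Map each user to {function group: set of (role, tcode) that grant it}."""
    lookup = {t: g for g, codes in FUNCTION_GROUPS.items() for t in codes}
    result = defaultdict(lambda: defaultdict(set))
    for user, role, tcode in assignments:
        code = tcode.strip().upper()  # exports vary in case and padding
        if code in lookup:
            result[user][lookup[code]].add((role, code))
    return result

def sod_findings(assignments, max_groups=1):
    """Return users whose combined roles span more than max_groups functions."""
    findings = []
    for user, groups in sorted(functions_by_user(assignments).items()):
        if len(groups) > max_groups:
            evidence = {g: sorted(v) for g, v in sorted(groups.items())}
            findings.append({"user": user, "functions": sorted(groups), "evidence": evidence})
    return findings

if __name__ == "__main__":
    for f in sod_findings(SAMPLE_ASSIGNMENTS):
        print(f["user"], "spans", ", ".join(f["functions"]))
        for group, grants in f["evidence"].items():
            print("   ", group, "<-", grants)
```

The check works on the union of a user's roles, so a conflict split across two individually clean roles (CAROL in the sample) is still reported.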
What's in the full article
Pathlock's full article covers the operational detail this post intentionally leaves for the source:
- The complete SAP Fiori transaction code catalogue organised by function and type.
- The practical descriptions of each Gateway and OData maintenance code.
- The troubleshooting uses of the error log and application log t-codes.
- The SAP module navigation context that helps administrators map codes to daily tasks.