List of Transactions Display/Change/Modify ?

chris_hall2 · ‎06-10-2009

I have a list of 3,000 tcodes.

Is there a way to find out if a tcode is a display only transaction or does it have change/create/delete capability and do this in a timely fashion?

Thanks,

CH

Former Member · ‎06-10-2009

I don't know of any foolproof way to do it.

Easiest (not the best and most accurate) way to identify if transaction is used for display or update is

to first by looking at the description of the transaction and also most of the *3s are display and *1's, *2's, *6's are change.

this way you should be able to categorize most of your transactions, if not all.

chris_hall2 · ‎06-10-2009

Thanks SG....

Most of these transactions are custom. I need this info for categorizing the transaction before considering the risk within compliance calibrator.

I just didn't want this to be a huge drawn out process.

Former Member · ‎06-10-2009

Custom transactions are even more complicated to categorize.

if it was 10 or 20 then you could look at the program and look for authority-check and then the activity codes. Its almost impossible to do that for your current volume.

Former Member · ‎06-19-2009

I just didn't want this to be a huge drawn out process.

- Consider taking a sample of the transactions to see whether the naming convention was kept.

- Also do a code scan on them for update task type coding, and use where-used-lists to track them down.

- Talk to the developers about the concept (over time) and the samples you have found.

There might not be an easy solution... depending on how good the peer reviews and QA checks were - assuming that a "developer guideline" was available.

If this is a historical topic, many of these will anyway be report programs or paramater / variant transactions. So you can hone in on the TSTC* tables (e.g. TSTCP) to "tune" your samples.

Cheers,

Jülius

Edited by: Julius Bussche on Jun 19, 2009 11:36 PM

Former Member · ‎06-10-2009

Sometimes naming conventions help, but also have restraints.

In ancient times SAP used xx01 for create, xx02 for change, xx03 for display, xx06 for delete, etc...

These corresponded to the activities of important application authorization objects...

But this is a pain during projects, because it makes it difficult to modularize the coding if the granular checks are not in the correct places... and many folks believe in "tcodes"...

If your 3k custom tcodes used released functions, then you could with relative ease class them via the BAPI's they use. Actually, all business applications should ideally provide a complete set of released BAPIs (Business Application Program Interfaces) which correspond to their functional tcode equivalents.

As this is unfortunately not the always the case and others persuade SAP to hardcode S_TCODE checks into the wrong level of coding - you end up with a mess.

I would recommend that you contact one of the developers who is security aware, and run the whole lot through the SAP Code Inspector (transaction SCI) for a start to get a feeling for what you are dealing with.

Some folks go for a program group concept (S_PROGRAM) to fix this. But it is not granular and only works for "blunt" reports.

Cheers,

Julius

Former Member · ‎06-10-2009

>


> I have a list of 3,000 tcodes.
> 
> Is there a way to find out if a tcode is a display only transaction or does it have change/create/delete capability and do this in a timely fashion?
> 
> Thanks,
> CH

Are these 3k tcodes part of a security role/roles?

chris_hall2 · ‎06-19-2009

Sorry for the day, I was locked out....

We use the composite role model, so yes they are within roles.

Former Member · ‎06-19-2009

>


> Sorry for the day, I was locked out....
> 
> We use the composite role model, so yes they are within roles.

Chris,

Try this approachu2026 the goal is to get the autho object in all your roles with ACTVT u201C03u201D and associate them with the transactions in your roles. I hope this can get you started and you can just keep refining your query.

1. SE16->AGR_1251->ROLE: (paste all your applicable simple roles)->OBJECT: S_TCODE - this will be output #1

2. SE16->AGR_1251->ROLE: (paste all your applicable simple roles)->FIELD NAME: ACTVT->VALUE: 03 - this will be output #2

3. SE16->USOBX->NAME: Paste output #1->OBJECT: Paste output#2 - the output will be a match of transactions with activity of display for your roles.

Review the report output and keep refining your query.

Good Luck!

sdipanjan · ‎06-19-2009

Can you please let us know the purpose of such finding? Where and how you are using this information?

By the way... if you are going to create role and have a set if Tcodes with you... now you are not sure which of them are Update and which are Display.. then I can suggest one more approach inline with other methods already described...

Find the C/M objects for those TCodes from table USOBT_C ... extract the list..

then go to table TACTZ .. copy and paste those objects and find out the permitted ACTVT (if present there as SAP proposal.. only then you may get help form this approach) ...

You already have the list of activities and their meaning ... merge the values of two tables in excel and from this you can make an idea of this TCodes... and build roles ..

(Don't know how much this will help you)

Regards,

Dipanjan