What is wrong with SE16?

well w/ SE16 someone could try to extract data.

For ex. may be used to view email logs

It's better to filter that one too.

They could only access data from SE16 if they have the corresponding s_tabu_dis activity for the authorization group to which that table has been assigned.

If the auth group is not maintained, SE16 will assign the value '&NC&' to it and check it.

If granting s_tabu_dis for other tables sharing the same auth group is inappropriate, then these can be re-assigned in transaction SUCU.

I still don't see where SE16 or SM30 itself are problems if the user has correct authorizations.

Infact, if a user must view / maintain a table, it is much safer and cheaper to use SE16 / Sm30 than re-invent them and hardcode the table name.

*---------------------------------------------------------------------*
*       FORM AUHTORITY_CHECK_AGAIN                                    *
*---------------------------------------------------------------------*
*       ........                                                      *
*---------------------------------------------------------------------*
FORM AUTHORITY_CHECK_AGAIN USING ACT.
  GLOBAL_AUTH = 'SHOW'.
  SELECT SINGLE * FROM TDDAT WHERE TABNAME = DATABROWSE-TABLENAME.
  IF SY-SUBRC <> 0  OR  TDDAT-CCLASS = SPACE.
    TDDAT-CCLASS = '&NC&'.             " 'non classified table'
  ENDIF.

* Anzeigeberechtigung
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
           ID 'DICBERCLS' FIELD TDDAT-CCLASS
           ID 'ACTVT' FIELD '03'.
  IF SY-SUBRC NE 0.
    MESSAGE E419 RAISING NO_PERMISSION.
  ENDIF.
* Änderungsberechtigung
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
           ID 'DICBERCLS' FIELD TDDAT-CCLASS
           ID 'ACTVT' FIELD '02'.
  IF SY-SUBRC = 0.
    GLOBAL_AUTH = 'UPDA'.
  ELSE.
    IF ACT = 'ANLE'.
      MESSAGE E417 RAISING NO_PERMISSION.
    ENDIF.
  ENDIF.

  IF DD02L-CLIDEP EQ SPACE.
*  Mandnatenunabhängig
    AUTHORITY-CHECK OBJECT 'S_TABU_CLI'
                    ID 'CLIIDMAINT' FIELD 'X'.
    IF SY-SUBRC <> 0.
*      Keine Berechtigung für mandantenunabhängige Änderungen
      GLOBAL_AUTH = 'SHOW'.
      IF ACT = 'ANLE'.
        MESSAGE E417 RAISING NO_PERMISSION.
      ENDIF.
    ENDIF.
  ENDIF.
ENDFORM.

Thanks for everybody input. I like to keep this thread open for a bit longer so we can all contribute to the list and build a more complete list. Will be useful if we face an Security Audit one day.

jbussche,

I am with Cristian on SE16 and SM30 or SM31. There are over 35,000 tables in SAP. Most users only need access to handful of them. Since so many tables share the same table authorization group, and a lot of transaction utilize S_TABU_DIS. Setting up custom transaction for each table might sound a lot of work upfront, but if you compare to having users who get hold of all SSN thru PA* tables and you have no way to tell who access those tables. You will sleep better at night knowing you can at least audit who were accessing those tables.

A lot of SE* transactions are easy to give up, very very hard to take it back.

Thanks,

Lye

Hi,

The main purpose is to not have edit access to the Production data, so SE38,SA38, etc need to be put away as do almost all the transactions in the list below. For ex. if someone in the BASIS group has an access key in Prod, then SE38 and SA38 become potential audit violations as the code can be changed if the system is open. The other way to avoid these pitfalls, is to create z transactins for you r tables and programs and assign them to a role. Give that role only to a select few people.

Also, you'll face a problem on the BW side with transaction RSA1. You'll need to figure out a way to make it display only and have a "firefighter" id or the easiest way to put mitigating controls and exceptions around it.

These are some of the thoughts.Hope this helps.

Cheers,

Kedar

Hi Lye,

If I am going to be deprived of sleep because of a SAP table, then rather by the devil which I know, than one which I don't.

It is possible to understand SE16 and control the use of it and audit the authorizations for the table & corresponding program auth groups.

It is virtually impossible to understand or control or audit 100s of Z-transactions for tables and programs without auth groups.

Auditing use of SE16 is easy: A TRDIR entry is automatically generated by SAP which includes the name of the accessable table; the record of the user accessing it is SAP standard available in the application monitors and it is very difficult to take either back again.

The same can be said for SE37. On it's own, a perfectly harmless and useless transaction code from a security perspective.

Kind regards,

Julius

Julius,

I love open discussion, always learn something new. Hopefully we are not too far off track from the subject.

I know SAP keep track of what transactions a user is running, but I am curious do SAP keep the log at the field level? Do the application monitors log which table was access thru SE16? What data were query/download thru SE16? Do you know how to get these log? I would love to know.

Regarding SE37 & SE38, SAP Security Audit log do keep track of the function modules or programs being execute. But this is not preventive action. I have the experience of an ABAP developer assign himself SAP_ALL by calling PRGN_AUTH_PROFILES_ASSIGN using SE37 in debug mode. We caught in when we run the who has SAP_ALL report. If he is smart enough to delete the profile after he is done. We most probably will missed it, and will be buried in the Aduit & System log.

Thanks,

Lye

Hi Lye,

Yes, you can control access using field levels if you activate it. See the documentation on object S_TABU_LIN (SPRO -> IMG -> Basis -> System Administration -> Users and Authorizations -> Line-oriented Authorizations) and OSS 763269 "Line by line authorization check in SE16".

The application stats log exactly which table was viewed, if you get the user to use SE16 to view it... For other transactions it will not necessarily do this. See OSS 143550 for further capabilities which you can activate if you need them.

Regarding downloading etc data once displayed, there is to my knowledge no possibility for the application server to prevent or detect a screen-shot (or a photo) being made of the front end.

Regarding your (ex-)developer, I am shocked! How silly of him so have created an audit trail. There is a nifty feature in the debugger which is less noisy. Place the break-point ahead of, for example, a check routine being performed. Then place the cursor after it and right-click "Go to Statement". It will skip over the coding between without executing it.

With sy-subrc = 0,

Julius