
Access to FD32 transaction code ?

Former Member
0 Kudos

Hi Experts,

As per analysis of one issue, a user has access to transaction code FD32; however, while checking in the system it shows that the user has modified customer details.

On checking ST03, it showed that the user has executed XD02, which provides the ability to Change Customer (Centrally); however, the user doesn't have access to XD02?

Can you please provide any pointers on why this is happening?

Is this a known bug?

I have also checked TCDCOUPLES, and the FD32 transaction does call XD02; however, the user does not have access to XD02 and hence cannot modify the customer record, but the report Customer Change Overview shows that the user has modified the customer record?

9 REPLIES 9

Former Member
0 Kudos

Hi Jitendra,

Hope you are doing good

When you check TCDCOUPLES, make sure the field Check Ind. is marked with YES for the XD02 entry; otherwise the S_TCODE check will not be performed when the user switches from FD32 (calling tcode) to XD02 (called tcode).

Also ensure the user does not have access to directly execute the XD02 program via SE90, etc., or maybe via some function module like ALINK_CALL_TRANSACTION.

Hope this helps.

Cheers!

Sandipan

0 Kudos

Hi Sandipan,

Good to hear from you

However, I am still not able to figure out how the user is getting access to XD02?

Below is the list of transactions executed by users:

The list below, which I got from ST03, shows that the user has executed XD02; however, the user does not have access to XD02.

Also, I checked the TCDCOUPLES table, and the check indicator is marked as "X" for called transaction XD02 with calling transaction code FD32; that is, the S_TCODE check will be performed.

FB70

FBL5N

FB03

ZFKORD50

XD02

FD32

F150

RFC

FBL3N

ZV332126

SESSION_MANAGER

<AD_DISPLACE>

QISR1

FD03

IQS3

<AD_RESET_USR02>

QISR

IQS2

SAPMSEM1

SAPMSYST

SU53

F-32

<AD_DEL_USER>

/sap/bc/gui/sap/its/qisr

RSBTCRTE

iac/wa/webgui/style/1x1.gif

FB08

/sap/bc/gui/sap/its/qisr/~flNUQVRFPTc5O

/sap/bc/gui/sap/its/qisr/~flNUQVRFPTMwO

/sap/bc/gui/sap/its/qisr/~flNUQVRFPTIxN

/sap/bc/gui/sap/its/ZISR_AKNB/!

SAPF150S2

SAPF150S2

FB1D

FB00

0 Kudos

This list you have posted cannot be from TCDCOUPLES.

Looks more like a statistics monitor display list....

Cheers,

Julius

0 Kudos

Hello Julius,

This is the list that I got from ST03 transaction for the week in which this Issue has been raised.

This is not the list from TCDCOUPLES.

Former Member
0 Kudos

Hi Jitendra,

Did you check the change documents for the user? Are you sure that there are no roles/profiles assigned and deleted during this activity? Just another way to see how the user has got additional access

Regards,

Raghu

0 Kudos

Hi,

This is the list that I got from ST03 transaction for the week in which this Issue has been raised.

0 Kudos

Ah okay, my fault for not reading carefully...

What does ZV332126 do? Same for ZFKORD50?

Also there is RFC (no surprises there) and BSPs so take a look in the RFC server profiles at what was called and what do they do?

SAPGui transaction codes are not the only entry points into the system to start applications.

Cheers,

Julius

Edited by: Julius Bussche on Aug 26, 2011 2:17 PM
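
Added example, not part of any post in this thread: a small triage of an ST03 entry list against the user's S_TCODE values and the TCDCOUPLES check indicators, following the checks suggested in the replies above. The S_TCODE set, the TCDCOUPLES rows, the ZDEMO1/ZDEMO2 codes, the category names and the handling of bracketed entries are assumptions constructed for illustration, not data from the poster's system.

```python
# Added example; every value below is constructed for illustration.
S_TCODE = {"FD32", "FBL5N", "FB03", "ZDEMO1"}   # tcodes the user may start

# (calling, called) -> check indicator. "X" = S_TCODE is checked on the call
# (as described in the thread); any other value is treated as "not checked".
TCDCOUPLES = {("FD32", "XD02"): "X", ("ZDEMO1", "ZDEMO2"): ""}

# Entries as listed in an ST03 user profile.
ST03_ENTRIES = ["FD32", "XD02", "FB03", "ZDEMO2", "RFC",
                "/sap/bc/gui/sap/its/qisr", "<AD_DISPLACE>", "ZV332126"]


def classify(entry, s_tcode=S_TCODE, couples=TCDCOUPLES):
    """Return (category, note) for one ST03 entry."""
    if entry == "RFC" or entry.startswith("/"):
        return ("non-gui-entry", "RFC/HTTP entry point: review what it called")
    if entry.startswith("<"):
        return ("not-a-tcode", "bracketed statistics record")
    if entry in s_tcode:
        return ("authorized", "S_TCODE allows a direct start")
    # Calling transactions the user is allowed to start that lead to `entry`.
    callers = {calling: ind for (calling, called), ind in couples.items()
               if called == entry and calling in s_tcode}
    unchecked = sorted(c for c, ind in callers.items() if ind != "X")
    if unchecked:
        return ("unchecked-call", "reachable via " + ", ".join(unchecked))
    if callers:
        return ("checked-call", "call from " + ", ".join(sorted(callers))
                + " is S_TCODE-checked: look for another entry path")
    return ("unexplained", "no S_TCODE value and no known call path")


def follow_up(entries=ST03_ENTRIES):
    """Entries that need an explanation beyond the user's S_TCODE values."""
    result = {}
    for entry in entries:
        category, note = classify(entry)
        if category not in ("authorized", "not-a-tcode"):
            result[entry] = category
    return result


if __name__ == "__main__":
    for name, category in follow_up().items():
        print(f"{name:28} {category:15} {classify(name)[1]}")
```

A "checked-call" result is the situation in this thread: XD02 appears in the statistics although the call from FD32 is S_TCODE-checked, so the remaining candidates are the non-GUI entries and the user's change documents.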

0 Kudos

Hi Julius ,

Thanks for your reply.

Below is the list of information that I got from RFC Server Statistics (ST03N) for the user.

Is there any possibility that user can make changes to customer master records by raising an ISR ?

Report/Transaction   RFC Destination    RFC Program
FBL5N                NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
IQS2                 NONE               SAPLSGOSITS
FBL5N                NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
IQS3                 NONE               SAPLSGOSITS
FB03                 NONE               SAPLSGOSITS
QISR1                SAPGUI             SAPLAWRT
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
RFC                  NONE               SAPLARFC
FB03                 NONE               SAPLSGOSITS
RFC                  NONE               SAPLARFC
FB03                 NONE               SAPLSGOSITS
QISR                 SAPGUI             SAPLAWRT
SBWP                 NONE               SAPLSIWWP2
SBWP                 NONE               SAPLSIWWP2
SBWP                 NONE               SAPLSIWWP2
SESSION_MANAGER      ukblx177_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx178_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx178_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx255_EU3_01    SAPLTHFB
SO01                 NONE               SAPLSIWWP2
SESSION_MANAGER      ukblx255_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
SESSION_MANAGER      ukblx275_EU3_01    SAPLTHFB
QISR1                SAPGUI             SAPLAWRT
QISR1                SAPGUI             SAPLAWRT
QISR                 SAPGUI_QUEUE       SAPLOLEA
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
QISR                 SAPGUI             SAPLAWRT
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSGOSITS
RFC                  NONE               SAPLSO00

0 Kudos

From the RFC calls to destination SAPGUI it looks as if they have some sort of a client scripting / end-user upload tool.

It is quite possible that exposing server side intended RFC access to client side end-users (as some bolt-on tools will force you to do...) can give them the opportunity to process things without seeming to have the required authorizations. Sometimes the front end tools make it really user-friendly for them to break your processes and security...

However whether or not it is in fact critical and /or does deviate from the business process in this case is another matter.

Are the master data owners complaining about these unauthorized changes? Are the changes causing quality problems with the master data?

Or is this just some "business process controls" checks which are done and now everyone needs to explain how the system works (with their hands up in the air and a stone tied to their feet ;-).

Cheers,

Julius