
Review massive t-code whether has Org Level Restriction

Former Member
0 Kudos

I was tasked to review all t-codes (SAP standard and my company's custom Z t-codes, 1000+ in total) to see whether the appropriate Org Level Authorization Check is in place, i.e. if a user has access to a t-code, he can only run that t-code for his company code / organization.

I linked the t-codes with SU24 data, then checked whether SU24 contains any authorization objects with an Org Level field. However, the outcome is not accurate.

Is there any efficient way to scan those t-codes' programs to make sure the Org Level restriction is in place?

6 REPLIES

michael_kozlowski
Active Contributor
0 Kudos

Check whether table USOBX suits your needs.

Former Member
0 Kudos

Can you explain further about how the SU24 data is resulting in inaccurate results?  While SU24 does not necessarily control which authorizations are required to use the tcode, it does show you which authorizations will be added to a role when the tcode is added.

SU24 is a good starting point - if the tcode has objects with SU24 indicators Check Indicator=Check, and Proposal=YES, then the authorization will be included in the role when adding the tcode.  This typically means that tcode requires it, but not 100% of the time.  Go to SU24, within Authorization Object tab enter F_BKPF_BUK for the Authorization Object field value, type of application=Transaction, and execute.  In the output, if a tcode has Check Indicator=Check, and Proposal=YES, then you can posit that the tcode requires org-level security.  Of course, negative testing is the only way to prove with 100% certainty.

I would also look at table AGR_1251, include the roles that are assigned to users, and see if the org-level objects exist within the role.  If the role contains some org-level objects, then you can view the role's authorizations in PFCG and click to view which tcodes the object relates to (which is the same info as in SU24).  Then you could test those particular tcodes and see if restricting the org-level object limits the access. For example, for role X that includes object F_BKPF_BUK, first restrict the BUKRS field to specific Company Codes, generate the role, assign the role to a test account, execute the tcodes within that role as the test account, and see if you can access data within the tcode for company codes other than the Company Codes that you have restricted within the role.  If you cannot get to the data for the other company codes, then you know the org-level security is required for that tcode.

Give us some more context about your task and we can try to elaborate more.

-Ken

0 Kudos

Hi Ken,

Testing those t-codes one by one would be hugely time-consuming. I am an SAP Security guy. I may not be familiar with all business t-codes, which is a huge challenge for me when verifying how the t-codes run.

I understand SU24 (also tables USOBT_C, USOBX_C) can only be used as an indicator.  Although we can run report RSABAPSC to scan, the result is not always as correct as I expected.

Thank you anyway for your help.

James CHEN

Colleen
Advisor
0 Kudos

Hi James

SU24 is a good starting point but not definitive. Also, some object fields may not be org relevant (e.g. profit centre).

Custom transaction codes - huge reliance on the developer or security person maintaining SU24 with the correct mappings.

Scanning the code, running traces and testing is the most accurate way to perform the analysis. You might be able to get a bit of a head start by checking logs to see which transactions are actually used in the landscape and removing obsolete transactions from the design to reduce the footprint.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Testing those t-codes one by one would be hugely time-consuming. I am an SAP Security guy. I may not be familiar with all business t-codes, which is a huge challenge for me when verifying how the t-codes run.

I understand SU24 (also tables USOBT_C, USOBX_C) can only be used as an indicator.  Although we can run report RSABAPSC to scan, the result is not always as correct as I expected.

Thank you anyway for your help.

James CHEN

0 Kudos

Hi James

Yes, a lot of people have no idea or appreciation of how time consuming proper security analysis and investigation can be. As it's typically underestimated, you end up with a big mess and a lot of effort required to clean it up.

It's why there are a lot of nice market consultancies out there who have designed and built their own security tools to facilitate this type of work.

Some of your transaction codes can be reduced by checking the TSTCP table to see if they are parameter transactions. If they are for a table, then you can identify the S_TABU_NAM value easily and reduce your effort.

Regards

Colleen
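One way to do the SU24 triage Ken and James describe (check indicator and proposal in USOBX_C / USOBT_C crossed with the org-level field list in USORG), plus Colleen's TSTCP reduction, as an added example in Python over constructed table exports rather than anything posted in this thread; the OKFLAG encoding, the column layout and the TSTCP PARAM format are assumptions:

```python
# Added example: triage of SU24 export data for org-level checks.
from collections import defaultdict

# Constructed rows standing in for USOBX_C (check indicator per t-code/object)
# and USOBT_C (field proposals). Layout and OKFLAG encoding are assumptions:
# OKFLAG 'X' = Check with proposal (Yes), 'N' = do not check.
USOBX_C = [
    ("FB01", "TR", "F_BKPF_BUK", "X"),
    ("FB01", "TR", "F_BKPF_KOA", "X"),
    ("KS03", "TR", "K_CCA", "X"),
    ("ZREP1", "TR", "K_CCA", "N"),   # switched off in SU24 -> not proposed
]
USOBT_C = [
    ("FB01", "TR", "F_BKPF_BUK", "BUKRS", "$BUKRS"),
    ("FB01", "TR", "F_BKPF_BUK", "ACTVT", "01"),
    ("KS03", "TR", "K_CCA", "RESPAREA", "$RESPAREA"),
    ("KS03", "TR", "K_CCA", "KOSTL", "*"),      # KOSTL is not an org level
    ("ZREP1", "TR", "K_CCA", "RESPAREA", "$RESPAREA"),
]
# Org-level fields as maintained in USORG (constructed subset).
USORG = {"BUKRS", "WERKS", "VKORG", "RESPAREA"}
# TSTCP rows for parameter transactions (constructed; PARAM format assumed).
TSTCP = [("ZV_T001", "/*SM30 VIEWNAME=V_T001;UPDATE=X")]

def org_level_proposals(usobx, usobt, usorg):
    """Return {tcode: {(object, field)}} for proposed org-level fields only."""
    proposed = {(n, o) for n, t, o, ok in usobx if t == "TR" and ok == "X"}
    out = defaultdict(set)
    for name, typ, obj, field, _low in usobt:
        if typ == "TR" and (name, obj) in proposed and field in usorg:
            out[name].add((obj, field))
    return dict(out)

def tcodes_without_org_level(tcodes, usobx, usobt, usorg):
    """T-codes from the review list with no org-level proposal in SU24: these
    need a code review, trace or negative test rather than trust in SU24."""
    covered = org_level_proposals(usobx, usobt, usorg)
    return sorted(t for t in tcodes if t not in covered)

def sm30_parameter_tcodes(tstcp):
    """Map parameter transactions that call SM30 to their view/table name,
    i.e. the value S_TABU_NAM would restrict (Colleen's TSTCP shortcut)."""
    result = {}
    for tcode, param in tstcp:
        if param.startswith("/*SM30 "):
            for kv in param[len("/*SM30 "):].split(";"):
                key, _, val = kv.partition("=")
                if key == "VIEWNAME":
                    result[tcode] = val
    return result
```

T-codes returned by `tcodes_without_org_level` are the ones SU24 cannot vouch for; the SM30 parameter transactions can be taken off that list and handled through S_TABU_NAM instead.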