Critical Tcode in SAP for ITGC and Sox Audit
While conducting an IT General Controls (ITGC) review or a SOX audit, we need to check which users have access to critical SAP TCodes. In this article, we discuss which TCodes are critical and why (i.e. the risk associated with each TCode).
SE01, SE09, SE10
SE01 is the main screen of the Change and
SE09 is the workbench transport requests transaction. Developers can track changes to all ABAP Workbench objects (dictionary, reports, module pools, etc.). This is a developer-specific transaction, and almost all developers have access to it.
SE10 is the customizing request display transaction; it displays all the customizing requests in the system. Again, this could be restricted to business analysts if required, since they would be doing most of the customizing changes in the system.
Access should be restricted to basis administrators only. Auth Object – S_TRANSPRT, Field – ACTVT
PFCG
Transaction code PFCG is a role maintenance administration to manage roles and authorization data. Using PFCG, we can change and assign roles, create roles, create composite roles and transport and
The users who have access to Auth Object – S_USER_AUT have the ability to create, change and delete authorizations. These users also have the ability to assign, delete and modify authorization profiles for users.
The users who have access to Auth Object – S_USER_PRO have the ability to assign, delete and modify authorization profiles for users.
Access should be restricted to basis administrators only. Auth Object – S_USER_AGR, S_USER_AUT, S_USER_PRO. Field – ACTVT – 01 or 02 or 06
SCC4
Transaction code SCC4 is used to define the client. This is a cross-client transaction; any changes made will affect all the clients in the SAP system.
The users who have this access have the ability to make changes directly to the production system without going through the appropriate change management process.
No users should have access to this TCode. Its use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user in the audit period.
SE11, SE14
The users who have this access have the ability to maintain programs and the data dictionary.
There is a risk of accidental or deliberate corruption of the production system.
No users should have access to these TCodes. Their use should be restricted to firefighting only. Thus we should check whether access to these TCodes was provided to any user in the audit period.
SE06
The users who have this access can set up the Workbench Organizer and the Correction & Transport System.
Unauthorised workbench corrections and transports.
Access should be restricted to the Basis team only.
SE38
The users who have this access have the ability to perform development-related functions in the production system.
Unauthorised changes in the production system.
Access should be restricted to developers in the development system. Developers should not have access to this TCode in the production system. Auth Object – S_DEVELOP, Field – ACTVT – 01 or 02 or 06
SU01, SU02, SU03, SU12, SU21
The users who have access to SU01 (Auth Object – S_USER_GRP, Activity – 01 or 02 or 06) have the ability to create and change groups assigned to users.
The users who have access to SU02 (Auth Object – S_USER_AUT) have the ability to create and change groups assigned to users, while access to Auth Object – S_USER_PRO allows the user to maintain user authorisations and profiles [Activity – 01 or 02].
The users who have access to SU03 (Auth Object – S_USER_AUT, Activity – 01 or 02 or 06) have the ability to maintain authorizations.
The users who have access to SU12 (Auth Object – S_DEVELOP, Activity – 01 or 02) have the ability to maintain authorization objects.
The users who have access to SU21, have the ability to perform user
Unauthorised changes to user access.
Access should be restricted to the Basis team only.
SM12
Users with access to SM12 have the ability to remove lock entries when two processes contend for the same resource.
Locks are placed on a table and/or table entries when a process needs exclusive access to that DB table and/or record. Removing the lock could, for example, let another process change the same data while the first process is still running, thus generating inconsistency.
Make the transaction processing inconsistent. If changes are made using this TCode, the embedded
Its use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user in the audit period. Auth Object – S_ENQUE
SM31
The users who have this access have the ability to maintain all tables, which allows them to customize and configure the system. The risk may be reduced by locking the client against direct changes. However, a user with this access could still maintain all tables during periods when configuration changes are allowed.
Make the transaction processing inconsistent. If changes are made using this TCode, the embedded
Its use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user in the audit period. Auth Object – S_ENQUE
SM01
The users who have this access have the ability to lock or unlock sensitive transactions that should not be run in the production system.
Make the transaction processing inconsistent. If changes are made using this TCode, the embedded
Its use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user in the audit period. Auth Object – S_ADMI_FCD
SM35
Users with access to SM35 and a value of ‘RELE’ for the authorization object S_BDC_MONI can delete or release batch jobs. The value RELE refers to RELEASE, which is a standard SAP configuration.
Unauthorised changes to batch jobs.
Access to SM35 should be restricted to the Basis team only.
STMS
The users who have this access can transport changes to the production instance.
Unauthorised changes to the production system as well as its configuration.
Access to STMS should be restricted to users authorised to transport changes from quality to production. Auth Object – S_TRANSPRT, Field – ACTVT – 01 or 02 or 43 or 60
SE80
The users who have this access can use SAP’s ABAP Workbench. The user has access to a set of tools and libraries for designing, implementing, testing and maintaining transactions and reports written in ABAP Objects.
Unauthorised changes to reports and other objects.
Access to SE80 should be restricted to the Basis team only. Auth Object – S_DEVELOP, Field – ACTVT – 01 or 02.
The above list of critical TCodes is in no way complete and exhaustive. Depending on the client we audit, we need to add more TCodes to this list. The above list is the standard list that I check. If I come to know of more critical TCodes, I will add them to this list.
Have I missed any important TCodes? Let me know in the comments below.
Thanks to Nikita Lakhotia for identifying the Auth Objects.
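The check the article describes for each TCode (who could start it in the audit period, and who also holds the Auth Object and ACTVT value that makes it critical), as an added example that is not part of the original article. It assumes extracts shaped like the SAP tables AGR_1251 (authorization values per role) and AGR_USERS (role assignments with validity dates); the data is constructed, and the role and user names are made up.

```python
from datetime import date

# Constructed sample extracts (not real data), shaped like AGR_1251 and AGR_USERS.
AGR_1251 = [  # (role, object, field, low, high, deleted)
    ("Z_BASIS_ADMIN", "S_TCODE",    "TCD",   "SCC4", "",   ""),
    ("Z_BASIS_ADMIN", "S_TCODE",    "TCD",   "STMS", "",   ""),
    ("Z_BASIS_ADMIN", "S_TRANSPRT", "ACTVT", "01",   "60", ""),   # range 01..60
    ("Z_DEVELOPER",   "S_TCODE",    "TCD",   "SE*",  "",   ""),   # wildcard: every SE* TCode
    ("Z_DEVELOPER",   "S_DEVELOP",  "ACTVT", "01",   "02", ""),
    ("Z_DISPLAY",     "S_TCODE",    "TCD",   "SE38", "",   ""),
    ("Z_DISPLAY",     "S_DEVELOP",  "ACTVT", "03",   "",   ""),   # display only
    ("Z_RETIRED",     "S_TCODE",    "TCD",   "SM12", "",   "X"),  # flagged deleted
]
AGR_USERS = [  # (role, user, valid_from, valid_to)
    ("Z_BASIS_ADMIN", "BASIS01",  date(2020, 1, 1), date(9999, 12, 31)),
    ("Z_DEVELOPER",   "DEV01",    date(2020, 1, 1), date(9999, 12, 31)),
    ("Z_DEVELOPER",   "FF_USER",  date(2023, 3, 1), date(2023, 3, 2)),  # 2-day firefighter
    ("Z_DISPLAY",     "ANALYST1", date(2020, 1, 1), date(9999, 12, 31)),
    ("Z_RETIRED",     "OLDUSER",  date(2020, 1, 1), date(9999, 12, 31)),
]
AUDIT_PERIOD = (date(2023, 1, 1), date(2023, 12, 31))

def value_matches(low, high, wanted):
    """SAP authorization value semantics: a trailing '*' is a wildcard and a
    filled HIGH turns LOW..HIGH into an inclusive range."""
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    if high:
        return low <= wanted <= high
    return low == wanted

def users_granted(obj, field, wanted, period=AUDIT_PERIOD):
    """Users whose role assignment overlaps the audit period and whose role
    carries a non-deleted value for obj/field matching any of `wanted`."""
    roles = {r for r, o, f, lo, hi, dl in AGR_1251
             if o == obj and f == field and not dl
             and any(value_matches(lo, hi, w) for w in wanted)}
    start, end = period
    return {u for r, u, frm, to in AGR_USERS
            if r in roles and frm <= end and to >= start}

def critical_access(tcode, obj=None, activities=(), period=AUDIT_PERIOD):
    """Who could start `tcode` in the period and, if obj is given, who also
    holds one of the listed ACTVT values for it. Grants are aggregated across
    all of a user's roles, as SAP evaluates them, so they may come from
    different roles."""
    users = users_granted("S_TCODE", "TCD", [tcode], period)
    if obj:
        users &= users_granted(obj, "ACTVT", list(activities), period)
    return sorted(users)
```

A user who held a role for only two days inside the audit period (FF_USER) is still reported, which is exactly the firefighting access the article says should be checked.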
Thanks for the compilation of all Critical TCodes. I don’t think anything is missing.
Great to see that your website explores Microsoft as well as SAP technology. I’m myself a well-known SAP blogger. It is just that I don’t do technologies other than SAP.
Regards, Pavan Golesar
Cover the SM37 tcode also!
Great information, thanks for sharing!