
Critical Tcode in SAP for ITGC and Sox Audit


While conducting an IT General Controls (ITGC) review or a SOX audit, we need to check which users have access to critical SAP TCodes. In this article we discuss which TCodes are critical and why, i.e. the risk that each of these TCodes carries.

SE01, SE09, SE10

Use

SE01 is the main screen of the Change and Transport Organizer. From here the user can perform all tasks related to transport requests, such as create, change, view logs, display client/delivery transports, etc. SE09 and SE10 can also be accessed from here. However, not all developers might be granted access to this transaction.

SE09 is the workbench transport request transaction. Developers can track changes to all ABAP Workbench objects (dictionary, reports, module pools, etc.). This is a developer-specific transaction and almost all developers have access to it.

SE10 is the customizing request display transaction – this displays all the customizing requests in the system. Again, this could be restricted to Business analysts if required, since they would be doing most of the customizing changes in the system.

Risk

The main risk is unauthorised changes in configuration. Users having access to transport changes may change the configuration.

Control

Access should be restricted to basis administrators only. Auth Object – S_TRANSPRT, Field – ACTVT

PFCG

Use

Transaction code PFCG is the role maintenance transaction used to manage roles and authorization data. Using PFCG, we can create roles, change and assign roles, create composite roles, and transport and distribute roles.

Risk

Users who have this access together with Auth Object – S_USER_AUT have the ability to create, change and delete authorizations. These users also have the ability to assign, delete and modify the authorization profiles of users.

Users who have access to Auth Object – S_USER_PRO have the ability to assign, delete and modify the authorization profiles of users.

Control

Access should be restricted to basis administrators only. Auth Object – S_USER_AGR, S_USER_AUT, S_USER_PRO. Field – ACTVT – 01 or 02 or 06

SCC4

Use

Transaction code SCC4 is used to define the client. This is a cross-client transaction; any changes made will affect all the clients in the SAP system.

Risk

Users who have this access have the ability to make changes directly to the production system without going through the appropriate change management process.

Control

No users should have access to this TCode. Use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user during the audit period.

SE11, SE14

Use

Users who have this access have the ability to maintain programs and the data dictionary.

Risk

There is a risk of accidental or deliberate corruption of the production system.

Control

No users should have access to these TCodes. Use should be restricted to firefighting only. Thus we should check whether access to these TCodes was provided to any user during the audit period.

SE06

Use

Users who have this access can set up the Workbench Organizer and the Correction and Transport System.

Risk

Unauthorised workbench corrections and transports.

Control

Access should be restricted to basis team only.

SE38

Use

Users who have this access have the ability to perform development-related functions in the production system.

Risk

Unauthorised changes in the production system.

Control

Access should be restricted to developers in the development system. Developers should not have access to this TCode in the production system. Auth Object – S_DEVELOP, Field – ACTVT – 01 or 02 or 06

SU01, SU02, SU03, SU12, SU21

Use

Users who have access to SU01 (Auth Object – S_USER_GRP, Activity – 01 or 02 or 06) have the ability to create and change the groups assigned to users.

Users who have access to SU02 (Auth Object – S_USER_AUT) have the ability to create and change the groups assigned to users, while access to Auth Object – S_USER_PRO allows the user to maintain user authorisations and profiles. [Activity – 01 or 02]

Users who have access to SU03 (Auth Object – S_USER_AUT, Activity – 01 or 02 or 06) have the ability to maintain authorizations.

Users who have access to SU12 (Auth Object – S_DEVELOP, Activity – 01 or 02) have the ability to maintain authorization objects.

Users who have access to SU21 have the ability to perform mass changes in user maintenance.

Risk

Unauthorised changes to user access.

Control

Access should be restricted to basis team only.

SM12

Use

Users with access to transaction code SM12 have the ability to remove lock entries when two processes contend for the same resource.

Locks are placed on a table and/or table entries when a process needs exclusive access to that DB table and/or record. Removing such a lock could, for example, let another process change the same data while the first process is still running, thus generating inconsistencies.

Risk

Transaction processing can become inconsistent. If changes are made using this TCode, the embedded application controls cannot be relied upon.

Control

Use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user during the audit period. Auth Object – S_ENQUE

SM31

Use

Users who have this access have the ability to maintain all tables, which allows them to customize and configure the system. The risk may be reduced by locking the client against direct changes. However, a user with this access could still maintain all tables during periods when configuration changes are allowed.

Risk

Transaction processing can become inconsistent. If changes are made using this TCode, the embedded application controls cannot be relied upon.

Control

Use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user during the audit period. Auth Object – S_ENQUE

SM01

Use

Users who have this access have the ability to lock or unlock sensitive transactions that should not be run in the production system.

Risk

Transaction processing can become inconsistent. If changes are made using this TCode, the embedded application controls cannot be relied upon.

Control

Use should be restricted to firefighting only. Thus we should check whether access to this TCode was provided to any user during the audit period. Auth Object – S_ADMI_FCD

SM35

Use

Users with access to SM35 and a value of ‘RELE’ for the authorization object S_BDC_MONI can delete or release batch jobs. The value RELE stands for RELEASE, which is standard SAP configuration.

Risk

Unauthorised changes to batch jobs.

Control

Access to SM35 should be restricted to the basis team only.

STMS

Use

The users who have this access can transport changes to the production instance.

Risk

Unauthorised changes to the production system as well as its configuration.

Control

Access to STMS should be restricted to users authorised to transport changes from quality to production. Auth Object – S_TRANSPRT, Field – ACTVT – 01 or 02 or 43 or 60

SE80

Use

Users who have this access have access to SAP’s ABAP Workbench. The user gets a set of tools and libraries for designing, implementing, testing and maintaining transactions and reports written in ABAP Objects.

Risk

Unauthorised changes to reports and other objects.

Control

Access to SE80 should be restricted to the basis team only. Auth Object – S_DEVELOP, Field – ACTVT – 01 or 02.

The above list of critical TCodes is in no way complete or exhaustive. Based on the client we audit, we need to add more TCodes to this list. The above list is the standard list which I check. If I come to know of more critical TCodes, I will add them to this list.
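As an added example (not code from the article), this is the check an ITGC reviewer can run over exports of the standard SAP role tables AGR_USERS (user-to-role assignment with validity dates), AGR_TCODES (TCodes in a role) and AGR_1251 (authorization values in a role) to list who held any of the critical TCodes above, with the auth object and activity values the article names, at any point in the audit period. Table and field names are SAP's; the roles, users and authorization rows are constructed, and the PFCG check is simplified to a single auth object.

```python
from collections import defaultdict
# TCode -> (auth object, field, values) as listed in the article; object None = the TCode alone is
# critical, values None = any row for that object counts. PFCG is reduced to one of its three objects.
CRITICAL = {
    "SE01": ("S_TRANSPRT", "ACTVT", None), "SE09": ("S_TRANSPRT", "ACTVT", None),
    "SE10": ("S_TRANSPRT", "ACTVT", None), "STMS": ("S_TRANSPRT", "ACTVT", {"01", "02", "43", "60"}),
    "PFCG": ("S_USER_AGR", "ACTVT", {"01", "02", "06"}), "SU01": ("S_USER_GRP", "ACTVT", {"01", "02", "06"}),
    "SU03": ("S_USER_AUT", "ACTVT", {"01", "02", "06"}), "SU12": ("S_DEVELOP", "ACTVT", {"01", "02"}),
    "SE38": ("S_DEVELOP", "ACTVT", {"01", "02", "06"}), "SE80": ("S_DEVELOP", "ACTVT", {"01", "02"}),
    "SM12": ("S_ENQUE", None, None), "SM31": ("S_ENQUE", None, None), "SM01": ("S_ADMI_FCD", None, None),
    "SM35": ("S_BDC_MONI", "BDCAKTI", {"RELE"}),  # BDCAKTI is SAP's field name for this object, not from the article
    "SCC4": (None,) * 3, "SE11": (None,) * 3, "SE14": (None,) * 3, "SE06": (None,) * 3, "SU21": (None,) * 3,
}

def value_granted(low, high, wanted):
    """True if an AGR_1251 LOW..HIGH range grants any wanted value ('*' grants everything)."""
    return low == "*" or any(low <= v <= (high or low) for v in wanted)

def critical_access(agr_users, agr_tcodes, agr_1251, period_start, period_end):
    """{user: [critical TCodes]} granted by a role assignment valid at some point in the audit period."""
    role_tcodes, role_auths, findings = defaultdict(set), defaultdict(list), defaultdict(set)
    for agr_name, tcode in agr_tcodes:
        role_tcodes[agr_name].add(tcode)
    for agr_name, obj, field, low, high in agr_1251:
        role_auths[agr_name].append((obj, field, low, high))
    for agr_name, uname, from_dat, to_dat in agr_users:
        if from_dat > period_end or to_dat < period_start:
            continue  # assignment never overlapped the period (YYYYMMDD strings compare correctly)
        for tcode in role_tcodes[agr_name] & set(CRITICAL):
            obj, field, values = CRITICAL[tcode]
            if obj is None or any(o == obj and (values is None or (f == field and value_granted(lo, hi, values)))
                                  for o, f, lo, hi in role_auths[agr_name]):
                findings[uname].add(tcode)
    return {user: sorted(tcodes) for user, tcodes in findings.items()}

# Constructed exports for the demo; field names follow the SAP tables.
AGR_USERS = [("Z_BASIS_ADMIN", "BASIS01", "20200101", "99991231"),  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT)
             ("Z_DEVELOPER", "DEV01", "20230101", "20230630"),      # expired before the 2024 audit period
             ("Z_FIREFIGHTER", "FF01", "20240310", "20240311"),     # two-day firefighter assignment
             ("Z_DISPLAY_DEV", "AUD01", "20200101", "99991231")]    # developer role with display only
AGR_TCODES = [("Z_BASIS_ADMIN", "PFCG"), ("Z_BASIS_ADMIN", "SU01"), ("Z_BASIS_ADMIN", "STMS"),
              ("Z_DEVELOPER", "SE38"), ("Z_FIREFIGHTER", "SCC4"), ("Z_FIREFIGHTER", "SM12"),
              ("Z_DISPLAY_DEV", "SE38")]
AGR_1251 = [("Z_BASIS_ADMIN", "S_USER_AGR", "ACTVT", "01", "02"),  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
            ("Z_BASIS_ADMIN", "S_USER_GRP", "ACTVT", "*", ""), ("Z_BASIS_ADMIN", "S_TRANSPRT", "ACTVT", "60", ""),
            ("Z_DEVELOPER", "S_DEVELOP", "ACTVT", "*", ""), ("Z_FIREFIGHTER", "S_ENQUE", "S_ENQ_ACT", "ALL", ""),
            ("Z_DISPLAY_DEV", "S_DEVELOP", "ACTVT", "03", "")]
if __name__ == "__main__":
    for user, tcodes in critical_access(AGR_USERS, AGR_TCODES, AGR_1251, "20240101", "20241231").items():
        print(user, tcodes)  # BASIS01 ['PFCG', 'STMS', 'SU01'] and FF01 ['SCC4', 'SM12']
```

Note that the two-day firefighter assignment is reported even though it is no longer active, which is exactly the "was access provided at any time in the audit period" question the controls above ask, while the display-only developer (ACTVT 03) is not.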

Have I missed any important codes? Let me know in comments below.

Thanks to Nikita Lakhotia for identifying Auth Objects

About The Author

CA, ISA, CISA, BCAF. Friends call me Techno Savvy Chartered Accountant. I work at EY in System Audit

4 Comments

  1. Thanks for the compilation of all Critical TCodes. I don’t think anything is missing.

  2. Great to see that your website explores Microsoft as well as SAP technology. I’m myself a well-known SAP blogger. It is just that I don’t do technologies other than SAP.
    Regards, Pavan Golesar

  3. Cover the SM37 tcode also!

  4. Great information, thanks for sharing!
