topic Question on Sensitive T-Codes in Application Development and Automation Discussions

Question on Sensitive T-Codes

former_member184386 — Wed, 22 Nov 2006 17:08:50 GMT

Hello gurus,

One of our few remaining open Internal Audit issues is - use of t-code SM01

to lock sensitive t-codes.

The main problem we have with this one is that we do not have any

information on which t-codes are considered 'sensitive' enough to be

locked, or what is considered best practice in this area.

I checked the SAP Notes website but there is no guidance there.

Which ones were considered to be sensitive)

or if you have any guidelines or other information on which-codes should be

locked.

Thank you,

Ricky Orea

Re: Question on Sensitive T-Codes

Former Member — Thu, 23 Nov 2006 02:46:56 GMT

Hi Ricky,

I would discourage you from just obtaining a list and locking them. If it were as simple as this blanket approach, then the tcodes probably would be locked as a default!

I would suggest that you obtain this information from the Internal Controls Framework to determine the activities, and therefore the tcodes that are of a critical nature as you may find that due to other mitigating controls in place, you may not need to lock many, if any, at all. That is, the inherent risk may be high, but the residual risk may be low due to the control activities already in place according to the Internal Controls framework, such as roles that adequately restrict from executing the critical transactions.

The Internal Audit group is normally the custodians/owners of the Internal Controls documentation, so just ask them for it.

PS. 'Sensitive' normally relates to <b>information</b> that is of a sensitive nature (ie, risk of display) such as HR salary information. 'Critical' normally refers to tcodes that are able to perform an activity that may put the environment at risk (ie, risk of maintain) such as client administration.

Re: Question on Sensitive T-Codes

former_member184386 — Fri, 24 Nov 2006 16:46:53 GMT

Thanks for this info.

Regards,

Ricky

Re: Question on Sensitive T-Codes

Former Member — Sat, 25 Nov 2006 15:49:55 GMT

Usually SE* codes are considered critical based on their functionalities especially in PRD system. SM* codes too can be considered critical because it gives accessibility to some critic al tables where information about the operating procedure resides.

Senstive could mean your custom codes that gives access to pulling reports.

Re: Question on Sensitive T-Codes

Former Member — Fri, 01 Dec 2006 05:55:18 GMT

Hi Ricky,

Main info of the above can be obtained from Tcode SECR.

List of Critical transactions /Critical authorizations can be found.

But they are not specific to Business but generally recommended

by SAP which even auditors refer. Filter and review those which

your require.

regards / Jayaraman Krishnamurthy

Intelligroup.

Re: Question on Sensitive T-Codes

Former Member — Tue, 05 Dec 2006 20:38:34 GMT

Hi Jayaraman,

Was just looking through this topic and you had mentioned looking at transaction code SECR. Would this be in BW because I'm getting a message saying this transaction does not exist!!

Jayashree

Re: Question on Sensitive T-Codes

Former Member — Wed, 06 Dec 2006 09:49:17 GMT

Hi Jayashree,

In BIW you may not find the tcode. Here it is auditing is Role based. Certain predefined roles exist which you need to use as template and assign

to the user master record. (note 754273)

Ricky,

critical transaction are many. from technical point of view i would list

some of them below

SCC* transactions

Many of SE* transactions are critical.

SPRO

All basis transactions are critical if assigned to non technical users.

SLICENSE

SM49

SM59

and so on

regards / Jayaraman Krishnamurthy

Intelligroup.

Re: Question on Sensitive T-Codes

Former Member — Thu, 07 Dec 2006 21:13:11 GMT

Hi Ricky Orea,

The most sensitive t-codes people consider in SAP .

AL01 SAP alert monitor

AL02 Database alert monitor

AL03 Operating system alert monitor

AL04 Monitor call distribution

AL05 Monitor current workload

AL06 Performance: Upload/Download

AL07 EarlyWatch Report

AL08 Users logged on

AL09 Data for database expertise

AL10 Download to Early Watch

AL11 Display SAP Directories

AL12 Display table buffer (Exp. Session)

AL13 Display shared memory (Expert mode)

AL15 Customize SAPOSCOL destination

AL16 Local alert monitor for operating system

AL17 Remote alert monitor for operating system

AL19 Remote file system monitor

AL20 EarlyWatch data collector list

DB01 Analyze exclusive lockwaits

DB02 Analyze tables and indexes

DB03 Parameter changes in database

DB12 Overview of backup logs

DB14 Show SAPDBA action logs

OS01 LAN check with ping

OS02 Operating system configuration

OS03 O/S parameter changes

OS04 Local system configuration

OS05 Remote system configuration

OS06 Local operating system activity

OS07 Remote operating system activity

PFCG Profile Generator

RZ01 Job Scheduling Monitor

RZ02 Network graphics for SAP instances

RZ03 Presentation, Control SAP instances

RZ04 Maintain SAP instance

RZ08 SAP Alert Monitor

RZ10 Profile parameters

RZ11 Dynamic change of parameters

SCC4 Client creation

SCC5 Client deletion

SCC7 Post-Client Import Methods

SCC8 Client Export

SCC9 Remote Client Copy

SDBE Matchcode objects (test)

SE01 old, replaced by Workbench Organizer

SE06 Used to set up and maintain the Workbench Organizer (Dictionary Access)

SE09 - Enables the ABAP/4 Development Workbench

SE10 - Customizing

SE11 ABAP/4 Data Dictionary Maintenance

SE12 ABAP/4 Data Dictionary Display

SE12 ABAP/4 Dictionary Display

SE13 Maintain Technical Settings (Tables)

SE14 Utilities for Dictionary Tables

SE15 ABAP/4 Repository Information System

SE16 Data Browser

SE30 ABAP/4 Runtime Analysis

SE38 ABAP/4 Editor

SM02 System Messages

SM04 User Overview

SM12 Display and delete locks

SM13 Display update records

SM18 Reorganize Security Audit Log

SM19 Security Audit Configuration

SM20 Security Audit Log Assessment

SM21 System log

SM28 Installation check

SM37 Background job overview

SM39 Job analysis

SM50 Work Process Overview

SM51 List of SAP servers

SM52 Unix command line

SM56 Number Range Buffer

SM58 Asynchronous RFC Error log

SM59 RFC Destinations (Display/Maintain)

SM65 Background processing analysis tool

SM66 Systemwide work process overview

SMGW Gateway monitor

SMLG Maintain logon group

SP01 Output controller

ST01 System Trace In file /usr/sap/<SID>/<Instance>/log/Trace000

ST02 Setups/Tune Buffers Contains a list including all authorization objects

ST03 Performance, SAP statistics, workload that were checked and their required values, for

ST04 Select activity of the databases each entered transaction code.

ST05 SQL Trace

ST06 Operating System Monitor

ST07 Application Monitor

ST08 Network Monitor

ST09 Network Alert Monitor

ST10 Table call statistics

ST11 Display developer traces

ST12 Application monitor

ST14 Application analysis

ST22 ABAP/4 Runtime Error Analysis

STAT Local transaction statistics

STUN Menu performance monitor

SU01 Maintain users

SU02 Allocate authorizations to a profile

SU03 Maintenance of Authorizations

SU10 Delete/add a profile for all users

SU12 Delete all users

SU24 Auth. Obj. Check Under Transactions

SU50 Maintain user defaults

SU53 Authorization Trace

TKOF Turn off oracle trace

TKON Turn off oracle trace

TKPR Display trace file

TU01 Call statistics

TU02 Parameter changes

Thanks,

Shyam

Re: Question on Sensitive T-Codes

Former Member — Tue, 12 Dec 2006 04:19:19 GMT

Be aware however, that many of the above transactions are business critical. That is, if you lock them, your production system will not be administered properly (eg, SU01 is used to maintain users. If you lock it, then you can't create users!). They may have a certain level of risk associated with these tcodes, but they shouldn't all be 'forbidden' to be used in a production system. If you follow fundamental role design (ie, ensure risks are appropriately mitigated), then the more 'risky' tcodes will only be assigned to the appropriate users, under the appropriate conditions, with the appropriate mitigating controls.

I maintain that you should consult the internal audit/compliance/internal controls team for their internal controls framework and from that you can extrapolate the transactions that should be locked (if any).