Introduction:
More than once I have seen security and development teams make the mistake of assigning custom transaction codes to standard SAP reports because no one could find the standard transaction code assigned to a report. This blog will show a common mistake made by security, analyst, and sometimes ABAP resources when looking for transaction codes associated with standard SAP reports.
Intended Audience:
- Security
- Analyst
- ABAP programmer
Example Scenario:
- ECC 6.0
- A few business users have access to transaction SA38 in production to run program RSSCD100 (Display Change Documents)
- A decision is made by Security and Audit to no longer allow SA38 in production
- Security looks at the RSSCD100 program and determines there is no standard SAP tcode
- Security opens a request with ABAP Team to add a custom transaction to RSSCD100
- A custom transaction is added: ZRSSCD100
- Security roles are updated to add the new tcode
- The new tcode and updated roles are moved to Production
What Went Wrong:
Security relied on table TSTC (SAP Transaction Codes) to see if a transaction code was assigned to the program; they found no entries in the table. Note: The same result would be found if looking at the program via SE80; i.e., there would be no "Transactions" folder showing assigned tcodes. With this finding, Security then proceeded to request the custom development from the ABAP Team.
What They Needed to Know:
Transaction codes have what are called "Start Objects." For transactions where the start object is a program, searching table TSTC (SAP Transaction Codes) by program name (PGMNA) is sufficient. But for programs that have been assigned a transaction code that uses a start object of "Transaction with parameters," the program name is in the parameters. For these transactions, PGMNA in table TSTC will be blank. The additional information that links the program name to the tcode is found in table TSTCP (Parameters for Transactions).
Here is an example of what a "Transaction with parameters" that calls a report might look like:
How to Search Table TSTCP:
Notice in the screenshots below that two (2) assigned transaction codes are found: RSSCD100 and S_ALR_87101238.
♦ Tip: Put a semicolon after the program name to ensure you do not pick up other entries with names similar to the program name you are searching for. The data in the PARAM field is separated by semicolons.
Conclusion:
When searching for transaction codes assigned to a program, do the following:
1. Search table TSTC where PGMNA = program name
2. If nothing is found in Step 1 (or even if something is found), then search table TSTCP where PARAM includes pattern *program name;*
If Security had followed these steps in our example scenario, they would still have made the role updates, but could have avoided additional custom (and unnecessary) development.
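The two-step search and the semicolon tip, as an added example that is not part of the original post: it runs over constructed rows shaped like SE16 exports of TSTC and TSTCP. The PARAM layout, the ZDEMO_* tcodes and the similarly named programs are assumptions for illustration. It goes one step beyond the tip by also comparing whole parameter values, because a leading wildcard still matches a program whose name merely ends in the search term.

```python
# Constructed sample rows; only the tcodes RSSCD100 and S_ALR_87101238 come from the post.
# Assumed PARAM layout: "/*<called tcode> FIELD=VALUE;FIELD=VALUE;"
TSTC = [  # (TCODE, PGMNA); PGMNA is blank for "Transaction with parameters"
    ("RSSCD100", ""),
    ("S_ALR_87101238", ""),
    ("ZDEMO_C", "ZDEMO_PROG"),
]
TSTCP = [  # (TCODE, PARAM)
    ("RSSCD100", "/*START_REPORT D_SREPOVARI-REPORT=RSSCD100;"),
    ("S_ALR_87101238",
     "/*START_REPORT D_SREPOVARI-REPORT=RSSCD100;D_SREPOVARI-VARIANT=DEMO;"),
    ("ZDEMO_A", "/*START_REPORT D_SREPOVARI-REPORT=RSSCD100_DEMO;"),
    ("ZDEMO_B", "/*START_REPORT D_SREPOVARI-REPORT=ZRSSCD100;"),
]

def tstc_tcodes(program):
    """Step 1: tcodes whose start object is the program itself."""
    return sorted(t for t, pgmna in TSTC if pgmna == program)

def tstcp_contains(text):
    """Step 2 as typed in SE16: PARAM matches the pattern *text*."""
    return sorted(t for t, param in TSTCP if text in param)

def tstcp_exact(program):
    """Stricter step 2: the program must equal a whole parameter value."""
    hits = []
    for tcode, param in TSTCP:
        # Drop the "/*<called tcode>" prefix, then split into FIELD=VALUE pairs.
        _, _, assignments = param.partition(" ")
        values = [a.partition("=")[2] for a in assignments.split(";") if "=" in a]
        if program in values:
            hits.append(tcode)
    return sorted(hits)

def find_tcodes(program):
    """Both steps combined, so neither kind of start object is missed."""
    return sorted(set(tstc_tcodes(program)) | set(tstcp_exact(program)))

if __name__ == "__main__":
    print("TSTC only:         ", tstc_tcodes("RSSCD100"))
    print("*RSSCD100*:        ", tstcp_contains("RSSCD100"))
    print("*RSSCD100;*:       ", tstcp_contains("RSSCD100;"))
    print("exact value match: ", tstcp_exact("RSSCD100"))
    print("combined lookup:   ", find_tcodes("RSSCD100"))
```

A hit from the pattern search should still be confirmed by reading the PARAM value, since the program name could also appear as the value of an unrelated field.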