The Curse of the Unused: Z_UNUSED_TCODE and Y_UNUSED_ROLE

Cursed

In 1914, American judge Louis Brandeis coined the famous quote “Sunlight is said to be the best of disinfectants,” and it has proven to be most accurate in 2014 too.

Many of our current and potential clients fear what may be revealed when the light is shined upon them. Some say it loud and some say it quietly in their hearts, “What if, when we use your software it’s revealed that 50% of our own developed T-Codes are not being used? Who will justify the huge development of Z T-Codes that was asked for which no one utilizes? Will I be the scapegoat?” Ignorance is bliss. If you don’t know about it, then you don’t have to deal with the reality of the situation and no one can be guilty of anything. This is the secret point of view of people who resist implementing auditing software.


Note: This blog is not related to GRC, which of course some companies are obligated to maintain. I’m referring to security and authorizations – all the auditing stuff of knowing who-is-using-what. 

Someone in the organization has to be brave enough to say, “We want to know what’s really going on. We want to take the responsibility to improve our situation!” And indeed, after taking the step and implementing ProfileTailor Dynamics Security and Authorizations, they easily identify and solve a lot of authorization-related issues, which, lets face it, might become security breaches.

Here are the top three most common solutions that our customers choose to focus on, after implementing the software:

1. Eliminating Unused T-Codes and Authorizations: When you know what is being used, then you know what is not being used. From there, the most sensible action from a security point of view is to eliminate the T-Codes that nobody is using, so they will not be misused.

For example, if someone developed Z_INVOICE to issue invoices and nobody uses it, lock it via T-Code SM01. This way you ensure that nobody can misuse it to issue false invoices. It’s a simple action with high impact. Afterwards, if someone really needs this T-Code, the request can be examined and the T-Code can be unlocked again.
The same goes for authorization roles: If no one uses a specific authorization role, delete it everywhere except in the QA system. This way you will still have access to it, but there won’t be potential to misuse it in production.

2. Watching Sensitive Data Directly: It is amazing to see the impact on customers when they discover who is looking at sensitive data in production. Using T-Codes like SE16 and SE16N and also using simple SAP queries, sophisticated users like IT people, top-users and even employees who are good at Google Search can access very sensitive data, and in most organizations – yes, they will! People are most interested in financial data and salary information – “How much are they paying the outsourcing company for my services?” is often asked by external employees, “What is our revenue?” is asked by people who hold company stock, and “Let’s find out what my boss’s salary is…” is asked a lot too.

Our customers can see the access to financial data tables like BKPF and BSEG (and even BSIK and BSAK) by people who are not meant to be there, but thought that it would be interesting to take a peek anyway. Following these findings, our customers can reevaluate access to SE16 and SE16N and inspect SAP queries more seriously.

Let me take a step back and say that in fact we only find a few cases of misuse of SE16, SE16N and SAP queries because most uses are for legitimate purposes. But the ones that break the rule, the non-legitimate purposes, that is what worries CISOs and Authorization Managers.

3. Access to Company Codes and Other Organizational Objects: When you have the data, it is very simple to produce an Excel sheet that lists employees to company codes, for example. Then you can easily trace potential security breaches, like employees from the warehouse who can access the company codes for management. When the data is stored (a.k.a. “buried”) inside roles and authorization objects – nobody has the time or patience to inspect it thoroughly, but when it lies in a simple Excel table, mistakes can be easily traced by managers and they can take action to fix the situations.

Share With Your Network

Share on facebook
Share on google
Share on twitter
Share on linkedin
Close Menu

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you, in order to personalize your experience. To find out more about the cookies we use, see our Privacy Policy.