What are your organization’s top three most sensitive T-Codes; the ones that you’re really careful about granting? You’ve had to think about this before, either during an authorization-inspection project, a GRC project or when asked by an auditor. Can you name the “top three?” I’m sure you can. And I’m sure you probably wouldn’t give it a second thought.
You’ll say it’s obvious, the most sensitive T-Codes are the ones dealing with access, the ones dealing with invoices, the ones dealing with new accounts. Well, as George Bernard Shaw so eloquently put it, “No question is so difficult to answer as that to which the answer is obvious.”
You have to dig deeper because there is no one universal answer. To get to the truth, you must do your due diligence.
Defining high-risk (sensitive) activities or T-Codes is an essential part of every authorization-related project because of the significant impact they could have on the company if they are misused. To manage them requires a list, and once this list is defined, leverage it: Get alerts when granting sensitive activities and when they are used irregularly, find authorization roles that include sensitive activities so you can narrow them down, and see a distinct icon in your reports when sensitive activities appear.
But what are the actual sensitive activities you’re being alerted about? How do you make this list? Sensitive T-Codes vary significantly depending on some key factors.
The List of Sensitive T-Codes
They aren’t as obvious as you think. When our customers set up our software, they reach a step in the recommended implementation path where they are prompted to define high-risk activities. They expect this step to take an hour because of course they know what the sensitive activities are, but once they really put their minds to it, it can take them days to finalize the list. The reason is that the list has to be both specific and broad at the same time: listing a great many high-risk activities is not efficient; listing the RIGHT ones is the real problem.
From our experience, here are some interesting findings about the most sensitive T-Codes:
Interesting Findings about Sensitive T-Codes
- The answer depends on the time of the year – if your answer is FS00 (G/L Account Creation), FB01 (Post Document) and SU01 (User Maintenance), my guess is that the security guys have just had their annual audit of finance related issues, or maybe you’ve had a regular meeting with your internal auditor. If your answer is FB01 (Post Document), MIGO (Goods Movement) and MIRO (Enter Incoming Invoice), there’s a good chance that you’re fresh out from a thorough SOX/SoD compliance check or GRC audit. People tend to name their “top three” most sensitive T-Codes based on the last thing they were working on or stressed out about, and often the same person will inadvertently give different answers following different auditing tasks.
- The answer depends on the department – of course, each department will have their subjective answer. The “top three” most sensitive T-Codes in finance are probably F110 (Automatic Payment), FB01 (Post Financial Documents), and FS00 (G/L Account Master Record Maintenance) for most power users. But if you’re more involved with infrastructure and authorizations, you will probably say SU01 (User Maintenance), PFCG (Role Maintenance) and SCC4 (Client Administration). People see sensitivity through the glasses of their own department and can therefore identify risk in what they understand best.
- The answer depends on the position – even within the same department, you’ll get different answers: from a power user in finance, from the authorization manager for finance and from the IT reference person in the financial department. This is because each person attaches their own meaning to the word “sensitive.” For example, an end user running a T-Code that can be switched from “Display” mode to “Change” mode will probably worry the authorization and security people, but the power user in finance will probably not even think of it as a risk.
- The answer depends on the type of the organization and the usage – each organization has its “favorite” most-used activities, and the scope of sensitive T-Codes varies accordingly. We discovered that even companies in the same industry can disagree on the list of sensitive activities. For instance, automobile manufacturers fall under the industry of “production,” and so do some companies in the food industry. Although both make goods, the difference in risk between theft during the shipping process from a one-million-unit shipment of canned corn and from a shipment of three automobiles is obvious. The same goes for the finance-related industries: although insurance companies and banks both deal with money, insurance companies are more concerned about fraudulent claims than about someone making a standard withdrawal from their own account.
So why is it so important for you to know the answer?
“Sensitive” means dangerous, and dangerous means that you must track usage. If you track usage, then from time to time you’ll find “surprises” (i.e., suspicious behavior) such as someone running XK01 (Create Vendor) in the middle of the night, or F110 (Automatic Payment) transferring money on an unexpected date. Defining the “list” of the most sensitive T-Codes for your organization will enable you to know who can use them, what the true risk is and who really is using them. Just as importantly, you’ll be able to determine which sensitive T-Codes can be removed from the people who don’t use them, in order to reduce the risk of misuse.
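The two checks described above, usage outside the expected pattern and grants that are never exercised, as an added example that is not code from the original post or from any vendor product. The sensitive list reuses the T-Codes named on this page; the grant table, the usage log lines, the log format, the business-hours window and the expected payment-run days are all constructed assumptions for illustration and do not mirror any SAP table or audit-log layout.

```python
"""Usage monitor for a list of sensitive SAP T-Codes (added example).

All data below is constructed for illustration: the grant table, the
log lines and their "<ISO timestamp> <user> <tcode>" format, the
business-hours window and the expected payment-run days are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# The organization's agreed list of sensitive T-Codes (names as on the page).
SENSITIVE_TCODES = {
    "SU01": "User Maintenance",
    "PFCG": "Role Maintenance",
    "SCC4": "Client Administration",
    "F110": "Automatic Payment",
    "FB01": "Post Document",
    "FS00": "G/L Account Master Record Maintenance",
    "XK01": "Create Vendor",
}

# Constructed (hypothetical) grants: which users may start which T-Codes.
GRANTS = {
    "jdoe": {"FB01", "F110", "FS00", "XK01"},
    "asmith": {"FB01", "MIRO"},
    "basisadm": {"SU01", "PFCG", "SCC4"},
}

# Constructed (hypothetical) usage log, one "<ISO timestamp> <user> <tcode>" per line.
USAGE_LOG = """\
2024-03-04T09:12:00 jdoe FB01
2024-03-04T23:47:00 jdoe XK01
2024-03-07T10:05:00 jdoe F110
2024-03-15T10:30:00 jdoe F110
2024-03-11T14:00:00 asmith FB01
2024-03-12T08:30:00 basisadm PFCG
2024-03-12T08:31:00 basisadm SU01
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business window
PAYMENT_RUN_DAYS = {1, 15}                  # assumed days of month F110 is expected


def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, tcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tcode = line.split()
        events.append((datetime.fromisoformat(ts), user, tcode))
    return events


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True outside the business window or on a weekend."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_surprises(events, sensitive=SENSITIVE_TCODES, hours=BUSINESS_HOURS,
                   payment_days=PAYMENT_RUN_DAYS):
    """Uses of sensitive T-Codes that break the expected pattern.

    Returns (timestamp, user, tcode, reason) tuples in log order.
    """
    surprises = []
    for ts, user, tcode in events:
        if tcode not in sensitive:
            continue
        if is_off_hours(ts, hours):
            surprises.append((ts, user, tcode, "off-hours use"))
        if tcode == "F110" and ts.day not in payment_days:
            surprises.append((ts, user, tcode, "payment run on unexpected date"))
    return surprises


def unused_grants(grants, events, sensitive=SENSITIVE_TCODES):
    """Sensitive T-Codes a user holds but never used in the log: removal candidates."""
    used = defaultdict(set)
    for _, user, tcode in events:
        used[user].add(tcode)
    result = {}
    for user, tcodes in grants.items():
        idle = (tcodes & set(sensitive)) - used[user]
        if idle:
            result[user] = sorted(idle)
    return result


if __name__ == "__main__":
    evs = parse_log(USAGE_LOG)
    for ts, user, tcode, why in find_surprises(evs):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<9} {tcode} ({SENSITIVE_TCODES[tcode]}): {why}")
    for user, idle in unused_grants(GRANTS, evs).items():
        print(f"{user}: granted but unused -> {', '.join(idle)}")
```

Run against the constructed log, this flags jdoe's XK01 at 23:47 and the F110 run on the 7th, and reports FS00 (jdoe) and SCC4 (basisadm) as sensitive grants that were never exercised. In a real deployment the usage events would come from the system's own statistics or audit records and the grant table from the role-to-user assignments; the point of the example is the shape of the two checks, not the data source.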
So you see, the “most sensitive T-Codes” is a thorough compilation of many subjective answers whittled down to the core. It’s doing your due diligence and having the ability to be both specific and broadminded.
…And yes, you must have that list.