This website is not affiliated with, sponsored by, or approved by SAP AG.

SE93 - Proper Use

Postby Gary Morris » Thu Oct 25, 2012 1:51 pm

I have observed Z transactions in SE93 with S_TCODE in the authorization field. Isn't this useless? Isn't a Z transaction going to require the user to have the tcode in S_TCODE in one of their roles anyway, or does this have to use a function in the code? I thought the creation of any new z tcode is automatically enforced for S_TCODE.
Gary Morris
SAP Security Consultant
garydavidmorris@gmail.com
Gary Morris
 
Posts: 399
Joined: Sun Oct 20, 2002 10:42 pm
Location: San Antonio, Texas

Re: SE93 - Proper Use

Postby jurjen » Thu Oct 25, 2012 2:02 pm

As far as I know the S_TCODE check is a kernel check so there's no need to put it in SE93 as well.
jurjen
 
Posts: 298
Joined: Wed May 17, 2006 8:17 am
Location: The Netherlands

Re: SE93 - Proper Use

Postby Sharpshooter » Thu Oct 25, 2012 4:03 pm

Unless you wish to check a different Tcode than the Z-code. For example, say you have a custom BOM maintenance transaction that uses SAP APIs. You could add a check for Tcode CS02 in your Z-transaction.
Although I would say it's best practice to check the proper application-specific auth object(s) instead.
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark

Re: SE93 - Proper Use

Postby henrik » Thu Oct 25, 2012 4:58 pm

I fully agree that it's pointless with S_TCODE check in SE93 in "modern" versions of SAP. Back before the S_TCODE check was introduced as standard, it made sense.
Technically, you can turn the S_TCODE check off, but that will also turn off the profile generator, so not really likely to happen anywhere, unless you want to go really old-school and create all your profiles through SU02 and SU03... :P
www.turnkeyconsulting.com.au
henrik
 
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK

Re: SE93 - Proper Use

Postby Gary Morris » Tue Oct 30, 2012 10:47 am

Thanks, everyone. I thought it was a waste of time, and was wondering if my client had been told to do this, as it was their policy on all Z transactions, and yet this is not even audit compliant since it is the same as relying only on tcode to secure a custom transaction and needs at least an application-specific authorization object in SE93 or an Authority Check statement with a custom object or SAP object in the code.
Gary Morris
SAP Security Consultant
garydavidmorris@gmail.com
Gary Morris
 
Posts: 399
Joined: Sun Oct 20, 2002 10:42 pm
Location: San Antonio, Texas

Re: SE93 - Proper Use

Postby os » Fri Nov 02, 2012 3:16 am

It is not exactly the same. Place your cursor on the authorization field in SE93 and hit F1.

This check will take place in call transaction after the S_TCODE is skipped but before the screen to be skipped is displayed or the SE97 couples are checked in the program behind the Tcode.

That can make it useful, but more for academics and special cases. Mainstream use would be more for an application object as plausibility to continue the call.

My 2 cents.
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am
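
Added example, not part of any post in this thread: a small audit that sorts custom transactions by the kind of SE93 authorization entry discussed above (S_TCODE on the transaction itself, S_TCODE on a different tcode such as CS02, an application object, or nothing). It assumes the SE93 values were exported to CSV with the columns TCODE, OBJCT, FIELD, VALUE; the rows, the ZBOM* transaction names and the object Z_BOM_CHG are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of SE93 authorization values.
# Assumed column layout: TCODE, OBJCT, FIELD, VALUE.
SAMPLE_EXPORT = """TCODE,OBJCT,FIELD,VALUE
ZBOM01,S_TCODE,TCD,ZBOM01
ZBOM02,S_TCODE,TCD,CS02
ZBOM03,Z_BOM_CHG,ACTVT,02
"""
# Constructed list of custom transactions to audit (ZBOM04 has no SE93 entry).
CUSTOM_TCODES = ["ZBOM01", "ZBOM02", "ZBOM03", "ZBOM04"]


def classify(export_text, tcodes):
    """Return {tcode: finding} describing each transaction's SE93 check."""
    objects = defaultdict(dict)  # tcode -> {object: {field: value}}
    for row in csv.DictReader(io.StringIO(export_text)):
        tcode = row["TCODE"].strip().upper()
        obj = row["OBJCT"].strip().upper()
        field = row["FIELD"].strip().upper()
        objects[tcode].setdefault(obj, {})[field] = row["VALUE"].strip().upper()

    findings = {}
    for tcode in (t.upper() for t in tcodes):
        objs = objects.get(tcode, {})
        if not objs:
            findings[tcode] = "no SE93 check"
        elif set(objs) != {"S_TCODE"}:
            # Anything other than S_TCODE counts as an application object here.
            others = sorted(set(objs) - {"S_TCODE"})
            findings[tcode] = "application object: " + ", ".join(others)
        elif objs["S_TCODE"].get("TCD") == tcode:
            # The entry only names the transaction's own code.
            findings[tcode] = "S_TCODE on itself"
        else:
            # The entry names a different transaction code.
            findings[tcode] = "S_TCODE on other tcode: " + objs["S_TCODE"].get("TCD", "?")
    return findings


if __name__ == "__main__":
    for tcode, finding in classify(SAMPLE_EXPORT, CUSTOM_TCODES).items():
        print(f"{tcode}: {finding}")
```
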

