Tuesday, November 25, 2008

SAP Security Tip: Restricting one transaction calling another transaction and the security not checked for called transaction

Problem: While working in one transaction, the user clicks an icon and is taken into a different transaction, even though the user does not have access to that transaction.

Cause: The code contains a CALL TRANSACTION statement. Normally, when a user executes a transaction, the system is forced to check S_TCODE, field TCD. With CALL TRANSACTION this check is skipped unless the transaction mapping is in the TCDCOUPLES table. The program checks the TCDCOUPLES table to see whether the called transaction needs to be checked. If there is no entry, the check is not performed and the user can get into the transaction even without access to this t-code.

Solution: Go to transaction SE97, which updates the TCDCOUPLES table, and add the t-code. You will then have an entry in TCDCOUPLES.

Examples: KSB5 from MB51, MD04 from ME2O, MMBE from MB51 and ME2O, KSB5 from MMBE

PS: This may not work for all transactions, so testing is always required.
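For custom programs that you maintain yourself, the same S_TCODE / TCD check can be made explicitly in the code before the call. The sketch below is an added example, not code from the original post; the report name and constant are hypothetical, and KSB5 is used only because it appears in the examples above.

```abap
REPORT z_call_tcode_checked.
" Added example: report name and constant are hypothetical.

CONSTANTS gc_called TYPE sy-tcode VALUE 'KSB5'.

START-OF-SELECTION.

  " Unchecked form described in the post: S_TCODE is only evaluated
  " here if the calling/called pair is maintained in TCDCOUPLES.
  "   CALL TRANSACTION gc_called.

  " Checked form: test S_TCODE, field TCD, for the called t-code first.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD gc_called.

  IF sy-subrc <> 0.
    " No authorization: report it and do not branch.
    MESSAGE 'No authorization for the called transaction'
            TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  CALL TRANSACTION gc_called.
```

For the standard transactions listed in the examples, the SE97 entry remains the route described in this post.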

Selva Kumar

Vice President- SAP Practice

OneAccess-UserManager for SAP

SAP Certified-Powered by Netweaver

http://www.softsquare.biz/oneaccess/

selva@softsquare.biz

Phone: 1 877 717 5487

Automate and Meditate
