Sometimes it is necessary to create new (custom) transactions in SAP systems. These custom transactions should always be taken into account when auditing or analysing the authorization concept. How do you identify the authorization checks for these custom transactions?
Not all custom transactions will be very critical (hopefully). But how do you make sure you are including the critical ones in your analysis? First, have a look at the custom transactions that exist. All available transactions are stored in table TSTC.
1. Via SE16 -> TSTC
2. Custom transactions begin with the letter Y or Z. Search on the Y* and Z* transactions
3. You get an overview of all existing custom transactions
Not all custom transactions are critical, but the critical ones should be included in your analysis.
You can have a look at the name of the custom transaction via table TSTCT, but even custom transactions with harmless names can be critical. So you have to go through every custom transaction to see what it really is.
Once you have your list of critical transactions, you will want to include them in your rule set for auditing. But how do you check whether authorization checks are included in the custom transaction? Normally a transaction can be secured either by having the authorization check included in the report itself or by calling another transaction. To check whether a custom transaction has authorization check(s):
- Transactions that are secured via Call transactions and/or authority checks
1. Via SE93, enter the custom transaction and click the Display button (the example below is for transaction FD01)
2. Double click on the program
3. This will show the program (ABAP code). Open the Find option
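When there are many Y*/Z* transactions, the same lookup can be run in bulk over exported data. The following is an added example, not part of the original page: it assumes the TSTC rows (TCODE, PGMNA) and the program sources have been exported, and that the statements to look for are AUTHORITY-CHECK OBJECT and CALL TRANSACTION; all sample rows and ABAP snippets are constructed.

```python
import re

# Constructed sample: (TCODE, PGMNA) rows as exported from table TSTC via SE16.
TSTC_ROWS = [
    ("ZFI_PAY", "ZFI_PAYRUN"), ("ZMM_WRAP", "ZMM_WRAPPER"),
    ("YHR_LIST", "YHR_LIST"),
    ("FD01", "SAPMF02D"),  # not Y*/Z*, so it is filtered out below
]

# Constructed sample: ABAP source per program, as displayed from SE93.
SOURCES = {
    "ZFI_PAYRUN": """REPORT zfi_payrun.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '01'.
""",
    "ZMM_WRAPPER": """REPORT zmm_wrapper.
CALL TRANSACTION 'MM03'.
""",
    "YHR_LIST": """REPORT yhr_list.
* AUTHORITY-CHECK OBJECT 'P_ORGIN' ID 'INFTY' FIELD '0008'.
SELECT * FROM pa0008 INTO TABLE lt_pay.  " todo: authority-check
""",
}

PATTERNS = {
    "authority-check": re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I),
    "call transaction": re.compile(r"\bCALL\s+TRANSACTION\b", re.I),
}

def strip_comments(source):
    # Drop full-line comments (* in column 1) and inline comments (after a
    # double quote), so a commented-out check is not counted as a real one.
    kept = [l.split('"', 1)[0] for l in source.splitlines() if not l.startswith("*")]
    return "\n".join(kept)

def audit(rows, sources):
    """Return {tcode: mechanisms found} for custom transactions; None = no source."""
    findings = {}
    for tcode, program in rows:
        if not tcode.upper().startswith(("Y", "Z")):
            continue
        if program not in sources:
            findings[tcode] = None
            continue
        code = strip_comments(sources[program])
        findings[tcode] = [n for n, rx in PATTERNS.items() if rx.search(code)]
    return findings

if __name__ == "__main__":
    for tcode, found in audit(TSTC_ROWS, SOURCES).items():
        status = "source missing" if found is None else ", ".join(found) or "NO CHECK FOUND"
        print(f"{tcode:10} {status}")
```

A transaction reported with no check found still needs a manual look at its program and includes; the scan only narrows down where to start.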