In SAP users access the system through a set of transaction codes or menu paths. User access can be controlled through transaction codes that a user can access. I had discussed in an earlier post about authorization object S_TCODE thorugh which transaction code access can be controlled. In SAP R/3, securing transaction codes can be cruicial. Since in SAP R/3 transaction codes are tied to activities a user can perform e.g. transaction code VA01 enables users to create a sales order.

In most SAP R/3 systems transaction code security is sufficient. When we secure SAP transactions, we are contoliing both the application area as well as the actions a user can take in the application area. S_TCODE authorization object acts as the first security frontier since all transaction need to pass this access test. Specialized software can be used to check which users have access to transaction codes via S_TCODE and TCODE authorization objects. Once this information is found out, one can go ahead with securing transaction codes from the user roles.

Related Posts

SAP R/3 Auditor Authorizations
SAP BEx Analyzer Toolbar
SAP CATT Computer Aided Test Tool
SAP Basis Transaction Codes