Maintain T-codes with SE93
New t-codes can be created through the transaction SE93. In the example below, the t-code is created to call a program during execution. We can also create parameter transactions to which call standard sap transactions (like SE16 or SM30) or launch an ABAP query.
From the security perspective SE93 allows us to add a value for the authorization object field. This authorization object with the values specified for its fields, will be checked in addition to S_TCODE before the transaction is started.
Below we see the Se93 entry for the common HR t-code PP01. To start this transaction an user would need P_TCODE with TCD value PP01 in his user buffer, in addition to S_TCODE entry.
SE93 – Auth Obj for Transaction Start
SHD0 – Maintain Transaction Variants
Transaction variants allows us to selectively mask certain fields in SAP transactions/screens. Though strictly not a security tool, transaction variants can have applications in security by helping to prevent users from updating fields which are not protected through authorization objects.
Transaction Variants are created trough the SHD0 t-code. The initial screen SHD0 is given below. To create a transaction variant we mention the name of the parent transaction, give a name of the variant and click the create button.
Desired to gain proficiency on SAP Security? Explore the blog post on SAP Security Training to become a pro in SAP Security.
In our example below, we create a transaction variant ZSU01 for the very common SU01 tcode. The transaction variant allows an administrator only to reset passwords and hides all other functions of SU01. Each transaction variant contains of one or more screen variants depending on the number of screens being called in the entire transaction flow. We don’t have to manually keep track of the screen variants when we are working with transaction variants. As we move from one screen to the next, SHD0 automatically creates and appends a new screen variant to the sequence.
On clicking the create button for ZSU01, we are taken to the standard SU01 screen. We enter a user name and click the change password button. A pop-up window appears with a list of the screen fields. This window contains the attributes of our first screen variant. Its here where we enter a name of the screen variant and can selectively mark screen fields to invisible/output only/required, etc.
SHD0 – Confirm screen entries for SU01 initial screen
The screen variant window has a button for “Menu Functions” where we can selectively hide/deactivate menu items or toolbar buttons. Since our intention is to disable everything except password change options, we end up with below screen.
On clicking the check button from the screen variant we are taken to the next screen and need to save our entries for the password change screen.
SHD0 – Confirm screen entries for password change
On clicking, the save and exit button we are taken to the overview screen for the transaction variant. As shown below, this screen gives the definition of the individual screen variants which form part of the transaction variant. On saving our entries, we are taken to the SHD0 initial screen which shows the transaction variant and the screen variants defined under it.
SHD0 provides a test button here we can check if the newly created transaction variants works as per our requirement. Once tested we create a new Z transaction (ZSU01) for the transaction variant by following the menu path Goto>Create Variant Transaction
Check out the top SAP Security Interview Questions now!
SE93 – Create variant transaction
Once set up, this new transaction can be assigned to a user’s role just like a normal transaction. Executing, ZSU01 display a modified form of SU01 screen with all functions other than change password button is disabled.
Executing transaction variant for SU01