Solving generic SM30 and SE16 access with dedicated transactions

In a high-security environment, generic data access via SE16 and SM30 must be restricted. In many cases, however, IT or business users still need to maintain data through the SM30 mechanism, or support staff still need to view certain table data.

This blog explains a more targeted approach: create a dedicated transaction for each table. Generic SM30 and SE16 access can then be revoked and replaced with authorizations for the specific table and the specific transaction.

Setup transaction to call SM30 for single table

Start transaction SE93, enter the transaction code you want to create and push the Create button:

On the next screen provide a description and choose the option Transaction with Parameters:

Now fill out the transaction detail:

The text is free of choice. As the transaction enter SM30 (we are creating a parameterized variant of it) and tick Skip initial screen. You can inherit the GUI attributes. In the default values, enter VIEWNAME with the table you want to maintain as its value, and add a second entry UPDATE with value X.

Save your work and test the transaction.

Entering the transaction code now jumps directly to the maintenance screen of the table (in our case ZTESTTABLE, as specified).

Setup transaction to call SE16 for single table

For SE16 repeat the above steps:

The text is free of choice. As the transaction enter SE16 (again a parameterized variant) and tick Skip initial screen. You can inherit the GUI attributes. In the default values, enter DATABROWSE-TABLENAME with the table you want to display as its value.

Authorization team work

The authorization team can now remove SM30, SE16 and generic table access (S_TABU_DIS by authorization group). What remains is table access for this specific table only (S_TABU_NAM) together with S_TCODE for the newly created Z transaction. Keep in mind that the Z transaction only narrows the entry point; the authorization check on the table itself is what enforces the restriction, so the table authorization must be scoped to exactly that table and activity.

SE16N_BATCH program

SE16N_BATCH is a very powerful and dangerous program. You can use it to run SE16N queries on large data sets as a background job and pick up the results later from the spool.

But it can also be misused to fetch data that you are not authorized to see yourself, but that a batch job user is.

Good use

For example, you need a large number of records from BSEG:

Online this might fail with a timeout. Run as a background job, the data is simply picked up from the spool later:

Misuse

The program can also be abused. Suppose an attacker wants all user password hashes. SE16N access to USR02 is blocked for their own user. They schedule the program as a background job, not under their own user but under a batch job user that is authorized to read USR02. The whole table then lands in the spool, where the attacker reads it. The controls that matter here are the authorization to schedule jobs under another user (S_BTCH_NAM) and the authorization to display other users' spool requests (S_SPO_ACT); both should be as restricted as the table access itself.

OSS notes

3443282 – “submit se16n_batch exporting list to memory” doesn’t work in background run

How to check SE16N usage?

SE16, SE16N and SE16H are frequently used transactions. They are useful for quickly fetching data, but they are also a security risk, since they can expose data that should not be displayed.

Questions that will be answered in this blog are:

  • Which users used SE16N?
  • How much data do the users pull using SE16N?
  • Which tables did the users read using SE16N?
  • How to check which changes were performed using SE16N?

Which users are using SE16N?

Start transaction ST03 or ST03N and create a detailed-recording setting for SE16N:

Save the values and let the system collect the data.

Now in ST03, in the tree below Transaction Profile, the details for SE16N are shown. Double-clicking the EXEC function gives the details of the execution step:

The database columns are normally further to the right.

This gives you information on who used SE16N and how much data was transferred.

Which tables were read using SE16N?

If you want to know which table was read via SE16N, you must first activate audit event DU9 (generic table access) in the SAP Security Audit Log. Go to transaction RSAU_CONFIG and make sure this event is switched on:

Now display the audit log with transaction RSAU_READ_LOG or RSAU_READ_LOG_ADM (the latter is the version without user ID and terminal):

Select DU9 only to make the report faster.

You can now see the tables accessed via SE16N:

In many analysis cases it is sufficient to see which tables are read, and how frequently.

Use RSAU_READ_LOG to see user and terminal information as well.

The audit log is a powerful tool. Be aware of privacy related rules in your company.
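As an added example that is not part of the original blog, the following Python script tallies DU9 events from an export of RSAU_READ_LOG to answer the questions above (which users, which tables, how often, which accesses were changes), and it flags the pattern from the SE16N_BATCH section: a read of a sensitive table such as USR02 by a user without a terminal, as a background job user would appear. The semicolon-separated layout, the column names and the sample records are constructed assumptions for the example; map the columns of the export you actually produce onto them.

```python
"""Tally generic table access (DU9) events from a Security Audit Log export.

Added example, not part of the original blog. The export layout below
(semicolon-separated, with these column names) is an ASSUMPTION used for a
constructed sample; adjust the header mapping to your own RSAU_READ_LOG export.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Tables whose generic read should always be reviewed (assumption for the example).
SENSITIVE_TABLES = {"USR02", "USH02", "USR40", "PA0008"}

# Activity codes as carried in the DU9 event: 02 = change, 03 = display.
ACTIVITY_NAMES = {"02": "change", "03": "display"}

# Constructed sample export, NOT real audit data. The BATCHUSR line has an
# empty terminal, which is how a background job user typically shows up.
SAMPLE_EXPORT = """\
date;time;user;terminal;event;table;activity;transaction
20240601;081501;JSMITH;WS0001;DU9;MARA;03;SE16N
20240601;081733;JSMITH;WS0001;DU9;MARC;03;SE16N
20240601;091002;BATCHUSR;;DU9;USR02;03;SE16N
20240601;091230;ADOE;WS0017;DU9;ZTESTTABLE;02;ZTESTTABLE_MAINT
20240601;093045;JSMITH;WS0001;AU3;;;SE16N
20240601;101200;JSMITH;WS0001;DU9;USR02;03;SE16N
"""


def parse_du9(text):
    """Return only the DU9 (generic table access) records of an export."""
    return [r for r in csv.DictReader(StringIO(text), delimiter=";")
            if r["event"] == "DU9"]


def tables_by_user(records):
    """Map user -> Counter of tables accessed (which tables, how often)."""
    result = defaultdict(Counter)
    for r in records:
        result[r["user"]][r["table"]] += 1
    return result


def changes(records):
    """DU9 records with activity 02, i.e. table changes rather than reads."""
    return [(r["user"], r["table"], r["transaction"])
            for r in records if r["activity"] == "02"]


def suspicious(records):
    """Flag accesses to sensitive tables; note when the actor has no terminal,
    the footprint of the SE16N_BATCH-under-a-batch-user misuse."""
    findings = []
    for r in records:
        if r["table"] not in SENSITIVE_TABLES:
            continue
        reason = "sensitive table"
        if not r["terminal"]:
            reason += ", no terminal (background job?)"
        findings.append((r["user"], r["table"],
                         ACTIVITY_NAMES.get(r["activity"], r["activity"]), reason))
    return findings


if __name__ == "__main__":
    recs = parse_du9(SAMPLE_EXPORT)
    for user, tables in sorted(tables_by_user(recs).items()):
        print(user, dict(tables))
    for entry in changes(recs):
        print("CHANGE:", entry)
    for finding in suspicious(recs):
        print("REVIEW:", finding)
```

Run it against an export filtered to DU9 only, as the blog suggests; with RSAU_READ_LOG_ADM the user and terminal columns are absent, so the no-terminal heuristic needs the RSAU_READ_LOG output.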

SE16N performance

Notes on SE16N performance:

Changes done with SE16N

On ECC or S/4HANA systems, changes made with SE16N are recorded in tables SE16N_CD_DATA and SE16N_CD_KEY. You can display these changes with report RKSE16N_CD_DISPLAY:

OSS notes for RKSE16N_CD_DISPLAY: