TCDCOUPLES – User can access a transaction via indirect method


Introduction

What if you find out that an SAP user can access a transaction without having access via the S_TCODE object? Your first reaction might be that this isn’t even possible, or that there must be something wrong in the SAP system. But in reality, SAP does allow users to access transactions without an S_TCODE check. Let’s learn how and why.

Transaction couples & SE97

You have probably heard of transaction coupling (TCDCOUPLES) at some point in SAP Security. Transaction coupling is basically a way for SAP to group related transactions. These transactions are often called by one another without the end user being aware of this. For example, transaction ME22N (Change Purchase Order) will jump to transaction MM03 when displaying a material. For the end user it is a seamless transition from ME22N to MM03.

We can use transaction SE97 to control whether the SAP system should restrict or allow a transaction indirectly called by a user. This is useful if you find out that a user can access a transaction indirectly even though he or she is not authorised to do so. Each time a user invokes a transaction code from the SAP GUI menu, the kernel checks the transaction code against the S_TCODE authorisation object.

Example

Imagine you have started transaction ME22N (Change Purchase Order) from the SAP GUI menu and are processing purchase order 3004000250. As shown in Figure 1, you see the material number DPC-CPU -2600.

Figure 1: ME22N (Change Purchase Order)

If you double-click on the material number field, you will jump to transaction MM03 (Display Material), as shown in Figure 2.

Figure 2: MM03 (Display Material)

If you look at the ABAP source code behind this action, you will see that transaction MM03 is called indirectly from transaction ME22N via the ABAP statement CALL TRANSACTION. Therefore, you should lock or manage transaction MM03.

In the further course of the ABAP code, you will notice that the table TCDCOUPLES is responsible for the explicit authorisation of the called transaction. You can display (and change) the contents of table TCDCOUPLES with transaction SE97.
First, specify the calling transaction (in the example this is ME22N). Figure 3 shows all possible transactions related to ME22N.

You also need to know the possible combinations in the “Check Ind.” column:

  • If the value is set to YES, an authorisation check is performed when the ABAP statement CALL TRANSACTION is executed.
  • If the value is set to NO, no authorisation check is performed.
  • If the value is blank, neither of the preceding check indicators has been set yet. In the current version, no authorisation check is carried out. However, this may change in future releases.

Figure 3: List of called transactions

Note that in this example the value for MM03 is blank. If the value is set to YES or NO, the behaviour is unambiguous. If the value is blank, the behaviour of the system depends on the setting of the system parameter “auth/check/calltransaction”.

You can see the values using the ABAP report RSPARAM, as shown in Figure 4.

Figure 4: System parameter

The meaning of the value 2 is described in OSS note 515130 and SAP note 358122. Figure 5 shows part of OSS note 515130. In our SAP system (ECC6), if the value in table TCDCOUPLES is not defined (empty), the authorisation check is not performed for the called transaction, because the parameter “auth/check/calltransaction” is set to the value 2 and there is an “n” in the third row (no entry in TCDCOUPLES).

Note that in the newer S4 systems the behaviour is different: the system forces an authorization check if the TCDCOUPLES table value is not defined.

Figure 5: Table

You can use transaction SE97 to adjust the values of the TCDCOUPLES records to your security objectives.
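
An added example (not from the original post or from SAP) that applies the check-indicator rules above to an export of SE97 entries and lists the called transactions that would run without an S_TCODE check. The CSV column names, the ZDEMO_* transaction codes and the blank_means_check switch are assumptions; set the switch to False for the ECC6 case described above (parameter value 2) and to True for the newer S4 behaviour.

```python
import csv
import io

# Constructed sample export of SE97 rows for one calling transaction.
# Column names and the ZDEMO_* rows are assumptions made for illustration;
# only the ME22N -> MM03 couple with a blank indicator comes from the article.
SAMPLE_EXPORT = """calling,called,check_ind
ME22N,MM03,
ME22N,ZDEMO_A,YES
ME22N,ZDEMO_B,NO
ME22N,ZDEMO_C,yes
ME22N,ZDEMO_D,?
"""


def audit_couples(export_text, blank_means_check, watchlist=()):
    """Return couples whose called transaction runs without an S_TCODE check.

    blank_means_check: False when a blank indicator leads to no check (the
    ECC6 system in the article), True when the system forces a check (S4).
    watchlist: called transactions to list first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        calling = row["calling"].strip().upper()
        called = row["called"].strip().upper()
        indicator = (row["check_ind"] or "").strip().upper()
        if indicator == "YES":
            continue  # check is performed on CALL TRANSACTION
        if indicator == "NO":
            reason = "check explicitly disabled"
        elif indicator == "":
            if blank_means_check:
                continue  # system forces the check for unmaintained entries
            reason = "indicator not maintained"
        else:
            # Unknown value: report it instead of silently assuming a check.
            reason = "unrecognised indicator %r, review manually" % indicator
        findings.append({"calling": calling, "called": called,
                         "reason": reason, "watchlisted": called in watchlist})
    # Watchlisted targets first, then alphabetical for stable output.
    findings.sort(key=lambda f: (not f["watchlisted"], f["calling"], f["called"]))
    return findings


if __name__ == "__main__":
    for finding in audit_couples(SAMPLE_EXPORT, False, watchlist={"MM03"}):
        print(finding)
```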
