Marc Vincent Eugenio

Tracking if a user is trying to access restricted programs/tcodes via SM20/SM21

Hello Team,

Overview:

Last week, I was trying to find out if a user forcefully ran a program by “bypassing” the authority check function in Test.

After scanning some SAP standard programs by Basis, I bumped into these transaction codes – SM20/SM21.

Although this is the first time I have used these tcodes, they did wonders for me, so I have decided to share them.

Test Scenario:

I have limited access to run a program (even in DEV) that edits the transport’s status, so I need to “bypass” the authority check.

I did succeed, however, in making the edit button displayable – see the highlighted part below:

P1.png

Now, one method to trace this is by using SM20.

Here we can select the following in the “Audit classes”, that is, the items to be tracked, by simply ticking them.

Enter the client and the user, if you know them.

Press Enter and then F8.

P2.png

You will see a consolidated security log like the one below – focus on the entry highlighted in orange.

P3.png

It says that the user (me) tried to change the SY-SUBRC field in program LSTR9U03,

and this is exactly what we did in debug mode.

P4.JPG

Now the other tcode is SM21.

SM21, as per the SAP docs, is the system log, which records all the system errors, warnings, user locks due to failed logon attempts from known users, etc.

Now we enter the date/time and the user we need to spy on 😀

P5.png

Press Execute.

P6.png

It says that the user is trying to change the SY-SUBRC of program LSTR9U03 – the same as in the SM20 output.

There is also more detailed technical info once you double-click a record.

P7.png

Going back to the SM21 selection screen, we can see a button called “Use old System log tcode”.

This is just the old tcode; it yields much the same output, but of course with the previous layout.

P8.JPG

There is no client filter, so both clients 111 and 222 show up.

P9.JPG

A more technical view is also displayed once a record is double-clicked.

P10.JPG
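
The same check, run offline over exported log rows, as an added example that is not part of the original post and not SAP code. The pipe-delimited layout, the message wording, the user names and the program ZDEMO are constructed assumptions, so adapt the parser to your actual SM20/SM21 export.

```python
import re
from collections import defaultdict

# Constructed sample rows. Column layout and message wording are assumptions,
# not a real SM20/SM21 export; clients 111/222 and LSTR9U03 mirror the post.
SAMPLE_EXPORT = """\
|Date      |Time    |Cl.|User    |TCode|Program |Message text                                 |
|----------|--------|---|--------|-----|--------|---------------------------------------------|
|2024-05-06|09:14:02|111|DEVUSER1|SE38 |LSTR9U03|Field content changed in debugger: SY-SUBRC  |
|2024-05-06|09:14:40|111|DEVUSER1|SE38 |LSTR9U03|Field content changed in debugger: LV_COUNT  |
|2024-05-06|09:20:11|222|DEVUSER1|SE38 |LSTR9U03|Field content changed in debugger: SY- SUBRC |
|2024-05-06|09:31:55|111|DEVUSER2|SE38 |ZDEMO   |Transaction started                          |
"""

COLUMNS = ("date", "time", "client", "user", "tcode", "program", "text")
# Tolerate the "SY- SUBRC" spacing that some list outputs show.
SUBRC_CHANGE = re.compile(r"changed.*\bSY-\s*SUBRC\b", re.IGNORECASE)

def parse_rows(export):
    """Yield one dict per data row, skipping header and separator lines."""
    for line in export.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS):
            continue  # malformed or wrapped line
        if cells[0] in ("Date", "") or set(cells[0]) == {"-"}:
            continue  # header or separator
        yield dict(zip(COLUMNS, cells))

def subrc_changes(export):
    """Map user -> [(client, program, timestamp)] for debugger changes of SY-SUBRC."""
    hits = defaultdict(list)
    for row in parse_rows(export):
        if SUBRC_CHANGE.search(row["text"]):
            stamp = f'{row["date"]} {row["time"]}'
            hits[row["user"]].append((row["client"], row["program"], stamp))
    return dict(hits)

if __name__ == "__main__":
    for user, events in subrc_changes(SAMPLE_EXPORT).items():
        clients = sorted({client for client, _, _ in events})
        print(f"{user}: {len(events)} SY-SUBRC change(s), client(s) {', '.join(clients)}")
        for client, program, stamp in events:
            print(f"  {stamp}  client {client}  program {program}")
```

Grouping by user across clients matters because the old system log view has no client filter, so one user's changes in 111 and 222 appear side by side.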

