Steps to perform before adding a custom t-code to any role.
We often get a requirement to add a custom t-code to a role. Custom transaction codes are an important part of SAP systems, because SAP has a wide range of customization capabilities that allow companies to tailor the system to their exact needs. Customizing transaction codes is a way to create a unique identifier for every task that needs to be completed specific to the organization's needs.
From a security consultant's point of view, before adding a custom t-code to a role to give access to the intended group of people, certain checks and steps need to be performed.
1. Check that the required authorization checks are added in the program. You can find the program associated with a custom t-code using t-code SE93.
2. The authorization object that is added as an authority check in the program associated with the custom t-code should be maintained in SU24.
3. If the custom t-code involves any organizational fields, for example plant, company code, etc., ensure that an authority check is added at program level to restrict these values, as it is not recommended to provide *, i.e. full authorization, for organizational values. Once the check is maintained in the program, the same authorization object should be maintained in SU24 so that organizational field values can be restricted in a role.
4. Ensure that the custom t-code is not calling any standard t-code or performing functionality similar to any standard t-code. If it is, check whether the relevant standard t-code is part of any SOD function. If yes, add the custom t-code to the same SOD function and update the SOD rule.
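A small review aid for steps 1 to 3, added here as an example and not part of the original post: it scans the ABAP source of the program found via SE93 for AUTHORITY-CHECK statements and compares them with the objects maintained in SU24. The program, the t-code ZMM01, the sample source and the SU24 object set are constructed, and it assumes the source has been exported as plain text; checks with a dynamic object name are not detected.

```python
import re

# Constructed sample: source of a hypothetical program behind custom t-code ZMM01.
SAMPLE_ABAP = """\
REPORT zmm_plant_stock.
PARAMETERS: p_werks TYPE werks_d, p_bukrs TYPE bukrs.
* AUTHORITY-CHECK OBJECT 'M_MSEG_WWA' ID 'WERKS' FIELD p_werks.
START-OF-SELECTION.
  AUTHORITY-CHECK OBJECT 'M_MATE_WRK'
    ID 'ACTVT' FIELD '03'
    ID 'WERKS' FIELD p_werks.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' DUMMY
    ID 'ACTVT' FIELD '03'.
"""
SU24_OBJECTS = {"M_MATE_WRK"}  # constructed: objects maintained in SU24 for ZMM01

STMT = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'(\w+)'(.*?)\.", re.I | re.S)
ID_CLAUSE = re.compile(r"\bID\s+'(\w+)'\s+(DUMMY|FIELD\s+[^\s.]+)", re.I)

def strip_comments(src):
    # Drop full-line (*) and inline (double quote) comments so dead checks are ignored.
    kept = [l.split('"', 1)[0] for l in src.splitlines() if not l.startswith("*")]
    return "\n".join(kept)

def review(src, su24_objects, org_fields):
    # Findings for steps 1-3: checks exist, are in SU24, and restrict org fields.
    findings, restricted, dummy = [], set(), set()
    statements = STMT.findall(strip_comments(src))
    if not statements:
        findings.append("no AUTHORITY-CHECK statement found in program")
    for obj, body in statements:
        obj = obj.upper()
        if obj not in su24_objects:
            findings.append(f"{obj}: checked in program but not maintained in SU24")
        for field, value in ID_CLAUSE.findall(body):
            field = field.upper()
            if field not in org_fields:
                continue
            if value.upper() == "DUMMY":
                dummy.add(field)
                findings.append(f"{obj}: org field {field} uses DUMMY, value is not checked")
            else:
                restricted.add(field)
    for field in sorted(org_fields - restricted - dummy):
        findings.append(f"{field}: org field has no authority check in program")
    return findings

if __name__ == "__main__":
    for line in review(SAMPLE_ABAP, SU24_OBJECTS, {"WERKS", "BUKRS"}):
        print(line)
```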
Hope this helps whenever you get a requirement to add a custom t-code to a role. Understand the complete functionality of the t-code, confirm which program it is associated with, maintain the needed authorization objects, and check whether it is SOX relevant, as it impacts the SOD rule set.