IT Audit Let's take a look at the T-codes and UserTypes to watch out for in your SAP accounts.

23-03-18

본문

In SAP, user types (UserTypes) allow you to create and manage user accounts for different purposes and roles. Let's describe the main user types provided by SAP and their uses.

1. Dialog (A)
The dialog user type is used for general users to log in to the system and perform tasks. For example, users who work in finance, logistics, human resources, etc. This type of user can log in to the system directly to execute different transactions.

2. System (B)
A system user type used to perform cross-system communications and processes, such as batch jobs, communication channels, and interfaces. They typically handle background tasks that don't require interactive access. For example, it is used to communicate with other systems using Remote Function Calls (RFCs).

3. Communication (C)
The Communication user type is used for the purpose of communicating with external systems without allowing interactive access. For example, a user that performs integration tasks such as web services, electronic data interchange (EDI), or business application programming interface (BAPI) calls.

4. Service (S)
The Service user type, used to allow anonymous user access. Typically used to provide limited access to anonymous users that do not require authentication, such as web services, portals, and Fiori applications.

5. Reference (L)
The Reference user type, which cannot sign in on its own, and is used to provide a reference role to other users. You can use reference users to allow multiple users to share the same permissions and simplify permissions management.

# Examples of appropriate user type settings:

General business users: Set them to the Dialog (A) type to allow interactive access and allow them to perform necessary tasks.
System administrators: Set as a Dialog (A) type, but grant permissions related to system administration and monitoring.
Users communicating with external systems: Set to Communication (C) type to restrict interactive access and grant permissions only for communicating with external systems.
Users performing background tasks: Set to the System (B) type to restrict interactive access and grant the necessary permissions for background tasks.
Users who allow anonymous user access to the web application: Set to the Service (S) type to provide limited access to anonymous users who don't require authentication.
When multiple users need to share the same permissions: Use the Reference (L) type to create reference roles and assign them to other users to simplify permissions management.
When setting up user types, consider your organization's security policies and internal control requirements to ensure that you choose the appropriate user type for each user's role. This will help make your system more secure and ensure compliance.

Considering the security aspects, we'll explain what to look out for when setting up each UserType and the risks that can occur if they are set up incorrectly.

1. Dialog (A)
Caution: Make sure to only grant dialog users the permissions they need and remove unnecessary ones. Also, enforce a strong password policy and change it regularly.
Risk: If interactive users are granted excessive permissions, or if you have a weak password policy, user accounts can be exploited by attackers. This can lead to security risks such as data leakage or system compromise.

2. System (B)
Caution: System users should be granted only the minimum necessary privileges, and interactive access should be limited.
Risk: If system users are enabled for interactive access, an attacker can use the system user account to log into the system or access sensitive data.

3. Communication (C)
Caution: Grant only communication-related permissions and restrict interactive access.
Risk: If communication users are enabled for interactive access, an attacker could use their account to log in to the system or access sensitive data. Also, if they are granted excessive privileges, data leakage could occur during communication with external systems.

4. Service (S)
Caution: Service users should be granted minimal permissions to services that allow anonymous access.
Risk: If service users are granted excessive permissions, malicious users can access sensitive data or attack your system through anonymous access.

5. Reference (L)
Caution: Use reference users to efficiently manage permissions shared by multiple users, but be careful not to grant individual users more permissions than necessary.
Risk: If excessive permissions are granted through reference users, regular users can abuse their privileges to access sensitive data or compromise your system.

Setting appropriate permissions for each user type and complying with security policies is an important element of internal control and IT audit of SAP systems. By setting up and managing user types correctly, you can help your organization maintain information security and ensure compliance. With these internal controls and security management, your organization can support safer and more efficient system operations.

The number of T-Codes managed by SAP is very large and spans many different modules and submodules. The list below organizes some of the most important T-Codes by module. It is not a complete list of T-Codes, but it does provide a good representation of the T-Codes.
(For T-Codes related to internal controls or security, see our previous article: http://www.tokenterrace.com/eng/209)

1. T-Codes related to Financial Accounting (FI):
FB01: Enter Slip
FB02: Change Slip
FB03: Display Slip
FBL3N: Account Transaction Display
F110: Auto Pay Program

2. Management Accounting (CO) related T-Codes:
KS01: Create Cost Center
KS02: Change Cost Center
KS03: Cost Center Display
KSB1: Display Performance by Cost Center
KP06: Enter budget plan by cost center

3. T-Codes related to logistics (SD, MM, PP, QM):
VA01: Create Sales Order
VA02: Change Sales Order
VA03: Sales Order Display
ME21N: Create Purchase Order
ME22N: Change Purchase Order
ME23N: Purchase Order Display
MD04: Inventory/Demand Status List
COOIS: Production Order Information System
QA32: Inspection Lot Work List

4. Human Resources (HCM) related T-Codes:
PA30: Maintain Human Resources Master Data
PA40: Human Resources Actions
PA20: Display Human Resources Master Data
PT60: Time Evaluation
PU12: Interface Tools

In addition to these, there are thousands of T-Codes in the SAP system, and each organization and task may use different T-Codes. The list below organizes the additional T-Codes by module.

T-Codes related to the Project System (PS):
CJ20N: Create and change project structure
CJ30: Change WBS Elements
CJ31: Display WBS Elements
CNS41: Project Reports
CJI3: Report Project Performance

T-Codes related to Plant Maintenance (PM):
IW31: Create Work Order
IW32: Change Work Order
IW33: Work Order Display
IW21: Create Breakdown and Maintenance Alerts
IW22: Change Breakdown and Maintenance Alerts

T-Codes related to Cost and Profitability Analysis (COPA):
KE24: Profitability Analysis Report
KE30: Run the Report Painter
KE34: Maintain Report Painter
KE91: Create a Profitability Analysis Account Plan
KSPI: Pricing Calculations: Comprehensive Report

Treasury Management (FSCM) related T-Codes:
TPM01: Create Transactions
TPM13: Transaction Display
TBB1: Create Funds Transaction Slip
FSCM_DISPUTE: Manage objections
FSCM_COLL: Collections management

Logistics Information System (LIS) related T-Codes:
MC46: Logistics Information System Inventory Report
MC43: Logistics Information System Analysis
MC50: Cost Centered Inventory Analysis
MCBR: Inventory Coverage Analysis Report
MCBA: Sales Analysis - Monthly

Warehouse Management (WM) related T-Codes:
LT01: Create Movement Task
LT02: Change a Movement Task
LT03: Display Movement Task
LT09: Move Inventory Location
LX03: Analyze Inventory Location

There are thousands of T-Codes in the SAP system, and each organization and task may use different T-Codes. The T-Codes that are needed in the actual business should be defined taking into account the UserType described above and always limited to the minimum number of people who need authorization according to the SoD.