SE16 in SAP

Posted by Fabio Mambretti on Dec 30, 2022 12:00:00 AM

For some SE16 may be an unknown acronym. For others it is the "bread and butter." It is a SAP transaction remarkably familiar to administrators. And often not only them, unfortunately.

 

 

SE16 - PANORAMA

 

But what is it used for? How many versions of it are there? How do you use it and what are the risks involved?

We discuss  it in this article!

What is it used for?

It is a transaction that allows direct read access (but can also be used in some cases to modify data) to all SAP tables that make up the database.

 

In other words, with this transaction it is possible to have access to any data stored in an SAP system. Clearly, all SAP systems based on ABAP (e.g., Success Factors or SAP Cloud Platform, are not covered here).

 

But what data for example?

  • Material list, with costs and any other data
  • Bills of Materials in every aspect
  • Customer and supplier master records in all their aspects
  • Pay slips and personal data (in the case of SAP HR systems)
  • And any other information

 

Although it is a read-only transaction, it can pose a data confidentiality problem if it is released in an unreasoned manner. There are several ways to release it reducing the criticality however, if possible it is always better to avoid.

 

How many versions exist?

Let's say that over time there have been several evolutions for this transaction. In the beginning there was only SE16, then several improved versions were created with many additional features for example SE16N.

 

We should not forget that there are not only SE16 like transactions, but there are several additional transactions such as SE11 or SE17 but also many others that allow to see the contents of SAP tables.

 

Here is a non-exhaustive list of the main SE16* transactions

 

SE16 Data Browser

SE16H General Table Display

SE16N General Table Display

SE16N_ROLE General Table Display

SE16RFCDESSECU Data Browser RFCDESSECU

SE16S General Table and Value Search

SE16SL Field-Based Table and Value Search

SE16S_CUST Customizing: Tables and Value Search

SE16T Access Search Functions

SE16T000 Data Browser T000

SE16TXCOMSECU Data Browser TXCOMSECU

SE16USR40 Data Browser USR40

SE16USRACL Data Browser USRACL

SE16USRACLEXT Data Browser USRACLEXT

SE16V_T599R Data Browser V_T599R

SE16W3TREES Data Browser W3TREES

SE16WWWFUNC Data Browser WWWFUNC

SE16WWWREPS Data Browser WWWREPS

SE16_AGR_DEFINE Technical View for AGR_DEFINE

SE16_ANEA Data Browser ANEA

SE16_ANEK Data Browser ANEK

SE16_ANEP Data Browser ANEP

SE16_ANLA Data Browser ANLA

SE16_ANLC Data Browser ANLC

SE16_ANLP Data Browser ANLP

SE16_ANLZ Data Browser ANLZ

SE16_BKPF Data Browser BKPF

SE16_BSEG Data Browser BSEG

SE16_BSEG_ADD Data Browser BSEG_ADD

SE16_BSID Data Browser BSID

SE16_BSIK Data Browser BSIK

SE16_BSIS Data Browser BSIS

SE16_ECMCA Data Browser Journal Entries

SE16_ECMCT Data Browser Totals Records

SE16_KNA1 Data Browser KNA1

SE16_KNB1 Data Browser KNB1

SE16_LFA1 Data Browser LFA1

SE16_LFB1 Data Browser LFB1

SE16_MARA Data Browser MARA

SE16_MARC Data Browser MARC

SE16_RFCDESSECU Data Browser RFCDESSECU

SE16_SKA1 Data Browser SKA1

SE16_SKB1 Data Browser SKB1

SE16_T000 Data Browser T000

SE16_T807R Data Browser T807R

SE16_TCJ_CHECK_STACK Data Browser TCJ_CHECK_STACKS

SE16_TCJ_CPD Data Browser TCJ_CPD

SE16_TCJ_C_JOURNALS Data Browser TCJ_C_JOURNALS

SE16_TCJ_DOCUMENTS Data Browser TCJ_DOCUMENTS

SE16_TCJ_POSITIONS Data Browser TCJ_POSITIONS

SE16_TCJ_WTAX_ITEMS Data Browser TCJ_WTAX_ITEMS

SE16_TXCOMSECU Data Browser TXCOMSECU

SE16_USR40 Data Browser USR40

SE16_USRACL Data Browser USRACL

SE16_USRACLEXT Data Browser USRACLEXT

SE16_V_T599R Data Browser V_T599R

SE16_W3TREES Data Browser W3TREES

SE16_WWWFUNC Data Browser WWWFUNC

SE16_WWWREPS Data Browser WWWREPS

 

But there are also additional lesser-known and differently named transactions that allow tables to be viewed, for example, the RSSG_BROWSER.

 

RSSG_BROWSER

 

Useful in some contexts is the SE16T transaction that allows you to search by description for tables or transactions. See "Find Transactions" and "Find Tables."

 

SE16T_DESCRIPTION
 
So does the SE16SL, which allows you to search by content
 
SE16SL

 

SE16N back door

Sometimes the following remark is raised, "it's view-only, we can release it."

 

In most cases this is true; it is a view-only transaction. However, this may not be the case and depends on the user's permissions and system configuration.

 

And it's also true that view-only is critical (especially in the context of internal policies and GDPR regarding the processing of personal data).

 

Immediately after SAP released the SE16N transaction, a "backdoor" called &sap_edit had been inserted by SAP, after this backdoor was leaked on the network SAP decided to block it.

 

SAP_EDIT_OSS_NOTE1420281

 

Through the RKSE16N_EDIT program, however, it is possible to decide whether this feature should be active or not.

 

SAP_EDIT

 

Keep in mind: not only transactions are critical but also the execution of programs or functions associated with SE16 transactions* is, e.g. RK_SE16N or RSDU_CALL_SE16 

 

Why can it be critical?

We have already mentioned this above. SAP enables data segregation by going and issuing users with transactions specific to each business activity. A user can then have a set of these transactions that allows them to do their work. Based on the defined responsibility.

Releasing SE16* is like opening a special door that allows one to get to data not formally released from the perimeter of transactions assigned to this user. Effectively bypassing the transactional segregation provided by SAP.

In addition, if the user has debug permissions (S_DEVELOP authorization object in edit) changes can be made.

P.S. Changes made via SE16N can be seen in tables SE16N_CD_KEY and SE16N_CD_DATA. Please note that these tables can also be edited


SE16N_EMERGENCY

What to do if someone needs to perform emergency changes via this transaction in production environment. In this case the following OSS note may be helpful 2911103 - SE16N: Alternative edit mode SE16N_EMERGENCY.

 

By default the transaction is locked on first use. Then it is unlocked only upon specific request and re-locked via transaction SM01_CUS. tracking what is done.

 

1) transaction unlocking, by an administrator.

 

SM01_CUS

 

2) Use of the transaction, detailing the changes made e.g. Ticket XYZ

 

SE16N_EMERGENCY

 

3) Documentation of changes made

 

REPORT_RKSE16N_CD_DISPLAY

 

Which mitigations are needed in order to give transaction SE16?

There are alternative solutions to release it.

There are users who need access to specific tables. In this case, if the number of tables is not very high, it is possible to define transactions called parametric (via transaction SE93, see image below)

 

TRANSAZIONE PARAMETRICA_CREAZIONE
 

which allow SE16 to be used to read a specific table directly (without giving the user the option of entering it), thus skipping the initial screen.

 

TRANSAZIONE PARAMETRICA
 

In the case where the number of transactions to be issued is extremely large there can be two scenarios in my opinion:

  1. Why does the user need to access so many tables directly?
    1. Because he does not use the standard SAP transactions
    2. If he has to display parts of the system configuration, there is also the QAS system
  2. Define a custom transaction that allows the user to select which tables he can display. In this case with one transaction released and developed it is possible to release the tables to be displayed. However, I do not suggest it (although implemented in some contexts).

But if you really must release it, how can you circumscribe access?

You can:

  1. Use the authorization objects that SAP provides to protect access to tables. Read the post on specific authorization objects here
  2. use the functionality seen above of SE16N_EMERGENCY if it is already present
  3. in any case it is worth activating the security audit log. In particular the following events (you will be able to see who used a critical transaction and on which tables). Keep in mind: if you activate the logs then they must be audited and used. The alternative is to use the Emergency Access Management component (to automate the provisioning of these enablement and log management)

    1. DU9 - Generic table access using transactions es. SE16, SE16N, SM30, SM31, SM34, o SQV (OSS note 2041892)
    2. CUZ - Generic table access by RFC to &A with activity &B

 

So watch out for requests during system maintenance (AMS) that may come in. Better think twice before releasing it.

 

 

Topics: se16n, se16, SAP Security, supporto sap ams, sap query, SAP GDPR

Subscribe Here!

Blog Aglea, cosa puoi trovare?

Ogni mercoledì pubblichiamo articoli, interviste e documenti relativi alla security SAP.

Cosa puoi trovare:

  • Suggerimenti su come mettere in sicurezza i sistemi SAP
  • Come fare a … (How To)
  • Checklist
  • Gli errori comuni che spesso vengono fatti in ambito Security SAP
  • Interviste con esperti del settore
  • Chi è AGLEA quale è la nostra vision security SAP

Recent Posts

Post By Topic

See all