Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

The Adventures of a Bored Programmer

  • Font size: Larger Smaller
  • Hits: 8257
  • Print

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...

iStock 000011246561XSmall


Programmers are valuable assets to a company, yet bored programmers can be plain trouble.

I can reassure you that adventurous programmers initially intend to simply have some fun and stimulate their senses a bit, before going back to their real tasks. That being said, I can also assure you that what begins as an innocent harmless adventure, may not end happily ever after.

Fact: most programmers can easily take over an inactive user account. In fact, all it takes are just 3 moves. Let me lay out the general sequence of actions for you:

Step 1: Identify a dormant user account using T-Code: SE16 (Table Browser) and Browse Table: USR02 (Logon Data)

     Picture2  Picture1

Step 2: Add SAP_ALL and Change Password and Unlock User T-Code: SU01 (Maintain User)

      Picture3 Picture4 Picture5

Step 3: Login as a new user – so all activities are now performed under another user's name

Now what, you ask? Well, according to our customers, salaries and invoices seem to interest programmers very much. So here are examples of what can happen next:

Example 1 – check how much you boss earns
Once a programmer has succeeded to login to the SAP system as a new user, viewing salaries is very simple:

T-Code: PA30 (Maintain HR Master Data)
Infotype: 0008 (Basic Pay), "Display"

Yes, most programmers are "shocked" to find out that their boss makes so much more money than they do.

Example 2 – discover company's highest invoices
Once in SAP, what harm would it do (ponders the programmer) if the details of the highest invoices are revealed? Retrieving this data is easy:

T-Code: SE16 (Table Browser), Browse table: BKPF_BSAD (Customer financial documents)
Document type = DZ (customer payment), Amount > 1,000,000

If the company is doing well (the programmer continues to ponder), why not ask for a raise, or let others know?

When things go too far

At times the innocent and harmless programmers get used to playing around and become bored once again. Sometimes they are tempted to take things even a step further (for their own personal – and wrongful – benefit). This time, their exploring around might end up in transferring money to the programmer's account instead of to the vendor's. Yes you are reading my thoughts correctly: fraud, security breach, etc.

I don't want to complicate things more; however do you remember that the programmer is using an actual legitimate account instead of his/her own? This means that these activities are practically untraceable, and even if eventually traced, so much time has surely gone by, that reacting to such incidents becomes painfully impossible and pointless.

In my previous post I promised to suggest an effective solution for adventurous programmers. So here we go:

Alerts Alerts Alerts!

Let's revisit the 3 moves in which a programmer can take over an account. Now, let's see how this can be prevented
step-by-step with the right alerts.

Step 1 can be prevented by receiving an alert if an employee made use of the following:

T-Code SE16 with table USR02 (Logon data)
Irregular use of T-Code SU01 (Change User)

Step 2 can be avoided if alerts are sent out for:

Usage of sensitive T-Code SU01 (Maintain User)
Adding high risk authorization profile SAP_ALL
Irregular behavior of user

Step 3 (if a programmer reached this step) can be stopped with alerts for:

Usage of sensitive T-Code: PA30 (HR Master Data)
Irregular behavior of user

Sophisticated and automated alerts ensure that taking over an inactive user account does not go unnoticed.

What about the invoices?
Alerts for the following:

Usage of sensitive T-Code SE16 (Table Browser) with sensitive tables: BKPF* (Financial Docs), etc.

Transferring money?!
There are many alerts for preventing an attempt to transfer money dishonestly, see a few examples:

Irregular activity of a user
Usage of sensitive T-Code: F110 (Payment Run)
Activating Debugging mode

Remember to stay alert
Smart, customized and real-time alerts are the key to implementing a proactive approach to security in any organization. Don't leave room for blunders. Even the best of programmers can go bored...

Visit again soon... I still owe you some insights on how to enable justified access to the production environment without compromising on security.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Pay (Only) As You Use

Pay (only) as you use – innovative approach? Indeed (although we have already recommended a similar approach in SAP licensing by concurrent users, suggesting that companies pay only for the licenses they really need). I am a big believer in SAP® and also in methods that enable enterprises to be...
in Security & AuthorizationsPosted by Dror Aviv

Eliminating the Wrong Guy…

A couple of years ago, we included a “Lock User” button feature into our security product. If you received a “very high” alert, you could log into the system, catch the fraud in action, press the “Lock User” button and prevent the thief from stealing. Bam…. you’re the hero.


in Security & AuthorizationsPosted by Yoav Michaeli

Hooray! We Caught a Thief!

This is a true story from last week – an Xpandion expert received a phone call from one of our European clients, claiming they just received a High Risk Irregular Behavior alert pertaining to unauthorized access of salary information. After a quick investigation using ProfileTailor™ Dynamics, it was...
in Security & AuthorizationsPosted by Dror Aviv

Take Your Hands off of SAP T-Code SU01!

In many organizations, the access to the sensitive SAP T-Code SU01 is much wider than needed. Let's explore why.



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India