Xpandion Blog


The Curse of the Unused: Z_UNUSED_TCODE and Y_UNUSED_ROLE


In 1914, American judge Louis Brandeis coined the famous quote “Sunlight is said to be the best of disinfectants,” and it has proven to be most accurate in 2014 too.


Many of our current and potential clients fear what may be revealed when the light is shined upon them. Some say it loud and some say it quietly in their hearts, “What if, when we use your software it’s revealed that 50% of our own developed T-Codes are not being used? Who will justify the huge development of Z T-Codes that was asked for which no one utilizes? Will I be the scapegoat?”

Ignorance is bliss. If you don’t know about it, then you don’t have to deal with the reality of the situation and no one can be guilty of anything. This is the secret point of view of people who resist implementing auditing software.

Note: This blog is not related to GRC, which of course some companies are obligated to maintain. I’m referring to security and authorizations – all the auditing stuff of knowing who-is-using-what.

Someone in the organization has to be brave enough to say, “We want to know what’s really going on. We want to take the responsibility to improve our situation!” And indeed, after taking the step and implementing ProfileTailor Dynamics Security and Authorizations, they easily identify and solve a lot of authorization-related issues, which, let’s face it, might become security breaches.

Here are the top three most common solutions that our customers choose to focus on, after implementing the software:

1. Eliminating Unused T-Codes and Authorizations: When you know what is being used, then you know what is not being used. From there, the most sensible action from a security point of view is to eliminate the T-Codes that nobody is using, so they will not be misused. 

For example, if someone developed Z_INVOICE to issue invoices and nobody uses it, lock it via T-Code SM01. This way you ensure that nobody can misuse it to issue false invoices. It’s a simple action with high impact. Afterwards, if someone really needs this T-Code, the request can be examined and the T-Code can be unlocked again.

The same goes for authorization roles: If no one uses a specific authorization role, delete it everywhere except in the QA system. This way you will still have access to it, but there won’t be potential to misuse it in production.


2. Watching Sensitive Data Directly: It is amazing to see the impact on customers when they discover who is looking at sensitive data in production. Using T-Codes like SE16 and SE16N, and also simple SAP queries, sophisticated users like IT people, top-users and even employees who are good at Google Search can access very sensitive data, and in most organizations – yes, they will! People are most interested in financial data and salary information: “How much are they paying the outsourcing company for my services?” is often asked by external employees, “What is our revenue?” is asked by people who hold company stock, and “Let’s find out what my boss’s salary is…” is asked a lot too.

Our customers can see the access to financial data tables like BKPF and BSEG (and even BSIK and BSAK) by people who are not meant to be there, but thought that it would be interesting to take a peek anyway. Following these findings, our customers can reevaluate access to SE16 and SE16N and inspect SAP queries more seriously. 

What should you do when you find out these things are happening? That’s another story – see our blog “CISO Advice: Shooting Might Not Be The Best Option.”

Let me take a step back and say that in fact we only find a few cases of misuse of SE16, SE16N and SAP queries, because most uses are for legitimate purposes. But the ones that break the rule, the non-legitimate uses, are what worry CISOs and Authorization Managers.

3. Access to Company Codes and Other Organizational Objects: When you have the data, it is very simple to produce an Excel sheet that maps employees to company codes, for example. Then you can easily trace potential security breaches, like employees from the warehouse who can access the company codes for management. When the data is stored (a.k.a. “buried”) inside roles and authorization objects – nobody has the time or patience to inspect it thoroughly, but when it lies in a simple Excel table, mistakes can be easily traced by managers and they can take action to fix the situation.
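To make point 3 concrete, here is an added example (not from the original post and not ProfileTailor Dynamics code) that flattens role authorizations into a user-to-company-code table and marks entries outside a departmental policy. The role names, users, company codes, the export row layout and the policy are all constructed assumptions; `BUKRS` is the company-code field of authorization objects such as `F_BKPF_BUK`.

```python
import csv
import io
# Constructed sample rows (not from the post): (role, auth object, field, low, high).
ROLE_AUTHS = [
    ("Z_WH_CLERK", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("Z_WH_CLERK", "F_BKPF_BUK", "ACTVT", "03", ""),             # not a company code
    ("Z_FI_ACCOUNTANT", "F_BKPF_BUK", "BUKRS", "1000", "2999"),  # range
    ("Z_LEGACY_ALL", "F_BKPF_BUK", "BUKRS", "*", ""),            # wildcard
]
USER_ROLES = [("ALICE", "Z_FI_ACCOUNTANT"), ("BOB", "Z_WH_CLERK"),
              ("BOB", "Z_LEGACY_ALL"), ("CAROL", "Z_WH_CLERK")]
COMPANY_CODES = ["1000", "2000", "9000"]   # 9000 = management (hypothetical)
DEPARTMENT = {"ALICE": "Finance", "BOB": "Warehouse", "CAROL": "Warehouse"}
ALLOWED = {"Finance": {"1000", "2000"}, "Warehouse": {"1000"}}  # assumed policy

def expand(low, high, known):
    """Resolve a single value, a low-high range or '*' to known company codes."""
    if low == "*":
        return set(known)
    if high:  # string comparison is safe for fixed-width 4-character codes
        return {c for c in known if low <= c <= high}
    return {low} & set(known)

def company_code_matrix(role_auths, user_roles, known):
    """Return {(user, company_code): {roles granting it}}."""
    by_role = {}
    for role, _obj, field, low, high in role_auths:
        if field == "BUKRS":  # keep only company-code values
            by_role.setdefault(role, set()).update(expand(low, high, known))
    matrix = {}
    for user, role in user_roles:
        for code in by_role.get(role, ()):
            matrix.setdefault((user, code), set()).add(role)
    return matrix

def findings(matrix, department, allowed):
    rows = []  # one row per user/company code; REVIEW = outside department policy
    for (user, code), roles in sorted(matrix.items()):
        dept = department.get(user, "UNKNOWN")
        status = "ok" if code in allowed.get(dept, set()) else "REVIEW"
        rows.append((user, dept, code, ";".join(sorted(roles)), status))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    header = ("user", "department", "company_code", "granted_by", "status")
    csv.writer(buf).writerows([header, *rows])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(findings(company_code_matrix(ROLE_AUTHS, USER_ROLES, COMPANY_CODES), DEPARTMENT, ALLOWED)))
```

The `granted_by` column shows which role carries the excess access, so the fix can target the role (here the wildcard role) rather than the user.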


These are the most common examples from our customers, who are not only brave enough to ask the right questions but also to fix what needs to be fixed. And then after they’ve fixed the situation, they want to be alerted when a sensitive authorization is granted, or when a user misuses SE16. They are committed to keeping the system secured and clean, and ProfileTailor Dynamics helps them by sending alerts for various scenarios. Ask about this feature here.
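The kind of alert described above for SE16 and SE16N, sketched as an added example (not from the original post and not how ProfileTailor Dynamics works internally). The log line format, user names and allow-list are constructed assumptions; the table and T-Code names are the ones the post mentions. SAP queries are not covered here.

```python
from collections import defaultdict
from datetime import datetime

SENSITIVE_TABLES = {"BKPF", "BSEG", "BSIK", "BSAK"}        # tables named in the post
BROWSER_TCODES = {"SE16", "SE16N"}                         # T-Codes named in the post
APPROVED = {"BKPF": {"FIN_ANNA"}, "BSEG": {"FIN_ANNA"}}    # hypothetical allow-list

# Constructed sample log: timestamp;user;tcode;table
SAMPLE_LOG = """\
2014-03-02 09:14:07;FIN_ANNA;SE16N;BSEG
2014-03-02 09:20:41;DEV_MARK;SE16;BKPF
2014-03-02 09:21:03;DEV_MARK;se16n;bseg
2014-03-02 10:02:55;WH_TOM;SE16;MARA
2014-03-03 17:45:10;EXT_LEE;SE16N;BSIK
2014-03-03 17:46:00;DEV_MARK;VA01;
corrupted line
"""

def parse(line):
    """Return (timestamp, user, tcode, table) or None for malformed lines."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1].upper(), parts[2].upper(), parts[3].upper()

def alerts(log_text, approved=APPROVED):
    """Group table-browser reads of sensitive tables by users not approved for them."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, tcode, table = rec
        if (tcode in BROWSER_TCODES and table in SENSITIVE_TABLES
                and user not in approved.get(table, set())):
            hits[(user, table)].append(ts)
    return [{"user": u, "table": t, "count": len(v), "first": min(v), "last": max(v)}
            for (u, t), v in sorted(hits.items())]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

Because most SE16 and SE16N use is legitimate, the allow-list is per table: an approved finance user reading BSEG raises nothing, while the same read by anyone else does.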

So thrive in the sunlight. Don’t worry, you won’t get burned. You’ll be the hero!

Xpandion is the leading provider of Authorizations software solutions for ERP. If you have any questions or concerns about your authorizations, contact us now.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.

