Debug unauthorized TCODE without using SE93 or SM3...

Loed · ‎06-27-2014

Hi guyz,

In relation with the post below, I just want to ask if there is other way to access TCODEs you are not authorized to access aside from debugging in SE93 or SM37?

http://scn.sap.com/message/15149782#15149782

Thank you!

Loed

tom_demuyt · ‎06-27-2014

I am not saying you should do this, but, all transactions are in TSTC.

You could try to go to SE16, and simulate in debug mode SE93..

Loed · ‎06-30-2014

Hi Tom,

What do you mean by all transactions are in TSTC? Is it a tcode? Coz I tried it in BW server and the error message is TRANSACTION TSTC IS UNKNOWN..

Thank you!

Loed

tom_demuyt · ‎06-30-2014

TSTC is table. I find some of the other answers far more convenient and enlightening.

Loed · ‎07-02-2014

Thanks for the table mate..

Former Member · ‎06-27-2014

Hi Loed,

The best way to debug transactions you do not have access to is to request authorisation to those transactions. If it is a necessary part of your role to have this access then it should be granted, if it is not you shouldn't be accessing them by any back door means.

Regards,

Nick

tom_demuyt · ‎06-27-2014

If you have the authorization to change variables in debug mode, then that is an explicit authorization to the whole system.

Former Member · ‎06-27-2014

Agreed, badly designed authorisation roles can always give you access to more than was intended.

However, if you need to use debug to access a transaction then that doesn't constitute explict authorisation. Your attempt to run the transaction by conventional means will have explicitly told you that you are not authorised to do so. You can seek to exploit other means to access the transaction, but you are doing so with full knowledge that this is outside the defined scope of transactions in your authorisation role.

Regards,

Nick

Loed · ‎06-30-2014

Hi Nick,

Yeah I just request access on my client to tcodes that I need to access..

I just became curious when I saw the thread I have posted that's why I created this post..;-)

Loed

former_member730258 · ‎06-28-2014

This message was moderated.

former_member730258 · ‎06-29-2014

hi, the procedure provided below is not advisable but for some cases might be helpful. please be advised that all security must be followed as best practice still.

1. Go to SE37 and execute SCCA_CALL_TRANSACTION in debugging.

2. Click F6 and change value of sy-subrc to 0.

3. Click F8. You may now use the tcode.

Loed · ‎06-30-2014

Hi Jovee,

Sorry for that, I mistyped the title..It should be SE93 and SE37..I already know how to debug on both tcodes..I'm just curious if there are still other ways to access tcodes which are not assigned to you aside from debugging using those tcodes..

Thanks anyway for reply..=)

Loed

former_member223133 · ‎06-30-2014

Hi,

You can try the function module 'ALINK_CALL_TRANSACTION' by passing the t-code required to be accessed.

Regards

Gangadar

Loed · ‎07-01-2014

Hi Gangadhar,

As I have said, what if I don't have access in SE37 or SE93? Can I still access tcodes I am unauthorized?

former_member730258 · ‎07-02-2014

No.

Loed · ‎07-02-2014

Ah, I thought there are other ways aside from debugging or accessing SE37/SE93..

Thanks for your reply Jovee..

former_member730258 · ‎07-02-2014

There's none because it defeat the purpose of putting security and authorizations in place. only way you can do it is by changing values of the sy-subrc in debugging mode. This is also the reason why debugging access is set to read only in production to avoid unnecessary execution of programs/transactions in the system.

Loed · ‎07-02-2014

Ok mate, thanks for the info..=)

Loed

krishnadhuriya · ‎06-30-2014

HI

you can use SE37 (for FM)

then CC_CALL_TRANSACTION_NEW_TASK

and execute this FM..

Thanks!

Loed · ‎07-01-2014

Hi Krishna,

Aside from debugging in SE37 or SE93, can I still access tcodes I am unauthorized?

former_member220028 · ‎06-30-2014

hi,

having debugging option makes you able to debug any tcode somehow.

typing /h into the tcode-field enables debugging. the next action you do is starting the debugger

thats why only trusty people should have debug-authorization

by the way: post http://scn.sap.com/message/15149782#15149782 is restricted

regards

Stefan Seeburger

Loed · ‎07-01-2014

What do you mean mate by post is restricted in that link?

Are there other ways to access tcodes which I don't have authorization for and without using SE37 or SE93?

former_member220028 · ‎07-01-2014

Hi Loed,

i cant open your link - access denied.

without beeing in any transaction you can type /h in the transaction-code-field. Then you can type in the transaction-code you want to enter/debug. set breakpoint on authority check and "sy-subrc = 0" all requests. You will be able to use this transaction after accepting each authority-check. the bigger the transaction the more uncomfortable this is.

regards

Stefan Seeburger

Loed · ‎07-02-2014

Here is the link mate:

http://scn.sap.com/message/15149782

For example, I am in the main window (the window after logging on), after entering /h where will I type the transaction code I want to access?

former_member220028 · ‎07-02-2014

Hi Loed,

you type both in the transaction field.

type in "/h" --> enter --> type in "LSMW" --> enter --> "debugger is starting" --> set breakpoint at command "authority-check"

regards

Stefan Seeburger

Loed · ‎07-03-2014

Yeah, already tried it mate but can't make it work..I tried accessing ST22 (see below posts with Pranav Agrawal)..

Loed

Former Member · ‎07-02-2014

Hi Loed,

I would say the ultimate solution to your query is to use sy-subrc check flag and then after authority-check i.e. in SAP system, most of the authorizations are maintained via Authority-check followed by check on sy-subrc if sys-cubrc check fails then a error is thrpwn stating "No authorization".

I would recommend you to primarily put /h in command box followed by the required TCODE and then after followed by breakpoint at statement authority-check, after that you will stop at all the instances where authority-check will get executed you just need to pass the failure of sy-subrc and the you can debug the required t-codes.

Please validate the same at your end as well, please drop backa a reply in case you require further inputs.

BR/Thanks

Pranav Agrawal

Loed · ‎07-02-2014

Hi Pranav,

I tried this but I can't make it work..I can debug but I think there are so many sy-subrc that you need to bypass..There is also lv-subrc something that was used and equated to sy-subrc..I also saw the authority-check command but it's not the only authorization command that is needed to bypass..

Anyway. thanks for the help..=)

By the way, did you already try this? Did you make it work?

Thank you!

Loed

Former Member · ‎07-02-2014

Yes Loed, at once I wanted to use LSMW transaction, and I was not having the access, but by by-passing sy-subrc 5-6 times I was able to operate the LSMW Transaction.

Anyways I would suggest when you are using this said method, you need to by-pass all the authority-check sy-subrc passes.

BR/Thanks

Pranav Agrawal

Loed · ‎07-02-2014

Ok mate I will just try it again..By the way I'm trying the ST22 tcode here..

Thank you..

Loed

Debug unauthorized TCODE without using SE93 or SM37