For some SE16 may be an unknown acronym. For others it is the "bread and butter." It is a SAP transaction remarkably familiar to administrators. And often not only them, unfortunately.
But what is it used for? How many versions of it are there? How do you use it and what are the risks involved?
We discuss it in this article!
What is it used for?
It is a transaction that allows direct read access (but can also be used in some cases to modify data) to all SAP tables that make up the database.
In other words, with this transaction it is possible to have access to any data stored in an SAP system. Clearly, all SAP systems based on ABAP (e.g., Success Factors or SAP Cloud Platform, are not covered here).
But what data for example?
- Material list, with costs and any other data
- Bills of Materials in every aspect
- Customer and supplier master records in all their aspects
- Pay slips and personal data (in the case of SAP HR systems)
- And any other information
Although it is a read-only transaction, it can pose a data confidentiality problem if it is released in an unreasoned manner. There are several ways to release it reducing the criticality however, if possible it is always better to avoid.
How many versions exist?
Let's say that over time there have been several evolutions for this transaction. In the beginning there was only SE16, then several improved versions were created with many additional features for example SE16N.
We should not forget that there are not only SE16 like transactions, but there are several additional transactions such as SE11 or SE17 but also many others that allow to see the contents of SAP tables.
Here is a non-exhaustive list of the main SE16* transactions
SE16 Data Browser
SE16H General Table Display
SE16N General Table Display
SE16N_ROLE General Table Display
SE16RFCDESSECU Data Browser RFCDESSECU
SE16S General Table and Value Search
SE16SL Field-Based Table and Value Search
SE16S_CUST Customizing: Tables and Value Search
SE16T Access Search Functions
SE16T000 Data Browser T000
SE16TXCOMSECU Data Browser TXCOMSECU
SE16USR40 Data Browser USR40
SE16USRACL Data Browser USRACL
SE16USRACLEXT Data Browser USRACLEXT
SE16V_T599R Data Browser V_T599R
SE16W3TREES Data Browser W3TREES
SE16WWWFUNC Data Browser WWWFUNC
SE16WWWREPS Data Browser WWWREPS
SE16_AGR_DEFINE Technical View for AGR_DEFINE
SE16_ANEA Data Browser ANEA
SE16_ANEK Data Browser ANEK
SE16_ANEP Data Browser ANEP
SE16_ANLA Data Browser ANLA
SE16_ANLC Data Browser ANLC
SE16_ANLP Data Browser ANLP
SE16_ANLZ Data Browser ANLZ
SE16_BKPF Data Browser BKPF
SE16_BSEG Data Browser BSEG
SE16_BSEG_ADD Data Browser BSEG_ADD
SE16_BSID Data Browser BSID
SE16_BSIK Data Browser BSIK
SE16_BSIS Data Browser BSIS
SE16_ECMCA Data Browser Journal Entries
SE16_ECMCT Data Browser Totals Records
SE16_KNA1 Data Browser KNA1
SE16_KNB1 Data Browser KNB1
SE16_LFA1 Data Browser LFA1
SE16_LFB1 Data Browser LFB1
SE16_MARA Data Browser MARA
SE16_MARC Data Browser MARC
SE16_RFCDESSECU Data Browser RFCDESSECU
SE16_SKA1 Data Browser SKA1
SE16_SKB1 Data Browser SKB1
SE16_T000 Data Browser T000
SE16_T807R Data Browser T807R
SE16_TCJ_CHECK_STACK Data Browser TCJ_CHECK_STACKS
SE16_TCJ_CPD Data Browser TCJ_CPD
SE16_TCJ_C_JOURNALS Data Browser TCJ_C_JOURNALS
SE16_TCJ_DOCUMENTS Data Browser TCJ_DOCUMENTS
SE16_TCJ_POSITIONS Data Browser TCJ_POSITIONS
SE16_TCJ_WTAX_ITEMS Data Browser TCJ_WTAX_ITEMS
SE16_TXCOMSECU Data Browser TXCOMSECU
SE16_USR40 Data Browser USR40
SE16_USRACL Data Browser USRACL
SE16_USRACLEXT Data Browser USRACLEXT
SE16_V_T599R Data Browser V_T599R
SE16_W3TREES Data Browser W3TREES
SE16_WWWFUNC Data Browser WWWFUNC
SE16_WWWREPS Data Browser WWWREPS
But there are also additional lesser-known and differently named transactions that allow tables to be viewed, for example, the RSSG_BROWSER.
Useful in some contexts is the SE16T transaction that allows you to search by description for tables or transactions. See "Find Transactions" and "Find Tables."
SE16N back door
Sometimes the following remark is raised, "it's view-only, we can release it."
In most cases this is true; it is a view-only transaction. However, this may not be the case and depends on the user's permissions and system configuration.
And it's also true that view-only is critical (especially in the context of internal policies and GDPR regarding the processing of personal data).
Immediately after SAP released the SE16N transaction, a "backdoor" called &sap_edit had been inserted by SAP, after this backdoor was leaked on the network SAP decided to block it.
Through the RKSE16N_EDIT program, however, it is possible to decide whether this feature should be active or not.
Keep in mind: not only transactions are critical but also the execution of programs or functions associated with SE16 transactions* is, e.g. RK_SE16N or RSDU_CALL_SE16
Why can it be critical?
We have already mentioned this above. SAP enables data segregation by going and issuing users with transactions specific to each business activity. A user can then have a set of these transactions that allows them to do their work. Based on the defined responsibility.
Releasing SE16* is like opening a special door that allows one to get to data not formally released from the perimeter of transactions assigned to this user. Effectively bypassing the transactional segregation provided by SAP.
In addition, if the user has debug permissions (S_DEVELOP authorization object in edit) changes can be made.
P.S. Changes made via SE16N can be seen in tables SE16N_CD_KEY and SE16N_CD_DATA. Please note that these tables can also be edited
SE16N_EMERGENCY
What to do if someone needs to perform emergency changes via this transaction in production environment. In this case the following OSS note may be helpful 2911103 - SE16N: Alternative edit mode SE16N_EMERGENCY.
By default the transaction is locked on first use. Then it is unlocked only upon specific request and re-locked via transaction SM01_CUS. tracking what is done.
1) transaction unlocking, by an administrator.
2) Use of the transaction, detailing the changes made e.g. Ticket XYZ
3) Documentation of changes made
Which mitigations are needed in order to give transaction SE16?
There are alternative solutions to release it.
There are users who need access to specific tables. In this case, if the number of tables is not very high, it is possible to define transactions called parametric (via transaction SE93, see image below)
which allow SE16 to be used to read a specific table directly (without giving the user the option of entering it), thus skipping the initial screen.
In the case where the number of transactions to be issued is extremely large there can be two scenarios in my opinion:
- Why does the user need to access so many tables directly?
- Because he does not use the standard SAP transactions
- If he has to display parts of the system configuration, there is also the QAS system
- Define a custom transaction that allows the user to select which tables he can display. In this case with one transaction released and developed it is possible to release the tables to be displayed. However, I do not suggest it (although implemented in some contexts).
But if you really must release it, how can you circumscribe access?
You can:
- Use the authorization objects that SAP provides to protect access to tables. Read the post on specific authorization objects here
- use the functionality seen above of SE16N_EMERGENCY if it is already present
- in any case it is worth activating the security audit log. In particular the following events (you will be able to see who used a critical transaction and on which tables). Keep in mind: if you activate the logs then they must be audited and used. The alternative is to use the Emergency Access Management component (to automate the provisioning of these enablement and log management)
- DU9 - Generic table access using transactions es. SE16, SE16N, SM30, SM31, SM34, o SQV (OSS note 2041892)
- CUZ - Generic table access by RFC to &A with activity &B
So watch out for requests during system maintenance (AMS) that may come in. Better think twice before releasing it.