Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

The Three Most Sensitive T-Codes Ever: What Are They?

  • Font size: Larger Smaller
  • Hits: 14559
  • Print

What are your organization’s top three most sensitive T-Codes; the ones that you’re really careful about granting? You’ve had to think about this before, either during an authorization-inspection project, a GRC project or when asked by an auditor. Can you name the “top three?” I’m sure you can. And I’m sure you probably wouldn’t give it a second thought.


You’ll say it’s obvious, the most sensitive T-Codes are the ones dealing with access, the ones dealing with invoices, the ones dealing with new accounts. Well, as George Bernard Shaw so eloquently put it, “No question is so difficult to answer as that to which the answer is obvious.”

You have to dig deeper because there is no one universal answer. To get to the truth, you must do your due diligence.

Defining high-risk (sensitive) activities or T-Codes is an essential part of every authorization-related project because of the significant impact they could have on the company if they are misused. To manage them requires a list, and once this list is defined, leverage it: Get alerts when granting sensitive activities and when they are used irregularly, find authorization roles that include sensitive activities so you can narrow them down, and see a distinct icon in your reports when sensitive activities appear. Read more about our product that does exactly this.

But what are the actual sensitive activities you’re being alerted about? How do you make this list? Sensitive T-Codes vary significantly depending on some key factors.

The List of Sensitive T-Codes

They aren’t as obvious as you think. When our customers set up our software, they reach a step in the implementation path best practice where they are prompted to define high-risk activities. They think this step will take them an hour because of course they know what the sensitive activities are, but when they really put their minds to it, it even takes them days to finalize the list. The reason why is because they need to be at the same time both specific and broad – defining many high-risk activities is not efficient, defining the RIGHT ones is the issue.

From our experience, here are some interesting findings about the most sensitive T-Codes:

Interesting Findings about Sensitive T-Codes

  • The answer depends on the time of the year – if your answer is FS00 (G/L Account Creation), FB01 (Post Document) and SU01 (User Maintenance), my guess is that the security guys have just had their annual audit of finance related issues, or maybe you’ve had a regular meeting with your internal auditor. If your answer is FB01 (Post Document), MIGO (Goods Movement) and MIRO (Enter Incoming Invoice), there’s a good chance that you’re fresh out from a thorough SOX/SoD compliance check or GRC audit. People tend to name their “top three” most sensitive T-Codes based on the last thing they were working on or stressed out about, and often the same person will inadvertently give different answers following different auditing tasks.
  • The answer depends on the department – of course, each department will have their subjective answer. The “top three” most sensitive T-Codes in finance are probably F110 (Automatic Payment), FB01 (Post Financial Documents), and FS00 (G/L Account Master Record Maintenance) for most power users. But if you’re more involved with infrastructure and authorizations, you will probably say SU01 (User Maintenance), PFCG (Role Maintenance) and SCC4 (Client Administration). People see sensitivity through the glasses of their own department and can therefore identify risk in what they understand best.
  • The answer depends on the position – even within the same department, you’ll get different answers. Different answers from a power user in finance, from the authorization manager for finance and from the IT reference person in the financial department. This is because every person understands the word “sensitive” to have unique meanings. For example, if the end-user utilizes a T-Code that can be changed from “Display” mode to “Change” mode, this will probably disturb authorization and security guys, but the power user in finance will probably not even think of it as a risk.
  • The answer depends on the type of the organization and the usage – each organization has its “favorite” most used activities, and the scope of sensitive T-Codes varies accordingly. We discovered that even companies in the same industry can disagree on the list of sensitive activities. For instance, automobile manufacturers fall under the industry of “production,” and so do some companies in the food industry. Although they both make goods, the difference in risk between stealing during the shipping process from a 1 MM shipment of canned corn and a shipment of 3 automobiles is obvious. Same goes for the finance-related industry; although insurance companies and banks both deal with money, insurance companies are more concerned about fraudulent claims than they are about someone making a standard withdrawal from their account. 

So why is it so important for you to know the answer?

Sensitive” means dangerous and dangerous means that you must track usage. If you track usage, then from time to time you’ll find “surprises” (e.g., suspicious behavior) like someone utilizing XK01 (Create Vendor) in the middle of the night, or F110 (Automatic Payment) to transfer money on an unexpected date. Defining the “list” of the most sensitive T-Codes for your organization will enable you to know who can use them, what the true risk is and who really is using them. Just as importantly, you’ll be able to determine which sensitive T-Codes can be taken off from the people who don’t use them, in order to reduce the risk of misuse.

So you see, the “most sensitive T-Codes” is a thorough compilation of many subjective answers whittled down to the core. It’s doing your due diligence and having the ability to be both specific and broadminded. 

…And yes, you must have that list.

ProfileTailor Dynamics shows Authorization Roles which Contain High Risk Activities

What would you consider your most Sensitive T-Codes? We’d love to hear. Please share them with us here.

Xpandion is the leading provider of GRC and Authorizations software solutions for ERP. If you have any questions or concerns about your GRC or authorizations, contact us now.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 21/07/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in Security & AuthorizationsPosted by Yoav Michaeli

Discover How Simple It Can Be To Manage a Role Catalog

One of your accounting clerks just left on maternity leave (congratulations to Sally). Another employee is replacing her and thus has the new responsibility of performing Invoice Reconciliation (good luck to John). To perform this task, John needs to open a new request in the portal for the proper a...
in Security & AuthorizationsPosted by Moshe Panzer

3 Easy Ways to Prepare for the Event of Employee Leave

“Leaving us so soon, Mr. Solo?” This famous quote might sound good in the movies, but in a business environment, the event of an employee leaving your company can cause some serious security issues if not treated properly. Let’s talk about why and what you can do to prevent these risky situations. ...
in Security & AuthorizationsPosted by Dror Aviv

SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit

    37 inShare (This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots). When it comes to SAP audit time, audi...
in Security & AuthorizationsPosted by Dror Aviv

How to Understand SAP Authorizations in 10 Minutes or Less

If you’re like most CIOs, CISOs or internal auditors that work in a company that has implemented SAP, every day you have to contend with overloaded terms like “Profile,” “Authorization Role” and “Authorization Object” and quotes such as “This person can't access the company code because he doesn’t h...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


3310 W Braker Lane Suite 300-253

Austin, TX 78758, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India