How SAP Security Consultants Build Roles When a Custom Transaction Is Created - SAP SECURITY


Complete Process Including SE93 Checks, Authorization Tracing, SU24 Maintenance and Role Design

In many SAP projects, business teams require functionality that standard SAP transactions cannot provide. To support these needs, developers create custom transactions in the customer namespace, usually starting with Z or Y.

Whenever a new custom transaction is created, the SAP security consultant is responsible for ensuring that the authorization design is secure, minimal, and aligned with business requirements.

Building a role for a custom transaction is not just a matter of adding the transaction to a role. It requires several checks, including SE93 verification, authorization tracing, SU24 maintenance, segregation of duties analysis, and collaboration with the functional and development teams.

This article explains the complete process SAP security consultants follow when a custom transaction is introduced, including the real checks performed during projects.


Step 1 Understand the Business Requirement

Before working on authorization design, the first responsibility of a SAP security consultant is to understand the business process.

A consultant should never build a role without knowing what the transaction actually does.

Typical questions asked during discussions with the functional consultant or business owner include:

What business activity the transaction performs
Who will use the transaction
Whether the activity involves display, create, change, or delete actions
Which department owns the business process

This step helps determine the level of access required and prevents unnecessary authorization assignments.


Step 2 Check the Transaction in SE93

The next important step is verifying the custom transaction using SE93.

SE93 (Maintain Transaction) is where transaction codes are created and displayed. For a security consultant it answers the first question: what does this transaction code actually start?

Steps performed in SE93:

Open SE93
Enter the custom transaction code
Select Display

Now review the following information:

Transaction type (dialog, report, parameter, variant, or object/method transaction)
Program name, or for parameter and variant transactions the underlying transaction, such as SM30 with a Z view
Package details
GUI support
Authorization object and values entered in SE93, which are checked at transaction start in addition to S_TCODE

Most custom transactions point to an ABAP program. Identifying it matters because the only checks SAP performs automatically at transaction start are S_TCODE and the optional object entered in SE93; every other authorization check has to be implemented as an AUTHORITY-CHECK inside the program logic. A parameter transaction that wraps SM30 or SE16 for a Z table is the exception: there the relevant checks are the generic table checks (S_TABU_DIS on the table's authorization group and S_TABU_NAM on the table name), so the table's authorization group must be maintained as well.

For example, a transaction such as Z_VENDOR_CREATE may call a program like Z_VENDOR_MASTER_PROGRAM.

Once the program name is identified, the security consultant coordinates with the ABAP developer.


Step 3 Discuss Authorization Checks With the Developer

Developers are expected to include explicit authorization checks in the program. In practice these checks are often missing or incomplete, and then the only protection for the custom transaction is the S_TCODE check at transaction start.

These checks determine which authorization objects must be present in the user role.

The security consultant should discuss the following with the developer:

Which authorization objects are checked in the program
Whether standard authorization objects are used
If any custom authorization objects were created
Whether the program accesses sensitive tables

In ABAP these checks are AUTHORITY-CHECK OBJECT statements. The statement only sets sy-subrc; it never stops execution on its own, so the program has to evaluate sy-subrc and refuse the action whenever it is not zero.

Understanding these checks helps ensure the correct authorization objects are assigned in roles.
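As an added example (not code from the article), this is what the program behind the transaction discussed above could look like once the checks are in place. The names Z_VENDOR_CREATE, Z_VENDOR_MASTER_PROGRAM and the custom authorization object Z_VENDOR with field ZDEPT are assumptions for illustration; F_LFA1_BUK is the standard SAP object for vendor master access per company code. The comments show which return codes a trace or SU53 would report for each failed branch.

```abap
*&---------------------------------------------------------------------*
*& Z_VENDOR_MASTER_PROGRAM: program behind custom transaction
*& Z_VENDOR_CREATE (both names hypothetical, as in the article).
*& Without the AT SELECTION-SCREEN block below, the only authorization
*& check a user faces is S_TCODE for Z_VENDOR_CREATE, performed by the
*& kernel at transaction start; anyone holding that code could then
*& maintain vendors in every company code.
*&---------------------------------------------------------------------*
REPORT z_vendor_master_program.

PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY,   " company code
            p_lifnr TYPE lifnr.              " vendor; blank = create new

DATA lv_actvt TYPE c LENGTH 2.              " ACTVT: 01 create, 02 change

AT SELECTION-SCREEN.
  " Derive the activity from what the user asked for.
  IF p_lifnr IS INITIAL.
    lv_actvt = '01'.
  ELSE.
    lv_actvt = '02'.
  ENDIF.

  " Standard object F_LFA1_BUK (fields BUKRS, ACTVT): vendor master
  " per company code. AUTHORITY-CHECK only sets sy-subrc; the program
  " must evaluate it, otherwise the check is decorative.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD lv_actvt.
  CASE sy-subrc.
    WHEN 0.
      " authorized for this company code and activity
    WHEN 4.
      " user has F_LFA1_BUK but not these values (trace shows RC=4)
      DATA(lv_text) = |No authorization for activity { lv_actvt } in company code { p_bukrs }|.
      MESSAGE lv_text TYPE 'E'.
    WHEN 12.
      " user holds no F_LFA1_BUK authorization at all (trace shows RC=12)
      MESSAGE 'No authorization for vendor master maintenance' TYPE 'E'.
    WHEN OTHERS.
      " e.g. 24: field names do not match the object definition
      MESSAGE 'Authorization check failed' TYPE 'E'.
  ENDCASE.

  " Hypothetical custom object Z_VENDOR (created in SU21, field ZDEPT =
  " owning department). Custom objects must be covered by the trace and
  " by SU24 just like standard ones, or PFCG will never propose them.
  AUTHORITY-CHECK OBJECT 'Z_VENDOR'
    ID 'ZDEPT' FIELD 'PURCH'
    ID 'ACTVT' FIELD lv_actvt.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for purchasing vendors' TYPE 'E'.
  ENDIF.

START-OF-SELECTION.
  " Reached only when every check above returned 0.
  IF p_lifnr IS INITIAL.
    WRITE: / 'Creating vendor in company code', p_bukrs.
    " vendor creation itself (BAPI or update task) is outside this example
  ELSE.
    SELECT SINGLE name1 FROM lfa1 INTO @DATA(lv_name1)
      WHERE lifnr = @p_lifnr.
    IF sy-subrc = 0.
      WRITE: / 'Changing vendor', p_lifnr, lv_name1, 'in', p_bukrs.
    ELSE.
      WRITE: / 'Vendor', p_lifnr, 'does not exist'.
    ENDIF.
  ENDIF.
```

Placing the checks in AT SELECTION-SCREEN means an E message returns the user to the selection screen instead of dumping out of the program, and it guarantees that no database access in START-OF-SELECTION happens before the checks have passed. This is also the shape the security consultant wants to see during the developer discussion: one AUTHORITY-CHECK per object, the sy-subrc evaluated, and the activity derived from what the user is actually doing rather than hard-coded to '*'.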


Step 4 Perform Authorization Trace

Authorization tracing is the most reliable way to find out which authorization checks a custom transaction really performs, because it records the checks the system executes rather than what the developer remembers.

During this step, the security consultant activates the trace in ST01 (System Trace with the Authorization check component selected and a filter on the test user) or, in newer releases, in STAUTHTRACE, which works across application servers, while the functional consultant executes the custom transaction end to end, including every screen, button and save.

The trace records every authorization object checked, the field values tested and the return code of each check: RC=0 means the check passed, RC=4 means the user has the object but not the tested values, and RC=12 means the user has no authorization for the object at all. SU53 shows only the last failed check of a user and is therefore a complement to the trace, not a replacement.

This helps identify:

Authorization objects used by the program
Missing authorization values
Objects causing authorization failures

Tracing is extremely useful because developers may not always document every authorization check inside the program.

Using trace results, the security consultant can confirm which objects must be included in the role.


Step 5 Maintain SU24 Authorization Proposals

Once the authorization objects are identified, the consultant checks the SU24 entries for the custom transaction.

A newly created transaction has no SU24 proposals: every object is in status "Unmaintained", so adding the transaction to a role in PFCG brings in nothing but S_TCODE.

SU24 maintenance ensures that the right authorization objects, with default values where they are known, appear automatically whenever the transaction is added to a role.

For each object the consultant decides the check indicator and the proposal status. Older releases show these as one combined indicator:

Check/Maintain
Check
Do Not Check

Check/Maintain means the object is checked and is proposed in PFCG, where its values must be maintained.

Check means the object is checked at runtime but not proposed in PFCG.

Do Not Check means the check is deactivated for this transaction.

Newer releases split the same decision into a check indicator (Check or Do Not Check) and a separate proposal flag (Yes or No).

Two caveats matter here. SU24 does not add checks: the program performs the check, SU24 only tells PFCG whether to propose the object and with which values. Conversely, Do Not Check suppresses an AUTHORITY-CHECK at runtime only when the profile parameter auth/no_check_in_some_cases is set to Y, and it can never be used for Basis (S_*) and HR objects. Recent releases can also evaluate an authorization trace directly from SU24 to create the entries, which avoids typing them in by hand.

Maintaining SU24 properly simplifies role building and keeps unnecessary authorization objects out of roles. Roles that already contain the transaction pick up changed proposals only after the role is re-read ("Read old status and merge with new data" in PFCG expert mode, or SU25 step 2c).


Step 6 Identify Sensitive or Critical Access

Security consultants must verify whether the custom transaction performs sensitive operations.

Examples include:

Financial postings
Vendor creation
Payment processing
User administration
Configuration changes

If the transaction performs sensitive activities, the role design must ensure that only authorized users receive access, with organizational values such as company code restricted to what the business owner approved. Sensitive activity usually shows up in the trace as checks on objects such as F_BKPF_BUK (accounting documents per company code), F_LFA1_BUK (vendor master), S_USER_GRP (user administration) or S_TABU_DIS (table maintenance).

This helps maintain compliance and reduces audit risks.


Step 7 Perform Segregation of Duties Analysis

Another critical step is checking segregation of duties risks.

The security consultant must analyze whether access to the new transaction creates conflicts with other user roles.

For example, a user should not be able to both create vendors and process vendor payments.

If a conflict exists, possible solutions include:

Removing conflicting access
Creating separate roles
Applying mitigation controls

Risk analysis, ideally against a maintained rule set (for example in SAP GRC Access Risk Analysis), ensures that the custom transaction does not introduce segregation of duties violations. Because the custom transaction is unknown to the standard rule set, it must be mapped to the corresponding function in the rule set, otherwise the analysis will never report it.


Step 8 Build the Role in PFCG

After completing the analysis, the consultant builds the role.

The role creation process includes:

Creating a new role in PFCG
Adding the custom transaction to the role menu, which pulls in the SU24 proposals and enters the transaction in S_TCODE
Opening the authorization data on the Authorizations tab and maintaining the open (yellow) fields, for example company code and activity
Generating the profile
Assigning test users and running the user comparison so the generated profile reaches the user master

If the transaction has no SU24 entries, the role will contain nothing but S_TCODE and the program's checks will fail at runtime. The fix is to maintain SU24 first rather than to insert objects manually in the role, because manually inserted objects are not kept in sync with SU24 on later changes.

During this step, the consultant reviews every authorization object and value in the role. Unnecessary objects are deactivated or removed, and wildcards such as * in organizational fields are replaced by the values the business actually needs, so that users only receive the required access.


Step 9 Test the Role With Functional Consultants

Testing is an essential step before deploying the role.

The functional consultant executes the transaction using a test user while the security consultant monitors authorization behavior.

Testing verifies that:

Users can perform required activities
No authorization errors occur
No excessive access is granted

If authorization failures appear, the consultant runs SU53 for the test user immediately after the failure or reviews the trace, and corrects the values in the role. The test user should hold only the new role (never SAP_ALL or a developer profile), otherwise missing checks stay hidden; a negative test with a user outside the intended group should end in a "No authorization" message.


Step 10 Transport the Role Across the System Landscape

Once testing is completed, the role must be transported through the system landscape.

Typical landscape flow includes:

Development system
Quality system
Production system

The role is transported from PFCG (Role > Transport), which places it in a Customizing request. The SU24 changes for the transaction live in the customer tables USOBT_C and USOBX_C and are transported separately from SU24; they must arrive in the target system before the role. After import, the user master comparison (PFUD or the User Comparison button in PFCG) must be run in the target system, otherwise assigned users do not receive the generated profile.

Roles should be tested again in the quality environment before production deployment.

Transport documentation should clearly describe the purpose of the role.


Step 11 Maintain Documentation for Audit

Documentation is extremely important for compliance and audits.

Security teams should document:

Business purpose of the role
Transactions included in the role
Authorization objects maintained
Role owner details

Auditors frequently request this information during security assessments.

Proper documentation helps demonstrate strong access governance.


Key Checks Every SAP Security Consultant Performs

When a custom transaction is introduced, security consultants should always perform these checks:

Understand business requirement
Verify transaction details in SE93
Identify underlying program
Discuss authorization checks with developers
Perform authorization tracing
Maintain SU24 authorization proposals
Identify sensitive activities
Perform segregation of duties analysis
Build roles using least privilege principle
Test roles with functional teams
Transport roles through system landscape
Maintain role documentation

Following these steps ensures that custom transactions are implemented securely and efficiently.


Final Thoughts

Custom transactions are common in SAP systems and play an important role in supporting business processes. However, they also introduce additional security considerations.

SAP security consultants must carefully analyze authorization requirements, collaborate with functional and development teams, and perform proper testing before granting access.

By using tools such as SE93, authorization tracing, SU24 maintenance, and role design in PFCG, consultants can ensure that custom transactions operate securely while maintaining strong governance and compliance within the SAP landscape.
