Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

  1. Debug/replace is needed to change the data: don’t hand out debug/replace.
  2. Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.