SE16N_BATCH program

SE16N_BATCH is a very powerful and dangerous program. You can use it to run SE16 queries for large datasets in batch mode and later pick up the results from the spool.

But it can also be misused to fetch data that you are not authorized to see, but a batch user can see.

Good use

For example you need a lot of records from BSEG:

This might fail online. If you run it in batch mode, you can simply pick up the spool later with the needed data:

Misuse

The program can be used for hacking purposes as well. Suppose you want to get all user password hashes. SE16N for USR02 is blocked. Now run the program in batch (not with your own user, but with a batch job user with rights to read USR02 data). Now all data is available in the spool for the hacker….

OSS notes

3443282 – “submit se16n_batch exporting list to memory” doesn’t work in background run

How to check SE16N usage?

SE16, SE16N and SE16H are frequently used transactions. They can be used in positive way to quickly fetch data. They can also be a security risk, since it might lead to unwanted data display.

Questions that will be answered in this blog are:

  • Which users used SE16N?
  • How much data do the user pull using SE16N?
  • Which tables did the users read using SE16N?
  • How to check which changes were performed using SE16N?

Which users are using SE16?

Start transaction ST03 or ST03N, and create detailed settings for recording of SE16N:

Save the values and let the system collect the data.

Now in ST03 in the tree below Transaction Profile, the Details for SE16N are shown. Double clicking on the EXEC function will give details on the execution step:

The DB data is normally shown more to the right.

This will give you information on who used SE16N, and how much data transfer was happening.

Which tables were read using SE16N?

If you want to know which table was read during SE16N, you must first activate activity DU9 (generic table access) in the SAP audit log. Go to transaction RSAU_CONFIG and make sure this activity is on:

Now you can use audit log display the audit log with transaction RSAU_READ_LOG or RSAU_READ_LOG_ADM (this is the version without user ID and terminal):

Select DU9 only to make the report faster.

You can now see the tables accessed via SE16N:

In many analysis cases it is sufficient to see which tables are read, and how frequently.

Use RSAU_READ_LOG to see also user and terminal information.

The audit log is a powerful tool. Be aware of privacy related rules in your company.

SE16N performance

Notes on SE16N performance:

Changes done with SE16N

On ECC or S4HANA systems, changes to SE16N are recorded in tables SE16N_CD_DATA and SE16N_CD_KEY. You can display the changes done using report RKSE16N_CD_DISPLAY:

OSS notes for RKSE16N_CD_DISPLAY: