SHD0 – Maintain Transaction Variants

Transaction variants allow us to selectively mask certain fields in SAP transactions/screens. Though not strictly a security tool, transaction variants have security applications: they help prevent users from updating fields that are not protected through authorization objects.

Transaction variants are created through the SHD0 t-code. The initial screen of SHD0 is shown below. To create a transaction variant, we enter the name of the parent transaction, give the variant a name and click the create button.

SHD0 - Initial Screen

In our example below, we create a transaction variant ZSU01 for the very common SU01 tcode. The transaction variant allows an administrator only to reset passwords and hides all other functions of SU01. Each transaction variant consists of one or more screen variants, depending on the number of screens called in the entire transaction flow. We don’t have to keep track of the screen variants manually when working with transaction variants. As we move from one screen to the next, SHD0 automatically creates a new screen variant and appends it to the sequence.

On clicking the create button for ZSU01, we are taken to the standard SU01 screen. We enter a user name and click the change password button. A pop-up window appears with a list of the screen fields. This window contains the attributes of our first screen variant. It is here that we enter a name for the screen variant and can selectively mark screen fields as invisible, output only, required, etc.

SHD0 - Confirm screen entries for SU01 initial screen

The screen variant window has a “Menu Functions” button where we can selectively hide or deactivate menu items and toolbar buttons. Since our intention is to disable everything except the password change options, we end up with the screen below.

SHD0 - Change menu entries

On clicking the check button in the screen variant window, we are taken to the next screen and need to save our entries for the password change screen.

SHD0 - Confirm screen entries for password change

On clicking the save and exit button, we are taken to the overview screen for the transaction variant. As shown below, this screen gives the definition of the individual screen variants which form part of the transaction variant. On saving our entries, we are taken to the SHD0 initial screen, which shows the transaction variant and the screen variants defined under it.

SHD0 provides a test button with which we can check whether the newly created transaction variant works as required. Once tested, we create a new Z transaction (ZSU01) for the transaction variant by following the menu path Goto > Create Variant Transaction.

SE93 - Create variant transaction
SE93 - Create variant transaction 2

Once set up, this new transaction can be assigned to a user’s role just like a normal transaction. Executing ZSU01 displays a modified form of the SU01 screen with all functions other than the change password button disabled.

Executing transaction variant for SU01
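
An added example, not part of the original post: the variant only masks the screen when the user starts ZSU01, so a role that also grants the parent SU01 through S_TCODE leaves the full screen reachable. The sketch below flags such roles in rows shaped like an AGR_1251 export; the role names and rows are constructed, and it assumes that everything after a `*` in an authorization value is ignored.

```python
# Constructed sample rows in the shape of an AGR_1251 export:
# (role, authorization object, field, low value, high value).
SAMPLE_ROWS = [
    ("Z_HELPDESK_PWD", "S_TCODE", "TCD", "ZSU01", ""),
    ("Z_HELPDESK_OLD", "S_TCODE", "TCD", "ZSU01", ""),
    ("Z_HELPDESK_OLD", "S_TCODE", "TCD", "SU0*", ""),
    ("Z_BASIS_RANGE", "S_TCODE", "TCD", "ZSU01", ""),
    ("Z_BASIS_RANGE", "S_TCODE", "TCD", "SU00", "SU10"),
    ("Z_DISPLAY", "S_TCODE", "TCD", "SU01D", ""),
    ("Z_DISPLAY", "S_USER_GRP", "ACTVT", "03", ""),
]

# Variant transaction -> parent transaction it masks (pair from the article).
VARIANTS = {"ZSU01": "SU01"}


def grants(low, high, tcode):
    """True if one S_TCODE value (single, pattern or range) covers tcode."""
    if high:                       # LOW..HIGH interval, compared as strings
        return low <= tcode <= high
    if "*" in low:                 # assumption: text after '*' is ignored
        return tcode.startswith(low.split("*", 1)[0])
    return low == tcode


def unmasked_roles(rows, variants=VARIANTS):
    """Return {role: [(variant, parent, granting value), ...]} for roles
    that hold a variant transaction and also its unmasked parent."""
    tcodes = {}
    for role, obj, field, low, high in rows:
        if obj == "S_TCODE" and field == "TCD":
            tcodes.setdefault(role, []).append((low, high))
    findings = {}
    for role, values in tcodes.items():
        for variant, parent in variants.items():
            if not any(grants(lo, hi, variant) for lo, hi in values):
                continue           # role does not use this variant at all
            for lo, hi in values:
                if grants(lo, hi, parent):
                    shown = f"{lo}-{hi}" if hi else lo
                    findings.setdefault(role, []).append((variant, parent, shown))
    return findings


if __name__ == "__main__":
    for role, hits in unmasked_roles(SAMPLE_ROWS).items():
        print(role, hits)
```
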

12 thoughts on “SHD0 – Maintain Transaction Variants”

  • May 5, 2011 at 9:25 am

    Good one…thanks for sharing!!

  • July 6, 2011 at 8:26 am

    nice 1……keep it up…

  • July 29, 2011 at 9:09 am

    I just used SHD0 to hide a button in MIR7; yours is helpful, thanks!

  • March 11, 2012 at 7:51 pm

    Hi Aninda,

    Great site for security. I am very new to security and learnt lots of things from this site. One suggestion required on the above example you presented: can it be put to practical use if the users are on SSO, since we get lots of password reset requests?
    Else, please suggest some SAP standard solution for password reset requests.

    Thanks in advance… GREAT WORK.

    • March 12, 2012 at 2:55 pm

      Hi Rajesh,

      First of all, I am not an expert in the configuration of SSO for a system. There are different flavours of SSO being used by different clients so I would suggest to look for the specific tools that are available for your implementation. Standard SAP security tools probably won’t work as the users are not directly logging in to the backend at all.

      Regards,
      Aninda

  • April 25, 2012 at 2:37 pm

    Hi Aninda,

    A few queries here.
    In this case, does ZSU01 call the same program as SU01?
    What entries do we have to maintain in SU24 for this t-code?
    In short, I want to understand how the authorizations are maintained for this customized t-code.

    Thanks
    Gaurav

    • April 26, 2012 at 5:48 am

      Hi Gaurav,

      Any transaction variant calls the same program screens as the original t-code and would need the same auth objects to be executed. You can certainly add these objects to the SU24 entries for the new tcode (ZSU01, for instance) for easier maintenance. However, manually adding the objects to the role with ZSU01 will also work.

      Regards,
      Aninda

  • August 8, 2012 at 5:11 am

    Hi Aninda,

    Great Work!

    Here I have one doubt: using this concept, can we give multiple options like display, lock, unlock, edit, …?

    Please suggest!

    Thanks in Advance!

    Thanks & Regards,
    Siva.

    • August 8, 2012 at 9:10 am

      Hi Siva,

      You basically need to disable all the menu options in the transaction being recorded which you do not want the user to access.

      Regards,
      Aninda

  • November 20, 2012 at 9:04 am

    Hi Aninda,
    In the case of SU01, is it possible to restrict access only to password reset through an authorization object?

    Regards
    Gaurav

  • February 11, 2014 at 6:05 pm

    Hi Aninda, I don’t see the “Menu functions” button in the variant screen while executing SHD0. Do you know why it is not showing? Thank you.

