Daniel Berlin on Security Insight on SAP security, development stuff… and all the rest

3Oct 12

Determine transaction type & status from table TSTC (field CINFO)

Hello programmers,
if you ever wanted to determine the transaction type (dialog, parameter tcode …) and status (locked …), you probably came across table TSTC (where tcodes are defined) and found that this information is encoded in the CINFO field — which contains an old-school hexadecimal value.


So… wtf do those CINFO values mean? Here we go:

CINFO (hex)BinaryTypeLocked ?Auth. object check ?
0x000000 0000Dialog transactionnono
0x040000 0100Dialog transactionnoyes
0x200010 0000Dialog transactionyesno
0x240010 0100Dialog transactionyesyes
0x010000 0001Area menu (obsolete)no-
0x210010 0001Area menu (obsolete)yes-
0x020000 0010Parameter / variant transactionno-
0x220010 0010Parameter / variant transactionyes-
0x080000 1000Object transactionnono
0x0C0000 1100Object transactionnoyes
0x280010 1000Object transactionyesno
0x2C0010 1100Object transactionyesyes
0x801000 0000Report transactionnono
0x841000 0100Report transactionnoyes
0xA01010 0000Report transactionyesno
0xA41010 0100Report transactionyesyes
0x901001 0000Report transaction with variantnono
0x941001 0100Report transaction with variantnoyes
0xB01011 0000Report transaction with variantyesno
0xB41011 0100Report transaction with variantyesyes
0x05 (invalid)0000 0101Area menu (obsolete)no-
0x06 (invalid)0000 0110Object transaction -or-
Parameter transaction
0x44 (invalid)0100 0100Dialog transactionnoyes

(The CINFO values marked with "invalid" exist, but make no sense… probably because they're relicts created by SAP a long time ago. 😯 )


According to the above, these are the bitmasks for your own program:

Bitmask (hex)BinaryMeaning
0x000000 0000Dialog transaction
0x010000 0001Area menu
0x020000 0010Parameter / variant transaction
0x080000 1000Object transaction
0x801000 0000Report transaction
0x901001 0000Report transaction with variant
0x040000 0100Flag: Authorization object check ?
0x200010 0000Flag: Locked ?


To get started, either have a look at the report "RSAUDITC_BCE" or try this:

TABLES: tstc.
* -- Bitmasks
DATA: c_auth TYPE x VALUE '04',
      c_lock TYPE x VALUE '20'.
* -- Find all locked transactions
  CHECK tstc-cinfo O c_lock.
  WRITE: / tstc-tcode, 'is locked'.
* -- Find customer transactions w/o authorization check
SELECT * FROM tstc WHERE tcode LIKE 'Y%' OR tcode LIKE 'Z%'.
  CHECK NOT tstc-cinfo O c_auth.
  WRITE: / tstc-tcode, 'has no authorization check'.
Comments (2) Trackbacks (0)
  1. Thank you Daniel.
    This info is really helpful. Where in SAP did you find these definitions?

    • Hi Sabrina.
      I found some of the bitmasks in standard reports – this got me started.
      Then I searched a huge system for all possible CINFO values and matched this against the ones I knew so far – this information confirmed (most of) the known values and exposed the values that I didn’t know yet.
      Then I reproduced the known and unknown CINFO values, until the logic became obvious.

      Finally, I tried to dig the faulty values (which is the most interesting part).

      Best regards, Daniel

Leave a comment

No trackbacks yet.