$(function () { pageContext.i18n.modTalk = 'moderation talk'; pageContext.i18n.replyToComment = 'Reply'; pageContext.i18n.modTalkEmpty = 'moderation talk is empty'; pageContext.url.getModTalk = "/comments/%25ID%25/listModTalk.json"; pageContext.url.possibleCommentRecipients = "/comments/%ID%/possibleRecipients.json"; pageContext.url.commentEdit = '/comments/%25ID%25/edit.html'; pageContext.url.commentView = '/comments/%ID%/view.html'; pageContext.i18n.commentVisibility = { 'full': 'Viewable by all users', 'op': 'Viewable by the original poster', 'mod': 'Viewable by moderators', 'opAndMod': 'Viewable by moderators and the original poster', 'other': 'Advanced visibility', 'dialogTitle': 'Comment visibility', 'selectGroups': 'Visible to groups', 'selectOther': 'Other recipients', 'selectOriginalPoster': 'Original poster', 'selectModerators': 'Moderators', 'selectAssignees': 'Asked to answer users' }; pageContext.i18n.commentMenuLabels = { 'comment-edit': 'comments.menu.edit', 'comment-delete': 'comments.menu.delete', 'comment-convert': 'comments.menu.convert' };pageContext.i18n.answer= { bestAnswer: 'Best Answer', controlBar : { accept: 'Accept', unaccept: 'Unaccept', acceptCommand: 'Accept this answer as correct', cancelAcceptedCommand: 'Remove this answers accepted status' } }; window.croles = { u: false, op: false, m: false, og: false, as: false, ag: false, dc: false, doc: false, eo: false, ea: false }; tools.init({ q: { e: false, ew: false, eo: false, r: false, ro: false, d: false, dow: false, fv: false, c: false, co: false, p: false, tm: false , ms: false, mos: false }, n: { f: false, vf: false, vfo: false, vr: true, vro: true, c: false, co: false, vu: false, vd: false, w: false, wo: false, l: false }, c: { e: false, eo: false, d: false, dow: false, ta: false, tao: false, l: false }, a: { e: false, ew: false, eo: false, d: false, dow: false, a: false, aoq: false, ao: false, tc: false, tco: false, p: false, tm: false }, pc: croles }, { tc: true, nsc: true }); commandUtils.initializeLabels(); }); Skip to Content
avatar image
Former Member

Disable change authorization in debug mode for single class

We wanted to disable some  "Generic Object Services" such as attachment list / create attachment. So certain users are not allowed to see the attachment. We achieved it using SGOS to Substitute standard service class with our own class. then use "CHECK_STATUS" method.

Now everything works fine. The set of users which are not supposed to see these attachments also involves developers. These users have access to debug mode and can change values at run time and change behavior of the class method.

So we remove authorization for changing variable values in debug mode. But this blank ban does not work as in certain cases they need to change values in debug mode.

Can some one advice if we can stop developers from changing values of variable in particular class method? or we need a redesign of our solution?


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Sep 08, 2013 at 12:58 AM


    they can also go straight to DB table using SE16 and get attachment from there. Right?

    Honestly, that case when they really need to have access to change in debugger should be so rare that you can handle it as an exception. Whenever they need it they can submit a request and they will get it for limited time. As Julius said if they need it on daily basis then they are doing dodgy stuff.

    The macros could not be debugged. So you could wrap your logic into macro and try to prevent easy change of sy-subrc with this technique. It seems that the new debugger allows macro debugging (I haven't tested it). So you can't try to use this trick anymore. Not that I would advice to use this trick.

    I think every change of value in debugger gets logged in SM21 so I would have a look there how often it happens in production.

    To summarize, a developer with allowed change in debugger is unstoppable.


    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 07, 2013 at 08:20 PM

    ACTVT 02 (change variables) supports the object name and package, but ACTVT 01 (system debugging) does not as those programs override almost everything and the calling program does not matter anymore.

    But... if your developers need to permanently have debugging access to production then that is a different problem and you probably have much bigger ones than unauthorized display to GOS objects.

    If this has been going on for a long time, then you probably have a big can of worms there... (in the organizational and change management sense...)



    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Thanks Julius,

      We are trying to achieve this in a test system not in production. In production we have controlled emergency use concept. There developers can have debug change authority only in case of emergency. But issue is that its a different team with different geographical location. They are allowed to have access to attachment services as well. We are not. When client is copied the attachments are also copied to test system 😔.

      Will explore more based on your suggestions.