10-26-2006 3:05 PM
Hi fellow developers. I'm trying to talk our security team off the ledge and I want to conduct an informal poll regarding the responsible use of debug with replace in a DEVELOPMENT environment. For the newer developers: replace is much more powerful in debugging because you can change the values of variables and some system fields like sy-subrc, which makes it very powerful.
Our development environment is set up as follows:
Client 300, ABAP Development/config. We promote to QA and Prod from here but can't unit test because no data is allowed. Debug with NO replace allowed here.
Client 320 Unit testing, debug with replace is allowed.
Both of these clients are on the same instance, same SID, so they share client-independent information.
Our security team claims that it's a security risk to allow debug with replace in our Client 300 because someone could change a security profile or something like that. Here's my question...
Are you authorized to debug with replace in your development environment and if not, what's the reason you were given? I'm looking for arguments one way or the other to use as precedent for a meeting.
Your prompt response is appreciated.
Dan
10-26-2006 3:11 PM
I've worked at approx 20 clients and have ALWAYS had the ability to replace while debugging in development environments.
In my opinion, it's particularly critical when debugging SAP standard code.
10-26-2006 3:12 PM
Hi Dan,
We ARE given the authorization for replace in debugging.
I don't think it is such a big security risk that someone would try to change sensitive information, because those transactions would have authorization checks anyway. You can handle the authorizations of users for transactions using roles.
Regards,
ravi
10-26-2006 3:56 PM
Hi
I think the option can be dangerous in a QA or PROD system because you can skip some controls and change data that normally can't be changed.
A classic example is trx SE16: through debugging you can directly change the data of most tables.
But I don't believe it can be a risk in a development system; in this environment the developer should have no limits, otherwise working and testing can become very hard.
Max