0

S_DEVELOP - debug display authorization

Jun 26, 2017 at 08:02 AM

778

Former Member

Hi,

An old one, but I still have not seen a good answer to this one, so I will try again.

Can anyone please elaborate on the risk of having s_develop - debug 03 in production (or any other system for that matter)?

And please only provide concrete examples and not assumptions. Would be good to somewhat put this one to rest :).

br,

/joachim


4 Answers

Jurjen Heeck Jul 02, 2017 at 02:10 PM
1

Hi Joachim,

In systems with sensitive data this may allow for viewing raw data in the debugger, beyond the reach of the users' normal authorizations.

Data may be collected from the database by a program and checked for authorizations on a line-to-line basis before presenting it to the end user. S_DEVELOP with DEBUG and ACTVT 03 will allow you to monitor the raw data before the authorization check takes place.

Unfortunately I do not have a concrete example for you.

Jurjen

Former Member

Hi Jurjen,

Very good point indeed.

/joachim

0
Colleen Hebbert
Jul 13, 2017 at 11:54 AM
1

Hi Joachim

This won't give you the explicit examples that you are after but might help you consider the risks, which seem to be system performance (resource availability), access to sensitive data in debug mode prior to the authority check, and potential data inconsistencies/rollback (see Julius' example).

https://archive.sap.com/discussions/thread/1342811

Unfortunately, I cannot tell you off the top of my head an example where each of those occur. I do recall debugging line by line through investment management and getting access to that data and project system information prior to the authority check (data was selected from the table prior to the check).

Regards

Colleen

Jeevan Sagar Jul 14, 2017 at 10:36 PM
1

As someone who wrote numerous ABAP custom programs, I have the same thoughts as Jurjen Heeck. In most cases the raw data is pulled from the database using a SELECT statement first, then the authorization is checked, and based on the result from AUTHORITY-CHECK, the result is displayed.

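The select-then-check pattern described in the answers above, next to a form that checks before reading. This is an added example, not code from the thread; the report name is hypothetical, ABAP 7.40+ syntax is assumed, and BKPF, T001 and F_BKPF_BUK are standard names used only for illustration.

```abap
REPORT z_debug_display_demo. " hypothetical report name

" --- Pattern described in the answers: read first, check afterwards ---
" After this SELECT, lt_docs holds rows for ALL company codes. Anyone who
" can display variables in the debugger sees them before any check runs.
SELECT bukrs, belnr, gjahr FROM bkpf
  INTO TABLE @DATA(lt_docs)
  UP TO 100 ROWS.

DATA lt_visible LIKE lt_docs.
LOOP AT lt_docs INTO DATA(ls_doc).
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD ls_doc-bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc = 0.
    APPEND ls_doc TO lt_visible. " only these rows reach the output
  ENDIF.
ENDLOOP.

" --- Hardened form: check first, then read only permitted rows ---
" Unauthorized rows never enter program memory, so debug display has
" nothing extra to show.
DATA lt_bukrs_ok TYPE RANGE OF bukrs.

SELECT bukrs FROM t001 INTO TABLE @DATA(lt_t001).
LOOP AT lt_t001 INTO DATA(ls_t001).
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD ls_t001-bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc = 0.
    APPEND VALUE #( sign = 'I' option = 'EQ' low = ls_t001-bukrs )
      TO lt_bukrs_ok.
  ENDIF.
ENDLOOP.

" An empty range table in IN matches every row, so guard against it.
IF lt_bukrs_ok IS NOT INITIAL.
  SELECT bukrs, belnr, gjahr FROM bkpf
    INTO TABLE @DATA(lt_docs_ok)
    UP TO 100 ROWS
    WHERE bukrs IN @lt_bukrs_ok.
ENDIF.
```

When reviewing custom code for this exposure, look for an AUTHORITY-CHECK that sits inside a LOOP over a table already filled by an unrestricted SELECT.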
Former Member Jun 29, 2017 at 10:39 PM
0

Hi,

S_Develop with activity 03 for debug display is no issue, and we can give display activity 03 to the users even in production. But S_Develop debug change cannot be assigned to anyone in production, as users may change data with table browser SE16.

Hope this helps.

Venkat
