Former Member

S_DEVELOP - debug display authorization

Hi,

An old one, but I still have not seen a good answer to this one, so I will try again.

Can anyone please elaborate on the risk of having s_develop - debug 03 in production (or any other system for that matter)?

And please only provide concrete examples and not assumptions. Would be good to somewhat put this one to rest :).

br,

/joachim


4 Answers

  • Jul 02, 2017 at 02:10 PM

    Hi Joachim,

    In systems with sensitive data this may allow for viewing raw data in the debugger, beyond the reach of the users' normal authorizations.

    Data may be collected from the database by a program and checked for authorizations on a line-to-line basis before presenting it to the end user. S_DEVELOP with DEBUG and ACTVT 03 will allow you to monitor the raw data before the authorization check takes place.

    Unfortunately I do not have a concrete example for you.

    Jurjen


  • Jul 13, 2017 at 11:54 AM

    Hi Joachim

    This won't give you the explicit examples that you are after but might help you consider the risks, which seem to be system performance (resource availability); access to sensitive data in debug mode prior to the authority check; and potential data inconsistencies/rollback (see Julius' example).

    https://archive.sap.com/discussions/thread/1342811

    Unfortunately, I cannot tell you off the top of my head an example where each of those occurs. I do recall debugging line by line through investment management and getting access to that data and project system information prior to the authority check (data was selected from the table prior to the check).

    Regards

    Colleen


  • Jul 14, 2017 at 10:36 PM

    As someone who wrote numerous custom ABAP programs, I have the same thoughts as Jurjen Heeck. In most cases the raw data is pulled from the database using a SELECT statement first, then the authorization is checked, and based on the result of the AUTHORITY-CHECK, the result is displayed.

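The ordering described in the answers above (SELECT first, AUTHORITY-CHECK per row afterwards), written out next to a check-first variant. This is an added example, not code from the thread or from any SAP program; the report name is hypothetical, and the SAP flight demo model (SCARR, SFLIGHT) with authorization object S_CARRID is assumed as a stand-in for a sensitive table and its authorization object.

```abap
REPORT z_authcheck_order_demo.
" Added illustration. SFLIGHT / S_CARRID stand in for a sensitive table
" and the authorization object that protects it (assumption).

DATA lt_shown   TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
DATA lr_allowed TYPE RANGE OF sflight-carrid.

" --- Order described in the answers: read first, check afterwards ---
SELECT * FROM sflight INTO TABLE @DATA(lt_all).
" From here on lt_all holds every row in program memory, including rows
" for carriers the user is not authorized for. The loop below only
" decides what reaches the output list, not what the program has read,
" so the variable display of the debugger is not limited by it.
LOOP AT lt_all INTO DATA(ls_flight).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD ls_flight-carrid
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc = 0.
    APPEND ls_flight TO lt_shown.
  ENDIF.
ENDLOOP.

" --- Alternative order: check the key values first, then read ---
SELECT carrid FROM scarr INTO TABLE @DATA(lt_carriers).
LOOP AT lt_carriers INTO DATA(ls_carrier).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD ls_carrier-carrid
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc = 0.
    APPEND VALUE #( sign = 'I' option = 'EQ' low = ls_carrier-carrid )
      TO lr_allowed.
  ENDIF.
ENDLOOP.

CLEAR lt_shown.
" An empty range table in IN matches every row, so the SELECT must be
" skipped entirely when the user is authorized for nothing.
IF lr_allowed IS NOT INITIAL.
  SELECT * FROM sflight INTO TABLE @lt_shown
    WHERE carrid IN @lr_allowed.
ENDIF.
" Only authorized rows were ever read into program memory in this variant.

DATA(lv_count) = lines( lt_shown ).
WRITE: / 'Rows shown:', lv_count.
```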

  • Former Member
    Jun 29, 2017 at 10:39 PM

    Hi,

    S_DEVELOP with activity 03 for debug display is no issue, and we can give display activity 03 to users even in production. But S_DEVELOP debug change cannot be assigned to anyone in production, as users may change data with the table browser SE16.

    Hope this helps.

    Venkat
