Former Member

DEVACCESS table maintenance

Hi everyone,

Is there a way to maintain the DEVACCESS table? We need to maintain this table for added security, since there are userids (developers) in our system who are no longer connected with the company and we want to delete the active developer access keys of these users from the said table.

Is there a security risk at all if these access keys were just left active in the table? Would SAP recommend these keys to be deleted from the DEVACCESS table?

Thanks,

Kris Caldoza


3 Answers

  • Former Member
    Jun 20, 2007 at 01:19 PM

    One security risk I've pointed out to clients is that if you leave the entry in DEVACCESS and your termination policy is to delete users, then if you ever create a new user with the exact same userid, that userid will have a dev key entered for them. Simply disabling them in the Marketplace doesn't remove it from the table, and I've deleted entries from DEVACCESS with no problems.


    • Former Member

      I agree with Auke.

      As has been pointed out in this thread and a few others on the topic in the past, developer keys are more an organization control and licensing mechanism.

      However there is a good security reason to delete the keys and ensure access to them is restricted for systems with the same installation number: It raises the security wall against someone wanting to create / change programs in the system such that they would need to jump the wall and make more noise when doing so.... so you have a better chance of detecting it.

      I am not aware of any SAP standard tool to clean DEVACCESS (last I heard there is none), however SAP told us it is okay to do it ourselves, so we created a tool for it.

      Cheers,

      Julius

  • Jun 20, 2007 at 06:37 AM

    Found this in one of the forums...

    DEVACCESS table entries are automatically maintained by SAP as and when an ABAP'ER is registered in the Development system. Any Developer who leaves the Organization has to be expired in his User Master Record. This will also ensure that his User Master Record is not chargeable for License as the User is expired.

    Also...

    ABAP program to delete records from this table:

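    REPORT Z17DEVACCESS.

    " DEVACCESS holds one row per registered developer (user name and access key).
    tables: devaccess.

    " User name whose developer key entry is to be removed.
    parameters: p_user like devaccess-uname.

    " Removes the entry for exactly this user name.
    delete from devaccess where uname eq p_user.

    if sy-subrc eq 0.
      write: / 'User ', p_user, ' deleted.'.
    else.
      " sy-subrc 4 means no entry matched the user name.
      write: / 'Error deleting user ', p_user, ' return code ', sy-subrc.
    endif.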

    ...a few of them also used SM31 to delete the entries. I tried but could not do it...

    Regards

    Sachin


    • Former Member

      Thanks Sachin for all the information. They were very helpful.

      About the ABAP program, does it delete the entry one-by-one?

      Thanks again.

  • Former Member
    Feb 13, 2008 at 09:51 PM

    Hello everybody ...

    May I make a little remark?

    I would suggest switching on table logging (SE13) for DEVACCESS.

    By doing that and by regularly deleting items in DEVACCESS as described already, you create a much better trail of DEVACCESS entries over time.

    That should make the real usage of developer keys much more visible.

    Best regards,

    Ralf


    • Former Member

      Hello Ralf,

      Yes, recording the key fields via table logging (read by SCU3) can help for auditing purposes, but recording the keys themselves would not make sense...

      ... at least not more than any other source for the same valid key to "create less noise"...

      Perhaps things have changed in higher releases, but I doubt it.

      Cheers,

      Julius
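
The risk raised in the first answer (a DEVACCESS entry that outlives its user and then applies to a re-created userid) can be checked before anything is deleted. The report below is an added example, not code from this thread or from SAP: the report name `z_devaccess_orphans` and its output texts are assumptions, and it only reads DEVACCESS and the user master table USR02.

```abap
REPORT z_devaccess_orphans.
" Added example: read-only audit of DEVACCESS against the user master.
" Report name and message texts are assumptions; nothing is deleted here.

TYPES: BEGIN OF ty_usr,
         bname TYPE usr02-bname,
         gltgb TYPE usr02-gltgb,   " valid-to date, initial = no end date
         uflag TYPE usr02-uflag,   " 0 = not locked
       END OF ty_usr.

DATA: lt_unames TYPE STANDARD TABLE OF devaccess-uname,
      lv_uname  TYPE devaccess-uname,
      ls_usr    TYPE ty_usr,
      lv_count  TYPE i.

START-OF-SELECTION.
  " Only the user name is read; the access key is never selected or printed.
  SELECT uname FROM devaccess INTO TABLE lt_unames.

  LOOP AT lt_unames INTO lv_uname.
    SELECT SINGLE bname gltgb uflag FROM usr02 INTO ls_usr
      WHERE bname = lv_uname.

    IF sy-subrc <> 0.
      " User was deleted: a new user with this ID would inherit the key.
      WRITE: / lv_uname, 'no user master record'.
      lv_count = lv_count + 1.
    ELSEIF ls_usr-gltgb IS NOT INITIAL AND ls_usr-gltgb < sy-datum.
      " User still exists but the validity period has ended.
      WRITE: / lv_uname, 'validity ended on', ls_usr-gltgb.
      lv_count = lv_count + 1.
    ELSEIF ls_usr-uflag <> 0.
      " User exists and is locked; unlocking restores developer access.
      WRITE: / lv_uname, 'user is locked'.
      lv_count = lv_count + 1.
    ENDIF.
  ENDLOOP.

  SKIP.
  WRITE: / 'DEVACCESS entries to review:', lv_count.
```

Entries it lists are candidates for the deletion discussed above; with table logging active on DEVACCESS, each removal is then also recorded.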