Prohibiting User Access to ABAP Code

Former Member
0 Kudos

Hi,

I have a Key User who has access to the ABAP CODE via SA38 -> System Status -> double click the report name. How can I prohibit the user from looking at the code?

Thanks,

Shah.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Try removing access to SA38 and activity 03 in S_PROGRAM. Then, add the reports to the report tree for execution.

Alternatively (and I don't recommend this, but it does work), if you want to protect custom programs, then you could modify the name of the ABAP source code in the ORACLE-only table D010S, which contains the ABAP source. This makes it different from the load module, which retains its original name to allow it to execute.

There are those who argue that you should provide more freedom to extract data from the system using the programs. However, consider the case of someone who does not have access to SE03, and so he uses SA38, writes the standard program to run this TCode, and uses it.

Not all standard programs have this problem because some of them make an initial validation by an authorization object before running on the ABAP editor. I recommended this approach as the first step in the Profile Generator is to make a first validation by the TCode. You should also make sure that the people who do queries are able to acquire the TCode.

One other thought is that the access definitions in the development environment are more powerful in terms of making ABAP programs and running them. In the production system this is more restricted for security reasons.

Reward points if found helpful.

Cheers,

Chandra Sekhar.
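
As an added example (not part of the original post), one way to check which roles still grant SA38 before and after removing it: a Python audit over role authorization rows. It assumes a CSV export of table AGR_1251 with the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED; the role names and rows are constructed, and a trailing `*` is assumed to act as a prefix wildcard.

```python
import csv
import io

# Constructed sample rows in the assumed AGR_1251 export layout (role names are made up).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_KEY_USER,S_TCODE,TCD,SA38,,
Z_REPORTING,S_TCODE,TCD,SA*,,
Z_BASIS_RANGE,S_TCODE,TCD,SA00,SA99,
Z_OLD_ROLE,S_TCODE,TCD,SA38,,X
Z_DISPLAY,S_TCODE,TCD,SE16,,
Z_KEY_USER,S_PROGRAM,P_ACTION,SUBMIT,,
"""


def value_grants(low, high, wanted):
    """True if an authorization value (single, wildcard or interval) covers `wanted`."""
    low, high = low.strip().upper(), high.strip().upper()
    if high:
        # Interval LOW..HIGH, compared character-wise as strings.
        return low <= wanted <= high
    if low.endswith("*"):
        # Assumption: trailing '*' is a prefix wildcard ('*' alone matches everything).
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting_tcode(export_text, tcode="SA38"):
    """Return the sorted role names whose active S_TCODE values cover `tcode`."""
    wanted = tcode.upper()
    hits = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue  # only transaction start authorizations matter here
        if row["DELETED"].strip().upper() == "X":
            continue  # authorization is flagged as deleted in the role
        if value_grants(row["LOW"], row["HIGH"], wanted):
            hits.add(row["AGR_NAME"])
    return sorted(hits)


if __name__ == "__main__":
    for role in roles_granting_tcode(SAMPLE_EXPORT):
        print(role)
```

The wildcard and interval rows are the ones a search for the literal value SA38 would miss.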

2 REPLIES

Former Member
0 Kudos

Hi,

Assign limited authorisation to the user.

Please refer to the link:

http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm

The transaction for creating an authorization object is SU21, and for a role it is PFCG.

Regards,

Renjith Michael.