2019 Feb 26 6:07 PM
Hello,
If a user appeared in the DEVACCESS table and has access to authorization object S_DEVELOP with ACTVT values 01 and 02, and later someone deletes the user from DEVACCESS, will that still be a security issue, and what activities can that user perform?
Thanks
2019 Feb 26 6:31 PM
2019 Feb 26 6:42 PM
Hi Tammy, in one of the clients I'm seeing users having 01 & 02 access in PRD.
2019 Feb 26 8:09 PM
2019 Feb 26 11:26 PM
Which ABAP release are you on? Developer Keys are no longer used in S/4HANA systems.
You need to protect via authorisations and shouldn't be assigning that level of access in production.
Refer to note 2309060 - The SSCR license key procedure is not supported in SAP S/4 HANA
2019 Mar 01 3:25 PM
Thanks Colleen. So the client is on HANA 1.0, which means the only way to restrict the access is through S_DEVELOP only, is it?
Thanks again!
2019 Mar 01 10:42 PM
Restrict your S_DEVELOP and S_TRANSPRT access to display. Take note of DEBUG for object type to avoid granting permanent access to debug display in production (there is a risk they could debug past a commit statement and end the session before completing the program run) - Tan Michael already made the comment about the ACTVT 02 access.
In PFCG authorisations, press F1 on the S_DEVELOP object as it gives you a heap of practical scenarios.
As an aside, I've seen developers debug past checks for the DEVACCESS key, so I'm quite happy to see guidance that security authorisations are the way to go. Also, it's less manual administration to register developers and continually review keys.
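Added example (not part of the thread and not SAP code): one way to review exported role authorization values for the S_DEVELOP settings discussed above, flagging ACTVT 01/02 and debug display, including when they are granted through a range or a wildcard. The CSV column names, role names and sample rows are constructed assumptions; adapt them to whatever export of role authorization data you use.

```python
import csv, io
from collections import defaultdict

# Constructed sample export: one row per field value of an authorization instance.
SAMPLE = """role,auth,object,field,low,high
Z_SUPPORT_DISPLAY,A1,S_DEVELOP,ACTVT,03,
Z_SUPPORT_DISPLAY,A1,S_DEVELOP,OBJTYPE,*,
Z_FIREFIGHT_DEV,B1,S_DEVELOP,ACTVT,01,02
Z_FIREFIGHT_DEV,B1,S_DEVELOP,OBJTYPE,PROG,
Z_BASIS_DEBUG,C1,S_DEVELOP,ACTVT,03,
Z_BASIS_DEBUG,C1,S_DEVELOP,OBJTYPE,DEBUG,
Z_BASIS_DEBUG,C2,S_DEVELOP,ACTVT,*,
Z_BASIS_DEBUG,C2,S_DEVELOP,OBJTYPE,TABL,
Z_TRANSPORT,D1,S_TRANSPRT,ACTVT,03,
"""

def covers(low, high, value):
    """True if a single value, a low-high range or a wildcard includes value."""
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return low == value

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(rows):
    # Field values only combine within the same authorization instance.
    inst = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["object"] == "S_DEVELOP":
            inst[(r["role"], r["auth"])][r["field"]].append((r["low"], r["high"]))
    findings = []
    for (role, auth), fields in sorted(inst.items()):
        def has(field, value):
            return any(covers(lo, hi, value) for lo, hi in fields.get(field, []))
        for actvt, label in (("01", "create"), ("02", "change")):
            if has("ACTVT", actvt):
                findings.append((role, auth, f"ACTVT {actvt} ({label})"))
        # OBJTYPE '*' also grants DEBUG, so a "display only" role can still debug.
        if has("OBJTYPE", "DEBUG") and has("ACTVT", "03"):
            findings.append((role, auth, "debug display"))
    return findings

if __name__ == "__main__":
    for finding in audit(load(SAMPLE)):
        print(*finding, sep=" | ")
```

In the sample, the display-only role is still flagged for debug display because its OBJTYPE is a wildcard.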
2019 Mar 07 1:26 PM
2019 Mar 23 12:39 PM
Hi Colleen,
If my SCC4 is set to no changes allowed and my SE06 to not modifiable, would any user with debug access be able to update table data and maybe use debug privileges?
2019 Mar 24 9:38 AM
Debug display in a product environment can be a risk if a user debugs past a commit statement and exits out before the program has completed.
In short, protect your system integrity and restrict the object.
2019 Mar 26 4:47 AM
Thanks Colleen. In this case someone had debug access, and now I want to understand if any changes were made using that access. Audit logging in the system is not enabled, hence I can't check the SM20 logs. Are there any other leads to see if any changes were made?
I tried checking if RSTPDAMAIN is invoked through ST03N and it appears during the period, but does RSTPDAMAIN get called even with display debug access as well? And is it the right way to go about it?
Is there any other possible way to find out if any changes were made at all?
Thanks a lot for helping.
2019 Feb 27 5:46 AM
Hi,
I think he/she can view the program and debug it since he/she has 02 (change); he/she can manipulate the data filters through debugging.
2019 Mar 07 1:23 PM