02-26-2019 6:07 PM
Hello,
If a user appeared in the DEVACCESS table and has access to authorization object S_DEVELOP with ACTVT values 01 and 02, and someone later deletes the user from DEVACCESS, will that still be a security issue, and what activities can that user perform?
Thanks
02-26-2019 11:26 PM
Which ABAP release are you on? Developer Keys are no longer used in S/4HANA systems.
You need to protect via authorisations and shouldn't be assigning that level of access in production.
Refer to note 2309060 - The SSCR license key procedure is not supported in SAP S/4 HANA
02-26-2019 6:31 PM
02-26-2019 6:42 PM
Hi Tammy, in one of the clients I'm seeing users having 01 & 02 access in PRD.
02-26-2019 8:09 PM
03-01-2019 3:25 PM
Thanks Colleen. So the client is on HANA 1.0, which means the only way to restrict the access is through S_DEVELOP, is it?
Thanks again!
03-01-2019 10:42 PM
Restrict your S_DEVELOP and S_TRANSPRT access to display. Take note of DEBUG for the object type to avoid granting permanent access to debug display in production (there is a risk they could debug past a commit statement and end the session before completing the program run) - Tan Michael already made the comment about the ACTVT 02 access.
In PFCG authorisations, press F1 on the S_DEVELOP object as it gives you a heap of practical scenarios.
As an aside, I've seen developers debug past checks for the DEVACCESS key, so I'm quite happy to see guidance that security authorisations are the way to go. Also, it's less manual administration to register developers and continually review keys.
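One way to check roles for the access discussed above, added here as an example and not part of the original post: the script reads a CSV export of role authorization data and flags S_DEVELOP authorizations that grant ACTVT 01 or 02, marking those whose OBJTYPE covers DEBUG. The column names follow table AGR_1251; the CSV layout, role names and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in an assumed CSV layout modelled on table AGR_1251.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_SUPPORT_DISPLAY,S_DEVELOP,T-D100,ACTVT,03,
Z_SUPPORT_DISPLAY,S_DEVELOP,T-D100,OBJTYPE,DEBUG,
Z_FIREFIGHTER,S_DEVELOP,T-F200,ACTVT,01,03
Z_FIREFIGHTER,S_DEVELOP,T-F200,OBJTYPE,*,
Z_LEGACY_DEV,S_DEVELOP,T-L300,ACTVT,02,
Z_LEGACY_DEV,S_DEVELOP,T-L300,OBJTYPE,PROG,
Z_LEGACY_DEV,S_TRANSPRT,T-L301,ACTVT,03,
"""

RISKY_ACTVT = ("01", "02")  # create and change, the values raised in the thread


def covers(low, high, value):
    """True if a LOW/HIGH entry covers value: wildcard, range, prefix or exact."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def audit_s_develop(export_text):
    """Return findings for S_DEVELOP authorizations granting ACTVT 01 or 02."""
    # Fields of one authorization are checked together, so group by (role, auth).
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "S_DEVELOP":
            auths[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].append((row["LOW"], row["HIGH"] or ""))
    findings = []
    for (role, auth), fields in sorted(auths.items()):
        granted = [a for a in RISKY_ACTVT if any(covers(lo, hi, a) for lo, hi in fields.get("ACTVT", []))]
        if granted:
            debug = any(covers(lo, hi, "DEBUG") for lo, hi in fields.get("OBJTYPE", []))
            findings.append({"role": role, "auth": auth, "actvt": granted, "debug": debug})
    return findings


if __name__ == "__main__":
    for f in audit_s_develop(SAMPLE_EXPORT):
        print(f)
```

Roles are only one source of authorizations; manually assigned profiles would need the same check.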
03-07-2019 1:26 PM
03-23-2019 12:39 PM
Hi Colleen,
If my SCC4 is set to no changes allowed and my SE06 is not modifiable, would any user with debug access be able to update table data and maybe use debug privileges?
03-24-2019 9:38 AM
Debug display in a production environment can be a risk if a user debugs past a commit statement and exits out before the program has completed.
In short, protect your system integrity and restrict the object.
03-26-2019 4:47 AM
Thanks Colleen. In this case someone had debug access; now I wanted to understand if any changes were made using that access. Audit logging in the system is not enabled, hence I can't check the SM20 logs. Any other leads to see if any changes were made?
I tried checking through ST03N whether RSTPDAMAIN is invoked, and it appears during the period, but does RSTPDAMAIN get called even with display debug access as well? And is it the right way to go about it?
Any other possible way to find out if any changes were made at all?
Thanks a lot for helping.
02-27-2019 5:46 AM
Hi,
I think he/she can view the program and debug it since he/she got 02 (changed); she/he can manipulate the data filters through debugging.
03-07-2019 1:23 PM