03-10-2011 2:29 PM
Hi,
i just found that in our prod env. for bw for all developers we have S_DEVELOP authorization with all activities (*).
i just need to provide them debug access in prd without having access to change the values while debugging.
i see all the activities for S_DEVELOP but not sure what all of them does and why its been given *. can some one explain me all the activities and explain which one should be given ? also, should there be any restriction on DEVCLASS, OBJNAME, OBJTYPE, P_GROUP etc. coz all of them are having * value.
01 - create or generate
02 - change
03 - display
06 - delete
07 - activate, generate
16 - execute
40 - create in DB
41-delete in DB
42 - convert to DB
70 - administer
90 - override
L0 - all function
MA - Deactivate mod. assistant
Thank Y
03-10-2011 2:32 PM
03-10-2011 2:33 PM
03-10-2011 3:30 PM
thank you for response florine -
i want to give them debug access but they should not be able to change the values in prod while debugging.
activity 02 is change...
Thanks,
Keral
03-10-2011 3:33 PM
Hi!
yes please see my second respone...
you are absolutely right,
ACTVT must be 03!!!!
have fun
FLo
03-10-2011 5:00 PM
If I give 03 and 16 - they still have problem cannt debug.
so i think i have to give them 01, 03, 16
right ?
do u have specification for other activities ? what r they for ?
03-10-2011 7:37 PM
Hi,
all relevant activities for DEBUG are described in documentation for S_DEVELOP which can be accessed from SU21. There is also note 65968.
Cheers
03-10-2011 9:17 PM
Probably this comes from the role SAP_BW_DEVELOPER which is a piece of **** (sorry).
All aspects (even display debugging) is critical.
Try to remove all S_DEVELOP authorization and show them some of the blogs on SDN about transaction SE14 and debugging process chains.
What you need to give them in return is an emergency user concept for when them within the BW (not the target system for the extraction) need to be able to use database utilities.
9 times out of 10 there are better solutions, which they will find by necessity if their access is removed.
They will then either improve their coding quality or start building in backdoors (changing ALEREMOTE or BWREMOTE to a service or dialog user and claiming that it cannot work without SAP_ALL and SAP_NEW (also stupid) is one such trick).
Sorry for the rant. It was spontaneous and honest
Cheers,
Julius