
Restricting Debug and Replace in certain function modules

Former Member

I'm trying to determine if there is a way to alter our Developer role to still allow for Debug and Replace in most of our code but to only allow display within one particular function group. Has anyone ever done this or know how it can be done?

I know you need to assign the DEBUG object type but it appears that the objname field isn't being checked. Is this true? Is there some other way to do it?

Thanks!

Dave


Former Member

Not sure (I am not very good at debugging).

It might be that by the point where you want to check the object name (the developer wants to change something) it is too late because the developer is already in the function.

Does the developer have activity 01 for debug?

It might be possible to permit them the debugging, but prevent them from stepping into a function module (based on the object_name of the function pool it belongs to).

Of course, if the function module does not make checks and the likes, or the checks can be remotely turned off by the calling program... then giving them debug with replace for the calling program will not solve your problem either.

> ...allow for Debug and Replace in most of our code but to only allow display within one particular function group.

So what does that function do which should not be changed (on the inside)?

Cheers,

Julius


From what I can tell in documentation and testing, it appears that when you go into debug mode a check is made against S_DEVELOP to verify that the objtype field has DEBUG. Following that, the only other field that is checked is the activity field. Developers need activity 2 to allow them to alter the memory values of variables as they test their own code.

Where we're running into trouble is that there is some SAP code where we'd like to not allow them to alter the return value of auth checks. For development purposes you can restrict access to particular packages and/or function groups. It appears however that these fields on the auth object are not used when in debug.

I'm still hoping that someone has run across a fix for this as it seems like a pretty major hole security-wise.

Thanks!
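
A role-review check for the behaviour described in the post above, added here as an example and not part of the original thread. It assumes the thread's observation that debugging evaluates only the OBJTYPE and ACTVT fields of S_DEVELOP; the row layout, role names, authorization ids and the function group ZFG_SENSITIVE are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (role, object, authorization id, field, low, high).
# Column layout, role names, ids and object names are assumptions for this example.
ROWS = [
    ("Z_DEVELOPER", "S_DEVELOP", "A1", "OBJTYPE", "DEBUG", ""),
    ("Z_DEVELOPER", "S_DEVELOP", "A1", "ACTVT", "01", "03"),   # range 01-03
    ("Z_DEVELOPER", "S_DEVELOP", "A1", "OBJNAME", "Z*", ""),
    ("Z_DEVELOPER", "S_DEVELOP", "A2", "OBJTYPE", "FUGR", ""),
    ("Z_DEVELOPER", "S_DEVELOP", "A2", "ACTVT", "03", ""),
    ("Z_DEVELOPER", "S_DEVELOP", "A2", "OBJNAME", "ZFG_SENSITIVE", ""),
    ("Z_SUPPORT", "S_DEVELOP", "A1", "OBJTYPE", "DEBUG", ""),
    ("Z_SUPPORT", "S_DEVELOP", "A1", "ACTVT", "03", ""),       # display only
    ("Z_BASIS", "S_DEVELOP", "A1", "OBJTYPE", "*", ""),
    ("Z_BASIS", "S_DEVELOP", "A1", "ACTVT", "*", ""),
    ("Z_BASIS", "S_DEVELOP", "A1", "OBJNAME", "*", ""),
    ("Z_BASIS", "S_TCODE", "A1", "TCD", "SE37", ""),           # other object, ignored
]


def covers(low, high, wanted):
    """True if one value entry (single value, trailing-* pattern or range) covers `wanted`."""
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def debug_replace_grants(rows):
    """Return (role, authorization id, OBJNAME values) for every S_DEVELOP
    authorization that covers OBJTYPE=DEBUG together with ACTVT=02."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        if obj == "S_DEVELOP":
            auths[(role, auth)][field].append((low, high))
    findings = []
    for (role, auth), fields in sorted(auths.items()):
        debug = any(covers(lo, hi, "DEBUG") for lo, hi in fields["OBJTYPE"])
        replace = any(covers(lo, hi, "02") for lo, hi in fields["ACTVT"])
        if debug and replace:
            # OBJNAME is reported for context only: per the thread it does not
            # narrow what can be debugged, so a value like "Z*" is no safeguard.
            findings.append((role, auth, [lo for lo, _ in fields["OBJNAME"]]))
    return findings


if __name__ == "__main__":
    for role, auth, names in debug_replace_grants(ROWS):
        print(f"{role}/{auth}: debug with replace; OBJNAME {names} not enforced in debug")
```
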


Wolfgang_Janzen
Product and Topic Expert

> I'm trying to determine if there is a way to alter our Developer role to still allow for Debug and Replace in most of our code but to only allow display within one particular function group. Has anyone ever done this or know how it can be done?

I'm sorry, but this is not possible.

Maybe it makes sense to post your inquiry also to the ABAP Forum.


> Maybe it makes sense to post your inquiry also to the ABAP Forum.

@ Dave: Please post a link here (in this SDN Security forum thread) to the link which you open in the ABAP General forum.

/hs,

Julius