S_DEVELOP - debug display authorization

Former Member

Hi,

An old one, but I still have not seen a good answer to this one, so I will try again.

Can anyone please elaborate on the risk of having s_develop - debug 03 in production (or any other system for that matter)?

And please only provide concrete examples and not assumptions. Would be good to somewhat put this one to rest :).

br,

/joachim

4 REPLIES

jurjen_heeck
Active Contributor

Hi Joachim,

In systems with sensitive data this may allow for viewing raw data in the debugger, beyond the reach of the users' normal authorizations.

Data may be collected from the database by a program and checked for authorizations on a line-to-line basis before presenting it to the end user. S_DEVELOP with DEBUG and ACTVT 03 will allow you to monitor the raw data before the authorization check takes place.

Unfortunately I do not have a concrete example for you.

Jurjen

Hi Jurjen,

Very good point indeed.

/joachim

Colleen
Product and Topic Expert

Hi Joachim

This won't give you the explicit examples that you are after, but it might help you consider the risks, which seem to be system performance (resource availability), access to sensitive data in debug mode prior to the authority check, and potential data inconsistencies/rollback (see Julius' example).

https://archive.sap.com/discussions/thread/1342811

Unfortunately, I cannot tell you off the top of my head an example where each of those occur. I do recall debugging line by line through investment management and getting access to that data and project system information prior to the authority check (data was selected from the table prior to the check).

Regards

Colleen

sjeevan
Active Contributor

As someone who wrote numerous ABAP custom programs, I have the same thoughts as Jurjen Heeck. In most cases the raw data is pulled from the database using a select statement first, and then the authorization is checked, and based on the result from the authority-check, the result is displayed.
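
The select-then-check pattern described in the replies above, next to a check-then-select variant, as an added example that is not part of the original thread or any poster's code. It assumes the SAP flight demo model (tables SFLIGHT and SCARR, authorization object S_CARRID); the report and form names are hypothetical.

```abap
REPORT z_debug_exposure_demo.

START-OF-SELECTION.
  PERFORM check_then_read.

" Pattern from the thread: read everything, filter afterwards. A user with
" S_DEVELOP / DEBUG / ACTVT 03 who stops after the SELECT sees all of lt_all.
FORM read_then_check.
  DATA lt_all TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
  SELECT * FROM sflight INTO TABLE @lt_all.
  LOOP AT lt_all INTO DATA(ls_flight).
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD ls_flight-carrid
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc = 0.
      WRITE: / ls_flight-carrid, ls_flight-connid, ls_flight-fldate.
    ENDIF.
  ENDLOOP.
ENDFORM.

" Check first, then read only authorized rows, so no unauthorized row is
" ever held in program memory. Assumption: carrier IDs are not sensitive.
FORM check_then_read.
  DATA lt_allowed TYPE RANGE OF sflight-carrid.
  SELECT carrid FROM scarr INTO TABLE @DATA(lt_carriers).
  LOOP AT lt_carriers INTO DATA(ls_carrier).
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD ls_carrier-carrid
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc = 0.
      APPEND VALUE #( sign = 'I' option = 'EQ' low = ls_carrier-carrid ) TO lt_allowed.
    ENDIF.
  ENDLOOP.
  IF lt_allowed IS INITIAL. " an empty range in WHERE ... IN selects every row
    MESSAGE 'No authorization for any carrier' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  SELECT carrid, connid, fldate FROM sflight
    WHERE carrid IN @lt_allowed
    INTO TABLE @DATA(lt_flights).
  LOOP AT lt_flights INTO DATA(ls_flight).
    WRITE: / ls_flight-carrid, ls_flight-connid, ls_flight-fldate.
  ENDLOOP.
ENDFORM.
```

When reviewing custom code for this exposure, the thing to look for is any SELECT whose result table is filled before the corresponding AUTHORITY-CHECK runs.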