Re: SE38 Authorization

venkateswaran_k · ‎2022 Sep 12

Dear All

Kindly help me on this doubt

We are planning to remove SE38 access to all the users in production.

However, many of our Programs using SUBMIT statments inside the custom z-programs.

Hence, removing SE38 access - do they have impact on these SUBMIT statements being executed or interrupted.

Kindly help

regards,Venkat

FredericGirod · ‎2022 Sep 12

There is no link between SE38 transaction and SUBMIT statement.

SE38 must be removed from production system (and SE37, SE24, SE80, ....)

jmodaal · ‎2022 Sep 12

Hello,

I don't fully agree to your last statement. For end users: yes. But I think for the IT support the access to these transactions IMHO should be given, otherwise you make their work more difficult. If you want to avoid people executing any program, you can do this by removing S_DEVELOP with Activity 16.

Kind regards,

Jan

FredericGirod · ‎2022 Sep 12

jmodaal you have to chose between security and confort.

A production system should not be used by IT, there is no good reason to run SE38 transaction.

There is the solution of the Firefighter (in GRC) to give quickly a temporary role with a lot of authorization. You could recreate it with specific development in your system.

matt · ‎2022 Sep 12

Sometimes it's a choice between security and having a functioning system. But yes - FF and other (better) solutions are available for these scenarios.

And then they took FF access away from IT in production...

jmodaal · ‎2022 Sep 12

Hello frdric.girod,

I see your point, however, I think it is a little bit theoretical and does not fit for everyone. Not every customer uses FireFighter.

I know of big SAP customers having the IT support staff on their productive systems with dedicated, restricted roles. FireFighter is also in use, but for emergency situations only. But of course the scenario you mentioned is also present.

With S_DEVELOP / Activity 03 (Display) only I do not see any reason why SE38 and similars are to be banned.

Kind regards

Jan

Colleen · ‎2022 Sep 12

program execution access if not via transaction code should be SA38 with S_PROGNAM/S_PROGRAM which then has the SUBMIT, BTCSUBMIT, etc. Transaction SE38 for code uses the S_DEVELOP

I find the backdoor - admins take away SE38 but leave SA38 with S_PROGRAM wide open 🙂

Sandra_Rossi · ‎2022 Sep 12

To be precise about what you say "removing SE38 access", I guess you mean "removing authorization with object = S_TCODE and TCD = SE38".

SUBMIT does not check this authorization as you can see in the ABAP doc, and you can check by doing an authorization trace. ABAP doc SUBMIT: "When the statement SUBMIT is executed, an authorization check for the authorization group specified in the program attributes is performed using the authorization object S_PROGRAM. The program attribute Start Using Variant is ignored in SUBMIT." (you can deduce that there is no other authorization check)

RaymondGiuseppi · ‎2022 Sep 12

The submit statement

Doesn't require to be allowed to SE38 or SA38 (S_TCODE)
The only authorization check performed checks the authorization group specified in the program attributes, it is performed using the authorization object S_PROGRAM. There is no check if the program isn't assigned to an authorization group.

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My Account

My Account

SE38 Authorization