Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

prevent changes to package and contents

Former Member
0 Kudos

I have been asked to investigate locking down packages and their contents. We have our framework code and wish for devs not to be able to alter it. We have looked into the editor locks and transport locks but they do not provide the level of security that we desire. Both allow to be unlocked, taken over or deleted.
What I am doing now, as a dev, is to enhance SAP standard code to do an authorisation check by creating tables with the object names and a category/role required to make changes and another table with user IDs and category/role doing a cross check (as I am a beginner ABAP developer I do not fully understand SAP Authorisation checks and if they can be used in this manner). Surely this has been handled by many companies all over the world and we just need a bit of information.

I am open to all suggestions, process, coding, whatever.

If you have suggestions on where to enhance SAP standard code I would appreciate that also. I am at the moment looking to lock down classes and database tables, I have enhanced SEO_CLIF_ACCESS_PERMISSION which blocks modify, delete and insert to classes (possibly interfaces but I haven't tested) from both SE24 and SE80.
I was hoping there would be a common location for all types and requests but I haven't been able to find one. I also have just started enhancing DDIF_TABL_GET for database tables as this is a common point for SE11 and SE80.

Let me know please.

Regards,

Peter.

5 REPLIES 5

matt
Active Contributor
0 Kudos

Seems odd to be giving such a complex task involving modification of SAP standard to a newbie. But whatever.

There is no 100% foolproof way to prevent changes to objects in specific packages. If you have developer access, you can always hack if you want to. (In debug you can skip any security if you have debug change - and you really do need that if you're a developer), so you're relying on people following the rules, and warning them when they've made a mistake.

I would put some code into the CTS_REQUEST_CHECK  BADI, so that when a transport is released, the package of the objects in the transport is checked. If they're in your protected package, then you can issue an error message, and the transport cannot be released. Implement this after you've transported your framework objects to the test system. After that if someone deletes an object, say, when they come to transport, they'll be blocked and the object can be recovered from version management.


You should also put all the framework objects into a single local Transport of Copies, release it, and even keep a copy of the associated files somewhere safe. Then if someone pathologically sabotages your framework, you can recover it very quickly, by re-importing the ToC.


The only other alternative is to have all your protected code in its own /NAMESPACE/  and develop on a separate instance. When the packages are in your main development system, they can only be modified with a key (like standard SAP objects)..

Sandra_Rossi
Active Contributor
0 Kudos

For a "common location", maybe the time of transport request popup is the best one (cf function module TR_EDIT_CHECK_OBJECTS_KEYS ).

Former Member
0 Kudos

Thank you for your comments. Turns out that someone else had been working on the solution and has done so with Basis Authorisation Checks.

0 Kudos

So maybe you could share the solution and close the discussion then?

Thank you.

0 Kudos

Unfortunately I don't know what the solution is exactly. It is a role authorization.