Access of ABAPer to SE38 in Production Environment

Former Member

Our ABAPer is requesting that SE38 be granted on a permanent basis in the production environment, to allow him to view the source code in production and perform debugging on production on a regular basis. Kindly advise:

Is there any harm in granting such access to the ABAPer on production on a regular basis?

Would there be any impact on our production system from any activity performed by the ABAPer in production, provided that SCC4 is set to non-modifiable?

Answers (5)

ChrisSolomon
Active Contributor

"Our ABAPer is requesting to grant SE38 on permanent basis in Production Environment"...I would be keeping an eye on that "ABAPer" from here on. haha

Matt_Fraser
Active Contributor

To build upon Chris's answer, bear in mind that just because the client is marked "non-modifiable" in SCC4 does not mean that someone with developer authorizations and SE38 cannot still do harm. In fact, you mentioned the main reason to not grant this: debug. Using the debug feature, a knowledgeable person can bypass authorizations and substitute different values during runtime of a program. This would be a classic way to inject something malicious without leaving much of a trace. Not to mention, using debug does have a performance impact on production, in that it locks up the work process in privileged mode for the duration of the debug session.

Cheers,
Matt

ChrisSolomon
Active Contributor

NO! Never! (I can see security folks seething and gnashing teeth right now.) They should not have that access unless absolutely necessary. QA should match Production closely enough to be usable to resolve almost all issues. If not, then you typically give "firefighter" access to production. This would be VERY short access (a day or so, if that) and watched. This is rare to do unless there are mission-critical issues that cannot be hunted down in QA.

Matias_AV
Participant

I don't know the details because I'm not in security, but you can allow them to debug while not allowing them to change values while debugging. Also, you can give them access to, for example, transaction SE80 but not allow them to execute programs, so they can see the source code but cannot execute the reports/function modules/etc. directly. I know it can be done because I have seen it.

Hope that helps.
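The two points made above, Matt's (a debugger user can overwrite sy-subrc right after an authority check) and Matias's (debugging can be granted without the right to change values), shown in ABAP. This is an added example, not code from the thread or from SAP: the program name, message number and the S_TABU_DIS field values are illustrative, and the second part assumes the standard authorization object S_DEVELOP with OBJTYPE = DEBUG, where ACTVT 03 allows display debugging and ACTVT 02 allows changing variable contents ("debug with replace").

```abap
REPORT z_debug_risk_demo.
" Added example, not from the thread. Program name, message number and the
" S_TABU_DIS values below are illustrative.

" Part 1: which kind of debug right does the current user hold?
" Debugging is itself authorized through S_DEVELOP with OBJTYPE = DEBUG.
" ACTVT 03: step through code and display variables only.
" ACTVT 02: additionally change variable contents and skip statements.
" A "display-only" production debug role must grant 03 but never 02.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  FIELD 'DEBUG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  WRITE: / sy-uname, 'may debug (display only)'.
ELSE.
  WRITE: / sy-uname, 'may not debug at all'.
ENDIF.

AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  FIELD 'DEBUG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '02'.
IF sy-subrc = 0.
  WRITE: / sy-uname, 'may change values while debugging - avoid in production'.
ENDIF.

" Part 2: why ACTVT 02 is dangerous.
" Practically every authorization in ABAP is enforced in this shape: the
" kernel sets sy-subrc, and the program branches on it one statement later.
" A user with debug-with-replace sets a breakpoint on the IF, overwrites
" sy-subrc with 0 and continues into the protected branch without holding
" S_TABU_DIS. Nothing in the authorization trace records the bypass.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'SS'
  ID 'ACTVT'     FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e398(00) WITH 'No authorization to display this table group'.
ENDIF.

" Only reached if the check passed, or if sy-subrc was replaced in the debugger.
WRITE: / 'Protected logic reached'.
```

Running this under a user who is meant to have display-only debugging should print the first line but not the "may change values" line; if the second line appears, the role carries ACTVT 02 for OBJTYPE DEBUG and the sy-subrc pattern in Part 2 can be defeated at runtime.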


Hi Aeman,

It is not recommended to grant access to transaction SE38 or the "/h" debug option in a production environment. If an ABAP programmer wants to display the code, they should use a DEV, QAS or PRE-PROD environment to do that. Also, if your company runs audit processes, the auditors will probably check whether anyone has access to transactions like those in a production environment. As Matt wrote in his comment, with the debug option a programmer can find the "Authorization Check" in the ABAP code and bypass authorization restrictions in a production environment, so that is an additional reason to deny that access in PROD.

To resolve that request, I would recommend telling them to display the code or debug processes in a system that is not a production environment.

Regards,

Carlos