08-20-2008 10:33 AM
Dear gurus,
Many RFC authorization issues will occur as ABAP dumps (ST22). I am a security consultant, and every day the Basis team is sending me emails for RFC authorization dumps (ST22 screenshot).
I checked for ST22; the required auth. object is S_DEVELOP with activity = display.
Do you guys recommend that a security consultant should have access to ST22 (display access) in the production server?
Kindly advise.
08-20-2008 10:38 AM
Hello Imran,
As far as access to the ST22 TCode is concerned, a Basis guy should have access to the ST22 TCode. As I am a Basis person, I have access to this TCode. As you are a Security person, access to the ST22 TCode is not your cup of tea.
Hope it helps.
Cheers,
Satish.
08-20-2008 10:50 AM
Thanks Satish for your inputs.
But the problem is Basis people are sending any RFC authorization errors daily in the morning during their health check. So I will not be getting up-to-date errors to resolve before the end user comes to me.
If the authorization team should have ST22 access, I don't see any harm in giving display access...
Still looking for expert advice like yours.
08-20-2008 10:51 AM
> As far as access to ST22 TCode concern, a Basis guy should have the access to ST22 TCode. As I am a Basis person, I have the access to this TCode. As you are a Security person, access to ST22 TCode is not your cup of tea.
Sorry to disagree with you.
ST22 checks S_DEVELOP actvt '03' (display) without any values for the other fields - how could it when it does not yet know which program dumped?
It is checked because once inside the dump, there is a possibility to step into the source code in debug mode which will then check further fields of S_DEVELOP (e.g. object type = DEBUG, etc). You don't have to have that authority nor give it to the security admin.
If an RFC call fails and is recorded in the dump analysis, it can be security relevant and the security admin should be able to look into the context of the call - and not just add it to a role because "basis" says it's dumping...
On the other hand, perhaps you can google "ST22 basis sap_all only" and give us some random links?
Cheers,
Julius
08-20-2008 10:58 AM
A security consultant need not have access to ST22 in Production. If a user would want to send you an authorization error that would be through SU53. In case you would like to have access to ST22 this is to be restricted and therefore should be through a Firefighter or Swat ID (which is monitored).
I would think that S_DEVELOP is okay in production with activity 03 (depending on a case by case basis)
ravi
08-20-2008 11:03 AM
> A security consultant need not have access to ST22 in Production. If a user would want to send you a authorization error that would be through SU53.
How is a remote RFC user in the background processing going to take a screenshot of SU53 and email it to you?
> In case you would like to have access to ST22 this is to be restricted and therefore should be through a Firefighter or Swat ID (which is monitored). I would think that S_DEVELOP is okay in production with activity 03 (depending on a case by case basis).
I have S_DEVELOP display access in some production systems as well, but only with specific object types. It does not include DEBUG even in display mode. So I can start ST22 and read the dump, but not debug the source of the dump...
Anyway, most users can typically get much of this information from table SNAP anyway...
Cheers,
Julius
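The two S_DEVELOP checks Julius describes (entry into ST22 with ACTVT 03 and no other field values, then a second check with OBJTYPE DEBUG when stepping into the dumped source) can be reproduced so that a security admin can verify that a role grants display-only dump access but not debugging. The report below is an added example, not code from the original thread or from SAP; the report name Z_CHECK_ST22_ACCESS is hypothetical, and it assumes ST22 performs the checks exactly as the posts describe them rather than verifying ST22's own coding.

```abap
*&---------------------------------------------------------------------*
*& Report Z_CHECK_ST22_ACCESS (hypothetical name, added example)
*& Reproduces the two S_DEVELOP checks described in the thread:
*&   1. entry into ST22: ACTVT 03 only, all other fields unspecified
*&   2. stepping into the dumped source in the debugger: OBJTYPE DEBUG
*& Run it as the user whose role you want to verify.
*&---------------------------------------------------------------------*
REPORT z_check_st22_access.

DATA: lv_can_read_dump TYPE abap_bool,
      lv_can_debug     TYPE abap_bool.

* Check 1: the check ST22 performs before it knows which program dumped.
* DUMMY means the field is not evaluated at all, so any S_DEVELOP
* authorization with ACTVT 03 passes, whatever OBJTYPE it is limited to.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  DUMMY
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
lv_can_read_dump = boolc( sy-subrc = 0 ).

* Check 2: the additional check when trying to debug from inside the dump.
* This only passes if the role's OBJTYPE value range includes DEBUG.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  FIELD 'DEBUG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
lv_can_debug = boolc( sy-subrc = 0 ).

WRITE: / 'User:', sy-uname.
WRITE: / 'Can open ST22 and read dumps (S_DEVELOP ACTVT 03):', lv_can_read_dump.
WRITE: / 'Can debug from inside a dump (OBJTYPE DEBUG):     ', lv_can_debug.

IF lv_can_read_dump = abap_true AND lv_can_debug = abap_false.
  WRITE: / 'Result: display-only ST22 access, as recommended in the thread.'.
ELSEIF lv_can_debug = abap_true.
  WRITE: / 'Result: role also allows debugging - review the OBJTYPE values.'.
ELSE.
  WRITE: / 'Result: no ST22 access via S_DEVELOP.'.
ENDIF.
```

Running the report under the security admin's own user (for example after a role change in a non-production client) shows directly whether S_DEVELOP was restricted by OBJTYPE as Julius describes: the first check should pass and the second should fail for a display-only dump reader.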
08-20-2008 11:03 AM
Hello Imran,
Yes, as you said, there is no harm in having display authorization for a security person for ST22 TCode in Production.
Regards,
Satish.