Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Recommendation to "not open production client"

Former Member
0 Kudos

Ok guys, I know this should be something that we don't even need to talk about it, but I have this situation and I need your help to find documents, blogs, articles or best practices to present from the SAP point of view "why it's not recommended to open production client".

I'm the CTO in this company and I'm kind of new here and it seems my collegue (the Development and Project Manager) has as usual practice to request to open the production client (R/3) to do changes directly there...because some cheap and not technical reasons: because that object already is different in the three ambients, because his developers are alreading working on these objects and a sudden emergency needs to make just a simple change, etc.

Any link, best practice document, your experience, recommendation, etc., will help me.

Regards.

Alfredo Díaz P.

Chile.

7 REPLIES 7

Former Member
0 Kudos

Lets move this to the security forum for a start and then try ABAP General or NW Admin later...

To your question: There are special cases where you have to open the client for some changes. This is a security mechanism to protect the client against unwanted changes from users with powerfull authorizations and applications with powerfull functions (such as the transport tools).

So that you have a procedure for this is good and necessary. I would monitor the use of it (see transaction SCU3 --> table T000) so that it is not misused and then it should be acceptable to the system and the auditors as well.

Cheers,

Julius

Former Member
0 Kudos

Thats a interesting question. I always preached that we shouldnt have the client open at all times ( you would need it for specific needs as Julius mentioned in his post), but when i tried to think big and answer your question i should admit i was lost for a clear cut explanation. so i googled and found this link, have a look at it, it might give some valuable information

[http://www.erptips.com/Snippet1/yoijqvzasm.pdf]

0 Kudos

Hi ,

The document actually points to have client setting for production:

what is different from others have answered.

Setup a good process on doing all this activities, DEV to Qa to PRD

Edited by: Franklin Jayasim on Aug 4, 2010 7:06 PM

0 Kudos

I was not advocating having the client open "at all times" but rather opening selected clients temporarily for a short time to do some justifiable work, and then close it again without delay.

You should however not rely ONLY on the client settings either and take care of the authorizations. Debugging, ABAP insert statements, SQL injection, directory traversals, "tp" commands, "C"-calls, etc etc are all generally independent of the client settings.

They do however serve as a blunt reminder and will deter all "Monday's experts" from doing silly things..

A nice example of the exceptions are printers and changing the activation status of auth objects. Here it is intentional (and reasonable, also for security) that you open the client to activate the changes which have been transported.

There are always exceptions to rules (particularly in SAP) and you need some procedures to attend to them and monitor / report on them otherwise they become day-to-day "emergencies"...

Cheers,

Julius

0 Kudos

>

> Thats a interesting question. I always preached that we shouldnt have the client open at all times ( you would need it for specific needs as Julius mentioned in his post), but when i tried to think big and answer your question i should admit i was lost for a clear cut explanation. so i googled and found this link, have a look at it, it might give some valuable information

>

> [http://www.erptips.com/Snippet1/yoijqvzasm.pdf]

Frankiln / Julius,

i think you missed the finer print in the post, i mentioed that i preach that the client ShouldNT be open at all times..and if i understand correctly the document that opens with the link does'nt advocate having the client open or does it

0 Kudos

Shekar,

Your statement seemed to contradict what julius had posted, if you meant to say that the production client should not be opened

we are on the same page. No issues.

Cheers

Franklin Jayasim

martin_voros
Active Contributor
0 Kudos

Hi,

as it was mentioned for some scenarios it's justifiable. I have another point of view why to minimize this practice. Your QA system should be same as production otherwise how you can be sure that a tested change QA won't break anything in production (obviously, there is a small subset of settings which are different in each client/system). When you allow developers to change things directly in production then they should reproduce same changes to all system but you know developers, usually they forget or there is not enough time and so on. Using TMS minimizes this risk.

If they want to push a quick change and that object is already in open transport then they can exclude this object from that transport, use version management system to get current version in production, apply a quick fix, release it, get back the previous development version and put it back to open transport. It's possible but you can see why they don't like it.

Cheers