Raghu,

Creating new custom auth object in existing custom class,

Su21->click on create custom auth object(Z...)->enter description, values->click on documentation->then click on permitted values->pop up ->enter developer key.

I am trying in development system.

Why does it ask for developer key? Do we need to apply any SAP NOTES?

Thank you,

Sri

_

Hi Sri,

What is your current version & patch level. As per my understanding there are no issues that are identified with creating of auth objects. If you are at a recent patch level, raise a message to SAP.

Regards,

Raghu

Hello Raghu,

Support pakage L: 254 / Kernel : 700

ECC6.0

Thank you,

Sri

I assume that you already added fields to your object (SAP Standard ones with domains) and now you want to extend the value ranges of the domains.

That requires a developer key as it is developer work (domains do not only relate to authorizations but also the typing and search helps of fields for programmers) and once you have a developer key it will also require an object key if it is a SAP domain --> it is a modification.

Can you confirm which fields this custom object has and which you are trying to change?

Chances are good that the fields for the object have not been chosen with care (in the technical specifications).

Cheers,

Julius

Thanks Bernhard!

Particularly changing auth object definitions is best done by a developer who understands the programming side of the coin, but I cannot say the same for tcodes.

Tcodes do not check the developer key and I dont think they should either. Will this remain so?

Cheers,

Julius

Okay, so changing an SAP transaction in SE93 requests an object key (gud!) but creating a Z-tcode or adding a quiery to a role menu to generate a tcode only checks S_DEVELOP right?

I think this is correct as the authorization admin should have the ability to create transactions for applications and use them in roles annd SU24, without having to be a developer.

the spanish inquisition expected that quesiton

LOL!

The peasants and infidels down here would also like to know about changeability of the client (SCC4)? Can we keep that one?

Cheers,

Julius

Thanks for the infos Bernhard!

I guess we are going to have more granular S_DEVELOP authorizations then for the authorization admins down here as the "missing" developer key check was usefull to keep them out of SE38 / SE37 etc's harm even if they did have "blunt" authorizations.

Or, we will need to change our development processes and have the ABAPers even trained to build roles and maintaining SU24 for the applications they develop. Not all bad, but I think it will be a painfull adjustment for some "out here in the wild" where the developers only did the "programming" part and security then "protected" it via tcodes and gave access back to users via roles without having to manage or know about developer keys.

I will add this to the FAQ thread to give others a notice about the change.

Cheers,

Julius

>

> workaround 
> 

Lets explore this a bit further... I think a marketing person came up with this idea?

For me it will be a pain as I often create tcodes in cleanups (SA38 --> tcode battle) and use symbolic tcodes in SU24 - particularly for batch processing and role specific values which should not have a transaction context because the GRC folks persuaded SAP to maintain a load of nonsense in some cases so that their rules work...).

Okay, Se93 can be used to create a new tcode for a program which does not check FM AUTHORITY_CHECK_TCODE... but that is a lesser evil compared to auth admins becoming developers now.

From my observations "in the wild" this is not a good move and real developers will not be happy about it. Removing "debug" was enough for them to trigger the auth admin to have to contact them - auth admins can now change programs on their own (possibly).

Anyway... for sure it will be a big process change for customers out here, once they realize it or suffer the consequences.

Personally, I am still undecided, because neglecting S_DEVELOP is not really a solution for development systems either.

Very interesting topic...

Cheers,

Julius