
Transaction SWO1 in production

Former Member
0 Kudos

Hi,

We have a developer requesting transaction SWO1 in production. The only roles with this transaction with users currently assigned are BASIS roles. We use custom roles only, no SAP roles. Our concern is the change/create functionality of this transaction that we don't think our auditors would approve of. I'd appreciate some feedback regarding allowing users this transaction in production. Also, is there any way to turn off the change and create functionality of this transaction? I searched the SDN security before posting my questions.

Thanks,

John

5 REPLIES

Former Member
0 Kudos

Hello John,

In ECC 6.0 the authorization object s_develop is checked with transaction SWO1. So you can limit the action of s_develop to 03, which is display. Try this out, but check that the users have the object s_develop nowhere else in any authorization role.

Regards

Christian

Former Member
0 Kudos

Hi Christian,

Thanks for your suggestions. I think that the problem is we don't have any custom roles that contain transaction SWO1 that my manager would agree to assign a developer to. The roles are all for BASIS people. So I can't use PFCG to make the changes you suggest because I don't have a role to start with. Or am I wrong in my thinking?

John

0 Kudos

Hello John,

You could create a new role for the developers in your production system which only contains transaction SWO1 with object s_develop and the corresponding restrictions. You can easily show your manager that this works by making a temporary test user which was copied from a developer.

Regards

Christian

mvoros
Active Contributor
0 Kudos

Hi,

I am not sure if this is a great idea. The problem is that you can test business objects in SWO1. So a malicious user can try to misuse it by executing an object and manually entering the key for that object. The methods of that business object might not have a proper authorization check for all operations.

Cheers

Former Member
0 Kudos

Note that display s_develop is sufficient to execute the test environment of methods.
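
The check Christian describes (that a user given SWO1 holds s_develop with nothing beyond activity 03 in any other role) can be run over a role export. This is an added example, not code from any poster in the thread; it assumes simplified, constructed rows in the shape of tables AGR_USERS and AGR_1251, and all role and user names are invented.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample data (assumption): (user, role) pairs as in AGR_USERS
AGR_USERS = [
    ("DEV_JSMITH", "Z_PRD_SWO1_DISPLAY"),
    ("DEV_AKHAN", "Z_PRD_SWO1_DISPLAY"),
    ("DEV_AKHAN", "Z_PRD_LEGACY_SUPPORT"),
    ("BASIS_01", "Z_BASIS_ADMIN"),
]
# Constructed sample data (assumption): (role, object, auth, field, low, high) as in AGR_1251
AGR_1251 = [
    ("Z_PRD_SWO1_DISPLAY", "S_TCODE", "T1", "TCD", "SWO1", ""),
    ("Z_PRD_SWO1_DISPLAY", "S_DEVELOP", "T2", "ACTVT", "03", ""),
    ("Z_PRD_LEGACY_SUPPORT", "S_DEVELOP", "T3", "ACTVT", "01", "02"),
    ("Z_BASIS_ADMIN", "S_TCODE", "T4", "TCD", "S*", ""),
    ("Z_BASIS_ADMIN", "S_DEVELOP", "T5", "ACTVT", "*", ""),
]

def grants_tcode(low, high, tcode):
    """True if an S_TCODE value (single, pattern or range) covers tcode."""
    if high:
        return low <= tcode <= high
    return fnmatchcase(tcode, low)

def audit_swo1(agr_users, agr_1251, tcode="SWO1"):
    """Map each user holding tcode to the roles that give S_DEVELOP beyond display."""
    tcode_roles, beyond_display = set(), set()
    for role, obj, _auth, field, low, high in agr_1251:
        if obj == "S_TCODE" and field == "TCD" and grants_tcode(low, high, tcode):
            tcode_roles.add(role)
        elif obj == "S_DEVELOP" and field == "ACTVT":
            # Anything other than exactly "03" (wildcard, range, 01, 02) is flagged
            if not (low == "03" and high in ("", "03")):
                beyond_display.add(role)
    roles_of = defaultdict(set)
    for user, role in agr_users:
        roles_of[user].add(role)
    return {
        user: sorted(roles & beyond_display)
        for user, roles in roles_of.items()
        if roles & tcode_roles and roles & beyond_display
    }

if __name__ == "__main__":
    for user, roles in sorted(audit_swo1(AGR_USERS, AGR_1251).items()):
        print(f"{user}: SWO1 plus S_DEVELOP beyond display via {', '.join(roles)}")
```

A user who passes this check is still covered by the last reply's point: display-only s_develop is enough to reach the method test environment, so the result addresses only the create/change concern.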