08-25-2012 11:37 PM
I have users who have tcodes SE37, SE38 and SE80 in BW Production. Whats the risk of having these tcodes if they dont have developers key?
Thanks,
Chox
08-26-2012 12:02 AM
Hi Chox,
These transactions mustn't be grant to anyone in production systems. Despite they cannot change the code, they can directly execute it, and that's the most important risk.
If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. The can create users or assign SAP_ALL to themselves without trace .Here an example: http://scn.sap.com/message/1974116#1974116
In production environments the should use the corresponding transactions!.
Re: Sensitive Transactions List for Production System
Cheers!
Diego.
08-26-2012 12:02 AM
Hi Chox,
These transactions mustn't be grant to anyone in production systems. Despite they cannot change the code, they can directly execute it, and that's the most important risk.
If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. The can create users or assign SAP_ALL to themselves without trace .Here an example: http://scn.sap.com/message/1974116#1974116
In production environments the should use the corresponding transactions!.
Re: Sensitive Transactions List for Production System
Cheers!
Diego.
08-27-2012 8:00 AM
Dear Diego,
"If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. The can create users or assign SAP_ALL to themselves without trace"
How user having t-codes->se37,se38,se80 can create user ID in sap environment.
We must require SU01 to create SAP ID
08-27-2012 2:42 PM
Sumit Jain wrote:
Dear Diego,
"If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. The can create users or assign SAP_ALL to themselves without trace"
How user having t-codes->se37,se38,se80 can create user ID in sap environment.
We must require SU01 to create SAP ID
What do you think sits behind SU01? Have you looked at OY27/28 etc?
Transactions are but one gateway to accessing functionality. If you have the ability to access that functionality through other means then you can perform those activities (subject to suitable authorisation)
08-28-2012 1:57 AM
Hi Diego,
Thanks for the answer. One of the users states that they need SE37 to validate code moves. Do you have know what alternative tcode they can use to achieve the same?
- Chox
08-28-2012 2:28 AM
Hi Chox,
There's no need to validate code moves via SE37. You can just send her/him the transport request log.
Cheers,
Diego.