What's the risk of having SE37, SE38, SE80 in Production?

Former Member
0 Kudos

I have users who have tcodes SE37, SE38 and SE80 in BW Production. What's the risk of having these tcodes if they don't have a developer's key?

Thanks,

Chox

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Chox,

These transactions mustn't be granted to anyone in production systems. Although they cannot change the code, they can directly execute it, and that's the most important risk.

If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. They can create users or assign SAP_ALL to themselves without a trace. Here is an example: http://scn.sap.com/message/1974116#1974116

In production environments they should use the corresponding transactions!

Re: Sensitive Transactions List for Production System

Cheers!

Diego.

5 REPLIES 5

0 Kudos

Dear Diego,

"If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. They can create users or assign SAP_ALL to themselves without trace"

How can a user having t-codes SE37, SE38, SE80 create a user ID in the SAP environment?

We must require SU01 to create an SAP ID.

0 Kudos

Sumit Jain wrote:

Dear Diego,

"If they also have authorization S_DEVELOP ACTVT 02 they can also execute programs or function modules and they can "skip" the authority checks. They can create users or assign SAP_ALL to themselves without trace"

How can a user having t-codes SE37, SE38, SE80 create a user ID in the SAP environment?

We must require SU01 to create an SAP ID.

What do you think sits behind SU01? Have you looked at OY27/28 etc?

Transactions are but one gateway to accessing functionality. If you have the ability to access that functionality through other means then you can perform those activities (subject to suitable authorisation).

0 Kudos

Hi Diego,

Thanks for the answer. One of the users states that they need SE37 to validate code moves. Do you know what alternative tcode they can use to achieve the same?

- Chox

0 Kudos

Hi Chox,

There's no need to validate code moves via SE37. You can just send her/him the transport request log.

Cheers,

Diego.
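An audit check for the combination discussed in this thread, added here as an example and not posted by any participant: it scans an export of user authorization values and flags anyone whose S_TCODE values cover SE37, SE38 or SE80, raising the severity when S_DEVELOP ACTVT 02 is also present. The CSV layout, the sample rows and the "high"/"critical" labels are assumptions of this example; a real export has to be mapped to these columns.

```python
import csv
import io
from collections import defaultdict

RISKY_TCODES = ("SE37", "SE38", "SE80")

# Constructed sample rows (not from a real system): one row per authorization value.
SAMPLE = """user,object,field,low,high
ALICE,S_TCODE,TCD,SE37,
ALICE,S_DEVELOP,ACTVT,03,
BOB,S_TCODE,TCD,SE00,SE99
BOB,S_DEVELOP,ACTVT,02,
CAROL,S_TCODE,TCD,SM*,
CAROL,S_DEVELOP,ACTVT,*,
DAVE,S_TCODE,TCD,S*,
DAVE,S_DEVELOP,ACTVT,01,03
"""

def covers(low, high, value):
    """True if an authorization value (single, trailing-* pattern, or range) includes value."""
    if high:                      # LOW..HIGH range, compared character-wise
        return low <= value <= high
    if low.endswith("*"):         # "SE*" style pattern, or "*" for everything
        return value.startswith(low[:-1])
    return low == value

def audit(csv_text):
    """Return {user: finding} for users who can start any of RISKY_TCODES."""
    tcodes = defaultdict(set)
    change = set()                # users holding S_DEVELOP with ACTVT 02
    for row in csv.DictReader(io.StringIO(csv_text)):
        low, high = row["low"].strip(), row["high"].strip()
        if row["object"] == "S_TCODE" and row["field"] == "TCD":
            tcodes[row["user"]].update(t for t in RISKY_TCODES if covers(low, high, t))
        elif row["object"] == "S_DEVELOP" and row["field"] == "ACTVT":
            if covers(low, high, "02"):
                change.add(row["user"])
    findings = {}
    for user, hits in tcodes.items():
        if hits:                  # wildcard and range grants count, not only literal values
            findings[user] = {"tcodes": sorted(hits),
                              "develop_change": user in change,
                              "severity": "critical" if user in change else "high"}
    return findings

if __name__ == "__main__":
    for user, f in sorted(audit(SAMPLE).items()):
        print(user, f["severity"], ",".join(f["tcodes"]), "S_DEVELOP ACTVT 02:", f["develop_change"])
```

The range and wildcard rows are the point: BOB and DAVE never have SE37, SE38 or SE80 listed literally, yet both are flagged.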