Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Deleting records from DEVACCESS Table

Former Member
0 Kudos

Hi,

We are currently writing a Z-Program to delete records from DEVACCESS Table. Can someone let me know if it is okay to proceed with this activity. Does this go out of Standard SAP Practice. Has anyone taken similar action to prevent the usage of Developer key of Termianted users.

Your views will be appreciated.

Regards,

Britney

9 REPLIES 9

Former Member
0 Kudos

Hi

First of all , why to use the same ID which was used previously someone else. I

DEVACCESS table entries are automatically maintained by SAP as and when

an ABAPPER is registered in the Development system.

An Developer who left the Organization has to be expired in his User

Master Record . This will also ensure that his User Master Record is not

chargeable for License as the User is expired.

0 Kudos

Hi Munish,

DEVACCESS is not really maintained by SAP. It stores dev key for a user from service.sap.com but you can unregister user there. SAP system does not check online if user is valid hence even unregistered user can still create/modify new development objects.

I guess that Britney wants to prevent users from misusing old users for their development. I don't see anything harmful about deleting records. You can always put them back. I've never done it though.

Cheers

0 Kudos

thanks for correction

manish_gupta34
Explorer
0 Kudos

Hi Britney,

Regarding the activity: delete records from DEVACCESS Table, go through the below link:

1. http://scn.sap.com/thread/450133

2. http://sap.ittoolbox.com/groups/technical-functional/sap-security/the-risk-of-devaccess-table-data-e...

Hope it will provide you more clarity.

Regards,

Manish

Former Member
0 Kudos

Thanks everyone for all the answers. They were helpfull.

0 Kudos

When you write your ABAP. Enter some logic for it to be run in the development system. Check table T000 for client status CCCATEGORY = C or hardcode check for the SID.

This will add an extra layer of your REAL developer keys getting wiped by accident.

It can happen. I know......

former_member202471
Participant
0 Kudos

Hi Britney,

The developer key is stored in the table DEVACCESS but the object key is also stored in the table ADIRACCESS (it is for Modified SAP Object). This is because when a customer has problems with an SAP object, we can look in local table ADIRACCESS to see whether the object has been modified.

So we advise that you should not manually delete the keys from the above DEVACCESS.

You can simply remove developer authorizations (like S_DEVELOP) profile to stop users from changing objects.

I hope it helps you.

Kind regards,

Felipe Fonseca.

0 Kudos

I recommend removing the developer keys anyway from DEVACESS. Reason is that it forces a misuser to make more noise in the system log if they want to get around the check.

Als, SAP recently made the Developer Key check stricter, so all sorts of folks (even security admins who create transaction or add queries / reports to menus) need a developer key now.

As only the user ID name and the installation number is an attribute of the key, it is best to remove them from all systems with the same installation number to reduce the surphase of misusing it.

However, where I do agree with you is that generating the developer key without registering it on SMP is public knowledge domain anyway (there is even an SCN blog on how to create one) and if someone has developer type authorizations and does not know how to dodge the developer key check then they will anyway be confused enough by SCC4 / SE06 settings that they cannot do much harm.

Personally I still prefer deleting them when the UID leaves the system. Makes hijacking an old ID less tempting for some of the noobs IMO.

Cheers,

Julius

0 Kudos

Julius von dem Bussche wrote:

SAP recently made the Developer Key check stricter, so all sorts of folks (even security admins who create transaction or add queries / reports to menus) need a developer key now.

That scares me slightly. Does this mean that they need a full developer-license as well? The license measurement reports people with developer keys and the number of changes they have made. Developer licenses are quite expensive.