09-04-2012 3:07 AM
Hi,
We are currently writing a Z-Program to delete records from DEVACCESS Table. Can someone let me know if it is okay to proceed with this activity. Does this go out of Standard SAP Practice. Has anyone taken similar action to prevent the usage of Developer key of Termianted users.
Your views will be appreciated.
Regards,
Britney
09-04-2012 10:31 AM
Hi
First of all , why to use the same ID which was used previously someone else. I
DEVACCESS table entries are automatically maintained by SAP as and when
an ABAPPER is registered in the Development system.
An Developer who left the Organization has to be expired in his User
Master Record . This will also ensure that his User Master Record is not
chargeable for License as the User is expired.
09-05-2012 12:29 AM
Hi Munish,
DEVACCESS is not really maintained by SAP. It stores dev key for a user from service.sap.com but you can unregister user there. SAP system does not check online if user is valid hence even unregistered user can still create/modify new development objects.
I guess that Britney wants to prevent users from misusing old users for their development. I don't see anything harmful about deleting records. You can always put them back. I've never done it though.
Cheers
09-05-2012 10:18 AM
09-05-2012 6:04 PM
Hi Britney,
Regarding the activity: delete records from DEVACCESS Table, go through the below link:
1. http://scn.sap.com/thread/450133
Hope it will provide you more clarity.
Regards,
Manish
09-10-2012 12:51 AM
09-18-2012 7:41 AM
When you write your ABAP. Enter some logic for it to be run in the development system. Check table T000 for client status CCCATEGORY = C or hardcode check for the SID.
This will add an extra layer of your REAL developer keys getting wiped by accident.
It can happen. I know......
09-26-2012 1:25 PM
Hi Britney,
The developer key is stored in the table DEVACCESS but the object key is also stored in the table ADIRACCESS (it is for Modified SAP Object). This is because when a customer has problems with an SAP object, we can look in local table ADIRACCESS to see whether the object has been modified.
So we advise that you should not manually delete the keys from the above DEVACCESS.
You can simply remove developer authorizations (like S_DEVELOP) profile to stop users from changing objects.
I hope it helps you.
Kind regards,
Felipe Fonseca.
09-26-2012 7:25 PM
I recommend removing the developer keys anyway from DEVACESS. Reason is that it forces a misuser to make more noise in the system log if they want to get around the check.
Als, SAP recently made the Developer Key check stricter, so all sorts of folks (even security admins who create transaction or add queries / reports to menus) need a developer key now.
As only the user ID name and the installation number is an attribute of the key, it is best to remove them from all systems with the same installation number to reduce the surphase of misusing it.
However, where I do agree with you is that generating the developer key without registering it on SMP is public knowledge domain anyway (there is even an SCN blog on how to create one) and if someone has developer type authorizations and does not know how to dodge the developer key check then they will anyway be confused enough by SCC4 / SE06 settings that they cannot do much harm.
Personally I still prefer deleting them when the UID leaves the system. Makes hijacking an old ID less tempting for some of the noobs IMO.
Cheers,
Julius
09-27-2012 8:06 AM
Julius von dem Bussche wrote:
SAP recently made the Developer Key check stricter, so all sorts of folks (even security admins who create transaction or add queries / reports to menus) need a developer key now.
That scares me slightly. Does this mean that they need a full developer-license as well? The license measurement reports people with developer keys and the number of changes they have made. Developer licenses are quite expensive.