It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?“. For almost a decade I (and, I am sure, all ABAPers) have been happily using the loopholes in SAP security to reach the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.
But today I am wondering: is it really a loophole, or has SAP provided these small windows to developers knowingly?
SAP Security Guys!! Hope you are reading this.
Check: I do not have access to t-code SE38 (ABAP Editor) in my Pre-Production system.
I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Builder) etc. in the same system.
I do have authorization for the basic t-code SE11 (ABAP Dictionary). You might have access to some other common t-code instead (you can use that). SE11 is my secret window to all the forbidden t-codes.
Check how?
I am in SE11. Click the Other Object icon (Shift + F5) and select the Enhanced Options radio button. Click the small square icon next to Program or Function Group, or click ‘More’ to get the other object areas.
For the demo I chose Program. Provide the name of the program you want to view, and here you are in the ABAP Editor. You can see the code.
Similarly you can view function modules, services, proxies, Web Dynpro components and so on.
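The reason this route works is worth spelling out, because it decides what the security team actually has to close. Entering a transaction from the command field or a menu is guarded by the authorization object S_TCODE, but the Workbench guards the object itself (program, function module, class, etc.) with S_DEVELOP, and that check runs whichever transaction you navigated from. If a role denies S_TCODE for SE38 but still carries S_DEVELOP with OBJTYPE PROG and ACTVT 03 (display), the SE11 “Other Object” window stays open. The report below is an added example, not code from this post; the report name ZCHK_DEV_PATH and the default values of the selection parameters are assumptions. It runs both checks for the logged-on user and says which of the two is really the gatekeeper.

```abap
*&---------------------------------------------------------------------*
*& Report ZCHK_DEV_PATH  (hypothetical name, added example)
*& Shows whether S_TCODE or S_DEVELOP is what limits a user's access
*& to a program's source, i.e. whether the SE11 -> Other Object route
*& is open even though the editor transaction itself is denied.
*&---------------------------------------------------------------------*
REPORT zchk_dev_path.

PARAMETERS: p_tcode TYPE sy-tcode  DEFAULT 'SE38',     " editor transaction to test
            p_prog  TYPE progname  DEFAULT 'SAPMV45A'. " any program in the object directory

DATA: lv_devclass TYPE devclass,
      lv_tcode_ok TYPE abap_bool VALUE abap_false,
      lv_dev_ok   TYPE abap_bool VALUE abap_false.

* 1. The only check a direct start of the transaction performs.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD p_tcode.
IF sy-subrc = 0.
  lv_tcode_ok = abap_true.
ENDIF.

* 2. The check the Workbench performs before it displays the source,
*    no matter which transaction the user came from. The package
*    (DEVCLASS) is read from the object directory TADIR.
SELECT SINGLE devclass FROM tadir
  INTO lv_devclass
  WHERE pgmid    = 'R3TR'
    AND object   = 'PROG'
    AND obj_name = p_prog.
IF sy-subrc <> 0.
  WRITE: / 'Program', p_prog, 'not found in TADIR.'.
  RETURN.
ENDIF.

AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_devclass
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD p_prog
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.        " 03 = display
IF sy-subrc = 0.
  lv_dev_ok = abap_true.
ENDIF.

* 3. Report the result and what it means for the SE11 route.
WRITE: / 'User:', sy-uname, 'Program:', p_prog, 'Package:', lv_devclass.
IF lv_tcode_ok = abap_true.
  WRITE: / 'S_TCODE', p_tcode, ': granted'.
ELSE.
  WRITE: / 'S_TCODE', p_tcode, ': denied'.
ENDIF.
IF lv_dev_ok = abap_true.
  WRITE: / 'S_DEVELOP PROG/03 on', p_prog, ': granted'.
ELSE.
  WRITE: / 'S_DEVELOP PROG/03 on', p_prog, ': denied'.
ENDIF.

IF lv_tcode_ok = abap_false AND lv_dev_ok = abap_true.
  WRITE: / 'Editor transaction is blocked but source display is not:',
         / 'the SE11 -> Other Object route will show this program.'.
ELSEIF lv_dev_ok = abap_false.
  WRITE: / 'Source display is blocked by S_DEVELOP; the SE11 route is closed',
         / 'regardless of S_TCODE.'.
ENDIF.
```

The practical consequence for the security team: removing SE38/SE80 from S_TCODE only removes the front door. To really deny source display in quality, pre-production or production, the role's S_DEVELOP values (OBJTYPE, DEVCLASS, ACTVT) have to be narrowed or removed, and the same report can be rerun after the role change to confirm the route is closed.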
As an ABAPer, I am happy to have figured out this alternative way to navigate through the t-codes. It is especially handy when you want to check something really quickly or compare objects during issue mitigation.
The right path is: ask your manager for approval –> raise a ticket for the security team –> wait for approval again –> wait for the security team to provide the right access. Sometimes you do not have the liberty of waiting and watching that long, so ABAPers quickly use this trick, especially in quality and pre-production (where the restriction applies).
Question to Security Guys.
Are developers supposed to access the t-code via this alternate route?
Did you knowingly provide this alternative? If you know about it and it is OK to access this way, then we are good.
But if the Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up leaving the same alternative open in the Production environment too. If this happens, then there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).
We would like to hear comments from Security experts. Please provide your opinion on this topic. Should Security team not close this alternative if the user’s role does not allow him/her to access certain transactions?
ABAPers, please forgive me if your doors get closed. 🙂 But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It is our duty to make our environments as robust as possible and protect them from any unforeseen spy or data thief.
Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!
Do you have anything more to add to it? Do you have any story to share on this topic? Please feel free to email us at email@example.com or leave it in our comment section.
If you want to get updates about our new tweaks and tricks, please subscribe.
If you liked it, please share it. Thank you very much for your time!!
Image source : www.theregister.co.uk