Wednesday, February 20, 2013

HowTo: Restrict and remove DEBUG from SAP Roles

Scenario: Access to the debugger ("/H") in SAP could allow a user to circumvent authorisation checks and to access or modify data.
You need to restrict or remove access to the debugger in the SAP roles.

The S_DEVELOP authorisation object controls access to the debugger.
You can locate the roles that contain the S_DEVELOP authorisation object using the SUIM report "Roles by Authorisation Values".

You should edit all user-assigned roles that contain S_DEVELOP and ensure that the "Object Type" field is set to a range of values that excludes the DEBUG value:

4 to DE
Z to $TM

i.e. missing out DEBUG.

NOTE: The above is based on SAP R/3 4.7.

This will prevent access to the debugger.
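
An added example, not from the original post: a Python check over exported role values that flags any role whose S_DEVELOP "Object Type" entries still cover DEBUG, including wildcard entries that a quick look at the ranges can miss. The role names and rows are constructed, and comparing range bounds by plain character order is an assumption about how the ranges are evaluated.

```python
# Constructed sample rows: (role, "Object Type" from-value, to-value).
# An empty to-value means a single value or a trailing-* pattern.
# Role names are made up for this example.
SAMPLE_ROWS = [
    ("Z_DEV_RESTRICTED", "4", "DE"),    # ranges from the post
    ("Z_DEV_RESTRICTED", "Z", "$TM"),
    ("Z_DEV_FULL", "*", ""),            # full wildcard
    ("Z_SUPPORT", "DEBUG", ""),         # explicit single value
    ("Z_BASIS", "D*", ""),              # prefix pattern that matches DEBUG
    ("Z_WIDE_RANGE", "A", "Z"),         # range that spans DEBUG
    ("Z_REPORTS", "PROG", ""),          # unrelated single value
]

TARGET = "DEBUG"


def value_permits(low, high, target=TARGET):
    """Return True if one from/to entry covers the target value."""
    low, high = low.strip().upper(), high.strip().upper()
    if not high:
        if low.endswith("*"):
            # "*" alone matches everything; "D*" matches any value starting with D.
            return target.startswith(low[:-1])
        return low == target
    # Assumption: range bounds are compared in plain character order.
    return low <= target <= high


def roles_permitting_debug(rows, target=TARGET):
    """Return the sorted names of roles with at least one entry covering target."""
    return sorted({role for role, low, high in rows
                   if value_permits(low, high, target)})


if __name__ == "__main__":
    for role in roles_permitting_debug(SAMPLE_ROWS):
        print("still allows DEBUG:", role)
```

Feed it the values listed by the SUIM report for each role, and re-run it after editing the roles to confirm that none are flagged.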
