2

I need to develop an ABAP program which does some actions for SAP Basis. This program will be run in test/development systems only and it's not safe to run the program in a productive system.

I need a safe way to prevent the program from running in the productive system. I can read the category field in the T000 table and check whether the system is productive or not, but this way is not 100% safe. Any user with debug/variable modification authorizations will be able to avoid this.

A possible solution is not to import the ABAP program to the productive system at all. At the same time, we have a system copy from productive to QA (the Oracle DB is copied from PROD to QA completely and renamed). This means the new program will be erased in QA after each PROD->QA copy and we will need to import it from DEV to QA again. So, this way is not convenient.

Is there any way which is safer?

Sandra Rossi
Skalozub

3 Answers

6

There are very few safeguards against someone who maliciously uses the debugger to change values in a running program (and has the permissions to do so). If someone with that permission wants to actively harm your system, he/she/it will be able to do so one way or another.

Manage that risk through strict permissions management.

If that is not sufficient, do not transport the program, however inconvenient that may seem.

Still, you should guard against accidental execution, and for that, the role of the client (can be "productive", "customizing", "test"; via transaction code SCC4; it's stored in table column T000-CCCATEGORY and can be read via function module TR_SYS_PARAMS) should be sufficient.

Sandra Rossi
vwegert
  • Thank you very much for a quick response. "...the client/system setting should be sufficient." - Do you mean the check of T000-CCCATEGORY in the ABAP program? – Skalozub Aug 21 '17 at 12:56
  • 2
    Yes, although I would recommend to use TR_SYS_PARAMS to read it. – vwegert Aug 21 '17 at 13:01
  • I updated the answer with information T000-CCCATEGORY and TR_SYS_PARAMS. – Sandra Rossi Aug 07 '19 at 08:42
  • For authorizations, one solution is to assign such programs to a custom "authorization group" (list in SM30 V_TPGP) in the program attributes and allow users to that group via authorization objects S_PROGRAM and S_DEVELOP in Dev/Test systems only. – Sandra Rossi Aug 07 '19 at 08:46
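
An added example, not code from any poster in this thread: a fail-closed guard against accidental execution that reads the client role through TR_SYS_PARAMS and allows only the roles named in an allowlist. The report name, class name and the choice of allowed roles ('T' test, 'C' customizing) are assumptions; as the answer above says, this does not stop a user who is allowed to change variables in the debugger.

```abap
REPORT z_basis_nonprod_only.  " hypothetical report name

" Allowlist instead of "role <> 'P'": an empty or unexpected category
" (for example after a system copy) is then treated like production.
CONSTANTS:
  gc_role_test TYPE t000-cccategory VALUE 'T',  " SCC4: Test
  gc_role_cust TYPE t000-cccategory VALUE 'C'.  " SCC4: Customizing

CLASS lcl_guard DEFINITION FINAL.
  PUBLIC SECTION.
    CLASS-METHODS is_allowed RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_guard IMPLEMENTATION.
  METHOD is_allowed.
    DATA lv_role TYPE t000-cccategory.

    rv_ok = abap_false.                  " deny unless proven otherwise

    " Reads T000-CCCATEGORY of the logon client (sy-mandt)
    CALL FUNCTION 'TR_SYS_PARAMS'
      IMPORTING
        system_client_role = lv_role
      EXCEPTIONS
        no_systemname      = 1
        no_systemtype      = 2
        OTHERS             = 3.

    " Any read error blocks the run as well
    IF sy-subrc = 0 AND ( lv_role = gc_role_test OR lv_role = gc_role_cust ).
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Runs for dialog and background execution alike
  IF lcl_guard=>is_allowed( ) = abap_false.
    MESSAGE 'Execution blocked: client role is not Test/Customizing'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " The Basis actions follow here; calling lcl_guard=>is_allowed( ) again
  " directly before each destructive step keeps the check close to the effect.
```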
1

Anyone with a developer/debug authorization can basically do everything in your system. I mean, even if you do not ship your program, I myself can create a Z-program to do the same thing as your program does if I have a dev role.

So let's focus on your statement here: Productive System. How many users can have the dev authorization? I think it should be strictly controlled by your Admin.

In addition to the T000 "Productive" check, you can also add an authority check, for example S_ADMI_FCD, and logging in your code to restrict and secure the program.

Hope it helps. Thank you!

Haojie
0

The solution would be to call an operating system command which could be found only in the test/quality system and not on the productive system.

hovmat