Re: [sap-security] S_DEVELOP in production system roles


Posted by henrikmadsen2 (GRC Consultant )
on Apr 30 at 6:03 PM
There are some issues with that approach, as that requires S_DEVELOP, 03 for
PROG in production. If they can log on there, they can use a back door and
run not just programs, but also function modules... So that is a big gaping
hole...
/henrik

On 1 May 2010 00:23, benefieldgm via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by benefieldgm(SAP Security Specialist)
> on Apr 30 at 10:22 AM
> I've also heard the argument from developers regarding the need for SE38
> to review code in production. I advised our developers that this can be
> quite easily accomplished by using SE38 in development as follows:
>
> 1. Logon to development system
> 2. SE38; enter name of program to review
> 3. Go to Utilities -> Splitscreen editor
> 4. Enter name of program under 'Right' box
> 5. Click 'Compare Different Systems'
> 6. Enter RFC destination for production environment (ours requires that the
> user logon with his own credentials such that the user is constrained by his
> own authorizations in production)
> 7. Click 'Display' (user prompted to logon to production)
> 8. Production source code is displayed on right
>
> This allows developers to view source code in production without having to
> directly have access to SE38 in production (although it does require that
> the user have an S_DEVELOP Display authorization for the program). Perhaps
> something to consider as an alternative?
>
> Gail
>
> From: henrikmadsen2 via sap-security [mailto:
> sap-security@Groups.ITtoolbox.com]
> Sent: Thursday, April 22, 2010 10:49 PM
> To: Benefield, Gail M.
> Subject: Re: [sap-security] S_DEVELOP in production system roles
>
> Posted by henrikmadsen2 (GRC Consultant )
> on Apr 22 at 10:47 PM
>
> So they make so many mistakes that they require SE38 full time? That's not a
> good sign ;-)
> Temporary access as and when needed should be the way to go.
> If you have different versions of your programs in different environments,
> you may want to revisit your change management process.
>
> No one has SE38 in production here - not even in UAT. There is firefighter
> access as and when required, but only on the back of a support ticket.
>
> So, it's a matter of how strict you want to be.
>
> On 23 April 2010 06:25, JimmyJ2 via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
>
> > Posted by JimmyJ2(Mr)
> > on Apr 22 at 4:26 PM
> > All,
> > Of course it goes without saying if you have several development teams on
> > the go then the version in Dev / Test may be modified but not yet
> > transported to Production. Trying to debug a different modified version in
> > Test for a Production issue is the perfect excuse for failing to fix a
> > problem quickly and the impact to the business that causes.
> > Cheers, James.
> >
> > ---------------Original Message---------------
> > From: mjc
> > Sent: Friday, April 16, 2010 10:33 AM
> > Subject: S_DEVELOP in production system roles
> >
> > > I removed S_DEVELOP from production system end user roles per the
> > > S_DEVELOP documentation. However, now users cannot run tcode SE38 without
> > > getting an authorization error pointing to S_DEVELOP. Can someone explain to
> > > me why this is happening?
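
An added example, not part of the thread or of any SAP tooling: a Python check over a CSV export of role authorization values (table AGR_1251) that lists which roles still carry S_DEVELOP and whether each grant is display-only on PROG, display on other object types, or goes beyond display. The CSV layout, role names and level labels are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column names follow table AGR_1251 (assumed CSV export).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_ENDUSER_FI,S_DEVELOP,T_A1,ACTVT,03,
Z_ENDUSER_FI,S_DEVELOP,T_A1,OBJTYPE,PROG,
Z_ENDUSER_FI,S_DEVELOP,T_A1,OBJNAME,Z*,
Z_SUPPORT,S_DEVELOP,T_B1,ACTVT,01,03
Z_SUPPORT,S_DEVELOP,T_B1,OBJTYPE,*,
Z_SUPPORT,S_TCODE,T_B2,TCD,SE38,
Z_REPORTING,S_DEVELOP,T_C1,ACTVT,03,
Z_REPORTING,S_DEVELOP,T_C1,OBJTYPE,TABL,
Z_DISPLAY,S_TCODE,T_D1,TCD,SU53,
"""

def covers(low, high, value):
    """True if one LOW/HIGH pair (exact value, trailing-* pattern or range) covers value."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def audit_s_develop(export_text):
    """Return sorted (role, authorization, level) for every S_DEVELOP grant in the export."""
    grants = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "S_DEVELOP":
            key = (row["AGR_NAME"], row["AUTH"])
            grants[key][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    findings = []
    for (role, auth), fields in sorted(grants.items()):
        actvt = fields.get("ACTVT", [])
        # Anything other than the single value 03 (display) is more than read access.
        if any(high or low != "03" for low, high in actvt):
            level = "beyond-display"
        elif any(covers(l, h, "PROG") for l, h in fields.get("OBJTYPE", [])):
            level = "display-prog"  # the grant the replies in this thread argue about
        else:
            level = "display-other"
        findings.append((role, auth, level))
    return findings

if __name__ == "__main__":
    for finding in audit_s_develop(SAMPLE_EXPORT):
        print(*finding)
```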
Copyright © 2010 Toolbox.com and message author.
