Skalozub

Reputation: 539

A safe way to avoid ABAP program running in productive ERP system

I need to develop an ABAP program which does some actions for SAP Basis. This program will be run in test/development systems only, and it's not safe to run the program in a productive system.

I need a safe way to prevent the program from running in a productive system. I can read the category field in table T000 and check whether the system is productive or not, but this way is not 100% safe. Any user with debug/variable modification authorizations will be able to avoid this.

A possible solution is to not import the ABAP program to the productive system at all. At the same time, we have a system copy from productive to QA (the Oracle DB is copied from PROD to QA completely and renamed). This means the new program will be erased in QA after each PROD->QA copy and we will need to import it from DEV to QA again. So, this way is not convenient.

Is there any way which is safer?

Upvotes: 2

Views: 1533

Answers (3)

vwegert

Reputation: 18483

There are very few safeguards against someone who maliciously uses the debugger to change values in a running program (and has the permissions to do so). If someone with that permission wants to actively harm your system, he/she/it will be able to do so one way or another.

Manage that risk through strict permissions management.

If that is not sufficient, do not transport the program, however inconvenient that may seem.

Still, you should guard against accidental execution, and for that, the role of the client (can be "productive", "customizing", "test"; via transaction code SCC4; it's stored in table column T000-CCCATEGORY and can be read via function module TR_SYS_PARAMS) should be sufficient.

Upvotes: 6

hovmat

Reputation: 1

The solution would be to call an operating system command which could be found only in the test/quality system and not on the productive system.

Upvotes: 0

Haojie

Reputation: 5713

Anyone with a developer/debug authorization can basically do everything in your system. I mean, even if you do not ship your program, I myself can create a Z-program to do the same thing as your program does if I have a dev role.

So let's focus on your statement here: Productive System. How many users can have the dev authorization? I think it should be strictly controlled by your Admin.

In addition to the T000 "Productive" check, you can also add an authority check, for example, S_ADMI_FCD, and logging in your code to restrict and secure the program.

Hope it helps. Thank you!

Upvotes: 1
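The guards suggested in vwegert's and Haojie's answers, combined in one report as an added example that is not code from any of the posters: it blocks accidental execution only and does not stop a user who can change variables in the debugger. The report name, the log object `ZBASIS_TOOL` (assumed to be defined in SLG0) and the `S_ADMI_FCD` value `PADM` are assumptions chosen for illustration.

```abap
REPORT zbasis_nonprod_tool.                       " hypothetical report name
" Assumption: pick the S_ADMI_FCD function your own role concept assigns.
CONSTANTS gc_fct TYPE c LENGTH 4 VALUE 'PADM'.
DATA: gv_role   TYPE t000-cccategory,
      gv_reason TYPE c LENGTH 120.

START-OF-SELECTION.
  " Guard 1: client role maintained in SCC4 (T000-CCCATEGORY), 'P' = productive.
  SELECT SINGLE cccategory FROM t000 INTO gv_role WHERE mandt = sy-mandt.
  IF sy-subrc <> 0 OR gv_role = 'P'.
    " Fail closed: an unreadable role is handled like a productive client.
    gv_reason = 'Blocked: client is productive or its role is unreadable'.
  ELSE.
    " Guard 2: the caller must hold the administration authorization.
    AUTHORITY-CHECK OBJECT 'S_ADMI_FCD' ID 'S_ADMI_FCD' FIELD gc_fct.
    IF sy-subrc <> 0.
      gv_reason = 'Blocked: user lacks the S_ADMI_FCD authorization'.
    ENDIF.
  ENDIF.
  " Record every attempt, allowed or refused, before anything else happens.
  PERFORM write_log USING gv_reason.
  IF gv_reason IS NOT INITIAL.
    MESSAGE gv_reason TYPE 'E'.                   " ends the report here
  ENDIF.
  " ... the Basis actions would start here ...

FORM write_log USING iv_reason TYPE clike.
  DATA: ls_log     TYPE bal_s_log,
        lv_handle  TYPE balloghndl,
        lt_handles TYPE bal_t_logh,
        lv_text    TYPE c LENGTH 200.
  ls_log-object = 'ZBASIS_TOOL'.                  " hypothetical SLG0 log object
  ls_log-aluser = sy-uname.
  ls_log-alprog = sy-repid.
  CALL FUNCTION 'BAL_LOG_CREATE'
    EXPORTING i_s_log = ls_log
    IMPORTING e_log_handle = lv_handle
    EXCEPTIONS OTHERS = 1.
  IF sy-subrc <> 0. RETURN. ENDIF.                " no log object: nothing is written
  lv_text = iv_reason.
  IF lv_text IS INITIAL. lv_text = 'Run permitted'. ENDIF.
  CALL FUNCTION 'BAL_LOG_MSG_ADD_FREE_TEXT'
    EXPORTING i_log_handle = lv_handle i_msgty = 'W' i_text = lv_text
    EXCEPTIONS OTHERS = 1.
  INSERT lv_handle INTO TABLE lt_handles.
  CALL FUNCTION 'BAL_DB_SAVE'
    EXPORTING i_t_log_handle = lt_handles
    EXCEPTIONS OTHERS = 1.
  COMMIT WORK.                                    " persist the entry before the E message
ENDFORM.
```

The entries can be reviewed in transaction SLG1 under the chosen log object.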
