SAP Security Loop hole with Object S_DEVELOP

Recently an SAP security loophole was encountered during an SAP security audit.

S_DEVELOP with ACTVT = 03 in production is not recommended at all; it can be a threat to the business.

Please have a look at how it works:

First, the user needs the following authorization: Object S_DEVELOP, ACTVT 03.
Then he/she does the following:
1. Run the transaction
2. System, Status
3. Double click on the Program (screen) name
4. Shift+F5
5. Enter the transaction in the transaction field
6. Double click on the program name
7. F8
Hence S_DEVELOP in production is not recommended.
Note that the sequence might only work on specific versions of SAP.

Only the SAP R/3 super user can have the S_DEVELOP authorization object with critical activity values in the production system. The auditor can perform the following procedure to verify that only the super user has the S_DEVELOP authorization object with critical activity values in the production system:

Execute transaction code: SUIM
o Authorization Object: S_DEVELOP
o All fields: “*”
The risk here is that users who have this access have the ability to perform development-related functions in the production system. Such access should be restricted to developers in the development system only.
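Once the SUIM result has been exported, the review is a simple filter: which users hold S_DEVELOP with a critical ACTVT value, excluding the super user. The following is an added example, not from the original post or from SAP; the records are constructed sample data shaped like the per-field from/to value ranges SAP stores for an authorization, the default critical set is ACTVT 03 from the note above, and the super user name DDIC is a placeholder.

```python
# Added example: flag users holding S_DEVELOP with critical ACTVT values.
# The records below are constructed sample data, shaped like the per-field
# value ranges (from/to) SAP stores for an authorization; they are not
# from a real system.
SAMPLE_AUTHS = [
    # (user, object, field, value_from, value_to); empty value_to = single value
    ("DDIC",     "S_DEVELOP", "ACTVT",   "*",    ""),
    ("DEVUSER1", "S_DEVELOP", "ACTVT",   "03",   ""),
    ("DEVUSER1", "S_DEVELOP", "OBJTYPE", "PROG", ""),
    ("SUPPORT2", "S_DEVELOP", "ACTVT",   "01",   "03"),
    ("ENDUSER7", "S_TCODE",   "TCD",     "VA01", ""),
    ("ENDUSER7", "S_DEVELOP", "OBJTYPE", "PROG", ""),  # OBJTYPE but no ACTVT
]


def value_grants(value_from, value_to, actvt):
    """True if one stored (from, to) field value covers the given activity."""
    if value_from == "*":                 # full wildcard
        return True
    if value_to:                          # interval, e.g. 01 to 03
        return value_from <= actvt <= value_to
    if value_from.endswith("*"):          # generic value, e.g. 0*
        return actvt.startswith(value_from[:-1])
    return value_from == actvt            # single value


def find_s_develop_users(auths, critical=("03",), allowed_users=()):
    """Map user -> sorted critical ACTVT values granted via S_DEVELOP.

    `critical` defaults to ACTVT 03 as in the note above; extend it to the
    activities your policy treats as critical. `allowed_users` lists the
    accounts (the super user) that may legitimately hold the object.
    """
    findings = {}
    for user, obj, field, v_from, v_to in auths:
        if obj != "S_DEVELOP" or field != "ACTVT" or user in allowed_users:
            continue
        hits = [a for a in critical if value_grants(v_from, v_to, a)]
        if hits:
            findings.setdefault(user, set()).update(hits)
    return {u: sorted(v) for u, v in sorted(findings.items())}


if __name__ == "__main__":
    # "DDIC" is a constructed placeholder: name the real super user here.
    result = find_s_develop_users(SAMPLE_AUTHS, allowed_users=("DDIC",))
    for user, acts in result.items():
        print(f"REVIEW {user}: S_DEVELOP ACTVT {', '.join(acts)} in production")
```

Users that only carry other S_DEVELOP fields (such as OBJTYPE) without an ACTVT value are not reported, so the output lists exactly the accounts whose grant needs an owner and a justification.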
