04553 - Debugging in production instance

04553 - Debugging in production instance

Vendor Master (General Section)   PERFORM Short Reference  
This documentation is copyright by SAP AG.
SAP E-Book

Debugging in production instance

The main concern with debugging authorization in PRD is with the replacement
of variable values. For example, if a user isn't authorized to create P/O's,
they could start the debugger then enter tcode ME21. The user can then
single step past the authority check. If the check fails, SY-SUBRC will be
set to 8. The user can then replace the 8 with a 0 and continue with that

This is granted by giving:
Activity: 01/02
Object type: DEBUG

If you grant only display access for object DEBUG, then users will be able
to debug programs to analyze source code with production data. However,
users will not be able to replace values for objects such as SY-SUBRC. So,
in PRD, I grant activity 03 for S_DEVELOP for object type DEBUG. Most
importantly, this is secure and passes audit.

Mike D. Martin
SAP Basis Administrator
SOLA Optical, USA
707-763-9911 x6106

-----Original Message-----
From: Gueldenpfennig, Volker [mailto:volker.gueldenpfennigZs...]
Sent: Friday, January 11, 2002 2:42 AM
To: 'bpeedleZp...'
Cc: Sap400 (E-mail)
Subject: RE: Debugging in production instance


this is an authority question. There is some authority necessary for /h. It
is strongly recommended NOT to give this authority at all the users.
Unfortunately I don't know what the correct setting is. Perhaps you create a
user with very little authority and then it shouldn't be allowed. Then you
could use SU53 in order to find out what authority is missing there.

This should be removed at any "normal" user in your system.



[Non-text portions of this message have been removed]

Durban Tours - Südafrika Safari

PERFORM Short Reference   CPI1466 during Backup  
This documentation is copyright by SAP AG.

Length: 2562 Date: 20240620 Time: 002059     sap01-206 ( 4 ms )