09-12-2022 7:25 AM
Dear All
Kindly help me on this doubt
We are planning to remove SE38 access to all the users in production.
However, many of our Programs using SUBMIT statments inside the custom z-programs.
Hence, removing SE38 access - do they have impact on these SUBMIT statements being executed or interrupted.
Kindly help
regards,Venkat
09-12-2022 7:42 AM
There is no link between SE38 transaction and SUBMIT statement.
SE38 must be removed from production system (and SE37, SE24, SE80, ....)
09-12-2022 8:02 AM
Hello,
I don't fully agree to your last statement. For end users: yes. But I think for the IT support the access to these transactions IMHO should be given, otherwise you make their work more difficult. If you want to avoid people executing any program, you can do this by removing S_DEVELOP with Activity 16.
Kind regards,
Jan
09-12-2022 8:37 AM
jmodaal you have to chose between security and confort.
A production system should not be used by IT, there is no good reason to run SE38 transaction.
There is the solution of the Firefighter (in GRC) to give quickly a temporary role with a lot of authorization. You could recreate it with specific development in your system.
09-12-2022 8:49 AM
Sometimes it's a choice between security and having a functioning system. But yes - FF and other (better) solutions are available for these scenarios.
And then they took FF access away from IT in production...
09-12-2022 8:54 AM
Hello frdric.girod,
I see your point, however, I think it is a little bit theoretical and does not fit for everyone. Not every customer uses FireFighter.
I know of big SAP customers having the IT support staff on their productive systems with dedicated, restricted roles. FireFighter is also in use, but for emergency situations only. But of course the scenario you mentioned is also present.
With S_DEVELOP / Activity 03 (Display) only I do not see any reason why SE38 and similars are to be banned.
Kind regards
Jan
09-12-2022 8:30 AM
program execution access if not via transaction code should be SA38 with S_PROGNAM/S_PROGRAM which then has the SUBMIT, BTCSUBMIT, etc. Transaction SE38 for code uses the S_DEVELOP
I find the backdoor - admins take away SE38 but leave SA38 with S_PROGRAM wide open 🙂
09-12-2022 8:41 AM
To be precise about what you say "removing SE38 access", I guess you mean "removing authorization with object = S_TCODE and TCD = SE38".
SUBMIT does not check this authorization as you can see in the ABAP doc, and you can check by doing an authorization trace. ABAP doc SUBMIT: "When the statement SUBMIT is executed, an authorization check for the authorization group specified in the program attributes is performed using the authorization object S_PROGRAM. The program attribute Start Using Variant is ignored in SUBMIT." (you can deduce that there is no other authorization check)
09-12-2022 8:54 AM
The submit statement