Audit finding: developer keys in productive system


Published by Shortcut IT in Sc4SAP · 13 July 2023
Tags: SAP Security;SAP developer key
It is a standard check performed by many auditors: look at table DEVACCESS in a 'Production' system and check whether it contains entries. If it does, this might become a finding, and it does not matter to the auditor whether your system is set to not changeable in SCC4 and SE03.

This can be easily avoided. And if you have already received a finding, you can delete the developer keys quickly and easily.

There is no table maintenance dialog available for table DEVACCESS, so you have to delete existing entries using another method.

For example, you can do this via transaction SE14:
SE14 - delete table data

This would satisfy the auditor's requirement, but it is a manual task. You have to do it for each (productive) system, and you cannot take it for granted that the finding will not occur in next year's audit. It is unlikely, but not impossible, that developer keys somehow find their way into your productive system... but with the following method you can be sure that this problem will no longer be a reason for an audit finding.

Typically, this is where the idea comes into play of developing an ABAP program for this purpose, distributing it to all systems and scheduling it as a periodic batch job in all productive systems.

Here I want to show a shorter, faster and consequently cheaper approach. "Shortcut for SAP systems" comes with a 'Delete table data' function that is useful for ensuring that this issue will never occur in your system. Using the dialog function, solving the problem would look like this:

Delete table data: developer keys in table DEVACCESS

The entries in table DEVACCESS are to be deleted for all users not beginning with 'EM_'. This excludes the developer keys of an emergency user. Personally, if there are developer keys for the emergency user I would keep them - however, if the auditor also complains about developer keys of the emergency user, you can leave this condition out to delete all records in the table.

Up to here, by pressing the "Execute" button, we have a one-time solution for this problem. But our aim is to do this on a regular basis, maybe every week, to ensure that any newly created entries are deleted again at short notice. And we want to do this on every 'Production' system.

"Shortcut for SAP systems" contains a command line tool that we are going to use for this task. It runs outside the GUI application on OS level. This gives us the possibility to execute it periodically via an automation solution. This can be a simple (and free) solution like the Windows Task Scheduler or a more sophisticated (and more expensive) product like Automic Automation or others.

There are 2 options to use the command line tool:
  1. using a Variant (a Variant in "Shortcut for SAP systems")
  2. using an XML file

Personally, I like this XML stuff. It doesn't need any variants and offers maximum flexibility. An XML file for deleting the entries in DEVACCESS would look like this:

An XML file for the command line tool, deleting developer keys in productive systems

Before scheduling this periodically, we call it directly on the console:

Deleting developer keys via command line tool in the console

In contrast to the first task, the next 3 tasks ended with return code 4. This is because in these systems there are no records to be deleted (the ABAP statement DELETE dbtab also sets SY-SUBRC to 4 in that case). It is a warning that there are no records matching the criteria (here: the condition UNAME NOT LIKE 'EM_%'). We can ignore this - obviously we had the issue with the developer keys in the first system only.
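In a LIKE pattern, `_` matches any single character, so the condition UNAME NOT LIKE 'EM_%' also spares users such as EMILY, not only those with the literal prefix 'EM_'. The following is an added example, not part of the original article or of "Shortcut for SAP systems": it models the condition in SQLite on constructed rows, and while the ESCAPE form is valid ABAP SQL, whether the tool's condition field accepts it is an assumption to verify.

```python
import sqlite3

# Constructed sample rows standing in for table DEVACCESS (UNAME, ACCESSKEY).
# The access key values are placeholders, not real keys.
SAMPLE_ROWS = [
    ("EM_FIRE01", "<key>"),   # emergency user, meant to be kept
    ("EMILY", "<key>"),       # ordinary developer whose name starts with EM
    ("EMX", "<key>"),         # three characters, third one is not an underscore
    ("EM", "<key>"),          # too short to match 'EM_%'
    ("DEVELOPER1", "<key>"),  # ordinary developer
]

# Condition as quoted in the article: '_' is a single-character wildcard.
PAGE_CONDITION = "UNAME NOT LIKE 'EM_%'"
# Variant that treats the underscore literally via an escape character.
LITERAL_CONDITION = "UNAME NOT LIKE 'EM#_%' ESCAPE '#'"


def survivors(rows, condition):
    """Return the user names still in DEVACCESS after DELETE ... WHERE <condition>."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE DEVACCESS (UNAME TEXT PRIMARY KEY, ACCESSKEY TEXT)")
    db.executemany("INSERT INTO DEVACCESS VALUES (?, ?)", rows)
    # The condition comes from the fixed constants above, never from user input.
    db.execute(f"DELETE FROM DEVACCESS WHERE {condition}")
    left = [r[0] for r in db.execute("SELECT UNAME FROM DEVACCESS ORDER BY UNAME")]
    db.close()
    return left


def unintended_survivors(rows, prefix="EM_"):
    """Users the article's condition keeps although they lack the literal prefix."""
    return [u for u in survivors(rows, PAGE_CONDITION) if not u.startswith(prefix)]


if __name__ == "__main__":
    print("kept by page condition:   ", survivors(SAMPLE_ROWS, PAGE_CONDITION))
    print("kept by escaped condition:", survivors(SAMPLE_ROWS, LITERAL_CONDITION))
    print("kept unintentionally:     ", unintended_survivors(SAMPLE_ROWS))
```

Running the same comparison against an export of your real user list shows whether any non-emergency account would keep its developer key under the unescaped pattern.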

Now let's implement this in a periodic task. Here I use the Windows Task Scheduler for this. After clicking on "Create Task..." (1) we enter a name (2) and a description (3). Here I changed the user (4) - I want this to be independent of my personal user, just as I prefer to schedule jobs in SAP with a system user instead of my personal user - and specified that the task is to be executed regardless of whether the user is logged in.

Windows Task Scheduler - create a new task

After clicking OK (6) we move to the next tab. A trigger (1) is to be created (2) for running the task. Here I specified that the task has to be run weekly (3) starting on next Monday at 06:30 (4).

Windows Task Scheduler - weekly task

In the "Actions" tab we enter the call of the command line tool and enter the XML file as argument.

Windows Task Scheduler - calling the command line tool

After closing the "Actions" tab we click on OK. And that's it!

The command line tool writes the result of the tasks back into the XML file. By viewing it, you can check whether (and when) it has been executed.

With a regular deletion of developer keys in place, you can be sure that developer keys will not be an issue in next year's audit. We did not have to develop an ABAP program, distribute it to every system line and then schedule a job. Adding a new system to this task is simple: just add some lines to the XML file.
