Audit finding: developer keys in productive system

This can be easily avoided. And if you have already received a finding, you can delete the developer keys quickly and easily.

This would satisfy the auditor's requirement. But it is a task to be done manually. You have to do it for each (productive) system, and you can not take it for granted, that the finding will not occur in next year's audit. It is unlikely, but not impossible, that developer keys somehow find their way into your productive system... but with the following method you can be sure that this problem will no longer be a reason for an audit finding.

The entries in table DEVACCESS are to be deleted for all users not beginning with 'EM_'. Here this is for excluding developer keys from an emergency user. Personally, if there are developer keys for the emergency user I would keep them - however, if the auditor also claims about developer keys of emergency user, you can leave this out for deleting all records in the table.

Up to here, pressing the "Execute" button, we have a one-time solution for this problem. But our aim is to do this on a regularly basis, maybe every week, to ensure that possibly created entries will be deleted again on short notice. And we want to do this on every 'Production' system.

"Shortcut for SAP systems" contains a command line tool that we are going to use for this task. It runs outside the GUI application on OS level. This gives us the possibility to execute it periodically via an automation solution. This can be a simple (and free) solution like the Windows Task Scheduler or a more sophisticated (and more expensive) product like Automic Automation or others.

In front of scheduling this periodically we call it directly on the console:

In opposite to the first task the next 3 tasks ended with return code 4. This is because in these systems there are no records to be deleted (the ABAP statement DELETE dbtab also sets SY-SUBRC to 4 in that case). It is a warning that there are no records fitting to the criteria (here: the condition with UNAME NOT LIKE 'EM_%'). We can ignore this - obviously we had the issue with the developer keys in the first system only.

Now let's implement this in a periodic task. Here I use the Windows Task Scheduler for this. After clicking on "Create Task..." (1) we enter a name (2) and a description (3). Here I changed the user (4) - I want to have this independent from my personal user, like I prefer to schedule jobs in SAP also with a system user instead of my personal user - and specified that the task has to be executed independently from a login of the user.

After clicking OK (6) we move to the next tab. A trigger (1) is to be created (2) for running the task. Here I specified that the task has to be run weekly (3) starting on next Monday at 06:30 (4).

In the "Actions" tab we enter the call of the command line tool and enter the XML file as argument.

After closing the "Actions" tab we click on OK. And that's it!

The command line tool writes the result of the tasks back into the XML file. By viewing it, you can check whether (and when) it has been executed.

With the implementation of a regular deletion of developer keys you can be sure, that developer keys in next year's auditing will not be an issue anymore. We did not have to develop an ABAP program and distribute it into every system line, followed by a job scheduling. Adding a new system for this task is quite simple via adding some lines in the XML file.