SAP Security for dummy ABAP developers

Opening with a motivational and maybe a little controversial statement: security aspects are heavily underrated and neglected by ABAP developers. Do you recognize yourself or your company? Or, au contraire, do you think this is a false belief of mine? Because false beliefs are the topic for today.
I am afraid that some developers believe that SAP somehow takes care of security for them, or that some magic procedure in the SAP kernel does it. (Again, I am known for exaggerating a little, so please forgive me the strong words...) The SAP standard does so many awesome things. But security is something like change documents: if you don't write change documents, you don't have any. If you don't care about security, you don't have any.
I have met "consultants" who refuse to come or work unless they are promised to have SAP_ALL all the time. That's kind of an ultimate example. But how many of you have SAP_ALL in DEV, quite often in QAS, or even SAP_ALL minus something unimportant in the production system? "I can't work without SAP_ALL" is definitely a false belief. Ask any auditor.
How can a developer who always has the SAP_ALL profile assigned and nearly never works in the production system (DEV system = development system = that is where developers live) understand the risks? He or she is used to doing everything they want, and so are their colleagues, so why would they protect anything? Everybody else in the system has the same powers they have. In my opinion this is the reason why developers care so little about security: they don't have to live the security.
Another important statement about developers is that "they want to see their toys working". Developers build things. And they build them the way they will work. They even test their tools the way the tools pass the tests (that's why quality assurance and testing processes were introduced: testers want to break tools). They're also happy about the fact that everything works as asked in the specs, so they don't think about other ways of using their tools, be it a singular case where a user does something unexpected, or an intentional misuse of the tool. "My work is finished when I see my tool/code working" is definitely a false belief.
Have you, dear developer, ever tried to misuse the tools you build? Do you know how many things one can accomplish when assigned the authorizations for debugging? Debugging effectively means the same thing as SAP_ALL. If you don't protect your code with AUTHORITY-CHECKs, boom, like SAP_ALL again. If you do not react to the AUTHORITY-CHECK result, same thing, SAP_ALL. OK, this is all very simplified, but that's how it is.
By the way, let's stop for a while and talk about the last example: reacting to the AUTHORITY-CHECK return code. That is so obvious. Checks return SY-SUBRC values with a well-documented meaning. I mentioned that some developers believe that some dark magic within the kernel does the dirty work for them (not sure what they expect: a dump when the user is not authorized? Or a "please contact your administrator" message?).
Actually, this is true in a few cases, but it is still not considered best practice. In most cases: no call, no check (who can name the objects checked by the kernel?). If the check is called, an "answer" is returned. If you don't deny access based on that return code, the call was for nothing. I can imagine how many of the readers laugh now, but who has never ever seen a comment like IF SY-SUBRC NE 0. *** should never happen ENDIF after an AUTHORITY-CHECK (or any other test)? Developers add this type of comment because they have SAP_ALL, and then it indeed never happens.
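To make the last two paragraphs concrete, here is an added example (my own, not code from the original post) showing the "should never happen" anti-pattern next to a check whose return code is actually acted upon. It uses the standard SAP flight-model demo authorization object S_CARRID (fields CARRID and ACTVT) and the SFLIGHT table; the report name, the local class and the message texts are assumptions.

```abap
REPORT z_authcheck_demo.
" Added example, not from the original post. S_CARRID (CARRID, ACTVT) and
" SFLIGHT are standard SAP demo objects; everything else here is assumed.

PARAMETERS p_carrid TYPE s_carr_id DEFAULT 'LH'.

CLASS lcl_flight_viewer DEFINITION.
  PUBLIC SECTION.
    " The anti-pattern: the check is issued, the result is ignored.
    CLASS-METHODS show_unprotected IMPORTING iv_carrid TYPE s_carr_id.
    " The same check, with every non-zero SY-SUBRC treated as a denial.
    CLASS-METHODS is_display_allowed IMPORTING iv_carrid        TYPE s_carr_id
                                     RETURNING VALUE(rv_allowed) TYPE abap_bool.
    CLASS-METHODS show_protected IMPORTING iv_carrid TYPE s_carr_id.
ENDCLASS.

CLASS lcl_flight_viewer IMPLEMENTATION.
  METHOD show_unprotected.
    DATA lt_flights TYPE STANDARD TABLE OF sflight.

    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD iv_carrid
      ID 'ACTVT'  FIELD '03'.          " 03 = display
    IF sy-subrc <> 0.
      " *** should never happen
      " (it only "never happens" for a developer who has SAP_ALL)
    ENDIF.

    " Reached by every caller, authorized or not: the check was for nothing.
    SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = iv_carrid.
    " ... output lt_flights
  ENDMETHOD.

  METHOD is_display_allowed.
    rv_allowed = abap_false.

    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD iv_carrid
      ID 'ACTVT'  FIELD '03'.          " 03 = display
    CASE sy-subrc.
      WHEN 0.
        " The user holds S_CARRID for this carrier with activity 03.
        rv_allowed = abap_true.
      WHEN 4.
        " The user is simply not authorized: the normal denial case.
        MESSAGE |No authorization to display carrier { iv_carrid }| TYPE 'S'
          DISPLAY LIKE 'E'.
      WHEN OTHERS.
        " Any other code means the check itself could not be performed
        " (unknown object or ID, too many IDs, broken user master data).
        " A check that could not run is still not a passed check.
        MESSAGE |Authorization check S_CARRID failed, SY-SUBRC { sy-subrc }|
          TYPE 'S' DISPLAY LIKE 'E'.
    ENDCASE.
  ENDMETHOD.

  METHOD show_protected.
    DATA lt_flights TYPE STANDARD TABLE OF sflight.

    " Deny first; the data access is only reached when the check passed.
    IF is_display_allowed( iv_carrid ) = abap_false.
      RETURN.
    ENDIF.

    SELECT * FROM sflight INTO TABLE lt_flights WHERE carrid = iv_carrid.
    " ... output lt_flights
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_flight_viewer=>show_protected( p_carrid ).
```

The point of isolating the check in is_display_allowed is that the decision becomes a value the caller cannot forget to look at: the data access in show_protected is unreachable unless the method returned abap_true, whereas in show_unprotected nothing stops execution after the check. Note also that the WHEN OTHERS branch refuses access: a malformed check (for example a typo in the object name) returns a non-zero code just like a missing authorization does, and a "should never happen" branch would silently let it through.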
False beliefs, ladies and gentlemen. No hard work? No security! I answer questions in the Career forum here on SDN. Apart from the zillion questions about how to learn ABAP or whether a functional person has to learn ABAP, many questions are about "How can I make myself more marketable in the future?". One of the answers is: go for Security. On the other hand, it is nowhere near as exciting as HANA or other Chuck Norris things.
CALL FUNCTION TH_USER_DELETE, cheers Otto