Delete ABAP developer keys

Keygen

This blog will answer the following questions:

  • How to delete old ABAP developer keys from my system?

ABAP developer keys clean up

If ABAP developers leave their key is still in your system and could potentially misused. Also when SAP comes to measure licenses they might peek in table DEVACCESS to see which developer keys are present.

Unfortunately SAP does not deliver a standard program delete an unused ABAP key. See OSS note 1710320 – How to delete SSCR Object and/or Developer Keys – SAP ONE Support Launchpad.

So you simply have to write your own customer program with a code that looks like:

DELETE FROM DEVACCESS WHERE UNAME EQ '<USERNAME>'.

Maintenance view on DEVACCESS

Alternative solution is to create a maintenance view on table DEVACCESS. This will require a once off modification key. Then you can delete and insert developers keys via the normal SM30 table maintenance transaction.

Developer key hack

The developer keys are not safe, so don’t rely on them. See this blog.

S4HANA

S4HANA does not have the developer key principle at all any more. You can delete all keys in S4HANA. Read more in this blog.

4 thoughts on “Delete ABAP developer keys”

  1. Hi,
    Why not create a maintenance view on DEVACCESS and generate a table maintenance dialog for it.
    This would seem a more organized way of managing your developer keys.
    Btw It seems SAP is leaving the concept of developer keys in S4HANA, I’ve been told.

    kr
    Marcel

  2. hi
    What about visibility of developer keys in SAP systems. Should this also be limited to intended roles and users only?
    I imagine a person could easily read, note and store the developer key offline and later abuses it?
    (but nowhere this is described as a risk)

    1. A developer key can indeed be stored for later “re-use”. The only way to avoid it:
      1. Don’t hand out the developer key
      2. If a new developer comes, you call off the key and manually insert it into DEVACCESS table
      3. From authorisation perspective you shield off the DEVACCESS table

      Even that is not 100% proof. A developer can always write a simple program to read from DEVACCESS table to obtain the key….
      Or he can use the keygen…

      Abuse prevention: delete the ABAP user after he leaves. And the best prevention: upon selecting resources take ABAP senior developers that are always long on projects and don’t have any problems in their private life. And treat ABAP developers nicely always: during hiring, during work, and during the finishing and leaving. Most misuse has a trigger (need of money due to private circumstances, or revenge for being treated badly). Don’t provide the trigger.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.