This blog will answer the following questions:
- How to delete old ABAP developer keys from my system?
ABAP developer keys clean up
When ABAP developers leave, their keys remain in your system and could potentially be misused. Also, when SAP comes to measure licenses, they might peek in table DEVACCESS to see which developer keys are present.
Unfortunately, SAP does not deliver a standard program to delete an unused ABAP developer key. See OSS note 1710320 – How to delete SSCR Object and/or Developer Keys – SAP ONE Support Launchpad.
So you simply have to write your own customer program with code that looks like:
DELETE FROM DEVACCESS WHERE UNAME EQ '<USERNAME>'.
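A fuller version of such a cleanup program, as an added example (not SAP-delivered code and not from the original post). It assumes a key is obsolete when its user no longer exists in USR02; the report name ZDEVACCESS_CLEANUP and the parameter P_TEST are hypothetical.

```abap
REPORT zdevaccess_cleanup.
* Added example: report name and parameter are hypothetical.
* Assumption: a developer key is obsolete when its user is gone from USR02.
* USR02 is client-dependent, so a user that exists only in another client
* is listed as orphaned here: review the test-run list before deleting.

PARAMETERS p_test AS CHECKBOX DEFAULT 'X'. " test run: list only

DATA: lt_orphans TYPE STANDARD TABLE OF devaccess,
      ls_orphan  TYPE devaccess.

START-OF-SELECTION.
  " A direct DELETE bypasses SM30, so check table authorization explicitly
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'ACTVT' FIELD '02'
    ID 'TABLE' FIELD 'DEVACCESS'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to change table DEVACCESS' TYPE 'E'.
  ENDIF.

  " Keys whose owner no longer has a user master record in this client
  SELECT * FROM devaccess INTO TABLE lt_orphans
    WHERE NOT EXISTS ( SELECT * FROM usr02
                         WHERE bname = devaccess~uname ).

  IF lt_orphans IS INITIAL.
    WRITE / 'No orphaned developer keys found.'.
    RETURN.
  ENDIF.

  " List user names only; the key values themselves are never printed
  LOOP AT lt_orphans INTO ls_orphan.
    WRITE: / ls_orphan-uname.
  ENDLOOP.

  IF p_test IS INITIAL.
    " Delete exactly the rows that were listed above
    DELETE devaccess FROM TABLE lt_orphans.
    WRITE: / 'Deleted entries:', sy-dbcnt.
  ELSE.
    WRITE / 'Test run: nothing deleted.'.
  ENDIF.
```

Run it with the test flag set first and keep the output list as a record of what was removed.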
Maintenance view on DEVACCESS
An alternative solution is to create a maintenance view on table DEVACCESS. This will require a one-off modification key. Then you can delete and insert developer keys via the normal SM30 table maintenance transaction.
Developer key hack
The developer keys are not safe, so don’t rely on them. See this blog.
S4HANA
S4HANA does not have the developer key principle at all any more. You can delete all keys in S4HANA. Read more in this blog.
Hi,
Why not create a maintenance view on DEVACCESS and generate a table maintenance dialog for it?
This would seem a more organized way of managing your developer keys.
Btw, it seems SAP is leaving the concept of developer keys in S4HANA, I’ve been told.
kr
Marcel
Hi Marcel,
That is indeed another option.
S4HANA is without development keys and without object keys. ANY developer can edit standard SAP if authorized.
See blog: http://saptechnicalguru.com/developer-keys-hack/ and then the subsection on S4HANA.
hi
What about visibility of developer keys in SAP systems? Should this also be limited to intended roles and users only?
I imagine a person could easily read, note and store the developer key offline and later abuse it?
(but nowhere is this described as a risk)
A developer key can indeed be stored for later “re-use”. The only way to avoid it:
1. Don’t hand out the developer key
2. If a new developer comes, you call off the key and manually insert it into DEVACCESS table
3. From authorisation perspective you shield off the DEVACCESS table
Even that is not 100% proof. A developer can always write a simple program to read from DEVACCESS table to obtain the key….
Or he can use the keygen…
Abuse prevention: delete the ABAP user after he leaves. And the best prevention: upon selecting resources take ABAP senior developers that are always long on projects and don’t have any problems in their private life. And treat ABAP developers nicely always: during hiring, during work, and during the finishing and leaving. Most misuse has a trigger (need of money due to private circumstances, or revenge for being treated badly). Don’t provide the trigger.