Can you do bad things with Debug permission? Be careful. Your every move is on the system

Happy New Year everyone! Jerry: Good health and a happy Year of the Rat!

This is the first article in the year of the Rat and the 200th original article on Wang Zixi’s official account.

Yesterday Jerry had the weakest New Year’s Eve in his life at home. In response to the call of the government and experts, we did not visit relatives and friends, stayed at home, with relatives and code, and spent a peaceful New Year’s Eve.

The so-called “ordinary light is a blessing”, let us pray together, looking forward to the early end of this disaster for all mankind.

Jerry had also read articles on how to bypass SAP’s standard permission checking “tricks” with ABAP single-step debugging, such as changing the return value of the AUTHORITY CHECK statement sy-subrc in the debugger, or simply using the “jump to a certain statement” function in the debugger. Bypass permission checking statements directly.

Although in SAP production system, by convention, common business users would never have debugging permissions, let alone to modify the value of a variable in the debugger, but if it is in the development system, directly modify the values of variables in the debugger, or skip some of the execution of the statement, really can not be found?

The answer is no.

Here’s an example:

I changed the value of the variable from 12 to 123 in the ABAP debugger and press Enter to make the change take effect.

Then transaction code SM21, open the system log viewing tool:

I’ve just changed the value of a variable in the ABAP debugger:

Try again in the ABAP debugger, using “Goto Statement” to skip some statements:

This behavior is also well documented in the system logs, even as I jump from line to line of ABAP code.

The Terminal field is the Terminal MACHINE ID used by the user who performed the statement jump in the debugger. Each machine connected to the ABAP Netweaver server has a unique Terminal ID.

Where are these system log files stored?

In the Component Trace panel, click on Display Components to selectively view certain types of system logs:

/usr/ SAP/ag3/d56 = /usr/ SAP/ag3/d56 = /usr/ SAP/ag3/d56 = /usr/ SAP/ag3/d56

Use transaction code AL11 to follow this path and find these system log files in the work subdirectory:

Ordinary ABAP users do not have access to the operating system and cannot write to these system log files.

In short, whenever you step around some permission check or perform some other dangerous operation, the action is immediately recorded in the system log and ordinary users cannot delete the log file.

The authority control system of SAP system is very perfect. When you find that you lack the execution authority limit of a certain transaction in actual work, please solve the problem according to the standard process of AUTHORITY control of SAP. Bypassing permission checks through ABAP single-step debugging is not SAP’s recommended solution in any case. Even if you want to do this on your system, think twice.

Thanks for reading and happy Chinese New Year to you all.

For more of Jerry’s original articles, please follow the public account “Wang Zixi “: