SAP developers require two things before they can actually do development work in SAP: the right authorizations and a developer access key. As with everything else in SAP, when a developer tries to execute a transaction, she will need the required authorizations in her profiles. In addition, she needs to be assigned a developer access key. The authorizations can be checked in the user master records, while the developer access key can be checked using table DEVACCESS. Table DEVACCESS shows the user ID and the developer key assigned to that user ID. You should only expect to see the names of developers in this table.
But what happens when the entry for a developer is deleted in the DEVACCESS table but the developer continues to use the same user ID? The answer is that the developer can still use the old developer access key.
The reason: the developer access key is nothing but the result of an algorithm based on the system number, the SID and some other system values (SAP does not reveal the information). The developer access key is validated by SAP using a kernel-level C system program, 'CHECK_DEVELOPER_KEY'. So, even if the developer access key has been deleted for a user ID in the DEVACCESS table, she can still use the same developer access key.
So the control should be to:
1. If the developer still works in the company and only the job role has changed, remove the developer authorizations in the user master records.
2. You may also want to assign a new user ID with the required access instead of using the existing user ID - just in case she gets the authorizations by mistake!
One more suggestion: turn on table logging for table DEVACCESS so that all changes can be reviewed.
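The controls above can be checked from exports, as in this added example (not part of the original post): it flags users whose DEVACCESS row was deleted while developer authorizations remain in the user master. The CSV layouts, operation codes, user IDs and the approved-developer roster are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions
# about how the tables were exported to CSV.
DEVACCESS_CSV = """UNAME,ACCESSKEY
DEV_ANNA,REDACTED
DEV_RAVI,REDACTED
"""
# Constructed change-log export for DEVACCESS (requires table logging).
# OPERATION: I = insert, D = delete (assumed export convention).
CHANGELOG_CSV = """DATE,CHANGED_BY,OPERATION,UNAME
2024-03-01,BASIS_01,D,DEV_MIKE
2024-03-04,BASIS_01,D,DEV_LISA
2024-03-09,BASIS_02,I,DEV_RAVI
"""
# Constructed: user IDs whose user master still carries developer
# authorizations, and the roster of people approved to develop.
DEV_AUTH_USERS = {"DEV_ANNA", "DEV_RAVI", "DEV_MIKE"}
APPROVED_DEVELOPERS = {"DEV_ANNA", "DEV_RAVI"}


def rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(devaccess_csv, changelog_csv, dev_auth_users, approved):
    in_table = {r["UNAME"] for r in rows(devaccess_csv)}
    findings = []
    # A deleted DEVACCESS row does not invalidate the key, so a user whose
    # row was deleted but who kept developer authorizations can still develop.
    for r in rows(changelog_csv):
        user = r["UNAME"]
        if r["OPERATION"] == "D" and user not in in_table and user in dev_auth_users:
            findings.append(("KEY_DELETED_AUTH_REMAINS", user, r["DATE"], r["CHANGED_BY"]))
    # Only developers are expected in DEVACCESS.
    for user in sorted(in_table - approved):
        findings.append(("UNEXPECTED_DEVACCESS_ENTRY", user, "", ""))
    # Developer authorizations held by someone not on the approved roster.
    for user in sorted(dev_auth_users - approved):
        findings.append(("AUTH_WITHOUT_APPROVAL", user, "", ""))
    return findings


if __name__ == "__main__":
    for finding in audit(DEVACCESS_CSV, CHANGELOG_CSV, DEV_AUTH_USERS, APPROVED_DEVELOPERS):
        print(*finding)
```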
This is a great post. Thanks. This confirms everything else I have read and experienced.
Thanks ....
How do create a user with Developer Access Key?
Hi Clarence,
Sorry for the late reply.
The Developer Access Key can be obtained from the SAP Service Marketplace. Once you have the key and you attempt to make a change (let's say using SE38), SAP will prompt you to provide your key. Once you have entered the key, SAP will keep it and match it against your user ID. You will never be prompted for the key again in the same system. Trust this explains.
Would it be correct to say that the DEVACCESS table would only be populated when the developer attempts to create or change objects in a particular system?
In other words, if the developer is provided a dev access key from SAP's service market place and the user does NOT attempt to create or change objects on the dev instance, this user would not have an entry in the devaccess table- am I correct?