Scenario: Access to the debugger (“/H”) in SAP could give a user the ability to circumvent authorisation checks and to access or modify data.
You need to restrict or remove access to the debugger in the SAP roles.
The S_DEVELOP authorisation object controls access to the debugger.
You can locate the roles that contain the S_DEVELOP authorisation object using the SUIM report “Roles by Authorisation Values”.
You should edit all user-assigned roles that contain S_DEVELOP and ensure that the field “Object Type” is set to a range of values that excludes the DEBUG value:
4 to DE
DEVC to Z
Z to $TM
i.e. missing out DEBUG.
NOTE: The above is based on SAP R/3 4.7.
This will prevent access to the debugger.
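One way to check role values for the gap described above, as an added example that is not part of the original note. It assumes rows of (role, field, low, high) have been copied out by hand for S_DEVELOP, that OBJTYPE is the technical name of the “Object Type” field, that values compare in plain ASCII order, and that `*` or a trailing `*` acts as a wildcard; the role names and sample rows are constructed.

```python
# Added example with constructed data; not an SAP API or SAP-supplied code.
# Assumption: values compare in plain ASCII order, and "*" or a trailing "*"
# in a single-value entry acts as a wildcard.
TARGET = "DEBUG"


def value_covers(low, high, target=TARGET):
    """Return True if one low/high entry for Object Type includes target."""
    low, high = low.strip(), high.strip()
    if not high:                          # single value or pattern entry
        if low.endswith("*"):
            return target.startswith(low[:-1])
        return low == target
    return low <= target <= high          # range entry, inclusive on both ends


def roles_granting_debug(rows):
    """rows: iterable of (role, field, low, high). Returns sorted role names
    whose Object Type values include DEBUG."""
    hits = {role for role, field, low, high in rows
            if field == "OBJTYPE" and value_covers(low, high)}
    return sorted(hits)


# Constructed sample rows. Z_DEV_RESTRICTED carries the three ranges
# listed in the note; the other roles are hypothetical counter-examples.
SAMPLE_ROWS = [
    ("Z_DEV_RESTRICTED", "OBJTYPE", "4", "DE"),
    ("Z_DEV_RESTRICTED", "OBJTYPE", "DEVC", "Z"),
    ("Z_DEV_RESTRICTED", "OBJTYPE", "Z", "$TM"),
    ("Z_DEV_FULL", "OBJTYPE", "*", ""),        # full wildcard
    ("Z_DEV_PATTERN", "OBJTYPE", "DE*", ""),   # pattern that matches DEBUG
    ("Z_DEV_WIDE", "OBJTYPE", "A", "PROG"),    # range that spans DEBUG
    ("Z_DEV_FULL", "ACTVT", "03", ""),         # other field, ignored
]

if __name__ == "__main__":
    for role in roles_granting_debug(SAMPLE_ROWS):
        print(f"{role}: Object Type values include {TARGET}")
```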