This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

HowTo: Restrict and remove DEBUG from SAP Roles

Scenario: Access to the debugger (“/H”) in SAP can give a user the capability to circumvent authorisation checks, allowing access to data or modification of data.
You need to restrict or remove access to the debugger in the SAP roles.

The S_DEVELOP authorisation object controls access to the debugger.
You can locate the roles that contain the S_DEVELOP authorisation object using the SUIM report “Roles by Authorisation Values”.

You should edit all user-assigned roles that contain S_DEVELOP and ensure that the field “Object Type” is set to a range of values that excludes the DEBUG value:

4 to DE
Z to $TM

i.e. missing out DEBUG.

NOTE: The above is based on SAP R/3 4.7.

This will prevent access to the debugger.
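
To confirm afterwards that no role still admits DEBUG, the check below is an added example (not part of the original post) that scans exported role authorisation values for S_DEVELOP "Object Type" entries covering DEBUG. It assumes a CSV export with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (as found in table AGR_1251), a trailing "*" as the only wildcard, and plain character-by-character ordering for ranges; the role names and rows are constructed sample data.

```python
import csv
import io

# Constructed sample export; the column layout is an assumption (see lead-in).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_DEV_FULL,S_DEVELOP,OBJTYPE,*,
Z_DEV_RANGE,S_DEVELOP,OBJTYPE,A,Z
Z_DEV_PATTERN,S_DEVELOP,OBJTYPE,DEB*,
Z_DEV_EXPLICIT,S_DEVELOP,OBJTYPE,DEBUG,
Z_DEV_RESTRICTED,S_DEVELOP,OBJTYPE,4,DE
Z_DEV_RESTRICTED,S_DEVELOP,OBJTYPE,Z,$TM
Z_DEV_RESTRICTED,S_DEVELOP,ACTVT,03,
Z_OTHER,S_TCODE,TCD,SE38,
"""


def value_allows(low, high, target="DEBUG"):
    """Return True if one authorisation entry (value, pattern or range) covers target."""
    low, high = low.strip(), high.strip()
    if high:
        # Range entry. Assumption: plain string ordering, so "DE" < "DEBUG".
        return low <= target <= high
    if low.endswith("*"):
        # Pattern entry: a trailing "*" matches any suffix ("*" alone matches all).
        return target.startswith(low[:-1])
    # Single value entry: must match exactly.
    return low == target


def roles_allowing_debug(export_text):
    """Return the sorted role names whose S_DEVELOP OBJTYPE values admit DEBUG."""
    flagged = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only the "Object Type" field of S_DEVELOP is relevant here.
        if row["OBJECT"] != "S_DEVELOP" or row["FIELD"] != "OBJTYPE":
            continue
        if value_allows(row["LOW"], row["HIGH"]):
            flagged.add(row["AGR_NAME"])
    return sorted(flagged)


if __name__ == "__main__":
    for role in roles_allowing_debug(SAMPLE_EXPORT):
        print("DEBUG still permitted in role:", role)
```

Only the four unrestricted sample roles are reported; the role holding the two ranges from this post is not.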