Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Unexpected Party in Production

  • Font size: Larger Smaller
  • Hits: 5511
  • Print

IT activities in most enterprises fall under internal rules and regulations. Transferring objects to the production environment or creating them – is no different. Companies usually have a process for transferring T-Codes into the production environment or creating new user queries in the global queries area. Such a process begins with creating the object in the development system according to a design case; followed by testing it in the development system, transferring it to QA, running tests, getting approval from the user and finally transferring it to production. Quite a straightforward process, and in most cases works well.

iStock 000009783079XSmall


Why only in most cases?

Because there are always exceptions. For example, a programmer decides to test a new functionality for reading data more efficiently from large tables. So the programmer creates a new T-Code and program in development (called Z_TEST). Unfortunately there isn’t enough data in any table in development, so the programmer transfers it to QA, only to discover that it was refreshed yesterday and there isn’t enough data there either. If you’re guessing that by now the T-Code is on its way to production, you are correct. Since the test is not documented or related to an actual task, the programmer can’t (or won’t) request a transfer “by the book” and instead just transfers the T-Code to production without any help.

The sad truth about temporary programs in production

If you’re thinking to yourself that you don’t have these types of objects in production, then think again. Even in a standard SAP® system there are temporary objects that were passed to production accidently. I’m sure your company has some too. Objects like T-Codes, programs, functions, queries and even temporary user accounts, which are created just for the purpose of testing something, end up staying forever in the production environment and exposing organizations to risk of misuse. A random search at some of our clients showed that these objects can really be dangerous (examples: directly delete rows in standard SAP tables, get all invoice amounts, backup user for the administrator with full authorizations, etc.).

So what can you do other than hope everyone obeys regulations and follows rules? You should implement an alerting system that notifies you about new objects “appearing” in production: new T-Codes, new programs, new user accounts, etc.  A truly sophisticated alerting system will know when to avoid sending alerts, such as in the case where objects passed through the normal workflow process of development-to-production.

In addition to immediate alerts, a weekly report sent directly to your mailbox with a summary of all new objects in production this week is highly recommended. Such a summary should be crystal clear – also to managers – so that the development department can approve it and the security department can verify that regulations have been kept.

Don’t get me wrong, setting good workflow procedures and thus having to deal with less surprises, is the right thing to do, however controlling surprises in the production environment must be done too. 

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Pay (Only) As You Use

Pay (only) as you use – innovative approach? Indeed (although we have already recommended a similar approach in SAP licensing by concurrent users, suggesting that companies pay only for the licenses they really need). I am a big believer in SAP® and also in methods that enable enterprises to be...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Dror Aviv

SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit

    37 inShare (This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots). When it comes to SAP audit time, audi...
in Security & AuthorizationsPosted by Dror Aviv

Take Your Hands off of SAP T-Code SU01!

In many organizations, the access to the sensitive SAP T-Code SU01 is much wider than needed. Let's explore why.

in Security & AuthorizationsPosted by Yoav Michaeli

The Adventures of a Bored Programmer

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India