Rule Definition
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, or changing access rights.
Remediation
The additions "USING CLIENT" and "CLIENT SPECIFIED" should not be used in OpenSQL. Without them, OpenSQL handles the client implicitly: the database interface restricts every statement to the client the user logged on to (sy-mandt), so the program cannot read or change data of another client. The following skeleton shows how OpenSQL is generally written so that this implicit automatic client handling applies.
SELECT ...
FROM dbtab
WHERE ...
INTO ...
Violation Code Sample
OpenSQL statements with the USING CLIENT or CLIENT SPECIFIED addition.
This program lets the user choose the client ID and then reads customer data from that client, so a user can access customer data in any client.
DATA client TYPE sy-mandt.
" Defaults to the logon client, but the next line lets the user overwrite it.
client = sy-mandt.
cl_demo_input=>request( CHANGING field = client ).
" USING CLIENT: the client is taken from the user-supplied variable.
SELECT *
  FROM scustom USING CLIENT @client
  INTO TABLE @DATA(customers1).
cl_demo_output=>display( customers1 ).
" CLIENT SPECIFIED: implicit client handling is switched off and the
" client column mandt is compared against the user-supplied value.
SELECT *
  FROM scustom CLIENT SPECIFIED
  WHERE mandt = @client
  INTO TABLE @DATA(customers2).
cl_demo_output=>display( customers2 ).
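The violation sample above rewritten with implicit client handling, as an added example that is not part of the CAST rule page or of SAP's demo code. It keeps a user prompt, but the prompted value is now a customer number rather than a client ID, so the client column mandt is never under the user's control; the field name scustom-id and the variable names are assumptions.

```abap
" Added example (not CAST's or SAP's code): the same customer query without
" USING CLIENT and without CLIENT SPECIFIED. The database interface adds the
" condition on the client column for the logon client (sy-mandt) itself.

" The only user-controlled input is a customer number (field assumed: scustom-id).
DATA customer_id TYPE scustom-id.
cl_demo_input=>request( CHANGING field = customer_id ).

" Read all customers of the current client: no client addition, no mandt in WHERE.
SELECT *
  FROM scustom
  INTO TABLE @DATA(customers_all).
cl_demo_output=>display( customers_all ).

" Read one customer of the current client. The WHERE clause filters on the
" business key only; the client restriction is still applied implicitly.
SELECT *
  FROM scustom
  WHERE id = @customer_id
  INTO TABLE @DATA(customers_one).
cl_demo_output=>display( customers_one ).
```

A quick self-check before running the CAST analysis is a code search for the tokens USING CLIENT and CLIENT SPECIFIED; each hit should either be removed, as above, or be a system-client administrative program whose purpose genuinely requires cross-client access.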
Reference
https://www.se80.co.uk/dataelements/s/syma/symandt.htm
Note:
sy-mandt: Client ID used by the current user to log on, for example "401" or "800".
client: Organizational unit in Application Server (AS) ABAP. For each logon to AS ABAP, a client ID must be specified. This ID enables a logon to a specific client. The various clients in an AS ABAP have separate user master records and separate authorizations. Client-specific data is split by the client column in application tables. Application programs generally run in application clients. There is also a system client for performing system-specific or administrative tasks.
Related Technologies
Technical Criterion
Secure Coding - Weak Security Features
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.