OS commands

In some cases OS commands might be needed to perform maintenance work. It can also be misused by hackers.

Questions that will be answered in this call are:

  • How to fire OS commands via SM49 or SM69?
  • How to fire OS command via program RSBDCOS0?

OS commands via SM49 and SM69

OS commands can be defined and executed using transaction SM49 or SM69:

You can use the SAP standard commands and define your own Z commands.

Issues with external commands? Read OSS note 1328083 – An external command behaves differently than expected.

OS command via ABAP program RSBDCOS0

There is also an ABAP program to fire external commands: RSBDCOS0. OSS note for this program: 2443193 – Report RSBDCOS0 – Execute OS command from SAP GUI.

Start the program and enter the command (in this case ls command):

Output is shown:

The action is registered in the SM21 system log:

SAP Activate methodology for S4HANA implementations

In the past there was the RunSAP implementation methodology. This is now succeeded with the SAP Activate methodology. The most important one is the S4HANA implementation.

You can go to the methodology using this link.

The roadmap now opens:

The methodology is split into several phases:

  • Discover
  • Prepare
  • Explore
  • Realize
  • Deploy
  • Run

The method is focusing more on using out-of-the-box SAP software and focused on Agile/Scrum way of implementing S4HANA.

On the tab content you can find useful content per phase:

And accelerators per phase:

Keep in mind the method is focusing on green field implementation. Nevertheless you can still use the content and accelerators in your own projects.

SQL commands via ST04

Via ST04 SQL commands, an administrator, or hacker can fire any SQL statement provided he has the authorizations.

Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.

Firing SQL command via ST04

Start transaction ST04 and open the SQL editor in the Diagnostics section:

Now enter your SQL statement and press execute.

Result is shown:

How to avoid this?

If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.

Note that the SQL is fired using the SAP user of the system, not the ABAP user logged on.