Call transaction security

An ABAP developer can call another transaction from a custom-built program or transaction. This can be very helpful for certain user requirements and saves the end user time when the system jumps from one transaction to the next logical one.

Example

For authorization this can be a bit messy.
What, for example, will happen with this coding:

CALL TRANSACTION 'SU01'.

Will the SU01 transaction now be called successfully or not?

SE97 TCDCOUPLES

Suppose the user does not have rights to call SU01. The coding is still trying to go to this transaction.

Depending on the value of system parameter auth/check/calltransaction one of three things happens:

  • No check at all: S_TCODE is not checked for the called transaction
  • A check driven by table TCDCOUPLES, where a missing or undetermined entry means no check (not strict)
  • A check driven by table TCDCOUPLES, where a missing or undetermined entry means the check is performed (strict)

Table TCDCOUPLES links the calling transaction to the called transaction and determines whether the transaction authorization for the called transaction is required or not.

But what if there is no entry, or the entry in TCDCOUPLES is undetermined? Then the value of parameter auth/check/calltransaction decides whether the missing information is treated strictly (check) or not strictly (no check).

Entries in table TCDCOUPLES are maintained via transaction SE97:

Standard SAP example output:

Formal OSS note of SE97: 358122 – Description of functions of transaction SE97.

Updating TCDCOUPLES is a lot of work and no longer SAP best practice. See this SAP blog.

Correct way of coding

The correct way of coding is simpler: always indicate that the authority check is mandatory:

CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.

In this way the coding forces the check independent of the system parameter and entries in TCDCOUPLES.

Finding incorrectly coded CALL TRANSACTION statements

The fastest way of finding incorrectly coded CALL TRANSACTION statements is by running the SAP CVA (Code Vulnerability Analysis) tool. This tool scans for CALL TRANSACTION statements with missing authority checks. It also scans for other variations, like dynamic use of CALL TRANSACTION.

Alternatively you can use CODE_SCANNER (see blog on usage) with this special input:

Basically you tell the program to look for any program that contains CALL TRANSACTION but does not contain WITH AUTHORITY-CHECK. Realize that this search works per program and can miss programs with 2 calls (1 correct and 1 incorrect). The CVA tool will not miss this case.
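To show why a program-level search like the CODE_SCANNER input above can miss a program that mixes a correct and an incorrect call, here is an added Python example. It is not part of the original page and it is not the CVA or CODE_SCANNER tool; it strips ABAP comments, splits the source into statements and classifies every CALL TRANSACTION statement on its own. The sample programs are constructed for this example, and the simplified handling of comments and string literals is an assumption that is good enough for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample ABAP programs (not from the original page) used as scanner input.
SAMPLE_SOURCES = {
    "ZPROG_MIXED": (
        "REPORT zprog_mixed.\n"
        "* The next call relies on auth/check/calltransaction and TCDCOUPLES.\n"
        "CALL TRANSACTION 'SU01'.  \" jump to user maintenance\n"
        "CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.\n"
    ),
    "ZPROG_DYNAMIC": (
        "REPORT zprog_dynamic.\n"
        "DATA lv_tcode TYPE sy-tcode.\n"
        "lv_tcode = 'SU01'.\n"
        "CALL TRANSACTION lv_tcode AND SKIP FIRST SCREEN.\n"
    ),
    "ZPROG_EXPLICIT": (
        "REPORT zprog_explicit.\n"
        "CALL TRANSACTION 'SE16' WITHOUT AUTHORITY-CHECK.\n"
    ),
    "ZPROG_OK": (
        "REPORT zprog_ok.\n"
        "\" A literal containing a period and the keywords must not fool the scanner.\n"
        "WRITE 'CALL TRANSACTION. is only text here'.\n"
        "CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.\n"
    ),
}

CALL_TA = re.compile(r"^CALL\s+TRANSACTION\s+(\S+)(.*)$", re.IGNORECASE | re.DOTALL)
WITH_CHECK = re.compile(r"\bWITH\s+AUTHORITY-CHECK\b", re.IGNORECASE)
WITHOUT_CHECK = re.compile(r"\bWITHOUT\s+AUTHORITY-CHECK\b", re.IGNORECASE)


@dataclass
class Finding:
    program: str
    statement: str
    tcode: str    # literal transaction code, or "<dynamic:var>" for a variable operand
    verdict: str  # "secure", "parameter-dependent" or "explicitly-unchecked"


def strip_comments(source: str) -> str:
    """Drop full-line (* in column 1) and inline (") ABAP comments, honouring literals."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        quote = None
        for i, ch in enumerate(line):
            if quote:
                if ch == quote:
                    quote = None
            elif ch in ("'", "`"):
                quote = ch
            elif ch == '"':  # comment start outside a literal
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)


def split_statements(source: str) -> list:
    """Split on the statement terminator '.', ignoring periods inside literals."""
    statements, buf, quote = [], [], None
    for ch in source:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", "`"):
            quote = ch
            buf.append(ch)
        elif ch == ".":
            stmt = " ".join("".join(buf).split())  # collapse line breaks and spaces
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
    return statements


def classify(program: str, stmt: str):
    """Return a Finding for a CALL TRANSACTION statement, or None for anything else."""
    m = CALL_TA.match(stmt)
    if not m:
        return None
    operand, rest = m.group(1), m.group(2)
    tcode = operand.strip("'`").upper() if operand[0] in "'`" else f"<dynamic:{operand}>"
    if WITH_CHECK.search(rest):
        verdict = "secure"
    elif WITHOUT_CHECK.search(rest):
        verdict = "explicitly-unchecked"
    else:
        verdict = "parameter-dependent"  # outcome decided by auth/check/calltransaction
    return Finding(program, stmt, tcode, verdict)


def scan_program(program: str, source: str) -> list:
    """Classify every CALL TRANSACTION statement in one program individually."""
    findings = (classify(program, s) for s in split_statements(strip_comments(source)))
    return [f for f in findings if f is not None]


def insecure_calls(program: str, source: str) -> list:
    return [f for f in scan_program(program, source) if f.verdict != "secure"]


def naive_program_level_check(source: str) -> bool:
    """Mimics the per-program search: flagged only if the whole program lacks the clause."""
    up = source.upper()
    return "CALL TRANSACTION" in up and "WITH AUTHORITY-CHECK" not in up


if __name__ == "__main__":
    for name, src in SAMPLE_SOURCES.items():
        print(f"{name}: program-level flagged={naive_program_level_check(src)}")
        for f in insecure_calls(name, src):
            print(f"  {f.verdict:22} {f.tcode:20} {f.statement}")
```

Running it shows the caveat from the text: the program-level search does not flag ZPROG_MIXED because the secure clause appears somewhere in the source, while the per-statement scan reports the unchecked CALL TRANSACTION 'SU01' in it. The dynamic variant is reported as well, since the target transaction cannot be known from the source alone.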

LEAVE TO TRANSACTION

You might wonder: what is the situation for the LEAVE TO TRANSACTION statement? That is simpler: LEAVE TO TRANSACTION always checks the user's authorization for object S_TCODE for the target transaction.

Migrate TREX to HANA

If you use SAP TREX for search, you might want to switch it to search on HANA. This can be done with HANA as primary database or as secondary database connection.

If you migrate your main database to HANA, the basic steps are described in OSS note 2054157 – How to migrate Enterprise Search from TREX to SAP HANA. In short: delete the current model, delete the current connection, set up again (see blog).

In case you want to migrate from TREX to HANA search with a HANA database as secondary connection, there are different steps. First setup the secondary database connection. If that works, delete the current model and connection. You can run STC01 task list SAP_ESH_INITIAL_SETUP_WRK_CLIENT. Before executing the task list, tick the box for Set TREX Destination to SAP HANA DB:

Now fill out your details:


Now run the task list. After the task list is done, use ESH_COCKPIT to load the model and the data again.

Bug fix notes

GTS Edition for Hana readiness check

If your company is running SAP GTS (Global Trade Services) it might consider a conversion to GTS, edition for SAP HANA. The HANA edition has a different functional scope than a regular GTS system: some functions might no longer be supported, some might work differently, and new functions might be available.

SAP GTS, edition for SAP HANA: Conversion readiness check

To get the right input for your business, you can run the conversion readiness check. Load OSS note 3033398 – SAP GTS, edition for SAP HANA: Conversion readiness check into your development system and transport it to your productive GTS system. You can already run the tool on development to get an impression, but it must finally be run in production to make sure the data checks are done on the real data.

The note delivers program /SAPSLL/READINESS_CHK_V8000. This program you run in the system. The output is directly a list of items that might require your attention:

OSS note 2973223 – SAP Global Trade Services, edition for SAP HANA: Conversion readiness check – conflict clarification contains extra explanation on the checks.

Unlike most of the other readiness checks, no upload to SAP is required. You just run the check locally.

SE16N_BATCH program

SE16N_BATCH is a very powerful and dangerous program. You can use it to run SE16 queries for large datasets in batch mode and later pick up the results from the spool.

But it can also be misused to fetch data that you are not authorized to see, but that a batch user can see.

Good use

For example you need a lot of records from BSEG:

This might fail online. If you run it in batch mode, you can simply pick up the spool later with the needed data:

Misuse

The program can be used for hacking purposes as well. Suppose you want to get all user password hashes. SE16N for USR02 is blocked for your user. Now run the program in batch, not with your own user but with a batch job user that has rights to read USR02 data. All data is then available in the spool for the hacker. The protection therefore lies not in SE16N_BATCH itself but in who may start it, who may schedule background jobs under another user's name (authorization object S_BTCH_NAM) and who may display other users' spool requests.

Signavio process insights; discovery edition

SAP has acquired Signavio. Signavio provides tools for process insights into SAP ERP systems to help users and the business optimize their processes.

The Signavio product is licensed. To see if the tool is interesting for you, there is an option to run the discovery edition on your productive system. At the time of writing this blog the discovery edition is free of charge, but please check before submitting. The discovery edition gives you the look and feel of the tool, but with limited functions and content.

Installation and preparation

Installation preparation consists of applying the most recent versions of these 2 OSS notes:

Your ST-A/PI version must be 01V –SP0 or higher.

Running the tool and submitting the data

In your productive system (not a copy, not any other system) start program RC_VALUE_DISCOVERY_COLL_DATA and select the 3rd option (SAP Signavio Process Insights, discovery edition):

Run the program in batch and wait for it to finish.

After finishing run the program again and push the Download Analysis Data button. Store the results file on your laptop.

Now you can submit the file and create your request on the SAP Signavio Process Insights discovery site. It will take 5 to 10 business days before you receive the link with the results.

Results of the Signavio discovery edition

The results can be seen on website of SAP Signavio:

Process flows:

And details for process:

Keep in mind that the discovery edition only has limited content. It is meant to give you an idea of the look and feel and to see if the tool is usable for your business users.

Office integration tips & tricks

This blog contains tips and tricks for Microsoft Office integration with SAP applications (mainly SAP GUI). Although SAP is the company backbone for data, many users still love Excel and Word for pre- and post-processing of data.

General integration

Integration of Office with SAP GUI; support and version information can be found in OSS note 722513 – Desktop Office Integration: Maintenance information. For 64-bit versions: 1442028 – SAP GUI for Windows / Desktop Office Integration: Support for Office 64bit editions. Office 365 support: 3301985 – Does SAPGUI For Windows support Microsoft Office 365 MSO?.

Unfortunately most integration is only possible with SAP GUI.

Not possible for ITS and JAVA GUI: 822867 – Desktop Office Integration: No support for ITS & Java GUI.

Not possible for WebGUI: 2717865 – WEBGUI: Office Integration is not supported.

Not possible for FIORI: 3322204 – Microsoft Options are not available in FIORI.

Multiple screens and high resolution

For supporting multiple screens and high resolution for office integration, read this OSS note: 3141383 – SAP GUI Desktop Office Integration: Guidelines for Handle high DPI and DPI scaling in Office applications.

Inplace/outplace

For inplace/outplace, read these notes: 2739132 – Office 365 – Excel and Word do not open in place (Inside SAPGUI Window) for some users when using Windows DPI over 100%,using multiple screens or after an Office update and 3350338 – OfficeIntegration opens Excel/Word outplace instead of inplace (inside SAP GUI).

Security patching of office products

In some cases security patching of Office products causes issues with SAP GUI integration:

Word integration

Specific issue with Word as SAPscript text editor: 2362509 – Performance issue with MS Word SAPscript text editor.

OneDrive limitation

OneDrive usage limitation in combination with SAP GUI: 3280505 – File upload to SAP from OneDrive not working when the file is open.

Transport tips & tricks

This blog is a collection of transport tips & tricks.

Questions that will be answered are:

  • What to do if my transport number range is getting exhausted?
  • How to find objects in transports?
  • How to unlock objects in a transport in an emergency?
  • How to put objects from a different transport into a new transport?
  • How to execute program directly after transport?
  • How to check transport parameters?

Transport number range getting exhausted

If your transport number range gets exhausted, no new transports can be created. To fix this issue run program RSWBO301:

Then acknowledge the new number range proposed.

See also OSS note 2951296 – Transport TR range getting exhausted, which points to OSS notes 1674286 – How to modify CTS transport number range (ABAP) and 106911 – Transport system: number range filled for requests (that explains RSWBO301).

Put objects from a different transport in a new transport

Go to transaction SE10 and select your transport. Then select: Request/task –> Object list –> Include objects –> select other transport or object.

Find object in transport

Report RSWBO040 can be used to find an object inside transport(s):

Bug fix note for this program: 3237476 – Wrong result when searching for sub-objects in requests/tasks (SE03).

Unlock objects from a transport

In some special cases it might be needed to unlock an object from a transport. Be careful with this. Use program RSWBO099 to unlock objects from a transport:

Transporting ODATA

ODATA transports can be a bit messy. Read the FAQ note 2244649 – SAP Netweaver Gateway Odata service transport FAQ.

Transporting in-app extensibility

For transporting FIORI in-app extension read this blog.

Execute program after transport

If you want a program to be executed directly after transport import, edit the transport, add a new object R3TR XPRA (execute program after transport) and fill in the program name in the object.

Most common use case is in transporting Requirements and formulas where it is common to add XPRA action for program RV80HGEN. See this blog.

Checking transport parameters

Start transaction code STMS, select menu Overview / Systems. Now choose a system and select display. On the tab transport tool you can see the transport parameters:

Including customer transports in SUM

You can include customer transports in the SUM procedure. Read more in this dedicated blog.

BRF+ transport issues

For BRF+ transport issues, read this dedicated blog.

Transport sequence and consistency check tool

SAP has a transport sequence and consistency check tool. Read more in this blog.

Information disclosure

Information disclosure is a potential security risk. Most IT software has a way to show the exact software version. This detailed information can be useful for an end user submitting an incident. Or for an administrator to know if certain patching is needed for an IT system.

But the detailed version information can also be used by a hacker to know if the system is vulnerable to some known attack (when the system is not yet patched with the fix).

Hence for IT systems one should be careful and conscious about showing detailed version information: revealing it is called information disclosure.

Known information disclosure items

ABAP System / Status

In ABAP stack, you can reduce the information in System/Status via authorizations. See OSS note 2658772 – System -> Status: Restriction of the available information.

Web administration interface

The web administration interface is a well-known one. To learn how to solve it, read this blog.

Information disclosure security notes

Every month SAP releases security notes (see blog). For SAP systems that are internet facing (like portals, NetWeaver Gateways, PI systems), check and apply the information disclosure notes as soon as possible. For the other systems, apply them at your normal security patch cycle speed.

Table AQLDB clean up

Table AQLDB is used for storing data of SAP Queries created via SQ01. Cleaning this up can be a tricky job.

Deletion of old query data

Deletion of old SAP query data is performed via program RSAQQLRE_MASS:

Background OSS note: 2336268 – SQ01: Reorganization of saved lists.

In case of inconsistencies, install program Z_INCONSISTENT_SAVED_LISTS from OSS note 2173291 – Saved List cannot be deleted by program RSAQQLRE.

Clean up of generated programs

Program RSAQDEL0 can be used to clean up generated query program data:

System queries, generated programs and obsolete programs can be cleaned up.

Background notes:

Data archiving: material ledger data

This blog will explain how to archive material ledger data via object CO_ML_DAT. Generic technical setup must have been executed already, and is explained in this blog.

Object CO_ML_DAT

Go to transaction SARA and select object CO_ML_DAT.

Dependency schedule:

Main tables that are archived:

  • CKMLCR (material ledger data)
  • CKMLPP (period totals)

Technical programs and OSS notes

Write program: SAPRCKMN_NEU

Delete program: SAPRCKMO_NEU

Read from archive: SAPRCKMP_NEU_LESEN

Reload program: SAPRCKMP_NEU_RUECKLADEN

Relevant OSS notes:

Application specific customizing

Archiving object CO_ML_DAT has no specific customizing. Retention period is set on the write program screen.

Executing the write run and delete run

In transaction SARA, CO_ML_DAT select the write run:

Select your data, save the variant and start the archiving write run.

After the write run is done, check the logs. CO_ML_DAT archiving has high speed, and high percentage of archiving (up to 100%).

Provide a good name for the archive file for later use!

Deletion run is standard by selecting the archive file and starting the deletion run.

Data retrieval

Data retrieval is via program SAPRCKMP_NEU_LESEN. But the retrieval has no proper selection, and the output is hard to read.