Category: ABAP

abap

Call transaction security

An ABAP developer can call a different transaction from a custom build program or transaction. This can be very helpful for certain user requirements and can save an end user time when the system is helping him with jumping from one transaction to the next logical transaction.

Example

For authorization this can be a bit messy.
What for example will happen with this coding:

CALL TRANSACTION 'SU01'.

Will the SU01 transaction now be called successfully or not?

SE97 TCDCOUPLES

Suppose the user does not have rights to call SU01. The coding is still trying to go to this transaction.

Depending on the value of system parameter auth/check/calltransaction a couple of things can happen:

  • No check
  • Always check
  • Lookup if check is needed in table TCDCOUPLES

Table TCDCOUPLES links the calling transaction to the jumped to transaction and determines if the transaction authorization for the new transaction is required or not.

But what in case there is no entry or the entry in TCDCOUPLES is vague? Then it again determines on the value of parameter auth/check/calltransaction to be strict or not strict.

Entries in table TCDCOUPLES are maintained via transaction SE97:

Standard SAP example output:

Formal OSS note of SE97: 358122 – Description of functions of transaction SE97.

Updating TCDCOUPLES is a lot of work and no longer SAP best practice. See this SAP blog.

Correct way of coding

The correct way of coding is more simple: always indicate that the authority check is mandatory:

CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.

In this way the coding forces the check independent of the system parameter and entries in TCDCOUPLES.

Finding incorrectly coded CALL TRANSACTIONS

The fastest way of finding incorrectly coded call transactions is by running the SAP CVA (code vulnerability analysis) tool. This tool scans for CALL TRANSACTIONS with missing authority checks. It also scans for other variations like dynamic use of CALL TRANSCATION.

Alternatively you can use CODE_SCANNER (see blog on usage) with this special input:

Basically you tell the program to look for any program with CALL TRANSACTION and not having WITH AUTHORITY-CHECK in it. Do realize it can potentially miss programs in case there are 2 calls (1 correct and 1 incorrect). The CVA tool will not miss this case.

LEAVE TO TRANSACTION

You might wonder: what is the situation for the LEAVE TO TRANSACTION statement? That is more simple. LEAVE TO TRANSACTION will always check the user rights for object S_TCODE for the transaction.

Report SNIF: search active customer enhancements

Report SNIF can be used to find active customer enhancements like BADI, user exit, BTE event.

To start the report go to transaction SA38, enter report SNIF and execute:

Select the items you want to search for that are implemented and press execute. Wait until the result shows:

Here you can see which exits are active. Double click on a line will jump to the code.

Background OSS notes

Update process debugging

As ABAP developer you sometime need to update a piece of ABAP code that is part of the Update logic. To get debugging done there some more actions are required.

ABAP debugging should only be done by experienced ABAP developers who know the pros and cons of debugging in Update. If you are not experience enough, stop reading and let an experienced person do the job.
Avoid debug and replace and update process debugging in production.

Update process debugging

First set your break point in the Z code or standard code that does the update. If you run the normal transaction, you will notice this break point will not be called.

Now start your normal transaction again. Go to debug mode.

Choose menu Settings and Change debugger profile / Settings:

Select Update Debugging and press Save.

In the main transaction go to the point where you are about to save the data. Before pressing the save button, key in /h for debug. Now press the save button. you jump to debug mode. Press F8 to continue the current session. Wait a few seconds, and the update debug will start now:

The update debug starts now. Now you can debug the ABAP logic used in the UPDATE task. Please notice in the debug screen you see you are doing the UPDATE process debug on top of the screen.

If you have set breakpoints before in the correct code then these are now active.

SAP reference OSS notes

Write system log entries from custom ABAP

For some specific requirements (like system monitoring) you might need to write entries into the ABAP system log (transaction SM21).

Preparation

In SE92 (see this blog) create a new message for the system log. It is best to create your own Z message code in stead of re-using standard SAP.

Writing to system log

OSS note 5462 – Writing SysLog entries from within ABAP/4 programs explains 2 methods, for which using function module RSLG_WRITE_SYSLOG_ENTRY is the preferred one.

Program RSLG0014 can be used to test the writing and basis for code re-use:

DWDM: Enjoy demo center

The enjoy controls are old, but still much in use.

If you need to re-use and idea and code, you can use transaction DWDM: the Enjoy Demo Center.

Double clicking program name will show the ABAP code on the right.

Double clicking on the title will give you the output of the example code.

The HTML control as WWW browser can be used to test the internet connectivity from your SAP server to internet.

Some developers might have restrictions on their laptop and use this program to browse....

ABAP escape functions

The escape function is used in IT systems to indicate a real value of a character in stead of the control function of the character. Example is the < character which means smaller than, but in HTML is also a control character. For more background read wikipedia.

In ABAP code you sometimes need to set a URL with these characters, or build a HTML text. Then you really need to use these rules.

Documentation of the Esacpe function in ABAP can be found in this URL.

Example is the following code:

cl_demo_output=>display(
  escape( val    = 'IF a < b.'
          format = cl_abap_format=>e_xml_text ) ).

The result will be IF a &lt; b. < is in xml replaced by escape character &lt;.

Demo program

A full list can be found in ABAP program DEMO_ESCAPE. Start the program and select the type you want to check (do select the Show Differences tick box):

Output is now show for the diverse characters:

ABAP code to call URL

In ABAP code you might need to reach out to a browser.

The code to call a URL is pretty simple:

DATA ld_url(1000).

ld_url = 'https://www.saptechnicalguru.com'.

CALL FUNCTION 'CALL_BROWSER'
  EXPORTING
    url = ld_url.

Simply construct your URL and use function “CALL_BROWSER”.

For a webdynpro to run in browser use this code:

CALL FUNCTION 'WDY_EXECUTE_IN_BROWSER'
   EXPORTING
     application         = 'ESH_SEARCH_RESULTS_UI'
EXCEPTIONS
     invalid_application = 1
     browser_not_started = 2
     action_cancelled    = 3
OTHERS              = 4.
IF sy-subrc <> 0.
  MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4 RAISING execution_error.
ENDIF.

Application ESH_SEARCH_RESULTS_UI is an example here of a web dynpro.

Custom code adjustments for HANA database migration

If you convert ECC to S4HANA you need to execute custom code adjustments for both HANA database migration and for functional application changes. This can be read in this blog and this blog.

If you only want to migrate an existing database to HANA for a netweaver ABAP stack (either standalone or for SAP ECC), you will also need to adjust custom code.

Questions that will be answered in this blog are:

  • Which custom code ABAP changes to I need to perform mandatory for a HANA database migration?
  • Which custom code ABAP changes are highly recommended to perform for a HANA database migration?
  • Which other tools should I use to help to smoothen the HANA database migration?

Mandatory custom ABAP changes for HANA database migration

There are mandatory ABAP changes to be made for HANA database migration. The main ones are:

  • Native SQL statements
  • Use of Database hints
  • Search in pool and cluster tables
  • Use of ADBC interface
  • Search for problematic statements without ORDER BY

The first few will not appear too much and are relatively easy to fix.

The last one: the statements without ORDER BY needs some explanation. Some current custom code might work properly with the current database, since some database will present the data to the ABAP application server in a specific sorted way. When migration to HANA database the HANA database might present the same records to the ABAP application server, but in a different sorting or in a random order. This might lead to issues in further handling in custom code. The solution is to analyze the code and to add explicit sorting as per need of the custom program. To scan the usage in live system, see below chapter on SRTCM.

All these changes can be detected with the SCI variant FUNCTIONAL_DB:

Run this SCI variant via the ATC tool on your custom code:

Wait for the run to finish and go to the results. The best overview is when you click the Statistics View button:

Clicking on an item will drill down to the details.

Performance related coding changes for HANA database migration

The second set of custom code changes is from the performance side. For this set you need to run the ATC tool with SCI variant PERFORMANCE_DB:

The PERFORMANCE_DB variant has 2 main parts: mandatory fixes, good to fix.

The mandatory fix is the unsecure use of SELECT FOR ALL ENTRIES. If this is not properly checked, it might blow up the system:

What happens here? If in the current database the SELECT FOR ALL ENTRIES for whatever reason is not giving results this might be running fine. But on HANA the entire table is read in this case. To scan the usage in live system, see below chapter on SRTCM.

The other part is the performance best practices for HANA:

This ATC run can yield a very long working list:

Where to start? Since even the priority 1 and 2 can yield a very long list.

Use the SQLM and SWLT tools. These tools will help you to prioritize the ATC run result from the PERFORMANCE_DB variant. SQLM will take statistics data from production. You start with the heavy used programs. SWLT will combine the heavy use with the ATC run. The output is the heavy used program which can be improved.

SRTCM tool

The SRTCM tool is specifically designed to scan for 2 main issues: Empty table in FOR ALL ENTRIES clause and Missing ORDER BY or SORT after SELECT. The tool is run on a productive system and will list the actual usage in a productive system.

To switch on start transaction SRTCM and press the Activate Globally button.

Let the tool run, and later Display Results from either running system or snapshot:

Show results;

Clicking on the line will jump to the direct code point.

Note for Oracle as source database: 3209584 – RTM: RTM_PERIODIC_JOB canceled with runtime error SQL_CAUGHT_RABAX (ORACLE).

Functionality issues after HANA database migration

Functional issues after HANA database migration are rare. Some might occur on an ECC system if there are minor bugs or issues in the HANA database optimized routines.

Example OSS notes:

Custom code decommissioning

SAP solution manager offers a custom code decommissioning cockpit tool. This tool you can use to delete unused custom code. Unused code does not need to be migrated, which will save you effort.

SAP references

SREPO: compare multiple sources across systems

SREPO is a tool to compare multiple ABAP code programs across 2 systems.

The background can be found in OSS note 1368474 – System comparison tool SREPO Version 2.0.

Using SREPO tool

Start transaction SREPO. Enter the RFC between the 2 systems and the list of objects to compare:

Then press the button Object Intersection. Result list is a list of programs existing in either one or both the systems:

Select a single program and start the Version Comparison:

Bug notes

3584619 – Incorrect compare result of SREPO for Behavior Definitions

CVA: Code vulnerability analysis

CVA is a licensed SAP tool to scan custom code for potential security issues.

CVA is built in code inspector and analysis is run via the ATC tool.

Questions that will be answered in this blog are:

  • What checks does CVA perform?
  • How to activate CVA?
  • Is CVA licensed?
  • Where to find more information on CVA?

Activating CVA

SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate run program RSLIN_SEC_LICENSE_SETUP:

The activation refers to OSS note 1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc.

Call to SAP: if you really think security is important for your customers and their custom programs, don't ask money for CVA tool, but allow free usage!

Check the bug fix OSS notes below. Apply them before your first run.

Checks in detail

The SAP CVA checks can be seen in SCI variant SLIN_SEC:

And then open the variant and click the information button for details:

A full list of checks can also be found on this SAP blog.

And per netweaver version the checks are listed in OSS note 1921820 – SAP Code Vulnerability Analyzer – support package planning.

Setting up ATC variant and run

Start transaction ATC and press Schedule Run:

First create a new variant and refer to SCI variant SLIN_SEC:

Now schedule the run for your Z code:

The run can take a few hours.

More on ATC set up and running can be found in this blog.

Run results

Start transaction ATC and go to the results part:

Select your run:

The ATC result screen will show, but list can be very long:

Both Z programs and user exits will be shown (starting with S or X).

Press the Statistics View button top right to get a better overview:

The result list is now sorted per security item:

Don't let yourself be impressed by high numbers of the first run. Most issues are in old code: consider clean up. Focus on the priority 1 and priority 2 first. Finetune result set for priority 3 to lower the numbers.

Now you can zoom in to the issue per item by clicking on the line:

The details show the issue: hard coded user name. Clicking on the underlined code name in column Object Name will zoom into the code point to fix:

In this case hard coded break for a user. Fix is easy: delete the line of code.

Remote analysis

It is possible to use ATC remote analysis (see blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation.

Checking license usage

Run program RSLIN_SEC_LICENSE_SETUP to check license usage:

Or run this from transaction SLIN_ADMIN.

SAP reference material

Generic presentation on SAP CVA can be found on this link.

CVA FAQ: follow this link.

CVA full list of checks: follow this link.

CVA as part of CI/CD development pipeline: follow this link.

ABAP code security issues explained: follow this link.

Bug fix and improvement notes

Bug fix and improvement OSS notes: