Some time ago, I posted a small C++ program that decompresses the source code stored in table REPOSRC
(⇒ check this article).
It was never intended to be more than a proof of concept, but since many people showed interest in it (and found bugs), I decided to create a GitHub repository:
It contains the history of my ancient CVS repository (converted thanks to this great how-to).
So… if you find any bugs or want to help improve it — please go there and either create an issue or simply fork it and unleash the developer in you).
Hi authorization admins,
from time to time I get in the mood to clean up one or two SAP systems – and lately I was looking for obsolete roles, which weren't assigned to anybody for ages (e.g. used at least 365 days ago).
While looking around in SUIM and change documents, the developer inside me became more and more delighted – because there is no SAP standard solution for this → time for some R&D. 😛
Here we go:
- Create a new report in SE38 and paste this source code (don't forget to set a program authorization group *cough*).
- There's no need to edit any of the selection texts, as they're defined inside the report…
- Activate & execute the program.
The report allows you to select:
- the role names (all SAP standard roles excluded per default),
- the user who created the role (default exclusion: "SAP") and
- the days since the role's last assignment to any user (default: 180).
The result consists of the following columns:
- Role: … well… the role name
- Creation date: the role's creation date
- Change date: the date of the role's last change
- Removal date: the date of the last removal from a user
- Removed by: the user, who performed the removal
- Role name: the role description
- 3 status indicator fields:
The role type shows, whether it is a single or composite role (using the standard SAP icons).
This icon equals to the traffic light icons on PFCG's "Authorizations" tab (→ green: generated, yellow: action required, red: not generated).
For composite roles this field stays empty (since they have no profile).
SR used in CR:
For single roles, this icon indicates if the role is assigned to a composite role (glowing bulb) or not (dark bulb).
Of course this makes no sense for composite roles – so the field is empty then.
Obsolete / superfluous / unused roles on productive systems should be removed before they get moldy!
😀 Happy Xmas 😀
if you ever wanted to determine the transaction type (dialog, parameter tcode …) and status (locked …), you probably came across table TSTC (where tcodes are defined) and found that this information is encoded in the CINFO field — which contains an old-school hexadecimal value.
So… wtf do those CINFO values mean? Here we go:
|CINFO (hex)||Binary||Type||Locked ?||Auth. object check ?|
|0x00||0000 0000||Dialog transaction||no||no|
|0x04||0000 0100||Dialog transaction||no||yes|
|0x20||0010 0000||Dialog transaction||yes||no|
|0x24||0010 0100||Dialog transaction||yes||yes|
|0x01||0000 0001||Area menu (obsolete)||no||-|
|0x21||0010 0001||Area menu (obsolete)||yes||-|
|0x02||0000 0010||Parameter / variant transaction||no||-|
|0x22||0010 0010||Parameter / variant transaction||yes||-|
|0x08||0000 1000||Object transaction||no||no|
|0x0C||0000 1100||Object transaction||no||yes|
|0x28||0010 1000||Object transaction||yes||no|
|0x2C||0010 1100||Object transaction||yes||yes|
|0x80||1000 0000||Report transaction||no||no|
|0x84||1000 0100||Report transaction||no||yes|
|0xA0||1010 0000||Report transaction||yes||no|
|0xA4||1010 0100||Report transaction||yes||yes|
|0x90||1001 0000||Report transaction with variant||no||no|
|0x94||1001 0100||Report transaction with variant||no||yes|
|0xB0||1011 0000||Report transaction with variant||yes||no|
|0xB4||1011 0100||Report transaction with variant||yes||yes|
|0x05 (invalid)||0000 0101||Area menu (obsolete)||no||-|
|0x06 (invalid)||0000 0110||Object transaction -or-|
|0x44 (invalid)||0100 0100||Dialog transaction||no||yes|
(The CINFO values marked with "invalid" exist, but make no sense… probably because they're relicts created by SAP a long time ago. 😯 )
According to the above, these are the bitmasks for your own program:
|0x00||0000 0000||Dialog transaction|
|0x01||0000 0001||Area menu|
|0x02||0000 0010||Parameter / variant transaction|
|0x08||0000 1000||Object transaction|
|0x80||1000 0000||Report transaction|
|0x90||1001 0000||Report transaction with variant|
|0x04||0000 0100||Flag: Authorization object check ?|
|0x20||0010 0000||Flag: Locked ?|
To get started, either have a look at the report "RSAUDITC_BCE" or try this:
REPORT. TABLES: tstc. * -- Bitmasks DATA: c_auth TYPE x VALUE '04', c_lock TYPE x VALUE '20'. * -- Find all locked transactions SELECT * FROM tstc. CHECK tstc-cinfo O c_lock. WRITE: / tstc-tcode, 'is locked'. ENDSELECT. * -- Find customer transactions w/o authorization check SELECT * FROM tstc WHERE tcode LIKE 'Y%' OR tcode LIKE 'Z%'. CHECK NOT tstc-cinfo O c_auth. WRITE: / tstc-tcode, 'has no authorization check'. ENDSELECT.
did you ever wonder, what's behind the button "Import from file" in PFCG's Menu tab?
Well, it obviously allows you to upload a menu from a file, but expects a special file format: SAP Note 389675 has the details. You won't find this format anywhere in PFCG or elsewhere in your system, so it has to be created by you…
This usually makes the "Import from file" button hard to use and thus unpreferable!
Let's say, you're trying to revise (and minimize) the authorization in a SAP client ex post, i.e. when the system has been in use for some while and nobody took care of proper roles. Moreover some (key-) users might already have created their own favorites, which – hopefully – reflect their tasks in the system.
Wouldn't it be nice to be able to import those user favorites to a role and build adequate authorizations this way? Still there will be much to analyze and adjust — but it might be a good starting point!
A user's favorites are stored in the table SMEN_BUFFC and SMEN_BUFFI (for the various kinds of link targets). So this is the place we'll get the menu data from.
The file format from the above mentioned SAP Note 389675 only supports a subset of all possible favorite types: folders, transaction codes, URLs, Knowledge Warehouse links and custom types (we won't deal with the last-mentioned one).
So in addition to reading and converting the favorites, we'll have to filter out all unsupported types of favorites.
Here's how to create the program that does the work:
- Create a new report in SE38 and paste this source code (don't forget to set a program authorization group).
- In the selection texts, tick "dictionary reference" for all parameters.
- Activate & execute the program.
The selection screen allows you to select:
- the user from whom to read the favorites and
- an optional file to save the data to.
Once started, the report prints the converted favorites on screen and optionally saves it to the specified file.
You might want to customize the report to download the favorites of several users at once — but be aware that you'll have to either save each user's favorites to its own file or deal with duplicate object IDs (and parent IDs and the sort order …)!
If you're interested in role menus, you might want to check the AGR_HIER* tables.
😀 Have fun!
this week, a colleague pointed me to the possibility to hook your own code into SAP GUI downloads via a user-exit. Since downloads are always a big security - and data protection topic, I took a closer look.
Generic download authorization: S_GUI
When downloading data to the frontend, the authorization object S_GUI is checked (with ACTVT 61). This is a very unspecific check, as it does not take the affected data into account – if you have appropriate authorizations, you can download roles, the SFLIGHT table or your colleagues' salary. It's just a client-wide "switch", which either allows or disallows downloads. Many authorization admins don't pay much attention to S_GUI, but rather focus on data access authorization objects. Anyway this is not sufficient, as downloaded data may be passed to third-parties easily or analyzed inappropriately.
SAP offers 2 user-exits to extend download authorization checks:
- SGRPDL00 — User-exit for "normal" SAP GUI downloads
- HRPC0001 — User-exit for HR-specific downloads; logical databases: PNP (HR master data) and PAP (recruitment data)
The first one is called by the GUI_DOWNLOAD function module – i.e. for each and every frontend download, while the second one is HCM-specific. To get started, I decided to inspect SGRPDL00, as this one has the best coverage.
User-exit SGRPDL00: Creation
First of all, we need to create an add-on project via tcode CMOD to implement the user-exit.
Enter the project name "SGRPDL00", click on "Create", enter the project attributes and then go for "Enhancement assignments". When you're prompted to save, say "Yes" (← hard decision) and choose a package ("Local object" is fine, if you're just playing around).
After that, enter "SGRPDL00" as the enhancement name, click on "Components" and double click on the function exit name:
Since you don't want to modify the SAP standard function module, double click on the include ZXFILU01. SAP tries to baffle you with a warning message:
… nice try, but just press Enter and you'll be prompted, whether you'd like to create the include. After ticking "Yes", you can start to implement the code, which will be called during every frontend download.
User-exit SGRPDL00: Implementation
The function module EXIT_SAPLGRAP_001, in which our code runs, provides 2 input parameters:
- IS_LIST_DOWNLOAD — whether the user is downloading a list (Standard list or ALV)
- NO_AUTH_CHECK — whether the GUI_DOWNLOAD function module was asked to not check S_GUI
and allows throwing the exception "NO_AUTHORITY" – which means that the download is forbidden.
Paste this code to get you started, activate it and don't forget to activate the user-exit itself.
The above code is a documented example… you'll for sure want to add your own code there; anyway it demonstrates a bunch of possibilities. One of the most interesting aspects is that it creates an Application Log entry for every download. Although the Security Audit Log provides similar functionality, it's possible to add additional information – the table name for SE16 in the above example code.
Unfortunately, you don't have access to all variables from the calling program… which makes it a bit difficult to add useful information (have a look at how the include gets the table name for SE16). If anybody has a better idea, please tell me.
The user-exit HRPC0001 is specific to HR/HCM and works a bit different. The implementation in include ZXP04U02 does not perform any check itself, but is rather expected to return a report and form name. This form is responsible for the check and may be located within the calling report's context – thus enabling your code to access any global variable therein. This way you can take the HCM-specific context into account to determine whether the download is okay or not.
When copying data to the clipboard, S_GUI is not triggered – SAP Note 997201 provides a solution at the cost of a modification.
- Uploads are not covered.
- Non-GUI downloads are not covered (BEx, Portal, …)
- If you mainly need reliable logging for each and every client, you might want to check the SAP UI Logging solution.