Daniel Berlin on Security IT Audit, SAP security, development… and all the rest

15 Sep 12

Source – ZXFILU01

*&---------------------------------------------------------------------*
*& Include ZXFILU01
*&---------------------------------------------------------------------*
*& Purpose: User-exit implementation for SAP GUI downloads
*& Author : Daniel Berlin
*& Version: 1.0.0
*& License: CC BY 3.0 (http://creativecommons.org/licenses/by/3.0/)
*&---------------------------------------------------------------------*
 
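" Deny flag for this download: space = allowed, 'X' = prevented.
" Typed explicitly; the original untyped DATA is the obsolete form of the
" same thing (implicitly C LENGTH 1).
DATA: lv_deny   TYPE c LENGTH 1 VALUE space.

" Application Log (BAL) work areas: log header, log handle, the single
" message that records the allow/deny decision, and the handle table that
" BAL_DB_SAVE expects.
DATA: ls_log    TYPE bal_s_log,
      lv_handle TYPE balloghndl,
      ls_msg    TYPE bal_s_msg,
      lt_handle TYPE bal_t_logh.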
 
* --- Re-enable the S_GUI authority check when the caller switched it off

" GUI_DOWNLOAD exposes the import parameter NO_AUTH_CHECK; when it is set
" the standard S_GUI check is skipped, so it is repeated here with the
" same activity value (61) the download path uses.
IF no_auth_check IS NOT INITIAL.

  AUTHORITY-CHECK OBJECT 'S_GUI'
    ID 'ACTVT' FIELD '61'.

  " Any non-zero return code means the user may not export via the GUI
  IF sy-subrc IS NOT INITIAL.
    lv_deny = 'X'.
  ENDIF.

ENDIF.
 
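* --- Special handling depending on transaction code

" User group (USR02-CLASS) of the current user, read for table-specific rules
DATA: lv_usergrp TYPE usr02-class.

" NOTE(review): these rules key on SY-TCODE, so they only take effect when
" the transaction itself is the entry point. The same display program
" started another way (e.g. via SE38/SA38, if the user may run it) arrives
" with a different SY-TCODE and is not covered - confirm this is acceptable.
CASE sy-tcode.
  WHEN 'SE16'.              " Transaction SE16

    " SE16 displays a table through a generated program named
    " '/1BCDWB/DB<table>'; offset 10 strips that prefix to get the table
    CASE sy-cprog+10.

      WHEN 'PA0008'.        " Table PA0008 (Infotype 0008 - Basic Pay)

        " Download is only allowed for users in group SUPER.
        " Only the CLASS column is read: a SELECT * would also pull the
        " password hash columns of USR02 into memory for no reason.
        SELECT SINGLE class FROM usr02
          INTO lv_usergrp
          WHERE bname = sy-uname.

        " Fail closed: deny when the user record cannot be read as well
        " as when the group is not SUPER. The user group is ordinary
        " user-master data (SU01), so treat this as a convenience rule,
        " not as a hard authorization boundary.
        IF sy-subrc <> 0 OR lv_usergrp <> 'SUPER'.
          lv_deny = 'X'.
        ENDIF.

      WHEN '...'.           " Table ... (placeholder for further tables)

        " ...

    ENDCASE.

    " Record the table name in the second message placeholder
    CONCATENATE '( table:' sy-cprog+10 ')'
           INTO ls_msg-msgv2 SEPARATED BY space.

  WHEN 'SE16N'.             " Transaction SE16N

    " Prevent any download in SE16N
    lv_deny = 'X'.

  WHEN '...'.               " Transaction ... (placeholder for further tcodes)

    " ...

ENDCASE.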
 
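* --- Create an Application Log entry (for allowed AND prevented downloads)

" Retention of the log in days; after this date SLG2 may delete it
CONSTANTS: lc_retention_days TYPE i VALUE 365.

" Open log and provide header data

ls_log-extnumber  = 'GUI Download'.                         "#EC NOTEXT
ls_log-object     = 'DX'.           " Log object ...
ls_log-subobject  = 'RUN'.          " ... and sub-object: both must exist
                                    " in SLG0 - replace with your own
ls_log-aldate     = sy-datum.
ls_log-altime     = sy-uzeit.
ls_log-aluser     = sy-uname.       " Who attempted the download ...
ls_log-altcode    = sy-tcode.       " ... from which transaction ...
ls_log-alprog     = sy-cprog.       " ... and from which program
ls_log-aldate_del = sy-datum + lc_retention_days.   " Expiry date
" Space = keep the log until its expiry date; 'X' would mark it as
" deletable before expiry (see the documentation of BAL_S_LOG-DEL_BEFORE).
" For an audit trail, keeping it is the safer default.
ls_log-del_before = space.

CALL FUNCTION 'BAL_LOG_CREATE'
  EXPORTING
    i_s_log                 = ls_log
  IMPORTING
    e_log_handle            = lv_handle
  EXCEPTIONS
    log_header_inconsistent = 1
    OTHERS                  = 2.

" Logging is best effort: a failed log creation (e.g. object/sub-object
" not defined in SLG0) must not break the download decision itself, so
" the dependent calls are skipped instead of failing on an initial handle.
" NOTE(review): if your policy is "no audit record, no download", set
" lv_deny in the ELSE case - that is a deliberate choice, not the default.
IF sy-subrc = 0.

  " Create new log entry describing the decision taken above

  IF lv_deny = space.
    ls_msg-msgty     = 'I'.           " Information
    ls_msg-probclass =  4.            " Additional information
    ls_msg-msgv1     = 'Download allowed'.                    "#EC NOTEXT
  ELSE.
    ls_msg-msgty     = 'W'.           " Warning
    ls_msg-probclass =  2.            " Important
    ls_msg-msgv1     = 'Download prevented'.                  "#EC NOTEXT
  ENDIF.

  ls_msg-msgid = 'SGRPDL00'.
  ls_msg-msgno = '000'.

  CALL FUNCTION 'BAL_LOG_MSG_ADD'
    EXPORTING
      i_log_handle     = lv_handle
      i_s_msg          = ls_msg
    EXCEPTIONS
      log_not_found    = 1
      msg_inconsistent = 2
      log_is_full      = 3
      OTHERS           = 4.

  " Save log entry to database.
  " NOTE(review): BAL_DB_SAVE does not COMMIT WORK on its own; the record
  " is persisted with the next commit of the caller's LUW - confirm that
  " a rollback on the deny path cannot discard the audit entry.

  APPEND lv_handle TO lt_handle.

  CALL FUNCTION 'BAL_DB_SAVE'
    EXPORTING
      i_t_log_handle   = lt_handle
    EXCEPTIONS
      log_not_found    = 1
      save_not_allowed = 2
      numbering_error  = 3
      OTHERS           = 4.

ENDIF.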
 
* --- Finally prevent unauthorized downloads

" Raise the exit's NO_AUTHORITY exception for a denied download; the log
" entry has already been written by the time this point is reached.
IF lv_deny IS NOT INITIAL.
  RAISE no_authority.
ENDIF.