
Analysis of Authorisations

Matt_Marples
Participant
0 Kudos

Hi,

I understand that SUIM is available to answer most related security questions, but does anyone know how I could determine which ABAP programs, classes, function modules etc. are reading what infotypes without the need to work through the logic? Is there a table that lists the programs, nested programs and the corresponding tables they read?

4 REPLIES

Former Member
0 Kudos

There is no such table in SAP.

Your next closest bet would be USOBT_C for the S_TABU_* objects, but that is only as good as the proposals for transactions etc. are maintained, and they are notoriously not well maintained, even though they are very powerful to help build roles with exact proposals.


So we solved this ourselves and built a tool which scans the code of the programs, nested programs, classes, methods, function modules, subroutines etc etc... and finds all the existing authority-checks, access to tables and data which require checks, tells you which check is missing, which API to use and whether the corresponding values in USOBT_C are correct for the transactions which can reach that coding location which has or needs a check.

In some cases this might be the S_TABU* objects, but in most it is actually the application object which you need to know the values for (e.g. select of data from BKPF is scanned for a check on F_BKPF_BUK before outputting the results and use of the API instead of hardcoding the check). For infotypes it is actually quite easy as there are nice APIs, but you have to scan the code to see whether they are used...

You get a result which then looks like this...

mvoros
Active Contributor
0 Kudos

Hi,

As Julius mentioned, you have to go through the code. If you don't want to/can't use 3rd party products, then there is a simple approach of using SE11 for a DB table and using the where-used function. The problem here is that you will get some function modules that are used by other programs. So you need to use the where-used function for these function modules and so on. The process is annoying and also does not cover dynamic selects from the tables. It's not bulletproof, but it could give you some idea which programs are accessing particular DB tables. You could also try to use Code Inspector (transaction SCI) for this. There is a class of tests called "Search Functs.". Here you could try to search for ABAP statements that correspond to a select from a DB table.

Cheers
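The repeated where-used walk described above, combined with the code-scanning idea from the earlier reply, as an added example (not code from this thread or from the tool mentioned in it). It assumes the ABAP sources have been exported to text; the program names and sources are constructed, and only static `SELECT ... FROM PAnnnn` statements and `HR_READ_INFOTYPE` calls with a literal `INFTY` are recognised, with table names resolved at runtime reported as `DYNAMIC?`.

```python
import re

# Constructed ABAP sources (not from the thread), keyed by program / function module.
SOURCES = {
    "ZHR_REPORT": """SELECT * FROM pa0008 INTO TABLE lt_pay WHERE pernr = p_pernr.
        CALL FUNCTION 'Z_GET_ADDRESS' EXPORTING pernr = p_pernr.""",
    "Z_GET_ADDRESS": """CALL FUNCTION 'HR_READ_INFOTYPE'
        EXPORTING pernr = pernr infty = '0006' TABLES infty_tab = lt_p0006.""",
    "ZHR_DYNAMIC": "SELECT * FROM (lv_tabname) INTO TABLE lt_any.",
}

# Simplification: statements end at the first period; comment lines are not stripped.
SELECT_RE = re.compile(r"\bSELECT\b[^.]*?\bFROM\s+(\(\s*\w+\s*\)|\w+)", re.I | re.S)
CALL_RE = re.compile(r"\bCALL\s+FUNCTION\s+'(\w+)'([^.]*)\.", re.I | re.S)
INFTY_RE = re.compile(r"\binfty\s*=\s*'(\d{4})'", re.I)

def direct_reads(src):
    """Return (infotypes read in this unit, function modules it calls)."""
    infotypes, calls = set(), set()
    for m in SELECT_RE.finditer(src):
        table = m.group(1).upper()
        if table.startswith("("):
            infotypes.add("DYNAMIC?")        # table name only known at runtime
        elif re.fullmatch(r"PA\d{4}", table):
            infotypes.add(table[2:])         # PA0008 -> infotype 0008
    for m in CALL_RE.finditer(src):
        name, args = m.group(1).upper(), m.group(2)
        if name == "HR_READ_INFOTYPE":
            hit = INFTY_RE.search(args)
            infotypes.add(hit.group(1) if hit else "DYNAMIC?")
        else:
            calls.add(name)
    return infotypes, calls

def reachable_infotypes(sources):
    """For each unit, union the reads of everything it calls, transitively."""
    facts = {u: direct_reads(s) for u, s in sources.items()}
    result = {}
    for unit in facts:
        seen, stack = set(), [unit]
        while stack:
            cur = stack.pop()
            if cur in facts and cur not in seen:   # units without source are skipped
                seen.add(cur)
                stack.extend(facts[cur][1])
        result[unit] = set().union(*(facts[u][0] for u in seen))
    return result

if __name__ == "__main__":
    print(reachable_infotypes(SOURCES))
```

Any unit reported as `DYNAMIC?` still needs manual review, which is the gap in the where-used approach noted above.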

Former Member
0 Kudos

The where-used list is actually a very powerful search tool, but as you mentioned, you cannot reverse engineer a long way as compared to a call-stack explosion from the top of the application start, and you need to know what you are looking for to be able to start in SE11.

I see that SAP is making a lot of progress with the ATC, and as they have control of the programming language, perhaps we will see some nice features in this area within the ABAP Workbench itself. I see from the latest presentations that they are concentrating quite heavily on SQL access -> http://scn.sap.com/docs/DOC-50160

Cheers,

Julius

Matt_Marples
Participant
0 Kudos

Many thanks for your responses; they have been really helpful.