Skip to Content

Analysis of Authorisations

Hi,

I understand that SUIM is available to answer most related security questions, but does anyone know how I could determine which ABAP programs, classes, function modules etc are reading what infotypes without the need to work through the logic. Is there a table that lists the programs, nested programs and the corresponding tables they read?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Jan 08, 2014 at 10:08 PM

    Hi,

    as Julius mentioned you have to go through the code. If you don't want to/can't use 3rd party products then there is a simple approach of using SE11 for a DB table and use Where-used function. The problem here is that you will get some function modules that are used by other programs. So you need to use where used function for these function modules and so on. The process is annoying and also does not cover dynamic selects from the tables. It's not bullet proof but it could give you some idea which programs are accessing particular DB tables. You could also try to use code inspector (transaction SCI) for this. There is a class of tests called "Search Functs.". Here you could try to search for ABAP statements that correspond to select from DB table.

    Cheers

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      The where-used-list is actually a very powerful search tool but as you mentioned you cannot reverse engineer a long way as compared to a call-stack explosion from the top of the application start and you need to know what you are looking for to be able to start in SE11.

      I see that SAP is making a lot of progress with the ATC and as they have control of the programming language perhaps we will see some nice features in this area within the ABAP Workbench itself. I see from the latest presentations that they are concentrating quite heavily on SQL access ->  http://scn.sap.com/docs/DOC-50160

      Cheers,

      Julius

  • avatar image
    Former Member
    Jan 08, 2014 at 07:37 PM

    There is no such table in SAP.

    Your next closest bet would be USOBT_C for object S_TABU_* objects but that is only as good as what the proposals for transactions etc are maintained, and they are notoriously not well maintained, even although they are very powerful to help build roles with exact proposals.


    So we solved this ourselves and built a tool which scans the code of the programs, nested programs, classes, methods, function modules, subroutines etc etc... and finds all the existing authority-checks, access to tables and data which require checks, tells you which check is missing, which API to use and whether the corresponding values in USOBT_C are correct for the transactions which can reach that coding location which has or needs a check.

    In some cases this might be the S_TABU* objects, but in most it is actually the application object which you need to know the values for (e.g. select of data from BKPF is scanned for a check on F_BKPF_BUK before outputting the results and use of the API instead of hardcoding the check). For infotypes it is actually quite easy as there are nice APIs, but you have to scan the code to see whether thy are used...

    You get a result which then looks like this...

    Add comment
    10|10000 characters needed characters exceeded

  • Jan 09, 2014 at 02:08 AM

    Many thanks for you responses, they have been really helpful

    Add comment
    10|10000 characters needed characters exceeded