topic Secure custom developer programs and transactions in Application Development and Automation Discussions

Secure custom developer programs and transactions

Former Member — Sun, 26 Apr 2009 10:29:02 GMT

Hi Guys,

I am given a task in my company to maintain authority check for all costom developed programs and transaction.

In combination TADIR, TRDIR & TSTC i found more then 1000 transactions and 1500 programs custom developed.

So now I am having difficulty in finding authority check at program level for all the custom programs and transactions. I tried to use RSABAPSC but this gives for each program/ transaction.

Can you guys help me to find a best way to get the list for the whol transactions and good approach to complete the task at ace and good way.

Please comment your best practices and approaches for this.

Let me know if you guys need any more information from me to make the above more clear.

Thanks.

Re: Secure custom developer programs and transactions

jurjen_heeck — Sun, 26 Apr 2009 11:08:36 GMT

> I am given a task in my company to maintain authority check for all costom developed programs and transaction.

Are we talking about SU24 or actually coding new checks into the software?

Re: Secure custom developer programs and transactions

Former Member — Sun, 26 Apr 2009 11:14:04 GMT

I first have to check at program level and then after all the programs/transactions are checked at program then I have to maintain the same at SU24 level.

Hope this is what you are looking for.

Thanks....

Re: Secure custom developer programs and transactions

Former Member — Mon, 27 Apr 2009 01:44:27 GMT

Hi Amit,

I beleive we can execute only one Tcode/Program/Report at once.

Re: Secure custom developer programs and transactions

Former Member — Mon, 27 Apr 2009 03:46:14 GMT

Thanks Hari for your reply, but this is not going to help as its going to take me ages to look for one by one. Can someone let me know if anyone have done this task in their companies and if yes please let me know the best and good way to accomplish this task.

Thanks,

Re: Secure custom developer programs and transactions

Former Member — Mon, 27 Apr 2009 04:48:57 GMT

You can use the t code suim -> user-> with complex criteria then go wid objects you are looking for .

it will display allin to the particular object been carried out.

Thx

Shilpa

Re: Secure custom developer programs and transactions

Former Member — Mon, 27 Apr 2009 04:56:05 GMT

Hi Shilpa,

But Amit is not looking for the users list...where as he is looking for list of authorization objects which are part Authority check statements of customized Tcodes.

Probably ABAP programmers would help us here!!!!!

Hari

Re: Secure custom developer programs and transactions

morten_nielsen — Mon, 27 Apr 2009 06:07:54 GMT

Hi Amit

I do not think you will find any relevant standard report/functionality in the SAP System, that could scan your Z-Report and find out if it's correctly secured with authorizations checks. Many of those checks could hide in called functionmodules, Methods etc.

And you still have need to define and check each SAP report for your companies specific security requirement.

With 1000/1500 Z-transactions/reports, my guess is, that a lot of them might be obsolete, never used, temp programs for dataloads etc. So mayby you do not have to focus on all of them, so I think that my approach would be, to try to limit the number of report that I needed to investigate thoroughly, and then take the reports one by one.

The steps involved would be something like:

1. Find out which of your Z-reports/T-codes thats actually used. You should be able to se that in SM20(if you have activated the secure audit log with the correct filters), ST03N etc. Report/T-codes that are not used could be locked in SM01.

2. Investigate the used reports one by one, Check the Source-Code, do an Authorisation trace etc - Remember that if your Z-Report used BAPI and other SAP Standard functionality, Or if i reads from at DATASET etc.. you might not be able to spot the Authority-check statement in your source code

3. Implement and test the relevant and requirered additional authorization check

4. Document in SU24

5. Adjust the roles

And your ready for test.

And yes I know,,, It can be a hugh job, but I do not think that you can find a quick-fix for this.

Regards

Morten Nielsen

Re: Secure custom developer programs and transactions

Former Member — Mon, 27 Apr 2009 09:48:25 GMT

I would recommend first taking to the development co-ordinator or manager to find out whether there is any concept which the developers were meant to adhere to (e.g. program auth groups, checking tcode authority in the coding, using BAPI's, etc).

It might be more possible to scan for exceptions to the development guidelines instead of going through each program manually to start with - take a look at transaction SCI (SAP Code Inspector).

This way you can prioritize to some extent and find conceptual inconsistencies - but ultimately you will need some ABAP knowledge to complete the task and go through each one.

Cheers,

Julius

Re: Secure custom developer programs and transactions

Former Member — Wed, 29 Apr 2009 04:08:10 GMT

Thanks Morten & Julius for your valuable suggestions.

I appreciate for the procedures given to me by Morten, but this is a usual procedure which I thought of doing from day-1, but after I started the work; I am feeling that I would not be able to achieve the task by going one-one and would not be able to complete this task by the dead line.

But I will definitely follow your from step 2 to 5.

Julius, as you have suggested I have met my ABAP lead and got some updates abt the procedures they follow during the custom developments. Here I find they donu2019t follow maintaining custom programs in program auth groups and they only maintain with authority checks and each custom report would be executed by using a custom transaction.

I would like to know the implications when we only maintain authority checks and not maintain the custom programs in program auth groups. I know is we cannot secure access in S_DEVELOP & S_PROGRAM.

Julius: I am not very familiar with transaction SCI (SAP Code Inspector) and I tried to find come documents to know more about this, but I am failed to find something which can help my work.

Would appreciate if you can let me know something more on this and how it can be used in my scenariou2026.

Thanks for all your replies, I would appreciate if I can know more best practices on this regards.

Re: Secure custom developer programs and transactions

Frank_Buchholz — Wed, 29 Apr 2009 11:28:21 GMT

In addition to the described manual methods in this thread to analyse authorization checks in programs, there exist another option based on tracing, too:

Set profile parameter auth/authorization_trace as described in note [543164|https://service.sap.com/sap/support/notes/543164] and view the result using transaction SU22 (yes, in this case it't SU22).

Limitation (in addition to the disclaimer as described in the note): The results are quite fine for transactions and some other service types but not for reports.

Kind regards

Frank Buchholz

P.S. Please keep in mind that RSABAPSC is somehow outdated - it's quite valuable for old programs respective simple programming techniques, however, it might fail if you analyse modern programs which are based on object oriented code.

Re: Secure custom developer programs and transactions

Frank_Buchholz — Wed, 29 Apr 2009 11:30:48 GMT

Do you know the [Secure Programming |https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/334929d6-0a01-0010-45a9-8015f3951d1a] development guide at https://www.sdn.sap.com/irj/sdn/security ?

(Well, it doesn't describe how to analyze programs for authorization checks, but contains valuable information about other areas of secure programming in ABAP and Java.)

Frank

Edited by: Frank Buchholz on Apr 29, 2009 1:31 PM

Re: Secure custom developer programs and transactions

Former Member — Mon, 04 May 2009 04:37:48 GMT

Hi People,

Can I please expect some more possible ways to approach my task as mentioned in my replies.

Thanks.

Re: Secure custom developer programs and transactions

Former Member — Mon, 04 May 2009 08:17:23 GMT

The tcode and program group only are blunt tools for security, and will not let you achieve granular security nor differentiate in a meaningfull way between org levels.

Go for the correct and consistent authorization checks in the programs - it is the better option for maintaining a consistent role authorization concept.

If you did not find information on SCI then you did not look very hard...

Just search here in SDN or start transaction SCI - there is a little blue "Information" button at the top. It will tell you what you need to know...

Cheers,

Julius

Re: Secure custom developer programs and transactions

Former Member — Mon, 04 May 2009 12:48:53 GMT

Hello Amit,

we have developed a security scanner for ABAP that can (among many other things) identify all authority checks in custom ABAP code. Even better - it can identify missing authority checks, too.

Let me know if you want to know more.

Markus

Re: Secure custom developer programs and transactions

Former Member — Wed, 06 May 2009 07:22:29 GMT

Hi Markus,

Thanks for your response, and we also have developed a custom program to read authority checks in all reports but it wont identify missing authority checks. So, can you please let me know how your program will help to show the missing authority checks.

Thanks.

Re: Secure custom developer programs and transactions

Former Member — Fri, 04 Jun 2010 10:03:55 GMT

Where can we get this Scanner and how is it different to RSABAPSC ?

Thx

Denis

Re: Secure custom developer programs and transactions

Former Member — Fri, 04 Jun 2010 10:37:48 GMT

It is a commercially available product. See www.virtualforge.de

The main difference is that it does not only scan for static coding statements, but can verify where the input is coming from and validations in between (such as authity-checks).

There are several tools which do this for webservers and Java applications, but not many for ABAP.

Cheers,

Julius