‎2010 Mar 19 11:51 AM
In short:
I want to implement a way to control whether certain ABAP code (certain logical areas) is executed, by having the ABAP code prompt for an activation key.
Much like when you are prompted for a developer access key or an object key for changing SAP standard code.
The long explanation:
We have some local development in our system landscape for which we want subsidiaries to request an access key if they want to go beyond a certain point (or if they want to use this logical part of the development).
They should be prompted for an access key - which they then request from the head office.
A case could also be if we are developing an SAP Add-on using AAK (Add-on Assembly Kit) and we want to close off certain areas of functionality; these areas of functionality could then be opened by an access key requested from head office.
Question
Do you know how to implement an access key feature in ABAP?
‎2010 Mar 19 8:17 PM
Good question, for which I don't have the answer, but I did look; I didn't have enough time to spend on this to get to the solution. I thought perhaps a setting in TADIR, but didn't find anything. I would suggest that you display an SAP object in SE38. Set hobble mode (command box '/h'), and then go into change mode... Before the Access key screen arrives, you will have processed everything SAP does to determine that an access key is required. Somewhere in there a switch or data value triggers the process to obtain an access key and store it in table ADIRACCESS.
‎2010 Mar 19 8:57 PM
Interesting, but the part that's not clear to me is what the goal of such an approach is. I'm assuming you're talking about code modifications or, to be more precise, to force code changes to somehow be marked as modifications along with the requirement to get notified about those (e.g. due to the need of requesting an access key).
What if they would utilize the enhancement framework (implicit enhancement points) instead? That's something that completely circumvents the access key.
If the goal is to control modifications, wouldn't it be better to actually define enhancement spots so that you're exposing a clean interface?
Anyhow, probably too much guessing and rambling on my side without knowing the background.
Cheers, harald
‎2010 Mar 22 7:21 AM
Goal
To stop the user from going into certain parts of the code without having entered an access key.
Sort of in the same way as a user is not allowed to develop ABAP without a developer key, even though he or she already has SAP_ALL.
‎2010 Mar 22 12:53 PM
For programs (SE38), you may implement EXIT_SAPLS38E_001 of extension SEUED001 (using CMOD transaction) to keep users from modifying programs:
IF operation = 'EDIT' AND
   program IN <reserved_to_head_office> AND
   sy-uname NOT IN <head_office_team>.
  MESSAGE i001(00) WITH 'program reserved exclusively to head office'.
  RAISE cancelled.
ENDIF.
For function modules (SE37), you may implement EXIT_SAPLS38L_001 of extension SEU00004:
IF operation = 'MODIFY' AND
   objectname IN <reserved_to_head_office> AND
   sy-uname NOT IN <head_office_team>.
  MESSAGE e001(00) WITH 'this FM is reserved exclusively to head office'
          RAISING cancelled.
ENDIF.
For methods (SE24), I don't know how to do it. I guess implicit enhancement option should be used.
Edited by: Rob Burbank on Mar 22, 2010 6:40 PM
‎2010 Mar 22 7:29 PM
I am not looking to block users from editing code - but to block them from executing the code.
/MikaelB
‎2010 Mar 22 7:36 PM
Hi Mikael,
As I indicated before, it's hard to provide any feedback without knowing the background/requirements. Are you looking for a one-time activation; is it supposed to be per user or per subsidiary? Are they working on different systems? By giving the access key comparison, you probably directed most people into the code change area, instead of the runtime limitation as you pointed out now. So I think with a little bit more information we might be able to provide better feedback...
Cheers, harald
‎2010 Mar 22 10:38 PM
For example:
1) A user wants to run a restricted function named "UR3"
2) He calls the head office to get a key
3) The head office accepts the request, generates a key (from a separate system so that users can't access it) and provides it to the user. This key is valid for UR3 only, for this user, and for one day.
4) The user enters the key via a dedicated transaction (it might also be entered via a popup when the function is executed, but it wouldn't be valid for programs not running in dialog, like background, etc.)
5) He runs the program and the restricted function is executed because the key exists and is valid
How you may generate the key:
1) Head office side: concatenate strings UR3, user name, the integer division of UNIX timestamp (seconds since 1.1.70) by number of seconds of validity (1 day = 86400 seconds), and calculate the MD5 of it (CALCULATE_HASH_FOR_CHAR).
2) User side: when the user enters the key, the algorithm is the same, but you have to calculate an MD5 for the integer division, and another one for the integer division minus 1. The check is correct if one of the 2 MD5s equals the MD5 of the head office.
Note: you may convert the MD5 into a shorter form (that would be rather easy) so that it is easier to enter. For example, 8 characters in base62 (like "z5MapGhT").
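Added example, not part of the original posts: the key scheme described in the post above, written in Python rather than ABAP so it can be run on any system, next to a keyed variant. The HMAC-SHA-256 variant, its shared secret, the "|" delimiter, all function names and the sample values are assumptions that do not appear in the thread.

```python
import hashlib
import hmac

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
VALIDITY = 86400  # validity window in seconds (1 day, as in the post)

def base62_short(digest, length=8):
    """Reduce a digest to `length` base62 characters so it can be typed in."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, rem = divmod(n, 62)
        out.append(BASE62[rem])
    return "".join(out)

def key_md5(function, user, window):
    """The post's recipe: MD5 over function + user + window number.
    No secret goes in, so whoever knows the recipe derives the same key."""
    data = f"{function}{user}{window}".encode()
    return base62_short(hashlib.md5(data).digest())

def make_key_hmac(secret):
    """Assumed variant: HMAC-SHA-256 under a secret shared by both sides.
    Fields are joined with '|' (assumed absent from names) to avoid ambiguity."""
    def derive(function, user, window):
        data = f"{function}|{user}|{window}".encode()
        return base62_short(hmac.new(secret, data, hashlib.sha256).digest())
    return derive

def issue(derive, function, user, now):
    """Head-office side: derive the key for the window containing `now`."""
    return derive(function, user, now // VALIDITY)

def check(derive, entered, function, user, now):
    """User side: accept the current window or the previous one.
    Accepting window - 1 means a key works for 24 to 48 hours after issue,
    depending on how late in its window it was generated."""
    window = now // VALIDITY
    return any(
        hmac.compare_digest(entered.encode(), derive(function, user, w).encode())
        for w in (window, window - 1)
    )

if __name__ == "__main__":
    now = 1269298800  # constructed timestamp
    key = issue(key_md5, "UR3", "JDOE", now)  # constructed user name
    print(key, check(key_md5, key, "UR3", "JDOE", now + VALIDITY))
```

The keyed variant only helps if the secret on the checking system is stored where the users being restricted cannot read it.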
‎2015 Apr 16 1:48 PM
Hi Mikael,
Preventing users from executing anything should be covered by authorizations.
For specific ABAP programs you should use Authorization Groups (SE38, select attributes).
Can you give us an example of a piece of code that you want to restrict? And also, what system are we talking about? Authorizations on development make no sense if the users have full debugging access and a developer's key; it's just a total waste of time and money.
And on production you have to have good authorizations to prevent stuff from happening.
Kind regards, Rob Dielemans