
ABAP Reports and SAP Query

Former Member
0 Kudos

Hi Experts,

I have a question regarding ABAP Reports, SAP Query, and Transaction with variant. How are we securing one of the above reports that we assign through PFCG? We can secure a custom program by a custom transaction or define the auth group in the S_PROGRAM auth object, but in this case we have to assign SA38 in production. Is that correct?

Please help me understand the difference between ABAP reports and SAP Query. Are ABAP reports the same as programs, or are they different?

Thanks in advance

Faisal

Edited by: Faisal on Jun 30, 2009 11:06 PM

8 REPLIES 8

0 Kudos

<copy&paste_removed_by_moderator>

Edited by: Julius Bussche on Jul 1, 2009 5:01 PM

Former Member
0 Kudos

ABAP Queries are created via SQ01 and are a quick way to get data as referred to by Anish. They are also a lazy way of doing things and many people do not condone their use in the Production environment as they are rarely efficient and offer little data security without significant additional work on the infotype. You can assign queries to users in a number of ways, through PFCG (generates custom t-codes) or via SQ00 and SQ01 and use of user groups.

ABAP reports are developed in SE38 and are bespoke code which produce a desired output of data. If coded correctly they are more efficient than queries and are easier to restrict using the standard authorisation concept. You assign ABAP reports to custom transaction codes and assign via a role.

ABAP reports also can refer to programs which may display or change data when executed.

0 Kudos

Thanks Alex,

I asked this question because I'm implementing SAP security from scratch and trying to find out what else I have to secure other than the following:

1) End user security (role matrix coordinate with process team)

2) Secure Table (by auth group)

3) Secure program (as you said ABAP reports are referred to Program)

4) Secure some batch jobs roles for batch job

5) Create support roles for cutover activity during Go-live

6) Emergency roles & IT roles for support

Please let me know if I missed anything that I need to prepare during the realization phase. I have a concern regarding securing programs or reports. We have two ways to secure a program/report: one way is to assign the auth group in the S_PROGRAM auth object in the role and assign the program to a specific auth group, but we need to assign SA38 in Prod in order to execute the particular program/report that we assigned to the auth group. The other way is to assign the program/report to a custom T-code and then assign the t-code to the role. Am I right?

Can you please give your feedback on my above questions and the concern I have during this full implementation?

Thank you so much

Faisal

0 Kudos

Hi,

1) End user security (role matrix coordinate with process team)

This role Matrix design is most important where we can put restrictions and use SoD.

2) Secure Table (by auth group)

Table TDDAT and use of transaction se54 for security tables to right auth Groups. Secure s_tabu_dis, s_tabu_cli.

3) Secure program (as you said ABAP reports are referred to Program)

Use of table TPGP and program RSCSAUTH for assignment of groups to Program. SA38: Running of SA38 requires a minimum SUBMIT in user Action. A user having SA38 is dangerous as he/she is now enabled to run any report. Hence protection in Auth Group is needed. Verify each and every program is having authority check statement and Auth Group or not before assigning sa38. As you mentioned, it's best to avoid SA38 and create CUSTOM TXN for each report.

(We should also SECURE S_DEVELOP in Production properly along with your points. Please Note).

4) Secure some batch jobs roles for batch job

Secure by s_btch* objects and less access to se36.

5) Create support roles for cutover activity during Go-live

That is always needed. Go ahead.

6) Emergency roles & IT roles for support

This is very much needed as a role of Mitigation and Fire Fighting for Temporary access. Ensure to enable your audit parameters in RZ10 (rsau* sm20, RSLG* for sm21). Give emergency access but enable audit via sm19 and get audit reports from sm20 and sm21 immediately after the use of emergency access.

There are also other auth objects we need to be careful with, which is a long list, and hope everybody ensures that (s_cts, a_admi, s_trans, tables ssm_cust, prgn, t000) etc. and a host of others. Best wishes. Let us know if any issue.

Regards

Aveek.
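
Added example, not part of the thread or any poster's code: a small offline audit for the check described above, run before SA38 is handed out. It assumes two CSV exports whose columns mirror TRDIR (NAME, SUBC, SECU = authorization group) and TSTC (TCODE, PGMNA); the sample rows and program names are constructed.

```python
import csv
import io

# Constructed sample exports, not real system data. The column layout
# (TRDIR: NAME, SUBC, SECU; TSTC: TCODE, PGMNA) is an assumption.
TRDIR_EXPORT = """NAME,SUBC,SECU
ZFI_OPEN_ITEMS,1,ZFIN
ZMM_STOCK_LIST,1,
ZHR_PAY_DUMP,1,
ZMM_STOCK_TOP,I,
"""
TSTC_EXPORT = """TCODE,PGMNA
ZFI01,ZFI_OPEN_ITEMS
ZMM01,ZMM_STOCK_LIST
"""


def load(text):
    """Parse a CSV export into a list of dicts with stripped values."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def audit_reports(trdir_rows, tstc_rows):
    """Classify each executable report by how its start is restricted."""
    tcodes = {}
    for row in tstc_rows:
        tcodes.setdefault(row["PGMNA"].upper(), []).append(row["TCODE"])
    result = {}
    for row in trdir_rows:
        if row["SUBC"] != "1":      # includes etc. cannot be started directly
            continue
        name = row["NAME"].upper()
        has_group = bool(row["SECU"])
        has_tcode = name in tcodes
        if has_group:
            status = "auth group " + row["SECU"]
        elif has_tcode:
            status = "tcode only: open to any SA38 user"
        else:
            status = "unprotected: no auth group, no tcode"
        result[name] = {"status": status, "tcodes": tcodes.get(name, []),
                        "sa38_exposed": not has_group}
    return result


if __name__ == "__main__":
    for prog, info in audit_reports(load(TRDIR_EXPORT), load(TSTC_EXPORT)).items():
        print(f"{prog:18} {info['status']}")
```

A report flagged `sa38_exposed` still needs a source review: an explicit AUTHORITY-CHECK in the code can restrict it even without an authorization group, which this export-based check cannot see.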

0 Kudos

Thank you so much for clearing some of my doubt; I just want to clear some more of my doubt.

1) Use of table TPGP and program RSCSAUTH for assignment of groups to Program

As far as I know we can use RSCSAUTH for assignment of groups to program and also we can do that through se11 (I'm not sure how?). But I didn't know if we can assign auth group through table TPGP. How can we assign auth group to program using TPGP?

2) Secure by s_btch* objects and less access to se36.

You mean SM36 not se36

Also, can you please tell me is there any standard batch jobs role out there or most common used transaction batch jobs any help creating batch jobs, or should I talk to my process team to find out all the transactions to create a role for batch jobs.

4) Create support roles for cutover, activity Emergency roles & IT roles for support

Are these roles created by discussing with process team or is there most common t-codes we can use to create some of the support and IT roles. I was curious if I can put it together most common t-codes for support roles, I'm implementing (FI, and MM) modules

Your feedback will be appreciated and very valuable for everyone

Regards,

Faisal

0 Kudos

Hi,

1. RSCSAUTH is the report needed. Table TPGP you can check the groups not assigning. Any assignment of programs to groups to be done via RSCSAUTH.

2. SM36... typo error :-). In PFCG if you give batch you will get SAP standard Batch job roles. From there you may customise as per your need. Same with Print related auth objects s_spo*.

4. Definitely a discussion needs to be done with functional experts regarding the requirement for these cut over roles and emergency roles which are given in temporary basis. Let me know if any issue.

Regards

Aveek.

Former Member
0 Kudos

Good Information

0 Kudos

Note that you can also assign groups with RSCSAUTH to report trees and I believe area menus as well.

Cheers,

Julius