Loading and Executing ABAPs [Guidance Notes] ACE* version 8.9 Automated Controls Evaluator Version 1.0 August 2007

ACE Star - Load and Execute ACE ABAPs - Guidance Notes (A4)

Oct 03, 2014


KHEIJNEN

ACE* version 8.9 August 07 PricewaterhouseCoopers

Contents

Loading and Executing ABAPs

1.0 What is ACE*?
2.0 Why does PwC use ACE*?
3.0 Does ACE* have any impact on my system?
4.0 Will ACE* download any confidential data?
5.0 How can I install ACE* ABAPs?
6.0 Is it possible to change the name of the ABAPs?
7.0 How can I run ACE* ABAPs?
8.0 What authorisations are required to run ACE*?
9.0 How do the ABAPs work?
10.0 What is the volume of data downloaded and how long does ACE* take to run?
11.0 How can I transfer the downloaded data to the ACE* user?


1.0 What is ACE*?

ACE* is an abbreviation for “Automated Controls Evaluator”.

SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and security data from SAP and analyses it to determine whether controls have been appropriately designed and implemented into SAP.

In brief, ACE* consists of:

two ABAPs which are the SAP part of the tool and download the required information from SAP; and

the ACE* tool (PC part) which analyses the security and configuration control elements implemented in a SAP environment.

To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They are SAP release independent and able to adapt to how SAP has been configured and implemented.

ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation projects (pre go-live testing) as well as performing reviews of productive systems (live testing).

ACE* version 8.9 is executable on SAP R/3 versions 4.5 to 4.7 and SAP ECC 5.0 - 6.0.

2.0 Why does PwC use ACE*?

SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary and difficult to use effectively. With ACE* configuration and security controls can be identified easily using standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE* allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas identified for additional work.

ACE* produces standard exception reports which are easy to understand and help with the subsequent resolution of issues identified.


3.0 Does ACE* have any impact on my system?

ACE* has been specifically designed to minimise the impact on the SAP environment where it is run either in terms of system performance or data manipulation. This is because:

only two ABAPs are required for ACE*;

there are no other objects installed; and

the entire process is under your control.

By sequentially reading and writing from the SAP database to the disk of the application server, any impact on system performance is reduced to a minimum.

The master ABAP ACE8M generates the temporary ABAP ACE8T. That is the only change that ACE* makes on the SAP system.

Expressly, ACE* does not:

• Change any SAP repository objects (tables, structure, ABAPs, etc)

• Change any table contents

4.0 Will ACE* download any confidential data?

ACE* downloads authorisation data, configuration data and some master data. Because of the flexible design and structure of ACE* and the different ways that SAP can be implemented, the exact content of data downloaded may vary from one system to another.

At run-time ACE*:

dynamically searches the tables existing in the SAP environment; and

selects the tables required to support the analysis of the SAP system.

ACE* also downloads table CDHDR and a summary of the BKPF table (excluding amounts) to help identify custom transactions that perform the same function as standard transactions.

To ensure transparency, ACE* lists all dynamically downloaded tables in the job protocol (generated automatically when ACE* is run as a background process). Before the data is released to the ACE* user, the data content can be checked for confidentiality. The ACE* downloaded file B0002.QJF also contains a list of the SAP tables downloaded. The CDS tables (CDHDR and BKPF summary) are the last two tables in this list.


5.0 How can I install ACE* ABAPs?

The diagram below shows the steps involved in the process:

1. Copy of ABAP ZACE8M.TXT and ZACE8T.TXT

2. Upload ABAPs to SAP R/3

3. Start ABAP ZACE8M, output files will be written to the application server

4. Transfer ABAP output files to a local workstation

5. Copy files to a PwC PC or burn a CD

6. Import ABAP data into ACE* application

ACE* comprises two custom ABAP programs that need to be loaded into the SAP production environment:

ZACE8M.TXT The master ACE* ABAP

ZACE8T.TXT The temporary ABAP which is called by the master as necessary

5.1 Copy the ABAP programs onto the SAP GUI client

The two ABAP files are usually provided either on a floppy disk or by e-mail (both files together are less than 350K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs will be loaded into SAP.

NOTE: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and NEVER from within another client (eg client 000)

5.2 Upload the 2 ABAPs into SAP

The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.


5.2.1 Create the ACE* program in SAP

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

In the program field enter ZACE8M as the program name and click on Create:

Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided i.e. ZACE8M and ZACE8T (ignore the .txt file extension).

Note: You will need an OSS/Developer key to load the ABAP.


5.2.2 Assign attributes to the ACE* ABAP program

In the following screen, assign the program attributes as below and click on “Save”:

Title: Enter a text that describes the ABAP such as “ZACE8M”

Type: Select “Executable Program”

Application: Select “Cross-application”

Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click “Save” to save the program attributes.

A message will be received indicating “Attributes for program ZACE8M saved.”


5.2.3 Upload the ACE* ABAP into the SAP program created

Use path: Utilities > More Utilities > Upload/Download > Upload

Upload the ACE* ABAPs into the SAP object directory which was created in the previous steps:

Navigate to the ZACE8M.txt file and click on “Open”:

The GUI will then display the ABAP code. Click the “Save” button and return to the ABAP Editor initial screen using the Back Arrow in the toolbar.


5.2.4 Activate the ABAP

The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the “Activate” button (or use: Program > Activate).

Select the row containing ZACE8M and click on the “OK” button:

5.2.5 Load the temporary ABAP

Repeat steps 5.2.1 to 5.2.4 for the program ZACE8T.

6.0 Is it possible to change the name of the ABAPs?

If the ACE* ABAPs do not comply with the naming convention, it is possible to change their names from ZACE8M and ZACE8T. If this is done, however, the code in ZACE8M has to be changed to ensure that the master ABAP calls the renamed temporary ABAP and not ZACE8T. This requires a one-line code change in the ZACE8M ABAP.

To change the names of the ABAP programs, search for the line:

    data: subrepid like sy-repid value 'ZACE8T'

and replace ZACE8T with the new name for that ABAP program.


7.0 How can I run the ACE* ABAPs?

To run ACE*, only the master ABAP, ZACE8M, needs to be started. ZACE8M will generate and run the temporary ABAP program ZACE8T as and when required without further manual intervention.

7.1 Create a variant of ZACE8M

ZACE8M should be executed in the background. To run the ABAP in the background, a variant of the ABAP needs to be created.

To create a Variant, go to the ABAP Editor (transaction SE38). Type ZACE8M and select the “Variant” sub-object, then click the “Variants” button on the toolbar:

Enter a variant name (e.g. 0001) and click on the “Create” button:


7.2 Select the ACE* ABAP parameters

The ABAP parameters in the variant should be maintained:


In most cases, the default parameter values should be sufficient (except the application server path and the start of the financial year as mentioned below). The different parameters are explained below:

Parameter: Path on the application server
Description: This defines the specific path on the application server where the ACE* data will be downloaded to.
Comment: This must be maintained – see note below.

Parameter: Client specific downloading of authorisation tables
Description: Determines whether data is downloaded from the current client only or all clients in the SAP instance.
Comment: Default values are generally appropriate.

Parameter: Transaction log data (TLD)
Description: ACE* will download data generated by the SAP Workload Monitor. In ACE* this is called Transaction Log Data (TLD).
  Month, weekly or daily data – specifies the summary level at which the data will be downloaded.
  Period limit – this setting will limit the data downloaded to respectively the number of months, weeks or days specified.
  Record limit – this setting will limit the data downloaded to the number of records specified.
Comment: Default values are generally appropriate. If not specified differently by PwC, use ‘monthly’ record download with the standard 12 month download period and 4 million record limit.

Parameter: Change Document Summary (CDS) and BKPF summary for R/3 Systems only
Description: Determines the time frame of downloading change document and BKPF summary data.
  Start of Financial Year – In large environments CDS downloads increase download time significantly and it may be advisable to reduce the time frame to less than the full financial year.
Comment: If this is not a R/3 system specify: no download of CDS data. Please check with PwC auditor for the date range for CDS data download.

Parameter: Scope of download
  - Authorisation group fields
  - Object help information
  - Field status definition
  - Base component
  - Desolved values
Description: Determines what authorisation data is downloaded. Desolved values allow ACE* to display a drop down list of possible values for authorisation fields.
Comment: Default values are generally appropriate.

Parameter: Scope of download (Enterprise Areas)
  - Desolved value
  - Tables
Description: Determines what data is downloaded by Enterprise Area. Desolved values allow ACE* to display possible values for authorisation fields. Tables refer to configuration data tables.
Comment: Default values are generally appropriate.

Parameter: Additional tables to download
Description: Allows additional tables to be specified for download.
Comment: Not generally required if not specifically requested by PwC.

Parameter: Space limit for tables
Description: Defines the maximum size a table can reach before ACE* will not download it.
Comment: The default value is generally appropriate although the limit can be reduced if the size of the downloaded data is excessive.

Parameter: Download strategy
Description: Determines the method used by the ABAP to download data from SAP. If “less read rollback” is selected, the ABAP could run very long. If the SAP system is very powerful, the value can be switched to “better performance”, then the ABAP is executed faster.
Comment: The default value should not be changed unless problems are experienced with the download process.

Parameter: Code Page for download
Description: Leave this setting as defined unless instructed to modify.
Comment: The default value should not be changed.

In the “Path on the application server” field, specify the exact location (e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers) on the application server (or other server with a mapping from the application server) where the downloaded data is to be saved. The directory should have enough free space to accommodate the downloaded data (typically between 500MB and 2 GB is required).

Click on the “Attributes” button and enter a name for the variant (e.g. 0001) and then click on the “Save” button. The message “Variant Saved” will be displayed at the bottom of the screen.

Click on the “Save” button again and the message “Values of Variant 0001 Saved” will be displayed at the bottom of the screen.

7.3 Run the ABAP

Execute ACE* in the background by going to the ABAP Editor (Transaction code SA38), entering ZACE8M in the program field and selecting the menu path: Program > Execute > Background:

Enter the variant name (i.e. 0001 etc) and then press the button “Execute Immed.” to run the ABAP immediately or press the “Schedule” button to specify a time and date to run the ABAP later (e.g. for an overnight run).


If the “Execute Immed.” button is pressed then you will see a message that ZACE8M has started as a background job.

7.4 Check status of the ABAP

To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SM37). Enter a “*” in the Job Name field and select the current date in the From and To fields. Click on “Execute”.

In the subsequent screen, the status of the background job can be viewed. A status of Active means that the job is still running. A status of Finished means that the job is over.

8.0 What authorisations are required to run ACE*?

The following authorisations are required to run ACE*:

Authorisation checks:

Programmed: S_USER_AUT with ACTVT 03

In functions: S_DATASET with the path to the application server

To start: S_PROGRAM with implemented P_GROUP and S_TCODE

At the operating system level:

The SAP user at the OS level has to have write access to the directory specified in the “path on the application server” field in the ABAP variant.

9.0 How do the ABAPs work?

There are two ABAPs:

ZACE8M (Master ABAP) and

ZACE8T (Temporary ABAP).

The Master ABAP generates and executes the Temporary ABAP.

The overall purpose of these ABAPs is to search for relevant data and to download this to the application server. The downloaded data can be split into three types:


Special data (downloaded by Master ABAP)
Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of multiple tables, a selection of a single table or a standard SAP function.

Standard data (downloaded by Temporary ABAP)
Each downloaded file relates to one SAP table. In the procedure ‘FILLFIXB0005’ these tables are selected and the names of these tables are saved in an internal table (B0005). The Temporary ABAP is generated for each entry in this table, and submitted by the procedure ‘EXP-STAND’. The Temporary ABAP then downloads the data to the specified directory path on the application server.

Data of internal tables (downloaded by Master ABAP)
During the import, seven internal tables are populated. These tables describe the downloaded data.

The ABAPs do not change or modify any data in the SAP system

10.0 What is the volume of data downloaded and how long does ACE* take to run?

The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what data to run depending on the size of the SAP implementation (i.e. number of users), how authorisations have been built and the scope of the data to be downloaded as defined in the variant of the ABAP.

However, a couple of examples are provided below:

Example 1

SAP release: 4.6C

Number of users: 1295

Scope of downloaded files: Full

Number of downloaded files: 987

Space required on application server: 800 MB

Run time of the ABAP: 3 hours

Example 2

SAP release: 4.6C

Number of users: 10212

Scope of downloaded files: Full

Number of downloaded files: 1132


Space required on application server: 1.0 GB

Run time of the ABAP: 6 hours


11.0 How can I transfer the downloaded data to the ACE* user?

Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files (e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 1200 files (depending on the size of the SAP instance) with the .QJF extension will be saved here.

The names of the output files generated by ACE* should not be changed

These files now need to be transferred from the application server to the ACE* user. There are several ways of doing this and the best way will depend on the system architecture and the software and hardware available. Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of restricted access rights on the SAP application server. Options available are:

From the application server:

Option: CD Writer
Method: Use a CD writer connected to the SAP application server
Advantages: Easiest and quickest method
Disadvantages: Requires a CD writer to be connected to the SAP application server

Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:

Option: FTP and CD Writer
Method: Use a CD writer attached to the SAPGUI workstation
Advantages: Easy and quick method
Disadvantages: Requires a CD writer to be connected to the SAPGUI workstation.

Option: FTP and memory stick
Method: Zip up the data in packets and use a memory stick to transfer the data to the ACE user
Advantages: This method is always possible
Disadvantages: The workstation containing the data must have a USB port.

Option: FTP and email
Method: E-mail the zipped data in packets to the ACE user
Advantages: This can be a quick solution
Disadvantages: Data needs to be zipped into packets <5MB and e-mail security may be a concern

Option: FTP and ZIPDrive
Method: Use a ZipDrive attached to the workstation
Advantages: One zip disk should be able to handle all the downloaded data
Disadvantages: Requires both the SAPGUI workstation and the ACE user to have the appropriate zip programs loaded

Option: FTP and LapLink
Method: Use Laplink to transfer the data
Advantages: Easy to handle
Disadvantages: If the SAPGUI workstation is connected to the network and the PC cannot be started in disconnected or DOS mode, then the port will not be available for Laplink use

Please transfer all files created during the download, including 0KB files.

If you have any questions or queries or get any error message, please contact your local PwC auditor with screenshots and details of the error message.
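The hand-over in section 11 depends on every .QJF file arriving complete, unrenamed and unaltered, 0 KB files included. The sketch below is an added example, not part of the PwC guidance or the ACE* tool: it hashes the download directory, groups the files into zip packets under the 5 MB e-mail limit, and checks on the receiving side that nothing is missing or changed. The function names, the packet_NNN.zip naming and the per-entry overhead allowance are assumptions.

```python
import hashlib
import zipfile
from pathlib import Path

PACKET_LIMIT = 5_000_000  # "<5MB" packets; reading MB as decimal is an assumption
ENTRY_OVERHEAD = 256      # assumed allowance for zip headers per archived file


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(src_dir):
    """Map each .QJF file name to (size, sha256); 0 KB files are listed too."""
    return {p.name: (p.stat().st_size, sha256_file(p))
            for p in sorted(Path(src_dir).iterdir())
            if p.is_file() and p.suffix.upper() == ".QJF"}


def plan_packets(manifest, limit=PACKET_LIMIT):
    """Group file names greedily, using uncompressed size as a conservative bound."""
    packets, current, used = [], [], 0
    for name, (size, _) in sorted(manifest.items()):
        cost = size + ENTRY_OVERHEAD
        if current and used + cost > limit:
            packets.append(current)
            current, used = [], 0
        current.append(name)  # a file larger than the limit gets a packet of its own
        used += cost
    if current:
        packets.append(current)
    return packets


def write_packets(src_dir, out_dir, manifest, limit=PACKET_LIMIT):
    """Write packet_NNN.zip archives; file names inside are kept unchanged."""
    src, out = Path(src_dir), Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for i, names in enumerate(plan_packets(manifest, limit), start=1):
        target = out / f"packet_{i:03d}.zip"
        with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in names:
                zf.write(src / name, arcname=name)
        written.append(target)
    return written


def verify_packets(packets, manifest):
    """Receiving side: list files that are missing, altered or not in the manifest."""
    seen = {}
    for packet in packets:
        with zipfile.ZipFile(packet) as zf:
            for info in zf.infolist():
                digest = hashlib.sha256(zf.read(info.filename)).hexdigest()
                seen[info.filename] = (info.file_size, digest)
    return {
        "missing": sorted(set(manifest) - set(seen)),
        "unexpected": sorted(set(seen) - set(manifest)),
        "altered": sorted(n for n in set(manifest) & set(seen)
                          if manifest[n] != seen[n]),
    }
```

The manifest should travel to the recipient by a different route from the packets, so that a change made to a packet in transit cannot also be made to the values it is checked against.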

pwc.com

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.

© 2007 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

Design: 0700695_ass/cd