
Loading and Executing ABAPs [Guidance Notes]

ACE* version 8.9


Automated Controls Evaluator
Version 1.0 August 2007

Contents

Loading and Executing ABAPs
1.0 What is ACE*?
2.0 Why does PwC use ACE*?
3.0 Does ACE* have any impact on my system?
4.0 Will ACE* download any confidential data?
5.0 How can I install ACE* ABAPs?
6.0 Is it possible to change the name of the ABAPs?
7.0 How can I run ACE* ABAPs?
8.0 What authorisations are required to run ACE*?
9.0 How do the ABAPs work?
10.0 What is the volume of data downloaded and how long does ACE* take to run?
11.0 How can I transfer the downloaded data to the ACE* user?

ACE* version 8.9 PricewaterhouseCoopers

August 07 Contents

Loading and Executing ABAPs

1.0 What is ACE*?


ACE* is an abbreviation for Automated Controls Evaluator. SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and security data from SAP and analyses them to determine whether controls have been appropriately designed and implemented in SAP. In brief, ACE* consists of:
- two ABAPs, which are the SAP part of the tool and download the required information from SAP; and
- the ACE* tool (PC part), which analyses the security and configuration control elements implemented in a SAP environment.

To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They are SAP release independent and able to adapt to how SAP has been configured and implemented. ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation projects (pre go-live testing) as well as performing reviews of productive systems (live testing). ACE* version 8.9 is executable on SAP R/3 versions 4.5 to 4.7 and SAP ECC 5.0 - 6.0.

2.0 Why does PwC use ACE*?


SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary and difficult to use effectively. With ACE* configuration and security controls can be identified easily using standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE* allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas identified for additional work. ACE* produces standard exception reports which are easy to understand and help with the subsequent resolution of issues identified.


3.0 Does ACE* have any impact on my system?


ACE* has been specifically designed to minimise the impact on the SAP environment where it is run either in terms of system performance or data manipulation. This is because: only two ABAPs are required for ACE*; there are no other objects installed; and the entire process is under your control.

By sequentially reading and writing from the SAP database to the disk of the application server, any impact on system performance is reduced to a minimum. The master ABAP ACE8M generates the temporary ABAP ACE8T. That is the only change that ACE* makes on the SAP system.

Expressly, ACE* does not:
- Change any SAP repository objects (tables, structure, ABAPs, etc)
- Change any table contents

4.0 Will ACE* download any confidential data?


ACE* downloads authorisation data, configuration data and some master data. Because of the flexible design and structure of ACE* and the different ways that SAP can be implemented, the exact content of data downloaded may vary from one system to another. At run-time ACE*: dynamically searches the tables existing in the SAP environment; and selects the tables required to support the analysis of the SAP system.

ACE* also downloads table CDHDR and a summary of the BKPF table (excluding amounts) to help identify custom transactions that perform the same function as standard transactions. To ensure transparency, ACE* lists all dynamically downloaded tables in the job protocol (generated automatically when ACE* is run as a background process). Before the data is released to the ACE* user, the data content can be checked for confidentiality. The ACE* downloaded file B0002.QJF also contains a list of the SAP tables downloaded. The CDS tables (CDHDR and BKPF summary) are the last two tables in this list.


5.0 How can I install ACE* ABAPs?


The diagram below shows the steps involved in the process:
1. Copy of ABAP ZACE8M.TXT and ZACE8T.TXT
2. Upload ABAPs to SAP R/3
3. Start ABAP ZACE8M, output files will be written to the application server
4. Transfer ABAP output files to a local workstation
5. Copy files to a PwC PC or burn a CD
6. Import ABAP data into ACE* application

ACE* comprises two custom ABAP programs that need to be loaded into the SAP production environment:
ZACE8M.TXT - The master ACE* ABAP
ZACE8T.TXT - The temporary ABAP which is called by the master as necessary

5.1 Copy the ABAP programs onto the SAP GUI client

The two ABAP files are usually provided either on a floppy disk or by e-mail (both files together are less than 350K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs will be loaded into SAP.

NOTE: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and NEVER from within another client (e.g. client 000).

5.2 Upload the 2 ABAPs into SAP

The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.


5.2.1 Create the ACE* program in SAP

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

In the program field enter ZACE8M as the program name and click on Create:

Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided i.e. ZACE8M and ZACE8T (ignore the .txt file extension). Note: You will need an OSS/Developer key to load the ABAP.


5.2.2 Assign attributes to the ACE* ABAP program

In the following screen, assign the program attributes as below and click on Save:
Title: Enter a text that describes the ABAP such as ZACE8M
Type: Select Executable Program
Application: Select Cross-application

Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click Save to save the program attributes.

A message will be received indicating Attributes for program ZACE8M saved.


5.2.3 Upload the ACE* ABAP into the SAP program created

Use path: Utilities > More Utilities > Upload/Download > Upload

Upload the ACE* ABAPs into the SAP object directory which was created in the previous steps:

Navigate to the ZACE8M.txt file and click on Open:

The GUI will then display the ABAP code. Click the Save button and return to the ABAP Editor initial screen using the Back Arrow in the toolbar.


5.2.4 Activate the ABAP

The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the Activate button (or use: Program > Activate). Select the row containing ZACE8M and click on the OK button:

5.2.5 Load the temporary ABAP

Repeat steps 5.2.1 to 5.2.4 for the program ZACE8T.

6.0 Is it possible to change the name of the ABAPs?


If the ACE* ABAPs do not comply with the naming convention, it is possible to change their names from ZACE8M and ZACE8T. If this is done however, the code in ZACE8M has to be changed to ensure that the master ABAP calls the renamed temporary ABAP and not ZACE8T. This requires one line of code change which is found in the ZACE8M ABAP.

To change the names of the ABAP programs, search for the line:

data: subrepid like sy-repid value ZACE8T

and replace ZACE8T with the new name for that ABAP program.


7.0 How can I run the ACE* ABAPs?


To run ACE*, only the master ABAP, ZACE8M, needs to be started. ZACE8M will generate and run the temporary ABAP program ZACE8T as and when required without further manual intervention.

7.1 Create a variant of ZACE8M

ZACE8M should be executed in the background. To run the ABAP in the background, a variant of the ABAP needs to be created. To create a variant, go to the ABAP Editor (transaction SE38). Type ZACE8M and select the Variant sub-object, then click the Variants button on the toolbar:

Enter a variant name (e.g. 0001) and click on the Create button:


7.2 Select the ACE* ABAP parameters

The ABAP parameters in the variant should be maintained:


In most cases, the default parameter values should be sufficient (except the application server path and the start of the financial year as mentioned below). The different parameters are explained below:
Parameter: Path on the application server
Description: This defines the specific path on the application server where the ACE* data will be downloaded to.
Comment: This must be maintained - see note below.

Parameter: Client specific downloading of authorisation tables
Description: Determines whether data is downloaded from the current client only or all clients in the SAP instance.
Comment: Default values are generally appropriate.

Parameter: Transaction log data (TLD)
Description: ACE* will download data generated by the SAP Workload Monitor. In ACE* this is called Transaction Log Data (TLD). Month, weekly or daily data specifies the summary level at which the data will be download. Period limit - this setting will limit the data downloaded to respectively the number of months, weeks or days specified. Record limit - this setting will limit the data downloaded to the number of records specified.
Comment: Default values are generally appropriate. If not specified differently by PwC, use monthly record download with the standard 12 month download period and 4 million record limit.

Parameter: Change Document Summary (CDS) and BKPF summary for R/3 Systems only - Start of Financial Year
Description: Determines the time frame of downloading change document and BKPF summary data. In large Environments CDS downloads increase download time significantly and it may be advisable to reduce the time frame to less than the full financial year.
Comment: If this is not a R/3 system specify: no download of CDS data. Please check with PwC auditor for the date range for CDS data download.

Parameter: Scope of download - Authorisation group fields - Object help information - Field status definition - Base component - Desolved values
Description: Determines what authorisation data is downloaded. Desolved values allow ACE* to display a drop down list of possible values for authorisation fields.
Comment: Default values are generally appropriate.

Parameter: Scope of download (Enterprise Areas) - Desolved value - Tables
Description: Determines what data is downloaded by Enterprise Area. Desolved values allow ACE* to display possible values for authorisation fields. Tables refer to configuration data tables.
Comment: Default values are generally appropriate.

Parameter: Additional tables to download
Description: Allows to specify additional tables to be downloaded.
Comment: Not generally required if not specifically requested by PwC.

Parameter: Space limit for tables
Description: Defines the maximum size a table can reach before ACE* will not download it.
Comment: The default value is generally appropriate although the limit can be reduced if the size of the downloaded data is excessive.

Parameter: Download strategy
Description: Determines the method used by the ABAP to download data from SAP. If less read rollback is selected, the ABAP could run very long. If the SAP system is very powerful, the value can be switched to better performance, then the ABAP is executed faster.
Comment: The default value should not be changed unless problems are experienced with the download process.

Parameter: Code Page for download
Description: Leave this setting as defined unless instructed to modify.
Comment: The default value should not be changed.

In the Path on the application server field, specify the exact location (e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers) on the application server (or other server with a mapping from the application server) where the downloaded data is to be saved. The directory should have enough free space to accommodate the downloaded data (typically between 500MB and 2 GB is required).

Click on the Attributes button and enter a name for the variant (e.g. 0001) and then click on the Save button. The message Variant Saved will be displayed at the bottom of the screen. Click on the Save button again and the message Values of Variant 0001 Saved will be displayed at the bottom of the screen.

7.3 Run the ABAP

Execute ACE* in the background by going to the ABAP Editor (Transaction code SA38), entering ZACE8M in the program field and selecting the menu path: Program > Execute > Background:

Enter the variant name (i.e. 0001 etc) and then press the button Execute Immed. to run the ABAP immediately or press the Schedule button to specify a time and date to run the ABAP later (e.g. for an overnight run).


If the Execute Immed. button is pressed then you will see a message that ZACE8M has started as a background job.

7.4 Check status of the ABAP

To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SM37). Enter a * in the Job Name field and select the current date in the From and To fields. Click on Execute. In the subsequent screen, the status of the background job can be viewed. A status of Active means that the job is still running. A status of Finished means that the job is over.

8.0 What authorisations are required to run ACE*?


The following authorisations are required to run ACE*:

Authorisation checks:
- Programmed: S_USER_AUT with ACTVT 03
- In functions: S_DATASET with the path to the application server
- To start: S_PROGRAM with implemented P_GROUP and S_TCODE

At the operating system level: The SAP user at the OS level has to have write access to the directory specified in the path on the application server field in the ABAP variant.

9.0 How do the ABAPs work?


There are two ABAPs: ZACE8M (Master ABAP) and ZACE8T (Temporary ABAP).

The Master ABAP generates and executes the Temporary ABAP. The overall purpose of these ABAPs is to search for relevant data and to download this to the application server. The downloaded data can be split into three types:

- Special data (downloaded by Master ABAP): Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of multiple tables, a selection of a single table or a standard SAP function.
- Standard data (downloaded by Temporary ABAP): Each downloaded file relates to one SAP table. In the procedure FILLFIXB0005 these tables are selected and the names of these tables are saved in an internal table (B0005). The Temporary ABAP is generated for each entry in this table, and submitted by the procedure EXP-STAND. The Temporary ABAP then downloads the data to the specified directory path on the application server.
- Data of internal tables (downloaded by Master ABAP): During the import, seven internal tables are populated. These tables describe the downloaded data.

The ABAPs do not change or modify any data in the SAP system

10.0 What is the volume of data downloaded and how long does ACE* take to run?
The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what data to run depending on the size of the SAP implementation (i.e. number of users), how authorisations have been built and the scope of the data to be downloaded as defined in the variant of the ABAP. However, a couple of examples are provided below:

Example 1
SAP release: 4.6C
Number of users: 1295
Scope of downloaded files: Full
Number of downloaded files: 987
Space required on application server: 800 MB
Run time of the ABAP: 3 hours

Example 2
SAP release: 4.6C
Number of users: 10212
Scope of downloaded files: Full
Number of downloaded files: 1132
Space required on application server: 1.0 GB
Run time of the ABAP: 6 hours


11.0 How can I transfer the downloaded data to the ACE* user?
Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files (e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 1200 files (depending on the size of the SAP instance) with the .QJF extension will be saved here.

The names of the output files generated by ACE* should not be changed
These files now need to be transferred from the application server to the ACE* user. There are several ways of doing this and the best way will depend on the system architecture and the software and hardware available. Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of restricted access rights on the SAP application server. Options available are:
From the application server:

Option: CD Writer
Method: Use a CD writer connected to the SAP application server
Advantages: Easiest and quickest method
Disadvantages: Requires a CD writer to be connected to the SAP application server

Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:

Option: FTP and CD Writer
Method: Use a CD writer attached to the SAPGUI workstation
Advantages: Easy and quick method
Disadvantages: Requires a CD writer to be connected to the SAPGUI workstation.

Option: FTP and memory stick
Method: Zip up the data in packets and use a memory stick to transfer the data to the ACE user
Advantages: This method is always possible
Disadvantages: The workstation containing the data must have a USB port.

Option: FTP and email
Method: E-mail the zipped data in packets to the ACE user
Advantages: This can be a quick solution
Disadvantages: Data needs to be zipped into packets <5MB and e-mail security may be a concern

Option: FTP and ZIPDrive
Method: Use a ZipDrive attached to the workstation
Advantages: One zip disk should be able to handle all the downloaded data
Disadvantages: Requires both the SAPGUI workstation and the ACE user to have the appropriate zip programs loaded

Option: FTP and LapLink
Method: Use Laplink to transfer the data
Advantages: Easy to handle
Disadvantages: If the SAPGUI workstation is connected to the network and the PC cannot be started in disconnected or DOS mode, then the port will not be available for Laplink use

Please transfer all files created during the download including 0KB files. If you have any questions or queries or get any error message, please contact your local PwC auditor with screenshots, and details of error message.
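Because the output files must arrive complete, unrenamed and including the 0KB files, one way to check a transfer is to record a manifest on the application server and compare it with the received copy. The following is an added example, not part of ACE* or of PwC's procedure; the SHA-256 manifest approach and every file name other than B0002.QJF are assumptions, and the sample contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile

def build_manifest(directory):
    """Map each .QJF file name to (size in bytes, SHA-256 hex digest)."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.upper().endswith(".QJF"):
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[name] = (os.path.getsize(path), digest.hexdigest())
    return manifest

def compare_manifests(source, received):
    """Report how the received copy differs from the application-server copy."""
    missing = sorted(set(source) - set(received))
    unexpected = sorted(set(received) - set(source))
    altered = sorted(n for n in set(source) & set(received) if source[n] != received[n])
    # Identical non-empty content under a new name means the file was renamed.
    old_name = {source[n]: n for n in missing if source[n][0] > 0}
    renamed = sorted((old_name[received[n]], n) for n in unexpected if received[n] in old_name)
    # 0KB files are easy to lose in zip or copy steps but must be transferred too.
    return {"missing": missing, "unexpected": unexpected, "altered": altered,
            "renamed": renamed, "empty_dropped": [n for n in missing if source[n][0] == 0]}

def demo():
    """Simulate a faulty transfer of constructed sample files and compare."""
    samples = {  # constructed contents; only the B0002.QJF name is from the page
        "B0002.QJF": b"constructed table list\n",
        "SAMPLE_A.QJF": b"constructed data A\n",
        "SAMPLE_B.QJF": b"constructed data B\n",
        "SAMPLE_EMPTY.QJF": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        server, workstation = os.path.join(root, "server"), os.path.join(root, "pc")
        os.makedirs(server)
        os.makedirs(workstation)
        for name, data in samples.items():
            with open(os.path.join(server, name), "wb") as handle:
                handle.write(data)
        before = build_manifest(server)  # taken before the files leave the server
        shutil.copy(os.path.join(server, "B0002.QJF"), workstation)
        shutil.copy(os.path.join(server, "SAMPLE_A.QJF"),
                    os.path.join(workstation, "SAMPLE_A_COPY.QJF"))  # renamed in transit
        with open(os.path.join(workstation, "SAMPLE_B.QJF"), "wb") as handle:
            handle.write(b"constructed data")  # truncated in transit
        # SAMPLE_EMPTY.QJF is deliberately never copied.
        return compare_manifests(before, build_manifest(workstation))

if __name__ == "__main__":
    print(demo())
```

A clean transfer yields empty lists for every key; anything else should be resolved before the data is handed over.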


pwc.com
This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance. 2007 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. Design: 0700695_ass/cd
