You know the Secure Programming Guidelines but you want to do more?
Well, here are my top priority security recommendations for developing secure ABAP applications:
New database tables
1. Assign table authorization group
Usually you create 3 table authorization groups per application:
a) for customizing tables (<appl>C)
b) for master data and transaction data or other application data (<appl>A)
c) for system data (<appl>S)
You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings.
Use transaction SM30 with view V_BRG_54 to maintain authorization groups and view V_DDAT_54 to maintain authorization group assignments.
Maintain authorization groups
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134d2407a11d1893b0000e8323c4f/frameset.htm
Maintain authorization group assignments
http://help.sap.com/saphelp_nw70/helpdata/en/a7/5134df407a11d1893b0000e8323c4f/frameset.htm
2. Set the maintenance flag, which controls SE16 and SM30, correctly
Data Browser/Table View Maintenance
http://help.sap.com/saphelp_nw70/helpdata/en/a6/03883acb00d768e10000000a114084/content.htm
3. Activate table logging for customizing tables or create a change document object for master data.
You can use the report RDDPRCHK (or RDDTDDAT_BCE) to analyze the settings.
Check the settings of profile parameter rec/client and the tp parameter RECCLIENT, too.
Activate/Deactivate Table Change Logging
http://help.sap.com/saphelp_nw70/helpdata/en/7e/c81ebb52c511d182c50000e829fbfe/frameset.htm
Note 1916 Logging table changes in R/3
https://service.sap.com/sap/support/notes/1916
Note 84052 R3trans: Table logging
https://service.sap.com/sap/support/notes/84052
4. Create specialized SM30 maintenance views instead of offering maintenance using SE16 and add additional authorization checks if required.
Create a Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/a1/e4521aa2f511d1a5630000e82deaaa/frameset.htm
Event 25: At the Start of the Maintenance Dialog
http://help.sap.com/saphelp_nw70/helpdata/en/c2/703037301f327ae10000009b38f839/frameset.htm
New transactions
1. Assign authorization object with appropriate field values in the definition of the transaction using transaction SE93
Authorization Checks
http://help.sap.com/saphelp_nw70/Helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
2. Enter authorization proposals using transaction SU24
Check Indicators
http://help.sap.com/saphelp_nw70/helpdata/en/52/671470439b11d1896f0000e8322d00/frameset.htm
3. If the transaction is a report transaction and you have decided that the authorization check for the transaction is important: Check the authorization again using function AUTHORITY_CHECK_TCODE within the code of the report.
New BAPI / RFC Function
- Ensure that application-specific authorization checks are executed
- Put critical and non-critical RFC functions into separate function groups.
New Web UI
See Secure Programming Guide chapter "Secure User Interface"
http://help.sap.com/saphelp_nw70/helpdata/en/58/4d767ed850443c891ad27208789f56/frameset.htm
Critical ABAP statements
Have a close look at these critical ABAP statements:
- INSERT REPORT / GENERATE SUBROUTINE POOL
These statements create arbitrary ABAP code at runtime. Avoid anything that would enable users to inject ABAP code through them.
INSERT REPORT
http://help.sap.com/abapdocu_70/en/ABAPINSERT_REPORT.htm
GENERATE SUBROUTINE POOL http://help.sap.com/abapdocu_70/en/ABAPGENERATE_SUBROUTINE_POOL.htm
- CALL TRANSACTION
The statement CALL TRANSACTION does not check the authorization of the current user to execute the called transaction automatically. To do this, either the calling (preferred) or the called program must call function module AUTHORITY_CHECK_TCODE.
CALL TRANSACTION
http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm
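As an added example (not code from the original post), one report applying both recommendations that rely on AUTHORITY_CHECK_TCODE: item 3 of "New transactions" (the report re-checks its own transaction code) and the CALL TRANSACTION point above (the caller checks the target before the call). The report name and the transaction codes ZSEC_TA and ZSEC_DETAIL are assumptions.

```abap
REPORT zsec_tcode_check_example.   " hypothetical report name

* Transaction codes assumed for this example (not from the post):
* the report transaction that starts this report, and the target
* transaction it navigates to. Both are hard-coded on purpose so the
* user cannot choose an arbitrary target (see "Generic functionality").
CONSTANTS: gc_own_tcode    TYPE sytcode VALUE 'ZSEC_TA',
           gc_target_tcode TYPE sytcode VALUE 'ZSEC_DETAIL'.

* AUTHORITY_CHECK_TCODE evaluates S_TCODE and the authorization object
* assigned to the transaction in SE93. It reports the result through
* the exceptions OK (sy-subrc = 1) and NOT_OK (sy-subrc = 2).
FORM check_tcode_authority USING iv_tcode TYPE sytcode.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = iv_tcode
    EXCEPTIONS
      ok     = 1
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 1.
    " Standard message 00 172: "You are not authorized to use transaction &"
    MESSAGE e172(00) WITH iv_tcode.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
* "New transactions", item 3: the report re-checks the authorization
* for its own transaction, so that starting it by other means (for
* example SUBMIT) does not bypass the check attached to the transaction.
  PERFORM check_tcode_authority USING gc_own_tcode.

* Critical statement CALL TRANSACTION: the statement itself does not
* check the user's authorization for the called transaction, so the
* calling program (preferred) performs the check before the call.
  PERFORM check_tcode_authority USING gc_target_tcode.
  CALL TRANSACTION gc_target_tcode.
```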
Generic functionality
Avoid developing generic functionality which enables the user to choose any target table, file, report or transaction. Have a close look at these statements:
- Generic access to tables using SELECT … FROM (variable)
http://help.sap.com/abapdocu_70/en/ABAPFROM_CLAUSE.htm
- Generic access to files using OPEN DATASET variable
http://help.sap.com/abapdocu_70/en/ABAPOPEN_DATASET.htm
- Generic access to reports using SUBMIT (variable)
http://help.sap.com/abapdocu_70/en/ABAPSUBMIT.htm
- Generic access to transactions using CALL TRANSACTION variable
http://help.sap.com/abapdocu_70/en/ABAPCALL_TRANSACTION.htm
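As an added example (not code from the original post) of containing a dynamic FROM clause when it cannot be avoided: the table name supplied by the user is first restricted to an allow-list, then subjected to the same S_TABU_DIS check on its table authorization group (TDDAT-CCLASS) that SE16 applies, and only then used in the SELECT. The report name and the table names ZAPPL_ORDERS and ZAPPL_ITEMS are assumptions.

```abap
REPORT zsec_dynamic_select_example.   " hypothetical report name

PARAMETERS: p_table TYPE tabname.

TYPES: ty_tabnames TYPE STANDARD TABLE OF tabname WITH DEFAULT KEY.

DATA: lt_allowed TYPE ty_tabnames,
      lv_cclass  TYPE tddat-cclass,
      lr_data    TYPE REF TO data.

FIELD-SYMBOLS: <lt_data> TYPE STANDARD TABLE.

START-OF-SELECTION.
* 1. Allow-list: this report is only meant to read two application
*    tables (hypothetical names), never an arbitrary table.
  APPEND 'ZAPPL_ORDERS' TO lt_allowed.
  APPEND 'ZAPPL_ITEMS'  TO lt_allowed.
  READ TABLE lt_allowed WITH KEY table_line = p_table
    TRANSPORTING NO FIELDS.
  IF sy-subrc <> 0.
    MESSAGE 'Table not supported by this report' TYPE 'E'.
  ENDIF.

* 2. Same check SE16 applies: read the table authorization group from
*    TDDAT and check S_TABU_DIS for display (ACTVT 03). Tables without
*    an assigned group fall into the default group &NC&.
  SELECT SINGLE cclass FROM tddat INTO lv_cclass
    WHERE tabname = p_table.
  IF sy-subrc <> 0.
    lv_cclass = '&NC&'.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_cclass
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this table' TYPE 'E'.
  ENDIF.

* 3. Only after both checks is the dynamic FROM clause executed.
  CREATE DATA lr_data TYPE STANDARD TABLE OF (p_table).
  ASSIGN lr_data->* TO <lt_data>.
  SELECT * FROM (p_table) INTO TABLE <lt_data> UP TO 100 ROWS.
  WRITE: / sy-dbcnt, 'rows read from', p_table.
```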
source: sdn.sap.com
author: Frank Buchholz, security evangelist for securing SAP systems.