The purpose of this script is to verify that certain sensitive tables are not being accessed by ABAPers. As you may know, SAP offers no built-in protection that stops an ABAP program from reading a table. This program looks for predefined patterns in ABAP source code as it is saved, generated or executed. If a matching pattern is found (in this case, HR personnel administration table names such as PA0001, PA0008 etc.), a silent alert is written to application log object ZHR1 (viewed with transaction code SLG1) and an email is sent to a responsible person, whose user id is configured in table ZPATH. (It can also be hard-coded into this program.)
- Create a function module called ZH_VERIFY using SE37 and copy the function source code from the block below into it.
- Open a repair for MSEDTF01.
- Search for the subroutine PG_UPDATE (SAP 3.1G - 3.1I).
- Insert the following line at line 5038 (CONTENT is the editor's internal table holding the source lines being saved, as the original step names it):
  CALL FUNCTION 'ZH_VERIFY' EXPORTING USER = SY-UNAME PROG = SY-REPID TABLES CONTENT = CONTENT.
- Create an authorization object called Z_HR, field ACTVT, using transaction SU21.
- Create the associated authorizations and profiles and assign them to the users for whom this verification should be disabled (i.e. authorized users).
- Create an application log object ZHR1 using transaction SLG0.
- Create a message class ZK with message number 001: Attempt to access &1 from program &2 by user &3 at &4 (the four placeholders are filled from MSGV1 to MSGV4 in the function: 'HR tables', the program name, the user id and the time).
- The SAP to internet email gateway must be configured correctly for the alert emails to be delivered.
*************************START OF FUNCTION MODULE ZH_VERIFY source code***************
* Global data of the function group (belongs in the TOP include).
TABLES: ZPATH.
DATA: BEGIN OF EMAIL_DATA.
        INCLUDE STRUCTURE SODOCCHGI1.
DATA: END OF EMAIL_DATA.
DATA: BEGIN OF EMAIL_SEND OCCURS 10.
        INCLUDE STRUCTURE SOMLRECI1.
DATA: END OF EMAIL_SEND.
DATA: BEGIN OF DATA_TAB OCCURS 20,
        LINE(255),
      END OF DATA_TAB.

FUNCTION ZH_VERIFY.
*"----------------------------------------------------------------------
*"*"Local interface:
*"  IMPORTING
*"      VALUE(USER) LIKE SY-UNAME
*"      VALUE(PROG) LIKE SY-REPID
*"  TABLES
*"      CONTENT STRUCTURE E1TXTRW
*"----------------------------------------------------------------------
* Users who hold authorization object Z_HR are exempt: exit without checking.
* SY-SUBRC = 0 means the authority check passed, i.e. the user is authorized.
* DUMMY accepts any ACTVT value, since the step above does not prescribe one.
  AUTHORITY-CHECK OBJECT 'Z_HR'
           ID 'ACTVT' DUMMY.
  IF SY-SUBRC = 0.
    EXIT.
  ENDIF.

  DATA: BEGIN OF BALMI.
          INCLUDE STRUCTURE BALMI.
  DATA: END OF BALMI.
  DATA: BEGIN OF SPAR OCCURS 10.
          INCLUDE STRUCTURE SPAR.
  DATA: END OF SPAR.
  DATA: BEGIN OF BALNRI OCCURS 10.
          INCLUDE STRUCTURE BALNRI.
  DATA: END OF BALNRI.
* Internal table with the patterns (table names) to search for.
  DATA: BEGIN OF PAT_ITAB OCCURS 0,
          PATTERN(6),
          FOUND(1),
        END OF PAT_ITAB.
  DATA: FOUND(1) VALUE 'N'.

  REFRESH PAT_ITAB.
  REFRESH DATA_TAB.
  REFRESH EMAIL_SEND.

* Problem class: 1 very important, 2 important, 3 medium, 4 additional information
  BALMI-PROBCLASS = 2.
* Detail level: 1 immediate message display, 2 message display on request,
* 3 message display on further request
  BALMI-DETLEVEL = 1.
  BALMI-MSGTY  = 'I'.
  BALMI-MSGID  = 'ZK'.
  BALMI-MSGNO  = '001'.
  BALMI-MSGV1  = 'HR tables'.    " &1 in message ZK 001
  BALMI-MSGV2  = PROG.           " &2
  BALMI-MSGV3  = USER.           " &3
  BALMI-MSGV4  = SY-UZEIT.       " &4
  BALMI-ALTEXT = 'Standard text'.

* Table names to watch for.
  PAT_ITAB-PATTERN = 'PA0001'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA0002'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA0007'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA0008'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA0025'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA0183'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.
  PAT_ITAB-PATTERN = 'PA9002'. PAT_ITAB-FOUND = 'N'. APPEND PAT_ITAB.

* Scan every line of the source being saved for each pattern (substring match).
  LOOP AT CONTENT.
    LOOP AT PAT_ITAB.
      IF CONTENT-TLINE CS PAT_ITAB-PATTERN.
        PAT_ITAB-FOUND = 'Y'.
        MODIFY PAT_ITAB.
        FOUND = 'Y'.
      ENDIF.
    ENDLOOP.
  ENDLOOP.

  IF FOUND = 'Y'.
* Write the alert to application log object ZHR1 (view with SLG1).
    CALL FUNCTION 'APPL_LOG_WRITE_MESSAGE_PARAMS'
         EXPORTING
              OBJECT     = 'ZHR1'
              MESSAGE    = BALMI
         TABLES
              PARAMETERS = SPAR.
    CALL FUNCTION 'APPL_LOG_WRITE_DB'
         EXPORTING
              OBJECT                = 'ZHR1'
         TABLES
              OBJECT_WITH_LOGNUMBER = BALNRI.

* Build the mail body and send it.
    CONCATENATE 'User :' USER INTO DATA_TAB-LINE SEPARATED BY SPACE.
    APPEND DATA_TAB.
    CONCATENATE 'Program :' PROG INTO DATA_TAB-LINE SEPARATED BY SPACE.
    APPEND DATA_TAB.
    CONCATENATE 'Date/time:' SY-DATUM '/' SY-UZEIT INTO DATA_TAB-LINE
                SEPARATED BY SPACE.
    APPEND DATA_TAB.
    DATA_TAB-LINE = 'Accessing table(s) :'.
    APPEND DATA_TAB.
    DATA_TAB-LINE = '--------------------'.
    APPEND DATA_TAB.
    LOOP AT PAT_ITAB.
      IF PAT_ITAB-FOUND = 'Y'.
        DATA_TAB-LINE = PAT_ITAB-PATTERN.
        APPEND DATA_TAB.
      ENDIF.
    ENDLOOP.
    PERFORM SEND_EXPRESS_MAIL.
  ENDIF.
ENDFUNCTION.

* Subroutine (belongs in an F01 include of the function group).
FORM SEND_EXPRESS_MAIL.
  EMAIL_DATA-OBJ_NAME   = 'MESSAGE'.
  EMAIL_DATA-OBJ_DESCR  = 'Security Alert'.
  EMAIL_DATA-OBJ_LANGU  = 'E'.
  EMAIL_DATA-SENSITIVTY = 'P'.
  EMAIL_DATA-OBJ_PRIO   = '1'.
  EMAIL_DATA-NO_CHANGE  = 'X'.
  EMAIL_DATA-PRIORITY   = '1'.
* The recipient is configured in ZPATH under key HR_MASTER.
* No entry, or the value 'NONE', disables the mail.
  SELECT SINGLE * FROM ZPATH WHERE ZUSE = 'HR_MASTER'.
  IF SY-SUBRC <> 0 OR ZPATH-ZLOCATION = 'NONE'.
    EXIT.
  ENDIF.
  EMAIL_SEND-RECEIVER  = ZPATH-ZLOCATION.
  EMAIL_SEND-REC_TYPE  = 'U'.    " Internet mail address
  EMAIL_SEND-EXPRESS   = 'X'.    " Express: pop up in the SAP dialogue
  EMAIL_SEND-TO_ANSWER = 'X'.
  APPEND EMAIL_SEND.
  CALL FUNCTION 'SO_NEW_DOCUMENT_SEND_API1'
       EXPORTING
            DOCUMENT_DATA  = EMAIL_DATA
            DOCUMENT_TYPE  = 'RAW'
            PUT_IN_OUTBOX  = 'X'
       TABLES
            OBJECT_CONTENT = DATA_TAB
            RECEIVERS      = EMAIL_SEND.
ENDFORM.
*************************END OF FUNCTION MODULE ZH_VERIFY source code*****************
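The check in ZH_VERIFY is a whole-line substring test (CS) for each table name, so it also fires on a table name mentioned in a comment, and it cannot see a table that is chosen at runtime through a dynamic FROM clause unless the name appears as a literal. The following Python model of that scan is added here and is not part of the original tip: it strips ABAP comments, matches table names as tokens (literals included, since a literal can feed a dynamic FROM), and flags dynamic FROM clauses for manual review. The sample source lines are constructed for the example.

```python
import re

# Table names the ZH_VERIFY function watches for (the list from the page).
WATCHED_TABLES = {"PA0001", "PA0002", "PA0007", "PA0008", "PA0025", "PA0183", "PA9002"}
TOKEN_RE = re.compile(r"\bPA\d{4}\b", re.IGNORECASE)
# SELECT ... FROM (var): the table is chosen at runtime, so there is no name to match.
DYNAMIC_FROM_RE = re.compile(r"\bFROM\s*\(\s*\w+\s*\)", re.IGNORECASE)


def strip_comment(line):
    """Return the code part of an ABAP line: '*' in column 1 is a full-line
    comment, a double quote outside a '...' literal starts a trailing comment."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def scan_source(lines):
    """Return (hits, comment_only, dynamic_lines): watched tables referenced in
    code ({table: [line numbers]}, literals included because 'PA0008' in a literal
    can feed a dynamic FROM), watched tables named only in comments (a whole-line
    CS check as in ZH_VERIFY alerts on those too), and lines with a dynamic FROM."""
    hits, in_comments, dynamic_lines = {}, set(), []
    for no, raw in enumerate(lines, 1):
        code = strip_comment(raw)
        in_comments.update(m.group(0).upper() for m in TOKEN_RE.finditer(raw[len(code):]))
        if DYNAMIC_FROM_RE.search(code):
            dynamic_lines.append(no)
        for m in TOKEN_RE.finditer(code):
            name = m.group(0).upper()
            if name in WATCHED_TABLES:
                hits.setdefault(name, []).append(no)
    comment_only = {t for t in in_comments & WATCHED_TABLES if t not in hits}
    return hits, comment_only, dynamic_lines


# Constructed sample source (not from the page): one direct read, one dynamic read
# prepared through a literal, and two table names that only appear in comments.
SAMPLE = [
    "* Old version read PA0002 directly; kept for reference",
    "DATA: lv_tab TYPE tabname.",
    "SELECT * FROM pa0008 INTO TABLE lt_pay. \" basic pay",
    "lv_tab = 'PA0001'.",
    "SELECT * FROM (lv_tab) INTO TABLE lt_any.",
    "WRITE: / 'done'. \" PA0183 is not read here",
]
```

Running `scan_source(SAMPLE)` reports PA0008 and PA0001 as real references, PA0002 and PA0183 as comment-only mentions, and line 5 as a dynamic read to review by hand.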