Xiting Authorizations Management Suite (XAMS)

Introducing Xiting ABAP Alchemist

by Alessandro Banzer

The ABAP Alchemist is a dedicated module within the Xiting Authorizations Management Suite (XAMS) that can help you optimize custom ABAP code and make recommendations for missing authorization checks.

The development of custom programs has to balance several requirements at once: security, stability, extensibility, and ease of use. Security is a central aspect of any authorization concept. To achieve ICS (internal control system) compliance, authorization checks must be implemented in the source code of custom ABAP programs. These checks make it possible to restrict access to data in the SAP system in a differentiated way and to protect critical actions through proper authorization assignments. Only when custom ABAP developments contain well-placed, correctly implemented authorization checks can access restrictions be enforced through authorization roles at all. Reliable protection of business data is therefore directly tied to the proper development of custom ABAP programs.

ABAP Alchemist – Scan Report

The ABAP Alchemist supports developers during the development process by providing suitable proposals for the proper implementation of authorization checks and the optimization of the source code with regard to stability and performance. At the same time, the tool supports authorization administrators in the identification and maintenance of proper default values for authorizations in the SAP system.

Technical Detail Analysis

With the help of the ABAP Alchemist, you can optimize your custom developments with regard to existing security audits and correct errors in the implementation of authorization checks. Also, missing authorization checks are proposed to actively close potential vulnerabilities of your custom developments.

The ability to save test definitions as variants allows you to set up flexible test scenarios for use with the ABAP Alchemist. The ABAP Alchemist provides a broad range of detailed analysis checks to ensure the proper and safe implementation of your custom developments.

In the basic view of the analysis, you get a complete overview of all results. A call stack analysis function lets you examine the call structure within your custom developments; it supports developers, as well as authorization administrators, in identifying nested function calls within the program code. This gives you a clear picture of the call sequence, so you can quickly analyze where in the program, and at which call level, each result was found.

Compare Default Values

An authorization role in an SAP system ultimately represents the collection of authorizations that a user should receive to do a specific set of tasks in the system. For authorizations, SAP provides default values that ensure correct operation. However, custom developments do not come with default values and hence need to be maintained manually.

The ABAP Alchemist allows you to scan entire roles and compare the authorizations with the default values of SAP in SU24. Missing values can be added or expanded directly in SU24. This helps ensure that SU24 proposal values are correctly maintained and that future role maintenance overhead is thereby considerably reduced.

API-Finder

Use the API search engine within the ABAP Alchemist to improve your custom developments with regard to coding quality and stability. With the API Finder, you can locate function modules that are already available in the system, thus reducing the programming effort.

For example, you can use the functions provided by SAP instead of programming an authorization check yourself. Since these APIs are standard functions, this saves a lot of time and effort. Because proven SAP standard functions are used, the stability of complex authorization check chains and the functionality of your custom programs increase accordingly.
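As a concrete illustration of the two points above (a missing authorization check in custom code, and using SAP standard functions rather than a self-written check), here is an added ABAP example. It is not code from Xiting or from the ABAP Alchemist; the report name, the custom table ZCUSTOMER_DATA and the custom transaction ZCUST_DISPLAY are hypothetical. The authorization objects S_TCODE and S_TABU_NAM, the function module AUTHORITY_CHECK_TCODE and message 398 of class 00 are SAP standard.

```abap
*&---------------------------------------------------------------------*
*& Report ZXI_AUTH_CHECK_DEMO (hypothetical name, added example)
*& Two variants of a read on a custom table: one without any
*& authorization check (the kind of finding a code scan reports) and
*& one guarded by SAP's standard AUTHORITY-CHECK statement and the
*& standard function module AUTHORITY_CHECK_TCODE instead of a
*& hand-written check.
*&---------------------------------------------------------------------*
REPORT zxi_auth_check_demo.

" Hypothetical custom table and transaction; replace with objects that
" exist in your system.
PARAMETERS: p_table TYPE tabname DEFAULT 'ZCUSTOMER_DATA',
            p_tcode TYPE tcode   DEFAULT 'ZCUST_DISPLAY'.

START-OF-SELECTION.
  PERFORM read_with_check USING p_table p_tcode.

*---------------------------------------------------------------------*
* Variant 1: missing authorization check.
* Anyone who can start the report can read the table, regardless of
* their roles. This is the pattern a scan flags as a missing check.
*---------------------------------------------------------------------*
FORM read_without_check USING iv_table TYPE tabname.
  DATA lv_count TYPE i.

  SELECT COUNT(*) FROM (iv_table) INTO @lv_count.
  WRITE: / 'Rows readable:', lv_count.
ENDFORM.

*---------------------------------------------------------------------*
* Variant 2: the same read, guarded by SAP standard checks.
*---------------------------------------------------------------------*
FORM read_with_check USING iv_table TYPE tabname
                           iv_tcode TYPE tcode.
  DATA lv_count TYPE i.

  " 1) Start authorization for the transaction (object S_TCODE), done
  "    with the standard function module rather than a self-written
  "    lookup of the user's roles.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = iv_tcode
    EXCEPTIONS
      ok     = 0
      not_ok = 1
      OTHERS = 2.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No start authorization for' iv_tcode.
    RETURN.
  ENDIF.

  " 2) Table-level display authorization (object S_TABU_NAM, activity
  "    03 = display). The check is evaluated against the user's
  "    profiles; the values a role needs are maintained as SU24
  "    proposals for the custom transaction so PFCG pulls them in.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_table
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " sy-subrc 4: user lacks the required value; 12: object not in any
    " of the user's profiles. Either way, abort before reading data.
    MESSAGE e398(00) WITH 'No display authorization for table' iv_table.
    RETURN.
  ENDIF.

  " Only reached when both checks passed.
  SELECT COUNT(*) FROM (iv_table) INTO @lv_count.
  WRITE: / 'Rows readable:', lv_count.
ENDFORM.
```

The first form is kept only to show the pattern a scan would report; the report itself calls the guarded variant. Two details matter in practice: the check must run before any data is read, and the proposal values for S_TCODE and S_TABU_NAM must be maintained in SU24 for the custom transaction, otherwise roles built in PFCG will not contain the authorization the code requires and the check will fail for every user.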

Conclusion

With the ABAP Alchemist, you can quickly and easily analyze ABAP program code for errors. This allows you to correct identified errors manually and thus optimize your custom developments. The possibility of comparing proposal values directly reduces your future maintenance effort accordingly. With the API Finder, you can create custom developments more efficiently, and the overall stability of your developments increases.

With the help of these analysis possibilities for custom developments, you gain an enormous time advantage compared to manual optimization.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.