Saturday, August 29, 2015

t-code STAUTHTRACE

I recently faced authorization issue. As usually I sent an output of t-code SU53 which is evaluate of authorization check to SAP security team. As colleague from the security had some issues with finding the objects which authorization was missing to be granted for my user we sat together to see the issue. While we were working on it he showed my new interesting t-code of which existence I wasn’t aware before. It is the t-code STAUTHTRACE.

The t-code allows system-wide trace evaluation. This solves very common issue in case of system with multiple application servers. In such a case you need to perform analysis of authorization checks on particular server where user is logged to.
The trace in the t-code is very detailed. It basically shows all trace (similarly to t-code SU22) needed for analyze any kind of AUT issues. The trace so detailed but is limited authorization checks only.


The new t-code is available as of following NW releases: NW Basis 700 SP27, 701 SP12, 702 SP12, 730 SP8, 731 SP5 and NW 74+.


More information:
1707841 - STAUTHTRACE: System-wide trace evaluation
1603756 - Using StAuthTrace to record authorization checks

Saturday, August 8, 2015

Where to find information about SAP Security?

Every day SAP admins are facing many challenges. One of them is related to security. Also someone one may not consider security as an issue. But according surveys like here or here we can see that security is very important in SAP systems as well. Within this post I want to highlight few pages where we can learn about different aspects about security within SAP systems.


SAP Security Notes: service.sap.com/securitynotes

Patch Day MM/YYYY Notes - SAP releases security notes (a fixes of wide range of security issues discovered within SAP software) within SAP Notes that are called Patch Day Notes; search for patch day at service.sap.com/notes

service.sap.com/support -> Help & Support -> Search for SAP Notes and SAP Knowledge Base Articles -> SAP Security Notes -> White Papers or access it via direct link: SAP Security Recommendations

1536783 - SAP SECURITY RECOMMENDATIONS - PROTECTING JAVA- AND ABAP BAS

Failed transport contains objects related to new source system

Recently I faced one strange transport issue. I developed a new data flow related to newly created source system. That source system had complete setup from basis point of view in target BW system as well. It correctly appeared under Source Systems area in Modeling of TA RSA1.  Even Check connection functionality (available at right click on source system name) worked for the new source system in the target system. However my transport with had the flow using the source system (so called “source system dependent objects”) failed with following errors:

Transformation 0G2M3XTZUMRNTOQTV4EH6PK6VGDNVHLD inactive; action cannot be executed      Message No. RSBK260
Saving Objects with Type Data Transfer Process
Saving Data Transfer Process DTP_00O2SPBAQDZQZ6KPQH9N4U2NT
Transformation 0G2M3XTZUMRNTOQTV4EH6PK6VGDNVHLD inactive; action cannot be executed
Error while saving Data Transfer Process DTP_00O2SPBAQDZQZ6KPQH9N4U2NT
End of after import methode RS_DTPA_AFTER_IMPORT (Activation mode) - runtime: 00:00:00

As per error I checked TRFN and DTP but they both were fine. I also reactivated the TRFN via report RSDG_TRFN_ACTIVATE but error was still there. I even checked corresponding entries in table RSTRAN and active version was there.

Then I finally got an idea to check table RSLOGSYSMAP. This table contains mapping entries of logical systems. It is used while import phase of transport takes in place. If there is a BW object related to source sys (e.g. datasource) in the transport the table is used to map source system in source BW system to target source system in target BW system. If the source mapping is not maintained then the transport fails as in my case. The problem is that from the error which is shown in the transport log it is not possible to find out this root cause. Notice that the table RSLOGSYSMAP must have the entries for the system conversion in target BW system of the transport.

Tuesday, August 4, 2015

Converting Oracle DB format of date to SAP date format

There are many data flows picking up the data from "external database" based source systems in BW. One of most used DB system is Oracle. To connect BW system to Oracle DB a technology called DB Connect is very often used. As Oracle and SAP are different systems designed by two different companies there are many differences in there while comparing each other. The differences are there as well as from date and time related fields representation.

Therefore there are challenges while integrating data from Oracle DBs into SAP BW. Especially when converting date and time fields in Oracle and into format compatible with SAP BW. Let's take an Oracle date format for example. It has a format as DD-MMM-YY means it has 7 characters (e.g. today's date is represented by: 03-AUG-15). Whereas SAP format is 8 characters long in format YYYYMMDD (see Data Element SYDATUM; Domain SYDATS or Data Type DATS). If we just simply assign Oracle date field to SAP one it won't get proper data because the fields are not compatible.

Now; how to solve this? On SCN there are many discussions (e.g. here or here) on this. Most of it suggest parsing value as they come from Oracle and concatenate it at the end to field in SAP format of date. However this is not proper approach. The way how Oracle produce the format of the data field depends on national language settings (NLS) used with the database connection. Therefore the date field can come in many different flavors as per many configuration settings. What actually needs to be done is to force Oracle to produce the date field in desired format. This can be achieved by adding function TO_CHAR into e.g. SELECT statement while we extracting the data. E.g. a separate view can be created in Oracle to add TO_CHAR function. Such a SELECT statement would look like:

select  to_char(,'YYYYMMDD') as dat from where ;


For more information see:

518241 - DB Connect in BW for an external Oracle database