ABAP log

September 24, 2007

Comparing two SAP Query infosets without SQ02.

Filed under: ABAP, SAP — abaplog @ 8:33 pm

One of the nice features of SAP Query is that when you build an infoset for it, you can, in addition to reading data directly from SAP database tables, use plain ABAP code to implement some custom data extraction logic. The only problem with that is security. Normally, SAP Query is used by both developers and end-users, so that many companies allow building queries directly in test or even production systems. But who wants ABAP being written directly in production? On our system you can still build queries based on existing infosets, but changing the infosets is allowed only in our development system. This works well, the only problem is that in the very beginning, changing the infosets was possible in the production system too. And now, before changing an infoset in development, we have to compare its current version against one in the production system. Without having an authorization for SQ02, of course.

As I often do, I looked for alternatives. SQ02 allows you to print a kind of report where the whole infoset, along with selection logic and even manually written ABAP will be shown. And as it often happens, this is done by some ABAP report being called by the transaction, with no additional authority checks in report. Which means, I can get the whole structure of my infoset without SQ02, just by running this report. The report’s name is RSAQSHSG, and all it needs is the infoset name and the output mode, where you can put ‘A’ to see the whole. No tricks, simple and legal.

Advertisements

2 Comments »

  1. Your article is very helpful but I am struck in almost same kind of situation.My client is asking me to take away authorization to change or create ABAP codes in any infoset in PRD for all the admin users.This is fine it can be easily taken out but the issue is they want us to make sure that the admin who create a infoset cannot even upload an infoset from quality to Production if in case that infoset contains any ABAP coding but the authorization should check also if there is no ABAP coding in the infoset and it is just for table join then it should let the admin upload the infoset.

    This is really confusing do you have any suggestions?

    Comment by Abhi — April 16, 2008 @ 11:17 pm

  2. I’d solve such complicated problems by establishing proper (and strict) code QA procedures.

    Comment by abaplog — April 19, 2008 @ 6:59 pm


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: