Shared objects memory

ABAP programs (standard SAP and custom) use the shared memory objects technology.

Questions that will be answered in this blog are:

  • How to set the shared objects memory size?
  • How to monitor usage of shared objects memory?

Monitoring shared objects

Shared objects can be monitored with transaction SHMM:

In the start screen you can see the objects currently loaded and how much memory they consume. From this screen you can also delete and invalidate the shared memory objects.

The deletion can lead to short dumps. Only use this in emergency cases and when you are really sure.

In the second tab you can see the total memory overview:

Setting shared memory objects memory size

In RZ11 with system parameter abap/shared_objects_size_MB you can set the shared object size in MB. A restart of the system is required to activate any change.

Older documentation says 500 or 1000 MB is sufficient. In newer systems a value of 3000 to 5000 is not uncommon.

Direct table hacking

Directly changing data in an SAP table is the IT admin's and IT auditor's worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and, very important, put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: none. In audit logging you can see the user started SE37 in test mode, but you cannot see which function module was executed, nor is the data change logged.

Prevention of this method: deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: the SAP audit log (activation of audit log is explained in this blog) shows the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.
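
The two detection points above, as an added example that is not from the original blog or from SAP: a Python script that scans an exported audit log for SE37 starts (the only trace of method 1) and for debugger field changes (method 2). The semicolon-separated export layout, the sample rows and the message IDs AU3, A19 and CUL are assumptions to verify against your own system.

```python
import csv
import io

# Constructed sample of an audit log export (semicolon-separated). The column
# layout is an assumption for this example, not a format defined on this page.
SAMPLE_EXPORT = """\
date;time;user;msgid;tcode;text
2024-05-02;09:14:07;JDOE;AU3;SE37;Transaction SE37 started
2024-05-02;09:20:31;JDOE;AU3;VA03;Transaction VA03 started
2024-05-02;10:02:44;ASMITH;AU3;SE16;Transaction SE16 started
2024-05-02;10:03:10;ASMITH;A19;SE16;Field contents changed in debugger
2024-05-02;11:45:00;BKING;AU3;SE16;Transaction SE16 started
"""

# Assumed message IDs; confirm them against the audit log event definitions
# of your own release before relying on them.
TCODE_START = "AU3"
DEBUG_CHANGE_IDS = {"A19", "CUL"}
WATCHED_TCODES = {"SE37"}  # method 1 leaves only this trace


def find_suspicious(export_text):
    """Return a list of (severity, user, timestamp, reason) findings."""
    findings = []
    last_tcode = {}  # user -> most recent transaction start seen
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        user, msgid, tcode = row["user"], row["msgid"], row["tcode"]
        stamp = f'{row["date"]} {row["time"]}'
        if msgid == TCODE_START:
            last_tcode[user] = tcode
            if tcode in WATCHED_TCODES:
                # Module name and data change are not logged: manual review.
                findings.append(("review", user, stamp, f"{tcode} started"))
        elif msgid in DEBUG_CHANGE_IDS:
            # Tie the debugger change to the transaction the user was in.
            context = last_tcode.get(user, "unknown")
            findings.append(("alert", user, stamp,
                             f"debug/replace after {context}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

An SE37 start is only a review item, because the log does not show which function module was tested; a debugger field change is a direct alert.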

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the tcode is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control over which application server it will run on): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to the ST01 trace.

But the result is more comprehensive, since it can take errors only, with duplicates filtered, and take data from all application servers. This makes the result complete and makes it easier to catch authorization issues.

Background

The background and all features of STAUTHTRACE are described in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE.

Generating substitution and validation rules

In the FICO module the consultant can define substitution and validation rules. These rules must be generated before they are active.

Questions that will be answered in this blog are:

  • How can I generate substitution and validation rules?
  • Where can I find more background on substitution and validation rules?

Substitution and validation rules generation

Go to SE38 and start program RGUGBR00:


Simply select the correct application area as indicated by the FICO consultant (this area can be FI, CO, etc). Select Generate validations and Generate Substitutions. Now execute.

Transport and system copies

You will need to run program RGUGBR00 locally on the system after the transport import is done.

Also after a system copy program RGUGBR00 must be run again.

Background on substitutions and validations

The full functional background on substitution and validation can be found in this SAP wiki.