Advanced SAP Features

This topic describes how to use security, BAPIs, joins, and tracing.

Support for User Security

The Native interface for SAP has been enhanced to handle the user ID and password in the following syntax:

ENGINE SQLSAP SET CONNECTION_ATTRIBUTES system/user,password:'client'

This feature allows you to run a secured request that involves the following:

  • One or more BAPIs, as BAPIs are secured by SAP.
  • SAP delivered logical databases, as the server code is secured by SAP.
  • Function modules (either SAP or customer) that are fully prototyped, including the proper AUTHORITY-CHECK statements.

Using Customized Security Exits

To prevent malicious injection of ABAP code in the context of a WebFOCUS query, the function modules provided by Information Builders (DYNAMIC_RUN, REP_CREATE, REP_GET_B_D, REP_RUN) now, by default, check the dynamically generated ABAP4 code against a whitelist of legitimate, permitted commands (see the SEC_CHK function module for the list of permitted commands). Any command that is not whitelisted is denied execution.

These function modules have also been enhanced to insert calls to customer-defined function modules on start (USR_EXT_ENT*) and exit (USR_EXT_EXT*). Initially, the calls are inserted to dummy versions of the function modules supplied by Information Builders. You can modify these dummy versions to implement all additions and authorizations (SAP authority checks) required by your site. These user exits will be called with the same set of parameters as the original calling function module (IMPORT/TABLES only).
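The deny-by-default whitelisting described above can be modeled outside SAP as follows. This is an added example in Python, not the SEC_CHK code or anything shipped with the adapter; the ALLOWED set, the function names, and the sample source are assumptions made for illustration. It shows why such a check must split statements on periods only outside literals and comments before looking at each statement's leading keyword.

```python
import re

# Hypothetical allowlist for this sketch; the adapter's real list is in SEC_CHK.
ALLOWED = frozenset({"REPORT", "TABLES", "DATA", "SELECT", "ENDSELECT",
                     "IF", "ELSE", "ENDIF", "LOOP", "ENDLOOP", "WRITE"})

def statements(source):
    """Yield ABAP statements, split on periods outside literals and comments."""
    buf, quote = [], None
    for line in source.splitlines():
        if line.startswith("*"):            # '*' in column 1: comment line
            continue
        for ch in line:
            if quote or ch in "'`":         # literal text and its delimiters
                buf.append(ch)
                quote = None if ch == quote else (quote or ch)
            elif ch == '"':                 # inline comment to end of line
                break
            elif ch == ".":                 # statement terminator
                stmt, buf = "".join(buf).strip(), []
                if stmt:
                    yield stmt
            else:
                buf.append(ch)
        if quote:                           # literal left open: fail closed
            raise ValueError("unterminated literal")
        buf.append(" ")
    if "".join(buf).strip():                # trailing text without a period
        yield "".join(buf).strip()

def leading_keyword(stmt):
    m = re.match(r"[A-Za-z][A-Za-z0-9_-]*", stmt)
    return m.group(0).upper() if m else ""

def check_program(source):
    """Return (allowed, denied keywords); anything not allowlisted is denied."""
    try:
        denied = [k for k in map(leading_keyword, statements(source))
                  if k not in ALLOWED]
    except ValueError:
        return False, ["<unparseable>"]
    return not denied, denied

# Constructed sample of generated code, not output from the adapter.
SAMPLE = """REPORT ZSAMPLE.
* DELETE FROM sflight. (comment line, ignored)
DATA: carr(3) TYPE c.   " inline comment. with a period
WRITE: / 'a. b', carr.
"""
```

Source that cannot be parsed, such as a literal left open at the end of a line, is rejected rather than skipped, so the check fails closed.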

Example: Sample Customer Authority Check

function /IBI/ZIBI_USR_EXT_ENT.
*"----------------------------------------------------------------------
*"*"Local Interface:
*" IMPORTING
*" VALUE(REPID) LIKE TRDIR-NAME OPTIONAL
*" VALUE(REPORT_NAME_PREFIX) LIKE RS38L-AREA OPTIONAL
*" VALUE(FUNCPOOL) LIKE RS38L-AREA OPTIONAL
*" VALUE(LDBNAME) LIKE TRDIR-LDBNAME OPTIONAL
*" VALUE(INTERFACE_MODE) LIKE DD03L-INTTYPE OPTIONAL
*" VALUE(JOB_COUNT) LIKE TRDIR-NAME OPTIONAL
*" VALUE(REPID_BD) LIKE RS38L-AREA OPTIONAL
*" TABLES
*" ITAB STRUCTURE CHAR8000 OPTIONAL
*" PROGRAM STRUCTURE ABAPTXT255 OPTIONAL
*" EXCEPTIONS
*" GENERATION_ERROR
*"----------------------------------------------------------------------
 
* -------------------------------------------------------
* delete a catalogued report
* -------------------------------------------------------
*{ INSERT M6DK900965 1
*
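* Check that the current user may display (ACTVT '03') carrier 'AA'.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD 'AA'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc = 4.
* The user lacks the required authorization.
  MESSAGE e045(sabapdocu) WITH 'AA'.
ELSEIF sy-subrc <> 0.
* Any other non-zero return code is also treated as a failure.
  MESSAGE e184(sabapdocu) WITH text-010.
ENDIF.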
 
*} INSERT
* this is now a dummied function module
ENDFUNCTION.

Example: Sample Exit Authorization Check for Create Synonym

The following sample exit, META_USR_SEC, is called during create synonym run-time. For every SAP data source type supported by the adapter, such as TABLE, BAPI, RFC FUNCTION, LDB, or QUERY, the exit can access the corresponding LOCAL INTERFACE structure, which is populated with the list of create synonym candidates. The following prototype code shows an AUTHORITY-CHECK on the current user, SY-UNAME. The authorization object is named Z_table_name, where table_name is the value of 'curval', the create synonym literal parsed from the TABS structure. Its ID authorization field is A_TABNAME, which contains the value of table_name. This dummy version should be customized with the proper authorization call for your site before being implemented.

FUNCTION /IBI/ZIBI_META_USR_SEC.
*"-------------------------------------------------------------------
*"*"Local interface:
*"  TABLES
*"      NODES STRUCTURE  SNODETEXT OPTIONAL
*"      TABS STRUCTURE  DD02VV OPTIONAL
*"      BAPIS STRUCTURE  SWOTFIND OPTIONAL
*"      LDBS STRUCTURE  LDBT OPTIONAL
*"      FUGRS STRUCTURE  TLIBT OPTIONAL
*"      FUNCTIONS STRUCTURE  TFTIT OPTIONAL
*"      DEVCLASSES STRUCTURE  TDEVCVT OPTIONAL
*"      QUERY_FIELDS STRUCTURE  DFIES OPTIONAL
*"-------------------------------------------------------------------
 data: curval(30) type C.
 data: auth_object_name(80) type C.
 
*"-------------------------------------------------------------------
* Insert needed authorization checks here
*"-------------------------------------------------------------------
  CLEAR curval.
  LOOP AT TABS INTO curval.
*-------------------------------------------------------------
* Insert authorization check for the table name in curval here
* ------------------------------------------------------------
     CLEAR auth_object_name.
     CONCATENATE 'Z_' curval INTO auth_object_name.
     AUTHORITY-CHECK OBJECT auth_object_name FOR USER SY-UNAME
     ID 'A_TABNAME' FIELD curval.

     IF SY-SUBRC <> 0.
        RAISE GENERATION_ERROR.
     ENDIF.
  ENDLOOP.   
ENDFUNCTION.

BAPI Support

This release supports most read-only BAPIs, including joins, as described in the following example:

CREATE SYNONYM baseapp/BUS0002_GETLIST
FOR BUS0002/GETLIST
BAPI DBMS SQLSAP AT I46
END
CREATE SYNONYM baseapp/BUS0002_GETDETAIL
FOR BUS0002/GETDETAIL BAPI
DBMS SQLSAP AT I46
END
JOIN BAPI0002_COMP_CODE IN COMPANYCODE_GETLIST TO
CCGD2_COMP_CODE IN COMPANYCODE_GETDETAIL
END
TABLE FILE COMPANYCODE_GETLIST
PRINT
CCGL0_TYPE NOPRINT
BAPI0002_COMP_CODE
BAPI0002_COMP_NAME
CCGD2_CURRENCY
CCGD2_LANGU
IF BAPI0002_COMP_CODE NE '2300' OR '6000'
END

Join Support

The Native Interface supports all joins from and to SAP. For performance reasons, we do not recommend joining to an SAP data source from a non-SAP data source. It is more efficient to hold the keys in a sequential file, and then use the following code:

TABLE FILE SAP
PRINT FIELDS
IF KEYS IS (HOLD)
END
