Authorization NOTE Impact App
The Authorization NOTE Impact App finds used impacted objects based on changes to AUTHORITY-CHECK statements introduced by SAP Notes.
The App is provided with one of more transports, from which it obtains a set of changing objects on an Analysis System. It uses usage data obtained from a Performance History System to find a set of used impacted objects, and identifies the impact of security authorizations on these objects, also identifying impacted roles.
The most-at-risk objects are compared on the Analysis System and a Comparison System. The App produces an Dashboard report and an associated Excel report.
A user with LiveCompare Editor privileges must prepare this App making sure that performance history data is available for the ‘Performance History System’ RFC Destination.
DevOps Categories
Development, Testing, InfoSec.
Prerequisites
If a support pack or transport has not been applied to the Analysis system, it must be disassembled before it can be analyzed by the App. This can be done in SAP by running the SAINT transaction and selecting ‘Disassemble OCS Package’ from the Utilities menu. Alternatively, the support pack or transport may be disassembled in LiveCompare using the Package Disassembler App.
The App requires that SAP’s Where Used indexes are up to date on the Analysis system. For further details, see the Step 1 (As-Is) - Checking the Integrity of the Where Used Indexes help topic.
You should make sure that performance history data is available on the RFC Destination selected for the ‘Performance History System’. Select the RFC Destination in the LiveCompare hierarchy and click the PHD tab. Select the source for performance history data, and if necessary the number of months of data to retrieve, then click ‘Update Data’. The performance history data may also be retrieved using a schedule. See the Retrieving Performance History Data help topic for details.
Running the App
To run the Authorization NOTE Impact App, select the App from the Apps screen and create an App variant. Complete the variant screen as follows:
- Set the ‘Analysis System’ field to the RFC Destination for the system that contains the transports or objects to be analyzed.
- Set the ‘Performance History System’ field to the RFC Destination for the system from which performance history data has been obtained.
- Set the ‘Comparison System’ field to the RFC Destination for the system on which to compare the most-at-risk executables.
Click ‘Run’. When the variant has completed, its results may be accessed from the App Cockpit screen.
App Results
The Authorization NOTE Impact App generates an Excel report which includes the following spreadsheets.
Home
This spreadsheet lists changing objects (in the CHILD_TYPE and CHILD_NAME columns) and their associated transports. Click a hyperlink in the CHILD_NAME column to display an Object Differences report for the selected object.
The IMPACTED_OBJECTS column displays the number of impacted objects for each changing object. Click a link in this column to display the impacted objects in the Impacted Objects spreadsheet.
The AUTH_OBJECT column displays the AUTHORITY-CHECK object associated with each changing object.
Impacted Objects
This spreadsheet lists used impacted objects in the NAME and TYPE columns, and the objects that impact them in the CHILD_TYPE and CHILD_NAME columns. The usage count for each impacted object according the available performance history data is shown in the USAGE column.
The IMPACTED_ROLES column lists the number of roles impacted by each impacted transaction code (this column is set to 0 if there are no impacted roles). Click a hyperlink to display the objects impacted roles in the Impacted Roles spreadsheet.
The USERS column lists the number of users of the impacted object according to the available performance history data. Click a hyperlink to display the object’s users in the Impacted Users spreadsheet.
Impacted Roles
This spreadsheet lists details for the impacted roles based on impacted transaction codes, including each role’s name, and its associated impacted transaction code. The results are filtered to only include roles assigned to active accounts.
Impacted Users
This spreadsheet lists each impacted object, and its usage count for each user according to the available performance history data. If a hyperlink is selected in the Impacted Objects spreadsheet’s USERS column, the Impacted Users spreadsheet lists the users of the associated object.