【正文】 d for a particular field. If a table is specified, there must be procedures for ensuring that the table’s contents are kept uptodate. Restricting Access Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function fields can make changes to the ABAP/4 Dictionary or use the database table utility. It is not possible to further restrict access to alterable tables. Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System Menu Path: Development ABAP/4 Dictionary Info System Dictionary changes should be reviewed daily.ABAP/4 ProgrammingABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C.ABAP/4 is a prehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database.ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system’s environment.1. Location On Application Server Restricting AccessEach ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.ABAP that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP. SUBMIT The user may start programs interactively BTCSUBMIT The user may submit programs for execution in the background partition. EDIT The user can maintain attributes and text elements and use utilities for copying and deleting reports ( This does not allow the user to edit ABAP/4 programs). VARIANT The user may maintain variants. Variants are parameters that are passed to an ABAP program.In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs), can run any of the standard ABAPs. It is remended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority. ABAPs may be developed online using the SAP ABAP editor. The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.No users should have S_EDITOR. Otherwise they may write a dynamic SQL that allows plete access to all client’s data.ABAP/4 QueryABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which the user would otherwise not have access. Restricting Access Must be assigned to a user group before they can be run User group contains the functional areas and the names of all people authorized to run queries. Ensure that procedures are in effect to update the user groups when job assignments change. Any user can run any queries defined for a user group of which he/she is a member, regardless of who wrote the query. In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object. In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.Operating Systems1. Unix StartUp Profiles are stored in /usr/sapSAP System Name/sys/profile2. NTDatabase Management Systems1. OracleDynpros Screen GeneratorDynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.1. Dynpros can be developed online using the standard SAP Dynpro Screen Painter Menu Path: Tools Case Development Screen Painter.2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved. Number RangesSAP provides an “internal” and “external” numbering mechanism1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.2. Both internal and external numbers are stored in a file SYSV.MatchcodesThese are secondary indexes to enable users to find specific records when the primary key is unknown.1. Stored in Table MAC2. Table MAC can be edited online using transaction SM31 and accessible through the Menu Path: System Services Table Maintenance. Weaknesses 1. In the standard system, none of the ABAPs are assigned to authorization groups.2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements. Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with AUTHORITYCHECK statement, the users authority can be checked