  • Version 8

    ACE* Guidance Notes

  • PricewaterhouseCoopers ACE* version 8.10 1 of 19

    Table of Contents

    1. What is ACE*?

    2. Why does PwC use ACE*?

    3. Does ACE* have any impact on my system?

    4. Will ACE* download any confidential data?

    5. How can I install ACE*?

    6. Is it possible to change the name of the ABAPs?

    7. How can I run ACE*?

    8. What authorisations are required to run ACE*?

    9. How do the ABAPs work?

    10. What is the volume of data downloaded and how long does ACE* take to run?

    11. How can I transfer the downloaded data to the ACE* user?

    1. What is ACE*?

    ACE* is an abbreviation for Automated Controls Evaluator.

    SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and security data from SAP and analyses it to determine whether controls have been appropriately designed and implemented into SAP.

    In brief, ACE* consists of:

    * two ABAPs which are the SAP part of the tool and download the required information from SAP; and
    * the ACE* tool (PC part) which analyses the security and configuration control elements implemented in a SAP environment.

    To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They have to be SAP release independent and able to adapt to how SAP has been configured and implemented.

    ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation projects (pre go-live testing) as well as performing reviews of productive systems (live testing).

    ACE* version 8 is executable on all SAP R/3 versions 4.7 and higher. Different ABAP versions exist for the various SAP versions.

    2. Why does PwC use ACE*?

    SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary and difficult to use effectively. With ACE*, configuration and security controls can be analysed easily using standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE*, allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas identified for additional work.

    ACE* produces standard exception reports which are easy to understand and help with the subsequent resolution of issues identified.

    ACE* also enables PwC to perform an independent assessment of rule sets developed by the clients using the SAP GRC products. By using ACE*, the client's rule set can be mapped and compared to functions researched in detail. This allows PwC to apply the benefit of research to each client's environment.

    3. Does ACE* have any impact on my system?

    ACE* has been specifically designed to minimise the impact on the SAP environment where it is run, either in terms of system performance or data manipulation. This is because:

    * only two ABAPs are required for ACE*;
    * there are no other objects installed; and
    * the entire process is under your control.

    By sequentially reading and writing from the SAP database to the disk of the application server, any impact on system performance is reduced to a minimum.

    The master ABAP ACE8M generates the temporary ABAP ACE8T. That is the only change that ACE* makes on the SAP system.

    Expressly, ACE* does not:

    * Change any SAP repository objects (tables, structure, ABAPs, etc)
    * Change any table contents

    4. Will ACE* download any confidential data?

    ACE* downloads authorisation, configuration, log and some master data. For certain large tables, ACE will download only specific fields of interest. ACE also has functionality to download detailed transactional data, but this feature is switched off by default.

    PwC uses the same set of ABAPs on multiple SAP versions and for different SAP products. This increases the flexibility and ease of use during the installation process. To achieve this flexibility, the ABAP has been designed to be very dynamic, analysing the SAP environment and searching for the required tables. As such, it is not possible to provide a list of tables up-front. However, we have built in a feature which satisfies the need for transparency.

    The ABAPs write a reference list of all downloaded tables to the file B0002.QJF. The file will show table name, table description and in which file the downloaded data is stored. Please note that for optimization reasons, one table can be stored in multiple files; this is also visible in the reference file mentioned above. With this transparency feature, you have the opportunity to review the downloaded data. Please do not hesitate to contact your PwC contact person if your review raises any questions or you feel that you do not want to hand over certain files.
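The review of B0002.QJF described above can be scripted so that every file belonging to a table of concern is identified before hand-over. The following Python sketch is an added example, not part of the PwC guidance or of ACE* itself; the page does not document the layout of the file, so the tab-separated three-column layout, the sample rows and the watch-list are assumptions constructed for illustration.

```python
import csv
import io

# ASSUMPTION: one tab-separated row per (table, file) pair, in the column
# order the guidance note lists: table name, table description, data file.
# Constructed sample content, not real ACE* output.
SAMPLE_B0002 = (
    "USR02\tLogon data\tB0101.QJF\n"
    "USR03\tUser address data\tB0102.QJF\n"
    "BSEG\tAccounting document segment\tB0200.QJF\n"
    "BSEG\tAccounting document segment\tB0201.QJF\n"
    "\n"
    "T001\tCompany codes\tB0300.QJF\n"
)

# Hypothetical watch-list, built from tables the guidance note itself names
# (user details and posting data).
WATCH_LIST = {"USR03", "ADCP", "ADRP", "BKPF", "BSEG"}


def parse_reference_list(text, delimiter="\t"):
    """Return {table: {"description": str, "files": [str, ...]}}.

    A table can appear on several rows because one table may be stored
    in multiple files.
    """
    tables = {}
    reader = csv.reader(io.StringIO(text), delimiter=delimiter,
                        quoting=csv.QUOTE_NONE)
    for lineno, row in enumerate(reader, 1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(row)}")
        name, description, data_file = (cell.strip() for cell in row[:3])
        entry = tables.setdefault(name.upper(),
                                  {"description": description, "files": []})
        if data_file not in entry["files"]:
            entry["files"].append(data_file)
    return tables


def review(tables, watch_list):
    """Return (flagged tables with their files, sorted files to hold back)."""
    flagged = {t: info["files"] for t, info in tables.items() if t in watch_list}
    withhold = sorted({f for files in flagged.values() for f in files})
    return flagged, withhold


if __name__ == "__main__":
    flagged, withhold = review(parse_reference_list(SAMPLE_B0002), WATCH_LIST)
    for table, files in flagged.items():
        print(f"{table}: {', '.join(files)}")
    print("Files to review before hand-over:", ", ".join(withhold))
```

If the real file uses a different separator or column order, only `parse_reference_list` needs adjusting.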

    5. How can I install ACE*?

    The diagram below shows the steps involved in the process:

    ACE* comprises two custom ABAP programs that need to be loaded into the SAP production environment:

    * ZACE8M.TXT: The master ACE* ABAP
    * ZACE8T.TXT: The temporary ABAP which is called by the master as necessary

    5.1. Copy the ABAP programs onto the SAP GUI client

    The two ABAP files are usually provided either on a floppy disk or by e-mail (both files together are less than 150K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs will be loaded into SAP.

    Note: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and NEVER from within another client (e.g. client 000).

    5.2. Upload the 2 ABAPs into SAP

    The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench. Please note that the ABAPs should always be uploaded in the Development environment and tested before transporting them to the production environment.

    Process steps shown in the diagram:

    1. Copy of ABAP ZACE8M.TXT and ZACE8T.TXT
    2. Upload ABAPs to SAP R/3
    3. Start ABAP ZACE8M; output files will be written to the application server
    4. Transfer ABAP output files to a local workstation
    5. Copy files to a PwC PC or burn a CD
    6. Import ABAP data into ACE application

    5.2.1 Create the ACE* program in SAP

    Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

    In the program field enter ZACE8M as the program name and click on Create:

    Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided, i.e. ZACE8M and ZACE8T (ignore the .txt file extension).

    Note: You will need an OSS/Developer key to load the ABAP.

    5.2.2 Assign attributes to the ACE* program

    In the following screen, assign the program attributes as below and click on Save:

    Title: Enter a text that describes the ABAP such as ZACE8M

    Type: Select Executable Program

    Application: Select Cross-application

    Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click Save to save the program attributes.

    A message will be received indicating "Attributes for program ZACE8M saved".

    5.2.3 Deploy the ACE* ABAP into the SAP program created

    Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

    Copy and paste the code from the ZACE8M.txt text file as displayed below.

    Select the Save button. A message will be received indicating that the program has been saved as displayed below.

    Return to the ABAP Editor initial screen using the Back Arrow in the toolbar.

    5.2.4 Activate the ABAP

    The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the Activate button (or use: Program > Activate).

    Select the row containing ZACE8M and click on the OK button:

    5.2.5 Load the temporary ABAP

    Repeat steps 2.1 to 2.4 for the program ZACE8T.

    6. Is it possible to change the name of the ABAPs?

    If the ACE* ABAPs do not conform to the naming convention used, it is possible to change their names from ZACE8M and ZACE8T. If this is done, however, the code in ZACE8M has to be changed to ensure that the master ABAP calls the re-named temporary ABAP and not ZACE8T. This requires one line of code to be changed, which is found in the ZACE8M ABAP.

    To change the names of the ABAP programs, search for the line:

        Data: subrepid like sy-repid value 'ZACE8T'

    and replace ZACE8T with the new name for the ABAP program.

    7. How can I run ACE*?

    To run ACE*, only the master ABAP, ZACE8M, needs to be started. ZACE8M will generate and run the temporary ABAP program ZACE8T as and when required without further manual intervention.

    7.1 Create a variant of ZACE8M

    ZACE8M should be executed in the background. To run the ABAP in the background, a variant of the ABAP needs to be created.

    To create a Variant, go to the ABAP Editor (transaction SE38). Type ZACE8M and select the Variant sub-object, then click the Variants button on the toolbar:

    Enter a variant name (e.g. 0001) and click on the Create button:

    7.2 Select the ACE* parameters

    The first two ABAP parameters in the variant should be maintained:

    In most cases, the default parameter values should be correct (except the application server path and the start of the financial year as mentioned below). The different parameters are explained below:

    | Section | Parameter | Description | Recommendation |
    |---|---|---|---|
    | Core Parameters | Path on the application server | This defines the specific path on the application server where the ACE* data will be downloaded to. | This must be maintained (see the note below). |
    | Core Parameters | Start of the financial year | The start of the financial year date is used to download date-related data, such as change documents, etc. | This must be maintained |
    | Scope of Download | Data Report for all clients; Log Analysis for all clients | Defines if data is only downloaded from the current client or all clients in the SAP instance. | Should not be changed |
    | Scope of Download | CDS data | Defines if aggregated change document information will be downloaded. | Should not be changed |
    | Scope of Download | Authorization groups | Defines if tables with authorization groups should be downloaded. | Should not be changed |
    | Scope of Download | Object help information | Defines if authorization object help will be downloaded. | Should not be changed |
    | Scope of Download | Desolved values | Defines if desolved values are downloaded. Desolved values allow ACE* to display a drop down list of possible values for authorization fields. | Should not be changed |
    | Scope of Download | Field status definition | Defines if the tables related to field status are downloaded. | Should not be changed |
    | Scope of Download | Base component | Defines if core tables of the base component are downloaded. | Should not be changed |
    | Scope of Download | With user details | Defines if user information in the tables USR03, ADCP, ADRP is hidden in the download. | Should not be changed |
    | Scope of Download | TLD | ACE* will download data generated by the SAP Performance Monitor. In ACE* this is called Transaction Log Data (TLD). Month, weekly or daily data: specifies the summary level at which the data will be downloaded. Period limit: this setting will limit the data downloaded to respectively the number of months, weeks or days specified. Record limit: this setting will limit the data downloaded to the number of records specified. | Should not be changed |
    | Scope of Download | Module specific downloads | Defines if tables or desolved values for these modules are downloaded. | Should not be changed |
    | Scope of Download | Specify additional tables | Allows additional tables to be included in the download. | Should not be changed |
    | Space limit for tables | Optional data in MB; Special data in MB; Additional data in MB | Defines download limits per table, avoiding any space issues on the application server. The limits are specified in MB! Optional data: data which is not absolutely necessary to analyze authorizations. If not downloaded, then the efficiency of the authorization analysis will be significantly impacted. Most of the configuration data is classified as optional. Special data: data which is handled specially, such as extended download data (see below). Additional data: data which has been selected for download via the parameter "Specify additional tables" (see above). | Should not be changed |
    | Download Strategy and Code Page | Download strategy | Determines the method used by the ABAP to download data from SAP. If "less read rollback" is selected, the ABAP could run long. If the SAP system is very powerful, the value can be switched to "better performance", and then the ABAP is executed faster. | Should not be changed |
    | Download Strategy and Code Page | Code page | Downloads the data in a different code page. This option should never be changed without consultation, since it may impact the readability of the data. | Should not be changed |
    | KPI | KPI Indicators | New feature in piloting phase, please do not use yet. | Should not be changed |
    | KPI | Company Code | New feature in piloting phase, please do not use yet. | Should not be changed |
    | Posting Download | Multiple Selection | Downloads posting information based on BKPF/BSEG and related tables, based on selection criteria, via the ACE ABAP. By default, data will not be downloaded. If selected for download by ticking one of the two options, then please specify filtering criteria, since no limits apply. | Should not be changed |
    | Extended Download | Multiple Selection | Uses the ACE ABAPs to efficiently download large SAP transaction and master data tables. Used largely for CAATs purposes, ready to be used with ACL. By default, data will not be downloaded. If selected for download, then please specify filtering criteria. Although the limits for extended data apply, the downloaded data can get quite big. | Should not be changed |
    | Report Testing | Only Rep | If the selection Only Report Testing (Only Rep) is ticked, then no other parameters above are taken into account (including path). The ABAP will then solely analyze the specified reports and produce an on-line report. NO DATA will be written to the application server. | This must be maintained (see FAQ in ACE* Toolbox). |
    | Report Testing | ABAP Programs | The selection ABAP Programs allows you to specify the reports. If you want to specify multiple reports, then click on the icon to the right of the field, which allows you to specify multiple reports. You can also enter transaction codes; in this case ACE will evaluate the transaction and search for the associated report. | This must be maintained (see FAQ in ACE* Toolbox). |

    In the Path on the application server field, specify the exact location (e.g. [Drive]:\usr\sap\ACE*, for Windows NT, or /usr/sap/ACE*, for UNIX servers) on the application server (or other server with a mapping from the application server) where the downloaded data is to be saved. The directory should have enough free space to accommodate the downloaded data (typically between 500MB and 2GB is required).

    The operating system of the server that the ACE* files (QJFs) are written to must be the same as the SAP application server operating system.

    Click on the Attributes button and enter a name for the variant (e.g. "Variant for ZACE8M") and then click on the Save button. The message "Variant Saved" will be displayed at the bottom of the screen.

    Click on the Save button again and the message "Values of Variant 001 Saved" will be displayed at the bottom of the screen.

    7.3 Run the ABAP

    Execute ACE* in the background by going to the ABAP Editor (Transaction code SA38), entering ZACE8M in the program field and selecting the menu path: Program > Execute > Background:

    Enter the variant name (i.e. 0001 etc) and then press the button Execute Immed. to run the ABAP immediately or press the Schedule button to specify a time and date to run the ABAP later (e.g. for an overnight run).

    If the Execute Immed. button is pressed then you will see a message that ZACE8M has started as a background job.

    7.4 Check status of the ABAP

    To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SM37). Enter a * in the Job Name field and select the current date in the From and To fields. Click on Execute.

    In the subsequent screen, the status of the background job can be viewed. A status of Active means that the job is still running. A status of Finished means that the job is complete.

    8. What authorizations are required to run ACE*?

    The following authorizations are required to run ACE*:

    Authorization checks:

    Programmed: S_USER_AUT with ACTVT 03

    In functions: S_DATASET with path to the application server

    To start: S_PROGRAM with implemented P_GROUP and S_TCODE

    For TLD: S_TOOLS_EX with authorization value S_TOOLS_EX_A

    Without having object S_TOOLS_EX the downloaded TLD data (aka performance monitor data) will be encrypted.

    At the operating system level:

    The SAP user at the OS level has to have write access to the directory specified in the path on the application server field in the ABAP variant.

    9. How do the ABAPs work?

    There are two ABAPs:

    ZACE8M (Master ABAP) and

    ZACE8T (Temporary ABAP).

    The Master ABAP generates and executes the Temporary ABAP.

    The overall purpose of these ABAPs is to search for relevant data and to download this to the application server. The downloaded data can be split into three types:

    * Special data (downloaded by Master ABAP). Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of multiple tables, a selection of a single table or a standard SAP function.
    * Standard data (downloaded by Temporary ABAP). Each downloaded file relates to one SAP table. In the procedure FILLFIXB0005 these tables are selected and the names of the tables are saved in an internal table (B0005). The Temporary ABAP is generated for each entry in this table, and submitted by the procedure EXP-STAND. The Temporary ABAP then downloads the data to the specified directory path on the application server.
    * Data of internal tables (downloaded by Master ABAP). During the import, seven internal tables are populated. These tables describe the downloaded data.

    The ABAPs do not change or modify any data in the SAP system.

    10. What is the volume of data downloaded and how long does ACE* take to run?

    The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what data to run depending on the size of the SAP implementation (i.e. number of users), how authorizations have been built and the scope of the data to be downloaded as defined in the variant of the ABAP.

    However, an example is provided below:

    Example 2

    SAP Release ECC6

    Number of users: 2,545

    Scope of downloaded files: Full

    Number of downloaded files: 1,841

    Space required on application server: 1.16 GB

    Run time of the ABAP: 2 hours

    11. How can I transfer the downloaded data to the ACE* user?

    Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files (e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 2000 files (depending on the size of the SAP instance) with the .QJF extension will be saved here.

    The names of the output files generated by ACE* should not be changed.

    These files now need to be transferred from the application server to the ACE* user. There are several ways of doing this and the best way will depend on the system architecture and the software and hardware available. Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of restricted access rights on the SAP application server. Options available are:

    From the application server:

    | Option | Method | Advantages | Disadvantages |
    |---|---|---|---|
    | CD/DVD Writer | Use a CD/DVD writer connected to the SAP application server | Easiest and quickest method | Requires a CD/DVD writer to be connected to the SAP application server |

    Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:

    | Option | Method | Advantages | Disadvantages |
    |---|---|---|---|
    | FTP and CD/DVD Writer | Use a CD/DVD writer attached to the SAPGUI workstation | Easy and quick method | Requires a CD/DVD writer to be connected to the SAPGUI workstation. |
    | FTP and memory stick | Zip up the data in packets and use a memory stick to transfer the data to the ACE user | This method is always possible | The workstation containing the data must have a USB port. |
    | FTP and email | E-mail the zipped data in packets to the ACE* user | This can be a quick solution | Data needs to be zipped into packets |
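Whichever option is used, the recipient should be able to confirm that every .QJF file arrived complete and under its original name. The following Python sketch is an added example, not part of the PwC guidance or of ACE*; the packet naming, the size limit and the sample files are assumptions constructed for illustration. It zips the files into size-bounded packets, records a SHA-256 manifest, and checks a received directory against it.

```python
import hashlib
import os
import tempfile
import zipfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(directory):
    """Map each .QJF file name (kept unchanged) to its size and SHA-256."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.upper().endswith(".QJF"):
            manifest[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return manifest

def write_packets(src_dir, out_dir, max_bytes):
    """Zip files into packets of at most max_bytes of input (larger files go alone)."""
    manifest = build_manifest(src_dir)
    groups, used = [[]], 0
    for name, meta in manifest.items():
        if groups[-1] and used + meta["size"] > max_bytes:
            groups.append([])
            used = 0
        groups[-1].append(name)
        used += meta["size"]
    paths = []
    for number, names in enumerate(filter(None, groups), 1):
        packet = os.path.join(out_dir, f"ace_packet_{number:03d}.zip")  # hypothetical name
        with zipfile.ZipFile(packet, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in names:
                zf.write(os.path.join(src_dir, name), arcname=name)
        paths.append(packet)
    return paths, manifest

def verify_received(recv_dir, manifest):
    """Report files that are missing, unexpected (e.g. renamed) or altered."""
    found = build_manifest(recv_dir)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "unexpected": sorted(set(found) - set(manifest)),
        "altered": sorted(n for n in manifest.keys() & found.keys()
                          if found[n] != manifest[n]),
    }

def demo():
    """Round trip on constructed sample files standing in for ACE* output."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out, recv = (os.path.join(tmp, d) for d in ("src", "out", "recv"))
        for directory in (src, out, recv):
            os.mkdir(directory)
        for name, size in (("B0001.QJF", 600), ("B0002.QJF", 500), ("B0005.QJF", 300)):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(os.urandom(size))
        packets, manifest = write_packets(src, out, max_bytes=1000)
        for packet in packets:
            with zipfile.ZipFile(packet) as zf:
                zf.extractall(recv)
        clean = verify_received(recv, manifest)
        # Simulate a rename and a modification on the receiving side.
        os.rename(os.path.join(recv, "B0005.QJF"), os.path.join(recv, "B0005_old.QJF"))
        with open(os.path.join(recv, "B0001.QJF"), "ab") as fh:
            fh.write(b"x")
        return len(packets), clean, verify_received(recv, manifest)
```

The manifest should travel by a different route than the packets, so that a change made in transit cannot also be made to the manifest.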

    © 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts and omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.