
Version 8

ACE*
Guidance Notes
PricewaterhouseCoopers
ACE* version 8.10 1 of 19
Table of Contents
1. What is ACE*?
2. Why does PwC use ACE*?
3. Does ACE* have any impact on my system?
4. Will ACE* download any confidential data?
5. How can I install ACE*?
6. Is it possible to change the name of the ABAPs?
7. How can I run ACE*?
8. What authorisations are required to run ACE*?
9. How do the ABAPs work?
10. What is the volume of data downloaded and how long does ACE* take to run?
11. How can I transfer the downloaded data to the ACE* user?
1. What is ACE*?
ACE* is an abbreviation for Automated Controls Evaluator.
SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and
security data from SAP and analyses it to determine whether controls have been appropriately designed and
implemented into SAP.
In brief, ACE* consists of:
* two ABAPs, which are the SAP part of the tool and download the required information from SAP; and
* the ACE* tool (PC part), which analyses the security and configuration control elements implemented in
a SAP environment.
To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They
have to be SAP release independent and able to adapt to how SAP has been configured and implemented.
ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation
projects (pre go-live testing) as well as performing reviews of productive systems (live testing).
ACE* version 8 is executable on all SAP R/3 versions 4.7 and higher. Different ABAP versions exist for the
various SAP versions.
2. Why does PwC use ACE*?
SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary
and difficult to use effectively. With ACE* configuration and security controls can be analysed easily using
standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE*
allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas
identified for additional work.
ACE* produces standard exception reports which are easy to understand and help with the subsequent
resolution of issues identified.
ACE* also enables PwC to perform an independent assessment of rule sets developed by the clients using the
SAP GRC products. By using ACE*, the client's rule set can be mapped and compared to functions researched
in detail. This allows PwC to apply the benefit of research to each client's environment.
3. Does ACE* have any impact on my system?
ACE* has been specifically designed to minimise the impact on the SAP environment where it is run either in
terms of system performance or data manipulation. This is because:
* only two ABAPs are required for ACE*;
* there are no other objects installed; and
* the entire process is under your control.
By sequentially reading and writing from the SAP database to the disk of the application server, any impact on
system performance is reduced to a minimum.
The master ABAP ACE8M generates the temporary ABAP ACE8T. That is the only change that ACE* makes on
the SAP system.
Expressly, ACE* does not:
* Change any SAP repository objects (tables, structure, ABAPs, etc.)
* Change any table contents
4. Will ACE* download any confidential data?
ACE* downloads authorisation, configuration, log and some master data. For certain large tables, ACE will
download only specific fields of interest. ACE also has functionality to download detailed transactional data,
but this feature is switched off by default and not activated.
PwC uses the same set of ABAPs on multiple SAP versions and for different SAP products. This increases the
flexibility and ease of use during the installation process. To achieve this flexibility, the ABAP has been designed
very dynamically analysing the SAP environment and searching for the required tables. As such, it is not
possible to provide a list of tables up-front. However, we have built in a feature which satisfies the need for
transparency.
The ABAPs write a reference list of all downloaded tables to the file B0002.QJF. The file will show table name,
table description and in which file the downloaded data is stored. Please note that due to optimization reasons,
one table can be stored in multiple files - this is also visible in the same reference file mentioned above. With
this transparency feature, you have the opportunity to review the downloaded data. Please do not hesitate to
contact your PwC contact person if your review raises any questions or you feel that you do not want to
hand over certain files.
5. How can I install ACE*?
The diagram below shows the steps involved in the process:
ACE* comprises two custom ABAP programs that need to be loaded into the SAP production environment:
ZACE8M.TXT The master ACE* ABAP
ZACE8T.TXT The temporary ABAP which is called by the master as necessary
5.1. Copy the ABAP programs onto the SAP GUI client
The two ABAP files are usually provided either on a floppy disk or by e-mail (both files together are less than
150K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs
will be loaded into SAP.
Note: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and
NEVER from within another client (e.g. client 000).
5.2. Upload the 2 ABAPs into SAP
The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.
Please note that the ABAPs should always be uploaded in the Development environment and tested before
transporting them to the production environment.
[Diagram: steps in the ACE* process]
1. Copy of ABAP ZACE8M.TXT and ZACE8T.TXT
2. Upload ABAPs to SAP R/3
3. Start ABAP ZACE8M; output files will be written to the application server
4. Transfer ABAP output files to a local workstation
5. Copy files to a PwC PC or burn a CD
6. Import ABAP data into ACE application
5.2.1 Create the ACE* program in SAP
Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)
In the program field enter ZACE8M as the program name and click on Create:
Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided
i.e. ZACE8M and ZACE8T (ignore the .txt file extension).
Note: You will need an OSS/Developer key to load the ABAP.
5.2.2 Assign attributes to the ACE* program
In the following screen, assign the program attributes as below and click on Save:
Title: Enter a text that describes the ABAP such as ZACE8M
Type: Select Executable Program
Application: Select Cross-application
Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click Save to
save the program attributes.
A message will be received indicating Attributes for program ZACE8M saved.
5.2.3 Deploy the ACE* ABAP into the SAP program created
Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)
Copy and paste the code from the ZACE8M.txt text file as displayed below.
Select the Save button. A message will be received indicating that the program has been saved as displayed
below.
Return to the ABAP Editor initial screen using the Back Arrow in the toolbar.
5.2.4 Activate the ABAP
The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the Activate
button (or use: Program > Activate).
Select the row containing ZACE8M and click on the OK button:
5.2.5 Load the temporary ABAP
Repeat steps 2.1 to 2.4 for the program ZACE8T.
6. Is it possible to change the name of the ABAPs?
If the ACE* ABAPs do not conform to the naming convention used, it is possible to change their names from
ZACE8M and ZACE8T. If this is done however, the code in ZACE8M has to be changed to ensure that the
master ABAP calls the re-named temporary ABAP and not ZACE8T. This requires one line of code to be
changed which is found in the ZACE8M ABAP.
To change the names of the ABAP programs, search for the line:
Data: subrepid like sy-repid value ZACE8T
and replace ZACE8T with the new name for the ABAP program.
7. How can I run ACE*?
To run ACE*, only the master ABAP, ZACE8M, needs to be started. ZACE8M will generate and run the
temporary ABAP Program ZACE8T as and when required without further manual intervention.
7.1 Create a variant of ZACE8M
ZACE8M should be executed in the background. To run the ABAP in the background, a variant of the ABAP
needs to be created.
To create a Variant, go to the ABAP Editor (transaction SE38). Type ZACE8M and select the Variant
sub-object, then click the Variants button on the toolbar:
Enter a variant name (e.g. 0001) and click on the Create button:
7.2 Select the ACE* parameters
The first two ABAP parameters in the variant should be maintained:
In most cases, the default parameter values should be correct (except the application server path and the start
of the financial year as mentioned below). The different parameters are explained below:
| Section | Parameter | Description | Recommendation |
|---|---|---|---|
| Core Parameters | Path on the application server | This defines the specific path on the application server where the ACE* data will be downloaded to. | This must be maintained (see the note below). |
| Core Parameters | Start of the financial year | The start of the financial year date is used for download date related data, such as change documents, etc. | This must be maintained |
| Scope of Download | Data Report for all clients; Log Analysis for all clients | Defines if data is only downloaded from the current client or all clients in the SAP instance. | Should not be changed |
| Scope of Download | CDS data | Defines if aggregated change document information will be downloaded. | Should not be changed |
| Scope of Download | Authorization groups | Defines if tables with authorization groups should be downloaded. | Should not be changed |
| Scope of Download | Object help information | Defines if authorization object help will be downloaded. | Should not be changed |
| Scope of Download | Desolved values | Defines if desolved values are downloaded. Desolved values allow ACE* to display a drop down list of possible values for authorization fields. | Should not be changed |
| Scope of Download | Field status definition | Defines if the tables related to field status are downloaded. | Should not be changed |
| Scope of Download | Base component | Defines if core tables of the base component are downloaded. | Should not be changed |
| Scope of Download | With user details | Defines if user information in the tables USR03, ADCP, ADRP are hidden in the download. | Should not be changed |
| Scope of Download | TLD | ACE* will download data generated by the SAP Performance Monitor. In ACE* this is called Transaction Log Data (TLD). Month, weekly or daily data: Specifies the summary level at which the data will be downloaded. Period limit: This setting will limit the data downloaded to respectively the number of months, weeks or days specified. Record limit: This setting will limit the data downloaded to the number of records specified. | Should not be changed |
| Scope of Download | Module specific downloads | Defines if tables or desolved values for these modules are downloaded. | Should not be changed |
| Scope of Download | Specify additional tables | Allows including additional tables to be downloaded. | Should not be changed |
| Space limit for tables | Optional data in MB; Special data in MB; Additional data in MB | Defines download limits per table avoiding any space issues to the application server. The limits are specified in MB! Optional data: Data which is not absolutely necessary to analyze authorizations. If not downloaded then the efficiency of the authorization analysis will be significantly impacted. Most of the configuration data is classified as optional. Special data: Data which are handled specially such as extended download data (see below). Additional data: Data which has been selected for download via parameter: Specify additional tables (see above). | Should not be changed |
| Download Strategy and Code Page | Download strategy | Determines the method used by the ABAP to download data from SAP. If less read rollback is selected, the ABAP could run long. If the SAP system is very powerful, the value can be switched to better performance, and then the ABAP is executed faster. | Should not be changed |
| Download Strategy and Code Page | Code page | Downloads the data in a different code page. This option should never be changed without consultation, since it may impact the readability of the data. | Should not be changed |
In the Path on the application server field, specify the exact location (e.g. [Drive]:\usr\sap\ACE*, for
Windows NT, or /usr/sap/ACE*, for UNIX servers) on the application server (or other server with a mapping
from the application server) where the downloaded data is to be saved. The directory should have enough free
space to accommodate the downloaded data (typically between 500MB and 2GB is required).
The operating system that is used to write the ACE* files (QJFs) to must be
the same as the SAP application server operating system.
Click on the Attributes button and enter a name for the variant (e.g. Variant for ZACE8M) and then click on
the Save button. The message Variant Saved will be displayed at the bottom of the screen.
Click on the Save button again and the message Values of Variant 001 Saved will be displayed at the bottom
of the screen.
| Section | Parameter | Description | Recommendation |
|---|---|---|---|
| KPI | KPI Indicators | New feature in piloting phase; please do not use yet. | Should not be changed |
| KPI | Company Code | New feature in piloting phase; please do not use yet. | Should not be changed |
| Posting Download | Multiple Selection | Downloading posting information based on BKPF/BSEG and related tables based on selection criteria via ACE ABAP. By default, data will not be downloaded. If selected for download by ticking one of the two options, then please specify filtering criteria, since no limits apply. | Should not be changed |
| Extended Download | Multiple Selection | Use ACE ABAPs to efficiently download large SAP transaction and master data tables. Used largely for CAATs purposes, ready to be used with ACL. By default, data will not be downloaded. If selected for download, then please specify filtering criteria. Although the limits for extended data apply, the downloaded data can get quite big. | Should not be changed |
| Report Testing | Only Rep | If the selection Only Report Testing (Only Rep) is ticked then no other parameters above are taken into account (including path). The ABAP will then solely analyze the specified reports and produce an on-line report; NO DATA will be written to the application server. | This must be maintained (see FAQ in ACE* Toolbox). |
| Report Testing | ABAP Programs | The selection ABAP Programs allows you to specify the reports. If you want to specify multiple reports, then click on the icon to the right of the field allowing you to specify multiple reports. You can also enter transaction codes; in this case ACE will evaluate the transaction and search for the associated report. | This must be maintained (see FAQ in ACE* Toolbox). |
7.3 Run the ABAP
Execute ACE* in the background by going to the ABAP Editor (Transaction code SA38), entering ZACE8M in
the program field and selecting the menu path: Program > Execute > Background:
Enter the variant name (i.e. 0001 etc) and then press the button Execute Immed. to run the ABAP
immediately or press the Schedule button to specify a time and date to run the ABAP later (e.g. for an
overnight run).
If the Execute Immed. button is pressed then you will see a message that ZACE8M has started as a
background job.
7.4 Check status of the ABAP
To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SM37). Enter a
* in the Job Name field and select the current date in the From and To fields. Click on Execute.
In the subsequent screen, the status of the background job can be viewed. A status of Active means that the job
is still running. A status of Finished means that the job is complete.
8. What authorizations are required to run ACE*?
The following authorizations are required to run ACE*:
Authorization checks:
Programmed: S_USER_AUT with ACTVT 03
In functions: S_DATASET with path to the application server
To start: S_PROGRAM with implemented P_GROUP and S_TCODE
For TLD: S_TOOLS_EX with authorization value S_TOOLS_EX_A
Without having object S_TOOLS_EX the downloaded TLD data (aka performance
monitor data) will be encrypted.
At the operating system level:
The SAP user at the OS level has to have write access to the directory specified in the path on the
application server field in the ABAP variant.
9. How do the ABAPs work?
There are two ABAPs:
* ZACE8M (Master ABAP); and
* ZACE8T (Temporary ABAP).
The Master ABAP generates and executes the Temporary ABAP.
The overall purpose of these ABAPs is to search for relevant data and to download this to the application server.
The downloaded data can be split into three types:
* Special data (downloaded by Master ABAP).
Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of
multiple tables, a selection of a single table or a standard SAP function.
* Standard data (downloaded by Temporary ABAP).
Each downloaded file relates to one SAP table. In the procedure FILLFIXB0005 these tables are
selected and the names of the tables are saved in an internal table (B0005). The Temporary ABAP is
generated for each entry in this table, and submitted by the procedure EXP-STAND. The Temporary
ABAP then downloads the data to the specified directory path on the application server.
* Data of internal tables (downloaded by Master ABAP).
During the import, seven internal tables are populated. These tables describe the downloaded data.
The ABAPs do not change or modify any data in the SAP system.
10. What is the volume of data downloaded and how long does ACE* take to run?
The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what
data to run depending on the size of the SAP implementation (i.e. number of users), how authorizations have
been built and the scope of the data to be downloaded as defined in the variant of the ABAP.
However, an example is provided below:
Example 2
SAP Release ECC6
Number of users: 2,545
Scope of downloaded files: Full
Number of downloaded files: 1,841
Space required on application server: 1.16 GB
Run time of the ABAP: 2 hours
11. How can I transfer the downloaded data to the ACE* user?
Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files
(e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 2000 files (depending
on the size of the SAP instance) with the .QJF extension will be saved here.
The names of the output files generated by ACE* should not be changed.
These files now need to be transferred from the application server to the ACE* user. There are several ways of
doing this and the best way will depend on the system architecture and the software and hardware available.
Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of
restricted access rights on the SAP application server. Options available are:
From the application server:

| Option | Method | Advantages | Disadvantages |
|---|---|---|---|
| CD/DVD Writer | Use a CD/DVD writer connected to the SAP application server | Easiest and quickest method | Requires a CD/DVD writer to be connected to the SAP application server |

Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:

| Option | Method | Advantages | Disadvantages |
|---|---|---|---|
| FTP and CD/DVD Writer | Use a CD/DVD writer attached to the SAPGUI workstation | Easy and quick method | Requires a CD/DVD writer to be connected to the SAPGUI workstation. |
| FTP and memory stick | Zip up the data in packets and use a memory stick to transfer the data to the ACE user | This method is always possible | The workstation containing the data must have a USB port. |
| FTP and email | E-mail the zipped data in packets to the ACE* user | This can be a quick solution | Data needs to be zipped into packets <5MB and e-mail security may be a concern |
Please transfer all files created during the download including 0KB files.
If you have any questions or queries or get any error message, please contact your local PwC auditor with
screenshots and details of the error message.
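The hand-over step described above, shown as an added example that is not part of the original guidance or of ACE* itself. It builds a SHA-256 manifest of every .QJF file (0KB files included), packs the files under their original names into zip packets sized against the 5MB figure, and lets the recipient confirm that nothing is missing or altered. The function names, the packet and manifest file names and the 512-byte header allowance are assumptions made for this example.

```python
import hashlib
import zipfile
from pathlib import Path

# Assumptions for this example: packet/manifest names and the header allowance.
PACKET_LIMIT = 5 * 1024 * 1024  # packet ceiling named in the text (<5MB)
ENTRY_OVERHEAD = 512            # assumed per-file allowance for zip headers

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large downloads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(src):
    """One (name, size, sha256) row per .QJF file; 0KB files are included."""
    return [(p.name, p.stat().st_size, sha256_file(p))
            for p in sorted(Path(src).iterdir())
            if p.is_file() and p.suffix.upper() == ".QJF"]

def plan_packets(manifest, limit=PACKET_LIMIT):
    """Greedy grouping by uncompressed size (an estimate); oversize files go alone."""
    packets, current, used, oversize = [], [], 0, []
    for name, size, _ in manifest:
        cost = size + ENTRY_OVERHEAD
        if cost > limit:
            oversize.append(name)       # reported so the sender can pick another route
            packets.append([name])
        elif current and used + cost > limit:
            packets.append(current)
            current, used = [name], cost
        else:
            current.append(name)
            used += cost
    if current:
        packets.append(current)
    return packets, oversize

def write_packets(src, out, limit=PACKET_LIMIT):
    """Write MANIFEST.sha256 (sha256sum format) and numbered zip packets to out."""
    src, out = Path(src), Path(out)
    out.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(src)
    (out / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, _, digest in manifest))
    packets, oversize = plan_packets(manifest, limit)
    written = []
    for i, names in enumerate(packets, 1):
        target = out / f"ace_packet_{i:03d}.zip"
        with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in names:
                zf.write(src / name, arcname=name)  # file names stay unchanged
        written.append(target)
    return manifest, written, oversize

def verify_packets(manifest, packets):
    """Recipient check: names that are missing or whose hash differs."""
    seen = {}
    for packet in packets:
        with zipfile.ZipFile(packet) as zf:
            for info in zf.infolist():
                seen[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return [n for n, _, digest in manifest if seen.get(n) != digest]
```

Sending MANIFEST.sha256 by a different channel from the packets means a packet altered in transit cannot arrive together with a matching manifest.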
2011 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to
the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does
not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is
not responsible or liable for the acts or omissions of its member firms nor can it control the exercise of their
professional judgment or bind them in any way. No member firm is responsible or liable for the acts and
omissions of any other member firm nor can it control the exercise of another member firm's professional
judgment or bind another member firm or PwCIL in any way.
