Guidance Notes
December, 2017
© PricewaterhouseCoopers
ACE* version 8.10
Table of Contents
1. What is ACE*?
2. Why does PwC use ACE*?
3. Does ACE* have any impact on my system?
4. Will ACE* download any confidential data?
5. How can I install ACE*?
5.1 Importing the transport
5.2 Manually creating the program
5.3 Is it possible to change the name of the ABAPs?
1. What is ACE*?
SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and
security data from SAP and analyses it to determine whether controls have been appropriately designed and
implemented into SAP.
- two ABAPs which are the SAP part of the tool and download the required information from SAP; and
- the ACE* tool (PC part) which analyses the security and configuration control elements implemented in a SAP environment.
- The GTL (General Test Library) which is a repository of all PwC researched and approved tests.
To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They
have to be SAP release independent and able to adapt to how SAP has been configured and implemented.
ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation
projects (pre go-live testing) as well as performing reviews of productive systems (live testing).
ACE* version 8 is executable on all SAP R/3 version 4.7 and higher (including any ECC or HANA systems).
2. Why does PwC use ACE*?
SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary
and difficult to use effectively. With ACE* configuration and security controls can be analysed easily using
standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE*
allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas
identified for additional work.
ACE* produces standard exception reports which are easy to understand and help with the subsequent
resolution of issues identified.
ACE* also enables PwC to perform an independent assessment of rule sets developed by the clients using the
SAP GRC products. By using ACE*, the client’s rule set can be mapped and compared to functions researched
in detail. This allows PwC to apply the benefit of research to each client’s environment.
3. Does ACE* have any impact on my system?
ACE* has been specifically designed to minimise the impact on the SAP environment where it is run either in
terms of system performance or data manipulation. This is because:
- only two ABAPs are required for ACE* (note that additional objects are created to improve the security of the file path that can be used and to protect the programs from unauthorised execution – refer to 5.1.1 for detail);
- there are no other objects installed during the execution of the program; and
- the entire process is under your control.
By sequentially reading and writing from the SAP database to the disk of the application server, any impact on
system performance is reduced to a minimum.
The master ABAP /PWC/ACE8M generates the temporary ABAP /PWC/ACE8T. That is the only change that
ACE* makes on the SAP system.
4. Will ACE* download any confidential data?
ACE* downloads authorisation, configuration, log and some master data. For certain large tables, ACE will
download only specific fields of interest. ACE also has functionality to download detailed transactional data,
but this feature is switched off by default and not activated.
PwC uses the same set of ABAPs on multiple SAP versions and for different SAP products. This increases the
flexibility and ease of use during the installation process. To achieve this flexibility, the ABAP has been designed
to work dynamically, analysing the SAP environment and searching for the required tables. As such, it is not
possible to provide a list of tables up-front. However, we have built in a feature which satisfies the need for
transparency.
The ABAPs write a reference list of all downloaded tables to the file B0002.QJF. The file shows the table name,
the table description and the file in which the downloaded data is stored. Please note that, for optimisation reasons,
one table can be stored in multiple files - this is also visible in the same reference file mentioned above. With
this transparency feature, you have the opportunity to review the downloaded data. Please do not hesitate to
contact your PwC contact person if your review raises any questions or you feel that you do not want to
hand over certain files.
For additional security and confidentiality measures, the ABAP performs an authorisation check on the object
S_TABU_DIS (and S_TABU_CLI if it is a client independent table), requiring the user executing the program
to have appropriate display access to the tables being downloaded by ACE*.
For more information on the authorisation checks done when executing the program, please refer to section 7 of
this document.
The ABAP extracts security sensitive information and access should only
be granted to the person responsible for executing it. Standard change
control and testing process should be followed to put the ABAP into
production.
The directory to which data is downloaded should preferably be encrypted
and access to the directory should be carefully controlled. Once the data
has been securely transmitted to PwC, the downloaded files should be
removed.
5. How can I install ACE*?
There are two ways in which ACE* can be imported into your system:
1. By using the transport (F04K900733) provided.
2. By creating a program on your system and pasting the code manually into the program.
The preferred method is (1), but for completeness purposes, both methods will be explained here.
5.1 Importing the transport
This is the preferred method, as everything required to run ACE* in a secure and efficient manner has already
been created for you in the transports provided. There are two sets of transport files provided:
Note that the program and the transaction codes have a /PWC/ prefix. This is a registered namespace with SAP
and it means that these objects cannot be changed once imported, unless it comes from an authorised transport
from PwC.
5.1.2 How to import the transport file
Once you’ve obtained the K900733.F04 and R900733.F04 files, you need to copy them into the application
server’s transports directory. This is usually configured in directory parameter DIR_TRANS (Can be viewed
from t-code AL11). The default folders are usually as follows:
\\XXXXXXXXX\sapmnt\trans\cofiles\ - copy the K900733.F04 file in here
\\XXXXXXXXX\sapmnt\trans\data\ - copy the R900733.F04 file in here
(Where the Xs represent the name of the application server)
If you cannot find the “cofiles” and “data” folders, please contact the person responsible for transports on the
systems. They will be able to direct you to the correct place.
Once you’ve copied the files to the correct place, go to transaction code STMS and press F5 (“Import overview”
button):
Double-click on the system you want to import the files in and you should get to the Import Queue for your
system. The transport files cannot be seen yet, as they need to be manually added. This is done by going on your
menu bar: Extras > Other requests > Add:
Manually input the transport request number (F04K900733) as follows and press Enter:
In the next window you’ll be asked to confirm – press yes and you will see that the transport has been added to
the import queue. To release the transport, simply click on the transport number and press the “Import
Request” button (Ctrl + F11).
Next, you need to specify the target client. The transport should always first be imported into your Development
and the Quality Assurance System so it can follow your standard change control process, including proper
testing. Then go to the Options tab and specify the following:
This needs to be done because the transport was generated in a (more than likely) different version of SAP than
the one you’re running.
Once done, the transport should have been imported into your system. To execute the ACE* program, simply
execute transaction /PWC/ACE8M – it will lead you directly to the program’s selection screen.
Because this is a program created with a registered /PWC/ namespace, it isn’t possible to delete the program via
the conventional methods. A deletion transport can be provided by your PwC contact – F04K900697. Follow
the same steps as described in 5.1.2 above and release the transport accordingly. To delete the package that
contains the /PWC/ACE8M program and t-code, use the transport F04K900737. Note that these transports
need to be released one after the other – you cannot delete a package while it still contains objects within it.
5.2 Manually creating the program
This is not the preferred method – as it involves a much more manual process, which could increase the
chances of an error being made. Also, it will not be created under the registered /PWC/ namespace.
Nonetheless, if you still want to create the program via this method, please ask your PwC contact for the
ZACE8M.txt and ZACE8T.txt files.
ACE* comprises two custom ABAP programs that need to be loaded into the SAP production environment:
5.2.1 Copy the ABAP programs onto the SAP GUI client
The two ABAP files are usually provided either on a USB drive or by e-mail (both files together are less than
150K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs
will be loaded into SAP.
Note: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and
NEVER from within another client (e.g. client 000).
The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.
Please note that the ABAPs should always be uploaded in the Development environment and tested before
transporting them to the production environment.
Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)
In the program field enter ZACE8M as the program name and click on Create:
Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided
i.e. ZACE8M and ZACE8T (ignore the .txt file extension).
In the following screen, assign the program attributes as below and click on “Save”:
Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click “Save” to
save the program attributes. It is encouraged to use an authorisation group – the program used in the transport
method uses authorization group “ZPWC”.
5.2.3 Deploy the ACE* ABAP into the SAP program created
Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)
Copy and paste the code from the ZACE8M.txt text file as displayed below.
Select the “Save” button. A message will be received indicating that the program has been saved as displayed
below.
Return to the ABAP Editor initial screen using the Back Arrow in the toolbar.
The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the “Activate”
button (or use: Program > Activate).
Select the row containing ZACE8M and click on the “OK” button:
5.2.5 Load the temporary ABAP
Important:
- Clients should remove the ACE ABAP after the assignment is complete if it is not a recurring assignment.
- Older versions should not be kept and any updates PwC provides should be used to overwrite the old version.
- The ACE ABAP should be considered as sensitive access and should be appropriately restricted.
- The client should populate an authorization group for the program when they create it for further protection.
5.3 Is it possible to change the name of the ABAPs?
If the ACE* ABAPs do not conform to the naming convention used, it is possible to change their names from
ZACE8M and ZACE8T. If this is done however, the code in ZACE8M has to be changed to ensure that the
master ABAP calls the re-named temporary ABAP and not ZACE8T. This requires one line of code to be
changed which is found in the ZACE8M ABAP.
Please note that this cannot be done if the program was created by the transport, as it is contained in a
registered /PWC/ namespace.
To change the names of the ABAP programs, search for the line:
Data: subrepid like sy-repid value 'ZACE8T'
and replace ZACE8T with the new name for the ABAP program.
6.1 Setup directory access for ACE-S using the PACE authorisation group
The ACE* ABAP has been programmed to require the user running the program to have access to file path
authorisation group PACE. Therefore the file path, that will be used to download the files to, needs to be
authorised in table SPTH and assigned to authorisation group PACE.
Please note that in the screen print above the “NR (No Read)” has been unchecked for file path “*” and “/”.
Good practice is to first restrict all file paths on the server, by checking the “NR” box, and then authorising
specific paths on the server (i.e. white list concept). Do not change this setting without evaluating which batch
jobs have already been set up, which file path they require access to and maintaining SPTH accordingly. Please
also note that this is a customising change and must be done in development and transported through to
production. For more information on the authority checks required, go to Section 7.
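The white list concept and the batch job caveat above can be rehearsed offline before SPTH is changed. The following Python model is an added example, not PwC or SAP code: it assumes that the most specific matching SPTH row applies, that NR blocks both read and write, and that S_PATH activity 02 covers write and 03 covers read. The Z_ job names and /interfaces paths are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpthEntry:
    path: str               # generic path; a trailing "*" acts as a wildcard
    no_read: bool = False   # "NR" box: no read and no write from ABAP
    no_write: bool = False  # "NW" box: no write from ABAP
    auth_group: str = ""    # if set, access needs S_PATH for this group


def best_match(table, filename):
    """Most specific row whose path is a prefix of filename (assumed rule)."""
    hits = [e for e in table if filename.startswith(e.path.rstrip("*"))]
    return max(hits, key=lambda e: len(e.path.rstrip("*")), default=None)


def allowed(table, filename, mode, s_path=frozenset()):
    """mode: 'read' or 'write'; s_path: set of (auth group, ACTVT) pairs."""
    entry = best_match(table, filename)
    if entry is None:
        return True  # assumption: no matching row, SPTH adds no restriction
    if entry.no_read or (mode == "write" and entry.no_write):
        return False
    if entry.auth_group:
        actvt = "02" if mode == "write" else "03"
        return (entry.auth_group, actvt) in s_path
    return True


def blocked_jobs(table, jobs):
    """Names of jobs whose file access the given SPTH table would refuse."""
    return [name for name, path, mode, s_path in jobs
            if not allowed(table, path, mode, s_path)]


# State described for the screen print: NR unchecked for "*" and "/".
OPEN_TABLE = [SpthEntry("*"), SpthEntry("/")]

# White list: block everything, then authorise the ACE* download directory.
WHITELIST = [
    SpthEntry("*", no_read=True),
    SpthEntry("/", no_read=True),
    SpthEntry("/usr/sap/ace/", auth_group="PACE"),
]

PACE = frozenset({("PACE", "02"), ("PACE", "03")})

# Constructed inventory of background jobs and the files they touch.
# Z_PAYMENT_EXPORT, Z_STOCK_IMPORT and the /interfaces paths are hypothetical.
JOBS = [
    ("/PWC/ACE8M", "/usr/sap/ace/B0002.QJF", "write", PACE),
    ("Z_PAYMENT_EXPORT", "/interfaces/bank/out/pay.txt", "write", frozenset()),
    ("Z_STOCK_IMPORT", "/interfaces/wms/in/stock.csv", "read", frozenset()),
]

# Rows that would have to be maintained before NR is checked on "*" and "/".
MISSING_ROWS = [
    SpthEntry("/interfaces/bank/out/"),
    SpthEntry("/interfaces/wms/in/", no_write=True),
]

if __name__ == "__main__":
    print("open table blocks:", blocked_jobs(OPEN_TABLE, JOBS))
    print("white list blocks:", blocked_jobs(WHITELIST, JOBS))
    print("after maintenance:", blocked_jobs(WHITELIST + MISSING_ROWS, JOBS))
```

Running the model against a real job inventory shows which file paths need their own SPTH rows before the catch-all rows are restricted.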
6.2 Select the ACE* parameters
In most cases, the default parameter values should be correct (except the application server path and the start
of the financial year as mentioned below). The different parameters are explained below:
| Section | Parameter | Description | Recommendation |
|---|---|---|---|
| Parameters | Path on the application server | This defines the specific path on the application server where the | This must be |
| Parameters | Start of the financial year | The start of the financial year date is used for download date related data, such as change documents, etc. | This must be maintained |
| Scope of Download | Data Report for all clients; Log Analysis for all clients | Defines if data is only downloaded from the current client or all clients in the SAP instance. | Should not be changed |
| Scope of Download | CDS data | Defines if aggregated change document information will be downloaded. | Should not be changed |
| Scope of Download | Authorization groups | Defines if tables with authorization groups should be downloaded. | Should not be changed |
| Scope of Download | Object help information | Defines if authorization object help will be downloaded. | Should not be changed |
| Scope of Download | Desolved values | Defines if desolved values are downloaded. Desolved values allow ACE* to display a drop down list of possible values for authorization fields. | Should not be changed |
| Scope of Download | Field status definition | Defines if the tables related to field status are downloaded. | Should not be changed |
| Scope of Download | Base component | Defines if core tables of the base component are downloaded | Should not be changed |
| Scope of Download | With user details | Defines if user information in the tables USR03, ADCP, ADRP are hidden in the download. | Should not be changed |
| Scope of Download | TLD | ACE* will download data generated by the SAP Performance Monitor. In ACE* this is called Transaction Log Data (TLD). Month, weekly or daily data: Specifies the summary level at which the data will be downloaded. Period limit: This setting will limit the data downloaded to respectively the number of months, weeks or days specified. Record limit: This setting will limit the data downloaded to the number of records specified. | Should not be changed |
| Scope of Download | Module specific downloads | Defines if tables or desolved values for these modules are downloaded | Should not be changed |
| Scope of Download | Specify additional tables | Allows including additional tables to be downloaded. | Should not be changed |
| Space limit for | Optional data in MB; Special data in MB; Additional data in MB | Defines download limits per table avoiding any space issues to the application server. The limits are specified in MB! | Should not be changed |
| Download Strategy and Code Page | Download strategy | Determines the method used by the ABAP to download data from SAP. | Should not be changed |
| Download Strategy and Code Page | Code page | Downloads the data in a different code page. This option should never be changed without consultation, since it may impact the readability of the data. | Should not be changed |
| KPI | KPI Indicators | New feature in piloting phase – please do not use yet | Should not be changed |
| KPI | Company Code | New feature in piloting phase – please do not use yet | Should not be changed |
| | Multiple Selection Download | Downloading posting information based on BKPF/BSEG and related | Should not be changed |
| | Multiple Selection Download Extended | Use ACE ABAPs to efficiently download large SAP transaction and master data tables | Should not be changed |
| Report Testing | Only Rep | If the selection ‘Only Report Testing’ (Only Rep) is ticked then no other parameters above are taken into account (including path). The ABAP will then solely analyze the specified reports and produce an on-line report – NO DATA will be written to the application server. | This must be maintained see FAQ in ACE* Toolbox. |
| Report Testing | ABAP Programs | The selection ‘ABAP Programs’ allows you to specify the reports. If you want to specify multiple reports, then click on the icon to the right of the field allowing you to specify multiple reports. You can also enter transaction codes; in this case ACE will evaluate the transaction and search for the associated report. | This must be maintained see FAQ in ACE* Toolbox. |
In the “Path on the application server” field, specify the exact location (e.g. [Drive]:\usr\sap\ACE*, for
Windows, or /usr/sap/ACE*, for UNIX) on the application server (or other server with a mapping from the
application server) where the downloaded data is to be saved. The directory should have enough free space to
accommodate the downloaded data (typically between 500MB and 2GB is required).
The operating system that is used to write the ACE* files to (QJF’s) must be
the same as the SAP application server operating system.
Execute ACE* in the background by selecting the menu path: Program > Execute > Background:
If the “Execute Immediately” button is pressed then you will see a message that /PWC/ACE8M has started as a
background job.
To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SMX). Enter a
“*” in the Job Name field and select the current date in the From and To fields. Click on “Execute”.
To check the status of the ABAP, go to the Own Background Jobs screen (Transaction code SMX). A status of
Active means that the job is still running. A status of Finished means that the job is complete.
- S_TCODE /PWC/ACE8M
- S_ADMI_FCD with PADM
- S_BTCH_JOB with RELE (in JOBACTION field)
- S_DATASET with ACTVT 33 and PROGRAM /PWC/ACE9M
- S_LOG_COM with Command LIST_DB2DUMP
- S_TABU_CLI with X
- S_USER_AUT with ACTVT 03 (Display) and 08 (Display Change Documents)
- S_USER_GRP with ACTVT 03 and 08
- S_USER_PRO with ACTVT 03 and 08
- S_SCD0 with ACTVT 08
- S_TABU_DIS with ACTVT 03 and the authorisation groups for all the tables dynamically downloaded by ACE*
Additional authorisation checks, if using the PACE authorisation group as detailed in section 6.1 above (only
available if using the transport method):
- S_TCODE /PWC/ACE8_SPTH
- S_PATH with ACTVT 02 and 03 and PACE authorisation group
(NB: this contains maintenance access – it should only be done by appropriate people that are responsible for
table maintenance and basis administration on your production system).
The roles, containing the access listed above, have been created in transport F04k900699 (For instructions on
how to import transports, refer to the steps detailed in section 5.1). For the standard role to execute ACE*, you
can assign role /PWC/ACE_EXECUTE. For the additional authorisation group maintenance, you can assign
role /PWC/ACE_MAINTAIN_SPTH.
NB: Only assign these roles to appropriate users that are generally responsible for these tasks
on your system.
Additional authorisation checks if not using the transport method (not encouraged):
- S_PROGRAM with implemented P_GROUP and S_TCODE
At the operating system level:
The SAP user at the OS level has to have write access to the directory specified in the “path on the
application server” field in the ABAP.
The ABAP extracts security sensitive information and access should only
be granted to the person responsible for executing it. Standard change
control and testing process should be followed to put the ABAP into
production.
8. How do the ABAP programs work?
The overall purpose of these ABAPs is to search for relevant data and to download this to the application server.
The downloaded data can be split into three types:
The ABAPs do not change or modify any data in the SAP system
The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what
data to run depending on the size of the SAP implementation (i.e. number of users) how authorizations have
been built and the scope of the data to be downloaded as defined in the variant of the ABAP.
Example
10. How can I transfer the downloaded data to the ACE* user?
Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files
(e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 2000 files (depending
on the size of the SAP instance) with the .QJF extension will be saved here.
The names of the output files generated by ACE* should not be changed
These files now need to be transferred from the application server to the ACE* user. There are several ways of
doing this and the best way will depend on the system architecture and the software and hardware available.
Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of
restricted access rights on the SAP application server. Options available are:
- CD/DVD Writer: Use a CD/DVD writer connected to the SAP application server. Easiest and quickest method. Requires a CD/DVD writer to be connected to the SAP application server.
Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:
- FTP and CD/DVD Writer: Use a CD/DVD writer attached to the SAPGUI workstation. Easy and quick method. Requires a CD/DVD writer to be connected to the SAPGUI workstation.
- FTP and memory stick: Zip up the data in packets and use a memory stick to transfer the data to the ACE user. This method is always possible. The workstation containing the data must have a USB port.
- FTP and email: E-mail the zipped data in packets to the ACE* user. This can be a quick solution. Data needs to be zipped into packets <5MB and e-mail security may be a concern.
Please transfer all files created during the download including 0KB files.
If you have any questions or queries or get any error message, please contact your local PwC auditor with
screenshots and details of the error message.
© 2017 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to
the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does
not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is
not responsible or liable for the acts or omissions of its member firms nor can it control the exercise of their
professional judgment or bind them in any way. No member firm is responsible or liable for the acts and
omissions of any other member firm nor can it control the exercise of another member firm's professional
judgment or bind another member firm or PwCIL in any way.