© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Dr. Markus Schumacher
March 18, Heidelberg
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
Ten golden rules for coding authorization checks in ABAP
Andreas Wiegenstein
Andreas Wiegenstein (Twitter: @codeprofiler)
 Founder of Virtual Forge (Heidelberg), responsible for R&D
 SAP Security Researcher, active since 2003
 Received Credits from SAP for 66 reported 0-day Vulnerabilities
 Speaker at international Conferences
 SAP TechEd (USA & Europe), DSAG (Europe)
 BlackHat (Europe), Hack in the Box (Europe)
 Troopers (Europe), IT Defense (Europe), RSA (USA)
 Co-Author of "Sichere ABAP Programmierung" (SAP Press, 2009)
 Co-Author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)
 Created training class WDESA3 (ABAP Security) @ SAP University
Authorizations in Custom Code
Ongoing survey, results as of March 12, 2014
Golden Rule #1
Perform authority checks
General advice
 Check with your business department whether (and which) authorizations are required to execute the business logic you provide.
 As a fallback, analyze existing code that implements a similar business process and see which authorization checks it performs.
 If authority checks are required for your custom business logic, add them to your code.
On average there are 866 missing authority checks in custom code.
Golden Rule #1
Perform authority checks (cont’d)
Specific advice
 Don't rely on S_RFC authorizations. They only determine *whether* a function module can be invoked remotely and are in no way related to the specific business logic of your custom code. You don't want users with an S_RFC '*' authorization to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either...
 Don't rely on authorization groups assigned to reports. They are usually coarse grained, as the same authorization group is used for multiple programs, and they are not necessarily related to the specific business logic of your custom code.
 Always check the start authorization yourself when using CALL TRANSACTION, as the kernel performs no implicit start authorization check for it (unlike a transaction started from the command field).
 Function module AUTHORITY_CHECK_TCODE
 Since ABAP 7.40: CALL TRANSACTION … WITH AUTHORITY-CHECK
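As an added example (not code from the slides), the start-authorization check around CALL TRANSACTION in both of the forms named above. The report name, the transaction ZMM_PO_RELEASE and the message texts are assumptions made for this illustration; AUTHORITY_CHECK_TCODE, CX_SY_AUTHORIZATION_ERROR and message 00 398 ("& & & &") are SAP standard.

```abap
REPORT zsec_call_transaction_demo.

" Transaction code is an assumption for this example; in practice it is the
" custom transaction that wraps your business logic.
PARAMETERS p_tcode TYPE sy-tcode DEFAULT 'ZMM_PO_RELEASE'.

" Classic form, available on every release. AUTHORITY_CHECK_TCODE checks
" S_TCODE plus the additional start authorization maintained for the
" transaction in SE93. Note the inverted exception numbering: OK = 1.
FORM start_with_fm USING iv_tcode TYPE sy-tcode.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = iv_tcode
    EXCEPTIONS
      ok     = 1
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 1.                 " evaluated immediately after the call (rule 3)
    MESSAGE e398(00) WITH 'No start authorization for transaction' iv_tcode.
  ENDIF.
  CALL TRANSACTION iv_tcode.
ENDFORM.

" ABAP 7.40 form: the kernel performs the same check itself and raises a
" catchable exception when the user may not start the transaction.
FORM start_with_kernel_check USING iv_tcode TYPE sy-tcode.
  TRY.
      CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
    CATCH cx_sy_authorization_error INTO DATA(lx_auth).
      MESSAGE lx_auth->get_text( ) TYPE 'E'.
  ENDTRY.
ENDFORM.

START-OF-SELECTION.
  " On 7.40 or later prefer the kernel check; start_with_fm is the
  " equivalent for older releases (WITH AUTHORITY-CHECK does not compile there).
  PERFORM start_with_kernel_check USING p_tcode.
```

Both forms deny the start when the user lacks S_TCODE for the transaction or the start authorization maintained for it; the difference is only whether the result arrives as an exception number in sy-subrc or as a class-based exception.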
Golden Rule #2
Perform authority checks according to SAP standard functionality
General advice
 Always use functionality based on the ABAP statement AUTHORITY-CHECK in order to perform authorization checks.
(A common bad practice is to base authorization decisions on user names, e.g. comparing sy-uname against a hard-coded list.)
On average there are 187 hard-coded username checks in custom code.
Golden Rule #3
Check the result of an authority check
General advice
 Always check the result in sy-subrc after you perform an AUTHORITY-CHECK. A sy-subrc of zero means the user has sufficient authorization. Any non-zero value must be treated as "not authorized": 4 means the user lacks the authorization, and higher values indicate a defective check (for example an unknown object or a wrong field name).
 Since other ABAP statements also set sy-subrc, make sure to evaluate sy-subrc *immediately* after the AUTHORITY-CHECK, before any SELECT, CALL FUNCTION, READ TABLE or similar statement can overwrite it.
On average there are 13 broken authority checks in custom code.
Golden Rule #4
Perform authority checks for the user that is actually logged on
General advice
 Only check the authorization of the currently logged-on user, i.e. do not use the optional addition FOR USER. If the user name passed to FOR USER is under the caller's control, the check can be satisfied by naming any user who holds the authorization.
On average there are 2 ‘alias’ authority checks in custom code.
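An added example, not part of the original slides, that contrasts a release routine violating rules 2, 3 and 4 with a corrected one. The custom authorization object Z_PO_REL (fields EKORG and ACTVT), the report name and the placeholder release action are assumptions; EKKO is the SAP standard purchasing-document header table.

```abap
REPORT zsec_auth_check_demo.

CLASS lcl_po_release DEFINITION.
  PUBLIC SECTION.
    " Anti-pattern, kept only for contrast: violates rules 2, 3 and 4.
    CLASS-METHODS release_insecure
      IMPORTING iv_ebeln     TYPE ekko-ebeln
                iv_requester TYPE sy-uname.
    " Corrected version: returns abap_true only if the order was released.
    CLASS-METHODS release_secure
      IMPORTING iv_ebeln           TYPE ekko-ebeln
      RETURNING VALUE(rv_released) TYPE abap_bool.
  PRIVATE SECTION.
    CLASS-METHODS do_release IMPORTING iv_ebeln TYPE ekko-ebeln.
ENDCLASS.

CLASS lcl_po_release IMPLEMENTATION.
  METHOD release_insecure.
    DATA: lv_ekorg TYPE ekko-ekorg,
          lv_bukrs TYPE ekko-bukrs.
    " Rule 2 violation: authorization derived from a user name. Invisible to
    " the role administrator and still valid after the person changes job.
    IF sy-uname = 'ADMIN'.
      do_release( iv_ebeln ).
      RETURN.
    ENDIF.
    SELECT SINGLE ekorg FROM ekko INTO lv_ekorg WHERE ebeln = iv_ebeln.
    " Rule 4 violation: FOR USER checks whatever user name the caller passes,
    " so an RFC caller simply names a user who holds the authorization.
    AUTHORITY-CHECK OBJECT 'Z_PO_REL' FOR USER iv_requester
      ID 'EKORG' FIELD lv_ekorg
      ID 'ACTVT' FIELD '02'.
    " Rule 3 violation: this SELECT overwrites sy-subrc before it is evaluated,
    " so the IF below tests whether the header row exists, not the authorization.
    SELECT SINGLE bukrs FROM ekko INTO lv_bukrs WHERE ebeln = iv_ebeln.
    IF sy-subrc = 0.
      do_release( iv_ebeln ).
    ENDIF.
  ENDMETHOD.

  METHOD release_secure.
    DATA lv_ekorg TYPE ekko-ekorg.
    rv_released = abap_false.
    SELECT SINGLE ekorg FROM ekko INTO lv_ekorg WHERE ebeln = iv_ebeln.
    IF sy-subrc <> 0.
      RETURN.                                " unknown purchase order
    ENDIF.
    " Rule 2: AUTHORITY-CHECK instead of a name comparison.
    " Rule 4: no FOR USER, so the logged-on user (sy-uname) is checked.
    " Rule 6: every field of Z_PO_REL is named; ACTVT '02' = change.
    AUTHORITY-CHECK OBJECT 'Z_PO_REL'
      ID 'EKORG' FIELD lv_ekorg
      ID 'ACTVT' FIELD '02'.
    " Rule 3: sy-subrc is evaluated by the very next statement. 4 means
    " "no authorization"; higher values mean the check itself is defective
    " (unknown object, wrong field name) and must deny access as well.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    do_release( iv_ebeln ).
    rv_released = abap_true.
  ENDMETHOD.

  METHOD do_release.
    " Placeholder for the real release logic (assumption for this example).
    WRITE: / 'Purchase order', iv_ebeln, 'released by', sy-uname.
  ENDMETHOD.
ENDCLASS.

PARAMETERS p_ebeln TYPE ekko-ebeln.

START-OF-SELECTION.
  IF lcl_po_release=>release_secure( p_ebeln ) = abap_false.
    MESSAGE e398(00) WITH 'Release of purchase order' p_ebeln 'denied'.
  ENDIF.
```

In release_insecure, a user who may display the document but has no Z_PO_REL authorization still reaches do_release, because the second SELECT sets sy-subrc to 0 before the IF sees it; release_secure cannot be reached that way, and the decision is visible to whoever maintains the roles.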
Golden Rule #5
Always use APIs instead of AUTHORITY-CHECK, if they exist
General advice
 Always use the specialized API function modules for authorization checks where SAP provides them, instead of coding the AUTHORITY-CHECK yourself.
Specific advice
 Use AUTHORITY_CHECK_TCODE instead of a direct check on S_TCODE
 Use AUTHORITY_CHECK_DATASET instead of direct checks on S_DATASET / S_PATH
On average there are 92 insufficient authority checks in custom code.
Golden Rule #6
Declare all fields of the authorization object
General advice
 Declare every field of the authorization object in the AUTHORITY-CHECK statement. A field that is simply omitted is not checked at all, and a reader cannot tell whether that was intended.
Specific advice
 Always make sure to specify all fields of the authorization object you check.
 If there are fields you deliberately don't want to check, mark them as DUMMY in order to make your intention explicit.
No meaningful statistical information available at this time.
Golden Rule #7
Don't use DUMMY values in important fields
General advice
 Do not use DUMMY for security-relevant authorization fields such as ACTVT. A DUMMY field is not checked at all, so a user passes the check with any activity, e.g. display authorization is then enough to change or delete.
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
Golden Rule #8
Don't program privileging authorization checks
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'    " Privileging: only a user whose DEVCLASS authorization is literally '*' passes
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY        " Field not required in this context
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ENDIF.
General advice
 Avoid '*' values in authorization fields. A check against '*' is only satisfied by an authorization that itself contains '*', so it forces administrators to grant unnecessarily high privileges (here: S_DEVELOP for every package) to every user who needs the function.
On average there are 2 privileging authority checks (ACTVT) in custom code.
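The hardened counterpart of the check on this slide, added here as an example (not from the original deck) that serves rules 6, 7 and 8 together. The report name is an assumption; S_DEVELOP, the object directory TADIR and message 00 398 are SAP standard.

```abap
REPORT zsec_read_report_demo.

PARAMETERS p_prog TYPE tadir-obj_name DEFAULT 'ZSEC_READ_REPORT_DEMO'.

DATA: lv_devclass TYPE tadir-devclass,
      lt_code     TYPE STANDARD TABLE OF string,
      lv_lines    TYPE i.

" Rule 8: derive the package from the object directory instead of checking
" DEVCLASS against '*'. A literal '*' in the check is only satisfied by an
" authorization whose DEVCLASS value is itself '*', so administrators would
" have to grant S_DEVELOP for every package in the system.
SELECT SINGLE devclass FROM tadir INTO lv_devclass
  WHERE pgmid    = 'R3TR'
    AND object   = 'PROG'
    AND obj_name = p_prog.
IF sy-subrc <> 0.
  MESSAGE e398(00) WITH 'Program' p_prog 'not found in TADIR'.
ENDIF.

" Rule 6: all five fields of S_DEVELOP are named, so the reader sees exactly
" what is checked. A field that is left out is not checked at all, which is
" why the unused one is marked DUMMY rather than omitted.
" Rule 7: ACTVT is checked explicitly ('03' = display); a DUMMY here would
" let anyone with any activity on the package read the source.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_devclass
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD p_prog
  ID 'P_GROUP'  DUMMY                 " program authorization group: irrelevant here
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc <> 0.                     " Rule 3: evaluated immediately
  MESSAGE e398(00) WITH 'No display authorization for' p_prog.
ENDIF.

READ REPORT p_prog INTO lt_code.
IF sy-subrc = 0.
  lv_lines = lines( lt_code ).
  WRITE: / 'Read', lv_lines, 'source lines of', p_prog.
ENDIF.
```

With the package taken from TADIR, an administrator can grant S_DEVELOP with DEVCLASS = 'Z*' (or a single package) and ACTVT = '03' to the people who need this report, rather than the developer-level wildcard the original check demands.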
Golden Rule #9
Make authorization checks early in your business logic
General advice
 If an authorization check is required for a given piece of business logic, perform it as early as possible, before any data is read or modified, rather than after part of the work has already been done.
No meaningful statistical information available at this time.
Golden Rule #10
Perform authorization checks in order to avoid dumps
Specific advice
 Always check the S_DATASET and S_PATH authorizations (function module AUTHORITY_CHECK_DATASET) before you open a server-side file. The kernel checks them implicitly on OPEN DATASET, but a failed implicit check terminates the program with a runtime error (short dump) instead of a handled error.
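An added example (not from the slides) of the explicit check before a server-side file is read. The report name and the file path are assumptions; AUTHORITY_CHECK_DATASET, its activity values and the runtime error OPEN_DATASET_NO_AUTHORITY are SAP standard.

```abap
REPORT zsec_open_dataset_demo.

" Path is an assumption for this example; in real code it would come from
" a logical file name (FILE_GET_NAME) rather than a hard-coded string.
PARAMETERS p_file TYPE c LENGTH 128 LOWER CASE
  DEFAULT '/usr/sap/trans/data/zexport.csv'.

DATA lv_line TYPE string.

" Without this call a user lacking S_DATASET (or S_PATH, if the directory is
" listed in table SPTH) triggers the runtime error OPEN_DATASET_NO_AUTHORITY,
" i.e. a short dump, when OPEN DATASET executes. Activity values are READ,
" WRITE, DELETE, READ_WITH_FILTER and WRITE_WITH_FILTER (constants SABC_ACT_*).
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid       " compared with S_DATASET field PROGRAM
    activity         = 'READ'
    filename         = p_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.                     " Rule 3: evaluated immediately
  MESSAGE e398(00) WITH 'No authorization to read' p_file.
ENDIF.

" Only reached for a user who holds the authorization, so the implicit
" kernel check inside OPEN DATASET cannot fail any more.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE e398(00) WITH 'Cannot open' p_file.
ENDIF.
DO.
  READ DATASET p_file INTO lv_line.
  IF sy-subrc <> 0.
    EXIT.
  ENDIF.
  WRITE: / lv_line.
ENDDO.
CLOSE DATASET p_file.
```

The same pattern applies to FOR OUTPUT (activity WRITE) and DELETE DATASET (activity DELETE); the explicit call turns an unhandled termination into an ordinary error message that can be logged and reported.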
No meaningful statistical information available at this time.
Further Information
Blog Post “Ten golden rules for ABAP authorization checks”
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
Twitter: @codeprofiler
Thank you for your attention
Andreas Wiegenstein
CTO
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained
in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
This document is provided without a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document.
No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.
© 2014 Virtual Forge GmbH.

 
Develop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANADevelop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANAVirtual Forge
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenVirtual Forge
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 
How to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a buttonHow to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a buttonVirtual Forge
 
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...Virtual Forge
 
Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?Virtual Forge
 
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?Virtual Forge
 
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...Virtual Forge
 
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...Virtual Forge
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsVirtual Forge
 
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Virtual Forge
 
Die Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitDie Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitVirtual Forge
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Virtual Forge
 
ABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesVirtual Forge
 
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Virtual Forge
 

More from Virtual Forge (19)

How the U.S. Department of Defense Secures Its Custom ABAP Code
How the U.S. Department of Defense Secures Its Custom ABAP CodeHow the U.S. Department of Defense Secures Its Custom ABAP Code
How the U.S. Department of Defense Secures Its Custom ABAP Code
 
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
How Pratt & Whitney Streamlined Their ABAP Security and Quality Code Review P...
 
SAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New RisksSAP HANA Security: New Technology, New Risks
SAP HANA Security: New Technology, New Risks
 
Stabile und performante Anwendungen für SAP HANA entwickeln
Stabile und performante Anwendungen für SAP HANA entwickelnStabile und performante Anwendungen für SAP HANA entwickeln
Stabile und performante Anwendungen für SAP HANA entwickeln
 
Develop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANADevelop Stable, High-Performance Applications for SAP HANA
Develop Stable, High-Performance Applications for SAP HANA
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?
 
How to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a buttonHow to assess the risks in your SAP systems at the push of a button
How to assess the risks in your SAP systems at the push of a button
 
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
Case Study: Ensuring the Quality and Security of Custom SAP Applications at t...
 
Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?Uninvited Guests: Why do hackers love our SAP landscapes?
Uninvited Guests: Why do hackers love our SAP landscapes?
 
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
Ungebetene Gäste: Warum lieben Hacker aus aller Welt unsere SAP Landschaften?
 
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
Case Study: Automated Code Reviews In A Grown SAP Application Landscape At EW...
 
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
Case Study: Automatisierte Code Reviews in einer gewachsenen SAP-Applikations...
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP Environments
 
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
Case Study: ABAP Development Life Cycle and Governance at THE GLOBE AND MAIL ...
 
Die Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP SicherheitDie Top 5 Mythen der SAP Sicherheit
Die Top 5 Mythen der SAP Sicherheit
 
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber At...
 
ABAP Code Qualität - Best Practices
ABAP Code Qualität - Best PracticesABAP Code Qualität - Best Practices
ABAP Code Qualität - Best Practices
 
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Vir...
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Recently uploaded (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

10 GOLDEN RULES FOR CODING AUTHORIZATION CHECKS IN ABAP

  • 2. SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage. March 18, Heidelberg. Ten golden rules for coding authorization checks in ABAP. Andreas Wiegenstein. Dr. Markus Schumacher.
  • 3. Andreas Wiegenstein (Twitter: @codeprofiler)
     Founder of Virtual Forge (Heidelberg), responsible for R&D
     SAP Security Researcher, active since 2003
     Received Credits from SAP for 66 reported 0-day Vulnerabilities
     Speaker at international Conferences
       SAP TechEd (USA & Europe), DSAG (Europe)
       BlackHat (Europe), Hack in the Box (Europe)
       Troopers (Europe), IT Defense (Europe), RSA (USA)
     Co-Author of „Sichere ABAP Programmierung" (SAP Press, 2009)
     Co-Author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)
     Created training class WDESA3 (ABAP Security) @ SAP University
    My car, my house, my boat, … I am with
  • 4. Authorizations in Custom Code. Ongoing survey, results as of March 12, 2014.
  • 5. Golden Rule #1: Perform authority checks
    General advice
     Check with your business department if (and which) authorizations are required in order to execute the business logic you provide.
     As a fallback, analyze code that is similar to your business process for authorization checks.
     If authority checks are required for your custom business logic, add them to your code.
    On average there are 866 missing authority checks in custom code.
  • 6. Golden Rule #1: Perform authority checks (cont'd)
    Specific advice
     Don't rely on S_RFC authorizations. They only determine *whether* a function module can be invoked remotely. They are by no means related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either...
     Don't rely on authorization groups assigned to reports. They are usually coarse-grained, as the same authorization group is used for multiple programs, and they are not necessarily related to the specific business logic of your custom code.
     Always check start authorizations when using CALL TRANSACTION, as no implicit start authorization check is performed by the kernel.
       Function module AUTHORITY_CHECK_TCODE
       Since release 7.40: CALL TRANSACTION … WITH AUTHORITY-CHECK
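The start authorization check before CALL TRANSACTION described on slide 6, written out as an added example; it is not code from the slides or from Virtual Forge. The report, form and parameter names are invented, the transaction code is supplied at runtime, and the second form assumes release 7.40 or later.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the slides): start authorization before
*& CALL TRANSACTION. Report, form and parameter names are invented; the
*& second form needs release 7.40 or later.
*&---------------------------------------------------------------------*
REPORT z_example_rule1_tcode.

PARAMETERS p_tcode TYPE sy-tcode OBLIGATORY.   " constructed input

START-OF-SELECTION.
  PERFORM call_with_api_check.

*----------------------------------------------------------------------*
* Variant 1 (any release): the S_TCODE check the kernel performs for a
* direct transaction start, requested explicitly through the API.
* Mapping the exception OK to 0 makes "sy-subrc = 0" mean authorized,
* the same convention AUTHORITY-CHECK uses.
*----------------------------------------------------------------------*
FORM call_with_api_check.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = p_tcode
    EXCEPTIONS
      ok     = 0
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 0.                 " evaluated immediately (rule #3)
    MESSAGE 'No start authorization for this transaction' TYPE 'E'.
  ENDIF.

  " Reached only with start authorization: CALL TRANSACTION itself does
  " not check S_TCODE.
  CALL TRANSACTION p_tcode.
ENDFORM.

*----------------------------------------------------------------------*
* Variant 2 (release 7.40 and later): the statement performs the check
* itself and raises CX_SY_AUTHORIZATION_ERROR when it fails, which the
* caller has to handle.
*----------------------------------------------------------------------*
FORM call_with_statement_check.
  TRY.
      CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK.
    CATCH cx_sy_authorization_error.
      MESSAGE 'No start authorization for this transaction' TYPE 'E'.
  ENDTRY.
ENDFORM.
```

AUTHORITY_CHECK_TCODE evaluates S_TCODE and, in addition, the authorization object assigned to the transaction in its SE93 definition, which is why the slides recommend it over a hand-written AUTHORITY-CHECK on S_TCODE (rule #5).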
  • 7. Golden Rule #2: Perform authority checks according to SAP standard functionality
    General advice
     Always use functionality based on the ABAP command AUTHORITY-CHECK in order to perform authorization checks. (A common bad practice is to base authorizations on usernames.)
    On average there are 187 hard-coded username checks in custom code.
  • 8. Golden Rule #3: Check the result of an authority check
    General advice
     Always check the result of sy-subrc after you perform an AUTHORITY-CHECK. sy-subrc with value zero means the authorization is sufficient.
     Since other ABAP commands also change sy-subrc, make sure to perform the sy-subrc check *immediately* after the AUTHORITY-CHECK.
    On average there are 13 broken authority checks in custom code.
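Rule #3 in code, as an added example that is not part of the slides: a broken check where another statement overwrites sy-subrc before it is evaluated, next to the correct form. Report, form and parameter names are invented; S_CARRID is SAP's flight-demo authorization object (fields CARRID and ACTVT) and SFLIGHT the matching demo table.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the slides): evaluating sy-subrc immediately
*& after AUTHORITY-CHECK. Names are invented; S_CARRID / SFLIGHT are the
*& SAP flight-demo authorization object and table.
*&---------------------------------------------------------------------*
REPORT z_example_rule3_subrc.

PARAMETERS p_carrid TYPE s_carr_id DEFAULT 'LH'.   " constructed input

DATA gt_flights TYPE STANDARD TABLE OF sflight WITH DEFAULT KEY.

START-OF-SELECTION.
  PERFORM correct_check.

*----------------------------------------------------------------------*
* Broken variant: the SELECT sits between AUTHORITY-CHECK and the
* sy-subrc evaluation and overwrites sy-subrc. A user WITHOUT S_CARRID
* authorization still gets the data whenever flights exist (SELECT sets
* sy-subrc = 0), and a user WITH authorization is rejected whenever no
* flights exist (SELECT sets sy-subrc = 4).
*----------------------------------------------------------------------*
FORM broken_check.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carrid
    ID 'ACTVT'  FIELD '03'.
  SELECT * FROM sflight INTO TABLE gt_flights
    WHERE carrid = p_carrid.
  IF sy-subrc <> 0.                  " tests the SELECT, not the check
    MESSAGE 'Not authorized' TYPE 'E'.
  ENDIF.
ENDFORM.

*----------------------------------------------------------------------*
* Correct variant: sy-subrc is evaluated in the very next statement, and
* the check guards the data access that follows it.
*----------------------------------------------------------------------*
FORM correct_check.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carrid
    ID 'ACTVT'  FIELD '03'.          " 03 = display
  IF sy-subrc <> 0.                  " 0 = sufficient authorization
    MESSAGE 'Not authorized to display this carrier' TYPE 'E'.
  ENDIF.

  SELECT * FROM sflight INTO TABLE gt_flights
    WHERE carrid = p_carrid.
  " ... display gt_flights
ENDFORM.
```

The broken form is the pattern behind the "13 broken authority checks" statistic: the check is present, but its result is never the value that is tested.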
  • 9. Golden Rule #4: Perform authority checks for the user that is actually logged on
    General advice
     Only check the authorization of the currently logged-on user (by avoiding the optional parameter FOR USER).
    On average there are 2 'alias' authority checks in custom code.
  • 10. Golden Rule #5: Always use APIs instead of AUTHORITY-CHECK, if they exist
    General advice
     Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.
    Specific advice
     Use AUTHORITY_CHECK_TCODE instead of S_TCODE
     Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH
    On average there are 92 insufficient authority checks in custom code.
  • 11. Golden Rule #6: Declare all fields of the authorization object
    General advice
     Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.
    Specific advice
     Always make sure to specify all fields of the authorization object you check.
     If there are fields you don't want to check, mark them as DUMMY in order to make your intentions explicit.
    No meaningful statistical information available at this time.
  • 12. Golden Rule #7: Don't use DUMMY values in important fields
    General advice
     Do not use DUMMY values in important authorization fields like 'ACTVT'.
    On average there are 8 DUMMY authority checks (ACTVT) in custom code.
  • 13. Golden Rule #8: Don't program privileging authorization checks

        AUTHORITY-CHECK OBJECT 'S_DEVELOP'
          ID 'DEVCLASS' FIELD '*'
          ID 'OBJTYPE'  FIELD 'PROG'
          ID 'OBJNAME'  FIELD lv_prog
          ID 'P_GROUP'  DUMMY " Field not required in this context
          ID 'ACTVT'    FIELD '03'.
        IF sy-subrc = 0.
          READ REPORT lv_prog INTO lt_code.
        ENDIF.

    General advice
     Avoid "*" values in authorization fields, as they force administrators to grant unnecessarily high privileges to users.
    On average there are 2 privileging authority checks (ACTVT) in custom code.
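A version of the S_DEVELOP check from slide 13 that follows rules #6, #7 and #8, as an added example (not from the slides or Virtual Forge). The report and parameter names are invented; the program's package is looked up in the repository catalogue TADIR so that the DEVCLASS field carries a concrete value instead of "*".

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the slides): S_DEVELOP check with all fields
*& declared (rule #6), a concrete ACTVT (rule #7) and no "*" (rule #8).
*& Report and parameter names are invented.
*&---------------------------------------------------------------------*
REPORT z_example_rule8_s_develop.

PARAMETERS p_prog TYPE progname OBLIGATORY.   " constructed input

DATA: gv_devclass TYPE tadir-devclass,
      gt_code     TYPE STANDARD TABLE OF string WITH DEFAULT KEY.

START-OF-SELECTION.
  " Rule #8: resolve the program's real package. Checking '*' instead
  " would only ever succeed for users who hold S_DEVELOP for ALL packages.
  SELECT SINGLE devclass FROM tadir INTO gv_devclass
    WHERE pgmid    = 'R3TR'
      AND object   = 'PROG'
      AND obj_name = p_prog.
  IF sy-subrc <> 0.
    MESSAGE 'Program not found in the repository' TYPE 'E'.
  ENDIF.

  " Rule #6: every field of S_DEVELOP is listed. P_GROUP is the only one
  " deliberately left unchecked, and DUMMY says so explicitly.
  " Rule #7: ACTVT carries the concrete activity (03 = display), not DUMMY.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD gv_devclass
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD p_prog
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '03'.
  " Rule #3: sy-subrc is evaluated right away.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this program' TYPE 'E'.
  ENDIF.

  " Reached only for users who may display programs in this package.
  READ REPORT p_prog INTO gt_code.
```

With DEVCLASS bound to the actual package, an administrator can grant S_DEVELOP display access per package; the "*" form on the slide would have forced a blanket S_DEVELOP grant to make the same code work.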
  • 14. Golden Rule #9: Make authorization checks early in your business logic
    General advice
     If an authorization check is required for a given business logic, it should be performed as early as possible.
    No meaningful statistical information available at this time.
  • 15. Golden Rule #10: Perform authorization checks in order to avoid dumps
    Specific advice
     Always make sure to test for S_DATASET and S_PATH authorizations before you open a server-side file.
    No meaningful statistical information available at this time.
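The file-access check of rule #10, done through the API that rule #5 (slide 10) recommends over a hand-written S_DATASET / S_PATH check, as an added example that is not from the slides. Report and parameter names are invented and the file path is supplied at runtime; the activity constants come from the standard type pool SABC.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the slides): AUTHORITY_CHECK_DATASET before
*& OPEN DATASET (rules #5 and #10). Report and parameter names invented.
*&---------------------------------------------------------------------*
REPORT z_example_rule10_dataset.

TYPE-POOLS sabc.   " sabc_act_read / sabc_act_write / sabc_act_delete

PARAMETERS p_file TYPE localfile LOWER CASE OBLIGATORY.  " constructed input

DATA: gv_line  TYPE string,
      gt_lines TYPE STANDARD TABLE OF string WITH DEFAULT KEY.

START-OF-SELECTION.
  " The API checks S_DATASET for the file and activity and, if the path
  " matches an entry maintained in table SPTH, S_PATH as well. Doing this
  " up front turns a missing authorization into a normal error message
  " instead of an unhandled authorization failure inside OPEN DATASET,
  " which ends in a short dump.
  CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
    EXPORTING
      activity         = sabc_act_read
      filename         = p_file
    EXCEPTIONS
      no_authority     = 1
      activity_unknown = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.                  " evaluated immediately (rule #3)
    MESSAGE 'No read authorization for this file' TYPE 'E'.
  ENDIF.

  " Only reached with S_DATASET (and, where applicable, S_PATH) present.
  OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  DO.
    READ DATASET p_file INTO gv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    APPEND gv_line TO gt_lines.
  ENDDO.
  CLOSE DATASET p_file.
```

Use sabc_act_write or sabc_act_delete for OPEN DATASET ... FOR OUTPUT and DELETE DATASET respectively, so that the activity checked matches the activity performed.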
  • 16. Further Information
    Blog Post "Ten golden rules for ABAP authorization checks"
    https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
  • 17. Thank you for your attention. Andreas Wiegenstein, CTO. Twitter: @codeprofiler
  • 18. MISSED THE BIZEC SAP SECURITY WORKSHOP AT TROOPERS14 CONFERENCE? CLICK HERE FOR A RETROSPECTIVE + ALL PRESENTATIONS FOR FREE DOWNLOAD
  • 19. Disclaimer
    SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH. © 2014 Virtual Forge GmbH.