Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Remote code analysis in ATC - Maintain exemptions approvers according to their responsibilities

OlgaDolinskaja
Product and Topic Expert
Product and Topic Expert
‎02-22-2022 1:07 PM

This is the twelfth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).

See also the blogs:

Motivation

If developers want to supress ATC findings from the ATC result list, they can create exemption requests for those findings, which have to be approved by a quality expert (see also the blog Remote Code Analysis in ATC – Working with Exemptions). Until now, while requesting an exemption a developer could choose any quality expert from the approver list, which was maintained by the ATC administrator in the SAP GUI transaction ATC.

For example, the hard-coded username can present a security risk and it appears as an error in the ATC result list:

While requesting the exemption for this ATC finding a developer can choose any approver from the list:

This list is maintained on the central ATC check system in the ATC transaction (under Exemptions->Maintain Approvers):

Especially in remote ATC scenario, if one central ATC system manages the quality of a number of local systems in the customer landscape, it can be useful in some cases to be able to specify the areas of responsibility of the approvers in more detail. For example you might want to assign some experts as approvers for a specific software component, an experienced security expert as an approver for security issues and so on.

This is now possible with the SAP Note 3128712 - Enabling a more flexible means of assigning exemption processing responsibilities.

How to maintain the areas of approver responsibilities

The ATC administrator can define areas of approver responsibilities on the central ATC check system in the ATC transaction under the Exemptions ->Maintain Approver Responsibilities:

Under the Responsibilities tab approvers can be assigned to the specific areas of responsibilities. It is also possible to assign one approver to multiple areas of responsibilities or several approvers can take care of the same area of responsibility. Under the Areas tab the areas are defined based on check groups (for ATC check specific aspects) and objects groups (for object specific aspects). The details of the groups are maintained in the respective tabs Check Groups and Object Groups.

Let’s take a closer look at this using our source code example containing the security issue with the hard-coded username. This source code example also contains another issue, related to the read access to the table without ORDER BY clause, which appears as a warning in the ATC result. We want to establish a security expert, who will be an approver for all ATC security related exemptions, and all other ATC exemptions should be approved by other selected approvers. Let’s start with the tab Responsibilities (you can start with any tab) and assign the user DOLINSKAJA as approver for security findings related exemptions and the users JUNG, EDER and BERND as approvers for all non-security issues (just click the “+” button and enter an approver and an area of responsibility):

Now you can define the SECURITY and NON-SECURITY responsibility areas by providing area name and description. For this example we want to focus our responsibilities areas on ATC security checks and not distinguish objects groups (just consider all objects):

Next, we will define the ONLY_CVA check group by providing name, description and the check class (of course it is possible to define more complex selection options by for example adding additional categories, using patterns in the Option column and so on):

Now we define analogous to the ONLY_CVA check group, the ALL_EXCEPT_CVA check group, containing all checks except of the security checks:

Finally, we define the object group, containing all objects (since we don’t distinguish object groups in this example):

Generally, there are more options for the definition of object groups. In the Selection Options area you can use as a selection option “System Group”, “Application Component” or “Software Component” or define objects namespaces using patterns:

After saving changes we click the Check button to validate all our entries. The warning below signalizes that we haven’t defined any selection options for the object group ALL. This is correct, but in our example it is not required. Since during definition process of approver responsibilities areas you do many inputs, you should always use the Check button to verify your changes.

Don’t forget to click the Save button to save all your changes.

Finally, the approver areas of responsibilities must be enabled in the ATC transaction (under the Basic Settings😞

Now developer can rerun the ATC over the source code example. If developer now requests an exemption for the security finding, only the security expert will be suggested as approver in the Request Exemption wizard:

If developer requests an exemption for another ATC finding (read access to the table without ORDER BY clause), then the approvers of the NON-SECURITY responsibility area will be suggested:

Of course you can continue the definition and for example assign the security expert as approver for all other responsibility areas or restrict the responsibility of the security expert to a certain software component and so on.

How to extend the selection options for check groups and object groups

For the check groups we consider currently only the Check Class as a selection options category. You may want to expand this in order for example to differentiate non-security checks on the ATC message level. For such use cases there is the possibility to extend the check group selection criteria over the BAdI:

You can then create your BAdI and implement the interface IF_SATC_CI_CGRP_FILTER. This interface has only one method IS_PART_OF_GROUP, which gets as input the information about check name and message code, and you can use this information to override the selection options of the check group with your own aspects.

In the same way you can extend the object group by creating the BAdI for the object group and implementing the corresponding interface IF_SATC_CI_OGRP_FILTER:

There you get more information as input from the IF_SATC_CI_XMPT_OBJECT_INFO interface, for example object type, object name, system group and so on. Thus, you can use more criteria for the object group definition, for example define the object group containing objects older then a specific date or objects from a specific system and so on.

In this way you can flexibly override the selection options of a check group or/and an object group with your own BAdIs.

9 Comments
IanStubbings
Active Participant
‎03-23-2022 12:19 PM

Hi Olga

Thanks for your continued work on the ATC. This new functionality is very interesting to us.

On checking the OSS note though, do I correctly understand that the satellite systems need prerequisite notes applying and the system needs to be at least on 7.40?

Thanks

Ian

OlgaDolinskaja
Product and Topic Expert
Product and Topic Expert
‎03-23-2022 12:45 PM
Hi Ian,

yes, your understanding is correct.

Best regards,

Olga.
IanStubbings
Active Participant
‎06-06-2023 10:43 AM
Hi Olga

We now have a system where I can test this out (S/4 HANA 2022 SP1 on premise) but facing an issue where no approvers are shown in the dropdown list. This was the case before configuring Maintaining the Approver Responsibilities and now also after as well.

 


 

When typing in the same username as the exemption creator, it validates it (Error relating to 4 eyes for example), so clearly it is there but just not shown. When typing in a different user (also in the approver list and showing as 'green' in terms of auth check), it also validates this and says 'Approver or area does not exist'.

Can you advise?

Thanks

Ian
niba1
Employee
Employee
‎06-06-2023 2:14 PM
Hello Ian,

could you please check if the latest version of note 3053248 is implemented in your system. This should solve some known issues with the value help. In case you are using a remote scenario the note needs to be applied in the central check system and in the checked systems.

If this does not solve your issue we will probably need system access to analyze this further. In that case I would ask you to open a ticket on component BC-DWB-TOO-ATF.

Regards,
Nils
IanStubbings
Active Participant
‎06-06-2023 2:49 PM
0 Kudos
Thanks niba . I'll check out the note and report back.

Regards

Ian
IanStubbings
Active Participant
‎06-09-2023 2:13 PM
0 Kudos
Hi Nils

We have attempted to apply the 3053248 note but the search help SATC_CI_APROVER_ONLY_SHLP does not exist on our system. We are raising a request for component BC-DWB-TOO-ATF as suggested.

Thanks

Ian

 
IanStubbings
Active Participant
‎07-22-2023 6:34 PM
0 Kudos
Hi Olga

Will this functionality be included in the Cloud ATC version in the near future?

Thanks

Ian
OlgaDolinskaja
Product and Topic Expert
Product and Topic Expert
‎07-24-2023 8:29 AM
0 Kudos
Hi Ian,

the approver areas for exemptions will come later, not before the 2405 release.

Kind Regards,

Olga.
IanStubbings
Active Participant
‎07-24-2023 8:32 AM
Hi Olga

Ok. Thanks. Good to know it is on the backlog though 🙂

Regards

Ian
Labels in this area
Popular Blog Posts