Security Guide for ADK-Based Data Archiving

ADK (Archive Development Kit) is an established ABAP technology used for data archiving. It is employed to extract dormant data from growing databases and provide long-term access to this archived data. For data archiving for JAVA applications and XML-oriented ABAP applications, SAP has developed a new technology. For more information on security aspects related to XML-based archiving see Security Guide for XML-Based Data Archiving.

ADK-based archiving relies on two main elements, which are used for the development and administration of archiving solutions: Archive Development Kit (ADK) and Archive Administration (transaction SARA).  ADK and SARA are part of the standard SAP Web Application Server. ADK is the Application Programming Interface used by the applications to develop archiving solutions, while Archive Administration (transaction SARA) is used mainly by data archiving administrators to manage all tasks related to data archiving, including job scheduling and management, writing, reading and deletion of data, as well as Customizing.

Technical System Landscape: Security-Relevant Interfaces

The following figure shows the different elements involved in ADK-based data archiving, and the interfaces that connect these elements.

From a security point of view, the interfaces shown in the figure can be described as follows:

·        Interfaces 1: End user and data archiving administrator accessing the ABAP application system, Archive Administration (transaction SARA), and the Archive Information System (SAP AS).

·        Interfaces 2: File system interface for ABAP applications.

·        Interface 3: ArchiveLink interfaces.

Interface 1

Here end users and data archiving administrators access the ABAP application system and use Archive Administration (transaction SARA) and the Archive Information System (SAP AS).

·        Archive Administration

There are two levels of security checks involved for end users and administrators trying to execute archiving programs. Within Archive Administration (transaction SARA) and on the ADK side authorization object S_ARCHIVE checks what kind of authorization the user or administrator has, when ADK detects that a write, delete, read or reload action is being started. It is possible to make S_ARCHIVE more application specific by using an archiving object as one of its parameters. 

On the application side it is possible to restrict authorization further, to certain fields, for example. This is mainly valid for display functions and depends on the application.

For more information about S_ARCHIVE, see User Authorization Checks under the ADK documentation.

·        Archive Information System

Ў        A specific authorization object does not exist for the Archive Information System, because it is a generic tool used by different applications. The following authorizations are needed as part of SAP AS:

§         Transaction SARI: for transaction SARI you need the authorization

S_ARCHIVE[ACTVT -> 3; APPLIC -> applic; ARCH_OBJ -> object]

object is the archiving object to which the infostructure belongs. applic is the application area belonging to the archiving object, which can be found in the field of transaction AOBJ.

§         Creating or changing infostructures: authorizations

S_TABU_DIS[ACTVT->02; DICBERCLS-> BS]
S_TABU_CLI[CLIIDMAINT->X]

For the transport of the changes

S_TRANSPRT[TTYPE->UPGR; ACTVT->70]

§         Activating an infostructure, filling or deleting infostructures: authorizations

S_ARCHIVE[ACTVT-> 02; APPLIC-> applic; ARCH_OBJ-> object,]

Ў        Display of data in Archive Explorer: As mentioned, SAP AS is a generic tool and it is therefore not possible to deliver application-specific authorization checks for the display of data from the archive information structure, either. It is, however, possible to implement user exits to run application-specific authorization checks (see SAP Notes listed below).

Ў        For the technical view the system runs the same authorization check for displaying data, as the Data Browser (transaction SE16).

Ў        For business views, also called application-specific views, the authorization check of the corresponding application is run, before data can be displayed.

For more detailed information on the above-named points see the following SAP Notes:

175901 – Insufficient authorization checks in the Archive Information System

156336 -  Authorization object S_ARCHIVE for status management

Interface 2

This is the interface between the ABAP application system and the file system. During ADK-based data archiving archive files are written to a file system. Here the relevant security aspects focus on the following issues:

·        Protection against exchange and corruption of archive files

During the write session ADK creates and saves the name of the archive file, under which it is written to the file system.  Later this name is used for read accesses to the archive file.

To ensure that the file being accessed is the original file under the correct name, ADK creates an additional file key that is saved within the archive file. This then ensures that the file you are accessing is the file that was originally written to the file system.

To ensure that the file being accessed has not been modified in any way, you can use check sums. These are used during the write phase and should be switched on for the read, delete and reload programs, as well. You can switch on these checks in Cross-Archiving-Object Customizing under Check Access for Archive Selection.

·        Protection against unauthorized read accesses to archive files

There are three levels where unauthorized accesses to archive files are prevented:

Ў        Operating System – access to archive files created by ADK is only granted to the technical SAP system user known to the Operating System.

For more information see Operating System Security.

Ў        Authorization object S_DATASET – this authorization object checks that the SAP user has the necessary authorizations to be able to read files from an SAP system.

Ў        SAP-specific file format – ADK creates archive files in an SAP-specific compressed file format, which can only be read within an SAP system.

Interface 3

The ArchiveLink interfaces are used as a communication interface between SAP Web AS and storage systems. It facilitates the transfer of archive files to storage systems. For more information on this topic see ArchiveLink or Content Management System.