
Accessing SAP Tables

by Thomas G. Schuessler | SAPinsider

July 1, 2002

by Thomas G. Schuessler, ARAsoft SAPinsider - 2002 (Volume 3), July (Issue 3)
 

I hope that we all agree that the best way to access SAP data is via BAPIs. But sometimes you will find that no BAPI exists (at least in the SAP release you are using) that provides the data you need. In this article, I will look at some of the different ways in which you can deal with this situation. I will limit the scope to read-only access.

Option 1: Write Your Own RFM/BAPI

BAPIs are RFC-enabled Function Modules (RFMs) that are defined in the Business Object Repository (BOR) and follow the rules of the SAP BAPI Programming Guide. Once you have created an RFM adhering to the BAPI rules, it is not much extra effort to add the RFM to the BOR by using the BAPI Wizard in transaction code SWO1.

Writing your own RFM or BAPI to read data from the SAP database is actually not very difficult, as long as you know ABAP (or someone who knows ABAP). You define an interface with the required selection parameters and result table(s), add some ABAP code (mainly one or more SELECT statements), and you are almost there.

The biggest challenge is to do the proper authorization check. In ABAP, there is no global authorization check defined for a database table. You need to find out which authorization(s) ought to be checked and add the appropriate ABAP statements. If you are not an expert in the particular SAP module to which the table(s) you want to retrieve belong, you should talk to an experienced application consultant.

To show you that writing a data retrieval RFM is really not that difficult, I have created a simple function (see Listing 1 below) that retrieves the clients from SAP, allowing you to optionally select only the clients of a particular category (production, training, etc.). The only thing missing is the authorization check, but this table does not seem very security-sensitive (and also it is Saturday and I do not know where my application consultant is…).

FUNCTION Z_CLIENTS_GETLIST.
*"----------------------------------------------------------------------
*"*"Local interface:
*"  IMPORTING
*"     REFERENCE(CATEGORY) LIKE  T000-CCCATEGORY DEFAULT SPACE
*"  EXPORTING
*"     REFERENCE(RETURN) LIKE  BAPIRET2 STRUCTURE  BAPIRET2
*"  TABLES
*"      CLIENTS STRUCTURE  T000 OPTIONAL
*"----------------------------------------------------------------------

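* NOTE: no AUTHORITY-CHECK is performed before the data is read (see text).
* Without a category, return all clients.
if category is initial.
  select * from T000 into table clients.
else.
* Otherwise return only the clients of the requested category.
  select * from T000 into table clients where CCCATEGORY = category.
endif.
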
ENDFUNCTION.
Listing 1 Function Z_CLIENTS_GETLIST
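
The authorization check that Listing 1 leaves out could look like the following; this is an added example, not the author's code. The function name Z_CLIENTS_GETLIST_CHK, the hard-coded message text, and the choice of the generic table-display object S_TABU_DIS as the authorization to check are assumptions; for application tables the right object has to come from someone who knows the module, as described above.

```abap
FUNCTION Z_CLIENTS_GETLIST_CHK.
*"----------------------------------------------------------------------
*"*"Local interface:
*"  IMPORTING
*"     VALUE(CATEGORY) LIKE  T000-CCCATEGORY DEFAULT SPACE
*"  EXPORTING
*"     VALUE(RETURN) LIKE  BAPIRET2 STRUCTURE  BAPIRET2
*"  TABLES
*"      CLIENTS STRUCTURE  T000 OPTIONAL
*"----------------------------------------------------------------------
* Hypothetical variant of Listing 1. Parameters are passed by value,
* as required for a remote-enabled function module.

  DATA: l_group LIKE tddat-cclass.

  CLEAR return.
  REFRESH clients.

* Look up the authorization group assigned to T000 in TDDAT.
* Tables without an assignment fall into the group '&NC&'.
  SELECT SINGLE cclass FROM tddat INTO l_group
    WHERE tabname = 'T000'.
  IF sy-subrc <> 0 OR l_group IS INITIAL.
    l_group = '&NC&'.
  ENDIF.

* Check display authorization (activity 03) for that group against
* the calling user before any data is read.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD l_group
    ID 'ACTVT'     FIELD '03'.

  IF sy-subrc <> 0.
*   Not authorized: report through RETURN and hand back no rows.
    return-type    = 'E'.
    return-message = 'No authorization to display table T000'.
  ELSEIF category IS INITIAL.
    SELECT * FROM t000 INTO TABLE clients.
  ELSE.
    SELECT * FROM t000 INTO TABLE clients
      WHERE cccategory = category.
  ENDIF.

ENDFUNCTION.
```

Because the table name is fixed in the code, a caller who passes this check can read T000 only, which is the difference from a general-purpose table reader.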

Option 2: Access the Relational Database Directly

SAP uses standard relational databases like SQL Server and DB2 (and there is this other one, the name of which eludes me for the moment). Almost all SAP data is stored in transparent format so that you can access the tables directly using standard SQL or anything based on it (ODBC, JDBC, etc.). Remember that we are talking about read-only access; updating tables directly from outside SAP is definitely not recommended!

The biggest disadvantages of reading the tables directly are:

  • You need to define authorizations directly in the database. Since there are thousands of tables in an SAP database, this requires additional administrative effort.

  • You do not benefit from the database buffering in SAP.

If you are willing to maintain the additional authorizations, though, then this is a viable alternative to writing your own RFM/BAPI.

Option 3: Use RFC_READ_TABLE

I have received numerous inquiries about this RFM in the past. Do we really need to write our own RFM/BAPI if there is a general-purpose table reader? I believe that you should be very hesitant to use this RFM for the following reasons:

  • To be able to run this RFM, a user needs the same authorizations that are required by the universal Data Browser (SE16). This means that a user capable of calling RFC_READ_TABLE can view any(!) table in SAP. If you believe that anybody but an auditor should have this kind of access in a production system, our views of security are totally incompatible.

  • For some tables, RFC_READ_TABLE does not work at all.

  • The width of the data being returned is formally limited to 512 bytes (and is even lower in reality, for reasons unbeknownst to me).

Given the very sensitive security issues associated with this RFM, I recommend that it is only used in special applications. One good example would be a tool for auditors to verify that nobody in a production system has extensive authorizations that should not be available to any single person in that combination. For this analysis you need access to quite a few tables for which there are no RFMs or BAPIs. And auditors by definition are employees with a very high level of trust.

My Recommendation

Writing your own data retrieval RFM or BAPI really does not take that much effort. In most scenarios it would be my preferred solution.

If you want to build an auditing tool or something similar, though, and would like an easy-to-use Java component that facilitates access to RFC_READ_TABLE and knows how to work around most of its limitations, send me an email.


Thomas G. Schuessler is the founder of ARAsoft (www.arasoft.de), a company offering products, consulting, custom development, and training to a worldwide base of customers. The company specializes in integration between SAP and non-SAP components and applications. ARAsoft offers various products for BAPI-enabled programs on the Windows and Java platforms. These products facilitate the development of desktop and Internet applications that communicate with R/3. Thomas is the author of SAP’s BIT525 “Developing BAPI-enabled Web Applications with Visual Basic” and BIT526 “Developing BAPI-enabled Web Applications with Java” classes, which he teaches in Germany and in English-speaking countries. Thomas is a regularly featured speaker at SAP TechEd and SAPPHIRE conferences. Prior to founding ARAsoft in 1993, he worked with SAP AG and SAP America for seven years. Thomas can be contacted at thomas.schuessler@sap.com or at tgs@arasoft.de.
