I hope that we all agree that the best way to access SAP data is via
BAPIs. But sometimes you will find that no BAPI exists (at least in the
SAP release you are using) that provides the data you need. In this article,
I will look at some of the different ways in which you can deal with this
situation. I will limit the scope to read-only access.
Option 1: Write Your Own RFM/BAPI
BAPIs are RFC-enabled Function Modules
(RFMs) that are defined in the Business Object Repository (BOR) and follow
the rules of the SAP BAPI Programming Guide. Once you have created an
RFM adhering to the BAPI rules, it is not much extra effort to add the
RFM to the BOR by using the BAPI Wizard in transaction code SWO1.
Writing your own RFM or BAPI to read data
from the SAP database is actually not very difficult, as long as you know
ABAP (or someone who knows ABAP). You define an interface with the required
selection parameters and result table(s), add some ABAP code (mainly one
or more SELECT statements), and you are almost there.
The biggest challenge is to do the proper
authorization check. In ABAP, there is no global authorization check defined
for a database table. You need to find out which authorization(s) ought
to be checked and add the appropriate ABAP statements. If you are not
an expert in the particular SAP module to which the table(s) you want
to retrieve belong, you should talk to an experienced application consultant.
To show you that writing a data retrieval
RFM is really not that difficult, I have created a simple function (see
Listing 1 below) that retrieves the clients from SAP, allowing
you to optionally select only the clients of a particular category (production,
training, etc.). The only thing missing is the authorization check, but
this table does not seem very security-sensitive (and also it is Saturday
and I do not know where my application consultant is…).
*" REFERENCE(CATEGORY) LIKE T000-CCCATEGORY DEFAULT SPACE
*" REFERENCE(RETURN) LIKE BAPIRET2 STRUCTURE BAPIRET2
*" CLIENTS STRUCTURE T000 OPTIONAL
if category is initial.
select * from T000 into table clients.
select * from T000 into table clients where CCCATEGORY = category.
Option 2: Access the Relational Database Directly
SAP uses standard relational databases like SQL Server and DB2 (and there
is this other one, the name of which eludes me for the moment). Almost
all SAP data is stored in transparent format so that you can access the
tables directly using standard SQL or anything based on it (ODBC, JDBC,
etc.). Remember that we are talking about read-only access only; updating
tables directly from without SAP is definitely not recommended!
The biggest disadvantages of reading the
tables directly are:
- You need to define authorizations directly in the database. Since
there are thousands of tables in an SAP database, this requires additional
- You do not benefit from the database buffering in SAP.
If you are willing to maintain the additional
authorizations, though, then this is a viable alternative to writing your
Option 3: Use RFC_READ_TABLE
I have received numerous inquiries about this RFM in the past. Do we
really need to write our own RFM/BAPI if there is a general-purpose table
reader? I believe that you should be very hesitant to use this RFM for
the following reasons:
- To be able to run this RFM, a user needs the same authorizations that
are required by the universal Data Browser (SE16). This means that a
user capable of calling RFC_READ_TABLE can view any(!) table in SAP.
If you believe that anybody but an auditor should have this kind of
access in a production system, our views of security are totally incompatible.
- For some tables, RFC_READ_TABLE does not work at all.
- The width of the data being returned is formally limited to 512 bytes
(and is even lower in reality, for reasons unbeknownst to me).
Given the very sensitive security issues
associated with this RFM, I recommend that it is only used in special
applications. One good example would be a tool for auditors to verify
that nobody in a production system has extensive authorizations that should
not be available to any single person in that combination. For this analysis
you need access to quite a few tables for which there are no RFMs or BAPIs.
And auditors by definition are employees with a very high level of trust.
Writing your own data retrieval RFM or BAPI really does not take that
much effort. In most scenarios it would be my preferred solution.
If you want to build an auditing tool or
something similar, though, and would like an easy-to-use Java component
that facilitates access to RFC_READ_TABLE and knows how to work around
most of its limitations, send me an email.
G. Schuessler is the founder of ARAsoft
a company offering products, consulting, custom
development, and training to a worldwide base
of customers. The company specializes in integration
between SAP and non-SAP components and applications.
ARAsoft offers various products for BAPI-enabled
programs on the Windows and Java platforms.
These products facilitate the development of
desktop and Internet applications that communicate
with R/3. Thomas is the author of SAP’s
BAPI-enabled Web Applications with Visual Basic” and
BAPI-enabled Web Applications with Java” classes,
which he teaches in Germany and in English-speaking
countries. Thomas is a regularly featured speaker
at SAP TechEd and SAPPHIRE conferences. Prior
to founding ARAsoft in 1993, he worked with
SAP AG and SAP America for seven years. Thomas
can be contacted at firstname.lastname@example.org or