LiveCompare: Restricting Access to Sensitive Tables with the Tables Blacklist

LiveCompare extracts SAP application data using a set of proprietary remote function calls (RFC) developed in ABAP and deployed in each SAP application server to be analysed. To invoke an RFC, LiveCompare must first authenticate with the SAP application server. The user account used by LiveCompare is subject to SAP authorisations. It is impossible for LiveCompare to access data that it hasn’t expressly been granted access to.

Historically, if a user wanted to exclude sensitive tables from LiveCompare, they would have to modify the SAP authorisations, and users have asked us for a simpler way to accomplish this inside LiveCompare. Modifying the authorisations often meant creating two user accounts:

  1. Account A – access to all tables
  2. Account B – limited access to tables

Then, in LiveCompare, an RFC destination is created for each account. Finally, two projects are created to segregate access to the RFC destinations and thus the sensitive tables.

The soon-to-be-released LiveCompare 3.8 release 4 simplifies this by adding a “tables blacklist” feature per RFC destination. Now users can effectively hide sensitive tables from LiveCompare users without having to mess about with their SAP account authorisations.

By default, the blacklist is empty. Here’s the result of comparing T001 between SAP23 and S54:

I can see that records have been read from T001 from both systems. This is clear when I switch to the Contents tab:

Now let’s add T001 to the SAP23 tables blacklist.

I select the SAP23 RFC Destination. I’ve scrolled down on the General tab:

Click Download to retrieve the current tables blacklist. Since this is the first time, LiveCompare will give me the template. The file is an Excel spreadsheet.

I replace the two example tables with T001:

Back to the RFC Destination and click Upload:

Choose the file I just saved and click Save. LiveCompare updates the tables blacklist for the RFC Destination.

Running Quick Compare again I can see the effect of the tables blacklist. LiveCompare reports that there are no records in T001 on SAP23:

This is clear from the Contents tab:

where every record is reported as “in2”, meaning it exists only in S54.

Let’s run a workflow and try and read the contents of T001:

Read SAP Table fails – because the table is blacklisted.

If you have an analysis that optionally depends on table contents that may be blacklisted, then you’ll have to account for this in the workflow. I will publish a follow-up post where I’ll cover this in detail.

Conclusion

LiveCompare is always subject to whatever SAP authorisation users impose. The tables blacklist feature adds an application-level way to hide sensitive tables from LiveCompare users on a per-RFC Destination basis. Watch for the LiveCompare 3.8 release 4 announcement coming soon.