Issue

You perform static code scanning on your SAP ABAP systems, and the scanning solution finds an issue in the Avantra ABAP code, which is reported with high severity as »Cross-Client Access to Business Data«.


Reason

For monitored SAP ABAP systems, Avantra delivers ABAP code via transports that must be imported into the ABAP systems. This code is used to extract various monitoring data where an existing SAP RFC/BAPI is not available or adequate. To communicate with SAP, an RFC user is required, and this user is normally set up in the system client ‘000’ because the information required normally resides in only one client.

However, business-related data such as IDocs, emails, number ranges, etc. is specific to one or more ‘business’ clients (i.e. client 001, 100, 250, etc.), and hence Avantra needs to provide a method of monitoring this data.

For this small list of business objects only, this is done by enhancing the ABAP SQL SELECT statement with the ability to read across multiple clients from the one client the RFC user is logged on to. To achieve this, we use the SELECT … CLIENT SPECIFIED syntax.
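The following sketch shows the kind of statement a scanner reports under this finding, together with the properties a reviewer can check before accepting it: a static table name and an explicit, non-empty client list. It is an added example, not Avantra's delivered code; the report name, the choice of the standard IDoc control table EDIDC, and the client values are assumptions made for illustration.

```abap
REPORT zdemo_client_specified.

* Constructed example (not Avantra code): count IDoc control records
* per client and status while logged on to a single client.

TYPES: BEGIN OF ty_count,
         mandt  TYPE edidc-mandt,
         status TYPE edidc-status,
         cnt    TYPE i,
       END OF ty_count.

DATA: lt_counts  TYPE STANDARD TABLE OF ty_count,
      ls_count   TYPE ty_count,
      lr_clients TYPE RANGE OF mandt,
      ls_client  LIKE LINE OF lr_clients.

* Explicit allow-list of business clients (sample values, assumed).
ls_client-sign   = 'I'.
ls_client-option = 'EQ'.
ls_client-low    = '100'.
APPEND ls_client TO lr_clients.
ls_client-low    = '250'.
APPEND ls_client TO lr_clients.

* An empty range table matches every row, i.e. every client,
* so the read is only executed when the allow-list is filled.
IF lr_clients IS NOT INITIAL.
* Without CLIENT SPECIFIED, the statement is implicitly restricted to
* the logon client (sy-mandt). With it, the client column MANDT is an
* ordinary column that the WHERE clause has to restrict explicitly.
  SELECT mandt status COUNT( * )
    FROM edidc CLIENT SPECIFIED
    INTO TABLE lt_counts
    WHERE mandt IN lr_clients
    GROUP BY mandt status.
ENDIF.

* Only aggregated counts leave the statement, no IDoc payload.
LOOP AT lt_counts INTO ls_count.
  WRITE: / ls_count-mandt, ls_count-status, ls_count-cnt.
ENDLOOP.
```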

Even though this syntax has been deprecated as of SAP ABAP release 7.54, it is still widely used and, due to backward compatibility issues, cannot be replaced with statements such as USING ALL CLIENTS.

Another benefit of this approach is that it avoids having to create RFC users in each client, along with the administrative overhead of maintaining all their credentials.

To stay compatible with previous releases < 7.54 and to be able to deliver a single, version-independent transport, we still keep this code even for SAP S/4HANA with ABAP >= 7.54.


Resolution

Accept the corresponding findings in your static code scanning solution.