Data Interfaces

The data with which the ABAP programs work, is mostly stored in the central databank of the SAP System. However ABAP programs can also access the file systems of the other two layers of the client-server architecture. That means they can also save or read persistent data from the workstations of the application layer or the desktop computers of the presentation layer. A common use of this possibility is the transfer of data within the SAP system. You can import files into an ABAP program, regardless of what format they have in the file system of the server, edit them there and then save them to the databank. You can also write data from a databank to be edited further in these file systems, as for example with desktop applications for presentation purposes.

Working with Files on the Applications Server Working with Files on the Presentation Server

As the names of files and directory paths vary from operating system to operating system, it is usually the case that programs that access files directly are not platform-independent. The SAP Web AS ABAP System contains a function module and a range of transactions that allow you to work with platform-independent filenames. Using Platform-Independent Filenames

Working with Files on the Application Server

In ABAP, there is a range of statements for processing data that is stored in sequential files on the application server instead of the database.

OPEN DATASET opens a file for a particular type of access and storage. TRANSFER transfers the contents of a data object to a file.

READ DATASET transfers data from a file to a data object. GET DATASET using the addition POSITION the current position of the file pointer in a file is ascertained. Using the addition ATTRIBUTES further characteristics of the file are obtained.

SET DATASET using the addition POSITION the position of the file pointer is specified. Using the addition ATTRIBUTES further characteristics of the file can be specified.

TRUNCATE DATASET sets the end of a file to a specified value, thereby changing the size of the file.

CLOSE DATASET closes a file. DELETE DATASET deletes a file.

For further details about these statements and their additions, see the keyword documentation.

During sequential file operations, the system performs a range of automatic checks, some of which may lead to runtime errors. Refer also to the chapter: Automatic Checks in File Operations.

1.1 Automatic Checks in File Operations

The SAP System automatically performs the following checks in operations with sequential files: It checks the authorization object S_DATASET to see whether the current program may access the specified file. Authorization Checks for Programs and Files It checks in table SPTH to see whether the specified file is registered for file access from ABAP. Table SPTH also allows you to check the users authorization. General Checks for File Access

1.1.1 Authorization Checks for Programs and Files

When you access sequential files on the application server using the following statements
OPEN DATASET READ DATASET TRANSFER DELETE DATASET

the system automatically checks the users authorization against the authorization object S_DATASET. This object allows you to assign authorization for particular files from particular programs. You can also assign the authorization to use operating system commands as a file filter.

Do not use S_DATASET to control general access rights to files from ABAP, or user-dependent authorization checks. Instead, use table SPTH (see also General Checks for Accessing Files).

The Authorization Object S_DATASET The object S_DATASET consists of the following fields:
ABAP program name Name of the ABAP program from which access is allowed. This allows you to restrict file access to a few programs specifically for that task. Activity Possible values are: Read file normally Write to or delete file normally Read file with filter (operating system command) Write to file with filter (operating system command) File Name Name of the operating system file. This allows you to restrict the files to which the user has access.

For more information about authorization objects, refer to the Rolesdocumentation.

Users and

If the result of the automatic authorization check is negative, a runtime error occurs. You should therefore check the authorization in your ABAP program before accessing the file using the function module AUTHORITY_CHECK_DATASET.

The Function Module AUTHORITY_CHECK_DATASET This function module allows you to check whether the user is authorized to access a file before the system tries to open it. This preempts a possible runtime error that can otherwise occur in the automatic authorization check. The function module has the following import parameters:
PROGRAM Name of the ABAP program from which the file is to be opened. If you do not specify a program name, the system assumes the current program. ACTIVITY Access type, with the following possible values:

Read file Change file READ_WITH_FILTER WRITE_WITH_FILTER Delete file

These values are defined as constants in the type group SABC as follows: TYPE-POOL SABC . CONSTANTS: SABC_ACT_READ(4) SABC_ACT_WRITE(5) SABC_ACT_READ_WITH_FILTER(16) SABC_ACT_DELETE(6) VALUE 'READ', VALUE 'WRITE', VALUE 'READ_WITH_FILTER', VALUE 'DELETE',

SABC_ACT_WRITE_WITH_FILTER(17) VALUE 'WRITE_WITH_FILTER',

SABC_ACT_INIT(4) SABC_ACT_ACCEPT(6) SABC_ACT_CALL(4) FILENAME Name of the file that you want to access.

VALUE 'INIT', VALUE 'ACCEPT', VALUE 'CALL'.

TYPE-POOLS SABC. ..... CALL FUNCTION 'AUTHORITY_CHECK_DATASET' EXPORTING PROGRAM ACTIVITY FILENAME EXCEPTIONS NO_AUTHORITY = SY-REPID = SABC_ACT_READ = '/tmp/sapv01' = 1

ACTIVITY_UNKNOWN = 2. ...... This function module call finds out whether the current program may access the file /tmp/sapv01.

1.1.2 General Checks for File Access

When you access sequential files on the application server using the following statements
OPEN DATASET TRANSFER DELETE DATASET

the system automatically checks against table SPTH. This table regulates general read and write access from ABAP to files, and whether files should be included in security procedures. In table SPTH, you can prevent read or write access to genericallyspecified files, independently of the SAP authorization concept. For all other files (that is, those for which read and write access is allowed according to table SPTH), you can execute authorization checks with the SAP authorization concept. To enable you to do this, you can specify authorization groups in table SPTH for program-independent user authorization checks.

SPTH contains the following columns for this purpose:

PATH This column contains generic filenames. This means that the files on the application server to which an entry in this column applies retain the attributes specified in the remaining columns of this line.

Suppose SPTH contains the following three entries in the column PATH: * /tmp /tmp/myfile The entries are then valid as follows: First line: All files on the application server apart from the path /tmp Second line: All files on the application server in the path /tmp apart from the file /tmp/myfile Third line: The application server file /tmp/myfile SAVEFLAG This column is a flag that you set using X. If the flag is set, the files specified in the PATH column are included in security procedures. FS_NOREAD This column is a flag that you set using X. If the flag is set, this means that no access to the files specified in the PATH column is allowed from ABAP. This flag overrides all user authorizations. If you set FS_NOREAD, FS_NOWRITE is also automatically set. If the flag is not set, it is possible to access the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files). FS_NOWRITE This column is a flag that you set using X. If the flag is set, this means that no write access is allowed to the files specified in the PATH column. This flag overrides all user authorizations. If the flag is not set, it is possible to change the files from ABAP if the authorization checks are successful (see also the FSBRGRU column and Authorization Check for Particular Programs and Files). FSBRGRU

This column contains the names of authorization groups. An authorization group corresponds to the first field (RS_BRGRU) of the authorization object S_PATH. You can use the second field of the authorization object S_PATH (ACTVT) to check whether the user has authorization to read (value 3) or change (value 2) the files in he authorization group. Entries in FSBRGRU specify groups of files on the application server. You can control the access to files by assigning authorizations for the authorization object S_PATH.

Unlike authorization checks using the authorization object S_DATASET (see Authorization Checks for Particular Programs and Files), the authorization check against the authorization object S_PATH is independent of the ABAP program used to access the files. Furthermore, the check is not restricted to individual files. Instead, it extends to all of the generically-specified files in the PATH column. If there is no entry in the column FSBRGRU, the files in the column PATH are not assigned to an authorization group, and there is no authorization check against the authorization object S_PATH.

If the automatic check for a file access fails, a runtime error occurs.

Suppose the table SPTH contains the following entries: PATH * /tmp /tmp/files X SAVEFLAG FS_NOREAD X

FS_NOWR X

With these settings, ABAP programs cannot access any files on the application server apart from those in the path (/tmp). All ABAP programs can read from and write to the files in that path. Only users with authorizations for the authorization group FILE can use ABAP program that read from or write to files in the path /tmp/files. These files are also included in the security procedure. With the above table entries, the following program extract would cause a runtime error for any user: DATA: fname(60) TYPE c. fname = '/system/files'.

OPEN DATASET fname FOR OUTPUT.

3 Working with Files on the Presentation Server

Use the following function modules when working with files on the presentation server: GUI_DOWNLOAD and GUI_UPLOAD. Class CL_GUI_FRONTEND_SERVICES gives you the relevant information. The physical names of the files depend on the operating system of the presentation server. You can, however, make your ABAP programs platform-independent by using logical filenames. For further information, refer to Using Platform-Independent Filenames.

4 Using Platform-Independent Filenames

The file names that you use in ABAP statements for processing files are physical names. This means that they must be syntactically correct filenames for the operating system under which your SAP system is running. Once you have created a file from an ABAP program with a particular name and path, you can find the same file using the same name and path at operating system level. Since the naming conventions for files and paths differ from operating system to operating system, ABAP programs are only portable from one operating system to another if you use the tools described below. To make programs portable, the SAP system has a concept of logical filenames and paths. These are linked to physical files and paths. This link is defined in special tables. You can define these tables in accordance with your requirements. In an ABAP program, you can then use the function module FILE_GET_NAME to generate a physical filename from a logical one. Maintaining platform-independent filenames is part of Customizing. For a full description, choose Tools Business Engineer Customizing, followed by Implement. projects SAP Reference IMG. On the next screen, choose

Basis Components System Administration Platform-independent File Names. For a more detailed description of the function module FILE_GET_NAME, enter its name on the initial screen of the Function Builder and choose Goto Documentation. On the next screen, choose Function module doc. Another way of maintaining platform-independent filenames is to use the Transaction refer to the FILE. For information about platform-dependent filenames, Platform Independent Filename Assignment section of the

Extended Applications Function Library documentation.