Table of Contents

1. What is ACE-S? 2

2. Why does PwC use ACE-S? 2

3. Does ACE-S have any impact on my system? 3

4. Will ACE-S download any confidential data? 3

5. How can I install ACE-S? 4

5.1 Importing the transport 4

5.2 Manually creating the program 8

5.3 Is it possible to change the name of the ABAPs? 11

6. How can I run ACE-S? 13

6.1 Setup directory access for ACE-S using the PACE authorisation group 13

6.2 Select the ACE-S parameters 13

6.3 Run the ABAP (execute in Background) 20

6.4 Run the ABAP (execute F8) 21

6.5 Check status of the ABAP 21

7. What authorisations are required to run ACE-S? 21

8. How do the ABAP programs work? 22

9. What volume of data is downloaded and how long does ACE-S take to run? 23

10. How can I transfer the downloaded data to the ACE-S user? 23

11. How do I use the File management functionality? 24

11.1 Extracting the files from the application server 25

11.2 Deleting files from the application server 27

ACE-S version 9 1 of 30
1. What is ACE-S?

ACE-S is an abbreviation for “Auditing and Consulting Engine for SAP”.

SAP contains many controls, which are embedded in the system. ACE-S extracts configuration controls and
security data from SAP and analyses it to determine whether controls have been appropriately designed and
implemented into SAP.

To achieve this, data has to be downloaded from the SAP system. The ABAP programs do this in a very flexible
way. They have to be SAP-release independent and adaptable to how SAP has been configured and
implemented.

In brief, ACE-S consists of:

● two ABAPs which are the SAP part of the tool and download the required information from SAP;
● the ACE-S tool (PC part) which analyses the security and configuration control elements implemented
in an SAP environment; and
● the SL (Standard Library) which is a repository of all PwC researched and approved tests.

ACE-S can be run on any SAP instance and can therefore be used to analyse controls within SAP
implementation projects (pre go-live testing) as well as to perform reviews of productive systems (live testing).

ACE-S version 9 is executable on all SAP R/3 releases version 4.7 and higher (including any ECC or HANA
systems).

2. Why does PwC use ACE-S?

SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary
and difficult to use effectively. With ACE-S, configuration and security controls can be analysed easily using
standard tests tailored to each ACE-S review. Complex search criteria can be applied within ACE-S, allowing
users to perform high level reviews and then drill down to complete more detailed testing in areas identified for
additional work.

ACE-S produces standard exception reports which are easy to understand and help with the subsequent
resolution of the identified issues.

ACE-S also enables PwC to perform an independent assessment of rule sets our clients have developed using
the SAP GRC products. By using ACE-S, the client’s rule set can be mapped and compared to functions
researched in detail. This allows PwC to apply the benefit of research to each client’s environment.

ACE-S version 9 2 of 30
3. Does ACE-S have any impact on my system?

ACE-S has been designed to minimise the impact on the SAP environment where it is run, either in terms of
system performance or data manipulation. This is because:

● only an ABAP is required for ACE-S, together with an entry in table SPTH to protect access to the file
system;
● there are no other objects installed during the execution of the program; and
● the entire process is under your control.

By sequentially reading and writing from the SAP database to the disk of the application server, any impact on
system performance is reduced to a minimum.

The master ABAP /PWC/ACE9M generates the temporary ABAP /PWC/ACE9T. That is the only change that
ACE-S makes on the SAP system.

Expressly, ACE-S does not:

* Change any SAP repository objects (tables, structure, ABAPs, etc)

* Change any table contents

4. Will ACE-S download any confidential data?

ACE-S downloads authorisation, configuration, log and some master data. For certain large tables, ACE-S will
download only specific fields of interest. ACE-S also has a functionality to download detailed transactional data,
but this feature is not activated by default.

PwC uses the same ABAP on multiple SAP versions and for different SAP products. This increases the flexibility
and ease of use during installation. To achieve this flexibility, the ABAP has been designed very dynamically,
analysing the SAP environment and searching for the required tables. As such, it is not possible to provide a list
of tables upfront. However, we have built in a feature which satisfies the need for transparency.

The ABAPs write a reference list of all downloaded tables to the file B0002.XJF. The file will show the table
name, table description and in which file the downloaded data is stored. Please note that due to optimisation
reasons, one table can be stored in multiple files - this is also visible in the reference file mentioned above. With
this transparency feature, you have the opportunity to review the downloaded data. Please do not hesitate to
contact your PwC contact person if your review raises any questions or if you do not want to hand over certain
files.

For additional security and confidentiality measures, the ABAP performs an authorisation check on the object
S_TABU_DIS (and S_TABU_CLI if it is a client independent table), requiring the user executing the program
to have appropriate display access to the tables being downloaded by ACE-S.

For more information on the authorisation checks done when executing the program, please refer to section 7 of
this document.

ACE-S version 9 3 of 30
 The ABAP extracts security-sensitive information and access should only be granted to
the person responsible for executing it. Standard change control and testing process
should be followed to put the ABAP into production.

The directory to which data is downloaded should preferably be encrypted and access
to the directory should be carefully controlled. Once the data has been securely
transmitted to PwC, the downloaded files should be removed.

5. How can I install ACE-S?

There are two ways in which ACE-S can be imported into your system:

1. By using the transport provided.

2. By creating a program on your system and pasting the code manually into the program.

The preferred method is (1), but for the sake of completeness, both methods will be explained.

5.1 Importing the transport

This is the preferred method, as everything required to run ACE-S in a secure and efficient manner, has already
been created for you in the transports provided. There are two sets of transport files provided:

● Transport request number C26K904078 – this is contained in the K904078.C26 and R904078.C26
files
● Transport request number F04K900783 – this is contained in the K900783.F04 and R900783.F04
files

5.1.1 What does the transport file contain?

The “C26K904078” transport request contains:

● Program /PWC/ACE9M – this is the main ABAP program – it also includes an authorisation group
“ZPWC” for the program.
● Program /PWC/ACE9T – this is the temporary ABAP program – it is used by the main ABAP program
stated above and does not need to be executed manually.
● Transaction codes:
○ /PWC/ACE9M – this is a transaction code to execute the main program directly.
○ /PWC/ACE9_SPTH – this is a transaction code to maintain the menu paths that are allowed to
be used in the main program on. It is a parameter transaction for SM30, without selection
screen, to maintain table SPTH. See detailed explanation below.
● PACE authorisation group – this is a value added to table SPTHB and should be used in conjunction
with the menu path defined in the /PWC/ACE9_SPTH t-code mentioned above.

The “F04K900783” transport request contains the following:

● Roles to execute ACE-S – they are explained in more detail in section 7. Please note that it is not
mandatory to use the role transport, but it is available to you, should you wish to use it.

ACE-S version 9 4 of 30
Note that the program and the transaction codes have a /PWC/ prefix. This is a registered namespace with SAP
and it means that these objects cannot be changed once imported, unless it comes from an authorised transport
from PwC.

5.1.2 How to import the transport file

Please note that, because the transport was created in an SAP system that is not part of your environment, it
needs to be re-imported in each system (ie. in DEV, QAS, PRD) via the method outlined below – you cannot
move the transport through the landscape as you would transports that were created in your own system. If you
would like to use the traditional transporting methods, for example via CHARM, you need to obtain the text
ABAP files, described in section 5.2. You will not be able to use these transport files in CHARM.

Once you’ve obtained the K904078.C26 and R904078.C26 files, you need to copy them into the application
server’s transports directory. This is usually configured in directory parameter DIR_TRANS (Can be viewed
from t-code AL11). The default folders are usually as follows:

● //XXXXXXXXX/usr/sap/trans/cofiles/ - copy the K904078.C26 file in here

● //XXXXXXXXX /usr/sap/trans/data/ - copy the R904078.C26 file in here

(Where the Xs represent the name of the application server)

If you cannot find the “cofiles” and “data” folders, please contact the person responsible for transports on the
systems. They will be able to direct you to the correct place.

Once you’ve copied the files to the correct place, go to transaction code STMS and press F5 (“Import overview”
button):

Double-click on the system you want to import the files in and you should get to the Import Queue for your
system. The transport files cannot be seen yet, as they need to be manually added. This is done by going on your
menu bar: Extras > Other requests > Add:

Manually input the transport request number (C26K904078) as follows and press Enter:

ACE-S version 9 5 of 30
In the next window you’ll be asked to confirm – press yes and you will see that the transport has been added to
the import queue. To release the transport, simply click on the transport number and press the “Import
Request” button (Ctrl + F11).

Next, you need to specify the target client. The transport should always first be imported into your Development
and the Quality Assurance System so it can follow your standard change control process, including proper
testing. Then go to the Options tab and specify the following:

ACE-S version 9 6 of 30
The last box needs to be checked because the transport was generated in a (more than likely) different version
of SAP than the one you’re running. If you don’t check this box, SAP will not allow the request to be imported. If
you don’t see this option, then it means that the version is up to date and you shouldn’t have any issues
continuing with the import.

It is also recommended to overwrite the original files and objects, especially if you have not used the deletion
transports provided (see 5.1.3 below).

Once done, the transport should have been imported into your system. To execute the ACE-S program, simply
execute transaction /n/PWC/ACE9M – it will lead you directly to the program’s selection screen.

5.1.3 How to delete the transported /PWC/ACE9 program

Because this is a program created with a registered /PWC/ namespace, it isn’t possible to delete the program via
conventional methods. Deletion transports can be provided by your PwC contact – F04K900771. Follow the
same steps as described in 5.1.2 above and release the transport accordingly. To delete the package that
contains the /PWC/ACE9M program and t-code, use the transport F04K900722. Note that these transports
need to be released sequentially — you cannot delete a package while it still contains objects within it.

ACE-S version 9 7 of 30
5.2 Manually creating the program

This is not the preferred method as it involves a much more manual process, which could increase the chances
of error. Also, it will not be created under the registered /PWC/ namespace. Nonetheless, if you still want to
create the program via this method, please ask your PwC contact for the ZACE9M.txt and ZACE9T.txt files.

ACE-S comprises of two custom ABAP programs that need to be loaded into the SAP production environment:

ZACE9M.TXT The master ACE-S ABAP

ZACE9T.TXT The temporary ABAP which is called by the master as necessary

5.2.1 Copy the ABAP programs onto the SAP GUI client

The two ABAP files can be provided manually (both files together are less than 150K in size). These files should
be copied onto the local hard drive of the workstation from which the ABAPs will be loaded into SAP.

5.2.2 Upload the 2 ABAPs into SAP

The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.
Please note that the ABAPs should always be uploaded in the Development environment and tested before
transporting them to the production environment.

5.2.2.1 Create the ACE-S program in SAP

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

In the program field enter ZACE9M as the program name and click on Create:

Please make sure that the names of the programs created in SAP match the file names of the ABAP provided i.e.
ZACE9M and ZACE9T (ignore the .txt file extension).

Note: You will need an OSS/Developer key to load the ABAP.

5.2.2.2 Assign attributes to the ACE-S program

ACE-S version 9 8 of 30
In the following screen, assign the program attributes as below and click on “Save”:

Title: Enter a text that describes the ABAP such as “ZACE9M”

Type: Select “Executable Program”

Application: Select “Cross-application”

Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click “Save,” to
save the program attributes.

A message will be received indicating “Attributes for program ZACE9M saved.”

ACE-S version 9 9 of 30
5.2.3 Deploy the ACE-S ABAP into the SAP program created

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

Copy and paste the code from the ZACE9M.TXT text file as displayed below.

Select the “Save” button. A message will be received indicating that the program has been saved as displayed
below.

Return to the ABAP Editor initial screen using the Back Arrow in the toolbar.

5.2.4 Activate the ABAP

The ABAP needs to be activated before it can be run. Select the ZACE9M program and click the “Activate”
button (or use: Program > Activate).

ACE-S version 9 10 of 30
Select the row containing ZACE9M and click on the “OK” button:

5.2.5 Load the temporary ABAP

Repeat steps 5.2.1 to 5.2.4 for the program ZACE9T.

5.3 Is it possible to change the name of the ABAPs?

If the ACE-S ABAPs do not conform to the naming convention used, it is possible to change their names from
ZACE9M and ZACE9T. If this is done however, the code in ZACE9M must be changed to ensure that the master
ABAP calls the renamed temporary ABAP and not ZACE9T. This requires one line of code to be changed which
is found in the ZACE9M ABAP.

ACE-S version 9 11 of 30
Please note that this cannot be done in the program created by the transport, as it is contained in a registered
/PWC/ namespace.

To change the names of the ABAPs programs, search for the line:

DATA: SUBREPID LIKE SY-REPID VALUE 'ZACE9T'.

and replace ZACE9T with the new name for the ABAP program.

ACE-S version 9 12 of 30
6. How can I run ACE-S?

6.1 Setup directory access for ACE-S using the PACE authorisation group

The ACE-S ABAP has been programmed to require the user running the program to have access to the file path
authorisation group PACE. Therefore, the file path that will be used to download the files to, needs to be
authorised in table SPTH and assigned to authorisation group PACE.

a. Transport method: Execute transaction /PWC/ACE_SPTH to maintain the file path you want to use for
ACE-S. /PWC/ACE_SPTH is a parameter transaction of SM30 restricted to table SPTH.
b. Manually creating the program: Add authorisation group PACE in table SPTHB using transaction
SM30. Then maintain the file path you want to use for ACE-S in table SPTH.

Please also note that this is a customising change and must be done in development and tested thoroughly
before being transported through to production. The path is system-specific; therefore, we would recommend
using the same path in DEV, QAS and production. Should the path not be the same, please be sure to use the
path that is relevant for the production system when you are transporting it through to production - i.e. the path
specified in DEV and transported through to production should be the path you need in the production system.

Please note that in the screen print above the “NR (No Read)” has been unchecked for file path “*” and “/”.
Good practice is to first restrict all file paths on the server, by checking the “NR” box, and then authorising
specific paths on the server (i.e. white list concept). Do not change this setting without evaluating which batch
jobs have already been set up, which file path they require access to and maintaining SPTH accordingly.

For more information on the authority checks required, go to section 7.

6.2 Select the ACE-S parameters

To run ACE-S only the master ABAP, /PWC/ACE9M needs to be started. /PWC/ACE9M will generate and run
the temporary ABAP Program /PWC/ACE9T as and when required without further manual intervention.

ACE-S version 9 13 of 30
Execute the transaction code /PWC/ACE9M (or program ZACE9M through SA38, if you’ve chosen the second
method):

Go to main selection; enter the path maintained in 6.1 above and the financial year. Test the batch server – this
will also confirm whether the path specified on the application server is valid.

Below is a table which shows what the default is for each download in the program.

ACE-S version 9 14 of 30
In most cases, the default parameter values should be correct (except the application server path and the start of the financial year as mentioned above). The different parameters
are explained below:

Tab Section Parameter Description Default Values Recommendation

Path on the application

This must be maintained see
server* This defines the specific path on the application N/A
the note below.
Required Parameter server where the ACE-S data will be downloaded to.

The start of the financial year date is used for

Start of the financial year download date related data, such as change N/A This must be maintained.
documents, etc.
Click the Test button to test the following:

● if valid path entered

● if application server has been selected
Test the batch server specified
Scheduling ● scheduling of a batch job N/A
Batch Server before running the ABAP.
Parameter ● disk space available
Main Selection
● access to path
● files ending with .XJF in directory
● if user has write access
● authorisation
Decide on Default values or Custom values for the
following:
● Standard Download
● Log Download
If your PwC contact has not
● Additional Download
Everything Default except advised which option to select,
Download Options Options ● KPI Download
Batch Job Options please confirm with them
● Posting Download
before executing the program.
● Report Testing
● Authority Check Testing
● Extended Download
● Batch Job Options

ACE-S version 9 15 of 30
Tab Section Parameter Description Default Values Recommendation

Standard The Default selection will download all tables. Selected If your PwC contact has not
Standard Download advised which option to select,
Selection Custom (Business Process The Custom selection will allow you to select which please confirm with them
Not Selected
+ ITGC/Basis) tables to download. before executing the program.
Defines if tables with authorisation groups should
Authorisation groups Selected Should not be changed
be downloaded.
Selection based on Defines if authorisation object help will be
Object help information Selected Should not be changed
Type downloaded.
Defines if the tables related to field status are
Field status definition Selected Should not be changed
downloaded.
Standard Defines if desolved values are downloaded.
Download Desolved values Desolved values allow ACE-S to display a
Selected For All Tables Should not be changed
Selection Based on drop-down list of possible values for authorisation
Area fields.
Defines if core tables of the base component are
Base component Selected For All Tables Should not be changed
downloaded
This selection enables authorisation data from all
Data Analysis for all clients Selected Should not be changed
other clients to be downloaded as well.

Download Limits Defines if user information in the tables USR03,

With user details
and Clients
Download Limit in MB
Selected Should not be changed
ADCP, ADRP are hidden in the download.
This setting controls the standard size limit for
non-mandatory tables. If these tables are larger 20mb Should not be changed
than this amount, then they will not be downloaded.

No Log Data Not Selected Should not be changed

Log Download
selection
Include Log Data Selected Should not be changed
Log Download
● User Log
● Authorisation Log
Log Selection Log Selection ● Table Log All Logs Selected Should not be changed
● CDB Log
● Role Log

ACE-S version 9 16 of 30
Tab Section Parameter Description Default Values Recommendation

● Transport Import Log

● Monthly TLD Log
● CDC Log
● Profile Log
● Batch Authorisation Log
● Monthly DLD Log
● System Log
ACE-S will download data generated by the SAP
Performance Monitor. In ACE-S this is called
Transaction Log Data (TLD).
Month, weekly or daily data: Specifies the summary
level at which the data will be downloaded. Tld = 18
TLD and Record Limit Should not be changed
Period limit: This setting will limit the data Record = 4 Million
downloaded to respectively the number of months,
weeks or days specified.
Record limit: This setting will limit the data
downloaded to the number of records specified.

Download Limit and Defines if data is only downloaded from the current
Log Analysis for all clients client or all clients in the SAP instance. Selected Should not be changed
Clients

No additional tables Does not allow additional tables to be included in Selected Should not be changed
Additional
Additional Table the download.
Download
Download Selection Allows additional tables to be included in the
Include Additional tables Not Selected Should not be changed
download.

No KPI New feature in piloting phase – please do not use Selected Should not be changed
KPI Download KPI Download yet
Selection New feature in piloting phase – please do not use
Include KPI Not Selected Should not be changed
yet
Downloading posting information based on
BKPF/BSEG and related tables based on selection
Posting No Posting Data criteria via ACE-S ABAP. Selected Should not be changed
Posting Download
Download By default, data will not be downloaded.
Selection

ACE-S version 9 17 of 30
Tab Section Parameter Description Default Values Recommendation

If selected for download by ticking one of the two

Include Posting Data options, then please specify filtering criteria, since Not Selected Should not be changed
no limits apply.

No Report Testing Selected Should not be changed

If the selection ‘Only Report Testing’ (Only Rep) is

Report Testing Report Testing selected, then no other parameters above are
Selection considered (including path). The ABAP will then
Only Report Testing Not Selected Should not be changed
solely analyse the specified reports and produce an
on-line report – NO DATA will be written to the
application server.

No Authority Check Testing Selected Should not be changed

The selection ‘Only Authority Check Testing’ allows

Authority Check you to specify the reports. If you want to specify
Authority Check
Testing multiple reports, then click on the icon to the right
Selection Only Authority Check
of the field allowing you to specify multiple reports. Not Selected Should not be changed
Testing
You can also enter transaction codes; in this case
ACE-S will evaluate the transaction and search for
the associated report.
Use ACE-S ABAPs to efficiently download large SAP
transactions and master data tables.
No Extended data Used largely for CAATs purposes – ready to be used Selected Should not be changed
Extended with ACL.
Extended download
Download
Selection By default, data will not be downloaded.
If selected for download, then please specify
Include Extended data filtering criteria. Despite the limits for extended Not Selected Should not be changed
data, the downloaded data can get quite big.
Needs to be reviewed before
Job Name Name to identify your job. Automatically Populated
Batch Job executing
Directory and Job
Options Classification of background jobs according to
Testing Parameters Needs to be reviewed before
Job Class priority and job type. Automatically Populated
executing

ACE-S version 9 18 of 30
Tab Section Parameter Description Default Values Recommendation

Select one of the following classes for your job:

A: Jobs with high priority whose execution is

necessary for further processing.
Class A jobs are always processed before jobs of
other classes

B: Jobs that should be run at regular intervals, for

example, jobs transferring performance statistics.
C: Jobs that neither fit into class A nor in class B
and that do not require a higher priority. Class C is
the default class.
To be able to enter class A and B, you must have an
authorisation for the authorisation object
Background processing: background administrator.
If selected, the batch job will start immediately after Needs to be reviewed before
Immediate Job start Selected
execution. executing

Start Date and Time Specify a date and time for the batch job to start if Read Only
“Immediate Job Start” has been deselected.
User under whose authorisations the job is to be
processed. The default for this field is your
username; the job will be executed using your
authorisations. Needs to be reviewed before
Username Automatically Populated
executing
If the job is to be executed using another user's
authorisations, enter that username. Note, you must
have the authorisation to enter this name

ACE-S version 9 19 of 30
* In the “Path on the application server” field, specify the exact location (e.g. [Drive]:\usr\sap\ACE_S, for
Windows NT, or /usr/sap/ACE_S, for UNIX servers) on the application server (or other server with a mapping
from the application server) where the downloaded data is to be saved. The directory should have enough free
space to accommodate the downloaded data (typically between 500MB and 2GB is required).

Please note that for security reasons, only the following characters are allowed for the application server path
name:

- All alphabetical characters (upper and lower case)

- All integers (0-9)
- Only the following special characters: ._\/$

The operating system that is used to write the ACE-S files to (XJF’s) must be the same
as the SAP application server operating system.

6.3 Run the ABAP (execute in Background)

Execute ACE-S in the background by selecting the menu path: Program > Execute in Background:

If the “Execute Immediately” button is pressed, then you will see a message that the program has started as a
background job.

ACE-S version 9 20 of 30
6.4 Run the ABAP (execute F8)

Running the ABAP using the normal execute button, will also start the batch job in the background, depending
on the options selected under “Batch Job Options”.

6.5 Check status of the ABAP

To check the status of the ABAP, go to the Own Background Jobs screen (Transaction code SMX). A status of
Active means that the job is still running. A status of Finished means that the job is complete.

7. What authorisations are required to run ACE-S?

The following authorisations are required to run ACE-S:

Authorisation checks, if using the transport:

● S_TCODE /PWC/ACE9M
● S_ADMI_FCD with PADM, SM21
● S_BTCH_JOB with RELE (in JOBACTION field)
● S_DATASET with ACTVT 06, 33, 34 and PROGRAM /PWC/ACE9M
● S_LOG_COM with Command LIST_DB2DUMP
● S_TABU_CLI with X
● S_USER_AUT with ACTVT 03 (Display) and 08 (Display Change Documents)
● S_USER_GRP with ACTVT 03 and 08
● S_USER_PRO with ACTVT 03 and 08
● S_SCD0 with ACTVT 08
● S_TABU_DIS with ACTVT 03 and the authorisation groups for all the tables dynamically downloaded
by ACE-S
● S_PROGRAM with * (in user action field) and ZPWC (in auth group field)
● S_RZL_ADM with ACTVT 03

Additional authorisation checks, if using the PACE authorisation group as detailed in section 6.1 above (only
available if using the transport method):
- S_TCODE /PWC/ACE_SPTH
- S_PATH with ACTVT 02 and 03 and PACE authorisation group
(NB: this contains maintenance access – it should only be done by appropriate people that are responsible for
table maintenance and basis administration on your production system).

The roles, containing the access listed above, have been created in transport request F04K900783 (For
instructions on how to import transports, refer to the steps detailed in section 5.1). For the standard role to
execute ACE-S, you can assign role /PWC/ACE_EXECUTE. For the additional authorisation group
maintenance, you can assign role /PWC/ACE_MAINTAIN_SPTH.

ACE-S version 9 21 of 30
NB: Only assign these roles to appropriate users that are generally responsible for these tasks
on your system.

Additional authorisation checks if not using the transport method (not encouraged):
- S_PROGRAM with implemented P_GROUP and S_TCODE

Additional authorisation checks if exporting Transaction Log Data:

● S_TOOLS_EX with authorisation value S_TOOLS_EX_A
Without having object S_TOOLS_EX the downloaded TLD data (aka performance
monitor data) will be encrypted.

At the operating system level:

● The SAP user at the OS level must have write access to the directory specified in the “path on the
application server” field in the ABAP.

The ABAP extracts security-sensitive information and access should only be granted to
the person responsible for executing it. Standard change control and testing process
should be followed to put the ABAP into production.

Please remove the ABAP once the assignment is complete, if it is not a recurring
engagement. Older versions of the ABAP should not be retained. Any updates PwC
provides should be used to overwrite any older versions.

The directory to which data is downloaded should preferably be encrypted and access
to the directory should be carefully controlled. Once the data has been securely
transmitted to PwC, the downloaded files should be removed.

8. How do the ABAP programs work?

There are two ABAPs on your system:

● /PWC/ACE9M (Master ABAP) and
● /PWC/ACE9T (Temporary ABAP).

The Master ABAP generates and executes the Temporary ABAP.

The overall purpose of these ABAPs is to search for relevant data and to download this to the application server
file system. The downloaded data can be split into three types:

● Special data (downloaded by Master ABAP).

Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of

ACE-S version 9 22 of 30
 multiple tables, a selection of a single table or standard SAP function.

● Standard data (downloaded by Temporary ABAP).

Each downloaded file relates to one SAP table. In the procedure ‘FILLFIXB0005’ these tables are
selected and the names of the tables are saved in an internal table (B0005). The Temporary ABAP is
generated for each entry in this table and submitted by the procedure ‘EXP-STAND’. The Temporary
ABAP then downloads the data to the specified directory path on the application server.

● Data of internal tables (downloaded by Master ABAP).

During the import, seven internal tables are populated. These tables describe the downloaded data.

The ABAPs do not change or modify any data in the SAP system.

9. What volume of data is downloaded and how long

does ACE-S take to run?

The volume of data and run-time of the ABAP cannot be predicted exactly as ACE-S dynamically selects which
data to run depending on the size of the SAP implementation (i.e. number of users) how authorisations have
been built and the scope of the data to be downloaded as defined in the variant of the ABAP.

However, an example is provided below:

Example

SAP Release ECC6

Number of users: 2,545

Scope of downloaded files: Full

Number of downloaded files: 1,841

Space required on application server: 1.16 GB

Run time of the ABAP: 2 hours

10. How can I transfer the downloaded data to the ACE-S

user?
Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files
(e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 2000 files (depending
on the size of the SAP instance) with the .XJF extension will be saved here.

The names of the output files generated by ACE-S should not be changed.

These files now need to be transferred from the application server to the ACE-S user. There are several ways of
doing this and the best way will depend on the system architecture and the software and hardware available.
Note that often the data must first be transferred from the SAP application server to an SAPGUI PC because of
restricted access rights on the SAP application server. Please note that the data is sensitive and should be
removed once transferred and access to the data should be carefully controlled at the operating system level and
preferably encrypted.

ACE-S version 9 23 of 30
Options available are:

Option Method Considerations

Memory stick (or other portable Zip up the data in packets and use a memory stick Access to a USB port is needed. Ensure that
media) to transfer the data to the ACE-S user either the memory stick or the zip file is
encrypted.

FTP and email E-mail the zipped data in packets to the ACE-S Data needs to be zipped into packets <5MB
user and e-mail security may be a concern. Zip
files should always be encrypted and the
password should not be shared via email.

FTP and MFT2GO Zip the downloaded files and ask your PwC contact Access to the MFT2GO website is needed.
for a link to our secure large file transfer service,
MFT2GO

Please transfer all files created during the download including 0KB files.
If you have any questions or queries or get any error message, please contact your local PwC auditor with
screenshots, and details of the error message.

11. How do I use the File management functionality?

This functionality was primarily designed to enable the user to compress and extract ACE exchange files (XJF
extension) via the front-end rather than manually copying them from the application server after the ABAP has
been executed. This is especially useful in private cloud-based SAP solutions where infrastructure support has
been outsourced to a third party. The functionality is limited to files with the extension “XJF” and cannot be
used to download or delete other files on the application server.

Note that in both the “Extract Files” and the “Delete Files” function, there is a user editable field called “No. of
Files”. This field indicates the maximum number of files that can be read from the application server. If the
version of NetWeaver is 7.5 or higher, it will default to 100,000 and if it is lower than 7.5 it will default to 5,000.
If you get the “File Argument error” error when executing the function, try reducing the number of files to be
read from the application server.

ACE-S version 9 24 of 30
11.1 Extracting the files from the application server

To obtain the files:

● Execute the program via t-code /n/PWC/ACE9M (or program ZACE9M through SA38, if you’ve chosen
the manual method and you haven’t assigned the program a custom transaction code) and input the
path on the application server where the files reside:

● Select “File Management” option in the main selection screen:

ACE-S version 9 25 of 30
 ● Navigate to the File Management tab and select the Extract Files radio button. Enter the path on your
local drive where you would like the files to be extracted to and enter a name the files should be zipped
as and Execute (F8):

ACE-S version 9 26 of 30
 ● The program will take you to a screen where the user can select which files to extract. All files will be
selected by default. Click on “Save files” once satisfied with the selection:

● This functionality only works by running it in the foreground. The screen above will have a message at
the bottom left of the screen showing the progress of the extract. If the program ends before the extract
is finished, ACE will not remember which file it last downloaded, but the user can deselect the files that
have already been downloaded before clicking on “Save Files” again.
● Depending on the size of the exchange files, this may take a while and is resource intensive, so we
advise running this functionality after hours to minimise the impact on operations.

11.2 Deleting files from the application server

To delete the files:

● Execute the program via t-code /n/PWC/ACE9M (or program ZACE9M through SA38, if you’ve chosen
the manual method and you haven’t assigned the program a custom transaction code) and input the
path on the application server where the files reside:

● Select “File Management” option in the main selection screen:

ACE-S version 9 27 of 30
 ● Navigate to the File Management tab and select the Delete Files radio button and Execute

● The program will take you to a screen where the user can select which files to delete. All files will be
selected by default. Click on “Delete Files” once satisfied with the selection:

ACE-S version 9 28 of 30
 ● Please note the status bar on successful file deletion.

© 2022 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to the network of
member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member
firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other
member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of
its member firms nor can it control the exercise of their professional judgement or bind them in any way. No member firm is
responsible or liable for the acts and omissions of any other member firm nor can it control the exercise of another member
firm's professional judgement or bind another member firm or PwCIL in any way.

ACE-S version 9 29 of 30