
Download basket approvals gone with the wind


After spotting what I thought was a security gap in SAP I now call out to all community members to support the idea to remove download basket approval for files downloaded on SAP Service Marketplace. I invite everyone to read the blog and vote for the idea on idea place. Together we can stand strong and make a difference.

Idea on SAP Idea place

Youtube – approving download files without using maintenance optimizer

The video already has a good amount of views for the time it has been online and several persons notified me they didn’t yet know this “workaround” to approve download files.

The sentiment coming from most of those persons comes down to the fact that they find it useless to go through a full maintenance process to approve a single file which is sometimes the case.

Why oh why?

The question is what the real reason is that SAP implemented this “feature”. As far as I can see the real reason seems to be that they wanted to force SAP customers to integrate SAP Solution Manager into their system landscape.

To me the whole notion of forcing customers to implement a piece of software is not compatible with the new SAP as they now position themselves: listening to the customer and doing something with the feedback provided. In my opinion the time is right now to provide the feedback but I would prefer I’m not the only one sending that feedback. I need your help to provide feedback.

Download basket security gap or feature?

Ever since the overhyped Black Hat conference, security has been kicked up a notch on the importance ladder. It has become a sensitive topic. Even blogging about hidden features or tricks generates some haters stating the blog should be deleted. I didn’t see that one coming but hey, not everyone can love you, right? Nothing wrong with that.

Now to the point of the alleged security gap. When I was creating the Youtube video previously mentioned in this blog I wondered to what extent the download basket was in fact secure. From a technical point of view you have two spots where an S-user is inserted: once in the RFC connection used to connect to the SAP back-end and once in the table AISUSER to bind a certain S-user to a SAP user.

So I changed the S-user in the table AISUSER to the S-user of another company, ignored the warning that was triggered afterwards and went on to test the same function module shown in the Youtube video. To my surprise I could access the download basket data of that S-user as well.

Checking with SAP

Instead of blogging it out immediately I decided to create a customer message and check with SAP if this was normal behavior as I was convinced I seemed to have found a security gap.

You could argue that you cannot do anything with download basket content of another S-user, but I wondered to what extent it could be further exploited and whether function modules to download content right into EPS/in, for example, could be used in the same way. Besides that, you still have the fact that you could figure out what someone else or a rival company is doing in terms of download files and implementing SAP software.

Feature it is

“Apparently it’s a feature” was the final outcome of the customer message with SAP. Any company that is tied to another in some way or other through VAR or CCC can access S-user download basket content of all users in those companies. I didn’t even know there was any kind of those relationships between the two companies I tested.

I tested out some other company combinations and most failed, so there has to be some kind of truth behind the fact that the companies have to be tied together somehow or in some way.

Why is that feature there then?

So then the next question becomes why is that feature there? Because some customers just refuse to put a Solution Manager in place and then the only way they can download/implement a support package stack is by help of their VAR partner who approves the download files for them.

Common sense and waste of time

In general I don’t find forcing the need to have a Solution Manager in place a good idea but let’s leave that aside for the moment.

The fact that SAP wants to let the customer use the maintenance optimizer to download Enhancement Packages and complicated combinations of SAP components makes sense because it helps prevent wrong combinations of software components (to some extent) and provides a more “safe” procedure compared to the previous manual stack downloads.

Besides that change tracking is often in place in another form at companies so the maintenance optimizer is only used to select and download files, not to keep track of SAP system changes.

The fact that you have to approve a single file that you need to download from SAP service marketplace is just ridiculous and a waste of time. Apparently it’s the service marketplace team that has the right to place a file as “needs approval” or not.

Everyone seems to be using workarounds anyway, keeping a maintenance transaction open on the approval step or using the function module mentioned in the Youtube video. The question then arises: why is the approval still there?

We can provide freedom to the download files and save us time and money by not having to perform a step which is not called for. Let us vote up the idea to remove download basket approvals through Idea Place:

  • Tom,

    two things;

    1, you are missing the point

    2, seems like you have too much free time, I’ll have a word with your Boss and get him to give you more work

    and finally, if you don’t like the way SAP works, then in this free world nobody is stopping you from for example moving into the fusion area

    with regards to your main poll, I’m not voting but will simply say, no complaints from my side and happy with the status quo

    All the best


    • Hello Petr

      1) What’s the point then?

      2) You can surely have a word with my boss but don’t be surprised if he is one of my fans. As you can see below in my signature I express my own opinion on SDN.

      Idea place has been created to implement ideas. If the idea is to make something the way it was and a lot of persons agree then it is a successful idea.

      We will have to see how that one turns out of course.

      Kind regards


      • Hi Michelle,

        I’m with you

        also a keen reader of blogs and been on the forums since the pioneering days of Iview Studio !

        all the best


        • I’m glad someone else feels that way! Reading blogs is fun. Commenting is great! Well Petr, you got people commenting so that isn’t all bad! It makes me smile actually. Michelle

          • Hello Michelle

            I agree with you that comments are important and different opinions are as well.

            Those sarcasm tags would have come in handy though 😉

            Kind regards


        • Hello Petr

          You should actually give blogging a try, it’s really rewarding, Michelle and I already voiced for it in the past and I’m sure she still feels that way as well.

          Kind regards


          • BLOG!  Yes, as usual, I agree with Tom.  I’m one of his fans and follow him.  Anyway, you have ideas and opinions, you just voiced them.  We (I mean me.  I can’t speak for the community.   But if I had to bet, I bet they would too.)  We even welcome sarcastic blogs.  Again you may want to let people know when you are being sarcastic.

          • Hi Tom,

            I’ve blogged in the past about BSP’s when I was touching that back in 2004, blogged under a different incarnation then, but lost the password hence the different username.

            Sometime later had a great argument with Craig about being on here as a pseudo name and not under real name – you know because he was pushing hard for everyone to maintain their profiles etc.

            so yes, I have blogged 🙂

            great blog, great discussion – that is what sdn is about.

            all the best nice weekend,

            Petr (pseudo name)

            that will open a whole new can of worms ! my point to Craig was, pseudo name or not it’s the contribution which is important

            p.s. ok I put an idea on the idea place, this morning, I actually have a lot of your blogs because when I see something good in the blogs I save it to a word document and put it in my tech library (hard disk) but it’s a chore and it would be nice if we could save blogs as pdfs, so here’s my idea place contribution…


      • Hi Michelle

        As always it’s a pleasure to see you comment on so many blogs on SDN. I also like commenting because I like thinking about things and I do want to know other persons’ opinions as well as I’m curious by nature.

        I try to leave a good part of free time to spend time with my kids, family and friends. It’s really important to me. So important I might even not take a career opportunity. Work life balance is underrated by many.

        As a #sapadmin I do feel the constant urge to keep progressing. Technology is just one of those aspects, things are moving fast nowadays and I don’t want to slack behind.

        SCN is great and SCN and wasting time is not something I would normally use in one sentence, except this time to make the point.

        Kind regards


    • Blag,

      if you also have free time on your hands then get back to being a Mentor 🙂

      you’ve done a great job over the years, keep it up.


      • Petr:

        Now, you’re making me feel like the bad guy -:( Sorry for thinking of you as a Troll, but you have to admit that your comment wasn’t in the best shape -;) And also, some time ago we had a big problem with a very ugly troll, who was impersonating some nice community people…now that you have cleared your comments, I’m happy to know that you are the real Petr and not a wolf in a sheep suit -;)

        And for the Mentor thing…I should go back next year, by TechEd time…as I’m using my free time to focus in new technologies like HANA and Gateway -:)


          • Hi Michelle,

            it wasn’t you.

            But I felt sorry for the blogger, he’d done a really nice blog explaining and sharing something he had learnt and with screenshots etc, and then the first reply was, dude, this should be in the wiki not as a blog !

            I felt sorry for him 🙂

            All the best,


          • and this is why I love the blogs because they are accumulating every day and we have a sequential daily list of new blogs to read through and see if there is something interesting respective to our area of SAP.

            but the wiki, I only ever get to the wiki from SDN library searches and google

            but coming into work each morning and checking the new blogs keeps us all uptodate with interesting things, growing on a daily basis in time sequential order


          • Hi Petr (sorry Tom that we are again hijacking your blog comment space with responses to Petr),
            I agree that it is disheartening to get pushback for something that one has spent so much time and effort writing/creating.  I think though that the rules evolved for that kind of blog moderation when there was a rash of activity in the blog space that caused the community to question the quality of the postings and request us to be more heavy handed.  But (and here we go again with the Jive migration thing), that style of moderation will be less and less the rule going forward.  Also, the blogs will be appearing in their respective topic area spaces in Jive so that the “queue” of daily posts will not be so randomized.  That being said, I love scanning all the new posts, no matter what the topic or subject matter.  I wonder how many others in the community like such a “generalist” view of contributions.  It appears you do Petr, as do I. As for the wiki?  Wiki contents are for instances where multiple authorship is helpful to build supplementary documentation or contents (read David Branan’s blog on the distinction: St. David Slays the Wiki-Weblog Dragon).  Blogs, as you might note, are usually a more personal representation of ideas or personal ways or experiences of solving things.
            Lastly, and unrelated:
            I’ll add a word of caution to everyone here about “jumping to conclusions” around trolls.  As long as personal attacks are avoided, real critique is welcomed.  But Petr, I think you were pushing the limits by making your critique very very personal to the author.  Humor like that is best left for “the coffee corner” and even there is not always appropriate.  Understand please, that certain language can be read by an author as being a personal attack even if meant as humor. Glad you all straightened that out here.
          • Hi Petr, (and apologies to Tom for yet again hijacking his blog comment space to answer Petr)
            I agree it is extremely disheartening to see one’s content being rejected for being in the wrong space on SCN.  To be fair the rules around what constitutes a blog and what should be a wiki entry were created in answer to community requests for better quality blogs and less “documentation” type blogs that failed to include personal experience in creating solutions.  Wikis are more appropriate for contents that benefit from communal authorship and are more documentary in nature.  See David Branan’s excellent blog for reference: St. David Slays the Wiki-Weblog Dragon.
            Going forward (and here again we reference the Jive Migration), blogs will be posted to an explicit topic space. 
            I wonder if there are others like you and I Petr that love scanning blogs from a generalist view without regard for topic or solution but just as an overall interest in “what’s new”.  Those kind of blogs going forward will be less prevalent and might necessitate a search under a specific theme (including community-based ones).

            On the topic of trolls.  A word of caution to all: let’s not confuse critique with troll behavior.  On the other hand, I think Petr did veer into the realm of humor that seemed like a personal attack so it wasn’t a surprise that folks found his original statements “troll-like”.  Watching the conversation unfold was very heartening though.  I’m glad each side had a chance to communicate transparently and the issue of troll-like behavior was put to rest.

          • Wow – I’m like Petr and simply search blogs for relevant ones.  I’ll have to start going into other areas!  That’s fine.  Then I get to learn a little more.

          • Morning All,

            first of all, thank you Marilyn for feedback, Tom for hosting this discussion and also Michelle for feedback.

            If I may be so rude as to continue to troll this discussion and add another of my 0.02$   (please teasing – not offended – love sap – all friends on sdn)

            Ok here goes….

            So Marilyn has said blogs are going to be changed, Michelle replied, ‘ I get all the great ideas announced in a blog and then start digging. I’m behind writing a why blog, or an introduction blog with a link to the WIKI.’.

            One of the things I enjoy as a SAP Basis techy and I have done this modus operandi for years,

            when I arrive in the office each morning over a coffee I read interesting new things in the SAP Basis techy space, before SDN, and even before Iview Studio I would have read latest OSS Notes !  still do that these days for 7.3 searching each morning by date for the latest OSS Notes, but, for the last, how long, at least 6 years, the SDN blogs have provided a morning fix of interesting ideas, suggestions, solutions, products in the SAP Techy space, and I can say, I have gleaned mountains of knowledge through browsing the blogs each morning over a coffee.

            Here’s a case point, this morning I just saw this one, I will read it and then save it to a Word Document and add it to my library:

            Communication between Planning Application(32 bit) and SAP BW (64 bit)

            Should this be a blog or a wiki ?

            Either way, for my 0.02$ I think there should be blogs everyday and even if like Michelle said they simply and only are one line pointing to a Wiki or SDN Library article or deeper into another vertical blog section.

            It will be a shame to lose this morning new content, but on the other side, as Michelle rightly pointed out, if we have to navigate to a new area to read our blogs, well it might lead us to other information that we were not aware of.

            To conclude, thank you for a fantastic SDN your work is much appreciated by the wider more silent community.

            Kind regards,


          • Hello Petr

            I can imagine some of my blogs could fit in the wiki space as well.

            There are a few things that prevent me from using the wiki:

            1) I haven’t found many wiki pages or areas that I find very interesting which are related to #sapadmin

            2) Because of existing structures some data seems to be in multiple places or the areas / links are confusing

            3) Editing other persons’ contributions is also a point of discussion. Who says your contribution should replace the other person’s contribution? Which one is of better quality (speaking about almost exact same content).

            A discussion on the topic “wiki” or even a discussion group wouldn’t be a bad idea. To me it seems like the wiki space (at least for #sapadmin and areas I’m interested in) is not that interesting.

            Maybe I’m wrong and you can point out some great stuff but overall it’s not a place where I constantly follow-up content or go check.

            Kind regards


          • Hi Tom,

            I’m with you.

            That’s why I like the Blogs section, a big box which grows everyday with new interesting content – in programming terms, a rippling stack ! And we can browse the new stuff every morning over a coffee. SAP Basis Admin heaven 🙂

            If the Management want to change things then so be it 🙂

            I totally agree with your comment, and the same counts for me:

            Wiki – ‘ but overall it’s not a place where I constantly follow-up content or go check’

            The only time I go to the Wiki is when an SDN Library Search or Google point me there.

            I am happy the way it is.

            All the best,


          • Some of my blogs can fit in WIKI spaces as well – I agree.  I’m not repeating that your blogs could.  I’m saying my blogs could as well.

            But I think you miss some of the richest part of being a community.  We can add / change what you put out there.  There are 1000 ways to do just one thing in SAP.  We – me, I may not read all the comments to find out the different ones.  (I usually do – but I told you I was addicted.)

            Also – not you Tom – there are some blogs that I see different comments that the blog has got some of the features not quite right.  In a WIKI that could be changed.

            A WIKI is a living breathing document like – Wikipedia.  Just think how much it has grown.  The amount of contributors.

            The introduction blog.  OK – so I totally agree – I have to use Google to find WIKIs where I use information.  That would be why I would normally write an introduction blog.  I haven’t written anything technical lately.  But that’s what I’m thinking I’ll do.  Maybe put enough information in my blog to make people want to click on that WIKI link.

            Now my $100 <Ha!  I beat your 2 cents.  Strange humor here >  I don’t think it matters, WIKI or blog.  I just would like to see a WIKI when it is technical in nature.  BUT truly, I just want to see the information.  There is always things I don’t know.

            So WIKI / Blog?  Do either.  Add to the community.  But you know my preference.  And I have to admit, even though I was at Teched, I didn’t stop to see what the new SCN will look like.  It may help us out a lot.

            So now that I’ve written a book, when I see a good blog, and have the time, I’ll add it to a WIKI and comment.

            All the best – LOVE the debate,

            Michelle

            Yes Tom at times I use my spooky powers, and know what you are thinking.  I bet you can guess my thoughts too!

          • Hi Michelle,

            I am only a poor lowly SAP Basis Technician so I cannot possibly imagine to go anywhere near your $100– so if you don’t mind my trolling 🙂 you’ll have to accept another $0.02

            I agree with you 100%:

            Maybe put enough information in my blog to make people want to click on that WIKI link.

            and keep the horizontal blogging rippling stack so that we can come in each morning and read new blogs which back link to new wiki pages


            ok I need to go and lie down 🙂

            all the best,


          • Hello Marylin

            Michelle is absolutely right, I have tons of respect for you and I admire what you do and how well you do it. So you are more than welcome to hijack my blog comments 🙂

            I also love the fact that Michelle can voice for me due to the mails we have been exchanging. Community spirit at its best.

            Kind regards


  • Tom thanks for stepping up and giving voice to what many of us have ranted about privately for years.
    My vote is up on Idea Place.

    ps. Trolling is it possible the Petr forgot the tags on his comments?

  • Tom,
      Thanks for putting this together.  I can only reiterate what I said over at Idea Place

    The current situation is that I can download full install kits for various releases of various system types but I (supposedly) can’t patch these systems without a Solution Manager instance.  Given that new security vulnerabilities are found weekly, if not daily, the need for an extra instance (Solution Manager) to perform patching presents a “clear and present danger” to the security of these systems.


    PS it’s worth checking up on someone’s activity before deciding if they’re a troll. While not active as a blogger Peter Soldberg has posted and answered questions in (mostly) the BW forums in the last 12 months

    • Hi Martin

      Thanks for your comment and support. I can’t really think of any #sapadmin I know that wouldn’t want the approval gone so my mission now is to unleash the ideavirus and make sure the vote counter keeps ticking.


      PS It’s always good if people share and help other people but how can I not feel offended by his comment? I know I shouldn’t be but I’m only human after all. I just hope his answers on the forum are of better quality and I bet he didn’t research me either.

      • Hi Tom,

        #1, no offence was intended by my comments

        #2, it was tongue in cheek

        #3, we all have our interests, motivations, priorities, frustrations, in the SAP space – and this is one of yours – no worries – didn’t mean to offend

        #4, after 12 years of being a sap basis technician, and the last 6 years SAP feeding my children, I see sap in a spiritual way and am reluctant to question sap – if I can say, you have a point, you may be right, but I will not say a word against the sap way and am grateful for it

        #5, all the best, keep blogging, hopefully this feedback removes any offence you may have taken yesterday

        nice weekend, keep up the great blogs 🙂


          • Hi Tom,

            to provide a little more light on where I sit,

            as a fellow basis technician you have my sympathy

            however as a father I am grateful for sap’s interpretation of obfuscation and more of it and long may it last

            I cannot count on my hands any more how many times I have seen bosses put their heads in their hands at the hurdles we have to jump through to keep this stuff running – but I am grateful for it

            all the best,


  • AFAIK SAP made the use of SolMan mandatory to help customers download the right patches (oh, and of course, to get SolMan out to clients).

    Nothing against SolMan, but SAP did this in a time where SolMan just didn’t deliver just one promise SAP sold. With 7.1 this may change, but SolMan lost its credits at clients. That is sad, considering that SolMan (in theory) offers some great functionality.

    What SAP should do is to offer both options, but only give support for patches downloaded the official way.

  • Hello Tom,
    I am in limbo as to whether to support the idea in idea place as I am afraid I fully get your point.
    Oops!! Few blogs make me feel as if I am naive? When will I grow up with SAP?


    • Hello Kumud

      The point is the approval was not there before (some years ago) and SAP obligated the approval in an attempt to push Solution Manager to all customers. Something which does not match the current vision and openness of the new SAP in my opinion.

      Besides that it’s a drag as a #sapadmin to have to spend five additional minutes of our time to approve a download file.

      An approval process only makes sense if the person approving doesn’t equal the person who needs the approval. That’s yet another great reason to vote to have the approval removed.

      Hope you understand better now.

      Kind regards


  • Hello Tom,

    Gone with the wind… or we will have to blow a wind of revolution!

    It’s not fair from SAP to close your poll… at least it did survive to the SCN migration 😉

    By the way it’s a pity to see how many interesting posts have been lost and how slow is SAP to recover them:

    Imagine what would happen to you if you make the same mistake for a customer data migration!

    That shows how much SAP cares about SDN/SCN…

    Just look few lines above at these poor answers packed on the right side… SCN site design is a major success !!!


    • Hello Yves

      The reason was apparently that the category was not “ok”. Although I do think the category is related, the team behind the category is not responsible for download approvals. However, less effort seems to have been made to get the idea to the right persons which is a pity. It shows how SAP IdeaPlace is seriously lacking in certain areas.

      On the lost blogs, it’s too bad that some blogs got lost in the migration. However, I do know some of the SCN team members who worked on the migration and I can tell you that they worked really hard to get the migration done (day and night sometimes) and in the end it was a huge migration, needless to say the migration was underestimated. I do feel SAP is putting in effort to restore the lost blog content and I do think they care about SCN.

      The design of the new SCN is nice, the functionality could still use some tweaks though 🙂 .

      Kind regards


  • Yep, it’s useless. I just keep a “Miscellaneous” transaction open.

    I applaud SAP for pushing Solution Manager but how about giving those
    managers who think they don’t need to know squat about SAP (‘I did JD Edwards, I
    know ERP’) some incentive so we advocates don’t get beaten up every time we try
    to show them a better way? Last I checked management was more interested in $$$
    than what the lowly Basis guy had to say.

    Thanks Tom,

    David Hill

    Lowly Basis Guy

    • Hi David

      I’m still fighting for this one and I won’t give up easily. I’m getting the same comments from nearly all basis admins out there! If SAP now would only get back to me.

      To be continued…

      Best regards


  • I just want the basic MOPZ functionality in the cloud. Why on earth should I who is the only server guy in a 30 person company have to deal with installing, fixing, and maintaining a server for the express purpose of applying SPS updates to my other SAP systems.

  • Hello Tom, I don’t think that this option could be a good option; you are right that approval process could be a quick tedious if you don’t work on maintain running and up to date the SAP Solution Manager, but if you get it up-to-date you only will spend 5 or less minutes to download / approve the software.

    I share that mopz need some improvements, but don’t to remove it at all.

    Today it is really hard to explain to our customers the benefits of using a Solution Manager in their system landscape, SAP and non-SAP, for example like Thomas Bezak that seems to think that solman is only for approval software and not a good tool for normal or small landscapes.

    Approval process will grant security options to maintenance operation in each sap landscape, and all work that you can do to maintain your system availability more secure is invariable.

    That’s my personal thinking about mopz don’t get angry with me about that 😉

    Best Regards,


    • Hi Luis

      I respect other opinions and it’s always good to get other perspective. A fool never changes his mind. It doesn’t necessarily mean I agree though.

      The approval in the download basket certainly has its place for a so called legal approval which can happen (I’ve seen that happen).

      An approval outside of that only makes sense if the person approving is a different person from the person placing a file in the download basket so for the approval to make sense, they should not allow you to approve your own downloads basically.

      I’ve been collaborating with the LMDB team and they actually picked this one up for me, to discuss this with the person responsible for it. I’m awaiting feedback on it after a long time that I’ve been chasing this.

      75% or something uses a workaround like calling a specific function module to perform the approval hence they don’t use MOPZ to approve.

      In terms of SAP Solution Manager, I think nowadays there are plenty of other scenarios that can add value at customer side so I personally think Solution Manager has its place. Taking away download basket approval for non legal items won’t change that.

      Best regards


  • Hi Tom

    It’s very sad to see that after all this time, not only approval is still
    there but now we are facing another and stronger obstacle with export

    Approval was just annoying, but we were still autonomous with it (just
    forced to jump to solman and run /TMWFLOW/MO_UI_BASKET_AUTHORIZ).

    With Export approval it is getting worse because you need to open a message and
    wait until it is answered, blocked in your work.

    I’m currently installing a system, urgently needed by a customer… I did
    not have the media in stock (with all these obstacles I’m now collecting all the media I’m able to grab on a dedicated external drive). Validation was not that long, but I lost a day. While installing I decided to download the latest kernel patch and… Kaboom again 😡 , export validation required, for a kernel patch !


    I can understand that nobody at SAP seems to care about the time lost by
    basis people when installing system, but why being that vicious and requesting
    approval for everything ? I once even had export exception for a language media, known for containing very sensitive cryptographic stuff 😯

    (Top One Thing SAP found to help its customers).

    Does anybody know why media are subject to export validation, I thought it was related to crypto ?


    • Hi Yves

      I haven’t seen the approval step in downloading SP stacks lately but on single downloads indeed, it’s still there. I did find someone who knows the owner of the process but I haven’t heard anything back so far (I’ll check that again).

      Yes, it’s related to national regulations to export cryptographic software:

      1468595 – Support Package Stacks: Export Check

      I would open the message and at the same time inquire why it’s really necessary.

      Best regards


      • Hi Tom,

        Thanks for taking time to answer. I did get Export approval few days ago after an MOPZ.

        What I don’t understand is that downloading a kernel patch for a registered SAP customer is not really a matter of exporting a sensitive technology, just updating a product my customer already uses.

        I could understand for new / extra components (such as cryptolib) but not for a newest version of kernel.

        That will be great if the friend of the friend of the man hidden somewhere who’s in charge of that could explain us the reason. Sometime I feel it is just randomly managed !

        I’ll try to open a message on that with low priority.