Xiting ABAP Alchemist

ABAP Alchemist can help you optimize custom ABAP code and make recommendations for missing authorization checks. The built-in API Finder helps developers find standard SAP functions (e.g., BAPIs) that can be easily reused in custom code, thereby reducing the risk of introducing redundant code that might contain vulnerabilities.

ABAP Alchemist also offers recommendations for implementing additional security checks that have not been implemented within the source code. Possible weaknesses can be identified and remediated based on suggested improvements, and potential security gaps can then be closed.


Despite best practice guidelines and certain tools provided by SAP, developing custom applications introduces risk to your SAP landscape. With self-developed applications, correct authorization assignment is difficult if the developer did not implement the proper authority checks in the source code. However, the existence and accuracy of authority checks in the source code is essential to provide proper access control in SAP.

Granular access control of authorizations is only possible after security checks have been established and optimized in your custom applications. But traditional code scanning techniques only tend to focus on identifying classic coding errors, without providing sufficient information to developers and role administrators about how to fix the resulting authorization issues. 


Call Stack Analysis

One of the many valuable features of ABAP Alchemist is the call stack analysis. It allows you to examine code that goes beyond the boundaries of the selected object. For example, ABAP Alchemist can scan a transaction code (TCODE) as well as any programs, functions and classes that are part of the call stack.

As a result, ABAP Alchemist supports both developers and authorization administrators in identifying encapsulated functions within the source code.

SU24 Optimization

The integrated optimization function for SAP’s authorizations proposals database (SU24) allows you to compare and maintain suggested values for analyzed development objects based on the security checks contained in the code. As a result, you can keep your SU24 database properly maintained, which increases transparency and role maintainability. 

Flexible configuration options that allow you to define the scanning scope and the depth of the scan (call stack) make ABAP Alchemist a favorite tool among developers and role admins. Predefined checks can be used on a recurring basis and serve as a proactive measure within an internal control system (ICS).

Learn more about the modules of the XAMS!

We look forward to your inquiry!


Use Case
ABAP Alchemist in action: Quality control of customer-specific ABAP code.

On-Demand Webinars
Attend our webinars and learn more about the XAMS and SAP security.

SAP Security Blog
Learn more about the innovative modules of the XAMS in our blog posts.

Other XAMS Modules

Role Designer

Create sustainable authorization concepts, perform a what-if analysis, scan for SoD conflicts during the design phase, and quickly migrate roles to SAP S/4HANA using a virtual role design cockpit.

Role Builder

Virtually eliminate the need to test new roles or role changes through an innovative concept called Productive Test Simulation (PTS).


Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 8999 002
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now