Access to Learning Hub Exercise Documents
In my last post about SAP Learning Hub I showed that it is possible to access learning material PDFs that are not part of your active subscription. All you need to know is the URL of a PDF to access it, regardless of whether the course is part of your subscription or not. The information needed to construct such a URL is available to every SAP Learning Hub (LH) subscriber. It seems that some access checks are not working correctly at the file server that hosts the PDF files. At least you need to have a valid subscription; that is, you must be logged on to LH to be able to access the files. While the role-based access protection is not working, a valid session with the plateau service is needed. Ignoring the basics of security and not even validating that the user is logged on would not happen; anonymous access won't happen at a cloud company.
Expectation management is important, so: the learning exercises for many courses are not access protected. Just like with the training PDFs, you need to know the URL of the PDF, but this time a valid LH subscription is not needed. The URL consists of a fixed part that points to the server and the technical name of the exercise. The technical name is a little bit harder to construct: it is not just filling in the name you find in the course Excel file. Every file name starts with SAP_LA_, followed by the technical name (without the Col part), and ends with _EX.pdf.
- Fixed part: https://origin-saplearninghub.plateau.com/icontent/CUSTOM_eu/SAP/self-managed/SAP_Live_Access/EX/SAP_LA_
- Followed by the technical exercise name: <course number>_<language>_<version>
- And finally: _EX.pdf
Where to find the exercises
But how do you find the technical exercise name? First, find courses that come with exercises: filter for delivery method "practice" in the Excel file.
Using the LH web site is also possible: these practice courses are listed in LH under the practice tab.
Selecting a practice shows that it consists of several documents, the most important being the ones for the actual exercises. For BC401 the exercise document is available in English and German (EN and DE).
Clicking on the exercise link opens a browser popup that reveals the URL to the file.
This is not the training PDF. This is the document with exercises and solutions. It is easy to get the URL for the BC400 exercise using the information provided by the Excel file:
While the practice filter in the Excel helps to find out whether an exercise is offered, to get the download URL you can refer to the normal course information. Just remember that it is not possible to simply copy & paste the course name from the Excel because of the Col part: BC400_EN_Col18 > BC400_EN_18. Going through the Excel looking for practice course entries gives a nice list of PDFs that are publicly available on the internet. No authentication needed.
- … and so on.
As the access is anonymous it does not matter if a course is in my LH subscription or not. AR520 is not part of my subscription, yet:
You might think: nice, but doing this for every exercise document in the Excel is too much manual work. Well, as with the course PDFs, the firewall configuration SAP uses is very relaxed. I put all the possible links in a text file and then started to download them. One by one, in one single download run.
The firewall did not care. Not only can you download gigabytes of data (learning PDFs), but you can do so without any authentication headers set. When I say that security needs to be part of the DNA of a company, any company, but especially of cloud companies, this is one example that shows that there is still a long way of learning ahead. An intelligent firewall that blocks unusual requests, or throttles bandwidth? I doubt that my download was a normal usage pattern. SAP customers should ask SAP what they do to protect your data and systems. If the same level of intelligent services is used to protect an S/4HANA Public Cloud instance, I'd be worried. What worries me is that I reported this months ago, and it is still not patched. I do not know the details of what makes it so complicated to fix. I'd think that adding a simple rule to the firewall to check that the user has the LH authenticated user cookie or header is the fastest and easiest way to provide a fix. And then start to fix the root cause. Or is the anonymous access intended?
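As an added example (not SAP's or Plateau's code, and not from the original post), here is the kind of gate the firewall or reverse proxy in front of the PDF tree would need: it rejects requests without a valid session, checks that the requested course is part of the subscription, and throttles a client that fetches files in bulk. The cookie name LH_SESSION, the path prefix, the session lookup callback and the limits are assumptions.

```python
import re
import time
from collections import defaultdict, deque

PROTECTED_PREFIX = "/icontent/"          # assumption: where the PDFs live
SESSION_COOKIE = "LH_SESSION"            # placeholder, not the real cookie name
MAX_REQUESTS = 20                        # per client in one window (assumed limit)
WINDOW_SECONDS = 60

# File naming from the post: SAP_LA_<course>_<lang>_<version>_EX.pdf
EXERCISE_RE = re.compile(r"SAP_LA_([A-Z0-9]+)_[A-Z]{2}_\d+_EX\.pdf$")

def parse_cookies(header):
    """Minimal Cookie header parser (constructed for the example)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out

class ContentGate:
    def __init__(self, lookup_session):
        # lookup_session(token) -> set of entitled course codes, or None
        self.lookup_session = lookup_session
        self.history = defaultdict(deque)    # client id -> request timestamps

    def decide(self, path, cookie_header, client_id, now=None):
        """Return (HTTP status, reason): 200 means serve, anything else deny."""
        if not path.startswith(PROTECTED_PREFIX):
            return 200, "unprotected path"
        token = parse_cookies(cookie_header).get(SESSION_COOKIE)
        entitled = self.lookup_session(token) if token else None
        if entitled is None:
            return 401, "no valid session"             # the anonymous case
        match = EXERCISE_RE.search(path)
        if match and match.group(1) not in entitled:
            return 403, "course not in subscription"  # the role-based case
        now = time.time() if now is None else now
        window = self.history[client_id]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                          # drop requests outside the window
        window.append(now)
        if len(window) > MAX_REQUESTS:
            return 429, "bulk download pattern"       # throttle instead of serve
        return 200, "ok"
```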
As the files are still freely available: maybe protecting access to them is not so important. I agree. These are just the exercise documents. You need a system to try them out. You need data, or for the ABAP exercises, the samples in the ABAP system. To get these, an LH training system is needed. This shows the actual value of LH: not just PDFs, but live systems, learning sessions, etc. It is easy to gain access to the official training PDFs; I do not see the value of LH in providing the PDFs via a paid subscription. Dear SAP: why not make the training and exercise PDFs freely available? Focus on the value of LH. The biggest asset is the access to training systems. Why not offer only this as a paid service? Maybe 50€ per month for access to a prepared training system. Maybe even a complete landscape for more complex trainings? Ariba with S/4HANA integration. CPI and S/4, maybe with Data Intelligence and some BTP services? Completed by expert sessions available on LH. That would add incredible value to LH.