Category: Basis

basis

SAP support portal security: mail filtering

SAP support portal is used in your company for many items: EWA’s, reporting issues, downloading software.

Protection of the accounts on SAP support portal for your company is required.

This blog will explain the setup of the security feature for mail filtering.

If you don’t set this up, your user overview will continuously show this warning:

Setting up mail filtering

Go to the support page for mail filtering:

Use the Add Domain button to add a new domain.

Domains to add:

  • Your company mail domain(s)
  • sap.com domain (for support from SAP)
  • Domain of your supplier maintaining your SAP system, in case they use their own mail ID

Background

Background of this feature can be found in OSS note 3025172 – How to add or remove email domains for my customer number – SAP ONE Support Launchpad.

Measurement of developer licenses

Every year SAP measures the licenses. The developer licenses are the most expensive licenses and also the ones which are under continuous debate with SAP.

Questions that will be answered in this blog are:

  • What is a developer and why is it so hard to measure?
  • How can I go back to the DEVACCESS measurement on my non-S4HANA systems?
  • What are the complexities on S4HANA with measuring developers?

Developer definition

Most likely the definition in your contract clearly states developer is only for creation and changing custom code (Z code). And not for applying OSS notes. The measurement should follow the definition.

Developer measurement on non-S4HANA system

On a non-S4HANA based system, the developer key concept still exists. This means a developer key needs to be called off at sap support site for keys. This mechanism is hackable, but in the end in the system table DEVACCESS is filled with everybody who has filled in the keys.

SAP has given update notes on the USSM user measurement programs that use the S4HANA logic, which is described below.

By applying OSS note 3225435 – USMM2: Development Workbench check – Restore old version, you can revert back to the original way of working that measures entries in DEVACCESS table and changes to REPOSRC.

The measurement of developers has to run on the development system. For security reasons, you should delete all entries in DEVACCESS table in all non-development systems.

When a developer is leaving, you should also delete the corresponding entry in DEVACCESS table to avoid it from being counted in the license measurement.

Read this blog on the deletions of entries in DEVACCESS table.

S4HANA logic (or better no logic)

In S4HANA SAP removed the developer key (see this blog). In the USMM measurement program SAP has put in logic to measure a developer as everybody who creates a transport entry of type Workbench. Text from the word document attached to note 3038370 – USMM2: Development Workbench Check alte Version wieder herstellen:

"In the current version of the check all users are shown that have made an entry of type K (workbench request) or S (development/correction) in the field TRFUNCTION in the table E070 within the last year."

Note 3038370 is now obsolete and replaced with OSS note 3225435 – USMM2: Development Workbench check – Restore old version.

This means also the following actions are counted as developer:

  • Basis team applying OSS note
  • Consultant making a client independent customizing
  • Many more actions that lead to entries in workbench request

This logic of SAP does not make any sense. As customer you can have big debates with SAP on this.

It is really unclear why SAP is not simply checking the REPOSRC changes on S4HANA system done on Z code last year. This will simply give list of real changes done on custom code by whom. That would be fair measurement.

SAP, if you read this, you can take over this idea.

OSS notes with or without manual instructions

Some OSS notes have manual instructions to create SAP Z programs or to alter SAP objects. To avoid discussions with SAP, it is best if you carry out these instructions by an ABAP developers, rather than a basis consultant. Not only does the ABAP developer has a better clue on what the impact is, it also makes sure that the Z coding and changes to standard SAP are registered in the system and transport on the ABAP developers name. This will avoid discussions on developer licenses.

If basis applies the automatic OSS notes, these are not core custom developments. Check if these are counted by the measurement program. Then check the definition in your contract. Most likely the definition in your contract clearly states developer is only for custom code (Z code). And not for applying OSS notes.

SSCR key listing and developer license

You can run program RSUVM080 to quickly get overview of developer SSCR keys in development system or view in table DEVACCESS. More on RSUVM080 in this blog.

LUI: license utilization information

The LUI (license utilization information) is a new tool provided by SAP to help you better manage the insights into your current utilization.

Questions that will be answered in this blog are:

  • How do I use the LUI tool?
  • Where do I find more information on the LUI tool?
  • Does the LUI tool work for on premise systems and cloud systems?

Use of the LUI tool

The LUI tool is part of the support pages of SAP and can be reached using this link.

Open opening the link and logging on, you start with the overview screen:

As you can see the overview is both for On Premise as well as Cloud based solution licenses.

You can zoom into the details per license to see the trend:

This can help you to detect since when (and then you will check why) you are crossing the line of having utilized too much. This enables you to either take actions to go back, or simply procure more licenses.

For the SAP cloud products, the actual usage is automatically added by SAP. If you want to add usage data for the on premise systems, you will need to upload the LAW files.

Background information

Main LUI tool page can be found here.

LUI introduction video can be found here.

LUI FAQ can be found here.

Manual for using LUI can be found here.

Manual for preparation of measurement data for on premise systems can be found here.

S4HANA security parameter baseline changes

If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.

Questions that are answered in this blog are:

  • Where can I find information on security parameter changes after S4HANA conversion or upgrade?
  • How can I check if the changed security parameter are properly implemented in my S4HANA system?

Security parameter changes S4HANA

OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.

This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.

Checking implementation of security parameter changes in the system itself

After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:

Adding critical objects to the transport check tool

The transport check tool is a very good SAP delivered tool to check sequences in SAP transports. It also has a feature on the import timing.

The option for online import criticality check is not always understood. The power of this option will be explained in this blog.

Questions that will be answered in this blog are:

  • How can I check for critical objects in my transport?
  • How can I filter on the settings per system?

Critical object definition

A critical object is content in your transport that you consider as import for live operations. Examples of critical objects:

  • Indexes (upon import of index of huge table, your system will be very slow or halted)
  • Customer extends of tables (upon import the ABAP code will recompile and all current user sessions using that table will terminate with a short dump)
  • Critical user exits like SAP MV45AFZZ
  • Any other object you think basis team should validate before importing to productive system

Critical object check implementation in target system

In the target system for import (normally user acceptance system and productive system), you have to maintain table /SDF/OI_CRITOBJ in SM30 with the transport objects:

This is the implementation for the 3 checks mentioned above. Notice the use of the * wildcard.

You can take the values from a transport in the SE10 transaction.

This table you need to fill per target system. This enables you also differentiate per system. For your ECC productive system the values can differ from the BI productive system, etc.

Also make sure that the Solution manager user in the managed system has sufficient rights to remotely read this data. See OSS note 2257213 – Authorizations for RFC users for SAP Solution Manager 7.2 SP02 and higher.

Running the critical object check

When you run the transport check tool transaction /SDF/TRCHECK select the option for Online Import Criticality:

This will now start the analysis. If a critical object is found it will show like this:

Double click on the line will give the details:

In this case it reports on a table extend to EKPO table and it shows that EKPO is read intensively.

This should warn you not to import this with many users in the system, but on a quiet time or even when all users locked out of the system.

Set up parallel landscape for upgrades and conversions

When doing a conversion from SAP ECC towards S4HANA you will face a long period where the system is frozen for changes. In most cases business changes still need to continue. For this situation setting up a parallel landscape is a good solution. A parallel landscape might be required for other major upgrades or large data conversions.

How does a parallel landscape work?

How does the parallel landscape work? Initially we have a DEV, UAT and PRD system landscape where transports move from DEV to UAT to PRD system.

With a parallel landscape we install a second development and UAT environment of the same version as the production system. Let’s call them DE2 and UA2.

Now we can start to convert and upgrade the DEV and UAT system to the new target version.

Now 3 development moves are happening:

  1. From DE2 to UA2 to PRD the changes that business is needing (automated support via STMS).
  2. From DE2 to DEV system there is manual synchronization required (dual or double maintenance): all code changes and settings need to be redone (or in some cases even redeveloped).
  3. Transport from DEV to UAT (automated support via STMS): here is where you make your future fixes and developments and move these from DEV to UAT system for testing.

Conflicts between points 2 and 3 often need manual resolution.

At the go-live moment, all transports are imported into PRD from the UAT environment. After live the DE2 and UA2 system can be decommissioned.

Costs of a parallel landscape

Don’t underestimate the costs of a parallel landscape:

  • Your infrastructure for Development and UAT system will double.
  • If you are unlucky you also need parallel landscape for connected systems like BI and SCM.
  • You need basis resources to install, setup, monitor and update the extra systems.
  • More transports to monitor and to keep track of.
  • The double maintenance is a lot of work to be done manually. You need also extra person to keep track of administration that the double maintenance is done properly.

Tooling might exist to help, but in practice it cannot cover too many use cases. So don’t get your hopes too high on them.

Alternatives for parallel landscape

There are alternatives for a parallel landscape:

  • Accept the freeze period
  • Set up an emergency repair box: copy productive system to a special system for emergency repairs only

These alternatives can be an option for smaller landscapes and organizations.

S4HANA conversion preparations

You are going for S4HANA conversion if your start release is ECC6.0. Then you are not only upgrading your system, but actually a large part of your data (financial data, stock data, customer data, vendor data, etc) is converted from the ECC 6.0 to the S4HANA data model.

A great amount of preparations are required for a conversion to S4HANA. If you are on a S4HANA start release and want to upgrade to a higher version, the steps are far less. In that case read the blog on upgrading in stead of the blog below, which focuses on the conversion.

Summary of preparations to consider:

Readiness check and pathfinder

A good first step is to run the S4HANA Readiness Check 2.0. This tool will give you a first insight into the use of your current system and potential blocks and work for the S4HANA conversion. How to run the check is explained in this blog.

The readiness check is more based on existing functionality. The pathfinder tool is a tool that can help you more into new and innovative scenarios. Read more about pathfinder in this blog.

Sizing

You need to switch your system from your current database to a HANA database. This has impact on both your database size and your system sizing. Read more about in this blog on S4HANA system sizing, based on your current system usage.

A database migration can be done before the S4HANA conversion, but in most cases the database migration and S4HANA conversion are combined in one step.

Data archiving

To speed up the data migration, data archiving and data deletion is required to execute in many cases. The archiving and deletion can already be done before your S4HANA conversion project starts. For information on deletion of technical data read this blog. For data archiving, you first start with the business discussions on retention times (read this blog). After the discussions are done, you execute the technical execution according to this blog.

Remove unused clients

Unused clients must be removed. Removal of clients 001 and 066 are mandatory and to be removed before the conversion starts. Read more in this blog.

Add-ons

Add-ons can be the worst nightmare in a S4HANA conversion. If an add on is no longer required, first check if it can be uninstalled.

See OSS note 2011192 – Uninstallation of ABAP add-ons for SAP delivered add-ons, and OSS note 2911053 – Uninstallation configuration for 3rd party delivered add-ons.

If you do need to convert your system to S4HANA including the add-ons, please read OSS note 2214409 – SAP S/4HANA: Compatible Add-Ons. This note refers to the list of compatible SAP and 3rd party add-ons for each S4HANA version.

The SAP add-ons will normally be ready within few months after release of new S4HANA version. 3rd party add-ons differ per supplier. Some are really fast and can deliver you the needed ACP file within a week. Some take months or longer than 1 year. If you have such a poor add-on supplier, your complete conversion will block until the supplier has done its work. Best to impose pressure via management (best is via CIO or head of IT procurement) on the supplier to speed up.

Custom code adjustments

During the S4HANA conversion process all custom code must be validated and adjusted in these cases:

  • Changes due to HANA database change
  • Changes due to S4HANA data model changes

You can already change in the existing ECC 6.0 system parts of the code before the actual conversion. To see what you need to change, you need to set up an extra ABAP netweaver stack and run remote ATC checks for S4HANA readiness of the custom code. Read the details in this blog.

Next to S4HANA readiness, you can also scan your custom code for use of unsupported SAP objects. Read the details in this blog.

Custom code performance

You can use the SQLM and SWLT tools on your current productive system to determine your code points that already eat up most of your system performance now. These points are an opportunity to improve in the S4HANA conversion.

Data transition validation tool

During the S4HANA conversion FICO data and other data will be migrated to new data structures. The business needs to validate if the conversion was done correctly and proof this. Consider the use of the DTV tool (data transition validation) for this purpose.

Use of Eclipse for custom code

On S4HANA many new developments are possible in custom code, like CDS views. For these tools the ABAP developers need on their front end the ABAP Eclipse tool. Read these blogs: installation of ABAP Eclipse and backend activation.

S4HANA simplification items

The S4HANA simplification items must be dealt with. Already before starting the conversion, you can run the simplification items checks and assess their impact. Read this blog on how to run the S4HANA simplification items check.

CVI integration / BP integration

The CVI (customer vendor integration), also known as BP (Business Partner) integration can be a very time consuming piece of the S4HANA conversion preparation. More on this topic can be learned on the OpenSAP training dedicated to the Business Partner conversion in S4HANA.

FICO changes

In S4HANA new general ledger and new asset management are mandatory to be used. If your current system does not yet use new general ledger and/or new asset management, you need to plan a lot of time for the FICO consultants and FICO business for the FICO data conversion.

SLT triggers

If you are using SLT triggers, also check this OSS note carefully: 2755741 – Potential Impact of SLT During SAP S/4HANA System Conversion / Upgrade of S/4HANA System. In some cases it is better to drop the triggers and recreate after the upgrade.

Set up of parallel landscape

Most likely your ECC system has a lot of topics to be dealt with. This also means that the conversion project will take between 6 and 12 months in duration. During this time more or less changes must continue to be implemented for diverse business and legal reasons.

For most support packages and upgrades a parallel landscape might be over the top. But for a S4HANA conversion it is definitely not a luxury item.

Best to start your planning and implementation directly with a parallel landscape in mind.

More about parallel landscape in this blog.

Security parameter changes

After the conversion to S4HANA you need to consider new and updated security parameter recommendations from SAP. You can prepare yourself already for this step. Read more in this blog.

Downtime reduction

An S4HANA conversion can take a long time to implement, but also a long time to run in productive system. It can take a complete day, weekend or even extended weekend (including Friday and Monday) to execute the conversion on production.

During your S4HANA conversion you should really spend time on downtime minimization.

First step is to determine the maximum downtime you are allowed to have by the business. If you have this timing, use the first sandbox and development system conversions to measure the expected downtime as first estimate. You can use the downtime recording from the SUM tool. But you have to add time for many more elements:

  • Graceful shutdown
  • Data checks after the migration
  • Transport imports after the migration
  • System validation after the imports
  • Graceful startup

Test the actual downtime on your acceptance system. If required, you can also create extra copy of production to a special conversion upgrade dress rehearsal system to practice the downtime and your optimizations.

Tips for downtime reduction:

  1. Check the SUM options for downtime reduction
  2. Check the downtime optimization app from SAP: see this blog
  3. Consider to include customer transports in SUM: see this blog
  4. Consider to contact SAP if your system is very large and you outage window requirements are not met by the actual times. SAP can offer tailored services to further reduce your downtime. These services are expensive, but can be worth the money to help your project meet the business maximum downtime requirements

Transaction codes that are changed

S4HANA conversion comes with changes to transaction codes. Old ones are replaced by new ones. New transactions are present. FIORI tiles replacing transaction codes. And many more. Unfortunately there is no central list. OSS note 3118651 – How to identify, which Apps/Transaction codes are obsolete or replaced in SAP S/4 HANA? provides hints on assembling a list for your use case.

FIORI app recommendations

The FIORI app recommendations tool can already be used before the start of your S4HANA conversion project. You can use the current ST03N data in your ECC system and upload it to the FIORI app recommendation tool. This can give you insights into parts where you can support the user better with FIORI apps. More information on the FIORI app recommendations tool can be found in this blog.

Use of embedded LiveCache

In case your ECC system is connected to SCM APO system, you might consider to start using the embedded LiveCache in S4HANA as a replacement of the SCM APO system livecache.

This can only be done if:

  • SCM is not used by other ECC systems as well
  • You validated you can replace all functions
  • You have sufficient time in your project for the replacement

If yes, it will save you a complete SCM landscape.

More background on embedded LiveCache setup is in this blog.

SAP best practices

SAP has an excellent best practice document “Upgrading SAP S/4HANA: Why, How, and Best Practices”.

S4HANA upgrade preparations

When you are already using S4HANA, you will still want to regularly upgrade to the newest version. This blog will explain the preparation steps for a next upgrade.

If you are looking for information about S4HANA conversion (from ECC to S4HANA): read this dedicated blog on S4HANA conversion preparations.

Questions that will be answered are:

  • What do I need to check as part of an S4HANA upgrade?
  • Where do I find information on the HANA database revision upgrade?
  • Do I need to run the simplifications check again?
  • Do I need to check my addons again?
  • How can I check for differences in SAP FIORI apps?
  • How can I reduce downtime for my S4HANA upgrade?
  • How can I know about changes to security parameters after the S4HANA upgrade?
  • If I am upgrading an existing S4HANA system to a higher version, do I still need to do the simplification items?

HANA database revision

For each S4HANA upgrade, first you must apply the minimum revision published by SAP before you can start the upgrade.

You can apply this revision already in your running system as well.

HANA DB revision usage for S4HANA can be found in this OSS note: 2655761 – SAP S/4HANA – restrictions and recommendations regarding specific revisions of SAP HANA database for use in SAP S/4HANA.

Add ons

For each upgrade, you need to validate that the addons you use are already released for your target upgrade version.

Generic OSS note is 2214409 – SAP S/4HANA: Compatible Add-Ons. This will refer to version specific OSS note you must read.

Simplification items

For each upgrade, you must update the TCI note for the simplifications items and run the checks. See blog. So you still need to do simplification items between the versions!

For an ECC to S4HANA conversion this list is long to very long (can contain over 100 items). For an upgrade from S4HANA lower to higher version, the list is typically only 10 or less items.

FIORI apps impacted by the upgrade

FIORI apps can change between versions. Older apps are replaced by new ones. You might need to act on this if the apps are used by the business. To get a list of SAP FIORI app differences, follow the instructions from this SAP blog.

Readiness check

Also for S4HANA upgrades from older to newer S4HANA version, you can run the readiness check. Read more about it in this blog.

SLT triggers

If you are using SLT triggers, also check this OSS note carefully: 2755741 – Potential Impact of SLT During SAP S/4HANA System Conversion / Upgrade of S/4HANA System. In some cases it is better to drop the triggers and recreate after the upgrade.

Custom code checks

A quick check on the use of unreleased SAP objects in custom code can help to avoid upgrade issues. To execute the run, check this blog.

Downtime reduction

An S4HANA upgrade can take a long time to run in productive system. It can take a complete day to execute the upgrade on production.

During your S4HANA upgrade you should really spend time on downtime minimization.

First step is to determine the maximum downtime you are allowed to have by the business. If you have this timing, use the first sandbox and development system conversions to measure the expected downtime as first estimate. You can use the downtime recording from the SUM tool. But you have to add time for many more elements:

  • Graceful shutdown
  • Transport imports after the upgrade
  • System validation before startup
  • Graceful startup

Test the actual downtime on your acceptance system. If required, you can also create extra copy of production to a special conversion upgrade dress rehearsal system to practice the downtime and your optimizations.

Tips for downtime reduction:

  1. Check the SUM options for downtime reduction
  2. Check the downtime optimization app from SAP: see this blog
  3. Consider to include customer transports in SUM: see this blog
  4. Consider to contact SAP if your system is very large and you outage window requirements are not met by the actual times. SAP can offer tailored services to further reduce your downtime. These services are expensive, but can be worth the money to help your project meet the business maximum downtime requirements

Security parameter changes

After S4HANA upgrade, there are new and updated security parameters. Read more on this topic in this blog.

SAP best practices

SAP has an excellent best practice document “Upgrading SAP S/4HANA: Why, How, and Best Practices”.

ST06 OS host monitoring

If you want to see how well your OS is doing in terms of CPU, memory, disc utilization, etc, then transaction ST06 OS host monitoring is your solution.

Questions that will be answered in this blog are:

  • How to use transaction ST06?
  • How to get information on CPU, memory and disc usage on OS level?
  • What is different in ST06 when my SAP system runs in the cloud?

ST06 transaction

Start transaction ST06:

Top left you can select the application server you want to inspect. On the right screen you see the details. Bottom left you can select different tools or specific sections and history.

For more background on all ST06 issues and functions, read OSS note 2067546 – ST06/OS07N: Overview note.

ST06 and systems running in cloud

If your SAP system runs on infrastructure in the cloud, your infrastructure provider may have a certain setup that may not allow all ST06 functions to work as with a system installed in your own data center.

OSS notes on this topic:

1656250 – SAP on AWS: Support prerequisites

2015553 – SAP on Microsoft Azure: Support prerequisites

2855850 – SAP Applications on IBM Power Systems Virtual Servers

3028990 – Some information is not displayed in ST06 on Azure Cloud – Netweaver

3101323 – Incorrect disk size values in ST06 for cloud systems

Other OSS notes

Other notes:

SLG1 application log

SLG1 application log is a powerful function in supporting productive system. This blog will explain the backgrounds.

Questions that will be answered in this blog are:

  • What is the intended use of SLG1 application log?
  • Should SLG1 application log be used by the business or IT only?
  • How can I download or export the logs from SLG1?
  • How can I clean up or delete SLG1 logging?

Intended use of SLG1 application log

The SLG1 application log is primarily intended for use by IT staff to support the SAP system. The logging can be used to analyze issues that the user is reporting, without IT staff requiring direct access to the business data transactions (not even to display data). Most standard SAP applications will log errors in the application log.

The logging can be for:

  1. Technical errors
  2. Functional error (like missing customizing)
  3. (master) data errors

When you are having frequent (master) data errors that primarily show in SLG1 application logging, it can make sense to give access to SLG1 for your business key users. You should train them on the transaction, since it might be too technical for them.

Use of SLG1 application logging transaction

Start the application logging with transaction SLG1 and fill the required fields:

Best to start with Only important logs to reduce the volume.

Output can look like below:

On top open the alert and click on it. At the bottom part of the screen the details will be displayed.

SLG1 objects

The object and subobjects for data filtering in SLG1 are defined in transaction SLG0:

Export of SLG1 logging

To export SLG1 logging, start transaction SLGD:

The output of SLGD can be done on ALV screen, from which you can download the data.

More background in OSS note 2546052 – Transaction SLG1 – Cannot download or export error logs.

Deleting SLG1 application log

You can use transaction SLG2 to delete the application log. For more details see blog on technical clean up.

Logging levels

Next to deletion there is another option to reduce the amount of application log entries: setting the logging level. In many customizing settings for diverse applications, the log level can be set. This can range from: error only to everything. The everything setting is typical for a development system. The error only is typical for a productive system. Upon issues, you can still set the productive system temporarily to everything. Unfortunately: this feature is per function and has to be setup in customizing in the specific application, and not all functions support the log level settings function.

ABAP code to write to application log

If you want to write entries to the application log in your custom ABAP code, read this blog.

Relevant OSS notes

3195797 – Incorrect authorization default values for transaction SLG1