Mass locking and end validity date of users

There are two good reasons for mass locking users and ending their validity date: security and licenses.

Questions that will be answered in this blog are:

  • How can I mass lock users automatically if they have not logged on for a certain time?
  • How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

Password max idle initial

If a user (including yourself) has not logged on to the system within this number of days, the password is still valid, but it can no longer be used to log on.

If the user tries to log on after this period, they will see this error message and cannot continue:

Password deactivated

In SU01 such a user looks like this:

Password expired

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords are one of the easier ways for a hacker to enter a system, especially if the initial password used by the admin is more or less always the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This generates a long, random, one-off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users that are locked and then unlocked by some method can be a security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

RSUSR_LOCK_USERS screen 1

In the first block, set the dates for last logon and password change to get a good selection of users.

RSUSR_LOCK_USERS screen 2

In the second block it is very important to select only Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.
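The selection logic described above can be cross-checked outside the system with a small script over an exported user list. This is an added example, not part of the original blog and not SAP code; the CSV column names, the sample users, and the rule that both the last logon and the password change must be older than the cutoff are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = """user,type,last_logon,pwd_changed,valid_to,locked
ALICE,DIALOG,2024-05-28,2024-03-01,,N
BOB,DIALOG,2023-11-02,2023-10-15,,N
CAROL,DIALOG,2023-09-10,2023-09-01,,Y
DAVE,DIALOG,,2024-05-20,,N
ERIN,DIALOG,,2023-08-01,,N
RFC_IF01,SYSTEM,2023-01-05,2022-12-01,,N
FRANK,DIALOG,2023-06-01,2023-05-01,2023-12-31,N
"""

CANDIDATE = "candidate: set end of validity"
LOCKED_COUNTED = "locked but still counted in measurement"
NOT_DIALOG = "skipped: not a dialog user"
EXPIRED = "already outside validity period"


def _d(text):
    """Parse an ISO date; an empty field means 'not set'."""
    return date.fromisoformat(text) if text else None


def review_users(export_text, today, idle_days):
    """Return {user: set of findings}, mimicking a 'Test Selection' run."""
    cutoff = today - timedelta(days=idle_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        last_logon = _d(row["last_logon"])
        pwd_changed = _d(row["pwd_changed"])
        valid_to = _d(row["valid_to"])
        expired = valid_to is not None and valid_to < today
        # Idle: no logon since the cutoff AND no recent password (re)set.
        # A user who never logged on is judged on the password date alone.
        idle = ((last_logon is None or last_logon < cutoff)
                and pwd_changed is not None and pwd_changed < cutoff)
        notes = set()
        if row["type"] != "DIALOG":
            notes.add(NOT_DIALOG)        # never touch technical users
        elif expired:
            notes.add(EXPIRED)           # nothing left to do
        elif idle:
            notes.add(CANDIDATE)
            if row["locked"] == "Y":
                notes.add(LOCKED_COUNTED)  # a lock alone does not free a license
        findings[row["user"]] = notes
    return findings


def candidates(findings):
    """Users that a 'Set End Of Validity Period' run would change."""
    return sorted(u for u, n in findings.items() if CANDIDATE in n)


if __name__ == "__main__":
    result = review_users(SAMPLE_EXPORT, date(2024, 6, 1), idle_days=90)
    for user, notes in result.items():
        print(f"{user:10} {', '.join(sorted(notes)) or 'ok'}")
```

Comparing this list with the Test Selection output before the real run helps catch a selection that accidentally includes technical users or users with a freshly issued initial password.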

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS): 
2615606 - SUIM | Search for users with incorrect logon does not work
2628060 - SUIM | RSUSR200: Poor performance

 

SAP tool for measuring current indirect access

The previous blog explained the new SAP license model for indirect access. The biggest challenge after reading that blog will be: how can I know the impact for my situation and my SAP system?

For this purpose SAP has developed an estimation tool.

Questions that will be answered in this blog are:

  • Which note do I need to apply to get the estimation tool?
  • How do I run the estimation tool?
  • Why is the tool estimation only?

Warning: this tool only gives an estimation. The tool cannot take into account specific configurations you have made to standard SAP that influence the outcome. The tool also cannot take into account any company-specific agreements you have made with SAP.

Installation of the estimation tool

The OSS note to install depends on your version (S/4HANA or ECC):

Running the estimation tool

After the note is installed you can start program DAC_S4_COUNT_DOCUMENTTYP_ITEM:

Digital access check tool start screen

Fill out the date and user ID to check.

The result is the number of documents in the period:

Digital access check tool result

How does the counting work?

The counting estimation in the ABAP code simply executes a select count for the timeframe and user on the respective tables for specific document types.

Example below is the counting of purchase order line items:

Check tool count statement

Here you can see that only lines from EKPO with type lc_bstyp_f (which has value ‘F’) are selected. If you have configured your system differently (for example copied F to Z and are using Z), the count program will not find and report this.

This is the reason why the program only gives you an estimation.

Tool updates

The tool is under heavy development. Regularly check the tool's OSS note for new versions of the note.

SAP new license model for indirect access

This blog explains the new SAP license model for indirect access, also known as the Digital Access license.

Questions that will be answered in this blog are:

  • Where to find reference material on the new SAP license model?
  • What does the new SAP license model look like?
  • What are the exact definitions inside the documents for digital access?

IMPORTANT:
The explanation in this blog is to help you understand. This is not a replacement for the official SAP site. Please always check the official SAP site for the latest status of licensing. The document to search for on the SAP site is called SAP licensing guide (a guide for buyers).

References

Before starting the explanation these are important and useful references:

  • Official announcement on the new license model can be found following this link.
  • Generic explanation of the indirect access model can be found following this link.
  • Explanation on indirect access for existing systems can be found following this link.
  • Background on new model document details can be found following this link.
  • Useful background documents hosted by ASUG group, follow these 2 links: link1 and link2.

The new model

The new model consists of 3 components:

New indirect access model

  1. Direct human access
  2. SAP applications (engines)
  3. Indirect access / digital access

Formal definition:

Digital Access to SAP ERP (“ERP”)

This Package grants (a) humans a license to Use ERP through Non-SAP Application(s) that is/are directly integrated to ERP without the need to be licensed as a “Named User” of ERP and (b) non-humans (e.g. bots, sensors, chips, devices, etc.) a license to Use ERP directly or through Non-SAP Application(s) that is/are directly integrated to ERP and without the need to be licensed as a “Named User” of ERP (collectively, “Digital Access of ERP”).
All Digital Access of ERP will be licensed based exclusively upon the number of Documents created annually by such Digital Access of ERP.  Documents are unique records (i.e. unique digital line-items/objects) as defined in the “Document Definitions” column of the below table.  Each Document shall count as one (1) Document, except for Material Documents and Financial Documents which shall each count as two tenths (0.2) of a Document.  However, where the automated processing in ERP of a Document from one Document Type results in the subsequent creation in ERP of one or more additional Documents of different Document Type(s), such additional Documents shall not be counted.
Where a Non-SAP Application is connected to ERP via a Connectivity App, such Non-SAP Application is still deemed directly integrated to ERP for purposes of this provision.  Any humans and/or non-humans using ERP through application(s) (e.g. Ariba, Concur, Successfactors, Hybris) that is/are integrated to a Non-SAP Application that is directly integrated to ERP do not need to be licensed as a “Named User” of ERP.

In practice this should mean documents posted via a generic interface user, an IoT device, a third-party application, a cloud application posting data in the SAP system, etc.

By simply counting documents and agreeing on a price per document, this will simplify the ever-ongoing discussion on indirect access.

Digital access based on output

Document definitions

SAP starts with 9 document types. You can find the list and definitions in the table below.

Digital access based on documents

 

Document Types | Document Definitions

Sales Document | A Sales Document is (i) a line item record that represents the material and/or service being sold or quoted and/or (ii) a record that represents an individual order/release against a scheduling agreement which indicates the material and/or service being sold.

Purchase Document | A Purchase Document is (i) a line item record that represents the material and/or service being ordered or requested and/or (ii) a record that represents the release against a scheduling agreement which indicates the material and/or service being procured.

Invoice Document | An Invoice Document is a line item record that represents the material and/or service being billed.

Manufacturing Document | A Manufacturing Document is (i) a record which represents the production-related details associated with manufacturing a material, including: the type, quantity and color of what to produce, when to produce it, where to produce it and/or other distinguishing characteristics, and/or (ii) a record that represents a confirmation which indicates the status of the processing activities associated with manufacturing orders.

Material Document | A Material Document is a line item record that represents a specific material being received, issued or transferred to, from or within a storage location or plant.

Quality Management Document | A Quality Management Document is (i) a record that represents the details of a nonconformance being reported including the information required for problem solving and/or (ii) a record that represents results of an inspection.

Service & Maintenance Document | A Service & Maintenance Document is (i) a record that represents the details of work to be performed including the information needed to plan, execute and bill for a service or maintenance request, and/or (ii) a record that represents the details of a problem being reported including the information required for problem solving and/or (iii) a record that represents the status of the processing associated with service orders and maintenance orders and/or (iv) a record that represents a claim by a customer for repair or replacement or compensation for under-performance, pursuant to terms in a warranty document.

Financial Document | A Financial Document is a record that represents accounting information in a financial journal.

Time Management Document | A Time Management Document is (i) a record that represents an employee’s time worked and assigned to business related objects and/or (ii) a record that represents a confirmation (e.g., a progress update) which indicates the status of the processing activities associated with manufacturing orders.

USMM2: new license measurement program

This blog explains the new USMM2 procedure.

Questions that will be answered are:

  • When do I get the new USMM?
  • How to technically activate the new USMM?
  • How to run the new USMM?

Activation of USMM2

USMM2 is activated if you install a recent support package: SAP_BASIS release 7.50 (SP 11), 7.51 (SP 06) and 7.52 (SP 02). With the import of the support package the old USMM is simply replaced with the new one. Official background document from SAP: please follow this link.

The old transaction USMM is still available using transaction USMM_OLD. The only action required is to activate the new SICF nodes:

USMM2 SICF nodes

New USMM master data

After starting USMM you reach the new start screen:

USMM new start screen

The basic options are still the same. Here you set the basic master data for the user measurement.

A newer feature is the rule-based classification:

USMM rule based classification

More information from SAP on this feature: follow this link.

Executing the new system measurement

From the USMM start screen hit the system measurement button. The new web part of USMM will start.

USMM check notes

The first part is to update the USMM tool and measurement programs.

Yes, the user measurement programs are also written by SAP and are definitely not bug free.
If the measurement program measures too much, apply the notes you find. If the measurement program does not measure accurately and SAP does not inform you to apply the note, then you cannot help it that SAP makes a mistake and charges you too little.
When SAP asks you politely to apply the OSS note, it is best to comply with the request.

In the second step you can do the user classification check and adjust when needed:

USMM user classification

The third step will fire the regular measurement jobs:

USMM perform measurement

In the last step you can transfer the results or download the LAW file:

Result transfer

Printed format

You can use transaction USSM_PDF to get a PDF format of the user measurement.

 

 

SLAW2: license measurement consolidation

This blog explains the SLAW2 tool, the successor of the SLAW tool used for license measurement consolidation. For background information on the SLAW tool, see this blog.

Questions that will be answered in this blog are:

  • How to technically activate SLAW2?
  • How to setup system master data in SLAW2?
  • How to consolidate user measurement data in SLAW2?
  • How to use the SLAW2.0 information system?
  • Differences between SLAW and SLAW2?

SLAW2

Depending on your system, when you start the SLAW transaction, you might be forcibly routed to SLAW2.

SLAW1 replaced by SLAW2

In this case you are forced to use SLAW2.

Basic activation of SLAW2

Before you can use the SLAW2 web part you have to enable the corresponding SICF nodes:

LAW2 SICF nodes

SLAW2 system settings

If the basic activation is done, start SLAW2 by using the transaction SLAW2. This will open the SLAW2 start screen:

SLAW2 start screen

In the master data you start by checking the systems already present (if you were using SLAW before) or by adding a new system.

SLAW2 create new system

In this screen you can also go to the general SLAW2.0 settings:

SLAW2 settings

Running the consolidation in SLAW2

The basic principles of SLAW2 and SLAW are the same. The buttons are in different places. SLAW2 guides you in a somewhat fancier roadmap style.

If your system data is properly set up, you can select the Start new or Change Consolidation button in the start screen:

SLAW2 consolidation

The roadmap on top shows in which part of the process you are.

You can show the results and start the Combine Users process.

SLAW2 combine users

The next step is the Consolidate users step:

SLAW2 consolidate users

As the last step you can see the results and submit them to SAP.

In contrast to the old SLAW, the consolidation is now done. If you want to repeat it, you have to create a new consolidation.

SLAW2 information system

On the start screen of SLAW2 you can go to the LAW2.0 information system.

SLAW2 information system

From here you can create lists and filter them. The results can be exported to Excel for further processing, analysis and cleanup.

SLAW versus SLAW2.0

The features in SLAW2.0 and SLAW are basically the same. The positives of SLAW2.0 are the information system and roadmap support. The old SLAW is easier if you need more iterations of cleanup.

As said before, depending on your version, SAP forces you to use SLAW2.0.

 

SAP user measurement consolidation for multiple systems: SLAW

This blog explains how to consolidate multiple SAP user measurements into 1 combined measurement using the SLAW tool.

Questions that will be answered are:

  • How to use the SLAW tool?
  • Which options and help does it bring for consolidation of user measurement?
  • How to consolidate if users have different user IDs across the systems?

Preparation of consolidation

In each of the systems where you have run the USMM user measurement, you have to export the data in the LAW file format. To do this, go to USMM and select menu option System Measurement and Export to LAW file:

Export of LAW file

Save as local file is the most common and easiest option. Repeat this for all your systems.

LAW consolidation

You need to select one system for consolidation. This can be your main ECC productive server or, for example, your Solution Manager system.

In the consolidation system start transaction SLAW:

SLAW start screen

The consolidation process consists of 4 steps:

  1. Load all the LAW files
  2. Combine the users
  3. Consolidate
  4. Send consolidated results

First load all of your LAW files, before going to the user combination.

In the step Combine Users you have several options to combine the users:

Combine users

The best option for your consolidation depends on the differences between the systems. If the user name is the same in every system, then combining on user name is a good option. If the user name differs per system but the email address is kept consistent across systems, then combining on email is a better option. The last resort is to combine by name.

After the combination you can start the consolidation. The result of the consolidation for test users by name looks as follows:

Consolidation on name

If you see cleansing opportunities, do use them. After the cleansing, start USMM again, export the LAW file and rerun the consolidation.

SLAW2

The SLAW tool has a successor in the SLAW2 tool. See this blog to see how SLAW2 works.

 

 

SAP user measurement

This blog explains SAP user measurement.

Important: this blog explains in general terms. Your own company might have slightly different agreements in its contract! Especially for larger companies, no SAP contract is ever the same.

Questions that will be answered in this blog are:

  • How to measure users in the SAP system?
  • How can the USMM tool help in the clean up?
  • How does it work when I have the same user in multiple productive systems?

USMM user measurement tool

The user measurement tool USMM is the starting point. Start transaction USMM and you will come to the tool launch page:

USMM start screen

An important first step is to go to the tab User Types and activate the types according to your contract:

USMM active user types

Reminder: these types can differ per company, depending on the contract.

These activated types will now be visible in the SU01 License tab:

License tab in SU01

User classification check

In the USMM tool the first thing to do before running the measurement is to validate the user classification. From the USMM start screen click the user classification button. This will now list all the users in your system and the assigned or determined user classification:

User classification overview

If you want to change a classification you can do that in the SU01 license tab, or directly from this screen by selecting the record(s) and pressing the Classify Selected Records button.

General rules for classification:

  • Background users (type B and S) typically count as Technical users
  • Non-classified dialog users will be set to Default (meaning SAP will count them as the most expensive type of users)
  • Locked users will be counted as well
  • Users outside of validity period will not be counted in the measurement

Deleted users and users outside of validity date will not be counted in the measurement, but the statistics of these actions will be!
If you execute regular cleanup (every month or quarter) this will be seen in the statistics. If you do cleanup just before the measurement it will be seen as well, and might lead to discussion. If you do monthly cleanup, discussions will end fast.

Executing the user measurement

After you have classified and checked all the users, you can start the user measurement in USMM by hitting the System Measurement button.

The USMM tool will now run by firing a large number of SM37 jobs. Wait until the jobs are finished (typically max 10 min runtime). Then you can see the result of the run in the log in USMM:

USMM run log results

The USMM tool will do both the user measurement and the automated engine measurement.

The USMM tool can be run as frequently as you want. The Send to SAP button is a real send and cannot be reverted.

Improving the USMM results

You can improve the USMM results via the User Data Analysis button:

User data analysis

Here there are several lists to help you find why certain elements are reported.

You can use these lists to find errors in the classification and do extra cleanup. Then you can rerun USMM before you submit the data to SAP.

Multiple productive systems

If you have multiple productive systems, a lot of users will be present in more than one system. Example: a user is present in the core ECC system and runs reports in the BI system.

For the SAP user measurement you want to count the user only once.

To help you with this administration, activate the Multi-Client/System type in USMM:

Multi client system user type

In the SU01 license tab you can now refer to this type, and set the main system for user measurement:

Multi system user in SU01 tab

If you have multiple systems you run USMM per system. For consolidation of the runs per system you can use the SLAW tool (license administration workbench), or its successor, the SLAW2 tool.

SAP user measurement background information

The most current SAP user measurement background information can be found on the SAP support pages for user measurement.

USMM2

In newer systems USMM is replaced by USMM2. For more information on USMM2 see this blog.