Check custom code for use of unreleased SAP objects

Custom code can use standard SAP code and SAP objects. Some of these objects might technically exist, but are in an unreleased status. This might mean SAP will not give support on them, or might remove them in a future upgrade.

Also when you want to move to the BTP ABAP cloud, you cannot use the unreleased code.

Questions that will be answered in this blog are:

  • How can I scan my custom code for use of unreleased standard SAP objects?

Tool preparation

First install the program SYCM_UPLOAD_RELEASED_OBJECTS by applying OSS notes 2989803 – Check Usage of Released Objects with the Latest List of Released Objects and 3143521 – Check for Released Objects: Introduce Finding “Usage of API that will not be released”.

And download the attached file in the same note in the attachments section;

Now run program SYCM_UPLOAD_RELEASED_OBJECTS and upload the file to a new SCI variant:

After the upload, you will find this new variant SAP_CP_READINESS_REMOTE in SCI:

ATC run for unreleased code

Now you can start new ATC run with this newly created variant SAP_CP_READINESS_REMOTE:

Run the variant for you custom code (can take few hours).

Result can be shown as special whitelist item:

ST06 OS host monitoring

If you want to see how well your OS is doing in terms of CPU, memory, disc utilization, etc, then transaction ST06 OS host monitoring is your solution.

Questions that will be answered in this blog are:

  • How to use transaction ST06?
  • How to get information on CPU, memory and disc usage on OS level?
  • What is different in ST06 when my SAP system runs in the cloud?

ST06 transaction

Start transaction ST06:

Top left you can select the application server you want to inspect. On the right screen you see the details. Bottom left you can select different tools or specific sections and history.

For more background on all ST06 issues and functions, read OSS note 2067546 – ST06/OS07N: Overview note.

ST06 and systems running in cloud

If your SAP system runs on infrastructure in the cloud, your infrastructure provider may have a certain setup that may not allow all ST06 functions to work as with a system installed in your own data center.

OSS notes on this topic:

1656250 – SAP on AWS: Support prerequisites

2015553 – SAP on Microsoft Azure: Support prerequisites

2855850 – SAP Applications on IBM Power Systems Virtual Servers

3028990 – Some information is not displayed in ST06 on Azure Cloud – Netweaver

3101323 – Incorrect disk size values in ST06 for cloud systems

Other OSS notes

Other notes:

ABAP code to write to application log

The SLG1 application log is a powerful mechanism to support team in SAP systems.

This blog will explain how you can write to the application log in your own custom ABAP code using ABAP code below.

It is recommended to create one single SE24 ABAP class for the application log that can be re-used in all your custom code.

Instantiation method

First method to create is the instantiation method:

   DATA: zls_log        TYPE bal_s_log,
         zlt_log_handle TYPE bal_t_logh,
         zlt_message    TYPE bal_t_msg. 

      zls_log-object     = ziv_object.
      zls_log-subobject  = ziv_subobj.
      zls_log-extnumber  = ziv_extnumber.
      zls_log-aluser     = sy-uname.
      zls_log-alprog     = sy-repid.


 CALL FUNCTION 'BAL_LOG_CREATE'
      EXPORTING
        i_s_log                 = zis_log
      IMPORTING
        e_log_handle            = zgv_log_handle
      EXCEPTIONS
        log_header_inconsistent = 1
        OTHERS                  = 2.

As input you have to give SLG1 object name and sub object name. You can re-use existing or create new custom one in transaction SLG0.

Now you have a log handler.

Add the messages

Now you can add a method to add one or more messages, re-using the log handler:

zls_msg      TYPE bal_s_msg,

      CALL FUNCTION 'BAL_LOG_MSG_ADD'
        EXPORTING
          i_log_handle     = zgv_log_handle
          i_s_msg          = zls_msg
        EXCEPTIONS
          log_not_found    = 1
          msg_inconsistent = 2
          log_is_full      = 3
          OTHERS           = 4.

Save the log

Create a method for saving the application log, again re-using the log handle:

    CALL FUNCTION 'BAL_DB_SAVE'
      EXPORTING
        i_t_log_handle   = zlt_log_handle
      EXCEPTIONS
        log_not_found    = 1
        save_not_allowed = 2
        numbering_error  = 3
        OTHERS           = 4.

Set up once and re-use

Set up the application logging helper class once in SE24 and tell all your developers to re-use it. You might find out that you developer already used the function modules above a lot in their Z code. This can be found with the ABAP code scanner tool. Check case by case when it makes sense to swap to the central helper class.

New Z application log objects

Using transaction SLG0 you can set up custom application log objects and sub-objects.

SLG1 application log

SLG1 application log is a powerful function in supporting productive system. This blog will explain the backgrounds.

Questions that will be answered in this blog are:

  • What is the intended use of SLG1 application log?
  • Should SLG1 application log be used by the business or IT only?
  • How can I download or export the logs from SLG1?
  • How can I clean up or delete SLG1 logging?

Intended use of SLG1 application log

The SLG1 application log is primarily intended for use by IT staff to support the SAP system. The logging can be used to analyze issues that the user is reporting, without IT staff requiring direct access to the business data transactions (not even to display data). Most standard SAP applications will log errors in the application log.

The logging can be for:

  1. Technical errors
  2. Functional error (like missing customizing)
  3. (master) data errors

When you are having frequent (master) data errors that primarily show in SLG1 application logging, it can make sense to give access to SLG1 for your business key users. You should train them on the transaction, since it might be too technical for them.

Use of SLG1 application logging transaction

Start the application logging with transaction SLG1 and fill the required fields:

Best to start with Only important logs to reduce the volume.

Output can look like below:

On top open the alert and click on it. At the bottom part of the screen the details will be displayed.

SLG1 objects

The object and subobjects for data filtering in SLG1 are defined in transaction SLG0:

Export of SLG1 logging

To export SLG1 logging, start transaction SLGD:

The output of SLGD can be done on ALV screen, from which you can download the data.

More background in OSS note 2546052 – Transaction SLG1 – Cannot download or export error logs.

Deleting SLG1 application log

You can use transaction SLG2 to delete the application log. For more details see blog on technical clean up.

Logging levels

Next to deletion there is another option to reduce the amount of application log entries: setting the logging level. In many customizing settings for diverse applications, the log level can be set. This can range from: error only to everything. The everything setting is typical for a development system. The error only is typical for a productive system. Upon issues, you can still set the productive system temporarily to everything. Unfortunately: this feature is per function and has to be setup in customizing in the specific application, and not all functions support the log level settings function.

ABAP code to write to application log

If you want to write entries to the application log in your custom ABAP code, read this blog.

Relevant OSS notes

3195797 – Incorrect authorization default values for transaction SLG1

SAP Screen Personas installation and basis configuration

SAP Screen Personas can be used to create variants of SAP GUI transactions. This blog will describe the basis installation and basis configuration part of SAP Screen Personas.

Questions that will be answered are:

  • How to install SAP Screen Personas?
  • How to perform the basis configuration of SAP Screen Personas?
  • How to check the health of SAP Screen Personas?

Installation of SAP Screen Personas

The installation process and prerequisites are clearly listed on the SAP Screen Personas help file for installation.

If you have an older version of SAP netweaver; carefully check the kernel requisites. Newer versions will not have any issue. For each support package there is a separate OSS note: 3115416 – SAP Screen Personas 3.0 SP14: Released Notes Information.

Installation of the PERSONAS addon can be done via SPAM/SAINT (simplest way) or via the maintenance planner. Next to the core add on, apply the support packages.

After the addon installation on development system, you need to open the namespace /PERSONAS in SE06. Otherwise you will not be able to apply bug fix OSS notes.

Read the master note per support package to see which OSS notes need to be applied.

Basis configuration of SAP Screen Personas

Basis configuration of SAP Screen Personas is described on the SAP help file.

Activation steps in SICF:

  • Activate SICF nodes personas and personas3
  • Activate SICF nodes se (for the slipstream engine)
  • Make sure ITS webgui is active in SICF, if not follow the instruction on this blog

In PFCG generate these roles:

  • /PERSONAS/ADMIN_ROLE
  • /PERSONAS/CONSUMER_ROLE
  • /PERSONAS/EDITOR_ROLE

Validation of installation and check for new OSS notes

Start transaction /PERSONAS/HEALTH to see the health status and check for new OSS notes:

The first tab has the services status. You might find an issue for WebDynpro Compression. If this is red, goto SCIF node UI5_UI5 and set the compression to Yes:

Next check on the tab System Status:

In case of issues with Transport system synchronization run program /PERSONAS/CONVERT_E071.

On the Notes Status tab press the Check Notes button to see if there are any new relevant OSS notes. Apply the notes and make sure all is ok:

Update of client source files

Per support package SAP releases an OSS note with more frequently released patched for the client source files: 3115432 – SAP Screen Personas 3.0 SP14: Update of Client Sources Files.

Compare and copy table entries from client 000

After a support pack, system upgrade or feature pack upgrade, new customizing can be delivered by SAP (see also OSS note 337623 – Customizing after installation or upgrade). To avoid changes to the main client customizing, this new customizing is delivered in client 000. You need to either manually look up the values in client 000, or compare using the tools mentioned below. There is and option to adjust the records after comparison; pull the data from client 000 to the main client and then save it.

Questions that will be answered in this blog are:

  • What are the prerequisites for a comparison with client 000?
  • How can I compare table entries with client 000?
  • How can I adjust table entries with entries from client 000?

Prerequisites for comparison

In order to execute the comparison you need to set up Transaction SCMP can be used to compare entries between the main client and client 000. Prerequisite is that you have setup an RFC from your main client to client 000 with reading right in client 000.

In SCC4 you must set the proper client comparison rights:

SCMP comparison for single table

Transaction SCMP can be used to compare entries between the main client and client 000.

Start screen:

We use table T005 (countries) as example. Run the comparison:

SCMP is only comparison transaction. You cannot adjust entries.

SCU0 or OY19 comparison for multiple tables

If you want to compare multiple tables, use transaction OY19 or SCU0:

Choose selected activities:

Select the IMG node(s) to compare and click the green OK button:

Select the RFC and start:

Results:

SM31 adjustment

To adjust the settings, start transaction SM31 for the table view V_T005:

Click maintain and select the entry to adjust. Now select menu option Utilities and option Adjustment. In the popup select the RFC to use:

Select the detailed entry and press copy entry:

Reference OSS notes

References:

SAP trust center

As company you are relying on SAP to provide support and services. But how do you know if SAP is doing a good job on this part?

If an internal auditor or external auditor asks you to show or explain the elements of SAP delivered support, where do you get the information?

SAP trust center

SAP has a good site to start with this information: the SAP trust center.

Here you can find:

  • Security policies
  • Security frameworks
  • List of sub-processors employed by SAP to provide services (sub-processor can be on infrastructure level like AWS, Azure, etc, but also manpower like Accenture, TCS, etc.)
  • Compliance documents like SOC1, SOC2, ISO 27001, ISO 9001, etc reports (or go directly to the compliance finder)

Not all reports are public. For some you must be customer of the product or service. Some parts require acknowledgement of non-disclosure agreement before you can get the report.

Security white paper

Another good document is the SAP security white paper.

SM05 HTTPs session management

Transaction SM05 can be used to manage HTTPs sessions in an ABAP stack in similar way as GUI sessions in SM04.

SM05 HTTPs session management

Start transaction SM05:

On top you can see % of free sessions.

In the table, you can see the sessions and if needed delete them. The right columns show the logon method (password, SAML, X.509, etc). This might be helpful in investigating issues with logon. The solution could be different per logon method.

OSS notes regarding SM05

Relevant OSS notes:

ABAP editor lock

ABAP programs can be protected from changes by setting the editor lock. Only do this for very critical programs.

This blog will primarily focus on methods to remove the editor lock.

Editor lock

The editor lock is set on the properties of an ABAP program:

The property to set is the Editor Lock tickbox.

When this is set only the author can change the program.

Change user for editor lock

In some cases you have a valid reason to lift the editor lock. If the person has left, or you need to change the program for bug fixing emergency and you can’t wait until the owner is back.

Change editor lock via SE03

As basis administrator you can change the owner of the editor lock in transaction SE03:

Change via SU01 usage

When person left: alter the password for this user in SU01. Log on as this user and remove the editor lock.

Via table editing of table PROGDIR

Goto table PROGDIR and view the content (via SE11). Search for your program and edit the entry:

Remove the EDTX flag and save. Editor lock is gone.

Via program

You can use Z program below to remove the lock:

REPORT  zedit_lock_remove.

TABLES: trdir.

PARAMETERS: p_prog LIKE trdir-name OBLIGATORY.

START-OF-SELECTION.
  SELECT SINGLE * FROM trdir WHERE name = p_prog.

  IF sy-subrc = 0.
    IF trdir-edtx = 'X'.
      MOVE ' ' TO trdir-edtx.
      MODIFY trdir.
      WRITE: /'Editor Lock was removed from', p_prog.
    ELSE.
      WRITE: /'Program', p_prog, 'does not have an Editor Lock'.
    ENDIF.
  ELSE.
    WRITE: /'No match found for program', p_prog.
  ENDIF.

SAP kernel patching

SAP kernel is the central software for the ABAP netweaver stack. It also contains bug and needs patching/updating from time to time.

Unlike support packages and OSS notes, the kernel patching has to be handled with more care.

Questions that will be answered in this blog are:

  • What is the SAP kernel deployment strategy?
  • When should I patch the SAP kernel?
  • What are known pain point in SAP kernel updates?
  • Where can I find kernel OSS notes updates?
  • Where can I find regressions on kernel updates?

SAP kernel deployment strategy

The full SAP kernel deployment strategy can be found as document on this link. Practical powerpoint for 2022 patches, use this link.

The basic strategy:

  • Update kernel with support package upgrade or main version upgrade
  • Apply kernel updates only when you experience issues

This is a sound approach. The kernel is quite black and white in updating. It is fully updated or not. Each new kernel might contain new bugs or unwanted side effects. If not properly tested you need to roll back the kernel update.

SAP kernel versions and SAP kernel patch levels

Versions and levels can be found in OSS note 2083594 – SAP Kernel Versions and SAP Kernel Patch Levels.

Known pain points in kernel updates

If you upgrade your SAP kernel, please pay attention to the following items:

  • Use of ITS webgui
    • Use of handheld scanners using the ITS webgui
    • Portal and other external integration of ITS webgui
    • Browser applications using ITS webgui
    • Logon issues for RFC
    • Logon issues for SNC
    • Logon issues for SSO
    • Logon issues for SAML2
    • Logon issues for LDAP connector
    • Logon issues for http(s)
  • SAP screen personas and other screen scraping tools like robotics process automation tools
  • ACF framework (do not use if possible, see blog)

Best practice is to assemble these test scenarios in your company. This way you know next time which tests to perform when applying a kernel patch or kernel update. The tests you execute on an acceptance or quality system before applying the kernel update to your productive system.

Kernel regression OSS note

SAP OSS note 1802333 – Finding information about regressions in the SAP kernel describes how to find the needed regression note for your SAP kernel. The regression notes describe the unwanted side effects and bugs in the kernels.

Kernel roadmap OSS notes

Roadmap OSS notes:

Business suite EHP8 and S4HANA till 1710: 1969546 – Release Roadmap for Kernel 74x and 75x.

S4HANA 1809, 1909 and 2020: 2907361 – Release Roadmap for Kernel 77x and 78x.

Kernel update information

News update on kernel are published on SAP wiki for kernel.