saptechnicalguru – Page 34 – Saptechnicalguru.com

Workflow initial configuration (before S4HANA)

This blog will explain the steps need to make the SAP workflow engine to work. If you have to set up the SAP workflow engine in S4HANA, please read this dedicated blog.

Questions that will be answered are:

How to execute the automatic workflow configuration?
What are common issues with workflow configuration?
How to test the automatic workflow configuration?
What other settings are to be done for custom workflow building?

Automatic workflow configuration

To setup workflow configuration start transaction SWU3. This brings you to the Automatic Workflow Customizing screen.

If the system is new then you see most of the icons are red. Hit the Automatic Customizing button.

Depending on your version all actions might be completed. In this step in the background the user WF-BATCH is created along with the RFC connection WORKFLOW_LOCAL_<CLIENT>.

In the newer versions of SAP netweaver this automatic step might end up with this status:

Status after automatic workflow customizing

Zooming in on the RFC connection issue:

Configure RFC workflow local destination

You will see as analysis that the user WF-BATCH is not yet created. In the newer SAP versions SAP expects you to create WF-BATCH first, before you run the automatic workflow configuration. If you have done the auto configuration and get this message, just create WF-BATCH user in SU01. Then restart SWU3 and repeat the step for automatic customizing. It will be correct:

Testing the workflow setup

On the SWU3 screen hit the Start Verification Workflow button (if needed accept the event linkage activation). Be patient now for at least 5 minutes, since in the background normally a lot of code is compiling. Then go to the inbox to check if you validation workflow was properly launched. In S4HANA the button is no longer there on the SWU3 screen to jump to the inbox. You still can use the inbox button on the SAP start screen or use transaction code SBWP.

In the inbox you should see an item. Open it and make a decision:

This will end the verification.

Common issues

Most common issue is to execute the automatic customizing without sufficient authorizations.

Best practice from SAP basis: execute SWU3 directly after installation with SAP_ALL still attached to your user ID. Then only hand over the system to the authorization team. After activation, you can remove SAP_ALL and provide the authorizations as explained in OSS note 1574002 - WF-BATCH and SAP_WFRT Authorizations.

For further troubleshooting and more background information on SWU3 SAP has released OSS note 2366252 – Transaction SWU3 explained.

Further explanation OSS notes:

Settings for workflow development

For custom workflow development you need to execute one additional step in SWU3 to maintain the Prefix Numbers:

In the number range screen add the 900 series for custom developed workflows:

Workflow development setup 900 number range

This setting will be transported, so you only execute this action on development system.

More workflow

For workflow tips and tricks: read this blog.

Setup of FIORI my workflow inbox: read this blog.

For deletion and archiving of workflow: read this blog.

ABAP code metric tool

There are many static code analysis tools. Long list can be found on Wikipedia. At some point in time a manager or developer might come to you with one of these tools like “hey, at my previous customer we used SonarABAP for code measurements”.

This blog will explain the ABAP code metric tool built into netweaver. Together with the ATC tool the code metric tool covers most of the functions that such tools deliver.

Questions that will be answered in this blog are:

How can I count the amount of lines of Z code in my SAP system?
How to run ABAP code metric tool?
What output will the ABAP code metric tool deliver?
Use cases of the ABAP code metric tool?

Test program

The test the code metric tool write a small ABAP program like this:

This program has nested IF statements (3 levels deep), one ELSE statement and a nested DO.

Code metric tool

Start the custom code analysis tools with transaction /SDF/CD_CCA:

The code metric tool is the tool on the bottom of the screen.

On the start screen select the package and extra checks (selecting more packages and checks will increase the runtime of the tool):

Result for our test program:

The output is giving:

LoC: lines of code
NoS: number of statements
NoC: number of comments
COM: complexity of conditions
TOTAL DD: complexity weighted by decision depth
etc
IF: 3 (this was in our test program)
ELSEIF: 1
DO: 2
etc like amount of loops, selects, updates, deletes, modifies, case statements.

Use cases of Code Metric Tool

Use case 1: complex programs

Complex programs are normally source of most productive issues. You can use the code tool to check if the program is not too overly complex (like many nested if and case statements).

Use case 2: the procedural versus OO discussion

Sometimes you have managers wanting you to count the amount of Z objects. If you have switched from procedural coding to OO coding you will find the amount of objects to have increased. The code metric tool can help you here by counting the amount of statements and complexity. The amount of objects in OO is typically higher, but due to re-use and better setup, the total amount of statements and the total complexity decision depth should be smaller.

Use case 3: count the amount of Z code lines in your SAP system

Every now and then there is discussion on Z code. Sometimes the question will popup: “How many lines of Z code do we have in our SAP system?”. This question you can answer as well with the code metric tool explained above.

For reference: SAP standard has 238 million lines of code (source is this SAP blog).

ABAP clone finder

This blog will explain the use of SAP clone finder.

Questions that will be answered in the blog are:

What are clones?
How to run the clone finder tool?
How to analyze the difference between the original and the clone?

What are clones?

Standard SAP offers lot of out-of-the-box functions and reports. But in many cases the standard report only offers 95%. What to do? In many cases developers copy the standard SAP program to Z copy and add the needed 5%. When upgrading the system to higher version or when applying support packages or OSS notes, the Z clone will not be upgraded to latest version. Maybe the clone needs updates as well, or can be deleted now after upgrade (if SAP added the missing 5%).

The clone finder tool is able to find the clones made in the past.

When you are doing a S4HANA conversion project (see blog) you will have to look again at these clones if they are still relevant or not.

Running the clone finder tool

The clone finder is part of the Custom Code Analysis workbench. Start the workbench with transaction /SDF/CD_CCA or transaction CCAPPS:

Clone finder is on top of the list.

Start screen of clone finder:

Pending on the size of your system you can run online or in batch.

Test result of standard SAP copy made as example:

As example program RSUSR003 and its includes were copied to Z programs. 3 are shown as identical copies. 1 is altered.

In the function link column you can hit the Version Compare button to see the differences:

Differences: the name of program and includes are different. And the authorization check was removed.

Relevant OSS notes

Useful OSS notes:

Operation modes

This blog will explain about SAP operation modes.

Questions that will be answered are:

What are operation modes and when to use them?
How to setup operation mode?
How to use changes in operation mode during runtime issues?

Operation modes explanation

In SM50 you can see the overview of work processes (in SM66 for all servers if you have more). The work processes are divided into online DIA, background BTC, update UPD, etc. The number of work processes is limited. During a working day normally more dialog processes are need for end-user usage. During the night typically more background batches are running.

This is where the operation modes come into the picture: you can setup these different modes and assign them to a timetable. The system will then have for example less dialog and more batch processes available during the night.

Operation modes setup

Start transaction code RZ04 for setting up the operation modes screen. Hit the create operation mode button:

Give a short key name and description for the operation mode. In our example we will set up simple DAY and NIGHT.

The initial screen after creation is empty:

You now need to maintain the instance data and assign the created operation modes:

It is import to check if this is active or not. When in doubt select the menu Instance and entry Set to active.

Also in these screens: press the save button locally and on the top of the screen.

Later on you can always change the work process distribution:

Put the cursor on the type (example Background) and use the plus and minus to increase or decrease the amount.

Make sure both DAY and NIGHT are properly setup now. Check in RZ04 start screen.

Amount of DIA versus non-DIA processes

To avoid issues, make sure the amount of DIA work processes is always greater than the amount of non-DIA work processes. See point 4 of the SAP OSS note 1970757 – Outbound qRFC scheduler with status RES_LACK. This note explain issues you can get in your system if you don’t apply this rule.

Time table assignment

Now that we have the two operation modes DAY and NIGHT, we need to tell the system when to use which one.

In the RZ04 main screen choose menu Operation Mode and then Timetable (or transaction SM63 directly). You reach the initial time table screen:

Choose the normal operation. Here you assign the operation mode to the time table:

This UI is bit unfriendly: double click on first time, then on last time, then assign operation mode. When done save the input.

Result in RZ04:

Activation of operation mode

Now this is done, you might check in SM50 to see nothing has changed. This is because the operation mode is defined, but not activated yet to run.

Go to transaction RZ03 and choose the operation mode you want to go to by selecting the Choose operation mode button.

In the menu select Control, Switch Operation Mode, All servers. Confirm the switch.

Now if you check in SM50 you see the switch is almost immediately effective.

Change of operation mode during system issues

During system issues you might want to use the switch in operation mode or change the work process distribution.

Use case 1: project team needs to do conversion on the fly in the system and did not notify basis team. All batch processes are filled up. Temporary quick solution: switch to NIGHT profile.

Use case 2: somehow the update processing is slow and you see bottleneck in UPD processing. Temporary quick solution: change the DAY profile to have 1 or 2 more UPD processes and less of something else. Save DAY profile and goto RZ03 to activate. After issue is resolved, don’t forget to revert back to normal. In this case it might be due to growth that anyhow more UPD processes were needed in the system.

Bug fix OSS notes

Please check following bug fix notes in case of issues:

Setup parallel processing

This blog will explain about setting up parallel processing groups.

Questions that will be answered are:

How to set up parallel processing group?
How to test parallel processing group?

Setup parallel processing group

In transaction RZ12 you can setup parallel server groups. Or change existing.

Within a server group you can set with percentages how much of the available work processes the parallel group can consume:

RZ12 explanation and bug fix notes:

Testing the parallel server group

Transaction SBPT brings you to the parallel background test environment:

SPBT parallel background task test environment

Here you can evaluate your settings.

Real live use

Some SAP transaction use parallel execution. Example is transaction code FAGL_MM_RECON.

More on load balancing

Parallel processing is an important part of load balancing across multiple application servers. More on load balancing can be read in this dedicated blog.

Digitally signed SAP notes

In the previous blog on SAP security notes you will see that security notes popup around “Digitally signed SAP notes”.

This blog will explain more on how to implement this.

Questions that will be answered in this blog are:

Why switch over to the new way?
How to implement the feature to download digitally signed SAP notes?
How to make the relevant settings?
Where to find more information?

Why switch over to the new way?

SAP keeps improving their security in all ways. Including OSS notes. There is no direct benefit. After downloading the OSS notes, the handling is identical for old and new way.

Switching over from current way of working to digitally signed SAP notes can be done any time.

SAP has announced the following: "Post January 1, 2020, the download and upload process will stop working unless Note Assistant (SNOTE transaction) is enabled in ABAP systems to work with digitally signed SAP Notes".

How to implement digitally signed SAP notes?

There are 2 basic ways to implement (you have to do only one):

Apply OSS notes 2508268, 2408073 and 2546220.
Apply TCI based OSS note 2576306, which contains all the notes (and manual work) in the notes mentioned in point 1. Your system needs to be able to handle TCI based OSS notes (see this blog on how to do this).
Follow the guided procedure

Guided enablement procedure

The guided procedure is the easiest way to apply and check the digitally signed OSS notes way of working.

Follow the instructions from OSS note 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes. Attached this note is an explanatory PDF document that describes all steps in detail. After installation of the OSS note (and prerequisite notes), you can run program RCWB_TCI_DIGITSIGN_AUTOMATION, which will guide you through the steps and verifies the results at the end:

Settings after implementation

If you have done the TCI based import a new customizing node is available:

The first one (direct program in SE38 is called RCWB_SNOTE_DWNLD_PROC_CONFIG) is to set the way of downloading:

The second one (direct program in SE38 is called RCWB_UNSIGNED_NOTE_CONFIG) is to allow only digitally signed SAP notes:

How to validate if the notes now are digitally signed?

To see if all is ok, download and implement a new OSS note. In the note log you can now see the digital signature download in the note log (in nice German words):

Known issue notes

Please read OSS note 2721941 – Download of digitally signed note – changes to configuration report and other minor changes carefully. It contains last minute fixes and changes.

Where to find more information?

More information can be found at the following sources:

2537133 – FAQ – Digitally Signed SAP Notes
Presentation on handling digitally signed SAP notes
SAP notes assistant page, section for digitally signed SAP notes
Full implementation presentation (including changes in RFC)

Security OSS notes via System Recommendations

This blog will explain how you can optimize your process of security notes via System Recommendations.

Questions that will be answered are:

What is the System Recommendations tool?
How do I set up the System Recommendations tool?
How do I deal with the results of the System Recommendations tool?
Where to find even more information on the System Recommendations tool?

What is the System Recommendations tool?

System Recommendations is a tool that runs in SAP solution manager. It weekly check SAP for new security notes and compares it with your own system. New notes will be alerted as new in the System Recommendations list. Notes you have applied will be removed from the list.

This automated procedure save you a lot of time checking for and follow up on security notes.

Alternative in SAP Focused Run

SAP Focused Run has a superior alternative for checking security notes with it’s Configuration and Security validation tool. Read more in this blog.

Setting up System Recommendations

If solution manager is properly setup, system recommendations is already enabled.

To verify if the system recommendations job is running start transaction SOLMAN_SETUP and select Mandatory Configuration and then Basic Configuration. Then select in the roadmap on top step number 2 and look for the system recommendations job, which will typically run every week:

Adding a system to System Recommendations

In SOLMAN_SETUP goto the managed system configuration of the system you want to add to system recommendations.

Select the full configuration for the system. On the roadmap select step 5: Enter System Parameters. On the screen below tick the box for Enable System Recommendations:

Now the system is added you need to wait until the weekly job runs.

System recommendations result

In solution manager goto the System Recommendations tile:

Upon clicking you get the list of systems and OSS notes per category:

Now you can zoom in for example on the security notes:

Per OSS note you can keep track of the status:

Dealing with the list

Some notes you can implement via SNOTE automatically. After they are implemented (normally via transport import if you run System Recommendations against productive system) they will be gone with the next run of system recommendations.

Some notes depend on kernel patch: also here, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.

Some notes might be non-relevant: you can mark them and they will no longer show in the open list of security notes.

DB and OS versions

The security notes will pickup all the database and OS versions for security notes, even if you don’t run them. To reduce the list goto transaction SM30 and maintain the content of table AGSSR_OSDB:

Flag the unused Databases and OS to Inactive and they will be filtered away next run.

More features

System recommendations function has more features. If you want to read all of them, please read the SAP full document. You need to use transaction SM30_DNOC_USERCFG_SR to configure these settings.

OSS note backbone settings

If you have issues updating most recent notes, or anything at all, please check in transaction SM30_DNOC_USERCFG_SR. Make sure there is no entry there for SYSREC_RFC_CALL. If it is there delete it. This is due to the SAP technical backbone change.

More background information

More background information can be found at the SAP pages on system recommendations and in SAP oss note 2554633 – System Recommendations configuration guide for SAP Solution Manager 7.2.

Bug fix OSS notes

Please check these notes for potential bug fixes:

Security Optimization Service

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

How to run the Security Optimization Service?
How does the questionnaire work?
How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 go to the tile Active Sessions for Service Delivery:

You now arrive in the sessions overview screen:

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

There might be multiple. In that case select this one (the others won’t work):

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Finish the roadmap. After the final step the detailed roadmap will appear:

In the first step select the logon and test the connection:

In the next step you need to assign a questionnaire:

If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:

In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionnaire and return to the roadmap.

Next step is to start the data collection:

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Authorizations

You need authorizations in the backend system for ST14. If that is missing you get this message:

This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.

Results

Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes:

Use remote ATC for baselining Z code

In the previous blogs we have explain how to run ATC from central system to remote system. This will enable you to for example run the ATC against an older release, which doesn’t have the ATC tool capability.

But there is one other common issue with older systems: you have lots of existing legacy Z code. If you want to clean up or start with new guidelines the ATC is initially not helpful since it will give you lots of errors.

This blog will explain the concept of baselining the current Z code with an initial run to give you a clean start.

Questions that will be answered in this blog are:

How to setup the ATC baseline?
How to run the ATC baseline?
What are the known limitations of the ATC baseline functionality?

Setting the baseline

To set the baseline, first run a full ATC remote check. This will give many issues. In the ATC results screen select the run and press the button Baseline to mark the current results as baseline.

You can choose that the current results are simply suppressed, are treated as exemptions or are treated as low priority.

If you run ATC tool again, please make sure in your run variant that you now select the consider baseline tick box:

If you don’t change any coding in the remote system the next run of ATC should give you a clean run with no issues (in case you have chosen suppression).

ATC after baseline

In the remote system we now do 2 coding changes:

We had before the baseline a bad program called ZCRAP1. To this program we do a change.
We created a new program called ZCRAP2.

Now we run the ATC tool again with the baseline to ignore the baselined findings.

The ATC tool now finds issues in both the changed and the newly created program.

The unfortunate thing is that for the old program, it does not look at the newly added lines, but it looks at ALL the issued in the analyzed code (also the existing). 
This might lead to some surprise if you add 1 line to a 1000 line existing bad code: this will give lots of errors. It is up to you to decide to fix the existing errors or just exempt the existing ones.

Baseline suppression known issues

The baseline suppression has some known issue situations. These are listed in OSS note 2552932 – ATC: Baseline Does not Suppress all Findings.

Bug fix notes:

- 2609447 – ATC: Baseline seemingly not reliable

- 2609481 – ATC: Similar findings might not all be reported

Using remote ATC for S4HANA readiness checks

In the blog on readiness check 2.0 we explained how you can perform analysis on your system as preparation for the S4HANA upgrade. This blog will explain how to run detailed analysis on your custom code as preparation for S4HANA upgrade. Pre-condition is that you have installed 7.52 netweaver system and done the configuration for remote ATC as described in this blog.

Questions that will be answered in this blog are:

What do I need to do in order to set up the remote S4HANA readiness check in ATC?
How to run the remote S4HANA readiness check?
How to handle the results of the remote S4HANA readiness check?

How to set up remote ATC for S4HANA readiness check?

To run the remote ATC for S4HANA readiness check you must install a netweaver 7.52 system and configure the remote ATC. Instructions can be found in this blog.

In the central 7.52 ATC system you must then apply all the extra OSS notes needed that are listed in OSS note 2436688 – Recommended SAP Notes for using S/4HANA custom code checks in ATC.

In the SAP code inspector (for details see this blog) you can now find the S4HANA readiness variants:

How to run the S4HANA readiness in ATC?

To run the S4HANA readiness variant create in the ATC tool (for all details see this blog) a special S4HANA readiness run series:

In this run it is important to put your analysis system object provider into the variant!

Now start the ATC run and be patient. The run might take a few hours pending on your system size and Z code base sizing.

You can monitor the progress in the ATC run monitor:

You can also see here if any tool issues were reported. If tool issues are present, click on the underlined number and see if you can solve them. Most issues are SAP bugs and you need to apply an OSS note. Before creating new message for SAP make sure you have applied all recent notes for the S4HANA readiness check (2436688 – Recommended SAP Notes for using S/4HANA custom code checks in ATC) and all the remote ATC notes as explained in the remote ATC blog.

How to handle the results?

If the ATC run is finished you can look at the results in the central system:

The results consist of a code point where a potential issue is. If you click on the code point you jump to the analyzed systems code.

There is also a note number which explains what you need to check.

Now basically 3 things can happen:

You can fix the issue directly: nice, the next run the issue is gone.
You read from the OSS note the function has changed or is no longer present in S4HANA. Read the OSS note for alternatives or check with your functional consultant on functional alternatives. Example of change is the way output and pricing is done. You know now it will be changed, but you cannot prepare in the current system. Use the list as input for project management for work estimation.
You read from the OSS note the potential issue and conclude it is not relevant for your situation. Example is material number length handling. If you use material numbers properly this is not relevant for you, but the tool will generate massive amounts of alerts. But maybe in some cases you need to intervene.

To distribute the results, apply OSS note 2499684. This enables you to download the ATC results into xls spread sheet. From here it is easier to follow up if action is needed for long list (like material number length) or not.

Fine tuning the results

OSS note 2865234 – SAP S/4HANA custom code checks show different number of findings in different check runs contains some explanation on differences in numbers.

More important, you need to run the ATC a few times, after every main clean up round. But some notes you might have detected as not relevant and you want to exclude them.

To do this copy the SCI S4HANAREADINESS variant to your own variant. Then change the SCI variant to exclude the OSS notes you don’t want to see any more:

Now rerun the ATC with the new variant. The list you get will be smaller. Repeat this iterations as long as needed.

Don't change the originally SAP delivered SCI variants. New features and bug fixes by SAP will update this variant. If you have an updated SAP variant, simply copy it again to your Z variant and redo the exclusion of OSS notes.

S4HANA 1809 update and beyond

If you previously installed remote ATC for a 1709 check and want to run now for S4HANA 1809 or higher version, there are a few update steps to follow.

First step is to install OSS note 2659194 – Check variant for SAP S/4HANA 1809 custom code checks and carry out the manual aftercare action. This will deliver you the SCI variant for S4HANA_READINESS_1809.

If you now run remote ATC without step 2, you get the issue described in OSS note 2532285 – ATC: Inspection was not executed because target release information cannot be processed.

Step 2 is to update the simplification content to version 1809. You have to download the content from SAP software site and upload it in your ATC 7.52 system. For this step follow the instructions from OSS note 2241080 – SAP S/4HANA: Content for checking customer specific code.

Short summary of these steps in this note: download the most up-to-date simplification database:

In the 7.52 central ATC system use tcode SYCM to upload this file.

Now you are good to go for the S4HANA 1809 readiness check for custom code.

For S4HANA 1909, S4HANA 2020 and S4HANA 2021 the notes have different numbers:

The basic process is still the same.

Bug fix OSS notes

Bug fix OSS notes: