saptechnicalguru – Page 39 – Saptechnicalguru.com

This blog is about the new and too much unknown new Swiss knife for idocs: the WLF_IDOC transaction.

The blog will answer questions like:

What are the new features of the WLF_IDOC transaction?
Which transactions does WLF_IDOC replace?
Why should I start using the WLF_IDOC transaction?
How can I search in idoc content?

Idoc listing

The first function WLF_IDOC replaces are the idoc listing transactions WE02 and WE05.

Starting up WLF_IDOC will give you first screen to enter selections for idocs:

This will give you the output screen with the list:

So far nothing new.

The new part is the single idoc view:

The idoc segments are shown on the left hand side and the idoc statuses top right.

The main new difference is when you select a segment on the left hand side, the right hand side bottom view will show you ALL the segments of that name in the idoc. This will give you a more complete overview of the idoc content. There is no need any more to scroll through the segments one by one: you see all in one shot.

Compare content of 2 idocs

If you are in the list screen of the idocs in WLF_IDOC, you can select two idocs and then use the idoc compare icon to compare the content of the selected idocs:

End result:

This output screen now shows you the differences in the two selected idocs.

Idoc reprocessing

From the list overview you can start the idoc reprocessing for idocs with status 51. If you select and idoc and press the Process button:

you will be given following choices:

You can do online, background or jump to the classical BD87 idoc reprocessing transaction.

In the overview screen you can select multiple idocs as well for mass processing.

Change idoc status

If you have selected idocs in the overview screen you can use this button to change the idoc status:

You can use this for example to change status 51 (error in processing) to status 68 (error – no further processing) to avoid the idoc from ever being processed again.

Search in idoc content

In the selection screen of WLF_IDOC content there is a tab called criteria for data record.

idoc processing — WLF_IDOC search in idoc content

This tab can be used to filter idocs based on content of the idoc for a field fo the segment. You can select based on 1 filter (just leave the second one empty). Or you can use it to have and / or selection of the content of 2 segment data fields.

This can be used for example to fast select all the idocs for a certain material number inside the idocs.

Do keep in mind that the idocs are still filtered based on the data in the first tab (status, date, idoc type, etc.).

Alternative transaction for search is WE09.

Editing idoc content

To be able to edit idoc content, there are 2 ways:

Classic BD87 and WE19 test tool approaches (BD87 can be used also in production, but WE19 should not be used in production): from WLF_IDOC you can go to BD87 by selecting an idoc and press Process (then select BD87 dialog), or go to WE19 by selecting an idoc and selecting menu option Utilities/Idoc Test Tool.
Allowing some idoc fields to be edited directly

To allow some idoc fields to be edited, you first have to customize this. In SPRO go to the menu path Cross-Application Components, then select Idoc Monitor for Agency Business and Retail (yes, it is a strange place), finally select Idoc Maintenance Settings.

Now enter the message type and segment you will allow editing. And in the details specify the fields that should be editable. Example is given below:

In the WLF_IDOC transaction, you can now select and idoc from the main screen and press the change button. In the details these fields have become editable (and only these fields):

Make the changes and save the idoc. Go back to the main screen in WLF_IDOC and you can reprocess the idoc via the Execute/reprocess idoc button.

You have to indicate the editing per message type/segment/field. It is not suitable for mass processing or test functions. This is really meant for a limited amount of fields in a productive system where business needs to correct idocs (most likely wrong reference numbers or dates).

Running in productive systems

This section requires intermediate SAP knowledge

When you run WLF_IDOC in a productive system (in SCC4 system is set to productive) some functions are restricted:

Change control record
Copy IDOC and delete segment
Change status

If you still want to use these functions, you must have proper authorizations. Next to that add parameter RWLFIDOC_NEW_EXPERT with value X in your user defaults (transaction code SU3).

If you are in WLF_IDOC, key in &expert into the transaction code area and you will be switching to Expert Mode where these functions are available.

See OSS note 2455691 – Missing functions in productive systems in WLF_IDOC.

Bug fixing OSS notes

Please apply following notes to fix bugs get up to date functionality:

Why SAP standard users and which ones are there?

After initial installation of SAP there is only one way to login: is via the standard user SAP* with password PASS. After logon, create your own user and disable user SAP* by giving it a new password and lock it. SAP* can be there without profiles and roles. Also set parameter login/no_automatic_user_sapstar to 1 to avoid automatic re-creation of SAP*. SAP has new way of dealing with superuser SAP*; read this dedicated blog.

To set up the SAP ABAP system code the standard user DDIC is used. This user compiles the ABAP code.

For software deployments the initial setup must be done by user TMSADM (TMS = transport management system, ADM = admin).

For historical reasons also the EARLYWATCH and SAPCPIC user are still present.

How to check standard SAP user settings and how to solve issues?

SAP delivers standard program RSUSR003 to check for correct setting of these users ID’s and passwords. Transaction code for this program is also RSUSR003.

End result should look like:

If any item has a red or yellow color you should act: link to solution.

How to check if standard users are being unlocked?

You can use SAP Focused Run to have a custom metric to detect when a standard user is unlocked. You can configure an alert mail to be sent 5 minutes after the unlock happens. More information on this: read this blog.

How to detect if somebody is trying to hack a system by trying to log in using standard SAP users?

There are 2 main ways of finding if standard SAP users are being tested for system access:

Somebody runs report RSUSR003 (whitebox method)
Somebody tries to use the users and passwords from outside (blackbox method)

Detection of running RSUSR003

Two ways of detection of running RSUSR003:

SM21 system log will show similar entry:

In this log you can see the user of the program and by double clicking you can also retrieve the terminal ID from which the user ran the program.

More background in OSS note 2248319 – Program RSUSR003 reports “Security violation” in SM21 system log.

SM20 audit log can show similar entry (provided the start of report is configured properly):

Also here you can see the user who ran it and from which terminal.

The exact scope of program RSUSR003 is described in OSS note 2481566 – Functional scope of report RSUSR003.

Bug fix note: 3224200 – SUIM | RSUSR003 displays lock by unsuccessful logon.

Detection of black box standard SAP user testing

SM20 audit log can show similar entry (incorrect logon attempts configured properly):

User DDIC in client 000

In many blogs there is a lot of discussion on how to deal with DDIC in client 000. There is no one size fits all approach here.

SAP standard recommendation is:

“To make sure everything runs smoothly, give DDIC the authorizations for SAP_ALL during an installation or upgrade and then lock it afterwards. Only unlock it when necessary.”

This is fine for smaller systems on which little maintenance is ongoing. If more frequently support packs, upgrades and/or installations are happening this is more annoying.

The main issue is when a system is using third party solutions which are provided by external parties in transports. When DDIC is locked in client 000 and the foreign transport is imported, this import will not finish and continues forever until DDIC is unlocked.

That is why on systems with more maintenance, and less strict regimes (business without SoX and FDA, etc), DDIC will not be locked on client 000 and the password is known to basis team. DDIC should be locked in all the other clients.

DDIC unlock in main client is needed only when implementing a TCI based OSS note (see blog on OSS notes).

Background OSS note on DDIC: 1998382 – User DDIC for Transport Activities.

Also read this note: 3035580 – Job RDDIMPDP running as DDIC to replace DDIC with different job user for import dispatchers.

User TMSADM

User TMSADM needs to exist in client 000. It can be deleted in all the other clients (including the main data client). Background on SAP help.

Password change instructions for user TMSADM: 1568362 – TMSADM password change.

User SAPSYS

SAPSYS is used for OS jobs, CCMS monitoring, running the background processing scheduler, and performing other system-internal operations (most of them executed as so-called AutoABAP programs). Don’t lock SAPSYS otherwise you get big issues.

Reference OSS note: 3195498 – SAPSYS user modifying background jobs.

Cross client hacking

See this blog on how a hacker can jump from one client to the other.

Client 001 and 006 deletion

To reduce the attack surface, you can also delete clients 001 and 066. See this blog for more background information.

Standard users in the Early Watch

Standard users are also listed in the early watch. Sometimes with a little different logic. The explanation of standard users in the EWA is kept in OSS note 1610103 – EWA : Default Password of Standard Users – Detailed overview for T/S.

Author: saptechnicalguru

Swiss knife for idocs: WLF_IDOC transaction