If you set this to 1 then only people with the right privilege can log on to the system. The parameter is immediately effective. All non-privileged users will get this error when they try to log on to the system:
After the system maintenance you can set the parameter back to normal and everybody can log on again. User history is not touched.
Be aware this is a dynamically switchable parameter. If you set the value to 1 and need to restart the system during your maintenance the value after restart is back to 0, which means everybody can log on again.
How to assign the privilege to log on to basis administrators?
First you need to create or extend the user security policy for basis admins using transaction SECPOL. Add the policy attribute SERVER_LOGON_PRIVILEGE and set it to value 1.
Now you can add this security policy to all basis team members in SU01:
All persons with security policy ADMIN are now still allowed to log on during the maintenance when parameter login/server_logon_restriction is set to 1 in RZ11.
Other use of security policies
Security policies can also be used to enhance security of specific user groups (like basis team). See this blog for more on this feature.
This blog will explain how to get text on the SAP logon screen before users logon and on the screen after users logon.
If you want to load a picture after the logon screen, please read this blog.
Questions that will be answered are:
How to add a text to the logon screen?
How to include icons?
How to put a text after the logon screen in stead of a picture?
How to put a clickable URL in the text after the logon screen?
Setting text before logon
The text to be shown before logon is maintained via transaction SE61. Select General text and for the name select ZLOGIN_SCREEN_INFO.
Now press change:
Enter the text you want to show to the users.
If you want to show SAP icons in the text start transaction SE38 and run program RSTXICON. Run it as ABAP list. Look for the icon you want and lookup the code. Please it between 2 @ symbols.
After the logon screen you can either add a picture or a web url. But no text or text with hyperlink. To achieve this we will do a small development trick. We put the text on a web dynpro page and add the web dynpro page as URL for the start screen.
First develop the web dynpro in SE80:
We will call the web dynpro ZSTARTPAGE. In our example there is a text (caption) and a LinkToUrl. The LinkToUrl has a text and a hyperlink and will show as a clickable element to the user. Save and generate the web dynpro. Test the web dynpro and note down the URL of the web dynpro.
Start transaction SM30_SSM_CUST to maintain the customizing for logon screen and other items. In the parameter SESS_URL fill out the web dynpro URL. If the parameter SESS_URL does not yet exist, just create it.
This blog will explain how to setup SAP batch job interception.
Questions that will be answered in this blog are:
How to activate SAP batch job interception?
How does an intercepted job look like?
Activating SAP batch job interception
Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:
Next you have to start transaction CRIT and create the profiles.
First create the default SAP profile by clicking on the SAP logo. Activate it. Next step is to create the profile in which you want to do the interception. In the screen above click on the create profile button. Now enter a criteria. For simplicity we have called it interception. In our case we intercept all except a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.
Next step is to activate this profile:
Working of interception
When a batch job is planned the interception checks if the job should be intercepted or not. As a test logon as end user and launch a job. In our case the user ENDUSER tries to launch a job from SLG2 transaction to delete application logs. This jobs is intercepted and shows like this in SM37:
The job does not start immediately, but shows in intercepted state. If user with release rights now goes to SM37 for this job, he can release the intercepted job.
This blog focuses on SAP mail sending tips and tricks.
Questions that will be answered are:
How can I add a disclosure to the mails I send form non-productive systems?
How do I restrict access to transaction SOST?
Which batch job to plan for sending mails?
How can I send encrypted or signed mails?
Is there a display only version of SCOT available?
How to send hyperlink in mail using ABAP?
Adding disclosure from to mails from development and test systems
If you want to send mails from development and test systems, but don’t want any risk that it looks like a productive mail, you can add a disclosure to the mail.
In SOST mail settings go to the disclosure function:
Or you can go directly there using the SODIS transaction.
In SODIS you key in the disclosure text:
If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:
When sending mails from the SAP system the receiver now gets the disclosure. The real mail is pushed as text in the attachment of the mail (see OSS note 2842085 – Email body becoming to attachment in receiver side). You need to open the attachment to see the body of the text. Hyperlinks in the body will still work.
Restricting access to SOST transaction: give SOSG access
As admin you might want to restrict access to SOST transaction. This transaction is also often used by functional consultants to see if their mail is sent or not. When having access to SOST all functions like deletion and stopping of mails is also granted. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.
SAP mail sending can also use mail receipts. This might be wanted, but most of the times it is not wanted. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?
This blog will give technical tips & tricks on embedded search. Embedded search can run on both HANA directly or on separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH work.
Questions that will be answered in this blog are:
How do I set HANA default connection as embedded search location?
What to do after a system copy with embedded search?
How to reset the complete embedded search to initial state?
How to reset the embedded search buffer?
How to recreate the embedded search joins?
How to influence the package size of the search extraction?
How to check backend part of search?
How to deal with full text search issues?
How to deal with authority index issues?
How to deal with high load issues on TREX?
Activating search in S4HANA
If you are running S4HANA, you can use an STC01 task list to fully setup the search function. Read this blog on technical activation and this blog for FIORI search for full instructions. The remainder of the blog below can be used in case of issues.
Setting the search connection to use HANA default database connection
If you are running HANA database for ECC you can use the HANA default primary database connection for search setup. This is easier in maintenance: no extra TREX needed, no extra secondary DB connection. Search will consume extra memory and CPU off course on the HANA database.
To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.
When things gone really beyond repair, you can log on to client 000 and start transaction STC01 and run task list SAP_ESH_RESET.
Important: write down (or make screen shots) on the connectors and settings that were active before running this task list. It will really wipe out all connectors and settings.
With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing. Issues can be dumps on SYSTEM_NO_ROLL / LOAD_NO_ROLL / TSV_TNEW_PAGE_ALLOC_FAILED / SYSTEM_NO_SHM_MEMORY.
To check if a search issue is related to application coding or is related to search setup, you can run program ESH_TEST_SEARCH (with same transaction code ESH_TEST_SEARCH). This program gives you options to test the search independent of any programming of search front end.
If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note is focusing on full text search issues in relation to solution manager CHARM, but the methods described can be used as well for analyzing other full text search issues.
While indexing you might get authorization indexing issues. First step is to repeat with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.
In newer versions this tool is available. Otherwise apply OSS note 2690982 – TrexViaDbsl Analysis Tool in ABAP. Then in SA38 you can launch program RHANA_TREXVIADBSL_ANALYZER for the analysis tool:
Main versions are delivered in new netweaver releases and/or support packages. There is a special blog written on the subject of last digit patching.
You can also check the main SAP UI component in the ABAP part with System/Status:
Per version you can look up upcoming ABAP UI component support pack stack information and planning at this SAP site.
Finding version of a specific standard SAP app
If you want to know the version information of a standard SAP app, you simply click on the Information button in the personalization when you in the app:
Recalculation of app indexes is needed after an upgrade or support package installation with new apps. Also when you install extra addon this is needed. Another use case is when you have deployed your own new app via transport or when you applied a large OSS note with new app code via transport. Program to run is: /UI5/APP_INDEX_CALCULATE. You can run for single app. Or after support package: run in full. It is wise to have this program run in delta mode at least daily.
If you have a custom theme created you can set it as default for everybody. For instruction see this blog. This blog also describes how to reset a users’ theme setting in case of issues a user might have after upgrade (garbled screen).
/UI2/FLP start issues
Transaction code /UI2/FLP can be used to start the FIORI launchpad. There can be issues using Internet Explorer. The best browser to develop and test issues is Chrome.
For user measurement and use of the ODATA calls, you can use the FIORI ODATA metering functions in the Netweaver Gateway component. Read more in this blog.
Configure backend system to jump to FIORI frontend server
In some use cases, you want to jump from the ABAP backend system to the FIORI frontend server. This is possible, but requires setup. The setup is described at sap help files online.
FIORI search
To activate FIORI search, please read this dedicated blog.
FIORI notifications
FIORI can sent push notifications to the end-user:
To set up these push notifications, read this dedicated blog.
FIORI app support is a powerful tool to find out what the source of issue there is for your FIORI app. It can check missing ODATA activation, missing SICF activation, authorization issues. Log files can be downloaded to SAP for further analysis. Read more on FIORI app support in this blog.
FIORI apps impacted by an S4HANA upgrade
FIORI apps can change between versions. Older apps are replaced by new ones. You might need to act on this if the apps are used by the business. To get a list of SAP FIORI app differences, follow the instructions from this SAP blog.
Testing FIORI tiles for slow network or high latency
FIORI tiles and web developments might be slow with users further away from the server. If the application has many round trips built in the increase network latency will definitely kill the end user performance.
Read more in this blog on how you can simulate a distant user in Chrome to analyze the issue.
Manage KPI tiles
SAP FIORI comes with a powerful tool to setup KPI tiles based on embedded HANA views. Read more about the manage KPI tiles in this blog.
A system refresh of a netweaver gateway hub system is not needed in most cases. In case of embedded gateway: if the system is refreshed (for example from productive system towards acceptance system), running the cache refresh and UI5 app indexing is sufficient. See OSS note 3111069 – Task list clarification post System copy/System Refresh in Embedded deployment.
Monitoring FIORI gateway system
You can monitor FIORI gateway system using SAP Focused Run. Read this dedicated blog on monitoring Gateway systems.
ODATA V2 versus ODATA V4
SAP is moving from ODATA V2 towards ODATA V4. Read more on ODATA V4 activation in this blog.
FIORI 3D visualization demo
For a demo on 3D visualization using FIORI element goto SAP web page and load the attached file: SAP Pocket Knife (unzip before use):
The advantage of using the FIORI element to show 3D visualization is that you don’t need to install the fat client for 3D viewer on your laptop or desktop.
This blog explains how to mass stop and mass start batch jobs as admin. This especially useful putting the SAP system in maintenance mode. Maintenance mode can be needed for upgrade, support package patching or data conversion.
Questions that will be answered are:
How to mass stop batch jobs?
Can I plan new jobs I need during the suspend mode?
Downloading and implementing new versions of OSS notes
SAP regularly updates its own OSS notes. To check in your system if there are new updates for OSS notes relevant to you go to transaction SNOTE. Then choose “Goto -> SAP Note Browser ->Execute (F8)”, and then choose “Download Latest Version of SAP Notes” in the application toolbar. This will download all the latest versions. Check for the status “Obsolete version implemented” in the implementation state column.
Issues with OSS note downloads
In rare cases OSS note download and extractions might fail.
Activation of inactive objects after implementing OSS note
In rare cases after implementing an OSS note some of the ABAP objects are in an inactive state. To activate them, select the menu SAP note and then Activate SAP note manually.
Or you can run program SCWB_NOTE_ACTIVATE to activate the coding of the note:
Transport based correction instructions contain notes that are larger than normal OSS notes. This tool leverages the SPAM transaction to apply these large packages.
Start with reading the PDF document attached to OSS note 2187425: TCI for customer. This contains the exact instructions to enable TCI based correction instructions.
The TCI only recently has a rollback function. Please check if you can update/patch to the version where the rollback works. See the PDF document in OSS note 2187425 on the undo function.
Applying TCI note
There are 2 ways to upload TCI note.
Basis way: you will need SPAM access rights and 000 actions are involved. Upload the TCI file in SPAM in client 000. Then apply the note via SNOTE in main client. The note tool will ask you to confirm to use the TCI mechanism.
ABAP way: you will need SPAM access rights. In transaction SNOTE use menu option Goto / Upload TCI. After uploading the file, choose Decompress. Now apply the note via SNOTE. The note tool will ask you to confirm to use the TCI mechanism.
During the implementation, it can be that you are forced to delete all BI queues.
Transporting obsolete TCI packages
When you upgraded earlier to S4HANA or other recent version, some of the TCI notes might be obsolete. There is an issue moving this through the landscape. Read and apply the solution from OSS note 3116396 – How to Adjust Obsolete TCI Notes in Downstream Systems for the fix.
For digitally signed oss notes see the special blog.
KBA notes
Some notes don’t contain coding updates, but are KBA’s: Knowledge Base Articles. You have to read the note which contains manual instructions or explanation in detail.
In newer netweaver versions SNOTE is revamped. You can apply this version earlier if you want to use it. Read more on the SNOTE revamp in this blog.
Applying notes in shadow during upgrade
In rare cases you might need to apply and OSS note in the shadow system during a system upgrade. Basis team will usually use the SUM tool. Applying notes to shadow during upgrade can be needed to solve upgrade stopping bugs.
Always handle with care. If you are not experienced with upgrades, let a senior handle it.
HANA data aging is a method to reduce the memory footprint of the HANA in-memory part without disturbing the end users. It is not reducing your database size.
This blog will answer following questions:
What is HANA data aging?
How to switch HANA data aging on?
How to set up HANA data aging for technical objects?
What about data aging for functional objects?
What is HANA data aging?
HANA data aging is an application method to reduce the memory footprint based on application data logic. It is not a database feature but an application feature. The goal of HANA data aging is not to reduce the database size (which it is not doing), but to reduce the actual memory footprint of the HANA in-memory database.
Let’s take idocs as example: the idocs that are processed ok you need to keep in database for an agreed amount of time before business or audit allows you to delete them. Lets say you can only delete after 1 year. Every action on idocs now means that full year of idoc content is occupying main memory. For daily operational tasks you normally only need 2 months of data in memory and rest you can accept that it will take bit longer to read from disc into memory.
This is exactly what data aging is doing: you partition the data into application logic based chunks. In this case you can partition the idoc data per month and only have last 2 months in active memory. The other 10 months are on disc only. Reading data of last 2 months is still fast as usual. When having to report on the 10 months on disc, the system first needs to load from disc into memory; will be slower.
To reduce database itself, you would still need to do data archiving.
Advantage of the data aging is that the more expensive memory footprint costs can be reduced in such a way that the end users are not hampered. Data aging is transparent for them. With data archiving the users will always need to select different transaction and data files.
How to switch on data aging?
To switch on data aging on system level you need to do 2 things:
Set the parameter abap/data_aging to on in RZ11
In SFW5 switch on the switch called DAAG_DATA_AGING
This only enables the system for data aging.
Data aging switch on for technical object: example for application logging
With transaction DAGADM you can see the administration status of the data aging object. You first see red lights that the objects are not activated for data aging.
Per object you have extra transactions (which unfortunately differ per object…) to set the retention times. For application logging this is transaction SLGR. Here we choose in this example to data age all log after 180 days:
The advantage of this tailoring is that you could only age some of the objects if you want.
The transaction and OSS note for each of the objects can be found on this SAP blog.
Next step is to setup partitions for the object. To do this start transaction DAGPTM and open the object you want to partition:
Initial screen is in display mode. Hit change button. On the bottom right side hit the Period button (Selection Time Period). In the popup enter the desired start date, time buckets (months, years) and amount of repetitions:
Now the partitions are defined. To execute the partitioning hit the execute button to start the partitioning in the background. Wait until the job finishes. Before running this on productive system check the runtime first on non-productive system with about same data size if possible.
After partitioning the screen should look like this:
Now we can activate the object in transaction DAGADM. Select the object and press the activate button. Popup appears to assign the object to existing data aging or new group:
The data aging run will be done per group.
To start the actual data aging run start transaction DAGRUN.
Here you can schedule a new run with the Schedule new run button.
To see the achieved results of the data aging go to transaction DAGADM and select the object. Then push the button View current/Historical data.
Functional data aging objects
Functional data archiving objects exist as well for Financial documents, sales orders, deliveries, etc. The full list and minimal application version can be found on this SAP blog.
Words of caution for functional archiving:
The technical archiving objects are more mature in coding and usage. They are used in productive system and are with lesser bugs than the technical objects
Before switching on a functional data aging object you need to prepare your custom ABAP code. If they are not adjusted properly to take the partitions with the date selections (or other application selection mechanism) into account all benefits are immediately lost. A Z program that reads constantly into full history will force a continuous read of historical partitions….
This blog focuses on technical data objects archiving and clean up by performing deletion. If you want to setup functional archiving, start reading this blog.
Using SM36 you can plan all SAP standard jobs (which include a lot of clean up jobs for spools, dumps, etc) via the button Standard Jobs.
By hitting the button Default scheduling in an initial system, or after any upgrade or support package, the system will plan its default clean up schedule.
S4HANA has different set up of standard jobs. See blog.
Clean up of old idocs
Idoc data is stored in EDI* tables. Largest tables are usually EDI40, EDIDS and EDIDC.
Old idocs can be deleted using transaction WE11.
In batch mode you can schedule it as program RSETESTD.
In the bottom of the selection screen are the technical options:
The idoc deletion job can fail if there is too many data to process. If they happens remove the 4 tick boxes here and use the separate deletion programs: RSWWWIDE, RSARFCER, SBAL_DELETE and RSRLDREL2. These 5 combined programs will delete the same, but run more efficiently. This procedure is also explained in OSS note 1574016 – Deleting idocs with WE11/ RSETESTD.
Table logging is stored in table DBTABLOG (general information on table logging can be found in this blog). Deletion can be done using transaction SCU3 and then choosing the option Edit/Logs/Delete, or by using program RSTBPDEL.
Application logging (SLG1) is stored in tables BALDAT and BALHDR (for general information on the use of the application log, read this blog). Deletion can be done using transaction SLG2 or by using program SBAL_DELETE.
The last options to fine tune the number of logs per job and the commit counter setting do not appear by default. Select menu option Program/Expert mode first.
Old RFC data can be deleted using transaction SM58, selecting some data, then in the overview screen select the menu option Log File/ Reorganize. Or by starting program RSARFCER.
If you are using MDG: it has its own set of change pointer tables (MDGD_CP_REP_STAT). Clean up transaction code is MDGCPDEL. Program for batch job clean up is RMDGCPCLR.
Workflows are stored in many tables starting with SW*.
You can delete work item history with transaction SWWH or program RSWWHIDE.
This clean up will only do the work item technical history and not the workflow itself. If workflow itself can be deleted or is to be archived is a functionality decision that the depend on the business and audit needs.
The workflow deleting program can create large amount of spools. If this is not wanted use the NULL printer.
If your business is using the GOS (generic object services) to see workflows linked to a business document, and they cannot retrieve the archived work item, please follow carefully the instructions in OSS note 2356250 – Not able to view archived workflows.
If you want to delete the actual workflow you have to run program RSWWWIDE.
Take care that before deleting workflows you have checked that these are not needed for audit or financial proof. Some workflows will contain approval steps with a recording of who approved what at which time.
If you have a large amount of items in your SAP inbox, you can delete them via program RSSODLIN. Background is in OSS note 63912 – SAPoffice: Delete user sessions.
Test this first and check with the data owner that the documents are no longer needed.
For a full explanation on deleting SAP office documents (including all the pre-programs to run) and bug fix notes: read this dedicated blog on SAP office document deletion.
Usually the business will not allow deletion of SAP office document (unless they are very old). You might be ending up with a SOFFCONT1 table of 100 GB or more.
In stead of deleting SAP office documents, you can also migrate them to a content server. Read more in this blog.
Change documents
Change documents do contain business data changes to business objects. If tables CDHDR and CDPOS grow very big, you start with an age analysis. You can propose to business to delete change documents older than 10 years. 10 years is the legal time you need to keep a lot of data. Deletion is done via program RSCDOK99. If business does not want to delete, but keep the data in the archive, you can use data archiving object CHANGEDOCU. Retrieval of archived change documents is via transaction RSSCD100.
If you have large SYS_LOB tables, most likely these are occupied with attachments. Consider setup of SAP content server (see blog) and then migrate the documents from the SAP database to the content server (see blog).
To analyze SYS_LOB tables, follow the instructions in this dedicated blog.
You can schedule program RSAUPURG or program RSAU_FILE_ADMIN with the right variant to delete old Audit log data:
Before deleting audit log data, first agree with your security officer on the retention period. More on audit log in this blog.
Clean up of user role assignment data
If you have an older system, you will find that many users will have double roles assigned, or roles with validity dates in the past. This will lead to large amount of entries in table AGR_USERS. You can clean up by compressing this data with program PRGN_COMPRESS_TIMES. Read more in this blog.
Large WBCROSSGT table
Table WBCROSSGT is used to store the ABAP where used index. Might be large after upgrade. Use program RS_DEL_WBCROSSGT to delete and program SAPRSEUB to recreate the indexes.
For clean up of a solution manager system, read this dedicated blog.
Clean up for SAP Focused Run
For clean up of a SAP Focused Run system, read this dedicated blog.
Updating statistics
If you are running Oracle database it is wise to include in technical clean up job as last step the online reorganization of tables or indexes using program RSANAORA. See blog.
