DB01 Oracle Lock monitor

This blog will answer the following questions:

  • How does a deadlock look like in DB01 Oracle lock monitor?
  • How can I solve the issue?

Deadlocks

A database deadlock can occur when 2 or more processes are trying to update each other and are also waiting for each other. This process will lead to infinite waiting.

DB01 Oracle lock monitor

With the use of transaction DB01 you can get overview of Oracle locks. A deadlock is observed when the status is on HOLD and more processes are in status WAIT.

Solving the deadlock can be done by the Oracle DBA on database level.

Background: 745639 – FAQ: Oracle enqueues.

Shared objects memory

ABAP programs (standard SAP and custom) use the shared memory objects technology.

Questions that will be answered in this blog are:

  • How to set the shared objects memory size?
  • How to monitor usage of shared objects memory?

Monitoring shared objects

Shared objects can be monitored with transaction SHMM:

In the start screen you can see the objects now loaded and how much memory they consume. In the start screen you can also delete and invalidate the shared memory objects.

The deletion can lead to short dumps. Only use this in emergency cases and when you are really sure

In the second tab you can see the total memory overview:

Setting shared memory objects memory size

In RZ11 with system parameter abap/shared_objects_size_MB you can set the shared object size in MB. A restart of the system is required to activate any change.

Older documentation says 500 or 1000 MB is sufficient. In newer systems a value of 3000 to 5000 in not uncommon.

Useful OSS notes

Note on memory consumption: 1322182 – Memory consumption of ABAP Shared Objects.

Dump with shortage of shared objects memory: 972757 – Occurence of the SYSTEM_NO_SHM_MEMORY runtime error.

Guided answer note: 2474021 – [Best Practice] How to solve SYSTEM_NO_SHM_MEMORY runtime error – Guided Answer

Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Overview of methods

  1. Function module SE16N_INTERFACE
  2. Debug & replace
  3. SE16N_EMERGENCY mode
  4. Re-enable &sap_edit for SE16N

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

  1. Debug/replace is needed to change the data: don’t hand out debug/replace.
  2. Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.

And configure the audit log for detection: 3226223 – How to monitor debug activities in SAP Netweaver.

Direct table editing method 3: SE16N emergency mode

In newer SAP netweaver releases there is a new SE16N emergency mode which can be started with transaction SE16N_EMERGENCY. Read all the details in this special blog on this topic.

Direct table editing method 4: re-enable &sap_edit again in SE16N and use it

Apply OSS note 1468636 – CO-OM tools: SE16N: Use of &SAP_EDIT. This seems old, but it is still valid for all S4HANA releases as well. After the note is installed run program RKSE16N_EDIT and activate the function:

Now start SE16N and select your inputs. Before hitting the execute button, enter the command &sap_edit:

Only now press execute. The result is fully editable table.

Audit log detection

Apply/configure OSS note 3140539 – SAL | New event definition for change access in SE16N for detection of table changes in the audit log.

Also check these notes:

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the transaction code is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE.

Extra functions:

3256212 – STUSERTRACE: Additional selection criteria for evaluation

Bug fix notes:

Generating substitution and validation rules

In the FICO module the consultant can define substitution and validation rules. These rules must be generated before they are active.

Questions that will be answered in this blog are:

  • How can I generate substitution and validation rules?
  • Where can I find more background on substitution and validation rules?

Substitution and validation rules generation

Go to SE38 and start program RGUGBR00:


Substitutions and validations

Simple select the correct application are indicated by the FICO consultant (this area can be FI, CO, etc). Select Generate validations and Generate Substitutions. Now execute.

Transport and system copies

You will need to run program RGUGBR00 locally on the system after the transport import is done.

Also after a system copy program RGUGBR00 must be run again.

See OSS note 1793212 – Transport validation or/and substitution.

Background on substitutions and validations

The full functional background on substitution and validation can be found this SAP wiki.