Setting FIORI gateway time-out and time-out warning

FIORI user use the browser. For security it is important that the browser session has a limited life time. The end user is normally annoyed by this, since when he clicks after a long time, the user gets a server error, which is difficult to understand.

This blog explains how to set up a more user friendly time-out and warning for the FIORI pages.

Questions that will be answered in this blog are:

  • How can I set a time-out for my FIORI tiles?
  • How can I set a warning time for the end users that their FIORI session is about to time-out?

Time-out settings for FIORI

Start transaction /UI2/FLP_SYS_CONF and enter values for these 2 parameters: SESSION_TIMEOUT_INTERVAL_IN_MINUTES and SESSION_TIMEOUT_REMINDER_IN_MINUTES:

Give these the values that are good for your company and press Save.

Time-out for end user

The end result for the end user is a more graceful warning and choice to continue or log out:

ABAP system license verification program

SAP has a bit of a hidden program to verify licenses on an ABAP system: RSUVM080. You can use this program yourself as well to prepare for license measurement and discussion on licenses.

Questions that will be answered in this blog are:

  • How to set up the User Type validation program RSUVM080?
  • How to use it for validation of your licenses?

Installation of program RSUVM080

In very new versions program RSUVM080 is present already. For older versions implement it by applying OSS note 2339166 – Validation of the user classification.

Also check bug fixes notes:

Use of program RSUVM080

If you start program RSUVM080 you see that a file is required for the validation rules:

The file has a specific format. The picture below is an example we use here:

In XLS format:

The actual definition of the file content, you have to do yourself by using common sense! When having discussions with SAP, they might provide the file and ask you to run it. 

Now run the tool in productive system. Output looks like this:

Explanation of the checks

In the details of the input you can see we have provided several checks:

  1. Authorization checks: first 4 lines (check for * in users management, or change or create. 4th line is check for development rights)
  2. Transaction code checks: check for VA01, SE38 and SE11

The checks are shown in the columns on top.

You can see that transaction codes VA01, SE38 and SE11 were executed by the users. When you click on the green icon in the AC check column you can see the details for the AC (anti cheating) checks (more on the AC checks in this blog):

You can see that the user did not only execute VA01, but also did updates to VBAK table. So the user did execute the transaction and created records. Therefore for this user the right license type should be assigned. If the user has rights for VA01, and started it, but never made a posting, this is off course different.

If a user has a DEVACCESS entry, it is marked in the SSCR column. If the user was involved in transports, the transport column is marked.

In the #steps column you can see what other transactions were performed by the user:

Selection of users

It is important to realize that the program only selects the user as Green if one or more of the criteria was met. This can help you focus on the discussion points you are having with SAP (for example around use of VA01 for sales order creation).

You can start with a limited set of rules, and then expand.

First you can give all users the lowest classification. Then you start. For example: start with only the rule for transaction VA01. Assign the users the correct license type. On the selection screen, don’t select the users you already classified, by excluding them in the selection. Then focus on the AC checks: learn from them and see which transactions lead to them. Add this to the rules, and again classify the users correctly. In the next run the classified users are excluded again. This you can do until no AC check box is there. Then randomly validate that the actions left, which are executed by the other users, are indeed part of the lowest license type.

Setup of LOCL printing

This blog will explain the setup of the LOCL printer in SAP. Any output send to the LOCL printer will use the SAP GUI to call the windows printer list on your laptop or desktop and send the print there.

Setup of LOCL printer

Start transaction SPAD and create printer LOCL (with short name as well LOCL):

And on the access method tab enter this information:

Save now and the LOCL printer is ready to use.

Set up background can be found in SAP help pages.

Use of LOCL printer

If you print, choose the LOCL printer. The screen will refresh and give a dropdown list for the printers installed on you local laptop or desktop:

Restrictions of LOCL printer

LOCL needs a connection to the SAP GUI. It can therefore not be used for:

  • Printing spool in the background
  • Printing in RFC

If you still try to spool to LOCL printer, this is the output:

See oss note 2244868 – Front-end printing spool request is not printed.

SAP support portal security: mail filtering

SAP support portal is used in your company for many items: EWA’s, reporting issues, downloading software.

Protection of the accounts on SAP support portal for your company is required.

This blog will explain the setup of the security feature for mail filtering.

If you don’t set this up, your user overview will continuously show this warning:

Setting up mail filtering

Go to the support page for mail filtering:

Use the Add Domain button to add a new domain.

Domains to add:

  • Your company mail domain(s)
  • sap.com domain (for support from SAP)
  • Domain of your supplier maintaining your SAP system, in case they use their own mail ID

Background

Background of this feature can be found in OSS note 3025172 – How to add or remove email domains for my customer number – SAP ONE Support Launchpad.

Measurement of developer licenses

Every year SAP measures the licenses. The developer licenses are the most expensive licenses and also the ones which are under continuous debate with SAP.

Questions that will be answered in this blog are:

  • What is a developer and why is it so hard to measure?
  • How can I go back to the DEVACCESS measurement on my non-S4HANA systems?
  • What are the complexities on S4HANA with measuring developers?

Developer definition

Most likely the definition in your contract clearly states developer is only for creation and changing custom code (Z code). And not for applying OSS notes. The measurement should follow the definition.

Developer measurement on non-S4HANA system

On a non-S4HANA based system, the developer key concept still exists. This means a developer key needs to be called off at sap support site for keys. This mechanism is hackable, but in the end in the system table DEVACCESS is filled with everybody who has filled in the keys.

SAP has given update notes on the USSM user measurement programs that use the S4HANA logic, which is described below.

By applying OSS note 3038370 – USMM2: Development Workbench Check alte Version wieder herstellen, you can revert back to the original way of working that measures entries in DEVACCESS table and changes to REPOSRC.

The measurement of developers has to run on the development system. For security reasons, you should delete all entries in DEVACCESS table in all non-development systems.

When a developer is leaving, you should also delete the corresponding entry in DEVACCESS table to avoid it from being counted in the license measurement.

Read this blog on the deletions of entries in DEVACCESS table.

S4HANA logic (or better no logic)

In S4HANA SAP removed the developer key (see this blog). In the USMM measurement program SAP has put in logic to measure a developer as everybody who creates a transport entry of type Workbench. Text from the word document attached to note 3038370 – USMM2: Development Workbench Check alte Version wieder herstellen:

"In the current version of the check all users are shown that have made an entry of type K (workbench request) or S (development/correction) in the field TRFUNCTION in the table E070 within the last year."

This means also the following actions are counted as developer:

  • Basis team applying OSS note
  • Consultant making a client independent customizing
  • Many more actions that lead to entries in workbench request

This logic of SAP does not make any sense. As customer you can have big debates with SAP on this.

It is really unclear why SAP is not simply checking the REPOSRC changes on S4HANA system done on Z code last year. This will simply give list of real changes done on custom code by whom. That would be fair measurement.

SAP, if you read this, you can take over this idea.

OSS notes with or without manual instructions

Some OSS notes have manual instructions to create SAP Z programs or to alter SAP objects. To avoid discussions with SAP, it is best if you carry out these instructions by an ABAP developers, rather than a basis consultant. Not only does the ABAP developer has a better clue on what the impact is, it also makes sure that the Z coding and changes to standard SAP are registered in the system and transport on the ABAP developers name. This will avoid discussions on developer licenses.

If basis applies the automatic OSS notes, these are not core custom developments. Check if these are counted by the measurement program. Then check the definition in your contract. Most likely the definition in your contract clearly states developer is only for custom code (Z code). And not for applying OSS notes.

SSCR key listing and developer license

You can run program RSUVM080 to quickly get overview of developer SSCR keys in development system or view in table DEVACCESS. MOre on RSUVM080 in this blog.

LUI: license utilization information

The LUI (license utilization information) is a new tool provided by SAP to help you better manage the insights into your current utilization.

Questions that will be answered in this blog are:

  • How do I use the LUI tool?
  • Where do I find more information on the LUI tool?
  • Does the LUI tool work for on premise systems and cloud systems?

Use of the LUI tool

The LUI tool is part of the support pages of SAP and can be reached using this link.

Open opening the link and logging on, you start with the overview screen:

As you can see the overview is both for On Premise as well as Cloud based solution licenses.

You can zoom into the details per license to see the trend:

This can help you to detect since when (and then you will check why) you are crossing the line of having utilized too much. This enables you to either take actions to go back, or simply procure more licenses.

For the SAP cloud products, the actual usage is automatically added by SAP. If you want to add usage data for the on premise systems, you will need to upload the LAW files.

Background information

Main LUI tool page can be found here.

LUI introduction video can be found here.

LUI FAQ can be found here.

Manual for using LUI can be found here.

Manual for preparation of measurement data for on premise systems can be found here.

SO10 standard text

With transaction SO10 you can maintain standard texts. These texts can be used in SapScript, SmartForms and your own ABAP code.

Questions that will be answered in this blog are:

  • How to create a standard text in SO10?
  • How to set default editor for SO10?
  • How to transport SO10 standard texts?
  • How to call SO10 standard text in ABAP code?

Create standard text

Start transaction SO10, enter the text name and press the create button:

Now enter the text in the editor and save it:

Transporting standard texts

After saving the standard text the tool just saves the text without prompting for transport. This is as designed. The text can be maintained directly in production this way. Either by IT or even by business users.

If you do want to transport the standard texts, use program RSTXTRAN to add the standard text to the transport:

Read standard text from ABAP code

You can read the standard text from your own ABAP code by calling function module READ_TEXT

Example code:

DATA: IT_TLINES type table of TLINE.

REFRESH IT_TLINES.

CALL FUNCTION 'READ_TEXT'
      EXPORTING
*       CLIENT                        = SY-MANDT
        ID                            = 'ST'
        LANGUAGE                      = 'E'
        NAME                          = 'Z_DEMO_TEXT'
        OBJECT                        = 'TEXT'
*       ARCHIVE_HANDLE                = 0
*       LOCAL_CAT                     = ' '
*     IMPORTING
*       HEADER                        =
      TABLES
        LINES                         =  IT_TLINES
*     EXCEPTIONS
*       ID                            = 1
*       LANGUAGE                      = 2
*       NAME                          = 3
*       NOT_FOUND                     = 4
*       OBJECT                        = 5
*       REFERENCE_CHECK               = 6
*       WRONG_ACCESS_TO_ARCHIVE       = 7
*       OTHERS                        = 8.

Inserting graphic in SO10

Follow the instructions in OSS note 2918753 – How to insert graphic in SO10.

Changing the editor

Many people don’t like the word tool as editor. It is not precise enough. You can run program RSCPSETEDITOR to change the setting for everybody:

Untick the MS word as editor and press the Activate button.

Relevant OSS notes:

S4HANA security parameter baseline changes

If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.

Questions that are answered in this blog are:

  • Where can I find information on security parameter changes after S4HANA conversion or upgrade?
  • How can I check if the changed security parameter are properly implemented in my S4HANA system?

Security parameter changes S4HANA

OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.

This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.

Checking implementation of security parameter changes in the system itself

After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:

Adding critical objects to the transport check tool

The transport check tool is a very good SAP delivered tool to check sequences in SAP transports. It also has a feature on the import timing.

The option for online import criticality check is not always understood. The power of this option will be explained in this blog.

Questions that will be answered in this blog are:

  • How can I check for critical objects in my transport?
  • How can I filter on the settings per system?

Critical object definition

A critical object is content in your transport that you consider as import for live operations. Examples of critical objects:

  • Indexes (upon import of index of huge table, your system will be very slow or halted)
  • Customer extends of tables (upon import the ABAP code will recompile and all current user sessions using that table will terminate with a short dump)
  • Critical user exits like SAP MV45AFZZ
  • Any other object you think basis team should validate before importing to productive system

Critical object check implementation in target system

In the target system for import (normally user acceptance system and productive system), you have to maintain table /SDF/OI_CRITOBJ in SM30 with the transport objects:

This is the implementation for the 3 checks mentioned above. Notice the use of the * wildcard.

You can take the values from a transport in the SE10 transaction.

This table you need to fill per target system. This enables you also differentiate per system. For your ECC productive system the values can differ from the BI productive system, etc.

Also make sure that the Solution manager user in the managed system has sufficient rights to remotely read this data. See OSS note 2257213 – Authorizations for RFC users for SAP Solution Manager 7.2 SP02 and higher.

Running the critical object check

When you run the transport check tool transaction /SDF/TRCHECK select the option for Online Import Criticality:

This will now start the analysis. If a critical object is found it will show like this:

Double click on the line will give the details:

In this case it reports on a table extend to EKPO table and it shows that EKPO is read intensively.

This should warn you not to import this with many users in the system, but on a quiet time or even when all users locked out of the system.

Set up parallel landscape for upgrades and conversions

When doing a conversion from SAP ECC towards S4HANA you will face a long period where the system is frozen for changes. In most cases business changes still need to continue. For this situation setting up a parallel landscape is a good solution. A parallel landscape might be required for other major upgrades or large data conversions.

How does a parallel landscape work?

How does the parallel landscape work? Initially we have a DEV, UAT and PRD system landscape where transports move from DEV to UAT to PRD system.

With a parallel landscape we install a second development and UAT environment of the same version as the production system. Let’s call them DE2 and UA2.

Now we can start to convert and upgrade the DEV and UAT system to the new target version.

Now 3 development moves are happening:

  1. From DE2 to UA2 to PRD the changes that business is needing (automated support via STMS).
  2. From DE2 to DEV system there is manual synchronization required (dual or double maintenance): all code changes and settings need to be redone (or in some cases even redeveloped).
  3. Transport from DEV to UAT (automated support via STMS): here is where you make your future fixes and developments and move these from DEV to UAT system for testing.

Conflicts between points 2 and 3 often need manual resolution.

At the go-live moment, all transports are imported into PRD from the UAT environment. After live the DE2 and UA2 system can be decommissioned.

Costs of a parallel landscape

Don’t underestimate the costs of a parallel landscape:

  • Your infrastructure for Development and UAT system will double.
  • If you are unlucky you also need parallel landscape for connected systems like BI and SCM.
  • You need basis resources to install, setup, monitor and update the extra systems.
  • More transports to monitor and to keep track of.
  • The double maintenance is a lot of work to be done manually. You need also extra person to keep track of administration that the double maintenance is done properly.

Tooling might exist to help, but in practice it cannot cover too many use cases. So don’t get your hopes too high on them.

Alternatives for parallel landscape

There are alternatives for a parallel landscape:

  • Accept the freeze period
  • Set up an emergency repair box: copy productive system to a special system for emergency repairs only

These alternatives can be an option for smaller landscapes and organizations.