ANST: automated notes search tool

This blog will explain one of the most useful new tools from SAP for finding bugs in standard SAP coding. The ANST (automated notes search tool) is not receiving the recognition that it should get. It is as easy to use as the SNOTE tool.

If you love SNOTE you will also love the ANST tool! Just try it out.

Questions that will be answered in this blog:

  • What is the ANST automated notes search tool?
  • How does it work?
  • Why should I always use this tool before submitting an incident to SAP?

ANST (automated notes search tool)

The ANST tool can help you in:

  • Quickly finding OSS notes for your issue
  • Checking whether your Z code is causing the issue or dump, or whether it is a standard SAP issue

OSS note 1818192 is the ANST FAQ note, which also states the minimum version. This note also has an extensive explanation. The usage description below is just a summary.

OSS note 2605555 also contains an excellent PDF as attachment, which gives a step-by-step manual.

How to use the ANST tool?

Start transaction code ANST.

ANST start screen

If you launch it for the first time you might get the error "ANST001 Fatal Error. Customizing table is not filled". If this is the case, follow the solution steps in OSS note 1909768.

In the transaction code box, key in the transaction where you have the issue. As an example we will use tcode S_BCE_68001417 (search for authorizations by complex criteria). The user admin is complaining about an incorrect number of selected authorizations that are shown in that transaction.

So key in the transaction code and description (you can keep it the same).

Now press execute: the transaction will be called. In the authorization object screen fill out S_DEVELOP and execute again to get the results:

Initial S_BCE_68001417

Now leave the transaction recording.

In the left bottom of the screen you can see the recording being written into the trace file:

Create trace file

Depending on the complexity and the number of screens you have passed, this can take from 1 to 10 minutes.

The result is shown after the trace file. The result is sorted per SAP module. If you open the details, you can also see the exact program blocks that were hit during the recording.

ANST trace result list per module and program block

Now you can select the modules (and, if wanted, specific code blocks) where you think the issue is. After selection hit the Note Search button. The SAP system will now connect to SAP service marketplace and look for the most recent notes for your version which have not yet been implemented.

Note search result

The middle note seems to be very relevant. From this screen you can already link to the note (click on the note number) and start the download to SNOTE.

Tips on the selection of the components:
1. Never select more than 1000 components: ANST will reject this
2. The fewer components you select, the faster you get results, and the shorter the list of potential notes as well
3. If you want you can later retrieve the recording and make a different search on different components: no need to re-record
4. Most of the time you can ignore the basis and cross-application notes
5. Run the recording and the result together with your functional consultant: he can help filter the components and select useful notes

Changing settings for maximum amount of notes

Especially in the basis or core ABAP area you will notice that ANST cannot read more than 1000 notes at once. This is a default setting you can easily change. In the main ANST screen hit the Settings button and scroll to the right to increase the maximum notes number:

Using ANST to analyze short dumps

The ANST tool can be used as well to analyze short dumps. Just start the ANST tool and run the steps including the step where the dump occurs. After the dump the ANST tool will trace the modules including the point where the dump occurs.

Make sure OSS note 2535278 is applied: this contains a bug fix for the short dump case.

Checking for customer code issues

After the trace file is generated and you have searched for OSS notes, there can still be an issue caused by your own customer code. To exclude this (or to check it anyhow), use the button Customer Code from the trace result screen with all the components. Be a bit patient while the tool is scanning for modifications, user-exits, BADI implementations and enhancement spots it came across in the recording.

If you want to analyze implicit and explicit enhancements as well with ANST you must apply OSS note 2408785 first.

ANST clickable demo

SAP has made a nice clickable demo to show you how it works: link to demo.

Use of ANST tool before submitting incident to SAP

Even if the ANST tool does not help you find the correct OSS note for your issue, it can help speed up the solution of the incident by SAP.

If you want to report the issue to SAP as an incident, download the ANST trace file. When you report the incident, mention:

  • ANST tool is used and add the recording
  • Add list of already implemented OSS notes
  • You already checked for customer code

With this information the first line processor will have a quick job assigning the incident to the real issue solvers in Walldorf. This will save you valuable time, since the first line normally comes with a simple list of notes, or runs the ANST tool themselves and then comes with obvious notes.

Increasing the maximum number of objects limit

If you are using the ANST tool on a transaction with many objects (for example ME21n purchase order), you will notice that you cannot search for more than 1000 objects at the same time. Then you have to open a subsection, select a subtree and run the search more than once with different selections. But sometimes one node really expands into more than 1000 objects. In this case, it is best to increase the maximum object limit. In the ANST start screen choose the Settings button; there you can increase the Max.Object counter on the far right of the settings (scrolling required).

ANST max notes search settings

Needless to say, more objects do take more time to analyze. But it is worth the wait.

Relevant OSS notes

Some interesting OSS notes to review:

When analyzing very large transactions, you might face CX_SY_CONVERSION_OVERFLOW dump. For workaround read this OSS note: 2921867 – ANST: Dump “CONVT_OVERFLOW” “CX_SY_CONVERSION_OVERFLOW”.

Other errors and bug fix notes:

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it. Also apply OSS notes 2730525 – Consuming the Note Search Webservice and 2818143 – SEARCH_NOTES- Implementing SOAP Based Note Search.

And: 2829951 – Error while calling ANST Note Search WebService.

ANST for web applications and FIORI

ANST can also be used for web applications and FIORI. See this blog.

Retrieving actual detailed SAP component information

This blog will explain how to retrieve actual detailed SAP component information.

Questions that will be answered:

  • How do I get detailed system component information?
  • How do I download these to compare them across the landscape?

System / Status

The most simple way of getting installation component information is by using the menu System/Status. Then click on the Status details button:

System status details

Now the installed software components and product versions will be shown:

In S4HANA systems, you might not get all the details, or you might get an authorization error. The information display in S4HANA requires extra authorizations for object S_SYS_INFO. The background is explained in OSS note 2658772 – System -> Status: Restriction of the available information.

Getting the details as download

The system status details cannot be downloaded. If you want to compare the software components in detail across your system landscape (sandbox, development, test, acceptance, productive, training etc. environments), you need these details in a downloadable format. With the downloaded data it is easy to compare all details in Excel.

To get the details go to transaction SE37.

For the installed software use function module OCS_GET_INSTALLED_SWPRODUCTS. Execute it and click on the ET_SWPRODUCTS outcome table.

Installed products via OCS_GET_INSTALLED_SWPRODUCTS

For the details on all installation components and support pack status use function module OCS_GET_INSTALLED_COMPS. Execute it and click on the TT_COMPTAB:

Installed components via OCS_GET_INSTALLED_COMPS

In an ECC system this list will be very long. Use the option System / List / Save as / local file to download the complete list in text format.
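
A scripted alternative to the Excel comparison, as an added example (not SAP code and not part of the original blog): it parses the saved lists from several systems and reports every component whose release or support package level differs. The pipe-delimited layout, the column names COMPONENT, RELEASE and EXTRELEASE, and the sample rows are assumptions constructed for illustration; adjust the parser to your actual download.

```python
"""Compare installed-component lists downloaded from several SAP systems.

Assumed input: the text saved via "System / List / Save as / local file",
one pipe-delimited row per component. Column names and sample rows are
constructed for illustration and do not come from a real system.
"""

REQUIRED = ("COMPONENT", "RELEASE", "EXTRELEASE")

# Constructed sample downloads, keyed by system ID.
SAMPLE_DOWNLOADS = {
    "DEV": """
|COMPONENT |RELEASE|EXTRELEASE|
|----------|-------|----------|
|SAP_BASIS |750    |0020      |
|SAP_ABA   |750    |0020      |
|ST-PI     |740    |0015      |
|ZADDON    |100    |0001      |
""",
    "PRD": """
|COMPONENT |RELEASE|EXTRELEASE|
|----------|-------|----------|
|SAP_BASIS |750    |0018      |
|SAP_ABA   |750    |0020      |
|ST-PI     |740    |0015      |
""",
}


def parse_component_list(text):
    """Return {component: (release, sp_level)} from one downloaded list."""
    header = None
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # blank lines and list titles
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(set(c) <= set("-") for c in cells):
            continue  # separator row made of dashes
        if header is None:
            header = cells
            missing = [c for c in REQUIRED if c not in header]
            if missing:
                raise ValueError(f"missing columns: {missing}")
            continue
        row = dict(zip(header, cells))
        components[row["COMPONENT"]] = (row["RELEASE"], row["EXTRELEASE"])
    return components


def compare_landscape(downloads):
    """Return {component: {sid: (release, sp_level) or None}} where systems differ.

    None means the component is not installed on that system.
    """
    parsed = {sid: parse_component_list(text) for sid, text in downloads.items()}
    all_components = sorted(set().union(*(p.keys() for p in parsed.values())))
    drift = {}
    for comp in all_components:
        levels = {sid: parsed[sid].get(comp) for sid in parsed}
        if len(set(levels.values())) > 1:
            drift[comp] = levels
    return drift


if __name__ == "__main__":
    for comp, levels in compare_landscape(SAMPLE_DOWNLOADS).items():
        shown = ", ".join(
            f"{sid}={'/'.join(v) if v else 'not installed'}"
            for sid, v in levels.items()
        )
        print(f"{comp}: {shown}")
```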

Warning: don't rely on the content of table CVERS. In the past this used to be reliable, but currently it is not any more. The warning from SAP not to rely on it is written in OSS note 2464887. The routines above read the PAT03 table, which holds all the installs, and then determine the most recently installed patch to show. S4HANA systems have both table CVERS and CVERS_ACT for activated components...

Retrieving component information via SQF

You can also retrieve the component information via the Support Query Framework (SQF). Start transaction SQF and launch the Installed Components and Support Packages query:

The query runs fast; double-click the line to see the results:

SPAM clean up

In some cases inconsistencies can be removed by running RSSPAM15 (SPAM clean up program). This program does multiple cleanups, part of which is updating CVERS.

SAP GUI patching

This blog will zoom in on SAP GUI patching.

Questions that will be addressed are:

  • Where can I find the latest SAP GUI patch availability status?
  • Where can I find the planning for SAP GUI patches?
  • What should be my SAP GUI patch and upgrade policy?

SAP GUI latest patch availability overview and future planned patches

One of the best places to check the latest available is on the SAP blog: SAP GUI latest patch. This site also contains the planning for the next upcoming patch.

Current SAP GUI support overview

The SAP GUI support dates are published by SAP in OSS note 147519.

Corresponding NWBC backend OSS notes

When patching the NWBC front end, or when using NWBC html client, you should also check for server side corrections. The list of most recent note(s) to be applied is kept in OSS note 1353538 – NWBC -Patch Collection- SERVER SIDE (ABAP)+NWBC for HTML. To retrieve your current NWBC backend server patch version follow the instructions in OSS note 1864151 – How to determine the version and Patch Level of NWBC Runtime Environment.

SAP GUI patching policy

SAP GUI and its patches tend to have very short support timelines. An SAP GUI version nowadays is only supported up to max 2 years after release. The reason behind this: the SAP GUI builds on top of Windows components, which have a very short support cycle.

If your company policy is to always have supported IT software, you will have to plan and execute an SAP GUI upgrade almost yearly to stay within full SAP support. Put it on your yearly budget and execution calendar as a recurring item.

If you don’t want to go into this yearly effort of testing, packaging and deploying the SAP GUI to your end users, you can opt not to, as long as you are aware of the consequences. Just make sure of the following two main items:

  1. Inform your IT management and service managers that you run the GUI without support, and they approve it.
  2. Check with your Windows team that they will still have the libraries on the Windows desktop/laptop that the SAP GUI needs.

SAP system hacking using RFC jump

This blog will explain SAP system hacking using the RFC jump method. It will show the simplicity of the hack, and tell you what to do to prevent this method from being used on your SAP system.

Questions that will be answered:

  • How does the RFC jump SAP system hack work?
  • How do I check all my RFC’s for this weakness?
  • What can I do to prevent this hack from happening on my system?

RFC jump hack background

SAP uses RFC connections between SAP systems to send and receive business data. For example, the BI system will pull data from the ECC system via an RFC connection. The SAP solution manager system is fed from the ECC system via an RFC connection. Another example is an SAP netweaver gateway system serving SAP FIORI tiles.

In the RFC setup the system admin will have to set the connection details and its logon method. The logon methods can be:

  • Current user via logon screen
  • Current user via trust logon screen
  • Fixed user ID: dialog user ID or background user ID

The first method with logon screen will prompt for user ID and password and is not useful for hacking.

The trusted connection will check the rights in the other SAP system using your own user ID and privileges.

The RFC’s with fixed user ID’s will use the user ID and privileges of the user ID in the RFC connection, together with the password entered by the admin. So you don’t even need to know the password.

3 methods of misusing the RFC jump

3 methods of misusing the RFC jump will be explained. All of the scenarios start from an already compromised system.

RFC jump explained

You have gained access to an SAP system, which in first instance is less important. For example by using standard SAP passwords (see blog on this topic).

1. Using the weakness to jump from one system to another: named dialog users in RFC

Now you start to scan the RFC’s of this server in SM59.

RFC with admin password

You notice that there is an RFC to another system which has the user ID and password of the system admin. You now simply click the remote logon button and you jump to the other system.

Remote logon button

You are logged on now into this system with the user ID and privileges of this other user ID. From this system you can even jump further.

This way you could go from a development to productive server. Or from a BI to an ECC server. Or from Solution manager to ECC productive server.

2. Using the weakness to jump from one system to another: named background users in RFC

The jump will not work if the user ID in the RFC is a background user ID. One example here is the ALEREMOTE user in ECC, which is used by the BI system to extract data from ECC. Since this user has to pull a lot of data and needs a lot of privileges, this user ID is sometimes given SAP_ALL privileges.

If this is the case the hacker can still misuse this RFC. In the hacked system he goes to transaction SE37 and creates a test function module sequence consisting of 2 calls: BAPI_USER_CHANGE and BAPI_TRANSACTION_COMMIT.

function modules

The first call will have the input to change the user type of user ID ALEREMOTE from B (background) to A (dialog). The commit is needed to actually confirm and push the change to the database. Once the sequence is set up the hacker will use the test function to fire the sequence. In the test the hacker will put in the RFC with the ALEREMOTE user. Now this sequence will be fired with the privileges of the ALEREMOTE user (it has SAP_ALL). So it will then change its own user type remotely. After this is done the dialog jump will work from the remote system and the hacker comes into the system with user ALEREMOTE and the attached SAP_ALL rights.

3. Using the weakness to jump from one system to another: trusted RFC’s

If you have taken over one system and you see a trusted RFC towards another system this can be misused for hacking.

Trusted connection

But you need extra information. If you know the user ID of the admin in the target system, set up that user ID in the system already taken over, or if it is already there, reset its password. Then log on to the taken-over system with the admin user ID. Go to SM59 to the trusted connection. Click remote logon and you jump to the other system without having to log on, but with the user ID and privileges of the admin.

For setup of trusted RFC’s read this blog.

How to detect the jumps which are misused?

The complexity in detection is not to detect the jumps themselves, because there is also good use of the jumps (via the trusted RFC’s), but to detect the misused jumps. This is hardly possible.

Detection can be done for the user changes executed by background users. Detection could also be done by tracking a terminal ID that suddenly switches user ID.

The SAP audit log can help you find traces of what has happened, as a detective, after-the-fact method. But it will not help you detect or prevent misuse.
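
The two detections named above, plus their correlation, as an added example that is not part of the original blog. The event tuples are a constructed, already-normalised layout (not a real audit log format), and the event names LOGON and USER_CHANGE, the terminal names and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-normalised events (not a real audit log layout):
# (time, terminal, user, user_type, event, target_user)
# user_type follows the blog: A = dialog, B = background.
SAMPLE_EVENTS = [
    ("2024-05-06 09:10:00", "PC-0412", "JSMITH", "A", "LOGON", ""),
    ("2024-05-06 09:15:03", "BI-APP01", "ALEREMOTE", "B", "USER_CHANGE", "ALEREMOTE"),
    ("2024-05-06 09:16:30", "PC-0412", "ALEREMOTE", "A", "LOGON", ""),
    ("2024-05-06 11:02:00", "PC-0777", "MJONES", "A", "LOGON", ""),
    ("2024-05-06 12:00:00", "PC-0100", "ADMIN1", "A", "USER_CHANGE", "NEWUSER"),
    ("2024-05-06 16:45:00", "PC-0777", "KLEE", "A", "LOGON", ""),
]

FIELDS = ("time", "terminal", "user", "user_type", "event", "target")


def load(events):
    """Turn raw tuples into dicts with parsed timestamps, sorted by time."""
    rows = [dict(zip(FIELDS, e)) for e in events]
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])


def background_user_changes(events):
    """User master changes executed by a background user."""
    return [r for r in load(events)
            if r["event"] == "USER_CHANGE" and r["user_type"] == "B"]


def terminal_user_switches(events, window_minutes=15):
    """Logons on one terminal under a different user ID within the window."""
    window = timedelta(minutes=window_minutes)
    last_logon = {}  # terminal -> (time, user) of the previous logon
    hits = []
    for r in load(events):
        if r["event"] != "LOGON":
            continue
        prev = last_logon.get(r["terminal"])
        if prev and prev[1] != r["user"] and r["time"] - prev[0] <= window:
            hits.append((r["terminal"], prev[1], r["user"]))
        last_logon[r["terminal"]] = (r["time"], r["user"])
    return hits


def changed_then_dialog_logon(events):
    """Users changed by a background user that later log on as dialog users."""
    rows = load(events)
    hits = []
    for change in rows:
        if change["event"] != "USER_CHANGE" or change["user_type"] != "B":
            continue
        for later in rows:
            if (later["time"] > change["time"]
                    and later["event"] == "LOGON"
                    and later["user_type"] == "A"
                    and later["user"] == change["target"]):
                hits.append((change["target"], later["terminal"]))
                break  # one hit per change is enough for the alert
    return hits


if __name__ == "__main__":
    for r in background_user_changes(SAMPLE_EVENTS):
        print(f"user change by background user {r['user']} on {r['target']}")
    for terminal, old, new in terminal_user_switches(SAMPLE_EVENTS):
        print(f"terminal {terminal} switched from {old} to {new}")
    for user, terminal in changed_then_dialog_logon(SAMPLE_EVENTS):
        print(f"{user} changed by background user, then dialog logon from {terminal}")
```

The shared terminal PC-0777 stays quiet with the default window because its two logons are hours apart; widening the window trades fewer misses for more noise from shared desktops.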

How to scan your RFC’s for potential misuse?

SAP provides a program to check RFC’s for weak settings: RSRFCCHK.

Running this program will leave system log messages: see OSS note 2724967 - Program CL_SAIS_ Reports Security Breach notification when running program RSRFCCHK.

When you start the program, select all the destinations and optionally the connection test to see if the connections work at all.

RSRFCCHK program

The result will give you a list of potentially dangerous RFC connections and the user ID’s used.

RSRFCCHK program result including connection test

This you can use as a work list for checking.
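
One way to prioritise such a work list, as an added example (not SAP code and not part of the original blog). The CSV inventory is a constructed layout, not RSRFCCHK output: the column names, tier names, destinations and users are assumptions, and the sap_all column is assumed to come from a separate check of the RFC user in the target system.

```python
import csv
import io

# Constructed inventory, one row per RFC destination (not real RSRFCCHK output).
# user_type follows the blog: A = dialog, B = background.
SAMPLE_INVENTORY = """\
destination,source_tier,target_tier,logon,user,user_type,password_stored,sap_all
ECC_PRD_ADMIN,dev,prod,fixed,BASISADM,A,yes,yes
ECC_PRD_BI,prod,prod,fixed,ALEREMOTE,B,yes,yes
ECC_PRD_IDOC,prod,prod,fixed,IDOCUSER,B,yes,no
SOLMAN_TRUST,dev,prod,trusted,,,no,no
ECC_QAS_TRUST,prod,prod,trusted,,,no,no
GW_DIALOG,prod,prod,logon_screen,,,no,no
"""

# Assumed tier names; an unknown tier raises KeyError so it cannot be skipped.
TIER_RANK = {"sandbox": 0, "dev": 1, "test": 2, "acceptance": 3, "prod": 4}
SEVERITY_RANK = {"critical": 0, "high": 1}


def assess(row):
    """Return a list of (severity, reason) findings for one destination."""
    findings = []
    fixed_with_password = (row["logon"] == "fixed"
                           and row["password_stored"] == "yes")
    if fixed_with_password and row["user_type"] == "A":
        findings.append((
            "critical",
            "dialog user with stored password: remote logon needs no password",
        ))
    if fixed_with_password and row["sap_all"] == "yes":
        findings.append((
            "high",
            "RFC user holds SAP_ALL: remove it and assign only the needed rights",
        ))
    if (row["logon"] == "trusted"
            and TIER_RANK[row["source_tier"]] < TIER_RANK[row["target_tier"]]):
        findings.append((
            "high",
            "trusted connection from a lower tier: source needs the same protection level",
        ))
    return findings


def build_worklist(inventory_csv):
    """Return destinations with findings, worst severity first, then by name."""
    worklist = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = assess(row)
        if not findings:
            continue
        worst = min((sev for sev, _ in findings), key=SEVERITY_RANK.get)
        worklist.append({
            "destination": row["destination"],
            "user": row["user"],
            "severity": worst,
            "reasons": [reason for _, reason in findings],
        })
    worklist.sort(key=lambda w: (SEVERITY_RANK[w["severity"]], w["destination"]))
    return worklist


if __name__ == "__main__":
    for item in build_worklist(SAMPLE_INVENTORY):
        print(f"[{item['severity']}] {item['destination']} ({item['user'] or 'n/a'})")
        for reason in item["reasons"]:
            print(f"    - {reason}")
```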

Read more on RFC security checking in this blog.

Protection measures

Protection is possible by a series of actions (a single action will not be sufficient):

  • Access restriction. Restriction of access to SU01 user management and SM59 RFC setup. Not only on main systems, but also on connected trusted systems.
  • Remove SAP_ALL and user rights from background and RFC users.
  • At least yearly scan systems for wrongly setup RFC’s and delete them.
  • Instruct basis team never to put in their own account into an RFC connection.

The toughest misunderstanding is with some security and control teams themselves. They heavily underestimate the danger of the trusted connections. They come with statements like “we focus on production only”, or “that system is not part of our compliance XYZ framework check”.

Basic golden principle:
The trusted system must have the same protection level and control measures as the system it is connected to.

More RFC hacking: RFC callback hack

Next to the RFC attack methods above there is also the RFC callback hack, which uses the back direction to execute malicious actions. Read more in this blog.

Direct table maintenance versus transport

Some standard SAP tables are delivered by SAP as customizing tables with transports, but are logically and business-wise application tables that are maintained directly in production by business people. An example is the currency exchange rate table.

This blog will explain the options and best practices to overcome this.

Questions that will be answered:

  • What are current settings and how does it work?
  • When and how to de-customize a standard SAP table?

Current settings

Current settings is a bit of a hidden feature in SAP systems. Per customizing object you can select whether it uses the current settings option or not.

To do this, start transaction SOBJ and select the customizing object or table. The current setting flag is indicated on the example picture below for the currency conversion rate table:

Direct table updates Current settings

The effect of the Current Settings is as follows: if the system client in SCC4 is set to “Productive” the transport flags are ignored, and the user can directly update the table and save the changes without transport request popup.

On a development or quality system the “Productive” setting is not there and the SAP system will prompt you for a transport request. Especially on quality systems this can be quite annoying.

The current settings is therefore only a solution for tables that you and the business want to maintain directly on production, and not on a development and quality system.

See OSS note 2442887 – SOBJ | How to assign object attribute Current Settings to a maintenance object for a full instruction.

De-customizing a customizing table

If you want a customizing table to be maintainable directly on development and quality systems, without transport request, you have to de-customize the customizing table.

Always ask for approval for the procedure below and document the tables for which this procedure was applied. Depending on your business security and regulatory requirements, more approvals and documentation can be needed.

The de-customization procedure

Step 1 starts with transaction SE11 to call up the table. This you have to do in the development system. In the delivery and maintenance tab the delivery class normally shows as type C (customizing).

Direct table updates Before customizing

Now edit and change it to type A (application):

Direct table updates After application

In most cases this will do the trick. The change itself you have to put in a transport request.

Step 2 would be to re-generate the maintenance view and de-activate the recording routine. This should look as shown on picture below:

Direct table updates check recording routine

This change must also be executed on the development system and must be put in a transport request.

Step 3 is to move the transport request into the quality and later productive system.

Special cases

Below is a list of special cases and exceptions.

CO allocation cycles (KSU1 etc)

Via the procedure described in OSS Note 853601 – “ALLOCATION: Deactivating the automatic transport” you can leave all the allocation tables as-is and don’t need to apply the de-customization procedure or current settings.

RSA1 settings to avoid transport popup for BI objects

Some settings in RSA1, like process chain starters, you want to set locally per system. By default SAP asks you for a transport. In RSA1 you can overrule this. Select Transport Connection on the left hand side. Then select the button Object Changeability on top. In the popup right click on Not Changeable and set it to Everything Changeable for the items for which you don’t want a transport popup to come.

RSA1 local settings

Save your data.

SAP reference: click here.

Set up custom IMG node

As a customer you will sometimes have the need to set up your own customizing tables. These tables you create in SE11 and mark as customizing tables, which means all updates must be done in the development system and are put in a transport. Such a custom customizing table can then be called from your custom programs, user-exits and enhancement points.

Managing these custom tables becomes increasingly difficult over the years. An elegant solution for this is to create your own IMG customizing setup and corresponding documentation. This way you can easily track which customizing custom tables you have and for which reason.

This blog will answer following questions:

  • How to set up a custom IMG customizing tree?
  • How to link the tree into the real SAP customizing tree?
  • How to link the IMG entry to your customizing table?
  • How to document your custom IMG entry?
  • How to deal with issues in SAP IMG?

Preconditions for Z table

Your Z customizing table must have the following to be easily integrated into a customer IMG:

  1. Table has technical delivery class Customizing table
  2. Log Data Changes option is set to true in Technical Settings of the table
  3. Table maintenance generation has been done and table can be maintained in SM30

Setting up the custom IMG node as part of the SAP reference IMG

SAP has two ways of setting up extra IMG nodes:

  1. Via transaction S_IMG_EXTENSION
  2. Via transaction SIMGH

Best way is via S_IMG_EXTENSION. After an upgrade IMG is renewed and SAP might overwrite your own entries. When using the S_IMG_EXTENSION option SAP puts your entries aside and you can re-merge them after the upgrade.

After starting S_IMG_EXTENSION, you come into an empty screen. First you select the main IMG structure “SAP Customizing Implementation Guide” you want to enhance.

Next you need to create a custom Enhancement ID by clicking on the empty Enhancement ID search help. On the subsequent search screen click the Create button:

Custom IMG create enhancement ID

Attention: put the Enhancement ID generation into a real transport and not into $TMP.

Tip: after selection of the IMG structure node put it into your favorites list:

Custom IMG set favorite

On the main screen you now can select the new Enhancement ID. Then pushing the Enhance Structure button will bring you to the change screen of the IMG structure.

In here you select the node position where you want to add. Then select to add a structure node:

Custom IMG create new folder

The node is nothing more than a menu entry. You can add nested ones as well. Give the node a good descriptive name.

After the creation of the node, select it. Now you can add an activity as subnode.

On the first screen of the creation of the subnode you have to give the node an ID and a name. On the assigned documents you also give the document a name.

Custom IMG create new entry first screen

If you push the Create button you go to the maintenance of the IMG node help text:

Custom IMG custom help text for IMG node

This is the place to document the reason of your extra customizing table, how to fill it, and for example list all the user-exits and enhancement spots from which the table is called.

On the Maint.Objects tab we finally can link the real table.

Custom IMG img node to customizing table

In the customizing object enter the Z table (in this example case the Z table is called ZZCUSTLINK). For maintenance type use SM30.

Save this entry and save the changes to the tree enhancement and you are done.

End result

Start the normal SPRO transaction and you can have a look at the end result:

Custom IMG end result

You can launch your customizing and see your documentation.

Tip: do spend time on listing your tables into chapters and also spend time on the help text. This can save you lots of time. After 6 months, you normally would not remember the peculiar things of this Z table, why it was needed and how it should be used. You will be happy then that you properly documented it.

Using the custom IMG in customer generated project IMG’s

Some customers create their own project IMG based on the standard SAP IMG. Initially your custom IMG extension only shows in the standard IMG and not in the customer project IMG. To include the custom IMG into the customer project IMG start transaction SPRO_ADMIN. Go to the Scope section and click the Specify scope button. Now include the newly generated custom IMG objects:

Custom IMG include in customer IMG spro setup

After this is done, the Generate Project IMG button must be pushed to actually update the project IMG with your changes.

How to deal with issues in SAP IMG?

In some cases SAP IMG has issues, such as missing nodes or unexpected entries. In most cases a corresponding OSS note can be found.

A common case is, for example, after installation of Event Management: standard SPRO is pointing to SCM instead of Event Management.

In this case (and other cases) you can apply the solution from OSS note 2197261. In the attachment of this note you find program ZSLA_SHOW_REFERENCE_IMGS. Install it and run it.

ZSLA_SHOW_REFERENCE_IMGS

Use the correct TREE_ID in transaction SCUSSEQUENCE to make this one the preferred IMG:

Tcode SCUSSEQUENCE

SCI: setup custom checks

The SCI tool is great for analyzing custom code based on SAP delivered checks. For specific reasons you might want to build in your own specific checks that cannot be set up using the out-of-the-box SCI tool.

This blog will answer following questions:

  • When to set up a custom check and when not?
  • How to set up a custom check?
  • How does my check show up in the SCI and ATC results?
  • How to document the checks so it really fits into the standard framework?
  • How to influence the behavior of the checks and the settings for the checks?

When not to set up a custom SCI check?

If you want to do one of the following things, don’t set up a custom check:

  • Change the priority outcome of a check (example from warning to error): use the option to change message priorities for this.
  • Search for a specific string: use the Search functions options in SCI (they can even search through comment blocks)

How to set up a custom SCI check?

Setting up the new category

The first thing to do is to set up a new category. This will act as a placeholder for your checks.

To do this go to SE24 and copy the example class CL_CI_CATEGORY_TEMPLATE to your own Z implementation.

Custom SCI copy category

In the copy go to the CONSTRUCTOR method and adapt the description to your needs:

Custom SCI category change constructor

Important here is not to forget to double click on the 000 message and to create the message text: from here the framework will read the description. The quoted description is just for yourself to be able to read the code better.

Implementing the check

Per check you want to have, you need to have an implementation. There are two options here:

  1. Copy one of the two templates (CL_CI_TEST_ROOT_TEMPLATE or CL_CI_TEST_SCAN_TEMPLATE)
  2. Copy one of the existing SCI checks (they all start with CL_CI_) that already resembles the check you want, and modify where needed to make it your own check

The second option is easier to start with.

Hint: first take a good look at the Attributes of an existing check. Some have none (simple check), some have a few tick boxes, and for some you can have a full multiple selection as input. By using a multiple selection which you can fill in the SCI tool, you can avoid hard coding of your checks.

After the copy is done you have to go to the CONSTRUCTOR of your own check:

Custom SCI check change constructor

Important here is not to forget to double click on the message and to create the message text: from here the framework will read the description. The quoted description is just for yourself to be able to read the code better.

The CATEGORY has to refer exactly to the category class you have already created.

On the class level attributes make sure the always present attribute C_MY_NAME has the initial value of the class name of the check you have made.

Custom SCI check attribute fields

Depending on the source check class or template you have copied, more constant attributes need to be checked or changed.

The actual implementation of the check is to be done in the RUN method. The advantage of copying a template or an existing check will be obvious in this part, since the complex coding of scanning through source code or fetching other elements like table attributes is already there. You just need to modify when you want a check to fire.

Firing a check happens within the RUN method by invoking the INFORM method. This can be invoked as many times as needed. If not invoked then the check is passed (result zero).

The inform will pass the following to the SCI report tool:

  • Name of the test (your Z test set in the C_MY_NAME constant attribute you set above)
  • Point to the code line and statement where your check fired off
  • Severity level (error, warning, information)

Activating your category and check

To activate your category and check go to transaction SCI and select the menu Code Inspector / Management of / Tests.

Your tests will be at the very bottom since they are Z checks.

Activation of both category and check will not work in one shot.

First activate the category by selecting it and pressing Save. Next activate the custom check by selecting it and press Save.

Custom SCI check activation

The text in the description is taken from the text element in the DESCRIPTION that you have made in the CONSTRUCTOR.

Testing the check

After the activation the test is available in SCI. You can make a new SCI variant for testing your check. Write a small test program where you are sure the check will fire off. Then run the SCI tool with your check variant to see that your check fires off properly. Now solve the issue and rerun the SCI tool to make sure the check does not fire off any more.

Embedding in SCI and ATC

If your tests all have passed, don’t forget to activate your check in your global SCI variant.

By updating the global SCI variant used in the ATC tool, your check is automatically done as well in the ATC global and local runs.

Finalizing the checks by proper documentation

To make your check look like standard SAP ones you need to spend some time on online documentation of the checks.

First start to document your custom check. To do this start transaction SE61 to create the help text. Switch the Document Class field to Class attribute. Then in the document field put in your Z class for the custom check and for attribute fill out 0000.

Custom SCI help text creation screen

Press create and enter your specific help text:

Custom SCI help text for detailed check

Hint: copy text from a standard SAP help text that you like: this saves you a lot of time on the layout.

Save and activate and your help text is done.

Now you can set up the help text for your own category.

The basic principle of the help text is the same, but now you want to hyperlink in the category text to the detailed check help text. This is a bit tricky if you don’t know how. To do this select the menu entry Include / Link. The following screen will appear where you can search the referenced check and set up a text for the description:

Custom SCI help text insert link to previous

The end result in the editor is a bit ugly, since the nice input screen above is translated into technical terms:

Custom SCI help text for complete checks class

In the category help text you can now list all your checks in this way.

End result in the SCI tool help icon will look like this:

Custom SCI help text end result

The detailed check appears light blue like hyperlink: and it is! If you click it you jump from the category help text straight to your custom check help text.

How to activate the attributes?

You can have attributes for your own check which you can fill out on the SCI screen, and that will be passed to your test.

For this feature to work, you must do following:

  • Set the HAS_ATTRIBUTES flag to true in the CONSTRUCTOR
  • Implement the IF_CI_TEST~QUERY_ATTRIBUTES method to define the attributes (tick boxes, fields, multiple selection options) and the text of the attributes
  • Implement both the GET_ATTRIBUTES and PUT_ATTRIBUTES methods

Hint: by copying the right SAP SCI check class that resembles your wanted check, you will also copy the elements above. You just need to modify them to your own needs.

ATC: managing your complete custom code base

This blog will explain how to use the ATC tool to manage your complete custom code base. The name ATC is a bit misleading: officially the name is ABAP Test Cockpit, but the tool has nothing to do with test management. It is a code profiling tool.

This blog will answer questions like:

  • How do I scan my complete custom ABAP code base for issues?
  • Can I scan custom ABAP code for a complete project?
  • What is my state of quality of my complete ABAP code base?
  • The SCI SAP code inspector is nice, but how can I enforce it?
  • How can I use ATC in the peer review process?
  • How can I prevent an ABAP workbench from being released if the coding is not ok?
  • Does the ATC tool replace a peer review?
  • How do I organize the implementation of the ATC tool in my organization?
  • How is ATC used in S4HANA migration?

Setting up the ATC tool

Setting up the ATC is quite simple. Just launch transaction code ATC:

Then choose the Configure ATC entry on the screen.

The ATC tool runs on top of the SAP code inspector (SCI). This must be setup first. Choose the variant you have created here as Global Check Variant.

To enable peer review set ATC exemptions to Yes.

If you want to integrate ATC with transport system: set the behavior on Release to either information or error. Be aware that if you set this setting to Error, the transport mechanism will run the ATC tool and will completely block release and transport if any prio 1 or 2 item is found! Only when the issues are solved or exempted, the transport will be released.

This is a great feature for enforcing code standards, but do not switch it on until you have some experience with the ATC tool and your developers are used to the process. Switching it on should also be clearly communicated to the basis team and all consultants working on the system. They should be aware of the block they will hit when releasing a transport in SE10 (the description of the block is a bit cryptic):

Running the ATC tool

The ATC tool can be run in two different modes:

  • Globally by development lead for complete custom code base
  • Locally by developer for one or more of his objects

Running ATC tool globally

To run the ATC tool on all custom code you need to select the Schedule Runs in the ATC tool menu.

Before you can run the tool, you have to create a Run variant. In the setup of this variant it is very important to select the right packages. For custom code only put in Z* in the package selection. If you have projects doing development in separate packages, it is possible to setup a dedicated project variant for that Z project package only.

If you have chosen to use the exemptions and allow pragma’s to be used by the developers, do check the help text in Handling of pragma’s carefully before making a selection.

After the variant has been created, you can now select it and press the Schedule button:

In the next screen, before hitting execute, please make sure you have checked the number of processes against your system hardware. The default value of 10 is pretty aggressive and assumes a large development system. Use transaction SM50 to check the number of dialog processes on your system. Do not fill in more than half the number of DIA processes your system has. If you do, you might find an angry basis admin at your desk asking you why you are completely filling up your system….

After execution starts, a batch job is triggered, which will fire off as many dialog processes as you have indicated. The amount of time the job takes depends on:

  • Amount of Z code in your system and selected in your variant
  • Amount of processes chosen and infrastructure power you have
  • Using HANA or not (complete code base scanning on HANA runs amazingly fast: full code base of 1000 Z objects with 10 parallel processes can finish under 10 minutes. Running same on slow non-HANA system can run over 8 hours in the night.)

You can use the ATC run monitor to see if your run has finished:

Result of ATC run

When the run is finished go to the Manage Results entry in the ATC menu.

Here you can see the results and the statistics of the results of your run.

If you are working in an agile devops environment this overview screen is very nice. If you run the ATC tool daily or weekly, this can immediately provide you with the needed code quality KPI statistics for the ongoing sprint.

If you select the run results you get a list sorted by priority. Selecting one of the findings will give you the details of the finding (code position, explanation of the reason for the finding):

Double clicking on the object name will immediately jump you to the code program point where the finding is found.

Running the ATC tool locally

The other option is to run the ATC tool locally. In each editor you can call Program/Check/ABAP test cockpit to run the ATC for your specific program.

If you work in Eclipse, you can also run ATC by selecting Run/Run as/Abap test cockpit.

Fixing ATC issues

The easiest way of fixing ATC is simply taking away the root cause. In some cases this simply isn’t possible. Reason can be: you have to select data without full key and ATC is detecting this as error. If agreed upon, you can use the corresponding pragma to suppress the finding in the results. Best practice here is to add a comment line why the pragma was used.

Another sample program:

REPORT zpragma.

DATA: zgs_mara TYPE mara.

* need all for demo, suppress with pragma
SELECT MATNR FROM mara INTO zgs_mara. "#EC CI_NOWHERE
ENDSELECT.

The corresponding ATC result looks like this:

As you can see the error for having no selection clauses is not shown. It is suppressed with the #EC CI_NOWHERE pragma.

The ATC is still throwing issues: there is no check on SY-SUBRC. If needed the ATC tool suggests to use the #EC CI_SUBRC pragma.

Practical use of pragma’s

Whether you allow pragmas or not is up to you. The ATC result list can be configured to simply ignore the pragmas. Best practice is to allow the use of pragmas, but to demand a comment line with an explanation. Some pragmas (like the previous example of not checking sy-subrc) you might suggest not using at all.

Apply OSS note 3088590 – ATC: Offer default option to handle pseudocomments and pragmas to set default options for pragma handling.

Use of exemptions

If the issues in ATC cannot be solved by changing the code or using the pragma, the last resort is to request an exemption.

This can be done on the detailed screen of the ATC finding:

Upon requesting the system will ask you to fill out why the exemption is needed:

The approver needs to be configured in the ATC overview screen. Only the exempters in that list will be shown here.

Unfortunately the ATC tool forces you now to enter a fixed name here. You cannot send the exemption to the group of approvers.

Judging the exemption

If the admin allows mail to be set up on your development system, you are lucky and get a mail (if configured in the ATC main configuration screen). If not, you either have to check regularly or ask the developers to tell you when they have submitted an exemption.

In the ATC main screen select the Exemption Browser and select the exemptions for which you are the approver:

You get a list of items for you to approve, reject or return to the requester.

Again here: if you don’t have mail system, send a signal to the requester that you did an action.

Dealing with old ABAP code

If you have to perform a change to ABAP code that is created before you implemented the ATC tool, the tool might highlight a lot of issues that are in the old section of the code. Should you fix these issues as well? This depends on the size of the coding and the organizational agreements you make. Typically if the coding is very small (user exit with 20 lines) it is common just to fix it. If the coding is large, best practice is to ignore the findings of the ‘old’ code: it is simply too dangerous and too much work to fix it. Or you can work with the baseline option (see this dedicated blog).

ATC tool versus peer review

The ATC tool does not replace a peer review. It is a tool to speed up the peer review, since the tool takes away the burden of the more technical checks like naming conventions, checks on the use of SY-SUBRC, whether hard-coded texts are replaced by text symbols, etc.

Peer review tasks that cannot be done by the ATC tool:

  • Judgement if the development itself makes any sense
  • Judging use of comment lines (sufficient?)
  • Judging if the coding is structured in readable way: future maintenance can be done easily
  • Correct use of pragma’s
  • ….

Implementation of the ATC tool in your organization

The ATC tool can be implemented in every organization.

Steps to do:

  1. Organize your code standards: have them documented and approved. This is the basis for the setup of the SCI variant you want to run in the ATC tool.
  2. Deploy the SCI tool in your developer community and make sure they understand and run the tool consistently. This is also the time you can fine tune the outcomes of the SCI tool.
  3. Now setup the ATC tool without Exemptions and without transport block. First run the tool globally only yourself to see and understand the ATC tool results and statistics. This will get you a feeling on how long the tool runs on your system and how many exceptions it will report.
  4. Consider if you want to use the pragma’s fully, partially or not.
  5. Set up the Exemption users and organizational agreements (like dealing with old code).
  6. Start to communicate the use of the ATC tool to your developers. If you didn’t think about the pragma’s and the exemption process you will very soon receive many questions from the developers.
  7. If the ATC process with exemptions is running stable, if you want you can now turn on the transport block to avoid any bad code from being released.

From step 1 to step 7 can take several months depending on the speed you can organize, agree and communicate the usage of the standards and tools. Don’t rush it without having the proper communication and organization.

Reorganization of ATC data

If you have large custom code base and run ATC often, the results table SATC_RT_RUN_EXE might get large and your system admin might complain to you about it. If this is the case you can schedule clean up program SATC_AC_REORG_REPOSITORY on weekly basis.

Running ATC central for more systems or against older versions: remote ATC

If you want to run ATC centrally for more development systems, or against an older SAP version not yet enabled for ATC: please read this blog on remote ATC.

ATC settings logging

The ATC setting changes are not logged. The logging is needed if you have a large crew of ABAP developers and apply the rules strictly (for example if you use the option to give an Error on transport release with ATC). To achieve this, switch on table logging for table TRCHECK.

Scope of ATC

ATC is capable of analyzing ABAP code.

For analyzing Smartforms, please make sure you have implemented the OSS notes listed in note 2715684 – Smartforms are not being checked by ATC.

For analyzing Adobe forms, please make sure you have implemented the OSS notes listed in note 2617401 – ATC: Enable ATC Checks for Adobe Forms.

It cannot analyze AMDP code. See OSS note 3086517 – AMDP method not checked by ATC.

S4HANA custom code migration

The ATC tool is a cornerstone tool in the S4HANA custom code migration. For more information, read this dedicated blog.

Running ATC on standard SAP or addon

For running ATC on standard SAP or on an addon, follow the instructions in this blog.

ATC bug fix OSS notes

ATC bug fix OSS notes:

SCI: SAP code inspector

SAP code inspector is a SAP delivered tool to quickly inspect your custom built ABAP code.

This blog will answer following questions:

  • Why use SAP code inspector?
  • SAP code inspector versus other source code scanner tools
  • How to setup SAP code inspector?
  • Which SCI checks are recommended in general?
  • Which SCI checks are a must do for S/4 HANA readiness?

Why use SAP code inspector?

SAP code inspector can be used by both ABAP developer or customer who has outsourced ABAP development. The SAP code inspector will check custom ABAP code for:

  • Potential performance issues
  • Potential usability restrictions
  • Robust programming checks
  • Use of ABAP code naming conventions
  • Scan for certain statements if wanted

The code inspector has been given a big boost by SAP in the last few years, since it has become the primary tool to prepare custom ABAP code for S/4 HANA.

SAP code inspector versus other source code tool scanners?

Several major IT parties have setup their own custom build source code inspector tool. In the past these tools could deliver source code scanning functions that SAP did not provide in SCI.

With the improvements done last years on preparing ABAP code for S/4 HANA the SCI tool is now so mature that there are almost no checks missing any more.

The drawback of other source code scanner tools is their lack of integration with the SAP development tools (SE38, SE80, SE24, SE37, Eclipse ADT, etc).

How to setup SAP code inspector?

Setting up SAP code inspector is quite straightforward. Start transaction SCI and you come to the main SCI screen.

In this main screen go to the part for Check Variant. Give it a name and make sure that the icon next to Name is switched to global variant as is shown in the screenshot:

Now press create and the empty variant screen is shown.

By clicking on the i icon you can get detailed information on the checks.

By default no checks are active and you have to select which checks are relevant for you.

Let’s go over a few important ones.

Make sure the performance checks are on:

Under Syntax Check make sure the classical SLIN extended program checks is switched on:

In the robust programming section switch on the SY-SUBRC handling. Here you have to take care (as do some other checks) to fill out the details (click on the green multiple selection symbol):

Finally (this is optional) you can also set the ABAP naming conventions:

Setting the variant as DEFAULT SCI variant

If we want to run the SCI tool from the code editor, the variant DEFAULT is used. This is a different variant than the one we just created. To point the SCI tooling to our own created variant, go to tcode SE16 and edit the contents of table SCICHKV_ALTER:

In the CHECKVNAME_NEW enter the name of the created SCI variant.

Running the SCI tool

The SCI tool can be run from different places. You can run it from tcode SCI itself by entering object or transport there. Or you can run it from code editor and selecting the menu Program/Check/Code Inspector.

Let’s use this sample program:

REPORT zscidemo.

DATA: zlt_vbak TYPE TABLE OF vbak.
DATA: zls_vbak TYPE vbak.

SELECT * FROM vbak INTO TABLE zlt_vbak.

LOOP AT zlt_vbak INTO zls_vbak.
  WRITE: / zls_vbak-vbeln.
ENDLOOP.

And now we run code inspector. Results:

The result shows 3 aspects:

  1. Use of SELECT * on large table
  2. SY-SUBRC is not handled after the read: this is correct and should have been done
  3. Naming conventions of variables are not according to settings

After the run the developer can repair the items and rerun as much as needed.

SAP SCI will determine the severity of the found issue into Critical (error/red), Warnings (yellow) and Information (green).

Fine-tuning the SCI message priority

For several reasons you may want to fine-tune the SCI message priority. Some checks you regard as less important than SAP does, and some checks you regard as more important than SAP rates them in the SCI standard settings.

If you are in the main SCI screen choose the menu entry Code Inspector/Management Of/ Message Priorities, you come to the screen to adjust and fine-tune the priorities:

The example shown is the increase of the check from warning to error (yes, it is still the German Fehler) for the omission of the SY-SUBRC check after a direct database update.

SCI tool and S/4 HANA migration

When you are in the process of migrating or thinking to migrate to S/4 HANA, then the SCI tool checks play a central role in preparing the custom ABAP code.

In OSS note 1912445 – “ABAP custom code migration for SAP HANA – recommendations and Code Inspector variants for SAP HANA migration” SAP explains the details of the 2 newly delivered SCI variants.

You can run these new variants specifically, but it is best to already incorporate these checks into your existing SCI main variant. Even if you don’t plan to upgrade, the checks are good anyhow.

Most important highlights:

  • Mandatory use of ORDER BY or SORT BY (this check is vital: if not done it can even cause functionality issues!)

  • Unsecure use of FOR ALL ENTRIES (if not checked if table has entries, ALL database entries will be read, which causes both functional issues and kills performance)

  • Don’t use SELECT * (code will work, but in HANA this is a performance killer)

  • Checking for database hints (you rarely see this in custom code, but if done code will not properly work after migration)

This last check is bit hidden: open the multiple selection and in the details make sure Native SQL and DB hints are checked on.
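
The sample program zscidemo from earlier, reworked so that the findings listed above no longer fire: explicit field list instead of SELECT *, SY-SUBRC handling, ORDER BY or SORT, and a guarded FOR ALL ENTRIES. This is an added example, not code from the original blog; the report name, the selection on ERDAT, the read of VBAP and the lt_/ls_ naming prefix are assumptions for illustration.

```abap
REPORT zscidemo_fixed.

* Only the columns that are really needed (no SELECT *)
TYPES: BEGIN OF ty_order,
         vbeln TYPE vbak-vbeln,
         erdat TYPE vbak-erdat,
       END OF ty_order,
       BEGIN OF ty_item,
         vbeln TYPE vbap-vbeln,
         posnr TYPE vbap-posnr,
         matnr TYPE vbap-matnr,
       END OF ty_item.

DATA: lt_order TYPE STANDARD TABLE OF ty_order WITH DEFAULT KEY,
      lt_item  TYPE STANDARD TABLE OF ty_item WITH DEFAULT KEY,
      ls_item  TYPE ty_item.

PARAMETERS p_erdat TYPE vbak-erdat DEFAULT sy-datum.

* Explicit field list, WHERE clause and ORDER BY: the result order
* no longer depends on how the database happens to return the rows
SELECT vbeln erdat FROM vbak
  INTO TABLE lt_order
  WHERE erdat = p_erdat
  ORDER BY vbeln.

* SY-SUBRC is handled after the read
IF sy-subrc <> 0.
  MESSAGE 'No sales orders found for this date'(001) TYPE 'S'.
ENDIF.

* FOR ALL ENTRIES only with a filled driver table: with an empty
* lt_order the WHERE condition is dropped and ALL items are read
IF lt_order IS NOT INITIAL.
  SELECT vbeln posnr matnr FROM vbap
    INTO TABLE lt_item
    FOR ALL ENTRIES IN lt_order
    WHERE vbeln = lt_order-vbeln.

  IF sy-subrc = 0.
    " FOR ALL ENTRIES gives no guaranteed order: sort explicitly
    SORT lt_item BY vbeln posnr.
  ENDIF.
ENDIF.

LOOP AT lt_item INTO ls_item.
  WRITE: / ls_item-vbeln, ls_item-posnr, ls_item-matnr.
ENDLOOP.
```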

For more details see the blog on S4HANA readiness 2.0 and the blog on setup of S4HANA custom code adjustments.

Checking your complete Z code base

If you want to check your complete Z code base or a larger block for a project, you can use the ATC tool. The ATC tool uses the SCI checks to analyze large blocks of Z code.

Check variant update

In SCI use the menu option Utilities and Import Check Variants to update your check variants. More background in OSS note 2948146 – SCI/ATC check variant is different between systems.

Checking addons and standard SAP

To check standard SAP code or addon ABAP code, follow the instructions in this blog.

Extra custom checks

If you need extra checks in SCI, you can use ABAP code to build your own custom checks. Please follow the instructions in this blog.

Running SCI on standard SAP and addons

If you need to run SCI on standard SAP and/or addons, you will find this is not possible. Follow the trick in this blog to have it done anyhow.

Bug fix OSS notes

List of bug fix OSS notes:

Aftercare for SAP upgrade or support package

This blog will explain the normal aftercare that needs to happen after an SAP system is upgraded or has been patched with support packages.

Questions that will be answered:

  • What is the normal processing sequence in SPAU?
  • What is the new SPAU_ENH transaction?
  • Which aftercare is needed when using embedded search via TREX or HANA?
  • Which aftercare is needed for the authorization team?
  • What are the general sanity checks after an upgrade?
  • How to regenerate SAP_ALL and SAP_NEW?
  • How can I check for new or altered security parameters?
  • What other things to do after upgrade?
  • SEGW issues after upgrade, how to solve them?

SPAU processing

For extensive explanation on SPAU, read the dedicated blog. The below is a summary.

When starting transaction SPAU in a netweaver 7.50 or higher system the screen will look as follows:

First thing to do is to hit the Reset OSS notes button or Prepare OSS notes button (the name can differ bit per version):

This will download all OSS notes again and automatically mark the obsolete ones and will remove them from the list. Wait until the batch job doing this job for you is finished. This will save you a lot of time.

In a 7.50 or higher system look at OSS note 2532229 that solves a bug with notes in adjustment mode.

Second step is to process all the OSS notes. Don’t start the other activities until the OSS notes are done.

Third step is to process the tab With Assistant. Only when this is done continue with the tab Without Assistant.

The steps Deletions, Migrations and Translations are optional, but best to do as well. Deletions can be many, but here you can select all and reset to SAP quite quickly.

SPAU_ENH to process enhancements

Often forgotten is the post processing with transaction SPAU_ENH.

If SAP has made changes in enhancements, conflicts with customer implementations can occur. SPAU_ENH will list them, and you can process them. If this is forgotten, the customer implementation might not be called, which can lead to functionality giving errors.

In rare cases you will need to regenerate the enhancement spots via program ENH_REGENERATE. See OSS note 2507482 – ENHO: After System Upgrade, BADI_SORTER for BAdI Implementation is not being triggered:

RTCCTOOL post processing

After any upgrade/support package the basis person must run the RTCCTOOL program. This will check and list any needed updates.

In almost all cases the actions behind the button Addons&Upgr must be triggered by the basis person.

DMIS plug in OSS notes

If you are using the DMIS plugin for SLT, then you need to run the DMIS note analyzer program(s) again after the support package or upgrade. More information: read this blog.

Scenario | Report name
Object Based Transformation (OBT) | CNV_NOTE_ANALYZER_OBT
ABAP Integration for SAP Data Intelligence (DI) | CNV_NOTE_ANALYZER_DI
S4HANA Migration Cockpit (MC) | CNV_NOTE_ANALYZER_MC_EXT
SAP Landscape Transformation (SLT) Replication Server | CNV_NOTE_ANALYZER_SLT
Near Zero Downtime Technology (NZDT) | CNV_NOTE_ANALYZER_NZDT

Embedded search post processing

With an upgrade or support package SAP will deliver new improved versions of the embedded search models. If you are using embedded search you have to do post processing to make use of these new improved versions.

By default SAP will keep using the old model to make sure the search function keeps working. The basis administrator can then update the search models at their convenience.

To update start transaction ESH_COCKPIT:

Then from the Other drop down select the option Model modified:

Note: if there are no Model modified present, but you do get the message like "update in background started", then wait until the model update background job is finished. This job can take long time. If finished restart tcode ESH_COCKPIT again.

Select all to be updated (or in case there is a lot a subsection). Then select from Actions menu the Update option:

Then you have to wait (a lot). Even on HANA this will take a long time.

You might get a message that you yourself are locking the update process: in this case, wait until your processes in the background are done (SM66 monitoring) and then try again, or use smaller selection.

Alternative is to delete the search model after the upgrade and redo completely. For setting up search model in S4HANA read this dedicated blog.

Authorization post processing

With any upgrade or support package SAP will deliver new authorization objects. These need to be handled as well.

Regenerate SAP_ALL and SAP_NEW

SAP_ALL needs to be regenerated. This can be done simply by starting transaction SU21 and hitting the Regenerate SAP_ALL button:

See also SAP note 410424 – Customizing for generation of profile SAP_ALL.

SAP_NEW can be regenerated with program REGENERATE_SAP_NEW:

Regenerate SAP_NEW

See OSS note 2606478 – REGENERATE_SAP_NEW | bridging authorizations for input helps.

SU25 profile generator post processing

The authorization team needs to do post processing in the SU25 transaction to update profile generator.

Upon starting this transaction after the upgrade or support packages it will prompt you for having checked OSS note 440231 (SU25 preparation FAQ note).

Do download the most recent version (redownload the OSS note!) and read the content. The note cannot be applied automatically (it will say cannot be implemented). This is because it is a FAQ note. If you open the content scroll to your version and check the OSS notes. Make sure the notes listed there are applied to your system before continuing with SU25.

Then startup SU25 again and process steps 2a, 2b and 2c:

More background information can be found in SAP note 440231 – SU25 | FAQ: Upgrade postprocessing for Profile Generator.

Standard SAP job updates

After any SAP support package or upgrade, SAP will improve and/or change the standard clean up jobs.

To pick up these changes: go to SM36 and click the button Standard Jobs. Then select the Default Scheduling job. The system will then tell you which jobs will be stopped (no longer needed), which will be changed and which new jobs will be planned. See also the technical clean up blog.

For S4HANA standard jobs, read this blog.

Update of IMG nodes

If you use custom IMG nodes, you have to re-integrate your node into the main IMG using transaction S_IMG_EXTENSION. For more information see the blog on setting up custom IMG nodes.

Updating requirements and formulas

After an upgrade or support package the requirements and formulas might need to be regenerated via program RV80HGEN. More details: read this blog.

Updating ABAP where used list

After an upgrade or support package the ABAP where used list must be regenerated again. Read this dedicated blog.

General sanity checks after an upgrade

The basic sanity checks after an upgrade actually start before the upgrade!

Before the system is being upgraded, you should check following items:

  • ST22 short dumps
  • SM37 batch job failures
  • SM13 update failures
  • SM59 RFC failures
  • SM21 system log issues

If you check this at regular intervals before the upgrade you get a good mental picture (you can also take screen shots before the upgrade) of the issues already present in the system.

After the system upgrade and/or support package you check these items again. Because you checked before it is easy for you to see and filter out new items. New items can be analyzed for solution (can be SAP note that is needed, custom code that is not properly updated, changes in functionality, etc).

SGEN code generation

After support pack or upgrade you can use transaction SGEN to generate all ABAP code (standard SAP and custom) and check for errors in code generation. More information in this blog.

SEGW issues on standard SAP after the upgrade

In the past you could solve SEGW FIORI ODATA exposing issues directly in the system. Now SAP has forbidden this. See OSS notes 2734074 – Editing of standard SEGW projects for customers is blocked and 2947430 – Editing Standard OData Service Project throws error: Editing Prohibited SAP delivered projects cannot be edited in your system. The emergency workaround is described in OSS note 3022546 – In Transaction SEGW, Error ‘SAP delivered projects cannot be edited in your system’ is encountered during change of the OData Project PS_PROJFIN_MNTR.

Check for new or altered security parameters

After a support pack most security parameters remain the same. After an upgrade you need to check for new or altered security parameters. For an S4HANA upgrade there is a special note and program to quickly check for new and altered security parameters, including the SAP recommendation: read more in this blog.

Other things to do after an upgrade

After an upgrade you can scan and check for new or enhanced functions you can use.

Examples to check:

  • Update the SCI variants delivered by SAP (see blog)
  • SAP audit logging will deliver new checks, but these are deselected after the upgrade
  • If using enterprise search: check if SAP delivered new search models that might be interesting for the business