Author: saptechnicalguru

Table logging

Table logging captures all table changes. This blog will answer the following questions:

  • How to activate table logging in general?
  • How to check if for specific table the logging is active?
  • How to check table changes for a specific customizing action?
  • How to check general table change?
  • How to delete table logging?
  • When not to use table logging?
  • How can I review table logging for audit purposes?

Table logging activation

In RZ11 system parameter Rec/Client determines the table logging for the complete system. Make sure the value is set to ALL.

See also OSS note 2437986 – SCU3 | How to enable logging in the system. And explanation note 3000730 – Impact on enabling table logging with profile parameter rec/client.

As of new S4HANA 2021 installations or upgrades the activation is done by default: 3093760 – Table Data Change Logs In ABAP Platform.

Table logging per table

In transaction SE11 enter the table you want to check and then go to the technical settings. As example table T000:

At the section Data Changes you can see that Log Changes has been activated.

Mandatory table logging

In OSS note 112388 – Tables with obligatory logging the mandatory table logging is explained. Which tables are logged is explained in OSS note 2543478 – SCU3 | Which tables are logged?.

How to view table changes?

The common way to view table changes is via transaction SCU3. At the start screen press the button analyze logs:

In the next selection screen enter the table to analyze. In this example we analyze table T000:

Make sure to set the radio button to Tables. Output of the changes to table T000 then looks as follows:

Here you can see changes done by user ILLEGALUSER. At which date and time they were done, and the old and new value.

See also OSS note: 3311577 – SCU3 | How to find out, if table change logs exists for a specific time interval.

Bug fixes:

Checking table changes from customizing

If you are in a customizing action and you want to see who did perform changes, select the menu Utilities and then option Change Log. Select date and time frame to analyze and press Execute. As example here changes to Plant Definition (table T001W):

See also OSS note 3195801 – SPRO | SM30 | How to check the result of a customizing transport and 1834956 – SCU3 | How to enable logging for importing to the system via tp (or R3trans).

Custom tables and standard SAP tables

By default a lot of SAP configuration and important setting tables have the log changes activated. But not all. It is not uncommon to activate table logging for standard SAP configuration tables important for your business. For important custom configuration Z tables you might want to activate table logging.

Table logging is not a replacement for change documents. Standard SAP generates change documents for changes to documents that must be kept for tracking and audit purposes. This is common for all major transnational objects and its underlying tables. That is why for example for an important table like VBAK (sales order header) the table logging is off: change documents are already generated.

It is very bad practice to make use of table logging for business data reasons. Table logging is used for recording changes to configuration and if all theses logs are deleted there should be no business impact.

Background OSS note: 3153906 – SCU3 | How to enable logging for tables in customer name space.

Deletion of table logging

Table logging can be deleted with transaction SLG2.

Make sure only very limited amount of people have access to SLG2 and the below program SBAL_DELETE.

SLG2 can run for a long time. For background read OSS note 2507213 – SBAL_DELETE runs too long

Please be aware the deletion is cross client! See OSS note 3000914 – SCU3 | RSTBPDEL | Caution: The table is cross-client.

Other bug fix notes:

Review of table logging for audit

OSS note 112388 – SAP system audit | Tables requiring logging explains the audit relevance of table logging and explanation about program RDDPRCHK.

Table logging can be reviewed with program RDDPRCHK:

Bug fixes for RDDPRCHK:

SAT ABAP runtime analysis for ABAP web applications

SAT ABAP runtime analysis is a great tool for analyzing performance issues. This tool can also be used to analyze ABAP web dynpro and FIORI applications. For more background on SAT tool itself, read this blog.

Questions that will be answered in this blog are:

  • How to run SAT tool for ABAP web applications?

Running SAT tool for ABAP web applications

Start transaction SAT, and press the button Schedule in the block For User/Service.

You now reach the measurement overview screen:

Now select the Schedule Measurement button. In the next screen fill out the user to trace and very important: switch the object type to URL and process type to HTTP:

Do not press the schedule measurement button yet. First go to the ABAP web application to the part you want to measure for performance. Afterwards delete the browser, since it will keep on sending data.

No you have to go back to the SAT start screen and click on the tab Evaluate:

Double click on your measurement line. The system will now read the measurement log files and process them. This can take some time. The end result screen looks again like a normal SAT result screen:

SAT ABAP runtime analysis

The SAT ABAP runtime analysis tool can be used to identify performance problems in ABAP programs.

Questions that will be answered in this blog are:

  • How to run the SAT tool?
  • How to read the results of the SAT tool?

Starting the SAT tool

The SAT ABAP runtime analysis tool can be started with transaction SAT:

Top left there is a Tips & Tricks button. This will bring you the to the following tool:

Here you can compare the optimal and not optimal way of coding. By hitting measure runtime button you can actually compare in real time the difference between the 2 methods.

The performance issue program

To test the tool, we first write a simple test program:

REPORT zperftest2.

DATA: zlt_vbak TYPE TABLE OF vbak.
DATA: zls_vbak TYPE vbak.
DATA: zlt_vbap TYPE TABLE OF vbap.
DATA: zls_vbap TYPE vbap.
DATA: zls_vbap2 TYPE vbap.

SELECT * FROM vbak INTO TABLE zlt_vbak UP TO 100 ROWS.

LOOP AT zlt_vbak INTO zls_vbak.
  SELECT * FROM vbap INTO zls_vbap.
    DO 10000 TIMES.
      zls_vbap2 = zls_vbap.
    ENDDO.
  ENDSELECT.
ENDLOOP.

Now we start the SAT tool, enter the program name. Make sure the tick box evaluate immediately is on and press Execute.

Now the measurement will start.

Result of the trace tool

The result of the trace tool is as follows:

On the left side you see the split in where the program spends it time. Here you can see that most of the time is spend on internal processing and not on SQL statements. SQL statement can be analyzed from the SAT tool or from the ST05 SQL trace tool.

By double clicking on the the internal access the right hand side of the screen is filled. Here you can see in which code blocks the most net and gross time is spent. It does not always point you to the exact statements that are not ok, but it can point you to the program that is causing the biggest delay.

In our case the DO 10000 TIMES loop is the performance killer. With only SQL tracing this cannot be found.

Runtime analysis for web applications

For runtime analysis for web applications, read this dedicated blog.

Relevant OSS notes

Check and if needed you can apply these OSS notes to solve bugs in the SAT tool:

ST05 SQL performance tracing

Performance issue solving is an important job for ABAP and basis consultant. One of the helpful tools is ST05 SQL performance trace tool.

Questions that will be answered in this blog are:

  • How to switch on ST05 SQL trace?
  • How to read the results from the ST05 SQL trace?
  • How to use the ST05 SQL trace with multiple application servers?

The test program

First we create a small test program for our performance analysis.

REPORT zperftest.

DATA: zlt_vbak TYPE TABLE OF vbak.
DATA: zls_vbak TYPE vbak.
DATA: zlt_vbap TYPE TABLE OF vbap.
DATA: zls_vbap TYPE vbap.

SELECT * FROM vbak INTO TABLE zlt_vbak UP TO 1000 ROWS.

LOOP AT zlt_vbak INTO zls_vbak.
  SELECT * FROM vbap INTO zls_vbap.
    DO 10 TIMES.
      CALL FUNCTION 'BAPI_MATERIAL_EXISTENCECHECK'
        EXPORTING
          material = zls_vbap-matnr+0(18).
    ENDDO.
  ENDSELECT.
ENDLOOP.

Off course this program is written very badly to be really slow and making performance issues.

ST05 SQL trace

Start the ST05 SQL trace tool with transaction code ST05.

You can activate the trace for all users with the button Activate trace. But this is usually not needed and will only give you a long trace to analyze.

The usual method is to activate the trace with a filter, mostly on user name to trace a specific user action:

If the authorization team already started on ST01 authorization trace, you cannot start the SQL trace. First stop the ST01 trace.

Now you can start the performance test program in a different session. Just wait until it is finished. It is important the user you are tracing is only doing this action and does not perform any other action, since these other actions are also recorded and will make the analysis harder to read.

When completed go back to the ST05 and click Deactivate trace.

Trace analysis based on duration

Now press the Display trace to see the results. If your trace is large you will get this screen:

This is quite common and click yes. If your result is really too big, change the 5000 on the first screen in to a good maximum, or try to record a smaller time frame.

Result now looks like this after sorting on the column duration:

You can see that the total SQL commands took 48 seconds in total. The longest SQL single command took 78 milliseconds (which is very fast, so long running SQL’s are not the issue in this example).

In your case you might find very large single SQL commands. By selecting the line and pressing the button Display ABAP call location, you can jump to the place in the coding that fired the SQL command.

Summarized trace analysis

Since we have many records and many small ones, we need to use the summary tools. In the trace analysis select menu path Trace and then Structure Identical statements. This will give the following surprisingly short overview:

In the third column you can see that there are 100 identical calls, and also a high number of redundant calls.

If you now click on the second line to the ABAP call position you jump to our badly performing program and see that the majority of the delay is coming from the do 100 times loop. The first line is coming from standard SAP in the BAPI call.

This happens in real live as well that not all calls will point you into the right program. You might have to check multiple lines to find the right program causing the issue.

Multiple application servers

Development systems normally have only 1 application server. Productive servers can have more. If you have to analyze a performance issue directly on production with ST05, you have to be aware that the performance trace is per application server. If needed, you can select in ST05 as specific server, or you can select all. The trace display is still per server.

Relevant OSS notes

Notes to check or to apply:

Delete ABAP developer keys

This blog will answer the following questions:

  • How to delete old ABAP developer keys from my system?

ABAP developer keys clean up

If ABAP developers leave their key is still in your system and could potentially misused. Also when SAP comes to measure licenses they might peek in table DEVACCESS to see which developer keys are present.

Unfortunately SAP does not deliver a standard program delete an unused ABAP key. See OSS note 1710320 – How to delete SSCR Object and/or Developer Keys – SAP ONE Support Launchpad.

So you simply have to write your own customer program with a code that looks like:

DELETE FROM DEVACCESS WHERE UNAME EQ '<USERNAME>'.

Maintenance view on DEVACCESS

Alternative solution is to create a maintenance view on table DEVACCESS. This will require a once off modification key. Then you can delete and insert developers keys via the normal SM30 table maintenance transaction.

Developer key hack

The developer keys are not safe, so don’t rely on them. See this blog.

S4HANA

S4HANA does not have the developer key principle at all any more. You can delete all keys in S4HANA. Read more in this blog.

Analyzing code before upgrade or support package: CDMC toolset

This blog will explain on the use of the CDMC toolset you can run analyzing your custom code, before starting upgrade or support package.

CDMC toolset

Start transaction CNV_CDMC to goto the CDMC overview.

Goto ad hoc analysis:

Start SAP modification run

Wait for run to finish. If done, click the Display Results.

View results:

Setback of the modification overview: also OSS notes are marked as modifications.

Other useful runs: Syntax check and Inactive customer objects.

If you run these checks before an upgrade you can save quite some annoying issues during the upgrade itself.

OSS notes

Relevant OSS notes:

DB01 Oracle Lock monitor

This blog will answer the following questions:

  • How does a deadlock look like in DB01 Oracle lock monitor?
  • How can I solve the issue?

Deadlocks

A database deadlock can occur when 2 or more processes are trying to update each other and are also waiting for each other. This process will lead to infinite waiting.

DB01 Oracle lock monitor

With the use of transaction DB01 you can get overview of Oracle locks. A deadlock is observed when the status is on HOLD and more processes are in status WAIT.

Solving the deadlock can be done by the Oracle DBA on database level.

Background: 745639 – FAQ: Oracle enqueues.

Shared objects memory

ABAP programs (standard SAP and custom) use the shared memory objects technology.

Questions that will be answered in this blog are:

  • How to set the shared objects memory size?
  • How to monitor usage of shared objects memory?

Monitoring shared objects

Shared objects can be monitored with transaction SHMM:

In the start screen you can see the objects now loaded and how much memory they consume. In the start screen you can also delete and invalidate the shared memory objects.

The deletion can lead to short dumps. Only use this in emergency cases and when you are really sure

In the second tab you can see the total memory overview:

Setting shared memory objects memory size

In RZ11 with system parameter abap/shared_objects_size_MB you can set the shared object size in MB. A restart of the system is required to activate any change.

Older documentation says 500 or 1000 MB is sufficient. In newer systems a value of 3000 to 5000 in not uncommon.

Useful OSS notes

Note on memory consumption: 1322182 – Memory consumption of ABAP Shared Objects.

Dump with shortage of shared objects memory: 972757 – Occurence of the SYSTEM_NO_SHM_MEMORY runtime error.

Guided answer note: 2474021 – [Best Practice] How to solve SYSTEM_NO_SHM_MEMORY runtime error – Guided Answer

Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Overview of methods

  1. Function module SE16N_INTERFACE
  2. Debug & replace
  3. SE16N_EMERGENCY mode
  4. Re-enable &sap_edit for SE16N

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

  1. Debug/replace is needed to change the data: don’t hand out debug/replace.
  2. Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.

And configure the audit log for detection: 3226223 – How to monitor debug activities in SAP Netweaver.

Direct table editing method 3: SE16N emergency mode

In newer SAP netweaver releases there is a new SE16N emergency mode which can be started with transaction SE16N_EMERGENCY. Read all the details in this special blog on this topic.

Direct table editing method 4: re-enable &sap_edit again in SE16N and use it

Apply OSS note 1468636 – CO-OM tools: SE16N: Use of &SAP_EDIT. This seems old, but it is still valid for all S4HANA releases as well. After the note is installed run program RKSE16N_EDIT and activate the function:

Now start SE16N and select your inputs. Before hitting the execute button, enter the command &sap_edit:

Only now press execute. The result is fully editable table.

Audit log detection

Apply/configure OSS note 3140539 – SAL | New event definition for change access in SE16N for detection of table changes in the audit log.

Also check these notes:

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the transaction code is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE.

Extra functions:

3256212 – STUSERTRACE: Additional selection criteria for evaluation

Bug fix notes:

Exit mobile version