saptechnicalguru – Page 37 – Saptechnicalguru.com

Security Optimization Service

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

How to run the Security Optimization Service?
How does the questionnaire work?
How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 go to the tile Active Sessions for Service Delivery:

You now arrive in the sessions overview screen:

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

There might be multiple. In that case select this one (the others won’t work):

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Finish the roadmap. After the final step the detailed roadmap will appear:

In the first step select the logon and test the connection:

In the next step you need to assign a questionnaire:

If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:

In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionnaire and return to the roadmap.

Next step is to start the data collection:

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Authorizations

You need authorizations in the backend system for ST14. If that is missing you get this message:

This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.

Results

Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes:

Use remote ATC for baselining Z code

In the previous blogs we have explain how to run ATC from central system to remote system. This will enable you to for example run the ATC against an older release, which doesn’t have the ATC tool capability.

But there is one other common issue with older systems: you have lots of existing legacy Z code. If you want to clean up or start with new guidelines the ATC is initially not helpful since it will give you lots of errors.

This blog will explain the concept of baselining the current Z code with an initial run to give you a clean start.

Questions that will be answered in this blog are:

How to setup the ATC baseline?
How to run the ATC baseline?
What are the known limitations of the ATC baseline functionality?

Setting the baseline

To set the baseline, first run a full ATC remote check. This will give many issues. In the ATC results screen select the run and press the button Baseline to mark the current results as baseline.

You can choose that the current results are simply suppressed, are treated as exemptions or are treated as low priority.

If you run ATC tool again, please make sure in your run variant that you now select the consider baseline tick box:

If you don’t change any coding in the remote system the next run of ATC should give you a clean run with no issues (in case you have chosen suppression).

ATC after baseline

In the remote system we now do 2 coding changes:

We had before the baseline a bad program called ZCRAP1. To this program we do a change.
We created a new program called ZCRAP2.

Now we run the ATC tool again with the baseline to ignore the baselined findings.

The ATC tool now finds issues in both the changed and the newly created program.

The unfortunate thing is that for the old program, it does not look at the newly added lines, but it looks at ALL the issued in the analyzed code (also the existing). 
This might lead to some surprise if you add 1 line to a 1000 line existing bad code: this will give lots of errors. It is up to you to decide to fix the existing errors or just exempt the existing ones.

Baseline suppression known issues

The baseline suppression has some known issue situations. These are listed in OSS note 2552932 – ATC: Baseline Does not Suppress all Findings.

Bug fix notes:

- 2609447 – ATC: Baseline seemingly not reliable

- 2609481 – ATC: Similar findings might not all be reported

Using remote ATC for S4HANA readiness checks

In the blog on readiness check 2.0 we explained how you can perform analysis on your system as preparation for the S4HANA upgrade. This blog will explain how to run detailed analysis on your custom code as preparation for S4HANA upgrade. Pre-condition is that you have installed 7.52 netweaver system and done the configuration for remote ATC as described in this blog.

Questions that will be answered in this blog are:

What do I need to do in order to set up the remote S4HANA readiness check in ATC?
How to run the remote S4HANA readiness check?
How to handle the results of the remote S4HANA readiness check?

How to set up remote ATC for S4HANA readiness check?

To run the remote ATC for S4HANA readiness check you must install a netweaver 7.52 system and configure the remote ATC. Instructions can be found in this blog.

In the central 7.52 ATC system you must then apply all the extra OSS notes needed that are listed in OSS note 2436688 – Recommended SAP Notes for using S/4HANA custom code checks in ATC.

In the SAP code inspector (for details see this blog) you can now find the S4HANA readiness variants:

How to run the S4HANA readiness in ATC?

To run the S4HANA readiness variant create in the ATC tool (for all details see this blog) a special S4HANA readiness run series:

In this run it is important to put your analysis system object provider into the variant!

Now start the ATC run and be patient. The run might take a few hours pending on your system size and Z code base sizing.

You can monitor the progress in the ATC run monitor:

You can also see here if any tool issues were reported. If tool issues are present, click on the underlined number and see if you can solve them. Most issues are SAP bugs and you need to apply an OSS note. Before creating new message for SAP make sure you have applied all recent notes for the S4HANA readiness check (2436688 – Recommended SAP Notes for using S/4HANA custom code checks in ATC) and all the remote ATC notes as explained in the remote ATC blog.

How to handle the results?

If the ATC run is finished you can look at the results in the central system:

The results consist of a code point where a potential issue is. If you click on the code point you jump to the analyzed systems code.

There is also a note number which explains what you need to check.

Now basically 3 things can happen:

You can fix the issue directly: nice, the next run the issue is gone.
You read from the OSS note the function has changed or is no longer present in S4HANA. Read the OSS note for alternatives or check with your functional consultant on functional alternatives. Example of change is the way output and pricing is done. You know now it will be changed, but you cannot prepare in the current system. Use the list as input for project management for work estimation.
You read from the OSS note the potential issue and conclude it is not relevant for your situation. Example is material number length handling. If you use material numbers properly this is not relevant for you, but the tool will generate massive amounts of alerts. But maybe in some cases you need to intervene.

To distribute the results, apply OSS note 2499684. This enables you to download the ATC results into xls spread sheet. From here it is easier to follow up if action is needed for long list (like material number length) or not.

Fine tuning the results

OSS note 2865234 – SAP S/4HANA custom code checks show different number of findings in different check runs contains some explanation on differences in numbers.

More important, you need to run the ATC a few times, after every main clean up round. But some notes you might have detected as not relevant and you want to exclude them.

To do this copy the SCI S4HANAREADINESS variant to your own variant. Then change the SCI variant to exclude the OSS notes you don’t want to see any more:

Now rerun the ATC with the new variant. The list you get will be smaller. Repeat this iterations as long as needed.

Don't change the originally SAP delivered SCI variants. New features and bug fixes by SAP will update this variant. If you have an updated SAP variant, simply copy it again to your Z variant and redo the exclusion of OSS notes.

S4HANA 1809 update and beyond

If you previously installed remote ATC for a 1709 check and want to run now for S4HANA 1809 or higher version, there are a few update steps to follow.

First step is to install OSS note 2659194 – Check variant for SAP S/4HANA 1809 custom code checks and carry out the manual aftercare action. This will deliver you the SCI variant for S4HANA_READINESS_1809.

If you now run remote ATC without step 2, you get the issue described in OSS note 2532285 – ATC: Inspection was not executed because target release information cannot be processed.

Step 2 is to update the simplification content to version 1809. You have to download the content from SAP software site and upload it in your ATC 7.52 system. For this step follow the instructions from OSS note 2241080 – SAP S/4HANA: Content for checking customer specific code.

Short summary of these steps in this note: download the most up-to-date simplification database:

In the 7.52 central ATC system use tcode SYCM to upload this file.

Now you are good to go for the S4HANA 1809 readiness check for custom code.

For S4HANA 1909, S4HANA 2020 and S4HANA 2021 the notes have different numbers:

The basic process is still the same.

Bug fix OSS notes

Bug fix OSS notes:

Enabling ATC for remote checks

By using a Netweaver 7.52 server (or newer) you can use that server a central ATC server for running the ATC. For explanation on ATC itself, please check this blog.

Questions that will be answered in this blog are:

What are reasons for running remote ATC checks?
How to set up remote ATC checks?
Which limitations does remote ATC checks have?

Reasons for running remote ATC checks

There are several reasons why you might want to do this:

Run ATC against an old 7.00/7.01/7.02 system, where ATC is not delivered by SAP
Run ATC for S4HANA Readiness checks (see blog)
Run the latest ATC checks and you want to use the new baseline function (see blog)
Run the ATC tool centrally when you have more development systems, but still want to maintain the ruleset only once

Consider very carefully if the benefits you are looking for are worth the setup work below.

The master OSS note for the remote checks is 2375864 – ATC: Remote Checks – Developer Scenario.

Central system

First of all you need a 7.52 or higher system. This might already be big stumbling block if you don’t have this. In past blogs and notes you might find it works for 7.51 as well, but this will have severe limitations. For example the S4HANA Readiness only works properly on 7.52.

Read note 2364916 – Recommended SAP Notes for using ATC to perform remote analysis. Goto the section of the central check system for your version and see which OSS notes you need to apply so solve the known bugs.

Checked system

The master note 2375864 – ATC: Remote Checks – Developer Scenario contains the OSS notes to be applied for the older versions. For the newer versions OSS note 2190065 – ATC/CI: Remote Code Analysis – Object Provider Stub is needed.

This looks like a simple action, but it is not. It will pull in dependent OSS notes. One of these notes is the key OSS note 2270689 – Remote Analysis (for source system). This note contains references to the notes to apply.

Notes referred to in note 2270689 can be HUGE OSS notes. It can take 15 to 20 minutes to download and will result into a time-out dump is you have standard 10 minutes set. Ask basis team to set rdisp/max_wprun_time and rdisp/scheduler/prio_high/max_runtime to 30 minutes for you to able to download this note.

Per checked system you will need an RFC connection from the central system to the checked system.

To initialize the remote check per checked system you must run program RS_ABAP_INIT_ANALYSIS:

Also run this program in the central system!

Configuring the central system

Start transaction ATC and goto the setup menu to set the system role:

Select here the second option to make it a central system:

Then goto the menu for setting up the object providers:

First create a group:

The fill the RFC Object providers:

The vital element here is the RFC connection that you have created from the central system to the local system.

Make sure in the central system by testing in SM59: the connection is properly working. Also make sure that the user in the checked system has sufficient RFC rights to execute the remote ATC checks.

Setup the SCI variant for remote execution

In the central system set up the SCI variant for remote execution.

Be aware here one of the major limitations: you can only select the check which SAP has enabled for RFC based check:

Remote ATC run execution

In the central system now define the ATC to run:

Important here:

The check variant has to be defined in the central system
The variant runs against the selected object provider you have just defined

After the first run you must likely will get check tool failures:

Read the failures carefully and solve them one by one.

End result

The end result is the same as with the local system. By clicking on the code you will jump from central to checked system.

Bug fixes

Bug fix notes:

3022283 – Clear Caches of Static Check Infrastructure (contains instructions on clean up reports RS_ABAP_DELETE_ANALYSIS and RS_ABAP_CLEAN_ANALYSIS)

Keep end users out of the system during maintenance

This blog will explain an elegant new way to keep end users out of the system during maintenance.

Questions that will be answered are:

How does the login/server_logon_restriction parameter work?
How do I assign the right to logon during maintenance?

Traditional ways of keeping users out of the system during maintenance

Traditional ways of keeping users out of the system is by locking the users either via SU10 or custom built program.

Major setbacks of both methods:

Locking and unlocking takes time
In the user history you see constant lock and unlocks that you need to explain to auditors

New login/server_logon_restriction parameter

In more recent SAP systems (7.5 and up) there is a new parameter called login/server_logon_restriction (formal OSS note is 1891583 – Restricting logon to the application server).

RZ11 parameter login server_logon_restriction

If you set this to 1 then only people with the right privilege can log on to the system. The parameter is immediately effective. All non-privileged users will get this error when they try to log on to the system:

After the system maintenance you can set the parameter back to normal and everybody can log on again. User history is not touched.

Be aware this is a dynamically switchable parameter. If you set the value to 1 and need to restart the system during your maintenance the value after restart is back to 0, which means everybody can log on again.

How to assign the privilege to log on to basis administrators?

First you need to create or extend the user security policy for basis admins using transaction SECPOL. Add the policy attribute SERVER_LOGON_PRIVILEGE and set it to value 1.

Now you can add this security policy to all basis team members in SU01:

All persons with security policy ADMIN are now still allowed to log on during the maintenance when parameter login/server_logon_restriction is set to 1 in RZ11.

Other use of security policies

Security policies can also be used to enhance security of specific user groups (like basis team). See this blog for more on this feature.

Text on logon screen before and after logon

This blog will explain how to get text on the SAP logon screen before users logon and on the screen after users logon.

If you want to load a picture after the logon screen, please read this blog.

Questions that will be answered are:

How to add a text to the logon screen?
How to include icons?
How to put a text after the logon screen in stead of a picture?
How to put a clickable URL in the text after the logon screen?

Setting text before logon

The text to be shown before logon is maintained via transaction SE61. Select General text and for the name select ZLOGIN_SCREEN_INFO.

Now press change:

Enter the text you want to show to the users.

If you want to show SAP icons in the text start transaction SE38 and run program RSTXICON. Run it as ABAP list. Look for the icon you want and lookup the code. Please it between 2 @ symbols.

End result looks like this:

Official OSS note is 205487 – Custom text on SAP GUI logon screen.

Adding a text after the logon screen

After the logon screen you can either add a picture or a web url. But no text or text with hyperlink. To achieve this we will do a small development trick. We put the text on a web dynpro page and add the web dynpro page as URL for the start screen.

First develop the web dynpro in SE80:

We will call the web dynpro ZSTARTPAGE. In our example there is a text (caption) and a LinkToUrl. The LinkToUrl has a text and a hyperlink and will show as a clickable element to the user. Save and generate the web dynpro. Test the web dynpro and note down the URL of the web dynpro.

Start transaction SM30_SSM_CUST to maintain the customizing for logon screen and other items. In the parameter SESS_URL fill out the web dynpro URL. If the parameter SESS_URL does not yet exist, just create it.

Also make sure the logon picture is not hidden (see OSS note 1387086 – HTML viewer in SAP Easy Access screen):

The end result will look like this:

Depending on the security settings of the system you might need to tweak the SICF node of the web dynpro to suppress a password popup.

You can also integrate SO10 SAP script text. For more information on how to achieve this, read this blog.

SAP batch job interception

This blog will explain how to setup SAP batch job interception.

Questions that will be answered in this blog are:

How to activate SAP batch job interception?
How does an intercepted job look like?

Activating SAP batch job interception

Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:

Next you have to start transaction CRIT and create the profiles.

First create the default SAP profile by clicking on the SAP logo. Activate it. Next step is to create the profile in which you want to do the interception. In the screen above click on the create profile button. Now enter a criteria. For simplicity we have called it interception. In our case we intercept all except a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.

Next step is to activate this profile:

Working of interception

When a batch job is planned the interception checks if the job should be intercepted or not. As a test logon as end user and launch a job. In our case the user ENDUSER tries to launch a job from SLG2 transaction to delete application logs. This jobs is intercepted and shows like this in SM37:

The job does not start immediately, but shows in intercepted state. If user with release rights now goes to SM37 for this job, he can release the intercepted job.

SAP mail sending tips & tricks

This blog focuses on SAP mail sending tips and tricks.

Questions that will be answered are:

How can I add a disclosure to the mails I send form non-productive systems?
How do I restrict access to transaction SOST?
Which batch job to plan for sending mails?
How can I send encrypted or signed mails?
Is there a display only version of SCOT available?
How to send hyperlink in mail using ABAP?

Adding disclosure from to mails from development and test systems

If you want to send mails from development and test systems, but don’t want any risk that it looks like a productive mail, you can add a disclosure to the mail.

In SOST mail settings go to the disclosure function:

Or you can go directly there using the SODIS transaction.

In SODIS you key in the disclosure text:

If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:

When sending mails from the SAP system the receiver now gets the disclosure. The real mail is pushed as text in the attachment of the mail (see OSS note 2842085 – Email body becoming to attachment in receiver side). You need to open the attachment to see the body of the text. Hyperlinks in the body will still work.

Restricting access to SOST transaction: give SOSG access

As admin you might want to restrict access to SOST transaction. This transaction is also often used by functional consultants to see if their mail is sent or not. When having access to SOST all functions like deletion and stopping of mails is also granted. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.

To allow sending of mail in SOSG, follow instructions from OSS note 2573586 – “Send” function greyed out in transaction SOSG.

Batch job for mail sending

For sending mail, you need to schedule batch job RSCONN01 with variant SAP&CONNECTINT. See OSS note 1912890 – Stuck email messages on SOST – RSCONN01 client dependent.

Mail read receipts

SAP mail sending can also use mail receipts. This might be wanted, but most of the times it is not wanted. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?

To suppress it follow the instructions in OSS note 1607686 – Suppressing read notification requests.

Mail send restrictions based on user group

If you want to restrict mail sending based on user group, follow the instructions from OSS note 2623113 – How to limit e-mails by Sender Group in SCOT.

Mail encryption and signature

Start program RSCONN05 to set the mail signature and encryption settings. More background in OSS note 149926 – Secure e-mail: Encryption, digital signature.

Guided answers

See OSS note 3225275 – BC-SRV-COM Guided Answer for guided answers on mail setup.

Sending hyperlink in mail

If you have a requirement to send working hyperlinks in mails coming from SAP, read this blog on how to do this using custom ABAP code.

Increasing value of SMTP password length

See note 2363295 – Password for SMTP authentication is too short for increasing SMTP password length.

Relevant OSS notes for issues in SOST

SAP TREX and HANA embedded search technical tips and tricks

This blog will give technical tips & tricks on embedded search. Embedded search can run on both HANA directly or on separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH work.

Questions that will be answered in this blog are:

How do I set HANA default connection as embedded search location?
What to do after a system copy with embedded search?
How to reset the complete embedded search to initial state?
How to reset the embedded search buffer?
How to recreate the embedded search joins?
How to influence the package size of the search extraction?
How to check backend part of search?
How to deal with full text search issues?
How to deal with authority index issues?
How to deal with high load issues on TREX?

Activating search in S4HANA

If you are running S4HANA, you can use an STC01 task list to fully setup the search function. Read this blog on technical activation and this blog for FIORI search for full instructions. The remainder of the blog below can be used in case of issues.

Setting the search connection to use HANA default database connection

If you are running HANA database for ECC you can use the HANA default primary database connection for search setup. This is easier in maintenance: no extra TREX needed, no extra secondary DB connection. Search will consume extra memory and CPU off course on the HANA database.

To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.

Notes:

Task list to run after system copy

After you copy a system the search will not immediately work. In client 000 start transaction STC01 and run task list SAP_ESH_ADJUST_AFTER_COPY. See also OSS note 2479611 – Error message: “Current system is a copy of another system”. See also note 2583055 – ESH_ADM_MSG281 error when run the task list SAP_ESH_ADJUST_AFTER_COPY on client 000 after the system copy. And read note 3243784 – Invalid value 10.000 when assigning values of parameter P_PACKS in report ESH_IX_CRT_INDEX_OBJECT_TYPE.

Resetting all settings to initial

When things gone really beyond repair, you can log on to client 000 and start transaction STC01 and run task list SAP_ESH_RESET.

Important: write down (or make screen shots) on the connectors and settings that were active before running this task list. It will really wipe out all connectors and settings.

More information can be found in OSS note 2626143 – How to execute SAP_ESH_RESET.

Resetting the buffer

Run program ESH_REFRESH_RUNTIME_BUFFER in the working client to reset the trex buffer.

Bug fix note: 2947055 – CDS activation: Runtime error in report ESH_REFRESH_RUNTIME_BUFFER. And 3253863 – CDS: Timeout error during execution of report ESH_REFRESH_RUNTIME_BUFFER.

Recreation of join indexes

Run program ESH_RECREATE_ALL_JOIN_INDICES in the working client to recreate the join indexes. See also OSS note 2112153 – How to recreate ESH join indexes which are corrupted in TREX.

Influencing package sizing per object

With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing. Issues can be dumps on SYSTEM_NO_ROLL / LOAD_NO_ROLL / TSV_TNEW_PAGE_ALLOC_FAILED / SYSTEM_NO_SHM_MEMORY.

See these OSS notes:

Check backend part of search

To check if a search issue is related to application coding or is related to search setup, you can run program ESH_TEST_SEARCH (with same transaction code ESH_TEST_SEARCH). This program gives you options to test the search independent of any programming of search front end.

Bug fix OSS note: 2972790 – ESH_TEST_SEARCH – value help for attribute search: Values are not transferred case-sensitively.

Full text search issues

If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note is focusing on full text search issues in relation to solution manager CHARM, but the methods described can be used as well for analyzing other full text search issues.

Setting the extraction user ID

Use program ESH_EX_SET_EXTRACTION_USER or transaction ESH_EXTR_USER to set the user to be used for extraction. This includes the real time indexing. For more information see OSS note 2340298 – User Types and required authorizations for ESH extraction user. For issues see OSS note 2750997 – Error “Logon of user XYZ in client xyz failed when starting a step” in ESH indexing job logs. And 2938916 – ESH extraction user – option “Generate User” – adjustment of password policy.

Bug fix OSS note: 2938916 – ESH extraction user – option “Generate User” – adjustment of password polic y.

Authorization indexing issues

While indexing you might get authorization indexing issues. First step is to repeat with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.

If it does not help, you can read the very extensive OSS note 2472239 – Error message “Authorization indexing unsuccessful” when creating search connectors. And OSS note 2729739 – Error indexing search connectors: “Authorization indexing unsuccessful for object type USER_AUTHORITY”.

New option to partially skip the checks for indexing: 3088737 – Customizing option for completely deactivating authorization indexing for individual ESH authorization indexes.

Index preload

For some TREX issues index preload can be a solution. More information on index preload can be found in OSS note 2115082 – ESH Index Preload.

Python check script

For detailed check on TREX embedded search there is a special Python check script, which is not installed by default. The script can be downloaded as attachment from OSS note 2227741 – TREX 710: check of the TREX settings for the Enterprise/embedded Search scenario. Read OSS note 2344042 – How to execute python script check_esh.py on how to install and run the script.

TREX memory issues

If you are seeing high memory consumption in TREX, please check OSS note 2540240 – High Memory and Indexing problems in TREX.

TREX high load issues

If you are experiencing high load issues, consider increasing the amount of threads. Reference OSS note: 1065406 – BWA: Raise number of TREXRfcServer threads.

TrexViaDbsl Analysis Tool in ABAP

In newer versions this tool is available. Otherwise apply OSS note 2690982 – TrexViaDbsl Analysis Tool in ABAP. Then in SA38 you can launch program RHANA_TREXVIADBSL_ANALYZER for the analysis tool:

A more detailed explanation is given in OSS note 2800048 – FAQ: SAP HANA TREXviaDBSL.

TREX jobs

See OSS note 3169829 – When and how the job ESH<Client>IX_<System SID><Client>_* is created for the jobs TREX is creating on the ECC backend system:

ESH_IX_PROCESS_CHANGE_POINTERS/ESH_FU_DEMON,
ESH_IX_CRT_INDEX_OBJECT_TYPE
ESH_SE_CONNECTOR_MOD_BGD

TREX administration

For TREX administration read this dedicated blog.

Re-indexing and model update after upgrade

After an upgrade or support package, a model update is required. See OSS note 2468752 – Re-indexing after an application Upgrade.

Search speed for ECC

If you run ECC and use HANA as database, you can make use of SFW5 switch BSESH_HANA_SEARCH to speed up the search using HANA based features.

Special use cases

SAP solution manager documentation

If you have search issues with SAP solution manager documentation, there is a special OSS note 2608454 – FAQ: How to handle issues with the (embedded) search functionality in the context of Solution Documentation . This OSS note also contains coding for special test program that will check all relevant settings for the solution documentation search function to work properly.

Use of security policies in user maintenance

This blog will explain the use of security policies in user maintenance.

Questions that will be answered are:

Why to use security policies?
How to setup security policies?
How to assign a security policy to a user?

Why to use security policies?

Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.

How to setup security policies?

Security policies can be setup in customizing under the following node (or by using transaction SECPOL):

On the next screen create the needed security polices as definition (identifier and description):

Select one of the policies, to set the detailed attributes per policy:

In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.

Assign security policy to user

In SU01 on the tab Logon Data you can now assigned the appropriate Security Policy for the user:

Unfortunately the Security Policy cannot be made a mandatory field. See OSS note 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification.

Different use case for security policies

There is a second use case for security policies: in the new netweaver releases you can set parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.

Background OSS notes

Relevant OSS notes:

2018918 – User-specific settings for password rules, password changes, and logon restrictions
2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification –> it is saying you cannot do it, but you can do this by building a transaction variant: see blog
3075533 – Login parameters (login/*) not effective with Security Policies