In the previous blog on SAP security notes you will see that security notes popup around “Digitally signed SAP notes”.
This blog will explain more on how to implement this.
Questions that will be answered in this blog are:
Why switch over to the new way?
How to implement the feature to download digitally signed SAP notes?
How to make the relevant settings?
Where to find more information?
Why switch over to the new way?
SAP keeps improving their security in all ways. Including OSS notes. There is no direct benefit. After downloading the OSS notes, the handling is identical for old and new way.
Switching over from current way of working to digitally signed SAP notes can be done any time.
SAP has announced the following: "Post January 1, 2020, the download and upload process will stop working unless Note Assistant (SNOTE transaction) is enabled in ABAP systems to work with digitally signed SAP Notes".
How to implement digitally signed SAP notes?
There are 2 basic ways to implement (you have to do only one):
Apply TCI based OSS note 2576306, which contains all the notes (and manual work) in the notes mentioned in point 1. Your system needs to be able to handle TCI based OSS notes (see this blog on how to do this).
Follow the guided procedure
Guided enablement procedure
The guided procedure is the easiest way to apply and check the digitally signed OSS notes way of working.
Follow the instructions from OSS note 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes. Attached this note is an explanatory PDF document that describes all steps in detail. After installation of the OSS note (and prerequisite notes), you can run program RCWB_TCI_DIGITSIGN_AUTOMATION, which will guide you through the steps and verifies the results at the end:
Settings after implementation
If you have done the TCI based import a new customizing node is available:
The first one (direct program in SE38 is called RCWB_SNOTE_DWNLD_PROC_CONFIG) is to set the way of downloading:
The second one (direct program in SE38 is called RCWB_UNSIGNED_NOTE_CONFIG) is to allow only digitally signed SAP notes:
How to validate if the notes now are digitally signed?
To see if all is ok, download and implement a new OSS note. In the note log you can now see the digital signature download in the note log (in nice German words):
In the previous blogs we have explain how to run ATC from central system to remote system. This will enable you to for example run the ATC against an older release, which doesn’t have the ATC tool capability.
But there is one other common issue with older systems: you have lots of existing legacy Z code. If you want to clean up or start with new guidelines the ATC is initially not helpful since it will give you lots of errors.
This blog will explain the concept of baselining the current Z code with an initial run to give you a clean start.
Questions that will be answered in this blog are:
How to setup the ATC baseline?
How to run the ATC baseline?
What are the known limitations of the ATC baseline functionality?
Setting the baseline
To set the baseline, first run a full ATC remote check. This will give many issues. In the ATC results screen select the run and press the button Baseline to mark the current results as baseline.
You can choose that the current results are simply suppressed, are treated as exemptions or are treated as low priority.
If you run ATC tool again, please make sure in your run variant that you now select the consider baseline tick box:
If you don’t change any coding in the remote system the next run of ATC should give you a clean run with no issues (in case you have chosen suppression).
ATC after baseline
In the remote system we now do 2 coding changes:
We had before the baseline a bad program called ZCRAP1. To this program we do a change.
We created a new program called ZCRAP2.
Now we run the ATC tool again with the baseline to ignore the baselined findings.
The ATC tool now finds issues in both the changed and the newly created program.
The unfortunate thing is that for the old program, it does not look at the newly added lines, but it looks at ALL the issued in the analyzed code (also the existing).
This might lead to some surprise if you add 1 line to a 1000 line existing bad code: this will give lots of errors. It is up to you to decide to fix the existing errors or just exempt the existing ones.
In the blog on readiness check 2.0 we explained how you can perform analysis on your system as preparation for the S4HANA upgrade. This blog will explain how to run detailed analysis on your custom code as preparation for S4HANA upgrade. Pre-condition is that you have installed 7.52 netweaver system and done the configuration for remote ATC as described in this blog.
Questions that will be answered in this blog are:
What do I need to do in order to set up the remote S4HANA readiness check in ATC?
How to run the remote S4HANA readiness check?
How to handle the results of the remote S4HANA readiness check?
How to set up remote ATC for S4HANA readiness check?
To run the remote ATC for S4HANA readiness check you must install a netweaver 7.52 system and configure the remote ATC. Instructions can be found in this blog.
In the SAP code inspector (for details see this blog) you can now find the S4HANA readiness variants:
How to run the S4HANA readiness in ATC?
To run the S4HANA readiness variant create in the ATC tool (for all details see this blog) a special S4HANA readiness run series:
In this run it is important to put your analysis system object provider into the variant!
Now start the ATC run and be patient. The run might take a few hours pending on your system size and Z code base sizing.
You can monitor the progress in the ATC run monitor:
You can also see here if any tool issues were reported. If tool issues are present, click on the underlined number and see if you can solve them. Most issues are SAP bugs and you need to apply an OSS note. Before creating new message for SAP make sure you have applied all recent notes for the S4HANA readiness check (2436688 – Recommended SAP Notes for using S/4HANA custom code checks in ATC) and all the remote ATC notes as explained in the remote ATC blog.
How to handle the results?
If the ATC run is finished you can look at the results in the central system:
The results consist of a code point where a potential issue is. If you click on the code point you jump to the analyzed systems code.
There is also a note number which explains what you need to check.
Now basically 3 things can happen:
You can fix the issue directly: nice, the next run the issue is gone.
You read from the OSS note the function has changed or is no longer present in S4HANA. Read the OSS note for alternatives or check with your functional consultant on functional alternatives. Example of change is the way output and pricing is done. You know now it will be changed, but you cannot prepare in the current system. Use the list as input for project management for work estimation.
You read from the OSS note the potential issue and conclude it is not relevant for your situation. Example is material number length handling. If you use material numbers properly this is not relevant for you, but the tool will generate massive amounts of alerts. But maybe in some cases you need to intervene.
To distribute the results, apply OSS note 2499684. This enables you to download the ATC results into xls spread sheet. From here it is easier to follow up if action is needed for long list (like material number length) or not.
More important, you need to run the ATC a few times, after every main clean up round. But some notes you might have detected as not relevant and you want to exclude them.
To do this copy the SCI S4HANAREADINESS variant to your own variant. Then change the SCI variant to exclude the OSS notes you don’t want to see any more:
Now rerun the ATC with the new variant. The list you get will be smaller. Repeat this iterations as long as needed.
Don't change the originally SAP delivered SCI variants. New features and bug fixes by SAP will update this variant. If you have an updated SAP variant, simply copy it again to your Z variant and redo the exclusion of OSS notes.
S4HANA 1809 update and beyond
If you previously installed remote ATC for a 1709 check and want to run now for S4HANA 1809 or higher version, there are a few update steps to follow.
Step 2 is to update the simplification content to version 1809. You have to download the content from SAP software site and upload it in your ATC 7.52 system. For this step follow the instructions from OSS note 2241080 – SAP S/4HANA: Content for checking customer specific code.
Short summary of these steps in this note: download the most up-to-date simplification database:
In the 7.52 central ATC system use tcode SYCM to upload this file.
Now you are good to go for the S4HANA 1809 readiness check for custom code.
For S4HANA 1909, S4HANA 2020 and S4HANA 2021 the notes have different numbers:
By using a Netweaver 7.52 server (or newer) you can use that server a central ATC server for running the ATC. For explanation on ATC itself, please check this blog.
Questions that will be answered in this blog are:
What are reasons for running remote ATC checks?
How to set up remote ATC checks?
Which limitations does remote ATC checks have?
Reasons for running remote ATC checks
There are several reasons why you might want to do this:
Run ATC against an old 7.00/7.01/7.02 system, where ATC is not delivered by SAP
First of all you need a 7.52 or higher system. This might already be big stumbling block if you don’t have this. In past blogs and notes you might find it works for 7.51 as well, but this will have severe limitations. For example the S4HANA Readiness only works properly on 7.52.
This looks like a simple action, but it is not. It will pull in dependent OSS notes. One of these notes is the key OSS note 2270689 – Remote Analysis (for source system). This note contains references to the notes to apply.
Notes referred to in note 2270689 can be HUGE OSS notes. It can take 15 to 20 minutes to download and will result into a time-out dump is you have standard 10 minutes set. Ask basis team to set rdisp/max_wprun_time and rdisp/scheduler/prio_high/max_runtime to 30 minutes for you to able to download this note.
Per checked system you will need an RFC connection from the central system to the checked system.
To initialize the remote check per checked system you must run program RS_ABAP_INIT_ANALYSIS:
Also run this program in the central system!
Configuring the central system
Start transaction ATC and goto the setup menu to set the system role:
Select here the second option to make it a central system:
Then goto the menu for setting up the object providers:
First create a group:
The fill the RFC Object providers:
The vital element here is the RFC connection that you have created from the central system to the local system.
Make sure in the central system by testing in SM59: the connection is properly working. Also make sure that the user in the checked system has sufficient RFC rights to execute the remote ATC checks.
Setup the SCI variant for remote execution
In the central system set up the SCI variant for remote execution.
Be aware here one of the major limitations: you can only select the check which SAP has enabled for RFC based check:
Remote ATC run execution
In the central system now define the ATC to run:
Important here:
The check variant has to be defined in the central system
The variant runs against the selected object provider you have just defined
After the first run you must likely will get check tool failures:
Read the failures carefully and solve them one by one.
End result
The end result is the same as with the local system. By clicking on the code you will jump from central to checked system.
After starting transaction ST22 select menu item Goto / Overview. Fill out the dates and you now get the overview including the statistics on the occurrences:
Detecting Z code in a dump is normally easy if it is a Z program. Some dumps you can have due to the fact that Z code is there in a user-exit, which again is calling SAP code. This dump will appear as looking 100% standard SAP, but when you scroll down in the Call Stack you will see Z code:
Before raising OSS message to SAP: make sure the call stack does not contain custom Z code.
RFC_NO_AUTHORITY dump
The RFC_NO_AUTHORITY is special kind of dump and typically looks like this:
First thing to get from the dump is the user ID and the calling system (is it an internal call or call from different system). And if the user ID is a human user or system user.
Second thing to determine is: is this a valid call or not a valid call?
In case of valid call, look in the dump which authorization is missing and what needs to be added. If the addition is done: do keep an eye on the dumps, since a new dump might come for a different new authorization object.
In case of an invalid call, you need to determine how the call was initiated and take action to avoid the initiation. This is not always a simple job.
Why is checking this dump important? Complete business flows might be disrupted if this happens. It is hard to detect for the end users what is going on. It will take them time to raise an incident and for functional people to determine what is going on. This way a lot of valuable time can be lost.
What can also happen: people try to connect via RFC methods to read data. This will give lot of dumps which are hard to follow up.
If you get too many of these dumps and you can’t solve them, you can switch parameter rfc/signon_error_log to value -1. Then the dumps are no longer there in ST22, but in stead moved to SM21 system log with less detail. If you need to have the details again, switch the parameter again (it is dynamic). Background on the parameter rfc/signon_error_log can be found in OSS note 402639 – Meaningful error message texts (RFC/Workplace/EBP).
CALL_FUNCTION_SINGLE_LOGIN_REJ dump
A bit similar to the above dump is the CALL_FUNCTION_SINGLE_LONG_REJ dump. Here a user tries to login via RFC to the SAP system, from a different SAP system, or from a JCO based connector.
Again: first determine if the call is valid or not. If not valid, determine the calling source (can be hard!).
If it is a valid call, scroll down in the details section for this dump and look for the part below:
There are two codes: T-RC code and the L-RC code. Check both the codes. In this case above the user ID validity was no longer ok.
Depending on the codes different solution needs to be applied.
Why is checking this dump important? Complete business flows might be disrupted if this happens to system user. If it happens to single user he might get grumpy. It is hard to find for the end users what is going on. It will take them time to raise an incident and for functional people to determine what is going on. This way a lot of valuable time can be lost.
TIME_OUT dumps
If an online query takes longer than the timing set in parameter rdisp/max_wprun_time a TIME_OUT dump will happen. By default and best practice, this time out parameter is set to 10 minutes. This is also the case in most system.
This dump will look like:
If you scroll down (or click in the left section) to the User and Transaction section, you can see the ID of the user who caused this and the transaction.
First reaction of the average basis person is: call/mail the user and ask him to run this in batch mode. This is indeed one of the solutions.
Alternative potential solutions:
Analyze with the end-user if he can fill out more selection criteria (hence reducing the time needed to select the data)
Analyze with the end-user if he can run the report in multiple smaller sets
Check if there are known performance OSS notes for the transaction the user is running (the root cause might simply be an SAP bug)
Check if the database statistics of the tables queried is up to date
In some cases both the selection criteria are ok, and the output of the list in batch only give a few results: in this case the creation of special index might be the solution. This can happen in case of check reports that look for business exceptions.
Why is checking this dump important? Users tend to get very frustrated by the system if they hit this dump. They have to wait 10 minutes and have no result. Sometimes you see this dump a couple of times in a row. Imagine yourself being the user with a boss demanding report which crashes after 10 minutes…
MESSAGE_TYPE_X dumps from program SAPLOLEA
The MESSAGE_TYPE_X can be pointing to very serious issue. But the ones generated by program SAPLOLEA point towards one type: the SAP GUI server interaction.
This dump typically look like this: a main dump MESSAGE_TYPE_X and calling program SAPLOLEA.
This dump can have 3 main root causes:
Issue in ABAP code (hit the SAP correction notes button to search for solutions)
Issue in local SAP gui installation of the end user
Issue in the SAP kernel
If you see many dumps with the same user ID: this typically points towards an old local SAP gui installation. Solution is to update the local SAP GUI for that user to the latest version that is supported in your company.
In rare cases the SAP kernel causes these kind of dumps. These are hard to find and detect. The only remedy here is to update the kernel at regular intervals.
To find which users use which SAP GUI version: go to transaction SM04 and add the field SAP GUI version:
From ABAP code: use function module TH_USER_LIST to get list of sessions. The GUI version is in the field GUIVERSION of output table USRLIST.
For more background on SAP GUI patching read this dedicated blog.
These dumps are caused by missing callback positive listing. See OSS note 2981184 – What to do in case of CALL_FUNCTION_BACK_REJECTED short dump. The solution is to add the function module to the positive list in RFC. In no way reduce the RFC security by lowering the RFC callback security parameter rfc/callback_security_method. Read this blog on how to hack using callback RFC, and why not to lower the security.
Coding and table generation dumps
Dumps can happen due to coding and tables not generated properly. When it happens during transport import, it is normal. If it persists after the import, you need to act. Best practice notes:
This blog will provide technical tips and tricks for Adobe Document Server (ADS) used from ABAP stack.
Questions that will be answered are:
How to retrieve ADS version information from ABAP stack?
How to test if the technical and functional connection from ABAP stack to ADS is working?
Where to find information on Adobe LifeCycle Designer?
Where to find more information on further issue analysis?
Reading the Adobe Document Server version from the ABAP stack
Run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). Result is the ADS server version information.
ADS link test programs
There are two main test programs to run to check the connection from the ABAP stack to the Adobe Document Server.
First run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output will be the version number of the Adobe Document server. If this check works, the connection from ABAP to ADS is working at network level and low basis level.
The second test program is called FP_CHECK_DESTINATION_SERVICE (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output is just number of bytes sent. If this check works, the connection from ABAP to ADS is working for functional forms connection as well.
For developing the forms you need to install Adobe LifeCycle designer on your developer laptop or desktop. The most recent list of versions and patches is kept on dedicated SAP wiki page.
Further issue analysis on setup
Follow the step in this SAP blog for further issue analysis. If this blog does not help, you can use the details from the very extensive OSS note “944221 – Error analysis for problems in form processing”.
SAP has delivered many ADS forms to replace existing SapScript and SmartForms. Unfortunately these are not default turned on. Also not on newly installed systems. To unlock all the standard SAP delivered ADS forms, goto SFW5 and activate the switch ERP_ALL_FORMS:
After this is done, run report RERP_EHP_SHOW_FORM_LIST. This list will give you pointer for each form what to change in customizing to point to new ADS form.
SICF services
Adobe document server connection requires these 2 SICF services to be active:
The general use to print output via ADS is included in the SAP license. If you want to use the advanced interactive form capability: this is subject to extra license. See oss note 750784 – SAP Interactive Forms: Licenses.
This blog will explain one of the most useful new tools from SAP when having to find bugs in standard SAP coding. The ANST (automated notes search tool) is not receiving the recognition that is should get. In usability it is same ease as the SNOTE tool.
If you love SNOTE you will also love the ANST tool! Just try it out.
Questions that will be answered in this blog:
What is the ANST automated notes search tool?
How does is work?
Why should I always use this tool before submitting an incident to SAP?
ANST (advanced notes search tool)
The ANST tool can help you in:
Quickly finding OSS notes for your issue
Check if you Z code is causing the issue or dump, or it is a standard SAP issue
OSS note 1818192 is the ANST FAQ note which also has the minimum version. This note also has an extensive explanation. The how to use below is just a summary.
OSS note 2605555 also contains an excellent PDF inside as attachment, that gives a step by step manual.
How to use the ANST tool?
Start transaction code ANST.
If you launch it for first time you might get an error "ANST001 Fatal Error. Customizing table is not filled". If this is the case follow the solution steps in OSS note 1909768.
In the transaction code box key in the transaction where you have the issue. As example we will use transaction code S_BCE_68001417 (search for authorizations by complex criteria). The user admin is complaining about an incorrect number of selected authorizations that are shown in that transaction.
So key in the transaction code and description (you can keep it same).
Now press execute: the transaction will be called. In the authorization object screen fill out S_DEVELOP and execute again to get the results:
Now leave the transaction recording.
In the left bottom of the screen you can see the recording being written into the trace file:
Depending on the complexity and amount of screens you have passed this can take up to 1 to 10 minutes.
The result is shown after the trace file. The result is sorted per SAP module. If you open the details, you can also see the exact program blocks that were hit during the recording.
Now you can select the modules (if wanted specific code blocks) where you thinks is the issue. After selection hit the Note Search button. The SAP system will now connect to SAP service marketplace and look for the most recent notes for your version, which have not yet been implemented.
The middle note seems to be very relevant. From this screen you can can already link to the note (click on note number) and start download to SNOTE already.
Tips on the selection of the components:
1. Never select more than 1000 components: ANST will reject this
2. The less components you select the faster you get results, and shorter list of potential notes as well
3. If you want you can later retrieve the recording and make a different search on different components: no need to re-record
4. Most of the times you can ignore the basis and cross application and basis notes
5. Run the recording and the result together with your functional consultant: he can help filter the components and select useful notes
Changing settings for maximum amount of notes
Especially in the basis or core ABAP area you will notice that ANST cannot read more than 1000 notes at once. This is a default setting you can easily change. In the main ANST screen hit the Settings button and scroll to the right to increase the maximum notes number:
Using ANST to analyze short dumps
The ANST tool can be used as well to analyze short dumps. Just start the ANST tool and run the steps including the step where the dump occurs. After the dump the ANST tool will trace the modules including the point where the dump occurs.
Make sure OSS note 2535278 is applied: this contains bug fix for the short dump case.
Checking for customer code issues
After the trace file is generated and you have searched for OSS notes, it can be there is still an issue caused by your own customer code. To exclude this (or to check it anyhow), you have to use the button Customer Code from the trace result screen with all the components. Be a bit patient while the tool is scanning for modifications, user-exits, BADI implementations and enhancement spots it came across in the recording.
If you want to analyze implicit and explicit enhancements as well with ANST you must apply OSS note 2408785 first.
ANST clickable demo
SAP has made a nice clickable demo to show you how it works: link to demo.
Use of ANST tool before submitting incident to SAP
Even if the ANST tool does not help you search for the correct OSS note for your issue, the ANST tool can help you in speed up of the incident solution for SAP.
If you want to report the issue to SAP as an incident download the ANST trace file. If you report the incident mention:
ANST tool is used and add the recording
Add list of already implemented OSS notes
You already checked for customer code
With this information the first line processor will have a quick job assigning the incident to the real issue solvers in Walldorf. This will save you valuable time, since the first line normally come with simple list of notes, or also run the ANST tool themselves, and then come with obvious notes.
Increasing the maximum number of objects limit
If you are using the ANST tool on a transaction with many objects (for example ME21n purchase order), you will notice that you cannot search for more than 1000 objects at the same time. Then you have to open subsection and select subtree and run it more than once with different selections. But sometimes one node really expands into more than 1000 objects. In this case, you best increase the maximum object limit. In ANST start screen choose the Settings button can increase the Max.Object counter on the far right of the settings (scrolling required)
Needless to say, more objects do take more time to analyze. But it is worth the wait.
Some standard SAP tables are delivered by SAP as customizing tables with transports, but which are logically and business wise application tables and are maintained directly in production by business people. Example is the currency exchange rate table.
This blog will explain the option and best practices to overcome this.
Questions that will be answered:
What are current settings and how does it work?
When and how to de-customize a standard SAP table?
Current settings
Current settings is bit of hidden feature in SAP systems. Per customizing object you can select if it is using the current settings option or not.
To do this, start transaction SOBJ and select the customizing object or table. The current setting flag is indicated on the example picture below for the currency conversion rate table:
The effect of the Current Settings is as follows: if the system client in SCC4 is set to “Productive” the transport flags are ignored, and the user can directly update the table and save the changes without transport request popup.
On a development or quality system the “Productive” setting is not there and the SAP system will prompt you for transport request. Especially on quality systems this can be quite annoying.
If you want a customizing table to be maintainable directly on development and quality systems, without transport request, you have to de-customize the customizing table.
Always ask for approval for procedure below and document the tables for which this procedure was applied. Pending on your business security and regulatory requirements more approvals and documentation can be needed.
The de-customization procedure
Step 1 starts with transaction SE11 to call up the table. This you have to doc in the development system. In the delivery and maintenance tab the delivery calls normally shows as type C (customizing).
Now edit and change it to type A (application):
In most cases this will do the trick. The change itself you have to put in a transport request.
Step 2 would be to re-generate the maintenance view and de-activate the recording routine. This should look as shown on picture below:
Also this change must be executed on development system and must be put in transport request.
Step 3 is to move the transport request into the quality and later productive system.
RSA1 settings to avoid transport popup for BI objects
Some settings in RSA1 like process chain starters you want to set locally per system. Default SAP asks you for a transport. In RSA1 you can overrule this. Select Transport Connection on the left hand side. Then select the button Object Changeability on top. In the popup right click on the Not Changeable and set it to Everything Changeable for the items that you don’t want a transport popup to come.
The SCI tool is great for analyzing custom code based on SAP delivered checks. For specific reasons you might want to built in your own specific checks that cannot be setup using the out-of-the-box SCI tool.
This blog will answer following questions:
When to setup custom check and when not?
How to setup custom check?
How does my check show up in the SCI and ATC results?
How to document the checks so it really fits into the standard framework?
How to influence the behavior of the checks and the settings for the checks?
When not to set up a custom SCI check?
If you want to do one of the following things, don’t set up custom check:
Change the priority outcome of a check (example from warning to error): use the option to change message priorities for this.
Search for specific string: use the Search functions options in SCI (they can even search trough comment blocks)
How to set up a custom SCI check?
Setting up the new category
First thing to do is to setup a new category. This will act as a placeholder for your checks.
To do this goto SE24 and copy the example class CL_CI_CATEGORY_TEMPLATE to your own Z implementation.
In the copy go to the CONSTRUCTOR method and adapt the description to your needs:
Important here is not to forget to double click on the 000 message and to create the message text: from here the framework will read the description. The quoted description is just for yourself to be able to read the code better.
Implementing the check
Per check you want to have, you need to have an implementation. There are two options here:
Copy one of the two templates (CL_CI_TEST_ROOT_TEMPLATE or CL_CI_TEST_SCAN_TEMPLATE)
Copy one of the existing SCI checks (they all start with CL_CI_) that already resembles the check you want, and modify where needed to make it your own check
The second option is easier to start with.
Hint: first take a good look at the Attributes of an existing check. Some have none (simple check), some have a few tick boxes, and for some you can have a full multiple selection as input. By using a multiple selection which you can fill in the SCI tool, you can avoid hard coding of your checks.
After the copy is done you have to go to the CONSTRUCTOR of your own check:
Important here is not to forget to double click on the message and to create the message text: from here the framework will read the description. The quoted description is just for yourself to be able to read the code better.
The CATEGORY has to refer exactly to the category class you have already created.
On the class level attributes make sure the always present attribute C_MY_NAME has the initial value of the class name of the check you have made.
Depending on the source class check of template you have copied more constant attributes need to be checked or changed.
The actual implementation of the check is to be done in the RUN method. The advantage of copying template or existing check will be obvious in this part, since the complex coding of scanning through source code or fetching other elements like table attributes is already there. You just need to modify when you want a check to fire.
Firing a check happens within the RUN method by invoking the INFORM method. This can be invoked as many times as needed. If not invoked then the check is passed (result zero).
The inform will pass the following to the SCI report tool:
Name of the test (your Z test set in the C_MY_NAME constant attribute you set above)
Point to the code line and statement where your check fired off
Severity level (error, warning, information)
Activating your category and check
To activate your category and check go to transaction SCI and select the menu Code Inspector / Management of / Tests.
Your test will be fully at the bottom since they are Z checks.
Activation of both category and check will not work in one shot.
First activate the category by selecting it and pressing Save. Next activate the custom check by selecting it and press Save.
The text in the description is taken from the text element in the DESCRIPTION that you have made in the CONSTRUCTOR.
Testing the check
After the activation the test is available in SCI. You can make new SCI variant for testing your check. Write a small test program where you are sure the check will fire off. Then run the SCI tool with your check variant to see that your check fires off properly. Now solve the issue and rerun the SCI tool to make sure the check does not fire off any more.
Embedding in SCI and ATC
If your tests all have passed, don’t forget to activate your check in your global SCI variant.
By updating the global SCI variant used in the ATC tool, your check is automatically done as well in the ATC global and local runs.
Finalizing the checks by proper documentation
To make your check look like standard SAP ones you need to spend some time on online documentation of the checks.
First start to document your custom check. To do this start transaction SE61 to create the help text. Switch the Document Class field to Class attribute. Then in the document field put in your Z class for the custom check and for attribute fill out 0000.
Press create and enter your specific help text:
Hint: copy text from standard SAP help text that you like: this saves you lot of time in the lay-outing
Save and activate and your help text is done.
Now you can setup the help text for you own category.
The basic principle of help text is the same, but now you want to hyperlink in the category text to the detailed check help text. This is bit tricky if you don’t know how. To do this select the menu entry Include / Link. The following screen will appear where you can search the referenced check and set up a text for the description:
The end result in the editor is bit ugly since the above nice input screen is translated into technical terms:
In the category help text you can list now all you checks in this way.
End result in the SCI tool help icon will look like this:
The detailed check appears light blue like hyperlink: and it is! If you click it you jump from the category help text straight to your custom check help text.
How to activate the attributes?
You can have attributes for your own check which you can fill out on the SCI screen, and that will be passed to your test.
For this feature to work, you must do following:
Set the HAS_ATTRIBUTES flag to true in the CONSTRUCTOR
Implement the IF_CI_TEST~QUERY_ATTRIBUTES method to define the attributes (tick boxes, fields, multiple selection options) and the text of the attributes
Implement both the GET_ATTRIBUTES and PUT_ATTRIBUTES methods
Hint: by copying right SAP SCI check class that resembles your wanted check, you also will also copy the elements above. Just need to modify it to your own needs.
This blog will explain you the ATC tool to manage your complete custom code base. The name ATC is bit misleading: officially the name is ABAP Test Cockpit, but the tool has nothing to do with test management. It is a code profiling tool.
This blog will answer questions like:
How do I scan my complete custom ABAP code base for issues?
Can I scan custom ABAP code for a complete project?
What is my state of quality of my complete ABAP code base?
The SCI SAP code inspector is nice, but how can I enforce it?
How can I use ATC in the peer review process?
How can I prevent an ABAP workbench from being released if the coding is not ok?
Does the ATC tool replace a peer review?
How do I organize the implementation of the ATC tool in my organization?
How is ATC used in S4HANA migration?
Setting up the ATC tool
Setting up the ATC is quite simple. Just launch transaction code ATC:
Then choose the Configure ATC entry on the screen.
The ATC tool runs on top of the SAP code inspector (SCI). This must be setup first. Choose the variant you have created here as Global Check Variant.
To enable peer review set ATC exemptions to Yes.
If you want to integrate ATC with transport system: set the behavior on Release to either information or error. Be aware that if you set this setting to Error, the transport mechanism will run the ATC tool and will completely block release and transport if any prio 1 or 2 item is found! Only when the issues are solved or exempted, the transport will be released.
This is a great feature for enforcing code standards, but do not switch it on after you have some experience with the ATC tool and your developers are used to the process. Switching it on should also be clearly communicated to basis team and all consultants working on the system. They should be aware of the block coming when releasing transport in SE10 (the description of the block is bit cryptic):
Running the ATC tool
The ATC tool can be run in two different modes:
Globally by development lead for complete custom code base
Locally by developer for one or more of his objects
Running ATC tool globally
To run the ATC tool on all custom code you need to select the Schedule Runs in the ATC tool menu.
Before you can run the tool, you have to create a Run variant. In the setup of this variant it is very important to select the right packages. For custom code only put in Z* in the package selection. If you have projects doing development in separate packages, it is possible to setup a dedicated project variant for that Z project package only.
If you have chosen to use the exemptions and allow pragma’s to be used by the developers, do check the help text in Handling of pragma’s carefully before making a selection.
After the variant has been created, you can now select is and press the Schedule button:
In the next screen before hitting execute, please make sure you have checked the number of processes versus your system hardware. The default value of 10 is pretty aggressive and is assuming a large development system. Use transaction SM50 to check the amount of dialog processes on your system. Don’t fill in more than half the amount of DIA processes than your system has. If you do you might find an angry basis admin at your desk asking you why you are completely filling up your system….
After the executing starts a batch job is triggered, which will fire off as many dialog processes as you have indicated. The amount of time the job takes depends on:
Amount of Z code in your system and selected in your variant
Amount of processes chosen and infrastructure power you have
Using HANA or not (complete code base scanning on HANA runs amazingly fast: full code base of 1000 Z objects with 10 parallel processes can finish under 10 minutes. Running same on slow non-HANA system can run over 8 hours in the night.)
You can use the ATC run monitor to see if your run has finished:
Result of ATC run
When the run is finished go to the Manage Results entry in the ATC menu.
Here you can see the results and the statistics of the results of your run.
If you are working in an agile devops environment this overview screen is very nice. If you run the ATC tool daily or weekly, this can immediately provide you with the needed code quality KPI statistics for the ongoing sprint.
If you select the run results you get a list sorted by priority. Selecting one of the findings will give you the details of the finding (code positing, explanation of reason of the finding):
Double clicking on the object name will immediately jump you to the code program point where the finding is found.
Running the ATC tool locally
The other option is to run the ATC tool locally. In each editor you can call Program/Check/ABAP test cockpit to run the ATC for you specific program.
If you work in Eclipse, you can also run ATC by selecting Run/Run as/Abap test cockpit.
Fixing ATC issues
The easiest way of fixing ATC is simply taking away the root cause. In some cases this simply isn’t possible. Reason can be: you have to select data without full key and ATC is detecting this as error. If agreed upon, you can use the corresponding pragma to suppress the finding in the results. Best practice here is to add a comment line why the pragma was used.
Another sample program:
REPORT zpragma.
DATA: zgs_mara TYPE mara.
* need all for demo, suppress with pragma
SELECT MATNR FROM mara INTO zgs_mara. "#EC CI_NOWHERE
ENDSELECT.
The corresponding ATC result looks like this:
As you can see the error for having no selection clauses is not shown. It is suppressed with the #EC CI_NOWHERE pragma.
The ATC is still throwing issues: there is no check on SY-SUBRC. If needed the ATC tool suggests to use the #EC CI_SUBRC pragma.
Practical use of pragma’s
If you want to allow the pragma’s or not is up to you. The ATC result list can be configured to simply ignore the pragma’s. Best practice is to allow the use of pragma’s, but to demand comment line with explanation. Some pragma’s (like the previous example of not checking sy-subrc) you might suggest not to use at all.
If the issues in ATC cannot be solved by changing the code or using the pragma, the last resort it to request an exemption.
This can be done on the detailed screen of the ATC finding:
Upon requesting the system will ask you to fill out why the exemption is needed:
The approver need to be configured in the ATC overview screen. Only the exempters in that list will be shown here.
Unfortunately the ATC tool forces you now to enter a fixed name here. You cannot send the exemption to the group of approvers.
Judging the exemption
If the admin allows to setup mail on your development system you are lucky and get a mail (if configured in the ATC main configuration screen). If not, you either have to check regularly or ask the developers to tell you if they have submitted and exemption.
In the ATC main screen select the Exemption Browser select the exemptions for which you are the approver:
You get a list of items for you to approve, reject or return to the requester.
Again here: if you don’t have mail system, send a signal to the requester that you did an action.
Dealing with old ABAP code
If you have to perform a change to ABAP code that is created before you implemented the ATC tool, the tool might highlight a lot of issues that are in the old section of the code. Should you fix these issues as well? This depends on the size of the coding and the organizational agreements you make. Typically if the coding is very small (user exit with 20 lines) it is common just to fix it. If the coding is large, best practice is to ignore the findings of the ‘old’ code: it is simply too dangerous and too much work to fix it. Or you can work with the baseline option (see this dedicated blog).
ATC tool versus peer review
The ATC tool does not replace a peer review. It is a tool to speed up the peer review, since the tool takes away the burden of the more technical checks like naming conventions, checks of use of SY-SUBRC, are hard coded text replaced by text symbols etc.
Peer review tasks that cannot be done by the ATC tool:
Judgement if the development itself makes any sense
Judging use of comment lines (sufficient?)
Judging if the coding is structured in readable way: future maintenance can be done easily
Correct use of pragma’s
….
Implementation of the ATC tool in your organization
The ATC tool can be implemented in every organization.
Steps to do:
Organize your code standards: have them documented and approved. This is the basis for the setup of the SCI variant you want to run in the ATC tool.
Deploy the SCI tool in your developer community and make sure they understand and run the tool consistently. This is also the time you can fine tune the outcomes of the SCI tool.
Now setup the ATC tool without Exemptions and without transport block. First run the tool globally only yourself to see and understand the ATC tool results and statistics. This will get you a feeling on how long the tool runs on your system and how many exceptions it will report.
Consider if you want to use the pragma’s fully, partially or not.
Set up the Exemption users and organizational agreements (like dealing with old code).
Start to communicate the use of the ATC tool to your developers. If you didn’t think about the pragma’s and the exemption process you will very soon receive many questions from the developers.
If the ATC process with exemptions is running stable, if you want you can now turn on the transport block to avoid any bad code from being released.
From step 1 to step 7 can take several months depending on the speed you can organize, agree and communicate the usage of the standards and tools. Don’t rush it without having the proper communication and organization.
Reorganization of ATC data
If you have large custom code base and run ATC often, the results table SATC_RT_RUN_EXE might get large and your system admin might complain to you about it. If this is the case you can schedule clean up program SATC_AC_REORG_REPOSITORY on weekly basis.
Running ATC central for more systems or against older versions: remote ATC
If you want to run ACT centrally for more development systems, or against an older SAP version not yet enabled for ATC: please read this blog on remote ATC.
ATC settings logging
The ATC setting changes are not logged. The logging is needed if you have a large crew of ABAP developers and apply the rules strictly (for example if you use the option to give an Error on transport release with ATC). To achieve this, switch on table logging for table TRCHECK.
