Saptechnicalguru.com

Blog for SAP technical guru's: SAP basis, SAP security and authorization, SAP ABAP, SAP Focused Run

Category: Basis

Preparation for SAP upgrade or support package

This blog explains the preparation you can do for an SAP upgrade or support package.

Questions that will be answered are:

  • Where to find support package schedule?
  • Where to find version information on upgrades?
  • Do I need to do delta sizing for upgrade?
  • Do I need to perform extra preparation steps for an S4HANA upgrade?
  • Determining the version: why not to use the latest minus one?

Latest available main version for upgrade

For the latest available version you can check the SAP product availability matrix site. This is also known as the SAP-PAM.

After finding the right product on the first tab you can see the current release details and end of support date.

PAM details release and support dates

On the second tab you see the upgrade paths that are supported:

PAM details upgrade paths

In the middle is the target version. On the left are the versions from which you can upgrade. To the right are even higher versions you can upgrade to.

Also check the supported Linux versions here. You might be surprised: you often need to upgrade the operating system first before you can upgrade your application.

The same goes for the HANA database or database version: newer releases of functional software will force you to upgrade your database as well (or to upgrade the database first).

Latest available versions of support packages

The latest available versions of support packages are published by SAP on the SAP support package stacks page. On this page click on the SAP support package stack maintenance schedule link to download the latest version of the schedule.

Support package version: minus one or latest?

In many companies there is a policy to never take the latest version of a support package. The line of thinking is: let other people solve the bugs of SAP first.

The current delivery of ABAP support packages is quite good, and the frequency is not as high as in the past. For ECC about 2 to 3 support packages per year are released (as compared to 6 to 9 in the past in the 4.6 ages).

Instead of taking minus one, you can also consider this rule: at the point of go-live make sure that the support package was released at least 3 months ago. This will counter the risk of having an issue which has not been discovered by anyone else before.

People using the rule minus one without thinking should not be trusted. It is like going to Apple and insisting on iPhone 11, because you don't trust iPhone 12 and use the rule minus one...

OSS notes in a support package

How to find the OSS notes in a support package? Follow the instructions listed in OSS note 2015094 – How to Find which Notes are in a Support Package. The unfortunate thing is that it lists all the OSS notes, including the notes for functionality you are not using (which is most likely 80% or more).

Delta sizing

Delta sizing for support packages is not needed. Delta sizing for an upgrade might be required if:

  • Upgrade crosses multiple versions (for example upgrade from Netweaver 6.20 to Netweaver 7.51)
  • Upgrade is including a new database (for example migration to HANA database)
  • Specific upgrade manual is specific about delta sizing (for example the upgrade from SAP solution manager 7.1 to 7.2 is specific enough to carry out delta sizing)
  • For ECC to S4HANA conversion

Custom code

For analyzing custom code before the upgrade you can use the CDMC toolset. For more information read this blog.

Also use the clone finder to find clones. You might need to delete the clones or adjust them after the upgrade. More information on the clone finder tool can be read in this blog.

Releasing transports and cleaning up transport pipeline

For both a support package and an upgrade, releasing transports is a technical must. It is wise to start cleaning up the transport pipeline a few months beforehand (transports that are old and not released in the development system, transports that are imported into the quality environment but not imported into the productive system).

Check the clients

Check if you still have client 001 or 066. If yes, consider deletion. See dedicated blog.

BI queues

During the upgrade all BI queues must be empty. Check it upfront and/or delete them. For more information on BI queue deletion, read this dedicated blog.

Inactive code and data dictionary objects

Before upgrade or support pack can start all code and data dictionary objects must be activated or deleted.

In some rare cases there are inconsistencies in the data dictionary objects. Check table DWINACTIV in this case.

See also OSS note 538167 – Active objects are displayed as inactive. Inconsistencies can be cleaned up with program RS_WORKING_AREA_CONSISTENCE.

Side effect report for support packages

Per support package SAP keeps track of the unwanted side effects. OSS note 2388572 explains how to retrieve them for your support package. It is best to scan the side effects and apply the ones you think are needed.

For upgrades the side effects list is too large: here you simply need to test and fix any issues encountered.

New functions

After the upgrade you can start to use new functions. Some main functions are listed in the SAP help pages. The lesser-known small features are listed by SAP in the SAP improvements finder xls. This xls has 2 tabs: the first with the most recent improvements and the second with the long list of improvements since 2014. Per improvement you need to check the pre-conditions of release and support package, but if you upgraded to a recent version, most of the improvements will be installed. Some improvements are always active, some need extra activation steps. This is documented per improvement item.

New security parameters

After an upgrade (not support packs) new security parameters can be introduced to SAP. Prepare already which ones might impact you. For S4HANA upgrades and new security parameters read this dedicated blog.

S4HANA upgrade preparations

If you are upgrading your existing S4HANA system, read this dedicated blog on S4HANA upgrade preparations. And run the readiness check: read this blog.

S4HANA conversion preparations

An upgrade from ECC to S4HANA requires a different approach. In this upgrade also the simplification items and custom code migrations must be done. Read more in this dedicated blog.

For more S4HANA conversion preparations, read this blog.

Aftercare after upgrade

For aftercare after upgrade or support package read this blog.

Author: saptechnicalguru. Posted on 3 November 2017 / 27 December 2024. Categories: Basis, Upgrade. Tags: support package, upgrade.

ANST: automated notes search tool

This blog will explain one of the most useful new tools from SAP when having to find bugs in standard SAP coding. The ANST (automated notes search tool) is not receiving the recognition that it should get. In usability it is as easy as the SNOTE tool.

If you love SNOTE you will also love the ANST tool! Just try it out.

Questions that will be answered in this blog:

  • What is the ANST automated notes search tool?
  • How does it work?
  • Why should I always use this tool before submitting an incident to SAP?

ANST (automated notes search tool)

The ANST tool can help you in:

  • Quickly finding OSS notes for your issue
  • Checking if your Z code is causing the issue or dump, or if it is a standard SAP issue

OSS note 1818192 is the ANST FAQ note which also has the minimum version. This note also has an extensive explanation. The how to use below is just a summary.

OSS note 2605555 also contains an excellent PDF inside as attachment, that gives a step by step manual.

How to use the ANST tool?

Start transaction code ANST.

ANST start screen

If you launch it for the first time you might get an error "ANST001 Fatal Error. Customizing table is not filled". If this is the case follow the solution steps in OSS note 1909768.

In the transaction code box key in the transaction where you have the issue. As example we will use transaction code S_BCE_68001417 (search for authorizations by complex criteria). The user admin is complaining about an incorrect number of selected authorizations that are shown in that transaction.

So key in the transaction code and description (you can keep it same).

Now press execute: the transaction will be called. In the authorization object screen fill out S_DEVELOP and execute again to get the results:

Initial S_BCE_68001417

Now leave the transaction recording.

In the left bottom of the screen you can see the recording being written into the trace file:

Create trace file

Depending on the complexity and number of screens you have passed, this can take 1 to 10 minutes.

The result is shown after the trace file. The result is sorted per SAP module. If you open the details, you can also see the exact program blocks that were hit during the recording.

ANST trace result list per module and program block

Now you can select the modules (if wanted, specific code blocks) where you think the issue is. After selection hit the Note Search button. The SAP system will now connect to SAP service marketplace and look for the most recent notes for your version, which have not yet been implemented.

Note search result

The middle note seems to be very relevant. From this screen you can already link to the note (click on the note number) and start the download to SNOTE.

Tips on the selection of the components:
1. Never select more than 1000 components: ANST will reject this
2. The fewer components you select, the faster you get results, and the shorter the list of potential notes as well
3. If you want you can later retrieve the recording and make a different search on different components: no need to re-record
4. Most of the times you can ignore the basis and cross application and basis notes
5. Run the recording and the result together with your functional consultant: he can help filter the components and select useful notes

Changing settings for maximum amount of notes

Especially in the basis or core ABAP area you will notice that ANST cannot read more than 1000 notes at once. This is a default setting you can easily change. In the main ANST screen hit the Settings button and scroll to the right to increase the maximum notes number:

Using ANST to analyze short dumps

The ANST tool can be used as well to analyze short dumps. Just start the ANST tool and run the steps including the step where the dump occurs. After the dump the ANST tool will trace the modules including the point where the dump occurs.

Make sure OSS note 2535278 is applied: this contains bug fix for the short dump case.

Checking for customer code issues

After the trace file is generated and you have searched for OSS notes, there can still be an issue caused by your own customer code. To exclude this (or to check it anyhow), you have to use the button Customer Code from the trace result screen with all the components. Be a bit patient while the tool is scanning for modifications, user-exits, BADI implementations and enhancement spots it came across in the recording.

If you want to analyze implicit and explicit enhancements as well with ANST you must apply OSS note 2408785 first.

ANST clickable demo

SAP has made a nice clickable demo to show you how it works: link to demo.

Use of ANST tool before submitting incident to SAP

Even if the ANST tool does not help you find the correct OSS note for your issue, the ANST tool can help you speed up the incident resolution by SAP.

If you want to report the issue to SAP as an incident download the ANST trace file. If you report the incident mention:

  • ANST tool is used and add the recording
  • Add list of already implemented OSS notes
  • You already checked for customer code

With this information the first line processor will have a quick job assigning the incident to the real issue solvers in Walldorf. This will save you valuable time, since the first line normally comes with a simple list of notes, or also runs the ANST tool themselves, and then comes with obvious notes.

Increasing the maximum number of objects limit

If you are using the ANST tool on a transaction with many objects (for example ME21n purchase order), you will notice that you cannot search for more than 1000 objects at the same time. Then you have to open a subsection, select a subtree and run the search more than once with different selections. But sometimes one node really expands into more than 1000 objects. In this case, you best increase the maximum object limit. In the ANST start screen choose the Settings button and increase the Max.Object counter on the far right of the settings (scrolling required).

ANST max notes search settings

Needless to say, more objects do take more time to analyze. But it is worth the wait.

Relevant OSS notes

Some interesting OSS notes to review:

  • 2383525 – ANST – How to use ‘Trace On/Off’ option
  • 2735032 – ANST: Scan Source Code for Implicit Enhancements
  • 3127184 – How to deactivate ANST
  • 3205109 – ANST: Adding Document Type to input file parcel box scenario

When analyzing very large transactions, you might face CX_SY_CONVERSION_OVERFLOW dump. For workaround read this OSS note: 2921867 – ANST: Dump “CONVT_OVERFLOW” “CX_SY_CONVERSION_OVERFLOW”.

Other errors and bug fix notes:

  • 3007273 – Note Analyzer integration into SNOTE

  • 3102008 – ANST error Web trace cancelled by the user Message No. ANST004
  • 3200710 – Text symbol 008 is an original text and cannot be deleted or renamed
  • 3167427 – ANST: Improvements to Note Search Output Result
  • 3321871 – ANST: To fix CONVT_OVERFLOW error while performing trace

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it. Also apply OSS notes 2730525 – Consuming the Note Search Webservice and 2818143 – SEARCH_NOTES- Implementing SOAP Based Note Search.

And: 2829951 – Error while calling ANST Note Search WebService.

ANST for web applications and FIORI

ANST can also be used for web applications and FIORI. See this blog.

Author: saptechnicalguru. Posted on 27 October 2017 / 16 August 2024. Categories: ABAP, ANST, Basis, OSS notes, Short dumps. Tags: OSS notes.

Retrieving actual detailed SAP component information

This blog will explain how to retrieve actual detailed SAP component information.

Questions that will be answered:

  • How do I get detailed system component information?
  • How do I download these to compare them across the landscape?

System / Status

The simplest way of getting installation component information is by using the menu System/Status. Then click on the Status details button:

System status details

Now the installed software components and product versions will be shown:

In S4HANA systems, you might not get all the details, or you might get an authorization error. The information display in S4HANA requires extra authorizations for object S_SYS_INFO. The background is explained in OSS note 2658772 – System -> Status: Restriction of the available information.

Getting the details as download

The system status details cannot be downloaded. If you want to compare the software components in detail across your system landscape (sandbox, development, test, acceptance, productive, training etc environments), you are in need of these details in downloadable format. With the downloaded data it is easy in Excel to compare all details.

To get the details go to transaction SE37.

For the installed software use function module OCS_GET_INSTALLED_SWPRODUCTS. Execute it and click on the ET_SWPRODUCTS outcome table.

Installed products via OCS_GET_INSTALLED_SWPRODUCTS

For the details on all installation components and support pack status use function module OCS_GET_INSTALLED_COMPS. Execute it and click on the TT_COMPTAB:

Installed components via OCS_GET_INSTALLED_COMPS

In an ECC system this list will be very long. Use the option System / List / Save as / local file to download the complete list in text format.

Warning: don't rely on the content of table CVERS. In the past this used to be reliable, but currently it is not any more. The warning from SAP not to rely on this is written in OSS note 2464887. The routines above read the PAT03 table, which holds all the installs, and then determine the most recently installed patch to show. S4HANA systems have both table CVERS and CVERS_ACT for activated components...

Retrieving component information via SQF

You can also retrieve the component information via the Support Query Framework (SQF). Start transaction SQF and launch the Installed Components and Support Packages query:

The query runs fast; double-click the line to see the results:

SPAM clean up

In some cases inconsistencies can be removed by running RSSPAM15 (SPAM clean up program). This program does multiple cleanups. Some part is CVERS updates.

OSS notes

  • 3198770 – After removing a software component, product version details still appears in ‘Installed Product Version’
  • 3390139 – Reported system information (installed software components or products) is missing or incorrect

Author: saptechnicalguru. Posted on 20 October 2017 / 28 March 2025. Categories: Basis. Tags: component information.

SAP GUI patching

This blog will zoom in on SAP GUI patching.

Questions that will be addressed are:

  • Where can I find the latest SAP GUI patch availability status?
  • Where can I find the planning for SAP GUI patches?
  • What should be my SAP GUI patch and upgrade policy?

SAP GUI latest patch availability overview and future planned patches

One of the best places to check the latest available patch is the SAP blog: SAP GUI latest patch. This site also contains the planning for the next upcoming patch.

More on the new SAP GUI 8.0 can be found in this blog.

Current SAP GUI support overview

The SAP GUI support dates are published by SAP in OSS note 147519. Note 66971 – Supported SAP GUI platforms contains the supported platforms. This is important when a new Windows platform (like Windows 11) is released as well. The expected release dates for GUI patches and versions for Windows are listed in OSS note 1053737 – Expected release dates for SAP GUI for Windows.

GUI integration testing

When upgrading and/or patching SAP GUI, consider the following elements as well:

  • Chrome or Edge integration and browser support
  • Office integration
  • Use of GUI scripting
  • Use of SAP screen personas
  • Use of ACF (active component framework)

Corresponding NWBC backend OSS notes

When patching the NWBC front end, or when using NWBC html client, you should also check for server side corrections. The list of most recent note(s) to be applied is kept in OSS note 1353538 – NWBC -Patch Collection- SERVER SIDE (ABAP)+NWBC for HTML. To retrieve your current NWBC backend server patch version follow the instructions in OSS note 1864151 – How to determine the version and Patch Level of NWBC Runtime Environment.

SAP GUI patching policy

SAP GUI and its patches tend to have very short support timelines. An SAP GUI version nowadays is only supported up to max 2 years after release. The reason behind this: the SAP GUI builds on top of Windows components which have a very short support cycle.

If your company policy is to always have supported IT software, you will have to plan and execute an SAP GUI upgrade almost yearly to stay within full SAP support. Put it on your yearly budget and execution calendar as a recurring item.

If you don’t want to go into this yearly effort of testing, packaging and deploying the SAP GUI to your end users, you can opt out of it, as long as you are aware of the consequences. Just make sure of the following two main items:

  1. Inform your IT management and service managers that you run the GUI without support, and make sure they approve it.
  2. Check with your Windows team that they will still have the libraries on the Windows desktop/laptop that the SAP GUI needs.

Author: saptechnicalguru. Posted on 13 October 2017 / 15 November 2023. Categories: GUI. Tags: Patch, SAP GUI.

SAP system hacking using RFC jump

This blog will explain SAP system hacking using the RFC jump method. It will show the simplicity of the hack, and tell you what to do to prevent this method from being used on your SAP system.

Questions that will be answered:

  • How does the RFC jump SAP system hack work?
  • How do I check all my RFC’s for this weakness?
  • What can I do to prevent this hack from happening on my system?

RFC jump hack background

SAP uses RFC connections between SAP systems to send and receive business data. For example the BI system will pull data from the ECC system via an RFC connection. The SAP solution manager system is fed from the ECC system via an RFC connection. Another example is an SAP netweaver gateway system serving SAP FIORI tiles.

In the RFC setup the system admin will have to set the connection details and its logon method. The logon methods can be:

  • Current user via logon screen
  • Current user via trust logon screen
  • Fixed user ID: dialog user ID or background user ID

The first method with logon screen will prompt for user ID and password and is not useful for hacking.

The trusted connection will check the rights in the other SAP system using your own user ID and privileges.

The RFC’s with fixed user ID’s will use the user ID and privileges of the user ID in the RFC connection, together with the password entered by the admin. So you don’t even need to know the password…..

3 methods of misusing the RFC jump

3 methods of misusing the RFC jump will be explained. All of the scenarios start from an already compromised system.

RFC jump explained

You have gained access to an SAP system, which in first instance is less important. For example by using standard SAP passwords (see blog on this topic).

1. Using the weakness to jump from one system to another: named dialog users in RFC

Now you start to scan the RFC’s of this server in SM59.

RFC with admin password

You notice that there is an RFC to another system which has the user ID and password of the system admin. You now simply click the remote logon button and you jump to the other system.

Remote logon button

You are logged on now into this system with the user ID and privileges of this other user ID. From this system you can even jump further.

This way you could go from a development to productive server. Or from a BI to an ECC server. Or from Solution manager to ECC productive server.

2. Using the weakness to jump from one system to another: named background users in RFC

The jump will not work if the user ID in the RFC is a background user ID. One example here is the ALEREMOTE user in ECC, which is used by the BI system to extract data from ECC. Since this user has to pull a lot of data and needs a lot of privileges, this user ID is sometimes given SAP_ALL privileges.

If this is the case the hacker can still misuse this RFC. In the hacked system he goes to transaction SE37 and creates a test function module sequence consisting of 2 calls: BAPI_USER_CHANGE and BAPI_TRANSACTION_COMMIT.

function modules

The first call will have the input to change user ID ALEREMOTE user type from B (background) to type A (dialog). The commit is needed to actually confirm and push the change to the database. Once the sequence is setup the hacker will use the test function to fire the sequence. In the testing the hacker will put in the RFC with the ALEREMOTE user. Now this sequence will be fired with the privileges of the ALEREMOTE user (it has SAP_ALL). So it will then itself change its own user type remotely…. After this is done the dialog jump will work from the remote system and the hacker comes into the system with user ALEREMOTE and the attached SAP_ALL rights.

3. Using the weakness to jump from one system to another: trusted RFC’s

If you have taken over one system and you see a trusted RFC towards another system this can be misused for hacking.

Trusted connection

But you need extra information. If you know the user ID of the admin in the target system, set up the user ID in the system already taken over, or if it is already there reset the password. Then log on to the taken over system with the admin user ID. Go to SM59 to the trusted connection. Click remote logon and you jump to the other system without having to log on, but with the user ID and privileges of the admin.

For setup of trusted RFC’s read this blog.

How to detect the jumps which are misused?

The complexity in detection is not to detect the jumps themselves, because there is also good use of the jumps (via the trusted RFC’s), but to detect the misused jumps. This is hardly possible.

Detection can be done for the user changes executed by background users. Detection could also be done by tracking a terminal ID that suddenly switches user ID.

The SAP audit log can help you find traces of what has happened, as a detective, after-the-fact method. But it will not help you detect or prevent misuse.
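
The two detection ideas above, as an added example (not code from this blog or from SAP): a Python sketch that runs both checks over a constructed, already normalized event list. The field names (ts, terminal, user, event, target), the event labels and the user-type lookup are assumptions; map them from your own audit log export and user master data.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and event labels are assumptions for
# this sketch; they are not the SAP security audit log layout.
# USER_TYPES must be a baseline snapshot taken earlier: a user that changed
# its own type to dialog would otherwise hide itself from the first check.
USER_TYPES = {
    "JSMITH": "A",       # A = dialog
    "BASISADM": "A",
    "ALEREMOTE": "B",    # B = background, as in the text
}

EVENTS = [
    {"ts": "2024-05-01 09:00:05", "terminal": "PC-0142", "user": "JSMITH",
     "event": "LOGON", "target": ""},
    {"ts": "2024-05-01 09:12:40", "terminal": "PC-0142", "user": "ALEREMOTE",
     "event": "USER_CHANGE", "target": "ALEREMOTE"},
    {"ts": "2024-05-01 09:14:02", "terminal": "PC-0142", "user": "ALEREMOTE",
     "event": "LOGON", "target": ""},
    {"ts": "2024-05-01 10:30:00", "terminal": "PC-0077", "user": "BASISADM",
     "event": "LOGON", "target": ""},
    {"ts": "2024-05-01 10:31:10", "terminal": "PC-0077", "user": "BASISADM",
     "event": "USER_CHANGE", "target": "JSMITH"},
    {"ts": "2024-05-01 15:45:00", "terminal": "PC-0077", "user": "JSMITH",
     "event": "LOGON", "target": ""},
]

USER_ADMIN_EVENTS = {"USER_CREATE", "USER_CHANGE", "USER_UNLOCK"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def background_user_changes(events, user_types):
    """User master changes executed by anything other than a dialog user."""
    findings = []
    for ev in events:
        if ev["event"] not in USER_ADMIN_EVENTS:
            continue
        # Unknown actors get type "?" and are reported as well (fail closed).
        actor_type = user_types.get(ev["user"], "?")
        if actor_type == "A":
            continue
        findings.append({
            "ts": ev["ts"],
            "actor": ev["user"],
            "actor_type": actor_type,
            "target": ev["target"],
            # A technical user changing its own record is the strongest signal.
            "self_change": ev["target"] == ev["user"],
        })
    return findings


def terminal_user_switches(events, window_minutes=30):
    """Logons where one terminal changes user ID within the time window."""
    window = timedelta(minutes=window_minutes)
    logons = sorted(
        (ev for ev in events if ev["event"] == "LOGON"),
        key=lambda ev: datetime.strptime(ev["ts"], TS_FORMAT),
    )
    last_seen = {}   # terminal -> (user, timestamp of last logon)
    findings = []
    for ev in logons:
        ts = datetime.strptime(ev["ts"], TS_FORMAT)
        previous = last_seen.get(ev["terminal"])
        if previous and previous[0] != ev["user"] and ts - previous[1] <= window:
            findings.append((ev["terminal"], previous[0], ev["user"], ev["ts"]))
        last_seen[ev["terminal"]] = (ev["user"], ts)
    return findings


if __name__ == "__main__":
    for hit in background_user_changes(EVENTS, USER_TYPES):
        print("user change by non-dialog user:", hit)
    for hit in terminal_user_switches(EVENTS):
        print("terminal switched user:", hit)
```

The time window matters on shared terminals: the second terminal in the sample is used by two people hours apart and is only reported when the window is widened.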

How to scan your RFC’s for potential misuse?

SAP provides a program to check RFC’s for weak settings: RSRFCCHK.

Running this program will leave system log messages: see OSS note 2724967 - Program CL_SAIS_ Reports Security Breach notification when running program RSRFCCHK.

When you start the program, select all the destinations and optionally the connection test to see if the connections work at all.

RSRFCCHK program

The result will give you a list of potentially dangerous RFC connections and the user ID’s used.

RSRFCCHK program result including connection test

This you can use as a work list for checking.

Read more on RFC security checking in this blog.

Apply note 3283474 – Adjustment of authorization for program RSRFCCHK to upgrade security of program RSRFCCHK itself.

Protection measures

Protection is possible by a series of actions (a single action will not be sufficient):

  • Access restriction. Restriction of access to SU01 user management and SM59 RFC setup. Not only on main systems, but also on connected trusted systems.
  • Remove SAP_ALL and user rights from background and RFC users.
  • At least yearly scan systems for wrongly setup RFC’s and delete them.
  • Instruct basis team never to put in their own account into an RFC connection.

The toughest misunderstanding is with some security and control teams themselves. They heavily underestimate the danger of the trusted connections. They come with statements like “we focus on production only”, or “that system is not part of our compliance XYZ framework check”.

Basic golden principle:
The trusted system must have the same protection level and control measures as the system it is connected to.
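
To turn the RSRFCCHK result into a work list along the protection measures above, the rules can be written down as checks. This is an added example, not code from this blog or from SAP: the inventory is constructed, and its field names, destination names and protection levels are assumptions to be filled from your own RSRFCCHK result and user master data.

```python
# Constructed inventory of RFC destinations. Field names, destination names
# and protection levels are assumptions for this sketch.
PROTECTION_LEVEL = {"DEV": 1, "QAS": 2, "PRD": 3}

DESTINATIONS = [
    {"name": "ECC_PRD_ADMIN", "source": "DEV", "target": "PRD",
     "logon": "fixed_user", "user": "BASISADM", "user_type": "A",
     "profiles": ["SAP_ALL"]},
    {"name": "BI_EXTRACT", "source": "QAS", "target": "PRD",
     "logon": "fixed_user", "user": "ALEREMOTE", "user_type": "B",
     "profiles": ["SAP_ALL"]},
    {"name": "IDOC_OUT", "source": "PRD", "target": "QAS",
     "logon": "fixed_user", "user": "RFC_IDOC", "user_type": "B",
     "profiles": ["Z_IDOC_MIN"]},
    {"name": "SOLMAN_TRUSTED", "source": "DEV", "target": "PRD",
     "logon": "trusted"},
    {"name": "PRD_PEER_TRUSTED", "source": "PRD", "target": "PRD",
     "logon": "trusted"},
    {"name": "SANDBOX_TRUSTED", "source": "SBX", "target": "PRD",
     "logon": "trusted"},
    {"name": "SUPPORT_MANUAL", "source": "DEV", "target": "PRD",
     "logon": "logon_screen"},
]

# Finding code -> action, taken from the protection measures in the text.
ACTIONS = {
    "DIALOG_FIXED_USER": "remove the dialog account from the destination",
    "SAP_ALL_FIXED_USER": "remove SAP_ALL from the background/RFC user",
    "TRUSTED_FROM_LOWER_LEVEL": "raise the trusted system to the same "
                                "protection level or remove the trust",
    "UNRATED_SYSTEM": "classify the system before it is trusted",
}


def review_destination(dest, levels=PROTECTION_LEVEL):
    """Return the finding codes for one RFC destination."""
    findings = []
    if dest["logon"] == "fixed_user":
        # Stored dialog user: remote logon works without knowing the password.
        if dest.get("user_type") == "A":
            findings.append("DIALOG_FIXED_USER")
        # Over-privileged stored user, whatever its user type.
        if "SAP_ALL" in dest.get("profiles", []):
            findings.append("SAP_ALL_FIXED_USER")
    elif dest["logon"] == "trusted":
        src = levels.get(dest["source"])
        tgt = levels.get(dest["target"])
        if src is None or tgt is None:
            findings.append("UNRATED_SYSTEM")
        elif src < tgt:
            # Golden principle: the trusted side may not be weaker.
            findings.append("TRUSTED_FROM_LOWER_LEVEL")
    # Logon-screen destinations store no credentials: nothing to report.
    return findings


def build_worklist(destinations, levels=PROTECTION_LEVEL):
    """Map destination name -> finding codes, skipping clean destinations."""
    worklist = {}
    for dest in destinations:
        findings = review_destination(dest, levels)
        if findings:
            worklist[dest["name"]] = findings
    return worklist


if __name__ == "__main__":
    for name, codes in build_worklist(DESTINATIONS).items():
        for code in codes:
            print(f"{name}: {code} -> {ACTIONS[code]}")
```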

More RFC hacking: RFC callback hack

Next to the RFC attack methods above there is also the RFC callback hack, which uses the back direction to execute malicious actions. Read more in this blog.

Author: saptechnicalguru. Posted on 6 October 2017 / 16 August 2024. Categories: Basis, Hacking, RFC, Security. Tags: hacking, RFC, RFC hack.

Direct table maintenance versus transport

Some standard SAP tables are delivered by SAP as customizing tables with transports, but are logically and business-wise application tables that are maintained directly in production by business people. An example is the currency exchange rate table.

This blog will explain the option and best practices to overcome this.

Questions that will be answered:

  • What are current settings and how does it work?
  • When and how to de-customize a standard SAP table?

Current settings

Current settings is a bit of a hidden feature in SAP systems. Per customizing object you can select if it is using the current settings option or not.

To do this, start transaction SOBJ and select the customizing object or table. The current setting flag is indicated on the example picture below for the currency conversion rate table:

Direct table updates Current settings

The effect of the Current Settings is as follows: if the system client in SCC4 is set to “Productive” the transport flags are ignored, and the user can directly update the table and save the changes without transport request popup.

On a development or quality system the “Productive” setting is not there and the SAP system will prompt you for transport request. Especially on quality systems this can be quite annoying.

The current settings is therefore only a solution for tables that you and the business want to maintain directly on production, and not on a development and quality system. Background note on this side effect is 356483 – In test system, behavior of customizing objects which are editable in production i.e. Current Settings.

See OSS notes 2336175 – SPRO | modifiable | unwanted, 2442887 – SOBJ | How to assign object attribute Current Settings to a maintenance object or 3138477 – SM30 | SPRO | Client XXX has status ‘not modifiable’ | Client role Production for a full instruction.

De-customizing a customizing table

If you want a customizing table to be maintainable directly on development and quality systems, without transport request, you have to de-customize the customizing table.

Always ask for approval for the procedure below and document the tables for which this procedure was applied. Depending on your business security and regulatory requirements, more approvals and documentation can be needed.

The de-customization procedure

Step 1 starts with transaction SE11 to call up the table. This you have to do in the development system. In the delivery and maintenance tab the delivery class normally shows as type C (customizing).

Direct table updates Before customizing

Now edit and change it to type A (application):

Direct table updates After application

In most cases this will do the trick. The change itself you have to put in a transport request.

Step 2 would be to re-generate the maintenance view and de-activate the recording routine. This should look as shown on picture below:

Direct table updates check recording routine

Also this change must be executed on development system and must be put in transport request.

Step 3 is to move the transport request into the quality and later productive system.

See also OSS note 3139583 – SPRO | SM30 | SM34 | SV138 Check maintenance object xxx or update function group xxx.

Special cases

Below is a list of special cases and exceptions.

CO allocation cycles (KSU1 etc)

Via the procedure described in OSS Note 853601 – “ALLOCATION: Deactivating the automatic transport” you can leave all the allocation tables as-is and don’t need to apply the de-customization procedure or current settings.

RSA1 settings to avoid transport popup for BI objects

Some settings in RSA1, like process chain starters, you want to set locally per system. By default SAP asks you for a transport. In RSA1 you can overrule this. Select Transport Connection on the left hand side. Then select the button Object Changeability on top. In the popup right click on Not Changeable and set it to Everything Changeable for the items for which you don’t want a transport popup to come.

RSA1 local settings

Save your data.

SAP reference: click here.

Author: saptechnicalguru. Posted on 29 September 2017 / 25 August 2025. Categories: ABAP, Basis. Tags: current settings, direct table maintenance.

Set up custom IMG node

As a customer you will sometimes have the need to set up your own customizing tables. These tables you create in SE11 and mark as customizing tables, which means all updates must be done in the development system and are put in a transport. Your own customizing table can then be called from your custom programs, user-exits and enhancement points.

Managing these custom tables becomes increasingly difficult over the years. An elegant solution for this is to create your own IMG customizing setup and corresponding documentation. This way you can easily track which customizing custom tables you have and for which reason.

This blog will answer the following questions:

  • How to set up a custom IMG customizing tree?
  • How to link the tree into the real SAP customizing tree?
  • How to link the IMG entry to your customizing table?
  • How to document your custom IMG entry?
  • How to deal with issues in SAP IMG?

Preconditions for Z table

Your Z customizing table must have the following to be easily integrated into a customer IMG:

  1. Table has technical delivery class Customizing table
  2. Log Data Changes option is set to true in Technical Settings of the table
  3. Table maintenance generation has been done and table can be maintained in SM30

Setting up the custom IMG node as part of the SAP reference IMG

SAP has two ways of setting up extra IMG nodes:

  1. Via transaction S_IMG_EXTENSION
  2. Via transaction SIMGH

The best way is via S_IMG_EXTENSION. After an upgrade the IMG is renewed and SAP might overwrite your own entries. When using the S_IMG_EXTENSION option, SAP puts your entries aside and you can re-merge them after the upgrade.

After starting S_IMG_EXTENSION, you come into an empty screen. First you select the main IMG structure “SAP Customizing Implementation Guide” you want to enhance.

Next you need to create a custom Enhancement ID by clicking on the empty Enhancement ID search help. On the subsequent search screen click the Create button:

Custom IMG create enhancement ID

Attention: put the Enhancement ID generation into a real transport and not into $TMP.

Tip: after selection of the IMG structure node put it into your favorites list:

Custom IMG set favorite

On the main screen you now can select the new Enhancement ID. Then pushing the Enhance Structure button will bring you to the change screen of the IMG structure.

In here you select the node position where you want to add. Then select to add a structure node:

Custom IMG create new folder

The node is nothing more than a menu entry. You can add nested ones as well. Give the node a good descriptive name.

After the creation of the node, select it. Now you can add an activity as subnode.

On the first screen of the creation of the subnode you have to give the node an ID and a name. On the assigned documents you also give the document a name.

Custom IMG create new entry first screen

If you push the Create button you go to the maintenance of the IMG node help text:

Custom IMG custom help text for IMG node

This is the place to document the reason of your extra customizing table, how to fill it, and for example list all the user-exits and enhancement spots from which the table is called.

On the Maint.Objects tab we finally can link the real table.

Custom IMG img node to customizing table

In the customizing object enter the Z table (in this example the Z table is called ZZCUSTLINK). For maintenance type use SM30.

Save this entry and save the changes to the tree enhancement and you are done.

End result

Start the normal SPRO transaction and you can have a look at the end result:

Custom IMG end result

You can launch your customizing and see your documentation.

Tip: do spend time on grouping your tables into chapters and also spend time on the help text. This can save you lots of time. After 6 months, you normally would not remember the peculiar things of this Z table, why it was needed and how it should be used. You will then be happy that you properly documented it.

Using the custom IMG in customer generated project IMG’s

Some customers create their own project IMG based on the standard SAP IMG. Initially your custom IMG extension only shows in the standard IMG and not in the customer project IMG. To include the custom IMG into the customer project IMG start transaction SPRO_ADMIN. Go to the Scope section and click the Specify scope button. Now include the newly generated custom IMG objects:

Custom IMG include in customer IMG spro setup

After this is done, the Generate Project IMG button must be pushed to actually update the project IMG with your changes.

How to deal with issues in SAP IMG?

In some cases the SAP IMG has issues, such as missing nodes or unexpected entries. In most cases a corresponding OSS note can be found.

A common case occurs, for example, after installation of Event Management: standard SPRO is pointing to SCM instead of Event Management.

In this case (and other cases) you can apply the solution from OSS note 2197261. In the attachment of this note you find program ZSLA_SHOW_REFERENCE_IMGS. Install it and run it.

ZSLA_SHOW_REFERENCE_IMGS

Use the correct TREE_ID in transaction SCUSSEQUENCE to make this one the preferred IMG:

Tcode SCUSSEQUENCE

OSS notes and help

Standard SAP help on enhancing IMG can be found here.

Relevant OSS notes:

  • 3158481 – SPRO | How to add customer specific IMG nodes
  • 3244394 – S_IMG_EXTENSION | Edit the enhancement in language German
  • 3260475 – Improve message for package check in IMG.
  • 3365584 – S_IMG_EXTENSION | How to translate IMG structure nodes with customer Enhancement ID

Author: saptechnicalguru. Posted on 22 September 2017 (updated 6 August 2024). Categories: Basis. Tags: custom IMG.

Aftercare for SAP upgrade or support package

Discover the complete checklist for SAP system upgrade aftercare, including SPAU/SPAU_ENH processing, embedded search updates, authorization handling, and security checks.


This blog will explain the normal aftercare that needs to happen after an SAP system is upgraded or has been patched with support packages.

Questions that will be answered:

  • What is the normal processing sequence in SPAU?
  • What is the new SPAU_ENH transaction?
  • Which aftercare is needed when using embedded search via TREX or HANA?
  • Which aftercare is needed for the authorization team?
  • What are the general sanity checks after an upgrade?
  • How to regenerate SAP_ALL and SAP_NEW?
  • How can I check for new or altered security parameters?
  • What other things to do after upgrade?
  • SEGW issues after upgrade, how to solve them?
  • How do I check for new security parameters?

SPAU processing

For extensive explanation on SPAU, read the dedicated blog. The below is a summary.

When starting transaction SPAU in a NetWeaver 7.50 or higher system the screen will look as follows:

The first thing to do is to hit the Reset OSS notes button or Prepare OSS notes button (the name can differ a bit per version):

This will download all OSS notes again and automatically mark the obsolete ones and will remove them from the list. Wait until the batch job doing this job for you is finished. This will save you a lot of time.

In a 7.50 or higher system look at OSS note 2532229 that solves a bug with notes in adjustment mode.

Second step is to process all the OSS notes. Don’t start the other activities until the OSS notes are done.

Third step is to process the tab With Assistant. Only when this is done continue with the tab Without Assistant.

The steps Deletions, Migrations and Translations are optional, but best to do as well. Deletions can be many, but here you can select all and reset to SAP quite quickly.

SPAU_ENH to process enhancements

Often forgotten is the post processing with transaction SPAU_ENH.

If SAP has made changes in enhancements, conflicts with customer implementations can occur. SPAU_ENH will list them, and you can process them. If this is forgotten, the customer implementation might not be called, which can lead to functionality giving errors.

In rare cases you will need to regenerate the enhancement spots via program ENH_REGENERATE. See OSS note 2507482 – ENHO: After System Upgrade, BADI_SORTER for BAdI Implementation is not being triggered:

RTCCTOOL post processing

After any upgrade/support package the basis person must run the RTCCTOOL program. This will check and list any needed updates.

In almost all cases the actions behind the button Addons&Upgr must be triggered by the basis person.

DMIS plug in OSS notes

If you are using the DMIS plugin for SLT, then you need to run the DMIS note analyzer program(s) again after the support package or upgrade. More information: read this blog.

Scenario – Report name:

  • Object Based Transformation (OBT) – CNV_NOTE_ANALYZER_OBT
  • ABAP Integration for SAP Data Intelligence (DI) – CNV_NOTE_ANALYZER_DI
  • S4HANA Migration Cockpit (MC) – CNV_NOTE_ANALYZER_MC_EXT
  • SAP Landscape Transformation (SLT) Replication Server – CNV_NOTE_ANALYZER_SLT
  • Near Zero Downtime Technology (NZDT) – CNV_NOTE_ANALYZER_NZDT

Embedded search post processing

With an upgrade or support package SAP will deliver new, improved versions of the embedded search models. If you are using embedded search you have to do post processing to make use of these new improved versions.

By default SAP will keep using the old model to make sure the search function keeps working. The basis administrator can then update the search models at their convenience.

To update start transaction ESH_COCKPIT:

Then from the Other drop down select the option Model modified:

Note: if no Model modified entries are present, but you do get a message like "update in background started", then wait until the model update background job is finished. This job can take a long time. When it is finished, restart transaction ESH_COCKPIT.

Select all models to be updated (or, if there are a lot, a subset). Then select the Update option from the Actions menu:

Then you have to wait (a lot). Even on HANA this will take a long time.

You might get a message that you yourself are locking the update process: in this case, wait until your processes in the background are done (SM66 monitoring) and then try again, or use a smaller selection.

An alternative is to delete the search model after the upgrade and redo it completely. For setting up the search model in S4HANA read this dedicated blog.

Background OSS note: 2468752 – Re-indexing after an application Upgrade.

Authorization post processing

With any upgrade or support package SAP will deliver new authorization objects. These need to be handled as well.

Regenerate SAP_ALL and SAP_NEW

SAP_ALL needs to be regenerated. This can be done simply by starting transaction SU21 and hitting the Regenerate SAP_ALL button:

See also SAP note 410424 – Customizing for generation of profile SAP_ALL.

SAP_NEW can be regenerated with program REGENERATE_SAP_NEW:

Regenerate SAP_NEW

See OSS note 2606478 – REGENERATE_SAP_NEW | bridging authorizations for input helps.

SU25 profile generator post processing

The authorization team needs to do post processing in the SU25 transaction to update profile generator.

Upon starting this transaction after the upgrade or support packages it will prompt you for having checked OSS note 440231 (SU25 preparation FAQ note).

Do download the most recent version (redownload the OSS note!) and read the content. The note cannot be applied automatically (it will say cannot be implemented). This is because it is a FAQ note. If you open the content scroll to your version and check the OSS notes. Make sure the notes listed there are applied to your system before continuing with SU25.

Then startup SU25 again and process steps 2a, 2b and 2c:

More background information can be found in SAP note 440231 – SU25 | FAQ: Upgrade postprocessing for Profile Generator.

Standard SAP job updates

After any SAP support package or upgrade, SAP will improve and/or change the standard clean up jobs.

To do this: go to SM36 and click the Standard Jobs button. Then select the Default Scheduling job. The system will then tell you which jobs will be stopped (no longer needed), which will be changed, and which new jobs will be planned. See also the technical clean up blog.

For S4HANA standard jobs, read this blog.

Update of IMG nodes

If you use custom IMG nodes, you have to re-integrate your node into the main IMG using transaction S_IMG_EXTENSION. For more information see the blog on setting up custom IMG nodes.

Updating requirements and formulas

After an upgrade or support package the requirements and formulas might need to be regenerated via program RV80HGEN. More details: read this blog.

Updating ABAP where used list

After an upgrade or support package the ABAP where used list must be regenerated again. Read this dedicated blog.

Security parameters

With an S4HANA upgrade, there is a program to run to check for new security parameters: RSPFRECOMMENDED. Read this dedicated blog for details.

General sanity checks after an upgrade

The basic sanity checks after an upgrade actually start before the upgrade!

Before the system is upgraded, you should check the following items:

  • ST22 short dumps
  • SM37 batch job failures
  • SM13 update failures
  • SM58 RFC failures (for idocs and qRFC)
  • SM21 system log issues

If you check this at regular intervals before the upgrade you get a good mental picture (you can also take screen shots before the upgrade) of the issues already present in the system.

After the system upgrade and/or support package you check these items again. Because you checked before it is easy for you to see and filter out new items. New items can be analyzed for solution (can be SAP note that is needed, custom code that is not properly updated, changes in functionality, etc).

SGEN code generation

After a support pack or upgrade you can use transaction SGEN to generate all ABAP code (standard SAP and custom) and check for errors in code generation. More information in this blog.

SEGW issues on standard SAP after the upgrade

In the past you could solve SEGW FIORI ODATA exposing issues directly in the system. Now SAP has forbidden this. See OSS notes 2734074 – Editing of standard SEGW projects for customers is blocked and 2947430 – Editing Standard OData Service Project throws error: Editing Prohibited SAP delivered projects cannot be edited in your system. The emergency workaround is described in OSS note 3022546 – In Transaction SEGW, Error ‘SAP delivered projects cannot be edited in your system’ is encountered during change of the OData Project PS_PROJFIN_MNTR.

Check for new or altered security parameters

After a support pack most security parameters remain the same. After an upgrade you need to check for new or altered security parameters. For an S4HANA upgrade there is a special note and program to quickly check for new and altered security parameters, including the SAP recommendation: read more in this blog.

Other things to do after an upgrade

After an upgrade you can scan and check for new or enhanced functions you can use.

Examples to check:

  • Update the SCI variants delivered by SAP (see blog)
  • SAP audit logging will deliver new checks, but these are deselected after the upgrade

Author: saptechnicalguru. Posted on 25 August 2017 (updated 29 August 2025). Categories: ABAP, Basis, Security, Upgrade. Tags: support package, upgrade.

SAP audit log

Learn how to configure and manage the SAP audit log, including privacy settings, reporting tools, and recommended filters. A complete guide for SAP admins and auditors.


This blog will explain the SAP audit log.

Questions that will be answered are:

  • What is the intended goal of the SAP audit log?
  • How to switch on the SAP audit log?
  • What are the recommended settings for the SAP audit log?
  • What are the common issues with audit logging?
  • Can I get anonymous access to the audit logging?
  • How can I get statistics on audit logging?
  • How can I get a where used list from the audit logging?
  • How can I archive audit log data for long term storage?
  • How can I delete audit logging?

Goal of SAP audit log

The SAP audit log is a critical tool for tracking security-relevant actions within your SAP system. It records events such as:

  • User creation and deletion
  • Failed logon attempts
  • Debug & replace actions
  • Execution of transactions and programs

SAP has notes for the frequently asked questions:

  • Older versions: 539404 – FAQ: Answers to questions about the Security Audit Log.
  • Newer versions (as of 7.50): 2191612 – FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50

Also an interesting read is this note: 3352573 – How to check transactions executed by an user in AS ABAP.

Audit log and privacy

The audit log captures actions performed in the system. It captures not only the actions, but also the user ID and terminal ID. This makes the tool a bit of a ‘big brother is watching you’ tool. Auditors are normally used to dealing with sensitive topics. But next to answering audit questions, the audit log can also be misused to check ‘is this person doing a lot of work in the system’. For this reason, access to the audit log should only be given to persons who understand the sensitivity and respect people’s privacy. This also applies when giving information extracted from the audit log to managers.

Anonymous audit log reporting

In the SAP audit log user names and terminal IDs are visible. This is in many cases privacy information. Due to privacy rules and regulations, access to the audit log might be very restricted or cumbersome, especially when the audit logging is to be used for analysis purposes rather than for audit. If OSS note 2883981 – RSAU_READ* | anonymized display of Security Audit Log data is applied, a new transaction is created. This new transaction, RSAU_READ_LOG_ADM, shows all the information, but now with the user ID and terminal ID columns in anonymous mode.

Switching on the audit log

For switching on the audit log first the corresponding system parameters must be set:

  • rsau/enable: set to 1 to enable
  • rsau/local/file: set the file location in format “/usr/sap/<SID>/<instno>/log/audit_<SAP_instance_number>” (yes, unfortunately audit log still uses a file)
  • rsau/max_diskspace/local: max disk space (set to at least 1 GB)
  • rsau/selection_slots: default is 2, but typically this is set to 10 slots

Unfortunately these parameters are not dynamic, which means a system restart is required to activate these parameters.
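A profile check for the four parameters above, as an added example (not code from this blog or from SAP). It reads a constructed instance profile fragment, looks up the disk space parameter under SAP's slash-separated name rsau/max_diskspace/local, and assumes sizes are written as plain bytes or with a K/M/G suffix in binary multiples; the SID S4D and instance 00 are made up.

```python
import re

MIN_DISK_BYTES = 1_000_000_000   # page: "set to at least 1 GB"
TYPICAL_SLOTS = 10               # page: default is 2, typically set to 10
DEFAULTS = {"rsau/enable": "0", "rsau/selection_slots": "2"}
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumption

# Constructed profile fragments (not taken from a real system).
WEAK_PROFILE = """\
# audit log switched off, small file, default number of filter slots
rsau/enable = 0
rsau/local/file = /usr/sap/S4D/D00/log/audit_00
rsau/max_diskspace/local = 100M
"""

GOOD_PROFILE = """\
rsau/enable = 1
rsau/local/file = /usr/sap/S4D/D00/log/audit_00
rsau/max_diskspace/local = 2G
rsau/selection_slots = 10
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_size(value):
    """Convert '1000000000', '100M' or '2G' to bytes; raise ValueError otherwise."""
    match = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not match:
        raise ValueError("unreadable size: %r" % value)
    return int(match.group(1)) * UNITS[match.group(2)]


def check_audit_profile(text):
    """Return a list of (parameter, problem) tuples; an empty list means no findings."""
    params = {**DEFAULTS, **parse_profile(text)}
    findings = []

    if params["rsau/enable"] != "1":
        findings.append(("rsau/enable", "audit log is not enabled"))

    if not params.get("rsau/local/file"):
        findings.append(("rsau/local/file", "no audit file location set"))

    raw_size = params.get("rsau/max_diskspace/local")
    try:
        size = parse_size(raw_size) if raw_size else None
    except ValueError:
        size = None
    if size is None:
        findings.append(("rsau/max_diskspace/local", "missing or unreadable"))
    elif size < MIN_DISK_BYTES:
        findings.append(("rsau/max_diskspace/local",
                         "%d bytes is below 1 GB" % size))

    try:
        slots = int(params["rsau/selection_slots"])
    except ValueError:
        slots = 0
    if slots < TYPICAL_SLOTS:
        findings.append(("rsau/selection_slots",
                         "%d filter slots, typical value is %d" % (slots, TYPICAL_SLOTS)))
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("good", GOOD_PROFILE)):
        print(name, check_audit_profile(profile))
```

Because the parameters are not dynamic, a clean result on the profile file only describes the running instance after its next restart.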

After the activation you can go to transaction SM19 (or in newer versions to RSAU_CONFIG) to switch on the audit logging in detail.

First step is to create a profile and activate it.

The next step is to set up the filters.

Audit log filters

The audit log filters are used to filter events. If you select all events, this will cause a logging shadow and make the function unreliable.

To configure the filters use transaction RSAU_CONFIG (this replaces the old SM19 transaction).

Main client versus 000, 001 and 066 client

SAP has multiple clients. The 000, 001 and 066 clients are only used by system admins. For these clients you can set up a special filter and log ALL actions for ALL users. This will not cause too many entries.

If you want to fully avoid SAPSYS entries, follow the instructions from this blog section.

Main client logging settings

In the main client you have to be selective on the checks.

The audit log has 3 classifications of checks:

  • Critical (always switch these on!)
  • Severe (if possible switch on as well)
  • Uncritical (be very selective for switching these on)

Audit log

Key filter recommendations

ALWAYS switch on the critical checks. This will include:

  • Debug & replace actions
  • Debug start
  • Changes to audit log configuration itself
  • User creation
  • Failed logon attempts
  • User locks due to wrong password

From the severe and uncritical sections the following checks are useful:

  • Logon failed: this can help to detect logon attempts with standard users (see blog on SAP standard users): the audit log will capture the terminal ID from which the attempt happened
  • Start of report failed: will avoid discussions if people really could start or not
  • Report started: though in many productive systems SE38 etc. is not allowed for directly starting a report outside a transaction code, this will still happen by admins and firefighters. This check will log which report is started directly
  • Transaction locked and unlocked: capture locking and unlocking of transactions with SM01 in old systems (and SM01_DEV and SM01_CUS in newer systems)
  • Transaction started: this will avoid discussion about whether people keyed in the tcode or not (do remember that the audit log captures the start; it can still be that the user is not authorized to continue with the transaction). Many RBE (reverse business engineering) type tools rely on this audit log tracing rather than the ST03 logging. The reason is that the audit log is on user level rather than aggregated level and is usually kept longer.
  • User deleted, user locked and user unlocked
  • Password changed for user

SE92 audit log details

Using transaction SE92 you can get an easier overview of the settings definitions as provided by SAP for the audit log details. Read more in this blog.

RSAU_CONFIG configuration overview

Using transaction RSAU_CONFIG you can get an easier overview of the actual activation and configuration.

Audit log reporting

Transaction codes SM20 or RSAU_READ_LOG can be used to view the audit log results.

Be careful to whom you give the rights to read the audit log.

Audit log settings overview

You can use transaction RSAU_CONFIG_SHOW to get an overview of the audit log settings.

Stay Updated After SAP Upgrades

Audit log settings are not automatically updated after an upgrade. Always review new checks and update your configuration accordingly.

Determining changes to audit log settings

OSS note 2680888 – SAL | Report for determination of differences in event parameters delivers the new report RSAU_READ_LOG_DIFF to show changes done to the audit log configuration:

RSAU_READ_LOG_DIFF

Delete SAP audit log files

Start transaction RSAU_ADMIN and start the option for log file reorganization:

Delete audit logging

Or you can run/schedule program RSAUPURG.

Restricted access to this function is a must.

Archiving audit logging

There might be requirements from the security or business side that require you to find a solution for long term storage of the audit log data. Deletion as explained above might then not be an option for you.

To archive audit logging data, activate the settings for archiving object BC_SAL. Read this blog on the exact technical execution of archiving runs.

OSS notes to be applied for the audit log archiving function:

  • 3014220 – RSAU_ARCHIVE_READ | Optimization of evaluation
  • 3054172 – Audit log archive management
  • 3063886 – RSAU_ARCHIVE_DELETE | SARA Statistics
  • 3068475 – RSAU_ARCHIVE_WRITE | Optimization and functional enhancements
  • 3081540 – RSAU_ARCHIVE_WRITE | UNCAUGHT_EXCEPTION CX_PARAMETER_INVALID_RANGE
  • 3094328 – RSAU_ARCHIVE_RELOAD | Reloading Security Audit Log archives
  • 3232857 – RSAU_ARCHIVE_WRITE | Archive up to current date not possible
  • 3281751 – BC_SAL | Masked error message for archiving of audit log data
  • 3323638 – Performance optimization for RSAU_ARCHIVE_DELETE

Issues with audit logging

There are some known issues with the audit logging.

Logging shadow

If too many items are selected in the filters, the audit log will grow very fast. If the audit log is full, it will start to overwrite the earlier entries. The earlier entries are then lost. This is called logging shadow. Depending on your requirements, you have to increase the disk space or, better, check which items in the audit log settings you don’t need but do cause an extensive amount of logging.

Large SAP systems with multiple application servers

On large SAP systems with multiple application servers, the file handling can cause issues. If the system is set up using shared files and the file name in the profile configuration is identical for each application server, this will cause a nasty issue: the audit logging from several application servers will overwrite each other’s entries. This is hard to detect. Solutions: don’t use shared files, or change the profile parameter per application server to include the application server name in the audit log file name. To do this set the FN_AUDIT parameter to this value: SQL_++++++++.AUD. At runtime the +’s will be replaced with the application server name.

See point 25 in the audit log FAQ note 539404 – FAQ: Answers to questions about the Security Audit Log. And point 12 in the new (as of Netweaver 7.50) note 2191612 – FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50.

Audit logging integrity

Based on the settings in OSS note 2033317 – Integrity protection format for Security Audit Log, you can switch on the audit logging integrity. This way you can prove nobody tampered with the audit log. But this also means you cannot read the audit logfile on file level or by any third party tool. Please consider this carefully and read the note about other effects and prerequisites first before switching on.

Where used list and audit log statistics

On newer versions (or via notes below) there are 2 new programs available:

  1. RSAU_GET_STAT for statistical information
  2. RSAU_GET_WUSL for a where used list of security events

To get this function apply these OSS notes:

  • 3002091 – RSAU_READ_LOG | optimization of message statistics
  • 3015325 – SAL | Supplementation of information tools
  • 3044997 – Optimization of UTC timestamp processing

Audit log self check

To get this function apply the same notes as for the audit log statistics:

  • 3002091 – RSAU_READ_LOG | optimization of message statistics
  • 3015325 – SAL | Supplementation of information tools
  • 3145365 – RSAU_SELF_CHECK_DIA | Enhancement of environment check

Then you can run program RSAU_SELF_CHECK_DIA.

If you want to run the Still Alive Check:

You first have to make sure to activate Audit test event AU0:

Auditing user SAP*

If you need to audit user SAP*, the * is a wildcard. You have to use the escaped version: SAP#*. See SAP help link.
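Added example (not part of the original blog, and not SAP code) tying together the Logon failed recommendation from the key filters section and the SAP#* escape: it counts failed logons on standard users per terminal from a constructed CSV export, and shows why the unescaped mask SAP* catches more than intended. The CSV layout, terminal names and the watchlist of standard users are assumptions; AU2 is the audit log event ID for a failed logon, and only * (wildcard) and # (escape) are implemented.

```python
import csv
import io
import re
from collections import defaultdict

FAILED_LOGON_EVENTS = {"AU2"}  # Security Audit Log event "Logon failed"

# Assumed watchlist of SAP standard users, written as filter masks.
# "SAP#*" is the escaped form: it matches only the literal user SAP*.
STANDARD_USER_MASKS = ["SAP#*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"]

# Constructed sample rows; this column layout is an assumption, not SAP's format.
SAMPLE_EXPORT = """\
date,time,client,user,terminal,event
2025-08-01,02:11:07,100,SAP*,WKS-0417,AU2
2025-08-01,02:11:09,100,DDIC,WKS-0417,AU2
2025-08-01,02:11:15,100,SAP*,WKS-0417,AU2
2025-08-01,08:30:00,100,JDOE,WKS-0032,AU2
2025-08-01,08:31:12,100,SAPSUPPORT,WKS-0099,AU2
2025-08-01,09:00:00,100,DDIC,WKS-0005,AU1
2025-08-01,09:05:00,000,EARLYWATCH,WKS-0417,AU2
"""


def mask_to_regex(mask):
    """Translate a user mask: '*' matches any run of characters, '#' escapes the next one."""
    parts, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "#" and i + 1 < len(mask):
            parts.append(re.escape(mask[i + 1]))  # escaped character, taken literally
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def user_matches(user, masks):
    """True if the user name matches at least one mask completely."""
    return any(mask_to_regex(mask).fullmatch(user) for mask in masks)


def failed_logons_by_terminal(export_text, masks):
    """Return {terminal: {user: count}} for failed logons on watched users."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event"] in FAILED_LOGON_EVENTS and user_matches(row["user"], masks):
            hits[row["terminal"]][row["user"]] += 1
    return {terminal: dict(users) for terminal, users in hits.items()}


if __name__ == "__main__":
    print("escaped watchlist:", failed_logons_by_terminal(SAMPLE_EXPORT, STANDARD_USER_MASKS))
    # The unescaped mask also catches the constructed user SAPSUPPORT.
    print("unescaped SAP*  :", failed_logons_by_terminal(SAMPLE_EXPORT, ["SAP*"]))
```

A terminal that appears with several different standard users, like the constructed WKS-0417 here, is the pattern the terminal ID in the audit log makes visible.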

Background OSS notes and blogs

Logging incidents for SAL (SAP Audit Log): 3295213 – Required information for analyzing issues with the Security Audit Log (AS ABAP) within the new SAL environment.

Useful background OSS notes and blogs are:

  • Audit log FAQ note 539404 – FAQ: Answers to questions about the Security Audit Log.
  • 1941568 – SAL | FAQ for use of customer-specific events
  • 2191612 – FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50

  • 2360334 – Security Audit Log does not work after setup
  • 2414468 – Analysis of SAL log data in the background
  • 2546993 – Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

  • Blog on recommended security audit log settings
  • 2676384 – Best practice configuration of the Security Audit Log

  • 2838480 – SAL | Secure by default

  • 2995772 – How to Specify Massive Audit Files to be Searched with RSAU_READ_LOG and RSAU_SELECT_EVENTS
  • 3055825 – RSAU_LOAD_FILES for transferring audit log data to the SAL database
  • 3090362 – RSAU_ADMIN | Integrity protection format – data management
  • 3094328 – RSAU_ARCHIVE_RELOAD | Reloading Security Audit Log archives

  • 3097820 – Configuration of “Maximum Size of One Audit File” is incorrect – Audit log in ABAP system
  • 3113752 – User logoff entry not captured in audit logs.
  • 3237752 – Security Audit Logs not recorded when using NFS storage
  • 3137004 – How to archive audit log from DB?
  • 3140539 – SAL | New event definition for change access in SE16N
  • 3143980 – How to activate a static profile in T-Code RSAU_CONFIG
  • 3144105 – How to apply the configuration of a static audit log profile to the dynamic configuration without system restart in RSAU_CONFIG
  • 3218604 – Troubleshooting user logon problems
  • 3219561 – Where to find information about the Security Audit Log and it’s configuration ?
  • 3225726 – Logging the Client IP address in the Security Audit Log when using SAP Web Dispatcher.
  • 3226223 – How to monitor debug activities in SAP Netweaver.
  • 3233604 – How to check RFC logon lock or failure issue in security audit log
  • 3265014 – New events FUG, FUH, and FUI
  • 3274589 – New events FUJ and FUK
  • 3298279 – New event FUL (shared object topic)
  • 3319853 – SAL events for DBA Cockpit
  • 3376172 – SM19/RSAU_CONFIG | Enhancement of list of permanently active events

  • 3386875 – SAL Event FUR for File Share Client
  • 3476220 – How to read Security Audit Log data from an inactive or decommissioned server (AS ABAP) ?

Known bugs and bug fixing OSS notes

Bug fixing OSS notes:

  • 2841034 – Security Audit Log: AU3 entry for core transaction of variant transaction
  • 2902365 – Enhancement of RSAU_COLLECT_STAT_DATA
  • 2903947 – Unnecessary event logging
  • 2919024 – RSAU_READ_LOG | Reading of logs for inappropriate parameterization
  • 2936390 – RSAU_SELECT_EVENTS displays incorrect instance for local search
  • 2990798 – Original virus scan profile is not listed in Security Audit Log
  • 2993146 – SM20/RSAU_READ_LOG | problem when reading from files
  • 2998269 – RSAU_READ_LOG | error when displaying the interval of data actually read
  • 3005997 – RSAU_READ_LOG | Error when reading the audit log
  • 3027399 – Optimization in SM19 and RSAU_SELECT_EVENTS
  • 3038925 – RSAU_SELECT_EVENTS | Statistics information in the list header
  • 3050692 – Recording trigger for events BU2 and EUU
  • 3053695 – RSAU_ADMIN | Reorganization of log files after change of FN_AUDIT
  • 3068475 – RSAU_ARCHIVE_WRITE | Optimization and functional enhancements
  • 3075661 – Secure Audit Log event BU2
  • 3078007 – RSAU_READ_LOG | Event sequence in result list
  • 3080892 – SAL | Conversion error when saving numeric parameters
  • 3081540 – RSAU_ARCHIVE_WRITE | UNCAUGHT_EXCEPTION CX_PARAMETER_INVALID_RANGE
  • 3081762 – SAL | Event trigger for BUS
  • 3086916 – SM20/RSAU_SELECT_EVENTS | unsuitable short texts for security level
  • 3089438 – Missing transaction start (AU3) entries in the Security Audit Log
  • 3090191 – SAL | Optimization of class CL_SAL_ALERT_API
  • 3090362 – RSAU_ADMIN | Integrity protection format – data management
  • 3090494 – RSAU_READ_LOG / SM20 | Transaktionskontext für Audits
  • 3097820 – Configuration of “Maximum Size of One Audit File” is incorrect – Audit log in ABAP system
  • 3102375 – Inconsistent entries in Security Audit Log for events of type AU5 and AUK
  • 3150788 – Security Audit Log information on the used transaction-code is unavailable.
  • 3205227 – Transaction execution log missing in the audit log
  • 3249114 – Optimization of APIs for reading the audit log
  • 3261220 – RSAU_ADMIN | Options on the selection of T-Code RSAU_ADMIN are greyed out
  • 3298908 – RSAU_MAINT_LOG | job with error message ‘Trigger () does not exist in table RSAU_SYNC’
  • 3308752 – API RSAU_API_GET_ALERTS does not find any data
  • 3346306 – RSAU_ADMIN | Allow Reorganization of data for recording target database – API mode
  • 3367960 – Files created by the Security Audit Log have a different format than defined via profile parameter FN_AUDIT
  • 3406914 – Performance issue when evaluating SAL logs (written to the file system) via SM20/RSAU_READ_LOG due to incorrect SAL configuration
  • 3407647 – RSAU_READ_LOG | Optimization of reading audit log 
  • 3432332 – SAL | Parameter rsau/max_diskspace/per_day and rsau/max_diskspace/per_file cannot have the value 0
  • 3576436 – RSAU_SELF_CHECK_DIA | Still Alive Check for Security Audit Log
  • 3601104 – SM20/SM20_ADM | Missing detail views
  • 3629967 – SM19 | Error when transferring dynamic configurations
  • 3641726 – SM20 / RSAU_READ_LOG | Authorization check for database access

Author: saptechnicalguru. Posted on 18 August 2017 (updated 26 August 2025). Categories: Basis, Security. Tags: audit log.

Swiss knife for idocs: WLF_IDOC transaction


This blog is about the new and too much unknown new Swiss knife for idocs: the WLF_IDOC transaction.

The blog will answer questions like:

  • What are the new features of the WLF_IDOC transaction?
  • Which transactions does WLF_IDOC replace?
  • Why should I start using the WLF_IDOC transaction?
  • How can I search in idoc content?

Idoc listing

The first function WLF_IDOC replaces is idoc listing, previously done with transactions WE02 and WE05.

Starting up WLF_IDOC gives you the first screen, where you enter the selections for idocs:

WLF_IDOC startup screen

This will give you the output screen with the list:

WLF_IDOC list output

So far nothing new.

The new part is the single idoc view:

WLF_IDOC detailed idoc screen

The idoc segments are shown on the left hand side and the idoc statuses top right.

The main difference is that when you select a segment on the left-hand side, the bottom right view shows ALL the segments of that name in the idoc. This gives you a more complete overview of the idoc content. There is no longer any need to scroll through the segments one by one: you see them all in one shot.

Compare content of 2 idocs

If you are in the list screen of the idocs in WLF_IDOC, you can select two idocs and then use the idoc compare icon to compare the content of the selected idocs:

End result:

WLF_IDOC compare idocs result screen

This output screen now shows you the differences in the two selected idocs.

Idoc reprocessing

From the list overview you can start the idoc reprocessing for idocs with status 51. If you select an idoc and press the Process button:

you will be given following choices:

You can process online, process in the background, or jump to the classical BD87 idoc reprocessing transaction.

In the overview screen you can select multiple idocs as well for mass processing.

Change idoc status

If you have selected idocs in the overview screen you can use this button to change the idoc status:

You can use this, for example, to change status 51 (error in processing) to status 68 (error – no further processing) to prevent the idoc from ever being processed again.

Search in idoc content

In the selection screen of WLF_IDOC there is a tab called criteria for data record.

WLF_IDOC search in idoc content

This tab can be used to filter idocs based on the content of a field of a segment. You can select based on 1 filter (just leave the second one empty), or you can combine the content of 2 segment data fields in an and / or selection.

This can be used, for example, to quickly select all the idocs that contain a certain material number.

Do keep in mind that the idocs are still filtered based on the data in the first tab (status, date, idoc type, etc.).

An alternative transaction for searching is WE09.

Editing idoc content

To be able to edit idoc content, there are 2 ways:

  1. Classic BD87 and WE19 test tool approaches (BD87 can be used also in production, but WE19 should not be used in production): from WLF_IDOC you can go to BD87 by selecting an idoc and press Process (then select BD87 dialog), or go to WE19 by selecting an idoc and selecting menu option Utilities/Idoc Test Tool.
  2. Allowing some idoc fields to be edited directly

To allow some idoc fields to be edited, you first have to customize this. In SPRO go to the menu path Cross-Application Components, then select Idoc Monitor for Agency Business and Retail (yes, it is a strange place), finally select Idoc Maintenance Settings.

Now enter the message type and segment for which you will allow editing. In the details, specify the fields that should be editable. An example is given below:

Editing idoc content configuration

In the WLF_IDOC transaction, you can now select an idoc from the main screen and press the change button. In the details these fields have become editable (and only these fields):

Idoc editable fields in WLF_IDOC

Make the changes and save the idoc. Go back to the main screen in WLF_IDOC and you can reprocess the idoc via the Execute/reprocess idoc button.

You have to configure the editing per message type/segment/field. It is not suitable for mass processing or test functions. This is really meant for a limited number of fields in a productive system where the business needs to correct idocs (most likely wrong reference numbers or dates).

Running in productive systems

This section requires intermediate SAP knowledge

When you run WLF_IDOC in a productive system (the system is set to productive in SCC4), some functions are restricted:

  • Change control record
  • Copy IDOC and delete segment
  • Change status

If you still want to use these functions, you must have the proper authorizations. In addition, add parameter RWLFIDOC_NEW_EXPERT with value X to your user defaults (transaction code SU3).

Once you are in WLF_IDOC, enter &expert in the transaction code field to switch to Expert Mode, where these functions are available.

See OSS note 2455691 – Missing functions in productive systems in WLF_IDOC.
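Because the expert-mode switch is an ordinary user parameter, it can be reviewed periodically. The report below is an added example, not code from this blog or from SAP; the report name is hypothetical, and it assumes the standard tables USR05 (user parameters), USR02 (user master) and T000 (client role from SCC4).

```abap
REPORT zwlf_idoc_expert_review.
* Added example: lists the users of the current client that carry user
* parameter RWLFIDOC_NEW_EXPERT, together with the client role from SCC4.
* The report name is hypothetical.

CONSTANTS gc_parid TYPE usr05-parid VALUE 'RWLFIDOC_NEW_EXPERT'.

START-OF-SELECTION.
  " Client role as maintained in SCC4: P = productive
  SELECT SINGLE cccategory FROM t000
    WHERE mandt = @sy-mandt
    INTO @DATA(gv_role).

  " SU3 parameters are stored per user in USR05;
  " USR02 adds the user type and the lock flag
  SELECT p~bname, p~parva, u~ustyp, u~uflag
    FROM usr05 AS p
    INNER JOIN usr02 AS u ON u~bname = p~bname
    WHERE p~parid = @gc_parid
    ORDER BY p~bname
    INTO TABLE @DATA(gt_users).

  WRITE: / 'Client', sy-mandt, 'role (T000-CCCATEGORY):', gv_role.
  IF gv_role = 'P'.
    WRITE: / 'Productive client: expert mode re-enables the restricted functions.'.
  ENDIF.
  ULINE.

  IF gt_users IS INITIAL.
    WRITE: / 'No user has parameter', gc_parid, 'set in this client.'.
    RETURN.
  ENDIF.

  LOOP AT gt_users INTO DATA(gs_user).
    " Only value X switches expert mode on; other values are listed for clean-up
    DATA(gv_active) = COND string( WHEN gs_user-parva = 'X'
                                   THEN `ACTIVE` ELSE `set, but not X` ).
    " UFLAG = 0 means the user is not locked
    DATA(gv_lock) = COND string( WHEN gs_user-uflag = 0
                                 THEN `unlocked` ELSE `locked` ).
    WRITE: / gs_user-bname, gs_user-ustyp, gv_lock, gv_active.
  ENDLOOP.
```

The parameter alone does not grant the restricted functions, so compare the resulting user list with the authorizations that allow changing idocs.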

Bug fixing OSS notes

Please apply the following notes to fix bugs and get up-to-date functionality:

  • 2583961 – Error WZRE_IDOC020 in WLF_IDOC transaction
  • 2719264 – Tcode WLF_IDOC displays IDOC data changes incorrectly
  • 2731547 – Formatting of the job name in the IDoc monitor
  • 2734460 – IDoc monitor outbound IDocs
  • 2766052 – Background processing and IDoc monitor
  • 2776628 – Too many jobs created in the IDoc monitor
  • 2780140 – WLF_IDOC: changes applied to unexpected segments
  • 2842617 – Missing confirmation prompt in the IDoc monitor
  • 2851080 – This SAP Note provides a new BAdI in the IDoc monitor
  • 2870356 – Number of selected IDocs is not output
  • 2895571 – IDoc monitor: Monitoring background processing
  • 2942915 – WLF_IDOC: Cannot replace by blank/initial
  • 2944675 – IDoc monitor: Search using Parex fields does not work
  • 2961763 – IDoc monitor performance improvement
  • 2971969 – Display is not updated correctly
  • 2977604 – Links are not determined correctly
  • 2984067 – Links are not updated
  • 3006419 – In the IDoc monitor, the quick info of the column LOG is not displayed correctly.
  • 3015165 – WLF_IDOC dumps when executed through webgui
  • 3022325 – Advanced selections are ignored
  • 3086903 – Unable to modify Idoc in WLF_IDOC
  • 3087668 – WLF_IDOC authority check not working for unauthorized message type
  • 3111441 – Not possible to turn on expert mode in WLF_IDOC webgui
  • 3120019 – Data selection check does not work correctly
  • 3125064 – Segment information may be missing during the output of error messages
  • 3143791 – WLF_IDOC: message EBR113 should display in status bar
  • 3181911 – IDoc processing in different time zones
  • 3247924 – WLF_IDOC authorization issues
  • 3332437 – WLF_IDOC authorization issues
  • 3352174 – transaction WLF_IDOC returns wrong search results
  • 3361269 – Error occurs when displaying status records in the IDoc monitor
  • 3394918 – WLF_IDOC search issue
  • 3444780 – In transaction WLF_IDOC, click button “Choose Another Structure” twice to navigate to another structure
  • 3591822 – String search issue in WLF_IDOC transaction

More on idocs

See the blog on idoc tips & tricks.

Author: saptechnicalguru | Posted on 14 August 2017, 27 May 2025 | Categories: ABAP, Basis, Idoc | Tags: idoc, WLF_IDOC | 4 Comments on Swiss knife for idocs: WLF_IDOC transaction
