S4HANA security parameter baseline changes

If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.

Questions that are answered in this blog are:

  • Where can I find information on security parameter changes after S4HANA conversion or upgrade?
  • How can I check if the changed security parameter are properly implemented in my S4HANA system?

Security parameter changes S4HANA

OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.

This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.

Checking implementation of security parameter changes in the system itself

After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:

S4HANA conversion preparations

You are going for S4HANA conversion if your start release is ECC6.0. Then you are not only upgrading your system, but actually a large part of your data (financial data, stock data, customer data, vendor data, etc) is converted from the ECC 6.0 to the S4HANA data model.

A great amount of preparations are required for a conversion to S4HANA. If you are on a S4HANA start release and want to upgrade to a higher version, the steps are far less. In that case read the blog on upgrading in stead of the blog below, which focuses on the conversion.

Summary of preparations to consider:

Readiness check and pathfinder

A good first step is to run the S4HANA Readiness Check 2.0. This tool will give you a first insight into the use of your current system and potential blocks and work for the S4HANA conversion. How to run the check is explained in this blog.

The readiness check is more based on existing functionality. The pathfinder tool is a tool that can help you more into new and innovative scenarios. Read more about pathfinder in this blog.

Sizing

You need to switch your system from your current database to a HANA database. This has impact on both your database size and your system sizing. Read more about in this blog on S4HANA system sizing, based on your current system usage.

A database migration can be done before the S4HANA conversion, but in most cases the database migration and S4HANA conversion are combined in one step.

Data archiving

To speed up the data migration, data archiving and data deletion is required to execute in many cases. The archiving and deletion can already be done before your S4HANA conversion project starts. For information on deletion of technical data read this blog. For data archiving, you first start with the business discussions on retention times (read this blog). After the discussions are done, you execute the technical execution according to this blog.

Remove unused clients

Unused clients must be removed. Removal of clients 001 and 066 are mandatory and to be removed before the conversion starts. Read more in this blog.

Add-ons

Add-ons can be the worst nightmare in a S4HANA conversion. If an add on is no longer required, first check if it can be uninstalled.

See OSS note 2011192 – Uninstallation of ABAP add-ons for SAP delivered add-ons, and OSS note 2911053 – Uninstallation configuration for 3rd party delivered add-ons.

If you do need to convert your system to S4HANA including the add-ons, please read OSS note 2214409 – SAP S/4HANA: Compatible Add-Ons. This note refers to the list of compatible SAP and 3rd party add-ons for each S4HANA version.

The SAP add-ons will normally be ready within few months after release of new S4HANA version. 3rd party add-ons differ per supplier. Some are really fast and can deliver you the needed ACP file within a week. Some take months or longer than 1 year. If you have such a poor add-on supplier, your complete conversion will block until the supplier has done its work. Best to impose pressure via management (best is via CIO or head of IT procurement) on the supplier to speed up.

Custom code adjustments

During the S4HANA conversion process all custom code must be validated and adjusted in these cases:

  • Changes due to HANA database change
  • Changes due to S4HANA data model changes

You can already change in the existing ECC 6.0 system parts of the code before the actual conversion. To see what you need to change, you need to set up an extra ABAP netweaver stack and run remote ATC checks for S4HANA readiness of the custom code. Read the details in this blog.

Next to S4HANA readiness, you can also scan your custom code for use of unsupported SAP objects. Read the details in this blog.

Custom code performance

You can use the SQLM and SWLT tools on your current productive system to determine your code points that already eat up most of your system performance now. These points are an opportunity to improve in the S4HANA conversion.

Use of Eclipse for custom code

On S4HANA many new developments are possible in custom code, like CDS views. For these tools the ABAP developers need on their front end the ABAP Eclipse tool. Read these blogs: installation of ABAP Eclipse and backend activation.

S4HANA simplification items

The S4HANA simplification items must be dealt with. Already before starting the conversion, you can run the simplification items checks and assess their impact. Read this blog on how to run the S4HANA simplification items check.

CVI integration / BP integration

The CVI (customer vendor integration), also known as BP (Business Partner) integration can be a very time consuming piece of the S4HANA conversion preparation. More on this topic can be learned on the OpenSAP training dedicated to the Business Partner conversion in S4HANA.

FICO changes

In S4HANA new general ledger and new asset management are mandatory to be used. If your current system does not yet use new general ledger and/or new asset management, you need to plan a lot of time for the FICO consultants and FICO business for the FICO data conversion.

SLT triggers

If you are using SLT triggers, also check this OSS note carefully: 2755741 – Potential Impact of SLT During SAP S/4HANA System Conversion / Upgrade of S/4HANA System. In some cases it is better to drop the triggers and recreate after the upgrade.

Set up of parallel landscape

Most likely your ECC system has a lot of topics to be dealt with. This also means that the conversion project will take between 6 and 12 months in duration. During this time more or less changes must continue to be implemented for diverse business and legal reasons.

For most support packages and upgrades a parallel landscape might be over the top. But for a S4HANA conversion it is definitely not a luxury item.

Best to start your planning and implementation directly with a parallel landscape in mind.

More about parallel landscape in this blog.

Security parameter changes

After the conversion to S4HANA you need to consider new and updated security parameter recommendations from SAP. You can prepare yourself already for this step. Read more in this blog.

Downtime reduction

An S4HANA conversion can take a long time to implement, but also a long time to run in productive system. It can take a complete day, weekend or even extended weekend (including Friday and Monday) to execute the conversion on production.

During your S4HANA conversion you should really spend time on downtime minimization.

First step is to determine the maximum downtime you are allowed to have by the business. If you have this timing, use the first sandbox and development system conversions to measure the expected downtime as first estimate. You can use the downtime recording from the SUM tool. But you have to add time for many more elements:

  • Graceful shutdown
  • Data checks after the migration
  • Transport imports after the migration
  • System validation after the imports
  • Graceful startup

Test the actual downtime on your acceptance system. If required, you can also create extra copy of production to a special conversion upgrade dress rehearsal system to practice the downtime and your optimizations.

Tips for downtime reduction:

  1. Check the SUM options for downtime reduction
  2. Check the downtime optimization app from SAP: see this blog
  3. Consider to include customer transports in SUM: see this blog
  4. Consider to contact SAP if your system is very large and you outage window requirements are not met by the actual times. SAP can offer tailored services to further reduce your downtime. These services are expensive, but can be worth the money to help your project meet the business maximum downtime requirements

FIORI app recommendations

The FIORI app recommendations tool can already be used before the start of your S4HANA conversion project. You can use the current ST03N data in your ECC system and upload it to the FIORI app recommendation tool. This can give you insights into parts where you can support the user better with FIORI apps. More information on the FIORI app recommendations tool can be found in this blog.

Use of embedded LiveCache

In case your ECC system is connected to SCM APO system, you might consider to start using the embedded LiveCache in S4HANA as a replacement of the SCM APO system livecache.

This can only be done if:

  • SCM is not used by other ECC systems as well
  • You validated you can replace all functions
  • You have sufficient time in your project for the replacement

If yes, it will save you a complete SCM landscape.

More background on embedded LiveCache setup is in this blog.

SAP best practices

SAP has an excellent best practice document “Upgrading SAP S/4HANA: Why, How, and Best Practices”.

S4HANA upgrade preparations

When you are already using S4HANA, you will still want to regularly upgrade to the newest version. This blog will explain the preparation steps for a next upgrade.

If you are looking for information about S4HANA conversion (from ECC to S4HANA): read this dedicated blog on S4HANA conversion preparations.

Questions that will be answered are:

  • What do I need to check as part of an S4HANA upgrade?
  • Where do I find information on the HANA database revision upgrade?
  • Do I need to run the simplifications check again?
  • Do I need to check my addons again?
  • How can I reduce downtime for my S4HANA upgrade?
  • How can I know about changes to security parameters after the S4HANA upgrade?

HANA database revision

For each S4HANA upgrade, first you must apply the minimum revision published by SAP before you can start the upgrade.

You can apply this revision already in your running system as well.

HANA DB revision usage for S4HANA can be found in this OSS note: 2655761 – SAP S/4HANA – restrictions and recommendations regarding specific revisions of SAP HANA database for use in SAP S/4HANA.

Add ons

For each upgrade, you need to validate that the addons you use are already released for your target upgrade version.

Generic OSS note is 2214409 – SAP S/4HANA: Compatible Add-Ons. This will refer to version specific OSS note you must read.

Simplification items

For each upgrade, you must update the TCI note for the simplifications items and run the checks. See blog.

For an ECC to S4HANA conversion this list is long to very long (can contain over 100 items). For an upgrade from S4HANA lower to higher version, the list is typically only 10 or less items.

SLT triggers

If you are using SLT triggers, also check this OSS note carefully: 2755741 – Potential Impact of SLT During SAP S/4HANA System Conversion / Upgrade of S/4HANA System. In some cases it is better to drop the triggers and recreate after the upgrade.

Custom code checks

A quick check on the use of unreleased SAP objects in custom code can help to avoid upgrade issues. To execute the run, check this blog.

Downtime reduction

An S4HANA upgrade can take a long time to run in productive system. It can take a complete day to execute the upgrade on production.

During your S4HANA upgrade you should really spend time on downtime minimization.

First step is to determine the maximum downtime you are allowed to have by the business. If you have this timing, use the first sandbox and development system conversions to measure the expected downtime as first estimate. You can use the downtime recording from the SUM tool. But you have to add time for many more elements:

  • Graceful shutdown
  • Transport imports after the upgrade
  • System validation before startup
  • Graceful startup

Test the actual downtime on your acceptance system. If required, you can also create extra copy of production to a special conversion upgrade dress rehearsal system to practice the downtime and your optimizations.

Tips for downtime reduction:

  1. Check the SUM options for downtime reduction
  2. Check the downtime optimization app from SAP: see this blog
  3. Consider to include customer transports in SUM: see this blog
  4. Consider to contact SAP if your system is very large and you outage window requirements are not met by the actual times. SAP can offer tailored services to further reduce your downtime. These services are expensive, but can be worth the money to help your project meet the business maximum downtime requirements

Security parameter changes

After S4HANA upgrade, there are new and updated security parameters. Read more on this topic in this blog.

SAP best practices

SAP has an excellent best practice document “Upgrading SAP S/4HANA: Why, How, and Best Practices”.

S4HANA upgrade preparation steps for simplification items

This blog will explain on the S4HANA upgrade preparation steps for the simplification items.

Questions that will be answered are:

  • How to prepare for the S4HANA upgrade?
  • How to get an overview on the S4HANA preparation items that need action?
  • How to re-run a single S4HANA preparation item check?

For more information on other preparation steps:

  1. For S4HANA conversion (start is ECC): read this blog
  2. For S4HANA upgrade (start is lower S4HANA version): read this blog

Upgrade pre-check OSS notes

Before you can start the upgrade install the pre-check OSS notes. First install OSS note 2399707 – Simplification Item Check. This might seem an old note, but it is constantly updated. If you did do the S4HANA readiness check before this note is already installed. But still always download and install the most recent version of this note. The second OSS note is 2502552 – S4TC – SAP S/4HANA Conversion & Upgrade new Simplification Item Checks.

These are TCI notes. During the implementation, you might need to clear all BI queues.

Per S4HANA version there is a third OSS note to apply. This note is different per S4HANA and feature pack version.

The OSS note for S4HANA 2020 is 2910131 – SAP S/4HANA 2020 Initial Shipment Stack Conversion & Upgrade – TCI Note #9. For S4HANA 2021: 3028788 – SAP S/4HANA 2021 Conversion & Upgrade checks – TCI Note #10.

Also these are TCI notes.

Running the pre-checks

Start program /SDF/RC_START_CHECK. First update the catalog:

And check that the OSS notes are up-to-date:

After updating the OSS notes all lights should be green:

Then select the right Target SAP S/4HANA Version and run the program.

This run might take a while based on the performance of your system and the size of your database.

You now get an overview list of the items:

The top one is the famous CVI (Customer Vendor Integration). Now select all the items and press the button Check Consistency for All, to get all the details (again this might take a while). Per item you get the details on the fixes required:

The red items need to be fixed.

There are some items you can exempt. Judge carefully first before applying the exemption. This exemption function is only available in the first overview screen.

Check single item again

You can use program /SDF/RC_TROUBLE_SHOOT to run a single check again. As input you need to provide the full text of the Simplification ID:

This way, you don’t need to wait for the complete run to finish.

Client 001 and 066

Some of the checks might return items in clients 001 and 066. For an S4HANA upgrade these need to be deleted. In stead of fixing the issues in these clients, delete them. See more about this deletion in this dedicated blog.

The real S4HANA upgrade

The SUM tool will execute the real S4HANA upgrade. It will call the same /SDF/RC_START_CHECK program. SUM tool will abort if even a single item is not ok.

S4HANA blacklist

With S4HANA SAP has deprecated some parts of their old code. In some weird cases this old code might still be required.

This blog will explain on the S4HANA blacklist. Questions that will be answered are:

  • How do I see a dump is caused by the S4HANA blacklist?
  • Where to find more background information on the S4HANA blacklist?

The S4HANA blacklist dump

If for whatever reason the S4HANA system gives an ABAP dump with the error SYSTEM_ABAP_ACCESS_DENIED, this is a S4HANA blacklist dump. See note 2476734 – Runtime error SYSTEM_ABAP_ACCESS_DENIED. Or a reference to OSS note 2295840 – Outbound / Inbound calls from external to RFC FM are blocked when the FM is blacklisted and the UCON-Check is active.

Blacklisted RFC calls

When calling a blacklisted RFC from an external application you can get similar dump with reference to OSS note 2295840 – Outbound / Inbound calls from external to RFC FM are blocked when the FM is blacklisted and the UCON-Check is active. This note itself is old and refers to newer OSS note 2416705 – Outbound / Inbound calls from external to RFC FM are blocked when the FM is blacklisted using Blacklist Object. You can run program RS_RFC_BLACKLIST_COMPLETE to see which function modules are blacklisted:

What to do when you hit a blacklisted item?

The best approach is to avoid doing what you did and look for the functional alternative provided by SAP. Search for the correct simplification item OSS note. In almost all cases SAP provides a solution.

Activating a blacklisted item

OSS note 2249880 – Dump SYSTEM_ABAP_ACCESS_DENIED caused through Blacklist Monitor in SAP S/4HANA on premise, contains the procedure to activate a blacklisted item. For the RFC calls follow the instructions of OSS note 2408693 – Override blacklist of Remote Enabled Function Modules.

Please make sure you have both the clearance from SAP and the system owner in writing before executing this procedure. Support can be lost and system upgrade in the future can be facing severe blocks. Only execute as last resort after explicit approval.

Include usage data in S4HANA custom code migration FIORI app

With the new S4HANA custom code migration FIORI app you can include system usage data (from productive system) to see which code blocks are used and which ones are not.

This blog will give answers to the following questions:

  • How to collect usage data from productive system?
  • How to include the usage data in the S4HANA custom code migration FIORI app?

This blog assumes you have already setup the S4HANA custom code migration FIORI app. If you have not done this, follow the instructions in this blog.

Collecting usage data in production with transaction SUSG

General recommendations for the use of transaction SUSG can be found in OSS note 2701371 – Recommendations for aggregating usage data using transaction SUSG. SUSG assumes you have already activated the SCMON ABAP call monitor. If that is not done, read this blog.

In your productive system start transaction SUSG and activate the usage data aggregation:

If you don’t have sufficient authorizations, you might get this weird screen:

If you see this screen, first check your user authorizations.

SUSG performance impact

SUSG performance impact is negligible. SCMON might have an impact. See the blog on SCMON.

Background: 3100194 – Memory Requirement and Performance Impact of transaction SUSG.

SUSG installation

If SUSG does not start in your productive system it needs to be installed first. To install SUSG apply OSS note 2643357 – Installation of Transaction SUSG. This is a TCI based OSS note (see blog).

After the TCI note also apply these OSS notes:

Creating the snapshot

Now that the data collection and aggregation is activated, you will need to be patient. Let the system collect the data for the next few days. Now goto transaction SUSG and check the log that the aggregation went fine:

Now you can create a snapshot in the Manage Snapshots section:

Create the snapshot and download it to a file on your desktop or laptop. If wanted you can setup RFC connection as well.

The security and basis team normally does not like any RFC going from production system to non-production system. So the file option is normally the best way.

Loading the data into your upgraded S4HANA system

In your S4HANA system where your custom code analysis runs now start transaction SUSG and make sure it is active. Now you can upload the snapshot from the productive server you have downloaded in the previous step.

Please make sure that the OSS notes on both your productive system and your S4HANA system are identical. The notes have changes to file format of the download file. If the notes are notes identically applied, you will have file format upload issues. Recommendation is to apply all recent SUSG note to both your productive server and the S4HANA system.

S4HANA custom code migration app with usage data

Now you can finally launch the S4HANA custom code migration app. Create a new analysis. In the usage data part of the app, you can assign the snapshot you have uploaded in the previous section:

Now start the custom code analysis and let it run.

The end results of code being used or not can be seen in the column Usage Information in the Analyze Findings section:

Background information

More background on SUSG setup can be found on this blog.

Activating workflow in S4HANA

This blog will explain how to activate workflow in S4HANA. If you have to activate workflow in classic ECC system use this blog.

Questions that will be answered in this blog are:

  • How to activate workflow in S4HANA?
  • What do I need to do with the workflow activation in case of an upgrade to S4HANA?
  • Where to find more background information on workflow activation in S4HANA?

Workflow activation in S4HANA

First make sure you have created system user SAP_WFRT. Start with assigning SAP_ALL to this user. You can replace it with lower rights after the activation is done properly.

Start transaction SWU3:

Select the Edit Runtime Environment and press the button Execute Activity. This will activate all the actions below.

After it is done you can press the button Start Verification Workflow to check if the workflow runs properly. After 1 minute (it needs compilation in the background) start transaction SBWP.

All background information regarding SWU3 can be found in OSS note 2366252 – Transaction SWU3 explained.

Activating workflow after upgrade to S4HANA

After upgrading to S4HANA workflow will not work any more. You first need to create system user SAP_WFRT and redo the SWU3 setup.

Background user SAP_WFRT will replace background user WF-BATCH.

For more background on this replacement see oss note 2568271 – Change of workflow system user and workflow system jobs with S/4HANA On-Premise 1709 and oss note 2637240 – Error in SWU3 – System user ‘SAP_WFRT’ does not exist.

If you have issues with the workflow batch jobs after the upgrade, please check OSS notes:

After the user and RFC activation you need to schedule the new workflow jobs in SJOBREPO:

Read OSS note 3109917 – How to change the step user of workflow system jobs while keep the other technical jobs in job repository unchanged for instructions on the job user for workflow.

More workflow

For workflow tips and tricks: read this blog.

Setup of FIORI my workflow inbox: read this blog.

For deletion and archiving of workflow: read this blog.

Activating embedded BI in S4HANA

This blog will explain how to activate embedded BI in S4HANA.

Questions that will be answered are:

  • How to activate embedded BI in S4HANA?
  • Where to find more background information about embedded BI activation in S4HANA?

Setting up embedded BI in S4HANA

To start setup of embedded BI in S4HANA go to transaction STC01 and start task list SAP_BW_SETUP_INITIAL_S4HANA:

The task list will ask you to confirm that you have read OSS note 2303900 – Latest Information about BW Setup in S/4HANA Systems. You should really read the note before and apply the known issue notes listed in this note.

Then you need to set the BI client: best to use the same client as your data client. Withe BW content option, just choose all.

Now run the task list and be patient. If the task list finishes correctly you are done. You can use transaction RSA5 to check the content activation.

OSS note 2636754 – Configuration steps for embedded Analytics in ABAP based Applications contains detailed explanation of all the steps in this task list.

Bug fix OSS notes:

Full list is in OSS note 2303900 – Latest Information about BW Setup in S/4HANA Systems.

Known issues

EQ_RS_AUTOSETUP: you might run into an issue with this program.

First apply OSS notes 2704713 – Report EQ_RS_AUTOSETUP: improvements and enhancements and 3005612 – Report EQ_RS_AUTOSETUP: improvements and enhancements (2) to get the latest patches for this program. Then run the program EQ_RS_AUTOSETUP manually:

Transaction RSTCO_ADMIN: this one might not have gone right.

Re-install the content if required.

Background information

Good background information can be found at:

The configuration of embedded analytics is also part of the SAP best practices:

Download the full configuration guide.

S4HANA standard batch jobs

In S4HANA standard jobs are scheduled in a different way.

This blog will answer the following questions:

  • How to see then new standard jobs via transaction SJOBREPO?
  • Where to find more information on more advanced functions?
  • Which background OSS notes can I read on the S4HANA stand batch job repository?
  • I have done a change to SJOBREPO and it is not visible? (it takes up to 1 hour!)

Viewing the job repository

Start transaction SJOBREPO to view the job repository:

The jobs running are different per release. Check the corresponding note. Example for S4HANA 2020: 2992214 – Jobs in the Technical Job Repository (SJOBREPO) in SAP S/4HANA 2020.

Use transaction SWF_JOBREPO_SLG1 to see logs of potential job issues.

To assign a standard user to job steps use transaction SJOBREPO_STEPUSER to set standard job step user:

See OSS note 2449125 – Create and assign job step user for Technical Job Repository. And 3109917 – How to change the step user of workflow system jobs while keep the other technical jobs in job repository unchanged.

Checking the activation status of SJOBREPO

With program R_JR_UTIL_1 you can check the current status of SJOBREPO or activate it:

See OSS note 2790150 – Automatic Job Scheduling is switched off.

Activation and monitoring

In SJOBREPO, more background information can be found by clicking the button Monitor help:

A very important remark is made here that it can take up to 1 hour before changes to SJOBREPO are visible in the monitoring overview. This is a very annoying feature.

Advanced functions in SJOBREPO

All the advanced configuration functions of the S4HANA job repository can be found as PDF attachment to OSS note 2190119 – Background information about S/4HANA technical job repository.

Activation of server group for technical job repository

Apply OSS note 3057980 – Targetservergroups in SJOBREPO in Release 7.55 to get the function for server groups for the technical job repository.

Scope dependent jobs

In customizing you can activate scope dependent jobs:

See also OSS note 3085988 – Technical job is not getting schedule in S/4HANA SJOBREPO because the job is showing as ‘Not in Scope’.

Background OSS notes

Useful background OSS notes:

Bug fix notes:

Activating search in S4HANA

This blog will describe the steps in activating search in S4HANA. We will explain both new fresh installation and upgrade from system which has search already activated.

Questions that will be answered in this blog are:

  • How to activate search in S4HANA for an initial installation?
  • How to activate search in S4HANA after upgrade when search was already active?

Activating search in S4HANA new installation

To activate search goto transaction STC01 and select task list SAP_ESH_INITIAL_SETUP_WRK_CLIENT:

Open the details:

Make sure that you set the TREX destination to SAP HANA DB:

Then select the search model. For most use cases this will be SAPAPPLH:

Now run the task list and be patient. This can take quite some time. If the task list finishes correctly start transaction ESH_COCKPIT to check that all search connectors are correctly activated.

Search after upgrade to S4HANA

If you upgrade your existing system and have search already active, you get this message after launching ESH_COCKPIT:

Run report ESH_CDSABAP_ACTIVATION with default parameters:

This might be a long run:

If you run into issues, check that the following OSS notes are applied:

For some search connectors based on CDS you might see this error message:

In this case you need to goto transaction SFW5 and activate the needed switch for Enterprise Search for the specified object:

After the activation is done, rerun the search activation again.

Background: 2905864 – ESH_COCKPIT errors: ESH_DB037 – No activation of CDS-entities for Enterprise Search ESH_DB027 – Mandatory Data Source is missing.

More background information

More background on search can be found in the Search section of this blog. Also read OSS note 2626107 – How to execute task list SAP_ESH_INITIAL_SETUP_WRK_CLIENT.

Relevant OSS notes: