Monday, November 9, 2015

UFLAG field entries in table USR02

Regular entries of field USR02-UFLAG which refers to domain XUUFLAG are following below. However in many customer systems there are many other values which do not refer to the domain.

0        Not locked
32      Locked Globally By Administrator = Locked by CUA admin (User Admin)
64      Locked Locally By Administrator
128     Locked due to incorrect logon attempts or too many failed attempts

Some of the values in there are sums of two different values which are actually present in the domain. For example value of 192:

192     A combination of 128 and 64: 128 + 64 = 192. The user was locked by itself by entering too many incorrect passwords and later it was locked again by Administrator.

There is also common practice by basis people to increase the value of field for all users in the system by e.g. 1. They do this in events of e.g. upgrades when they need to lock all users in the system. Once such an activity is done they decrease the values again by 1 to get to the state as it was before the activity. In case you encounter some strange values in the table it might be got created by such activity.

More information:
1887820 - Incorrect User Lock Status (UFLAG) in table USR02

Sunday, November 8, 2015

SAP NetWeaver 7.5

On Oct 20th 2015 next version of SAP NetWeaver – 7.5 a successor of 7.4 was announced. Main drivers for the 7.5 version are SAP S/4HANA; SAP Business Suite EhP 8 for SAP ERP (both on premise editions) and so called SAP NetWeaver hubs (SAP NetWeaver Identity Management (IdM), SAP Enterprise Portal (EP), SAP Business Warehouse (BW) and SAP Process Orchestration (PO) ).

From technology point of view the 7.5 supports Java 8, it includes enhancements for integration with SAP HANA Cloud Platform, contains innovations in ABAP, and it supports Internet of Things (IoT), mobile, cloud, big data and analytics.

Of course the NetWeaver 7.5 will soon be followed by other of its components (or hubs) with same version number. Therefore let’s look in more details to just technology – or so called basis components of the 7.5. In case ODATA (SAP Gateway) it supports OData version 4. With regards to HANA there is obvious trend that continues of pushing code down to the database and leveraging the information management capabilities of HANA. Speaking of big data the 7.5 has support for Hadoop and multi tiering. In case of Fiori performance optimization is delivered within the 7.5. Lastly within cloud topic there is integration with SAP HANA Cloud Platform (HCP) and the 7.5.

Looking closer at ABAP of the 7.5 the ABAP engine includes programming model via Core Data Services (CDS) for support for web based communication in real time for IoT use over TCP protocols. This is built on concept of the ABAP channels (already introduced in 7.4)

Currently there are following SP of NW 75:
SAP NetWeaver 7.5 SP0                GA 20 Oct 2015

More information:

Detecting debugger in ABAP program

With relation to my recent post “How to determine simulation mode of DTP” where I was blogging about detecting debugger within BW’s transformation’s routines I was curious how to achieve the same with classic ABAP environment. Within the BW’s transformation it was simple there is a clear variable which simple evaluation get the answer weather the transformation is running in the debugger or not.

In case of pure ABAP environment it is not that simple. There are ABAP system field like SY-DEBUG and SY-BATCH which I immediately thought of. However at least in newer versions of NetWeaver (7.x) they seems not be functioning in case of evaluating whether the ABAP program runs in the debugger or not.

As next I found FM TH_GET_DEBUG_INFO which looked from description that it does the job: get debugging info… I tried to put following code into my report:

DATA: lv_dbg_cnt TYPE i.
DEBUGGING_COUNT= lv_dbg_cnt.
IF  lv_dbg_cnt EQ 2.
   write: / 'dbg is ON'.
  IF  lv_dbg_cnt EQ 1.
   write: / 'dbg is OFF'.

However this didn’t work out either.

As third thing I found FM SYSTEM_DEBUG_BREAKPOINTS. This FM calls C function called 'DEBUG_CNTL' which finally does the job. Actually the breakpoints seem to be stored somewhere within app server memory and the C function provides them. The above mentioned FM needs to be called up with input parameter MAIN_PROGRAM which’s values is the program that we want to evaluate whether it run in debugger.

Down below is simple call of the FM. In case TABLE parameter’s BREAKPOINTS has at least one row then the debugger is set in source code if input’s parameter MAIN_PROGRAM.

This solution will work in cases someone puts breakpoints manually in source code. Therefore I think it should cover all switches to debugger in case the breakpoints are set. However it won’t cover the case if someone just hits /h and continues to debug the code.

DATA: lt_breakpoints TYPE TABLE OF breakpoint.
   main_program                = 'ZMM_TEST'
   breakpoints                 = lt_breakpoints.

Tracing incoming RFC or why SAP user is getting locked?

There are many discussion threads on SCN dealing with issue of SAP user which gets locked frequently and reason of this it not know. I recently faced same issue. My SAP user I’m regularly using in one of my SAP system was locked. As I’m using my cloud provider to host the SAP system for me and every time I needed to write an email to provider to unlock the user. After few times of bothering them I obtained new user which I was using to unlock my regular user. I started to use that new user instead of my regular one however from time to time I needed to use the regular user and it was still locked. I decided to invest some time to hunt a mystery of why my regular user was getting locked.

As mentioned I started with having a look at SCN and elsewhere to get an overview what I should do to get the mystery solved. I came a across posts like:

·         this – suggesting to use tcode STAD
·         this – suggesting to use ST03N tcode
·         this – suggesting to use tcode SM19/SM20 – Audit logs
·         this suggesting to use tcode ST01
·         this suggesting to use CCMS
·         this / this suggesting to use report ZRFC_STATRECS_SUMMARY (or tcode STRFCTRACE in newer versions of NetWeaver see Note 931251)
·         and many others.

I went through all of them however I was not able to figure out what was an issue.
One thing was obvious from reviewing all the posts was that it happens because of some RFC call. I checked with rest of developers who shares the same SAP system with me but none of them was using my regular SAP user to run their automated tests. Only thing which was for sure was that in tcode SM21 I was getting entries like following:

00:51:32 DIA  008 800 MYUSER US  1 User MYUSER locked due to incorrect logon
02:16:58 DIA  001 800 MYUSER US  1 User MYUSER locked due to incorrect logon
17:06:42 DIA  000 800 MYUSER US  1 User MYUSER locked due to incorrect logon

I tried to setup few system profile parameters to increase level of logging. After every such an attempt I unlocked my regular SAP user and I waited to get user locked and I reviewed logs but not a chance to reveal the mystery.

Finally I ran to SCN post which suggested to setup following profile parameter:
rfc/signon_error_log to value 2

The parameter causes that when the RFC logon fails the SAP system create an ABAP dump with all the call’s detail. The ABAP dump is called “CALL_FUNCTION_SIGNON_REJECTED” and it basically provides all information that helps to identify the FCR call causing the issue:

Category               Installation Errors
Date and Time          08.11.2015 18:11:32
 Short text
     You are not authorized to logon to the target system (error code 53).
53   PASSWORD_ATTEMPTS_LIMITED  Lock counter exceeded
Server-Side Connection Information
Client.............. 000
User................ "SAPSYS"
Transaction......... " "
Call Program........."CL_BGRFC_SUPERVISOR_START=====CP"
Function Module..... "BGRFC_CHECK_SCHEDULERS"
Call Destination.... "xxxx_RFC"
Source Server....... "abcserver_SID_sysno"
Source IP Address... ""

Based on “Call Program” I was able to identify the thing which was causing the issue. Once I entered proper password to RFC destination actually used for bgRFC in tcode “SBGRFCCONF - bgRFC Configuration” issue disappeared and the mystery was solved!

Tuesday, November 3, 2015

How to determine simulation mode of DTP

Simulation mode of DTP is quite useful function of BW. When there are some issues with the data in target of transformation we can use it to see how actually the data was transformed. In particular we can see in the debugger what is going on with the data within the transformation.

For debugging of the DTP we use Simulation of the DTP.  While using system basically jumps into debugger. For details how to use it see this wiki or online documentation.

While the DTP is running in Simulation mode no data is uploaded into the data target. This basically means that no data is changed. Sometimes there is ABAP code within the transformation where we manipulate further data e.g. in custom tables. Of course running in the Simulation mode we want to avoid manipulating the data in custom tables. As these are the custom tables by SAP standard it is not guaranteed that data is not saved as it is not saved into the BW data targets. So it is up the BW developer to ensure that no data is changed in in custom tables.

To implement it we can leverage the attributes of Simulation mode of the transformation – means Simulation of the DTP. In custom coding we can easily identify heather the DTP is running in the simulation mode. The attribute of simulation DTP carries value "DTPR_SIMULATION" in the request. Here’s example ABAP coding:

    IF request NE 'DTPR_SIMULATION'.
      MODIFY dbtab …

This fragment of code can be used in any of start/end/expert routines.

Sunday, October 18, 2015

ABAP documentation related tcodes

Being ABAP developer I often need to look up syntax of particular ABAP statement. Similarly as in discussion here I think that coding itself as activity in any of programming language is “state of mind” thing and rest (like in which language is the code written or what syntax it has) is not that important. Therefore I really like features of ABAP IDE either in SAP GUI or in Eclipse which helps me with syntax. Using e.g. auto-completion tool helps me to focus on the code and not on what the syntax of any particular syntax is. Because as said already; the syntax is not that important.

Furthermore often I need to look up some more documentation about the ABAP statements. For this I use couple of t-codes that help me all the time:

ABAPDOCU     Display ABAP Documentation - display popup called “ABAP Keyword Documentation” where I can review documentation from different standpoints like ABAP Reference, ABAP − Release-Specific Changes, ABAP Programming Guidelines, ABAP Glossary, ABAP Index, ABAP Examples, ABAP syntax diagrams, etc.

ABAPHELP           Search ABAP Documentation – display small popup with search term field where it is possible to enter any ABAP keyword and to get an documentation for

ABAP_DOCU_SHOW Call ABAP Keyword Documentation – same as ABAPHELP

Performance: Function Module interface check

In case there is an integration scenario for which a function module (FM) is exposed to external applications an performance point of view is important to be considered. It may happen that the FM with complex interface occurs performance issues.
What is meant by complex interface? Basically if there are any complex or nested data types within IMPORT/EXPORT/CHANGING parameters of the FM.

Complex data types - are made up of other data types. A distinction is made here between structured types and table types.

Nested structures – are structures that in turn contain one or more other structures as components.

To identify the FM which may have performance problem you can use report RSRFCXC. The report should be used before exposing the FM. Output of the report is evaluation of every FM’s parameters whether it may have a problem and also how to correct it.

More information:
744664 - Checking RFC-compliant FMs for complex parameters

Friday, September 25, 2015

Adding BW objects from temporary into development package

This is common issue in BW systems. Especially in systems which are productive or golden ones where no any changes were foreseen. If in such a systems an objects like BW objects of type BEx query, Query Elements, DTP, InfoPacks, etc. were created they were assigned to local package $TMP. These objects in local package are not transportable. In case it is needed to transport thee objects an assignment from $TMP to real development package must take in place.

To do this we usually go into object directory entry and we assign the object into development package. However if the system is closed for an changes this re-assignment of the package is not possible. While doing such an attempt there is error messaged showed as below.

Therefore always plan ahead. If there necessities to re-assign the development package in e.g. productive system make sure that you get your system opened. The opening of the system/client itself takes place in t-code SCC4.

System setting does not allow changes to be made to object ELEM 00O2SPCKTAN9FU9JJTONQD8BW

Message No. TO128


The system and namespace change option set for this SAP System does not allow any changes to be made to object ELEM 00O2SPCKTAN9FU9JJTONQD8BW.

System Response
Editing is terminated, the object can only be displayed.

If you want to edit the object ELEM 00O2SPCKTAN9FU9JJTONQD8BW in this SAP System, have your system administator set the SAP System to "modifiable" for this object.
This can affect the modifiability of the namespace /0CUST/ or the namespaces that correspond to the pattern /0CUST/, as well as the global setting of the system change option.
The system change option is set using the Transport Organizer tools (Transaction SE03). Expand the Administration node and execute the program Set system change option. The options are described there.

Tuesday, September 15, 2015

Maximum attachment size limit for an email sent from SAP

Sometimes it may happen that outgoing emails from SAP instance are not going through. They are stuck in queue and have red status saying following error:

Cannot process message; maximum size exceeded
Message No. XS850

This clearly indicates that email is too big to get it sent over. Case might be that it has an attachment which size is causing this. It is worth to investigate actual size of the email and the attachment. However one may end up having email already compressed and facing this issue. So further compressing of the email attachment makes no sense. Therefore chance is to check what actually the limit of the email size is. Parameters related to the size of email and its attachment are customizable. The customizing table is called SXPARAMS - SAPconnect: Parameter Table. Its maintenance is available t-code SOST -> Utilities -> General Parameters or via SM30 -> SXPARAMS.

Few parameters related to size of email and its components:

Parameter                                        Parameter value

MAXLEN_BODYPART_SMTP             0 ... 999999999999   size for a document
MAXLEN_BODYPART_ALI_SMTP       0 ... 999999999999   lists of the type ALI
MAXLEN_BODYPART_OTF_SMTP      0 ... 999999999999   SAPscript documents

MAXLEN_MIME_MESSAGE_SMTP     0 ... 999999999999   MIME attachment

How to recognize whether SNC is installed in SAP system?

SNC is very often used by SAP customers to secure the data exchange between SAP and external systems. Also communication form SAP GUI to SAP backend by default is not encrypted. To secure communication like these and SNC needs to be implemented in SAP systems landscape.

The SNC or Secure Network Communication is an interface securing communications between two secure SAP systems; it provides application-level, end-to-end level of security. Protection is usually provided by an external security product that is available to SAP system using SNC interface. The interface complies with internet standard Generic Security Services Application Programming Interface (GSS API) version 2. The default product provided by SAP is the SAP Cryptographic Library, which you can use for SNC between SAP System server components.

Sometime there is a question form customers whether they do have the SNC in place. How to quickly check this? There are couples of ways…

1. By running Function Module SNC_CHECK_ACTIVE: The FM has no import parameters. Therefore just open the tcode SE37 put the name of the FM and run it. In case the SNC is enabled in particular SAP system there is export parameter ACTIVE set to X returned.

2. table USRACL: it stored SNC Access Control List (ACL)for users. In case the SNC is enabled every user recognized in field BNAME has field PNAME populated. In that field a canonical name is stored in format:

3. t-code SU01: in case the SNC is enabled an particular user has following data in tab strip called SNC:
SNC Status: SNC is active on this application server
SNC Data: SNC Name: p:CN=@company_domain

Sunday, September 13, 2015

Can’t set more than 30 breakpoints

Sometimes it is very easy to set many breakpoints while digging into SAP system. Very common case for that is to set a breakpoint into every statement like MESSAGE. Then in case one still needs more breakpoints following messages pops-up:

Can’t set more than 30 breakpoints
Message No. SY407

It is a matter of fact that there is this hard limit on number of breakpoints = 30 per one login into the system. It is not possible to set more breakpoints than that. The breakpoints (session breakpoints) are managed by C function DEBUG_CNTL so it is not possible to tell where the list of the breakpoints already set are stored. Only in case of external breakpoints it is possible to determine no of these. They are stored in table ABDBG_BPS.

Now how to easily get rid of all the breakpoints currently set in the system? Deactivating and also removing the breakpoints can be achieved in following ways:

1. In ABAP Workbench (tcode SE38): while in source code, see menu:
Utilities -> Breakpoints -> Delete
Utilities -> External Breakpoints -> Delete

2. In ABAP Debugger, menu: Breakpoints -> Delete all BPs or Deactivate all BPs

3. tcode RSBREAKPOINTS -> Delete Breakpoints

More information on breakpoints topic:
Remote ABAP Debugging and more (btw: this blog was written almost exactly 6 years back from writing this blog J )

Saturday, August 29, 2015


I recently faced authorization issue. As usually I sent an output of t-code SU53 which is evaluate of authorization check to SAP security team. As colleague from the security had some issues with finding the objects which authorization was missing to be granted for my user we sat together to see the issue. While we were working on it he showed my new interesting t-code of which existence I wasn’t aware before. It is the t-code STAUTHTRACE.

The t-code allows system-wide trace evaluation. This solves very common issue in case of system with multiple application servers. In such a case you need to perform analysis of authorization checks on particular server where user is logged to.
The trace in the t-code is very detailed. It basically shows all trace (similarly to t-code SU22) needed for analyze any kind of AUT issues. The trace so detailed but is limited authorization checks only.

The new t-code is available as of following NW releases: NW Basis 700 SP27, 701 SP12, 702 SP12, 730 SP8, 731 SP5 and NW 74+.

More information:
1707841 - STAUTHTRACE: System-wide trace evaluation
1603756 - Using StAuthTrace to record authorization checks

Saturday, August 8, 2015

Where to find information about SAP Security?

Every day SAP admins are facing many challenges. One of them is related to security. Also someone one may not consider security as an issue. But according surveys like here or here we can see that security is very important in SAP systems as well. Within this post I want to highlight few pages where we can learn about different aspects about security within SAP systems.

SAP Security Notes:

Patch Day MM/YYYY Notes - SAP releases security notes (a fixes of wide range of security issues discovered within SAP software) within SAP Notes that are called Patch Day Notes; search for patch day at -> Help & Support -> Search for SAP Notes and SAP Knowledge Base Articles -> SAP Security Notes -> White Papers or access it via direct link: SAP Security Recommendations


Failed transport contains objects related to new source system

Recently I faced one strange transport issue. I developed a new data flow related to newly created source system. That source system had complete setup from basis point of view in target BW system as well. It correctly appeared under Source Systems area in Modeling of TA RSA1.  Even Check connection functionality (available at right click on source system name) worked for the new source system in the target system. However my transport with had the flow using the source system (so called “source system dependent objects”) failed with following errors:

Transformation 0G2M3XTZUMRNTOQTV4EH6PK6VGDNVHLD inactive; action cannot be executed      Message No. RSBK260
Saving Objects with Type Data Transfer Process
Saving Data Transfer Process DTP_00O2SPBAQDZQZ6KPQH9N4U2NT
Transformation 0G2M3XTZUMRNTOQTV4EH6PK6VGDNVHLD inactive; action cannot be executed
Error while saving Data Transfer Process DTP_00O2SPBAQDZQZ6KPQH9N4U2NT
End of after import methode RS_DTPA_AFTER_IMPORT (Activation mode) - runtime: 00:00:00

As per error I checked TRFN and DTP but they both were fine. I also reactivated the TRFN via report RSDG_TRFN_ACTIVATE but error was still there. I even checked corresponding entries in table RSTRAN and active version was there.

Then I finally got an idea to check table RSLOGSYSMAP. This table contains mapping entries of logical systems. It is used while import phase of transport takes in place. If there is a BW object related to source sys (e.g. datasource) in the transport the table is used to map source system in source BW system to target source system in target BW system. If the source mapping is not maintained then the transport fails as in my case. The problem is that from the error which is shown in the transport log it is not possible to find out this root cause. Notice that the table RSLOGSYSMAP must have the entries for the system conversion in target BW system of the transport.

Tuesday, August 4, 2015

Converting Oracle DB format of date to SAP date format

There are many data flows picking up the data from "external database" based source systems in BW. One of most used DB system is Oracle. To connect BW system to Oracle DB a technology called DB Connect is very often used. As Oracle and SAP are different systems designed by two different companies there are many differences in there while comparing each other. The differences are there as well as from date and time related fields representation.

Therefore there are challenges while integrating data from Oracle DBs into SAP BW. Especially when converting date and time fields in Oracle and into format compatible with SAP BW. Let's take an Oracle date format for example. It has a format as DD-MMM-YY means it has 7 characters (e.g. today's date is represented by: 03-AUG-15). Whereas SAP format is 8 characters long in format YYYYMMDD (see Data Element SYDATUM; Domain SYDATS or Data Type DATS). If we just simply assign Oracle date field to SAP one it won't get proper data because the fields are not compatible.

Now; how to solve this? On SCN there are many discussions (e.g. here or here) on this. Most of it suggest parsing value as they come from Oracle and concatenate it at the end to field in SAP format of date. However this is not proper approach. The way how Oracle produce the format of the data field depends on national language settings (NLS) used with the database connection. Therefore the date field can come in many different flavors as per many configuration settings. What actually needs to be done is to force Oracle to produce the date field in desired format. This can be achieved by adding function TO_CHAR into e.g. SELECT statement while we extracting the data. E.g. a separate view can be created in Oracle to add TO_CHAR function. Such a SELECT statement would look like:

select  to_char(,'YYYYMMDD') as dat from where ;

For more information see:

518241 - DB Connect in BW for an external Oracle database

Wednesday, July 22, 2015

How to find the table size in SAP system from SAP GUI

1. t-code DB02 -> Space -> Segments -> Detailed Analysis -> enter values into fields:

Segment / Object = table name
Type = TABLE

2. t-code DBACOCPIT -> Space -> Segments -> Detailed Analysis -> enter values into fields:

Segment / Object = table name
Type = TABLE

3. ABAP report RSTABLESIZE. On it selection screen just specify table into field "Table Name ". Notice this doesn't work for BW objects e.g. starting with prefix /BIC/* for which do DB statistics wasn't calculated yet.

4. Table DBSTATTORA which displays actual size of tables on the database. Just enter the table name into the field TNAME. Table size is shown in field OCCBL - Used blocks of a table in KB. Again to have this value in the table DB statistics must be up2date.

5. t-code TANA. Start first table analysis for desired table. Once it is finished display the analysis with the same t-code. Notice this t-code just gets no of entries of the table instead of table size.

6. Function module GET_TABLE_SIZE_. This is DB specific function. As SAP systems are basically "Any DB" systems which mean several major DB vendors are supported you just need to find proper FM for your DB.

Adabas/SAP DB                  ada/sdb         GET_TABLE_SIZE_ADA
Microsoft SQL Server          mss              GET_TABLE_SIZE_MSS
Oracle                                        ora               GET_TABLE_SIZE_ORA
IBM DB2/390                     db2              GET_TABLE_SIZE_DB2
IBM DB2/400                     db4              GET_TABLE_SIZE_DB4
IBM DB2 UDB                    db6              GET_TABLE_SIZE_DB6
Informix                           inf                GET_TABLE_SIZE_INF
Sybase ASE                       syb               GET_TABLE_SIZE_ALL
HANA Database                  hdb              GET_TABLE_SIZE_ALL

PS: let me know in case you are aware of any other options of how to find out table size form SAP GUI.

Tuesday, July 21, 2015

DB specific BW functions implementations

SAP BW system is similarly to SAP ECC "any" DB system. This means it support several DB platforms. In order to optimize performance of SAP system on particular DB platform some of its functions are specifically written for target DB platform. There can be optimization of SQL statements done in DB specific Native SQL or things that leverage other DB specific features. These "DB specific" codes are delivered in multiple development packages. Below I briefly introduce few main development packages specific for particular DB platforms.

pack:           description:                                        component:

RSSYB - SAP BW on Sybase ASE                           BW-SYS-DB-SYB
RSHDB - BW Porting HDB - HANA DB                    BW-SYS-DB-SDB
RSORA - BW: Oracle Porting                                 BW-BEX-OT
RSMSS - Microsoft SQL Server Porting                   BW-SYS-DB-MSS
RSADA - BW Porting MaxDB                                 BW-SYS-DB-SDB
RSDB2 - BW: Porting DB2-z/OS                            BW-SYS-DB-DB2
RSDB4 - SAP NW BW on IBM i (DB4) - AS400        BW-SYS-DB-DB4
RSDB6 - BW: Port DB6                                         BW-SYS-DB-DB6

SDBA_TERADATA - Teradata Monitoring & Admin  BW-SYS-DB-TD