IT/SAP administration and support or Basis projects are pure abstraction for business people. Monitoring? Access management? Backups? These are tasks performed somewhere in the background. But they are essential activities. Although you don’t have to do everything yourself. It’s worthwhile to enlist the constant help of specialists.
At All for One Poland, a team of more than 80 IT/SAP administrators and Basis consultants ensures the availability and continuity of customers’ systems. Divided into teams, specializing in different areas and technologies, they oversee, improve and develop clients’ SAP installations on a daily basis.
Routine daily monitoring tasks, SAP Basis projects, work on migration to SAP S/4HANA or migration to the cloud – consultants carry out work for both multinational corporations, customers with the largest SAP installations in Poland, and SME companies working on single-system environments. Our team supports dozens of installations maintained in SAP Managed Services, as well as systems located on-site or at other cloud providers for SAP.
Managed Services do not remove the responsibility for SAP from the IT head. However, delegating some or all of the tasks to an external partner makes day-to-day work easier and “sifts out" many thankless, repetitive tasks. And you can really relax on vacation.
Below, our consultants talk about ordinary and extraordinary tasks, the daily routine of an administrator, as well as complex projects in multi-system SAP landscapes.
Now TechMon is monitoring
Pawel Janikowski
Some of our customers’ business processes are left to their own devices, and either they work and problems don’t exist, or problems do occur, which we, as SAP system administrators, become aware of when a problem has grown to great proportions and firefighting is necessary. Does this always have to be the case? Can’t we somehow legitimize it? Try to identify the threat before the problem realistically occurs?
It was with this premise that I approached an attempt to find a solution for a request from one of our customers. The problem itself was quite trivial (more on that below), while it required additional configuration that was not available as standard in SAP Solution Manager’s Technical Monitoring.
The first step of the solution was to identify where the business process “sticks". This required understanding the logic of the process itself.
It turned out that the problem the customer was facing was related to simple RFC processing between SAP PO and SAP ERP systems. The nature of the solution and the very large amount of data meant that more time was needed for processing – sometimes about 5 minutes was enough. Only after the processing was completed could the user correct the data and use the functionality.
The waiting time for the result was acceptable to users, only the lack of information about when the delay would occur and how long it might last was a disorganizing factor. For this reason, I made the decision to make an additional configuration in the Technical Monitoring tool, so that if a “snag" occurs at a sufficiently large, predetermined level, the system will inform the technical department via email and SMS about the possibility of a high load on the system. And in case a scheduled task that is responsible for data transfer takes longer than usual, third parties are informed that it will be possible to pull out the data with a slight delay (15 minutes).
This customized solution is still being used successfully at the client today. This is one example of how we can easily at least partially monitor a business process.
IT rescue procedures
Daniel Hahn
In cases of R&R (Restore and Recovery) tests, a common problem is…. their complete absence.
The company develops and implements in IT procedures and standards to ensure security and business continuity in the event of server failure. It then orders an external audit. The auditors checked, issued the appropriate certificates and off they went. The procedures were created correctly.
And then no one verifies them for several more years.
This is unfortunately a fairly common sin in IT organizations. It was also committed by one of our clients. R&R procedures were started once, right after they were created. After that, they were never repeated. New people joined the admin team, the old ones left, and the procedures were forgotten.
And in the meantime, over the years of virtually uninterrupted operation, the database server, specifically the databases, had grown a lot. When finally, with our participation, R&R tests were carried out according to the old procedures, it turned out that the restoration of the server was not possible on the previously indicated resources. We simply ran out of space.
This time it was only a “trial alarm". The customer, following our recommendations, ordered additional equipment and increased the available space. Another of our recommendations was to periodically conduct R&R tests and verify and update them.
IT security procedures are like emergency equipment. It’s worth it if it’s always in working order and readily available.
Mission: centralization
Grzegorz Zielinski
One of our customers, whose SAP systems environment has grown significantly, has seen a significant increase in user support time for creating accounts, managing permissions, and unlocking and changing passwords. With the growing number of systems/mandates, business users have already begun to notice an increase in service time.
The client approached us expecting a solution to a user administration problem.
We proposed a Central User Administration (CUA) solution. Now, with CUA, customer administrators can manage users on all SAP systems in an easier, cheaper and faster way. From one place, they create accounts, manage permissions and can change passwords or unlock accounts. Centralized privilege management is much more efficient. Security has also improved when it comes to access permissions to systems and data.
Well, and one more thing – which our customer really liked – to use CUA, you don’t need to install an additional system or buy new licenses.
One team, one security administrator – from one location can simultaneously execute changes for users on multiple systems. Changes made in the central system are automatically transmitted to satellite systems using SAP application link enabling (ALE) technology. There is no longer a need to log on to each system/mandate separately.
Also, a change in the basic data of a specific user (e.g., phone number, name) is automatically propagated to all systems on which it occurs.
CUA is very useful for managing teams, implementing new solutions, replacing employees, etc. It also facilitates the management of licenses assigned to individual users and allows you to have full control over them.
Mission: Single Sign On
Michal Lorek
SAP systems integration has been a familiar topic for years. SAP integration software vendors offer tools such as Central User Administration or SAP SSO. However, each has its limitations – see CUA, or requires the purchase of an additional license – like SAP SSO.
But what if an enterprise already has a Single Sign On tool and would like to integrate with SAP so as to negate the need for multiple logins?
During the implementation of SAP Fiori, the customer asked us to verify the possibility of using the authorization platform they were using to access other internal systems to log into SAP FIori Launchpad. All it took was a business email address and a one-time password entry and the user was already accessing other systems in the company. The integration allows us to avoid the need to perform re-logins. No doubt about it – this would enhance the user experience of SAP Fiori.
We were helped by the SAML2 protocol, which is used to mediate authentication and automatically transfer user credential information between systems and applications. It is worth noting that any identity provider (IdP) application that allows the use of SAML (e.g. Azure ADFS, Google) can be used for login.
The basic configuration of the solution in the SAP system is limited to the activation of the relevant ICF (Internet Communication Framework) nodes and the creation of the so-called Local Provider on the side of the SAP system and the identity provider, as well as the exchange of provider data via generated *.xml files).
Later, all that had to be done was to configure the field mapping by which the user would be recognized in SAP. This could be, for example, the user’s name, email address, last name or any other field.
And there it is. Now our client’s employees can enjoy a working SSO login.
Think ahead
Joseph Kurnatowski
The life cycle of the SAP environment in all companies is more or less similar. The first and second year after implementation is when the system is running stably and satisfactorily after a successful project. During this time, the customer builds a team that acquires and develops competencies. In the third and fourth year, increasing business awareness provokes a myriad of changes, successive implementations of new functionalities engage the existing team beyond their time capacity. Anything can be done in infinite time. The glitch, however, is that time is the only finite and non-extendable value. Opportunities to expand the team in many ways are often simply physically impossible (lack of specialists, limited budget, etc.).
If you are facing one of these challenges: competence, scale, complexity – the good news is that similar challenges have been faced by others. Admittedly, I don’t know a one-size-fits-all solution. However, I do know that the team we are assembling has dealt with some very interesting and difficult situations. And this is due to continuous improvement at every level.
Competence is a constant arms race. Once we master an issue or technology, we find that SAP has developed it, changed it, improved it or even turned it upside down – mobilizing us to learn more. ADM100 training has had the same name for years, but the content and content are unrecognizable. The content is unrecognizable. So is the infrastructure. And the complexity of implementation projects? A decade ago it was simply SAP ERP. Today we have S/4, CRM, GW, Fiori, WebDispatcher, SAC. Plus HANA, IaaS, SaaS….
The needs of business are going to get bigger and bigger. At this point it is worth focusing on the main question – what is the core of our company’s operations? If it is not IT, then almost by definition it is a waste of energy to try to reinvent the wheel. Of course, it is not that a small, medium or large organization does not need IT specialists. On the contrary, it needs them, they are essential for coordinating work. No one can replace their knowledge of the organization and business processes. It is thanks to their knowledge that cooperation with a service organization like ours is possible at a satisfactory level for everyone.
Gathering experience from my own, but also from many customers, I am convinced that the option in which the IT infrastructure and SAP Basis departments, which are important for the security and optimal operation of the systems, are outsourced, and the energy of key IT professionals is directed to development and coordination, is optimal.
Ready for S/4
Tomasz Czubaszek
Task: upgrade the tri-system landscape of SAP non-unicode systems EHP4 for SAP ERP 6.0 to EHP8 for SAP ERP 6.0. Technical limitations forced the conversion of SAP to the unicode standard as a first step.
The conversion implies performing a migration of systems, so they were migrated to a new operating system (Windows Server) and the latest version of the database (MS SQL Server).
This customer’s SAP systems landscape already had a history – numerous customizations, proprietary solutions and products from other vendors. Consequently, the conversion required the coordination of technical and application consultants, as well as vendors of proprietary solutions that would continue to work after the migration.
The size of the production system’s output database and the length of the service window dictated a parallel export and import scenario. The database fill level oscillated around 1.7 TB. The entire unavailability phase and testing had to fit into the weekend service window. Due to the size of the database, the number of tasks and the parties involved, there was no room for errors and delays.
A major challenge proved to be the migration of a huge table that was part of another vendor’s product in operation. It accounted for almost half the size of the entire system database. Both its size and binary content forced the need to manually optimize its migration process. Thanks to the flexibility in resource allocation made possible by keeping the systems in the Managed Cloud model, optimization was possible on a copy of the system in a separate environment. We were also able to significantly increase machine resources for the migration, without generating additional costs for the customer. In the end, the system was migrated successfully, with plenty of service time.
During the first days of production use, the system was covered by dedicated post-migration support from our consultants. In the next phase, we performed a technical upgrade to EHP8.
Currently, the system meets the requirements for eventual conversion to S/4HANA in a one-step approach model, the basic requirement of which is a unicode source system.
SAP NetWeaver 7.40 was the last release to support the non-unicode standard. For this reason, upgrades of older systems entail a conversion as a step prior to an SAP software version change project.
In 2020, SAP extended standard support for SAP Business Suite systems until the end of 2027, thus giving its customers additional time to migrate to S/4HANA. Given the uncertain times, the annual budget cycles prevailing in companies, the duration of migration projects to S/4HANA and the possible piling up of these projects in the service market, it is worth making good use of this time.
Hit expectations
Szymon Grzegorek
It has become accepted that the main task of a service coordinator is to listen to customer complaints about the quality and handling time of service requests, and then to invoice for tasks completed or resources provided. Not so with us. At All for One Poland, we have created our own definition of the role of the customer coordinator. It is a representative, a customer advocate within our structures, equipped with a range of tools and competencies necessary to hit the customer’s expectations.
First, we rely on regular contact that builds relationships of trust. Regular meetings (although now more in the form of teleconferences) serve this purpose. Secondly, our ambition is advanced knowledge of the customer’s systems environment, gained not only “in battle", when solving problems or facing challenges of environment development. We create and maintain up-to-date documentation of supported systems. We cannot rely on our memory alone.
An experienced coordinator is able to identify the client’s needs before he or she is aware of them, and support him or her in appropriately creating expectations for external partners, and sometimes even reduce the cost of planned investments by pointing out other effective solutions.
But the system is just a tool. What matters is the business. The coordinator, who is in constant contact with the customer, is well acquainted with the specifics of the customer’s work and can reconcile the necessary maintenance work with the requirements of business processes.
Also valuable is an out-of-the-box approach to a problem – and especially the results. One of our clients was experiencing performance problems on SAP in a tool created by his development team. The application was completely independent of the system standard, and for this reason the code analysis process could not be reported to SAP. The client, using our SAP administration services, asked us for this analysis. The coordinator searched the organization for a consultant with the right competence and engaged him for this non-standard task. During the analysis, the consultant concluded that the cause of the performance problem was the SAP Adaptive Server Enterprise database engine. We reported it to the software developer. After less than a week, SAP released a patch for Sybase that eliminated the problem. Initially available only to our customer, the fix was then placed in the official Service Path of that database.
The power of knowledge
Radoslaw Owczarzak
One of our client companies was making organizational changes. This always involves the need to create new authorizations and roles to reflect the new structure. SAP administrators at the client often make minor changes within existing roles on the system, but they do not have experience in designing and creating roles from scratch. This task is also worth doing according to good, tested methods, and their knowledge is not common among SAP admins.
This was also the case, so the client approached us to help create new roles. The task fell to me. I suggested what procedures would be most useful for the smooth creation of the roles and helped with the technical aspects of their implementation.
Administrators often use SU53 transactions. It’s not bad for smaller changes, but when larger changes need to be made or roles need to be created from scratch, I find that this tool is not powerful enough. Instead, I have instructed client administrators on how they can use the trace from STAUTHTRACE transactions. This tool is mainly used to trace what authorization objects are checked by SAP when a user performs their work.
Wanting to create roles with this tool, the administrator creates a test user with full privileges. Then the employee performs his tasks on the test user. Subsequently, the administrator, based on the stored data, is able to create a role corresponding to the position held by the employee. This, of course, requires some experience, as the analysis of trace results can be quite complex.
In this case, I helped the client’s administrators with the analysis and trained them in this regard, so that in the future they will be able to use STAUTHTRACE transactions in their work.
The result of this service request is this: not only did I create the necessary roles in the client’s system, but I also imparted knowledge that will definitely be useful to its administrators in performing their tasks more efficiently.