
A few months ago I blogged about “The importance of being trained…” after attending an ABAP training course with SAP’s Education Department which left me regretting not having done it earlier. Different opinions about the cost : benefit ratios of training approaches were voiced in the resulting discussions, and I would like to follow up with another positive experience of a similar nature which is also not for free – but in my books well worth it if you have made serious investments in your business and SAP technologies to support it.

I have since attended three specialized customer security workshops as part of the MaxAttention contract option – two of them together with the customer to meet with experts from SAP on an annual basis for information exchange and one representing SAP with a customer wanting specific release dependent upgrade information not included in the standard ADM education scopes.

From the feedback, the SAP experts benefitted from the information gained from these focused workshops as much as the customer did. I can also vouch for the same: discussing customer specific implementation aspects “in the wild”, doing demos of new and improved standard functionality, finding solutions during the sessions which were previously not known and even producing a few SAP note corrections to the standard system. All with a lot of support from the SAP “backbone” behind MaxAttention services. 

There were three aspects to these MaxAttention workshops which I would like to mention in a bit more detail, as they were key ingredients for me: 

 

  • The audience: Including security folks (authorization & user administrators as well as infrastructure security) together with development members, system administrators, solution architects and compliance officers makes a good workshop. Not everyone can go into the same level of detail and others need to be moderated a bit, but certain common denominators start forming for the security aspects of implementing and running good software solutions. For example the “basis folks” were at times impressed with what is possible (or even what should be a baseline policy for them to have) which they were not aware of or did not know the background of and therefore did not pay sufficient attention to. Likewise “compliance folks” gained a better understanding of some constraints and the reasons for them. 

 

  • Sustainable implementations: MaxAttention is not about project Go-Live on time and within budget. It is about doing it consistently in running SAP system landscapes. Although one can use user and role provisioning with an IdM to bring down operational security costs, there is still some tricky security work to be done and important decisions to be made on a day-to-day basis. SAP’s Security Product Management is also focusing on being a part of the “RunSAP methodology” for post Go-Live system support after Elvis has left the building… 🙂 An example of this is the new transaction RSECNOTE (see SAP Note 888889) which automatically scans the systems for important security corrections not included in your patch levels and is integrated into the EarlyWatch service and SolMan. There are many more. 

 

  • Close interaction with SAP: Existing implementations using functionality which is in “maintenance mode” or even custom developments which are encountering previously unthought-of constraints are always tricky. You might need to adjust your concept and possibly even change the code more often than you hoped for. Or it simply does not work and there is no other visible option. You can try the SAP Note 11 route, but that takes time and effort and involves other people’s problems as well (I think this is an intended feature of the note :-). In selected cases where the “spanner in the works” was well thought out and presented by the customer, the direct access to experts from SAP who can be accessed via the MaxAttention contract option can make that little difference you need. As one SAP developer said during a (working) lunch session: “Okay… it has just gone “click” for me now.” Actually, the existing customer modification was requested as a basis for a standard SAP development. 

I left these workshops with a similar feeling as I had at the time after attending my first (and regrettably late) formal ABAP training: Do yourself and your important systems a favour by recognizing the importance of being supported appropriately. 

 

Disclaimer: This blog is in no way a criticism of SAP’s standard support offered via the SMP global support or even the platform enabled by SCN communities, with both of which I have had very positive knowledge-sharing experiences as well. If you know me, then you will know that there is no doubt about that. But for very focused and specialized security support condensed into a three-day workshop, you get what you pay for with the MaxAttention contract option.

Disclosure: SAP is a customer.


7 Comments


    1. Julius von dem Bussche Post author
      Hi Michael,

      Some topics had a customer specific context and risk perspective – hence a workshop with an agenda agreed upon in advance.

      Some examples are:
      – Optional profile parameters not used with the default values.
      – Handling shortcut attachments internally and externally.
      – Maintaining SU24 for objects other than S_TCODE.
      – Dual maintenance of roles in upgrade landscapes.
      – Special cases when customers can use SU22 and how to upgrade this special “original” data (SU25).
      – Limitations of Org. Levels and mass derivation of them.
      – Security aspects of SolMan and SLD strategy.
      – SAML 2.0 and electronic signatures in ABAP systems.
      – PIDs vs. Personalization Keys.
      – Mass maintenance tools which can safely be used in PROD:
      – New change document mechanisms.
      – The package concept and table access in future.
      – Data classification, &NC& groups and the symbolic table &SM31&.
      – RFC security using the function module name.
      – RFC security on the client server (S_ICF).
      – Path hooks for access to the file system.
      – Customizing options in the background processing.
      – GUI scripting.
      – New approach to protecting user DDIC.
      – Mimicking downward password compatibility (to eliminate it) and salted hashes.
      – Custom tools for mass maintenance – what not to do next time.
      – etc…

      Cheers,
      Julius

      (0) 
        1. Julius von dem Bussche Post author
          Some of the topics are touched on generically by various courses, but the advantage is that you get them all in one session with time to discuss customer specific aspects here. This is often difficult in the training scope where there are 18 different customers on the same course and is not intended to be consulting anyway. I know that some course attendees are a bit disappointed by this sometimes.
          Most of the effort was in the preparation (at least it was for me) but this makes it possible for gurus to spend more focused time away from their normal day-to-day operations and projects.
          Customer tailored training + condensed consulting support = MaxAttention Workshop 🙂

          Cheers,
          Julius

          (0) 
  1. Patel kinjar
    I certainly agree with you Julius,

    However one question in mind!

    Do you think that ADM* courses are more technically oriented, one still needs to have good business process understanding to be good support personnel from SAP security point of view.

    I come across this situation a lot, especially when functional folks do not recognise the compliance and that may impact the business and you need to make them aware about the situation!

    (0) 
    1. Julius von dem Bussche Post author
      Yes, this is certainly an important skill to have – but often takes experience (and time) to accumulate.

      I have given the ADM* training courses as well and discussions are facilitated to think about the impact of security measures and avoid hitting small nails with oversized hammers, etc. 🙂 Folks often bring examples, but there is neither time nor intention to make a whole case study out of it in the training, so at some point we need to move on to the course material again.

      In a workshop with an agenda which the customer can define, it is however possible to assign 2 hours to discuss a specific transaction and go through the options and discuss the impact of the choice of transaction and its use, if you wish. An interesting example is FB01 vs. subledger transactions; as simple as it sounds it can even have an organizational impact.

      Cheers,
      Julius

      (0) 
