Remote Code Analysis in ATC – Working with Exemptions
This is the sixth blog of the blog series about Remote Code Analysis in ABAP Test Cockpit (ATC).
See also blogs:
Motivation
If an ATC finding cannot be corrected, for example because it is a false positive or because it is currently acceptable from the quality perspective, you as a developer can suppress it from the ATC result list as of the next run by requesting an exemption from your quality expert.
Depending on the check, exemptions can be requested for the entire object or for single findings. If you request an exemption for a single finding, this exemption will be valid as long as you don’t change the coding or the relevant context of that finding. As long as you only change coding that does not affect the finding (for example, you change something in line 20 of an INCLUDE and the finding marks code in line 200), the finding will be recognized as the same, and the exemption therefore stays valid.
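The behaviour described above, as an added sketch (not SAP's code and not part of the original blog): the page does not document how ATC matches findings, so this example assumes a finding's identity is a hash over the check name, the flagged line and two lines of context on each side. The check name, the sample include and all function names are constructed for the illustration.

```python
"""Sketch: an exemption bound to a finding's content, not its line number."""
import hashlib

CHECK_ID = "DEMO_SELECT_STAR"  # hypothetical check name
CONTEXT = 2                    # assumption: lines either side that count as "relevant context"

# Constructed ABAP-like include, used only as sample input.
BASE = [
    "FORM load_orders.",
    "  DATA lt_orders TYPE TABLE OF zorders.",
    "  DATA lv_count TYPE i.",
    "  lv_count = 0.",
    "  CLEAR lt_orders.",
    "  SELECT * FROM zorders INTO TABLE lt_orders.",
    "  DESCRIBE TABLE lt_orders LINES lv_count.",
    "  WRITE lv_count.",
    "ENDFORM.",
]


def normalise(line):
    # Collapse whitespace and case so pure re-formatting keeps the identity.
    # Simplification: this also upper-cases string literals.
    return " ".join(line.split()).upper()


def fingerprint(source, line_no):
    """Hash the check id, the flagged line and its context window.

    The absolute line number is deliberately left out; only the position of
    the flagged line inside the window is included.
    """
    idx = line_no - 1
    lo = max(0, idx - CONTEXT)
    hi = min(len(source), idx + CONTEXT + 1)
    window = [normalise(text) for text in source[lo:hi]]
    material = "\n".join([CHECK_ID, str(idx - lo), *window])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def run_check(source):
    """Toy check: flag every SELECT * statement. Returns [(line_no, fingerprint)]."""
    return [
        (n, fingerprint(source, n))
        for n, text in enumerate(source, start=1)
        if normalise(text).startswith("SELECT *")
    ]


def open_findings(source, exemptions):
    """Line numbers of findings that no approved exemption covers."""
    return [n for n, fp in run_check(source) if fp not in exemptions]


def demo():
    # The quality expert approves an exemption for the finding in BASE.
    approved = {fp for _, fp in run_check(BASE)}

    # Edit far from the finding: it moves from line 6 to line 7, same identity.
    shifted = [BASE[0], '  " unrelated comment added later', *BASE[1:]]

    # Edit inside the context window: identity changes, exemption no longer applies.
    context_changed = list(BASE)
    context_changed[6] = "  DESCRIBE TABLE lt_orders LINES lv_total."

    # Edit of the flagged statement itself: same outcome.
    statement_changed = list(BASE)
    statement_changed[5] = "  SELECT * FROM zorders INTO TABLE lt_orders UP TO 10 ROWS."

    return {
        "unchanged": open_findings(BASE, approved),
        "shifted": open_findings(shifted, approved),
        "context_changed": open_findings(context_changed, approved),
        "statement_changed": open_findings(statement_changed, approved),
    }


if __name__ == "__main__":
    for scenario, lines in demo().items():
        print(f"{scenario:18s} open findings at lines: {lines}")
```

A suppression keyed on the line number alone would either break on the first unrelated edit or keep hiding a finding after the flagged code has changed; binding it to the content avoids both.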
Prerequisites
The prerequisites for managing exemptions are that a central ATC check system is set up and configured in your system landscape (see Remote Code Analysis in ATC – Technical Setup Step by Step) and that the ATC in the central check system is configured to enable exemptions (Setup -> Configure ATC in the ATC transaction).
Developer: Requesting Exemptions
To request an exemption in your local development system, position the cursor on the ATC finding and choose Request Exemption from the context menu.
On the first page of the dialog you see the information about the finding you request an exemption for, and you can choose the scope of the exemption. Click Next.
On the second page of the dialog, enter an Approver and Reason and add the Justification. Additionally, you can specify if and how you want to be notified about the status of your requested exemption ("on rejection", "on approval or on rejection", or "never").
Quality Expert: Approving or Denying Exemptions
To approve or deny your exemption, the quality expert needs to log on to the ATC central check system and use the ATC Exemption Browser (ATC Administration -> Exemption Browser in the transaction ATC) to display a list of exemptions.
Double-clicking an exemption will display its details. The quality expert can see the exemption category and justification provided by the requesting developer and can also check the object and change the settings for the scope of the exemption. See F1 help if you need information on these options.
After toggling the Edit mode (click the Edit button) for the exemption, the quality expert can approve or deny the exemption.
Developer: View Exempted Findings
If you now run ATC again for this object, the finding will be marked as exempted and by default will no longer show up in the ATC Result Browser View. You can show exempted findings by selecting Include Exempted Findings in the view menu.
Hi Olga,
Any chances of ATC Administration->Exemption Browser for reviewing and approving/rejecting ATC exemptions to be included in Eclipse ADT in future?
Currently NW 7.5 with ADT 2.71
Hi Sudipta,
in principle this is possible but not yet in our backlog.
Thanks for the feedback.
Regards,
Thomas.
Hi Olga,
If customer has exemptions raised and being approved/rejected locally in the development system before enabling the ATC central check, can the existing exemptions including their status be replicated to the central ATC system? If yes, what are the prerequisites to realize it?
Thanks and best regards,
Yuankai
Hi Yuankai,
developers request exemptions at central ATC system (ATC master system or consolidation system). Approved/rejected exemptions are stored on the ATC master system and can be propagated to the development systems. Please take a look at ATC concepts in general.
Best regards,
Olga.
Hi Olga,
Thanks for your input, actually my question is, if there were existing exemptions already approved and saved in the local developer system or consolidation system, and sometime later the ATC central system is set up, can those existing exemptions be seamlessly replicated from the development system or consolidation system to the ATC central system while at the same time the exemptions remain valid (assume no change in the context of exempted coding)?
Thanks!
Best regards,
Yuankai
Hi Yuankai,
no, currently it is not possible.
Regards,
Olga.
Hi Olga,
Does this mean all exempted findings need to be exempted again in the central ATC system, once migrated from local ATC check to remote ATC check? It will save much effort for the customer when there is the capability to migrate the existing exemptions; will this feature be in the roadmap of ATC?
Thanks and best regards,
Yuankai
Hi Yuankai,
as possible workaround you can use Baseline concept (see my blog linked above) and include the exempted ATC findings into Baseline.
Regards,
Olga.
Hi Olga
I'm getting a bit confused with how to replicate central runs from the Central ATC to a satellite system. I've taken a look at the info in the help portal but cannot seem to find the option. Have I misunderstood and the intent is that the developers login to the Central ATC to see the results rather than the results get replicated back to the satellite system?
Regards
Ian
Hi Ian,
you’ve understood it correctly: at central ATC quality checking the central ATC result gets replicated to the satellite systems to be viewed there by developers. See also in the SAP Help Replicating an ATC Central Result to Satellite Systems and also the blogs Getting started with the ABAP Test Cockpit for Developers (SAPGUI-based), the chapter “Where do I find central ATC results and the current active result?” or ATC for Developers in Eclipse (Eclipse-based), the chapter “Access ATC results from the central Q system”.
Hope this helps.
Best Regards,
Olga.
Hi Olga
Thanks for the reply.
To confirm.
If all of the above is true, the only thing I am missing is how to replicate the results as I don't have this option in the Manage Results section.
Also, assuming I can get the button, is this always a manual task? Can't I auto replicate?
Regards
Ian
Hi Ian,
setting up central ATC checking (master/satellite) is the admin task. See also Authorizations for ABAP Test Cockpit. Then you will be also able to see the "Replicate" button for manual replications. Yes, you can (as admin) configure the ATC to replicate central ATC result to satellite systems automatically during scheduling of ATC run series. See the blog Getting Started with ATC for QMs and Admins.
Regards,
Olga.
Hi Olga
Sorry, I am still baffled. Previously I had SAP_ALL in my central ATC system and have now added the ATC admin role explicitly. However, I still do not get the Replicate button, or the auto option when scheduling.
If I log into the satellite systems however, where I also have the same ATC admin role, I do get the replicate button and auto option when scheduling.
Are there any system settings that I need to change? The Central ATC system role is obviously set up for ATC Checks by Object Providers only and satellite systems are setup to have a master system of my Central ATC system.
I've checked the SATC_CI_CFG_SERIES_SCHEDULE program to see why the Post processing section on the selection screen was invisible and it is because the hide_local variable is set to 'X'.
Should it be?
Thanks
Ian
Hi Ian,
your master system is configured as central ATC system for remote code analysis ("ATC checks by Object Providers Only" checkbox). For the ATC remote code analysis use case, the findings from the central system can not be transmitted to connected development systems. Unfortunately, this functionality is not supported for technical reasons.
Regards,
Olga.
Hi Olga
Thanks for the reply.
So I understand that in my Central ATC I can remote scan systems and hold the results centrally BUT I cannot push the findings down to the satellite systems.
Are we expected to enable the developers to login to the Central ATC in order to view the findings and request for exemptions?
Regards
Ian
Hi Ian,
developers can check their code on their local system using remote analysis and the check variant of the central ATC system, view the findings and request exemptions on their local system. See Remote Code Analysis in ATC for Developers. The activities on the ATC central system are mainly for admins and QMs.
Regards,
Olga.
Hi Olga
Ok. Understood. The central check run is ok using the remote check variant and I can view the findings in SE80. However, when I try to create an exemption I get the message 'Screen output without connection to user'. I assumed this was due to it trying to login to my Central ATC system and debugging confirmed this.
I haven't added the destination but it is my Central ATC system.
Checking on my Central ATC system I am getting dumps with 'DYNPRO_SEND_IN_BACKGROUND'.
Can you advise?
Thanks
Ian
Hi Olga
I’m now testing the exemptions in ADT in an attempt to see if my issue above will be resolved in the Eclipse client. Unfortunately the dialog box for Run as>ABAP Test Cockpit With.. does not appear, the default check is just used and when I try to right click on an error to request an exemption, the option is not there. Exemptions are switched on in the system in question. This occurs whether I use the Central ATC RFC based variant or a variant local to the system I am working on.
Also, the ATC Problem view is not populated, the generic Problems view is.
[Update1] I think this is because the systems I am connecting to are 731 systems and 7.4 SP8 is required.
I'll configure a 7.51 system and check that one.
[Update2] Checked a 7.51 system and yes both the ABAP Test Cockpit With... appears, the ATC Problem view is populated and the context menu shows the Exemption option.
Ian
Hi Olga!
Thanks much for this series of blog posts about setting up a central ATC-system (which we are getting close(r) to actually do!).
I have a question regarding approver(s) of exemptions:
In your screenshot it looks as if the developer has to select a named user as the approver for an exemption. Is it also possible to define and then pick a group of approvers like e.g. a "QA team"? We have many developers working around the globe and they won't know who of the potential approvers is currently available to grant/reject exemptions, so routing it to a group would be a much better option for us.
Is there a means - or at least a workaround - to set this up?
Thanks & Cheers
Baerbel
Hi Baerbel,
yes, it's possible to Maintain the list of ATC approvers
Best Regards,
Olga.
Thanks for the quick response, Olga!
I was aware that more than one person can be defined as an approver but what I'm not clear about is if the developer always has to decide who of the potential approvers to ask for an exemption or if this could also be done "anonymously" so that the notification goes to an "approver group" instead of an individual. Reason being, that the developer will not really know who is available, so the notification may go unnoticed if s/he picks the wrong name.
Cheers
Baerbel
Hi Bärbel,
sorry, it is currently not possible to notify the "approver group", the developer needs to choose one approver. I've addressed this at ATC development.
Best Regards,
Olga.
Hello Olga,
Any update on notifying "Approver group". We also have same concern as mentioned by Baerbel, we want to notify to set of users for exemption approval. But in current setup, developer can select only one Approver and it is possible approver is unavailable on the day. Good to have option of selecting a group or multiple approvers.
Also, another query is about exemption approval. As per current role and authorization setup , anyone can approve any exemption if they have the required role for exemption browser. They can see all developer requests. We are setting up central ATC with all kind of systems connected to it, R/3, APO, BW, EWM etc. We would like to keep segregation in exemption approval, R/3 Finance development approver only approve FI objects, SD only SD, EWM only EWM. Is it possible to achieve such scenario setup.
Hi Girwar,
regarding notifying the "Approver group": it is not possible, but you can set up a user with generic email address (as also proposed by Bärbel).
For your second request it is actually so, that you should assign approvers according to the package or development area (e.g. for SD dev packages other approvers as for FI dev packages).
Regards,
Olga.
Hello Olga,
we also would need a solution for this topic reported by Bärbel. For we will have several development systems connected to central ATC I would prefer also to create several technical users with mail distribution lists as mail address to send out the mails to the responsible approvers only.
As you mentioned above you addressed this requirement already to ATC development. Is there a solution for this?
Thanks a lot and best regards,
Volker
Hi Volker,
you can use an email distribution list that is attached to a "group" user, see the solution proposed by Bärbel below.
Kind Regards,
Olga.
Hello Olga,
thanks for your fast reply. Sure I saw this comment and I set up several system users which point to a mail distribution list. But to enable them to receive mails these technical users would need to subscribe for mail notifications.
This is the point I'm struggling with, how to switch on the "Send Notifications for New Exemptions" under "Subscribe for Approver Notifications". I think without subscribing this does not work.
Thanks a lot and best regards,
Volker
We have figured out a way to do this within the current environment:
We already checked and when everybody a) has the required authorizations and b) is listed as an approver in the ATC "Maintain Approver" settings exemption requests can be updated by whoever is available - it doesn't have to be the ID listed as approver. Once the approval or rejection is done, the username switches to whoever actually did it.
Hope this helps!
Cheers
Baerbel
Hi Olga
I am also interested in the reply to Baerbel's question as we have the same situation. Currently I am modifying the job SATC_CI_EXEMPT_NOTIFY_APPROVER to have a step and variant for each approver so we all get notified.
I'm not sure this is the best approach though so would welcome comments.
Regards
Ian
Hi Ian,
sorry, not possible (see my reply to Baerbel).
Regards,
Olga.
Hello Olga,
is there a way to navigate to source code from Exemption Browser? I haven't found such possibility in NW 7.40 EhP 7. Maybe it's on the newer releases?
Cheers
Łukasz
Hi Łukasz,
no, it is not possible to navigate to the source code from Exemption Browser.
Regards,
Olga.
Hi Olga,
I have another question regarding the exemption process. Is there a means to prevent a developer from casting too wide a net when applying for an exemption? To me it looks a bit dangerous to have options available via which an exemption could be accidentally or even intentionally requested for more than a particular finding – or at most the same findings in e.g. an include.
Looking at the screen and provided F1-help it does seem possible:
Instead of limiting the scope, developers might be “tempted” to increase it as far as possible.
Is there a means to not have these wide-ranging options displayed, perhaps depending on authorisations (a developer doesn’t see them, but somebody with ATC-auth does)? Or is this something, the ATC approvers have to be mindful of when processing exemptions?
Thanks and Cheers
Baerbel
Hi Olga,
I can see that you are using Eclipse to ask for exemptions and you are asking for an exemption on a specific finding. In a 7.4 SP19 in SAP GUI with a 7.4 SP19 as central check system, it is only possible to ask for an exemption for subobject and check message as lowest level of detail.
If the central check system was moved to a NetWeaver 7.52, would it then be possible to apply for exemptions on findings? Exemptions should be applied for from the checked system, not the central system. And if possible not in the central runs but rather from a developer-initiated check in the checked system (MENU check -> ABAP test cockpit (ATC) with ....)
Thanks
Steffen
Hi Steffen,
yes, the prerequisite for this scenario is the remote ATC and the central ATC check system 7.52 (see above in the blog in "Prerequisites"). Therefore you need to setup ATC central check system 7.52 in order to be able to request the exemptions from checked development systems in Eclipse within developer initiated ATC runs in checked system (as you want to use it).
Best Regards,
Olga.
Hello everyone and thanks for this post. We have an issue with our exemptions. The exemptions we have entered and have been approved are not coming off the list when we run the new ATC check.
We have a system setup as the central system. From this system we are checking our code on two different systems. Our development system which is EHP 7 and our sandbox system which is upgraded to S4HANA.
We recently changed the name of the RFC used for our ATC check to the sandbox system.
We do have exemptions enabled.
We reran the ATC check for both our DEV system and the Sandbox system. But those objects/errors that have been exempted are still showing in our ATC check list.
Also wanted to add we are doing our exemptions directly on the central system.
Any ideas on what we can check or do to make this happen?
We would also like to get the ATC checklist to our Solman system to use there. Can this be done? I am more concerned with the previous question than this one and I know this one does not really deal with exemptions and may be a little detailed so if you cannot answer this question that is fine.
Hi
I have a general question on exemption reasons and whether many have created their own reasons via the table SATC_CI_REASONS. This will be useful for reporting purposes
I am considering creating one for Legacy Code where the baseline has not been applied but we still want to show the findings are from existing code rather than new code.
Has anyone created other reasons?
Regards
Ian
Hi Olga
When creating baselines for full systems scans, I am expecting that when I view the result list I see the exemption column populated with an icon to say there is an exemption against the finding. However, the column is blank and the only way I can tell an exemption is against the finding is by looking at the finding details and checking whether an exemption can be created.
Regards
Ian
Hi Ian,
indeed there must be an icon in the "Exemption State" column. Please open a ticket to SAP so that the colleagues can take a look at it in your system. For the future: for such erroneous issues please open a ticket. We cannot solve them in the blog. Thank you!
Best regards,
Olga.
Hi Olga
Noted 🙂
Regards
Ian
Ian Stubbings
Hi Ian!
Not sure if it's the same or just a similar issue, but you might want to check Axel Jeben's response providing an OSS-Note and my follow-up to that in one of my Q&A threads:
https://answers.sap.com/answers/12730026/view.html
Cheers
Bärbel
Hi Bärbel
Thanks for the note suggestions. I have tried them and unfortunately no change on the central system where I really need them but the icons do change on the remote system which is still useful.
I have also discovered that for at least one of my systems, the baseline is not being applied when requested so I have raised an OSS Message.
I'll report back when I get a solution.
Cheers
Ian
Hi Olga
We are facing a couple of issues with the email notification program - SATC_CI_EXEMPT_NOTIFY_APPLICNT. It appears that if an RFC destination cannot be reached (satellite system down) the program stops and if an applicant doesn't maintain their email address in the satellite system the program also stops. Both are common occurrences.
Is there another version in the backlog that can deal with these situations and continue to process emails for other systems and applicants if these error situations occur?
Regards
Ian
Hi Ian,
no, not yet. We will add this to our ATC development backlog. Thanks for the input.
Regards,
Olga.
Hi Olga
You are welcome!
Regards
Ian
Hi Olga
We had a situation the other day in that the Package, the Object Provider and the System Group was blank. Therefore, when approving, the exemption did not know which system to update and the approval did not actually work.
Has this been seen before by anyone?
Regards
Ian
Hi Ian,
no, it hasn't been seen before. Please open a ticket if you want to investigate it further.
Regards,
Olga.
Hi Olga,
I have integrated the ATC and Code Inspector into ChaRM, and while moving the transport to QA, we are getting the ATC and Code Inspector errors. Is there any way to ignore the errors and move the TR into the QA system instead of exemption from managed system and then moved the TR into QA system?
I have activated the master system as a Development system.
Regards,
Naren
Hi Naren,
first, you should use either ATC or Code Inspector, but not both tools. If you use ATC you can configure in the transaction ATC how it should behave at transport release (under "Configure ATC" or "Basic Settings", depending on the version of your system) and either exclude ATC checks at transport release or not block transport release if ATC findings are there.
Regards,
Olga.
Hello Olga:
We are trying to setup Remote ATC in our ECC system for our custom codes to ensure that they are developed in S/4 compliant way as part of S/4 conversion project to be started later this year.
Note, that the ATC check is initiated by developer in development box for the object by running "ATC with check variant" option.
In our Central Check System (based on ABAP 7.52 SP05):
System Role is "ATC Checks by Object Providers". System Group and Object Provider is setup completely and it is working fine.
Under Basic Settings, have selected the radio button to "Enable ATC exemptions in the system".
Here, I am unable to select any radio button for "For which kind of results?"
By default, it is selecting "For any results". Is there a reason, why this is disabled and why we are not able to restrict it to "For Central Results Only"?
In our Development System i.e. Checked System (based on ABAP 702, SP19)
Under "Configure ATC" of ATC Transaction, have specified the Global Check Variant as the variant which is internally referring to the reference check system i.e. the Central Check System
Over here, should we mention Master System and RFC Destination fields with values referring to "Central Check System"?
If I do not mention this, then the developer is not able to apply exemption and sees below error: "Invalid Setup: connection <> is not available"
If, I maintain the Master System as "Central Check System" and an RFC Destination....then it works correctly. Is this needed? A bit confused as you have not mentioned about ATC setup in "Checked System".
Also, could you please confirm my understanding on below 2 terms in context of ATC Exemptions:
"For Central Results Only": This means that exemptions are allowed only for ATC Checks which were initiated from "Central Check System" as part of "Schedule Runs". Is this correct?
"For Any Results": This means that exemptions are allowed for local checks made by developer and also for the Central Check Results. Correct?
Many Thanks in advance for your reply.
Br,
Vineesh
Hi Vineesh,
regarding exemptions:
Only for Central Results: choose this option if you are doing central ATC quality checking. That way, users in development systems can apply for exemptions only against the official, central ATC results. If you are doing central ATC checking, then there is usually no reason for users to apply for exemptions to local ATC findings.
Your setup is remote ATC and not ATC central quality checking. In this case For Any Result should be used.
For Any Result: users can apply for exemptions to findings in any type of ATC result. Users can apply for exemptions not only against central ATC results, but against local results that they produce themselves in their development systems.
Regarding setup of the check variant. You shouldn't need Master System and RFC Destination fields. Please verify that the prerequisites for local developer scenario (see https://blogs.sap.com/2017/02/27/remote-code-analysis-in-atc-for-developers/) are fulfilled, especially the setup of the remote check variant.
Kind Regards,
Olga.
Hello Olga:
Just made a check again. The check variant has been setup correctly.
The checks are also working fine. However, the only part not working is "Exemptions".
I have debugged and found that "For exemption policy", there exists a call to method CAN_EXEMPT_FINDING.
In this method, it determines exemption policy and checks the table SATC_AC_S_CONFIG for MASTER.SYSTEM.
Since, it does not find any....the code for delegate is not called, due to previous RETURN.
Did we miss anything?
NOTE: "Exemptions" work when I maintain my Remote Central Check system as "Master System" and maintain the "RFC Destination" for it also. It is only without this setting that the developer scenario exemptions do not work.
Thanks in advance!
Vineesh
Hi Vineesh,
I talked to our ATC development and found out the following regarding your question about exemptions. In remote ATC scenario the master system entry under "Configure ATC" on the development system (checked system) is not relevant. Developers should use "Run As -> ABAP Test Cockpit".
But if developers run ATC using local check variant (e.g. with "Run As->ABAP Test Cockpit with ..." and enter check variant) the master system becomes relevant again for local runs. This means that even if the developer scenario is configured by default, a master system must still be stored for the local runs (which are still possible).
Normally, a customer with a remote ATC scenario no longer needs exemptions for local runs. Then the recommendation is simply to enter the checked system itself as the master system. As a result, if someone actually applies for exemptions for local runs, they end up locally in the system and will not be considered.
Kind Regards,
Olga.
Hi Olga,
Perhaps off-topic here, not sure, but couldn't find it anywhere else: exemption process in case of approver resignation
We are using the ATC exemption process productively for some time now. Recently we discovered a lot of open exemption requests. These were due to the respective approver having resigned his function. Unfortunately, the open exemptions were not handed over to the new approver, nor has the substitute approver functionality been used.
Can you assist us on how to best assign all open exemptions to the new approver?
Kind regards,
Dino
Hi Dino,
the assignment of an approver is only of organizational nature, the main purpose is automatic notification. The exemption is not blocked for the registered approver, it can also be edited by any other approver in the Exemption Browser in the ATC transaction. The person who in the end approves/rejects exemption will be entered as approver. Theoretically, you can also adjust the approver, simply open the exemption in the Exemption Browser and change the name in the approver field. Normally, however, a developer is not authorized to use the Exemption Browser, the quality manager must do this.
Kind Regards,
Olga.
Hi Olga,
We have enhanced AFRU table by adding custom fields in CI_AFRU include. Due to usage of AFRU table ATC readiness check throws below P1 observation against note 2326769.
We are seeking the Exemption approval for this issue, which is not getting approved. Getting error message "Requested Operation is not allowed for this exemption".
What could be issue here?
Thank You
Saurabh
Hi Saurabh,
please open the OSS message to the component BC-DWB-TOO-ATF.
Kind Regards,
Olga.
Thanks for the informative blog. Question.. If I have say 3 different findings for one program, as a developer, do I need to request 3 exemptions for each of these findings OR can I select all 3 findings & just have one exemption for all the findings?
Hi Rajesh,
you need to request an exemption for each ATC finding separately.
Kind Regards,
Olga.
Hi Olga,
I am prototyping a scenario for "Maintain exemptions approvers according to their responsibilities" and used Checked system which is on 750 (SP20) and Central Check system on S4HANA 2021. however when I tried raising an exemption from Check system using developer scenario I am getting below error as soon as I choose approver from the drop down list. Can I check if this is something I should work with SAP by raising OSS message or if I am missing anything obvious. I have copied exact roles for RFC id's from our existing systems which are working fine. Appreciate your response.
Not authorized to access object_provider
An exception with the type CX_SCA_DS_NO_AUTHORITY was raised, but was not handled locally or declared in a RAISING clause.
Regards
Kasi
Hello Kasi,
please look for the object provider (for your 750 system) in your central check system (transaction ATC => Object Providers) and make sure that the user assigned to the RFC connection has one of the following authorizations:
Either:
S_DEVELOP: ACTVT = 03 (display)
or
S_Q_ADM: ACTVT = 16 (execute), ATC_OBJTYP = 01 (check run).
In case this does not resolve the issue please open a ticket on component BC-DWB-TOO-ATF and we will analyze it further.
Regards,
Nils
Thanks so much Nils. I already have S_DEVELOP for activity 03 but it worked after I added the role which has authority object S_Q_ADM: ACTVT = 16 (execute), ATC_OBJTYP = 01 (check run).
Appreciate your timely response.
Regards
Kasi