Application Development Discussions

ATC: Is it possible to approve exemption in the Development System

former_member183804
Active Contributor
0 Kudos

Created on behalf of Jigar Vani

Hello,

In our landscape, I want the development lead to perform one of the roles of Quality Manager, which is approving or rejecting exemptions. I also want this to happen in the Development system for all the developments being carried out.

Is it possible in ATC? - Yes, I have made the Master system same as Development system.

My questions are,

1) Is it bypassing the ATC fundamentals of two tier architecture?

2) Can these exemptions be available for review in any other system apart from the development system?

Thanks,

JV

1 ACCEPTED SOLUTION

former_member183804
Active Contributor
0 Kudos

Hello Jigar,

the ATC exemption browser is remote-enabled and usually operates on the repository content of the central system. So it shall be possible to approve, reject or review exemptions from any system, provided that authorizations and RFC connections have been provided accordingly.

In transaction ATC, option SETUP, one will find online documentation regarding the setup and recommendations on the authorizations.

Best Regards

  Klaus


16 REPLIES 16


0 Kudos

Hello Klaus,

Thanks for creating a separate thread. I think I was not able to explain the query correctly. Let me rephrase,

I have configured the Master system as the Satellite system during configuration. So the system id within the Master system (ATC Administration -> Setup -> Configure ATC) is the same as that of the Satellite system. With this configuration, I am able to achieve the exemption workflow in the Satellite system itself. Now my questions are,

1. What impact does the above configuration have on any other ATC functionality (process) apart from the Exemption workflow?

2. I want the list of exempted findings (approved by Managers) to be available in Master system. Is it possible? And How?

Thanks,

Jigar V

0 Kudos

Hello Jigar,

possibly there is some confusion regarding terminology. The master system is the system that hosts the exemptions as originals. Satellite systems are systems that also contain the exemptions, but as a copy. Regular batch jobs synchronize the exemption repository by transferring recently changed exemptions from the master system to the satellite systems.

=> Therefore a system cannot be master system and satellite system at the same point in time.

=> The master system hosts the originality of the exemptions and their most recent state.

=> Satellite systems get changed exemptions with some delay (frequency of the batch job).

In case the setup of the satellite system has defined a proper RFC connection to the master system, requesting and approving exemptions appear to happen in the local satellite system, but actually these activities operate on the repository of the master system.

=> Provided a consistent setup and proper permissions, the ATC exemption browser shall have the same reporting capabilities in both master and satellite system.

Hope this clarifies.

0 Kudos

Hi Klaus,

Thanks for the detailed explanation. Now I understand that for ATC to be used thoroughly we need to have 2 separate SAP systems viz. Development and Test/Quality/Consolidation system.

Now the problem that we have is as below,

1. In our organization, we want developers to apply exemptions for false positives on the developments that they are working on, e.g. incident fixes, code bugs, new projects etc. We want Development Leads to become the Quality Manager to reject or approve the exemptions. Both the Developers and Development Leads work in Development systems. They don't have access to Test and Pre-Production systems. So we want the approval process to be within the development systems itself. The workflow should not go outside of the Development systems for approval. Moreover, ABAP objects which are freshly developed as part of a New Project are not available in any other systems apart from Development.

How can we achieve it?

2. However, Development Managers who work in the Consolidation system need to have access to all the exempted findings against each and every ABAP object that a Developer has applied for and that have been approved by the Development Leads. This is a requirement from an Audit perspective, so that no Development Leads are approving the real ATC findings as exemptions and masking them.

Is it possible to have the exempted findings copied from Development systems to Consolidation system using RFC connection and how?

Thanks,

Jigar V

0 Kudos

Regarding the 1st Question "Workflow of Developers requesting Exemptions"

Exemptions can get requested from a finding by clicking on the corresponding link in the detail area of a finding. This is possible:

  • in the master system out of the box
  • in a satellite system in case of a proper RFC configuration.

In case developers do not have user accounts in the remote master system, you may consider the use of technical users for the RFC connections. You will find in the transaction, activity 'Setup', more information on how to achieve this.

The user interface / the workflow can take place in both system types, master and/or satellite. The difference is that in the master system scenario the input is stored locally, and in the satellite system scenario the data is stored remotely.

This difference should not drive the decision whether the dev box gets master or satellite system.

I suggest to consider the following criteria:

- same transport landscape (identical ATC software, same checked objects)

- whether the system gets refreshed from time to time (necessity of backup/restore)

- likelihood of manipulation on the exemption repository (e.g. custom code to establish a 2 eye principle)

Best Regards

  Klaus

0 Kudos

We have tried the option of having the Master system same as Satellite via ATC->Setup->Configure ATC. We have also tried to apply for Exemption for a new ABAP object being developed. We have also been able to successfully approve or reject it. All this happens locally in Development systems.

We don't know whether the exemptions that have been approved in the Development systems will be available for review / audit in Consolidation system. Is it possible to upload these exemptions in the Consolidation system via RFC destination? Is there any scope of Customization?

Now for your recommendations,

1. We have same ATC configuration in all development systems. I have same Code Inspector variant to check ABAP objects via ATC in all the development systems.

2. We have all the Development systems in sync with production based on the builds and merges that are scheduled.

3. We did not understand this point. What is a 2 eye principle? How different is it from a 4 eye principle? Are there any standard user exits, enhancement spots, BADi etc. for customization?

Thanks,

Jigar V

0 Kudos

Regarding the 2nd Question "Review by Development Managers"

Review of the raw findings and exemptions is possible in any system. Please note that the role master system / satellite system can get applied to development/consolidation/test systems. Regarding originality of exemptions, the role master / satellite system is the major driver.

In any case your Development Managers can review findings and exemptions in your consolidation box regardless of whether it has the role master system or satellite system.

Things get a little bit more complicated in case the review also covers investigation into details of the code. A finding contains only a weak reference into the code. Therefore investigation of the code is only fully defined for the same version of code that has been analysed. Consequently code review is fully defined in the system shortly after a result has been computed. In case of aged results or results of other systems, a recheck would yield findings as of now.

In case a check run has been carried out in a dev box, this dev box is the natural candidate for code review. In case the check run has been carried out in a q box, this q box would be the natural candidate. In any other system or after some delay a recheck is advisable in most situations.

Best Regards

   Klaus


0 Kudos

That depends.

  • Results and thus findings get transferred by explicit operations via RFC.
  • Exemption requests are stored in the master system (regardless of whether the UI in satellite/master has been used)
  • Request approval/rejection is stored in the master system (regardless of whether the UI in satellite/master has been used)
  • Changed exemptions get transferred by regular jobs using RFC from master to satellites

Code reviews / exemption approval typically require access to the code, ideally the same version. The code review works best in the system where the check run has been carried out. Approval or rejection of a request is possible from this system regardless of its role of master or satellite.

2 eye principle is just one person. Consider a report with an update on the repository of exemptions. No, this is not intended to be a BadI, but to be a worst practice.

Best Regards

  Klaus

0 Kudos

Hello Klaus,

Apologies for a late reply. I was trying out various things in the Sandbox. We have followed your suggestions and tried to come up with a workable solution.

1. Developers -> write code, execute ATC, fix Priority 1 and Priority 2, apply exemptions, re-run ATC, release transport

2. Development Leads (ATC QM role) -> Review/Approve the exemptions

Both Developers and Development leads work in Development system.

In Consolidation system,

3. Quality Manager (ATC QM role) -> Schedule Mass Quality checks, Replicate the results, Schedule the mail notification jobs

Now, I don't think we are having a 2 eye principle, right? And no customization is required for the exemption browser, correct?

Do you find any inconsistencies/loopholes/bottlenecks with the above setup?

Thanks,

Jigar V

0 Kudos

Hello Klaus,

Any thoughts on reverse replication of exemptions (provided for fresh ABAP developments) from the Development systems to the Consolidation system?

I have one workaround where I make the Master (Consolidation) system one of the Satellite systems temporarily and push the data from all the other Satellite (Development) systems using the Schedule Exemption Replication. Is it good enough?

Thanks,

Jigar V

0 Kudos

Hello Jigar,

if really required, such a strategy might work for a short time. But it is lacking for two reasons.

As the development systems are now the master, they won't accept exemptions from the outside. In case identical software is analysed in the development systems, for each development system you need to request exemptions again and again. Alternatively you alter their state, which bears the risk of mistakes over time.

Exemption replication does not cover exemption history but just the exemption state.

Therefore I advocate to have one and only one master system within a landscape of common development objects.

Best Regards

  Klaus

0 Kudos

Hello Jigar,

that role distribution works fine. Whereas the key question of the 4 eye principle seems not to be explicitly named.

  • If the consolidation system is the master system, then no one will be able to bypass the 4 eye principle with a piece of temporary custom code.

  • If a development system is the master system, temporary custom code can be used to alter exemption content. On the other hand, if you can't trust a person with development authority, you are in trouble anyway.

The perfect situation in general is if ATC is regarded by q experts and developers as a valuable tool to avoid issues in production. With a strong emphasis towards governance over development, the ATC tool and process will tend to become merely a KPI. And if one asks for zero findings, he might get zero findings, which is not identical to zero flaws.

Best Regards

  Klaus


0 Kudos

Hello Klaus,

I completely agree with your views about the shortcomings with the approach of scheduled exemption replication. But if we think of having only one consolidation system then how can we achieve the below,

1. Development leads who approve/reject the exemption don't have access to Consolidation system. Moreover, a Development lead can also be a developer in case of critical code fixes. I am aware of the concept of technical user in ATC configuration but am not thorough about it. Is it applicable in our scenario?

2. There are multiple long term projects going on in the Development system which are not yet transported to Consolidation system. So how can the development lead approve/reject the exemption without having access to the development object?

Thanks,

Jigar V

0 Kudos

Hello Klaus,

We had thought about this risk while designing. And yes, I must admit, it is purely at the discretion of the developer that he can choose to bypass the ATC checks.

I am quite keen to have one ATC master, but there are a couple of scenarios (which I have asked you about in another reply) because of which I am a little less confident about separate Master and Satellite systems.

Thanks,

Jigar V

0 Kudos

Hello Jigar,

using technical users within the request/approve RFC connection to the master implies no need for a personal user in the master system.

In such a scenario the RFC definition (SM59) in the satellite systems stores the name and password of the technical user. Thus in the master system only the technical users exist. By further means, the use of these RFC connections by natural users can be restricted in the satellite systems by another authorisation. For details please refer to the ATC/Setup online documentation.

Hope this clarifies

  Klaus


0 Kudos

Hello Klaus,

Thank you for the solution. It made me work with my BASIS team member to get this through. But the outcome was positive.

Fortunately, I was able to answer the 2nd question as part of testing the solution. This became an added bonus.

Now there are 2 issues which I found with my testing the Exemption process,

1. The Approval->Assessment text box for a QM is not mandatory for approving or rejecting the exemption. Is there any way, I can make it mandatory as part of some configuration?

2. By adding pseudo comments and pragmas, I can get the ATC to not report the findings. I want ATC to check the code and report findings even for code which has pseudo comments. Is it possible through customization?

Thanks,

Jigar V
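The thread's governance points (the 4 eye principle Klaus describes, the requirement that a manager can audit who approved what, the mandatory assessment text Jigar asks for, and the remark that exemption replication carries only the state and not the history) can be made concrete with a small model. The following is an added example written for this page; it is not SAP's ATC implementation and all class, function and field names (ExemptionRepository, decide, replicate_state, finding ids such as "F1") are invented for illustration.

```python
"""Hypothetical model of an exemption repository with the controls
discussed in the thread. Illustrative code only, not ATC's own code;
all names and sample values are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Exemption:
    finding_id: str             # constructed id of an ATC finding
    requester: str              # developer who asked for the exemption
    reason: str
    state: str = "REQUESTED"    # REQUESTED -> APPROVED | REJECTED
    approver: Optional[str] = None
    assessment: str = ""        # QM's assessment text


class FourEyeViolation(Exception):
    """Requester tried to decide on their own request."""


class MissingAssessment(Exception):
    """Decision submitted without an assessment text."""


class ExemptionRepository:
    """Holds exemption state plus an append-only history per finding."""

    def __init__(self) -> None:
        self._items: Dict[str, Exemption] = {}
        # (finding_id, action, user, text) in chronological order
        self._history: List[Tuple[str, str, str, str]] = []

    def request(self, finding_id: str, requester: str, reason: str) -> Exemption:
        ex = Exemption(finding_id, requester, reason)
        self._items[finding_id] = ex
        self._history.append((finding_id, "REQUESTED", requester, reason))
        return ex

    def decide(self, finding_id: str, approver: str, approve: bool,
               assessment: str) -> Exemption:
        ex = self._items[finding_id]
        # 4 eye principle: the requester must not approve their own request
        if approver == ex.requester:
            raise FourEyeViolation(f"{approver} requested {finding_id} themselves")
        # mandatory assessment text, whether approving or rejecting
        if not assessment.strip():
            raise MissingAssessment(f"no assessment given for {finding_id}")
        ex.state = "APPROVED" if approve else "REJECTED"
        ex.approver = approver
        ex.assessment = assessment
        self._history.append((finding_id, ex.state, approver, assessment))
        return ex

    def current(self, finding_id: str) -> Exemption:
        return self._items[finding_id]

    def history(self, finding_id: str) -> List[Tuple[str, str, str, str]]:
        return [h for h in self._history if h[0] == finding_id]

    def snapshot(self) -> Dict[str, Exemption]:
        """Current state only: what a state-based replication carries."""
        return {k: Exemption(**vars(v)) for k, v in self._items.items()}

    def apply_snapshot(self, items: Dict[str, Exemption]) -> None:
        # Satellite side: overwrite state, receive no history entries
        self._items.update(items)


def replicate_state(master: ExemptionRepository,
                    satellite: ExemptionRepository) -> int:
    """Copy current exemption state master -> satellite; returns count."""
    snap = master.snapshot()
    satellite.apply_snapshot(snap)
    return len(snap)


def audit_self_approvals(repo: ExemptionRepository) -> List[str]:
    """Auditor's view: findings whose approver equals the requester.
    Empty under decide(); non-empty if state was altered by other means."""
    return [fid for fid, ex in repo.snapshot().items()
            if ex.approver is not None and ex.approver == ex.requester]
```

The repository refuses a decision when the approver is the requester and when the assessment text is blank; the auditor function reports entries that bypassed that path, which is the case Klaus warns about when a report writes directly to the repository. replicate_state shows why Klaus notes that replication is not a substitute for a single master: the satellite receives the APPROVED state but an empty history.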