Tag Archives: rant

On ABAP in the Cloud


Michael Koch kicked it all off with a tweet,

to which of course I had to reply:

then I was prodded:

and prodded:

and then James beat me to the blog:

and if you haven’t read James’ post, please do, it is excellent.

So whilst I’m waiting to hear how much it’s going to cost me to fix my car of which the engine has decided to stop working whilst on the way to work today, I thought that rather than drinking a bottle of Pinot Gris and attempting to forget about the shitty waste of a day I’ve had, I’d do something useful, productive (this post), and drink beetroot, apple, ginger and celery juice instead.

So here are thoughts upon which I will rant.

  • ABAP is a proprietary language which makes its code costly to support.
  • Building for cloud is far more than just supporting cloud systems.
  • If you love ABAP to the exclusion of everything else that’s your bed, you lay in it. I like beetroot juice, I am so going to have pink pee later.
  • Java is the boring enterprise language of choice.
  • A PaaS really should be language agnostic, if not it’s a pretty crappy PaaS.
  • Why on earth have we ended up here? Who is paying for this?
  • Evolve or die.

These are all going to get intermixed in this rant, but I will still try to address them one by one.

Firstly, on the joys of ABAPers. I have discussed and even written about this, and it may just be the particular markets where I play, but it’s damn hard to find a good and excited ABAPer. People don’t learn the language unless they want to work on SAP products. Imagine how quickly that strips out the fun people. But where people have got good ABAP skills, they tend to have far more than that, also great business process understanding (Robbo has recently written about this: https://blogs.sap.com/2017/10/02/abap-in-sap-cloud-platform-why/). Have a read, especially if you fall into the ABAP diehards camp, it will make you feel much happier than this blog post will.

But because the good ABAP folk have such great depth of business process understanding, they command a reasonable rate – and why not? Having a BA and a coder in one is a bit of a win, is it not? So they are expensive. One hopes because they deliver better, but I find this is not true. They just cost more. But you have to have them to support the huge monolith that is your SAP ERP system. So embedded in companies around the world are these folk who can code ABAP, understand their systems and are, if not well paid, expensive to have hanging around.

And you won’t find someone off the street who has just learnt ABAP who is useful, because the skill in ABAP isn’t in the language, it’s in understanding the existing library of standard code and frameworks that you can use to get things done.

FFS the language still doesn’t have the concept of a Boolean!

The requirement for ABAP support is one of the reasons that SAP costs a decent amount to run. In the future as we move to S/4HANA public cloud (and we will, slowly but inevitably) cost saving will be essential. ABAP costs, so get rid of it in the equation. Out-source your custom development, or even better, purchase it as SaaS from someone else. Are you a custom software development house? No – then why do you try to build your own software? Concentrate on dishwasher powder, chocolate bars, beer or whatever it is you have as your core.

If we start building cloud extensions in ABAP we are locking down the list of people who could support them. This will cost us extra. Having worked with SaaS for the last few years, I can clearly state, cost of delivery is far more important now than it ever was on-prem. The expectations of customers are different. They will not pay the same amount to build an extension as they paid for the SaaS solution it enhances. ABAP ain’t cheap, and neither are ABAPers.

I don’t think ABAP and its whole lifecycle management is really well designed to build cloud apps. James mentioned some great points in his blog around dependency management, and how ABAP doesn’t support non-linear and project based development (hopefully ABAPGit will help here, the official voice of support from SAP is very encouraging). But having spent the last 5 years building cloud apps that integrate to SAP systems, I have been so impressed by the huge amount of standard tooling and functionality that is available for projects outside of SAP. Like have you used Maven? It’s fricking awesome! Managing the huge number of libraries that I use in most of my builds without this tooling would be unthinkable. Since James was probably more detailed and eloquent on this point I will stop there. But really, even if SAP support ABAPGit there is a hell of a long way to go to even think of being put into an imaginary cloud development language magic quadrant chart, let alone featuring anywhere but bottom left.

#ABAPisntDead. No of course it isn’t, there will be legacy on prem apps that will run and people will make businesses out of it, like those Rimini Street folk. But if you can’t see anything out there other than ABAP, my goodness you are short sighted. Any good programmer out there should be able to code in js (server side or browser), and should have a grasp of at least 2 other languages. If you can only deal with one, you’re not a programmer, you’re a liability for the people you work with. Having multiple skills is important, and it’s also important to know when to use them. Enlighten yourselves people, there is a whole world full of cool shite out there, go and have a look. If my post infuriates you because you believe that ABAP is the best thing ever, awesome, both for you and for me, because you have passion, go and use it, and me because it means I actually got some people who don’t agree with me to read this.

Java is boring, and safe, and commodity. And that is exactly what businesses love. You want something that is reliable, has been proven, does the job. Moreover, you want bucket loads of libraries that other people have built and tested that can do the things you want to do. Whilst I built an implementation of TFA that was compatible with Google’s TFA Authenticator app in ABAP, it was a pain in the arse, and hasn’t been updated since I wrote it and then worried about releasing it as open source because you weren’t allowed to do that with ABAP. There’s a standard lib for Java. Standard boring languages are the bedrock of good enterprise builds. I do like to play with server side js (aka Node), but I’m still a sucker for strongly typed languages.

But if you don’t like Java, then awesome, choose something else. Indeed it should not matter what you choose, because any PaaS you build on should be language agnostic when it comes to providing services to you to consume. If you’re not consuming any services from your PaaS then you missed the memo about cloud development, please go back to your application server. A PaaS offers micro-services that should be able to be consumed by any application running on that platform. This inherently makes those services consumable in a fashion that is hard to use for ABAP and pretty standard for every other language. I’m sure that SAP could wrap their services into a consumable layer that would be easier to use in the Cloud based ABAP. But this then means we start losing one of the best bits of the PaaS, that it shouldn’t favour any runtime. We’ll see how this story plays out…

Which kinda segues into my next worry/rant/observation. How did we get here that a language that really isn’t suited to cloud extension ends up as an officially supported run time in SAP’s CF PaaS? This goes back to my original tweet.

I believe that it is clearly SAP’s strategy to move to the largest part of their revenue coming from public cloud based SaaS solutions (including ERP). Btw, I think this is a sound strategic vision, because if they don’t pivot to get there, someone else will take that space. The on-prem model will not make as much money in the future, today’s small companies are tomorrow’s giants, and with SaaS solutions they don’t need to migrate/upscale, they will keep the solution they buy today. SAP needs to be in that space, and they need credibility that comes from large customers being there too.

To this end I envisage SAP have been discussing moving some very influential customers to the public cloud. Those customers, I would guess, have responded that they don’t want to lose their current people or custom build investments.

The obvious solution from SAP is to put together an ABAP cloud runtime. It cannot be cheap to do this though. The effort to make ABAP into a secure and lightweight containerizable solution will not be something that a team will do in a week or two. There must be some sound and solid business reasons to do this. For all the reasons I have previously mentioned I believe that if companies want to extend SAP SaaS solutions, they should think about using other languages, not ABAP. But I fear this is not about making a better solution, it is about making a marketable one. If customers believe that they can extend the value of their existing investments and also benefit from moving to SaaS based solution, that is a great sales pitch. It’s having your cake and eating it.

This vision (even if it doesn’t work out to be the reality) of a simple gateway to moving to SaaS ERP is what I believe we are now being sold. This isn’t a story for developers, this is a story for the high level execs that sign the S/4HANA subscriptions.

I hope that a cloud based ABAP will be the gateway that enables some organisations to get off the on-premise mode and head to the cloud. What I fully expect is that once they are there, they will realise that there are better and more supportable ways to extend. That would be great. In the meantime I fear that we start bringing non-cloudy ways of working into the cloud landscape, this will likely cause failed/cost overrun projects. We run the risk of preferring Cloud ABAP as a way to interact with S/4HANA cloud, that would be disastrous.

It has been suggested that Cloud ABAP will potentially be the solution that encourages adoption of the SAP Cloud Platform. I just hope it isn’t the solution that kills it. I would much rather the money being spent on putting ABAP into the cloud is used to handle some of the other issues I see with SAP CP, but clearly there is a view that it will be a return on investment.

Then again, if you’re not trying new stuff and making mistakes, you’re not learning. If you’re not learning, you’re falling behind. So here’s to making mistakes and learning! To steal the excellent closing lines from James’ post:

So buckle up because there’s no turning back at this point. It’s either evolve or die.

I look forward to a lively debate on this topic.

(James Wood – https://blogs.sap.com/2017/10/04/abap-in-the-cloud-is-this-a-good-thing/)

James, I couldn’t say it better mate. Although I would refer to the platform as SAP CP 😉

I think SAP Cloud Platform is and will be a key part of the story of SAP’s and customers’ evolution to the cloud. If it takes putting a “runs ABAP” badge on it, to get people to see how useful it is, I’ll deal with it. But for sure, it would not be my recommendation to any organisation that it would be best practice. I’ll keep an open mind, perhaps it will be one day, if so I’ll adapt and evolve – because that’s what you should do.

As always, my own thoughts, not my company’s, please feel free to jump onto SCN and reply to James’ post. I’ll probably read those comments as well as whatever gets posted on twitter.


Further update on SAP Gateway CSRF token farce

So an update on my recent rant about CSRF protection that isn’t needed on SAP Gateway.

The folks in the very attentive HCI team have just added functionality into their solution, so if you configure an OData call to an onPrem system via SAP HANA Cloud Connector, it will automatically do the GET with a fetch for the CSRF token for you whenever you configure a data update operation.

That’s kinda cool, but all it does is sweep the offending rubbish under the rug.

https://www.flickr.com/photos/bruce_krasting/7695348682 - Sweep under the rug, credit Bruce Krasting


So now we have logic built into an integration platform that is needlessly slowing our integration flow because of a superfluous system requirement. An extra round trip for no reason.

In this case it is truly superfluous, because the original PUT that I was using had the user credentials as part of the header. That alone should make the CSRF token not required.

What this does show, is how SAP Cloud solutions like SAP HCI are able to update and fix stuff far faster than their onPrem partners. Even if it is a work-around to a problem that shouldn’t exist.

Security in depth – or a bug waiting to happen? – CSRF protection on SAP Gateway


What’s that? – It’s the dragon that guards the locked door, we feed people who ask silly security questions to it.


So I’ve got my knickers in a twist again. Recently I was playing around with sending some OData to my SAP server when it refused me. Now, I didn’t like that, but at least it was kind enough to tell me why. Apparently I hadn’t fed it a CSRF token. OK, so I looked in the headers of the GET that did work, and lo and behold there was a CSRF token there. I fed that into the POST I was doing, and bingo it worked.

Now it seems to me that many many people have hit the same thing and found the same solution. Indeed, I asked around some people I knew and they told me: “Get over it Chris, it’s in the header of your GET, it lasts all session, just use it!” But me being me, no, I wouldn’t accept that!

Slight aside – they also mentioned “Damnit, I remember when that patch came in, it buggered up my custom Gateway app and I had no warning that it was coming, took me ages to figure out why it wasn’t working.”


So I thought – OK? Why? Why do we have CSRF protection in the first place, what on earth is it?

CSRF protection – Cross Site Request Forgery protection – is, according to the websites I read, supposed to protect against the case where, unknown to the user, a cookie in the browser used for authentication allows a malicious site to alter data on your system (and in the case of Gateway, your SAP system).

So to send a PUT or POST or DELETE (the verbs that can change data) from a browser without the user knowing is going to involve 1 of 2 things.

a) An injection of HTML on the page adds either a form that is going to POST some data (the typical type of attack CSRF protects against) or a link, e.g. an img tag, which GETs data.

b) An injection of some script, e.g. JS on page that is going to do the PUT/POST/DELETE

In the case of (a – POST) the payload will be malformed and Gateway isn’t going to accept that as valid OData – so no security worries anyway. And for (a – GET) CSRF protection isn’t even applied.

In the case of (b), well, if I can embed JS, I can just as easily embed a GET, pull the header and then do an update with the CSRF token. Indeed the sites that advocate for the CSRF token approach make it clear that it cannot protect you in the case you have malicious JavaScript.

In the case that the script is running on a page from a different domain, then CORS will kick in and stop the access – but if somehow the injection is on my own domain, I don’t see how we’re protected.

So I was at a loss. What protection does CSRF actually offer Gateway?

I further researched:

There’s a great explanation, which does better than I have at:

Play Framework

It is recommended that you familiarise yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting with this information from OWASP.

Simply put, an attacker can coerce a victims browser to make the following types of requests:

  • All GET requests
  • POST requests with bodies of type application/x-www-form-urlencoded, multipart/form-data and text/plain

An attacker can not:

  • Coerce the browser to use other request methods such as PUT and DELETE
  • Coerce the browser to post other content types, such as application/json
  • Coerce the browser to send new cookies, other than those that the server has already set
  • Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests

Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice. So the only requests that need CSRF protection are POST requests with the above mentioned content types.

Since Gateway does not support POST requests with bodies of type application/x-www-form-urlencoded, multipart/form-data and text/plain (or if it does there’s your problem right there!) there is no need for CSRF protection.
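The quoted lists reduce to a check on method and Content-Type, and the argument above only holds if the server really refuses form-type bodies on updates. An added example of that check (not code from the Play Framework, SAP Gateway or the original post); the function names, the sample requests and the treatment of a missing Content-Type as form-like are assumptions made here.

```javascript
// Added example: the quoted lists as a server-side check.
// All names and sample requests are constructed for this illustration.

// Body types the quote says a browser can be coerced into POSTing.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Verbs the post names as able to change data.
const CHANGING = new Set(['POST', 'PUT', 'DELETE']);

// Reduce a Content-Type header to its bare media type:
// "Text/Plain; charset=UTF-8" -> "text/plain". Absent header -> "".
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True when, per the quoted lists, a browser can be coerced into sending it.
function coercible(method, contentType) {
  const m = String(method).toUpperCase();
  if (m === 'GET') return true;
  if (m !== 'POST') return false; // PUT, DELETE: not coercible per the quote
  const type = mediaType(contentType);
  // Assumption beyond the quote: a POST without any Content-Type is treated
  // like a form type, so the check fails closed.
  return type === '' || FORM_TYPES.has(type);
}

// Policy under which "no token needed" holds:
//   serve   - read request; the handler must never change data
//   reject  - update arriving as a form-type body; answer 415, do not parse it
//   process - update a plain HTML page cannot produce, per the quote
// Header names are assumed to be lower-cased already, as Node's http does.
function decide(req) {
  const method = req.method.toUpperCase();
  if (!CHANGING.has(method)) return 'serve';
  // Decide on the header alone, never on whether the body happens to parse.
  if (coercible(method, req.headers['content-type'])) return 'reject';
  return 'process';
}

// Constructed sample requests.
const SAMPLES = [
  { method: 'GET', headers: {} },
  { method: 'POST', headers: { 'content-type': 'application/json; charset=utf-8' } },
  { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' } },
  { method: 'POST', headers: { 'content-type': 'Text/Plain; charset=UTF-8' } },
  { method: 'POST', headers: { 'content-type': 'multipart/form-data; boundary=x' } },
  { method: 'POST', headers: {} },
  { method: 'PUT', headers: { 'content-type': 'application/json' } },
  { method: 'DELETE', headers: {} },
];

function classifySamples() {
  return SAMPLES.map(decide);
}

console.log(classifySamples());
```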

I then had a fun conversation on Twitter with Ethan

The great thing about chatting with Ethan is you always come out having learnt something.

He makes a good point, and I’ll paraphrase him:

“The best security is deep and many layered and protects not only against the things that you know may happen, but also against those that you’re pretty sure won’t.”

I was wrong – “to send a PUT or POST or DELETE (the verbs that can change data) from a browser without user knowing is going to involve 1 of 2 3 things.” With the third being:

An exploitation of a hitherto unknown browser bug that allows it.

So now I’m confused. Is it worthwhile implementing the hassle that is CSRF protection, including the potential slowdown in speed of response from the solution (a paramount concern in a mobile app) for a situation that might happen?

When I’m writing ABAP code, I’m happy to trade away performance of the code for ease of maintenance. I don’t use pointers (field symbols) to loop over data that I do not intend to change, because some fool could come along later and accidentally do just that. If I instead use a work area, there isn’t that risk.

So in some respects I already do work that makes the solution slower to ensure lower risk, so shouldn’t I just do the CSRF thingy?

However, it is the reason for the risk – I don’t trust that the people maintaining the code after I leave will understand what I have done in my implementation of CSRF protection and won’t make a mistake. Even if I’m using UI5 in my application to update my SAP system, will they remember to call the refreshSecurityToken method every time before a PUT, POST or DELETE? Will they test it? Will they let the session expire in the testing so that they actually need to call the refreshSecurityToken method? I really hope so, but I doubt it. I see applications going into error and data not being updated when it should have been, because of “needless” CSRF protection.
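The fetch, reuse and refetch cycle discussed above, including the session-expiry case that is hard to test, as an added example (not code from this post, UI5 or SAP). It assumes the Gateway convention of asking for a token with an X-CSRF-Token: Fetch request header and of a 403 response carrying X-CSRF-Token: Required when the token is missing or stale; the in-memory gateway, the service path and all class and function names are constructed so that it runs offline.

```javascript
// Added example. The gateway below is an in-memory stand-in constructed for
// this demo; the service path and entity are made up.
const TOKEN_HEADER = 'x-csrf-token';
const MODIFYING = new Set(['POST', 'PUT', 'DELETE']); // the verbs named in the post

// A 403 carrying "x-csrf-token: Required" means the token was missing or stale.
function isTokenRejection(res) {
  const hint = res.headers[TOKEN_HEADER];
  return res.status === 403 && typeof hint === 'string' && hint.toLowerCase() === 'required';
}

class CsrfAwareClient {
  // send: async (request) => response.
  // retryOnReject=false models the "it lasts all session, just use it" client.
  constructor(send, serviceRoot, { retryOnReject = true } = {}) {
    this.send = send;
    this.serviceRoot = serviceRoot;
    this.retryOnReject = retryOnReject;
    this.token = null;
    this.roundTrips = 0;
  }

  async call(request) {
    this.roundTrips += 1;
    return this.send(request);
  }

  // The extra GET: ask for a token and remember it for later updates.
  async fetchToken() {
    const res = await this.call({
      method: 'GET', url: this.serviceRoot, headers: { [TOKEN_HEADER]: 'Fetch' },
    });
    const token = res.headers[TOKEN_HEADER];
    if (res.status !== 200 || !token) throw new Error('no CSRF token returned');
    this.token = token;
  }

  async request(method, url, body) {
    if (!MODIFYING.has(method)) return this.call({ method, url, headers: {} });
    if (!this.token) await this.fetchToken();
    const attempt = () => this.call({
      method, url, body,
      headers: { [TOKEN_HEADER]: this.token, 'content-type': 'application/json' },
    });
    let res = await attempt();
    // Retry once only. The rejected attempt changed nothing on the server,
    // so replaying it cannot apply the update twice.
    if (this.retryOnReject && isTokenRejection(res)) {
      await this.fetchToken();
      res = await attempt();
    }
    return res;
  }
}

// Constructed stand-in for the server side: one session, one valid token.
function makeFakeGateway() {
  let sessionToken = null;
  let issued = 0;
  const store = {};
  return {
    store,
    expireSession() { sessionToken = null; },
    async send(req) {
      const sent = req.headers[TOKEN_HEADER];
      if (req.method === 'GET') {
        if (sent !== 'Fetch') return { status: 200, headers: {}, body: store[req.url] };
        issued += 1;
        sessionToken = `token-${issued}`;
        return { status: 200, headers: { [TOKEN_HEADER]: sessionToken } };
      }
      if (sessionToken === null || sent !== sessionToken) {
        return { status: 403, headers: { [TOKEN_HEADER]: 'Required' } };
      }
      store[req.url] = req.body;
      return { status: 204, headers: {} };
    },
  };
}

// Three updates with the retrying client (first, token reuse, after expiry),
// then the same expiry hitting a client that never refetches.
async function runScenario() {
  const gw = makeFakeGateway();
  const root = '/sap/opu/odata/sap/ZDEMO_SRV/'; // hypothetical service
  const url = `${root}Orders('1')`;
  const client = new CsrfAwareClient(gw.send, root);
  const statuses = [];
  const trips = [];
  for (const step of ['first', 'reuse', 'expired']) {
    if (step === 'expired') gw.expireSession();
    const before = client.roundTrips;
    const res = await client.request('PUT', url, { note: step });
    statuses.push(res.status);
    trips.push(client.roundTrips - before);
  }
  const naive = new CsrfAwareClient(gw.send, root, { retryOnReject: false });
  await naive.request('PUT', url, { note: 'naive-1' });
  gw.expireSession();
  const lost = await naive.request('PUT', url, { note: 'naive-2' });
  return { statuses, trips, naiveStatus: lost.status, stored: gw.store[url].note };
}

runScenario().then((result) => console.log(result));
```

The trips array makes the cost visible: two round trips for the first update, one while the token is valid, three when the session has expired. The naive client's second update comes back 403 and the stored value stays at its first write.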

weighing Dodgy Code vs Browser Bug risks


So what I see is this: Security in enterprise is paramount, Gateway is enterprise software, it needs to be secure. So SAP made it so, even if it hasn’t really made a big difference or fixed any known security holes. But, “just in case”. However, custom code (and even standard code 😉 ) will have bugs, ones that rely on sessions timing out are particularly hard to test and will get through. The risk to your Gateway based mobile app is greater by having CSRF protection enabled than it is to your data being maliciously hacked through zero-day exploits. But I guess it depends on what that data is 🙂 .


OK, one final bit…


Given that I might not actually be using my Gateway for a UI app but for machine to machine transactions, would it PLEASE be possible that if I provide a valid authentication header in the PUT/POST/DELETE that we ignore the CSRF thingy? If I can somehow come up with a valid auth header, then we aren’t protecting anything with a CSRF token, we’re just making transactions slower by requiring multiple round trips that shouldn’t be needed.


I feel better now. 🙂


Read how this discussion unfolds over at SCN…


P.S. my last post from SCN comment thread as I think it’s an important summary:

The thing is, by not implementing CSRF protection, we aren’t making our services insecure. There are no known ways to use CSRF against Gateway currently.

There is the case of protection against unknown attacks, but is that worth the cost, risk, effort?

Not using CSRF protection does not mean you are making your service insecure. It is just trading “just in case” against real life complexity, risk and cost.

Depending on the data concerned, that “just in case” might be worth it. It won’t always be.

Architects have a responsibility to their companies to balance these risks and decide. We have the responsibility to inform them clearly and not just pretend that security is the only and overwhelming factor to consider.

Sometimes we put security on a pedestal and everything has to be done to address it. But we should remember that everything should have a risk/reward curve and sometimes NOT coding for a security risk is actually less risk than coding for it.



Intangibles, appreciating your employees motivates, performance ratings processes don’t

Sorry, here I go again. I just read Steve Hunt’s post: http://www.tlnt.com/2014/08/04/performance-management-we-wont-fix-the-problem-by-ignoring-it/

And of course I’m all worked up. Why? Two reasons.

Firstly, I strongly disagree on the premise that performance management actually achieves improvements for the employees that are being “managed”. This is using Steve Hunt’s own definition of performance management:

Standardized and defined processes used to communicate job expectations to employees, evaluate employees against those expectations, and utilize these evaluations to guide talent management decisions related to compensation, staffing and development.

This has nothing to do with motivating and improving employees. It’s all about figuring out what is the smallest amount you can get away with paying your staff.

A process that can actually help employees improve is by working with them to find out their interests, find out what they want to do and shape their work around that. This isn’t the world of Gen-X and Boomers any more. People are far more interested in making work part of their life and life part of their work. Will they do that if there is a regimented process that is going to measure them against the cookie cutter mould? No, they won’t. Because no employee is exactly alike and no employer that wants to get the best out of their employees is going to manage that by trying to shape an employee to the employer’s expectation. We need instead to understand the great whole of the employee’s values and use that to motivate them. An employee that is doing what they feel is valuable and feels that the company supports them in this is far more likely to perform well than one that does not.

We have the tools (in a creepy big brother kinda way) to be able to analyse far more than just our employee’s achievement of our stated corporate goals, but also the interests, engagements, networks and influences of our employees. By better understanding our employees, and then aligning our business goals with their goals, we stand so much more chance of motivating and retaining talent.

Remunerate at the market rate for the skills that the employee possesses, if they gain more skills then pay more. Or if those skills have nothing to do with your business, don’t try and hold on to someone who would be happier elsewhere. Likewise, if the desires of the employee do not align with your corporate goals, don’t attempt to force the employee to comply, you are both better off without each other. Have the frank discussion that their desires and your goals don’t align at all. If their goal is to sit and eat chocolate and drink coffee all day and you don’t have a coffee and chocolate tasting role in your company, then it’s probably not going to work out. But it is good to know this – it’s time to move this employee on. Not because they don’t do what they are supposed to do, but because they have no desire to be doing it. Be frank, you can’t get rid of them if they are doing a reasonable job, but they will never be stellar unless _they_ want to do the work.

Now, I’m sure that this approach isn’t going to work in many, if not most, industries. If you have a load of jobs that people will only do if they are paid enough to suffer through, then this approach will not work. In this case fall back on Steve’s approach, just realise you’re very unlikely to develop or retain any talent.

However, if you are in an industry where people (or at least some of them) work because they love doing the work and are enthused about being the best, then I think my approach has some real advantages. Of course you will get and hire bad apples. This is where I believe performance management comes in. You now attempt to manage that person out of the company and ensure that you are not at legal risk by following a clear process. I’m sure there are risks in only performance managing those you’d rather have leave the company, but there are certainly rewards too.

And now to my second point of why I’m unhappy with this article. It was written by someone with the job title Senior Vice President of Customer Value at SuccessFactors/SAP Cloud HCM. 

If this is what SuccessFactors believes will drive more customer value, then I’m very worried that innovative and alternative approaches to making talent management work are not likely to get a great reception.

I strongly agree with Steve that we need to find out and measure how well our people are doing, but that does not need to be against a defined set of company goals, but against a slightly less well defined set of individual personal goals that the company can hopefully align with and benefit from. I believe that the next step for talent management solutions like SuccessFactors is to help employers with the analysis of who their employees are and what they want. Then use that information to help align both the business’s needs and the employee’s desires. It’s a huge technical challenge but we have to start somewhere. By at least acknowledging that there might be better ways of doing things rather than just dismissing them, we’d be making a first step in the right direction.

Companies that start to embrace the holistic view of the employee rather than the company centric one will, I believe, start to reap the rewards.

I could well be just dreaming, but at least I’ll be dreaming with some of the most motivated and enthusiastic people around who are all trying to achieve their goals in my company.



On being a dodgy international business empire

Recently I got an email from a company that I hadn’t heard of with an invoice for a month of electronic fax services that I had supposedly signed up for.

Now normally these sort of emails go directly to my spam folder and never see the light of day. But this one rang a bell and also they claimed to have my credit card details and were going to debit automatically!

You see, I had signed up for a service similar to the one mentioned (the ability to send faxes via email) but I certainly hadn’t agreed on any sort of monthly service fee. What I had signed up for was a pay-per-use fax service. If I needed to send a fax, I sent an email, and the cost of sending the fax would be debited from my credit card. But that wasn’t this company, or the service I was being billed for.

A trawl through the unread emails in my inbox found another email from the company now trying to bill me. It seems that they had purchased the small Australian company that I had previously made an agreement with, and had “upgraded” my account to one with a monthly service fee.

So unilaterally they had changed the terms and conditions of my agreement, and only given me notice of this through an email (that very much looked like spam marketing.) It seems that they also had sent another email which came from the company I had an agreement with, but had spoofed the from address – so I had assumed it was spam.

The biggest problem – the company I had originally had an agreement with had passed on my credit card details to this mega-corporation ( just type email fax into your favourite search engine, they’ll be at the top – and probably own the other top ten results too, it seems they are pretty much cornering this business.) So now they had my credit card details and were going to bill me.

Fortunately for me, the credit card I had used for the original service has been cancelled for some time – somewhere along the line, its details were stolen and it was used fraudulently which HSBC thankfully informed me about and I cancelled the card.

So I’m now having a nice email exchange with mega-corp asking them kindly to stop invoicing me for services I did not sign up for and have no intention of paying for. Also asking them to immediately and retrospectively cancel any service that they believe I have signed up for. Whilst they keep asking me for new credit card details (like that’s ever going to happen!) I’ve read on other forums that they can get pretty nasty about this, bringing in debt collectors and the like whilst not cancelling the service and invoicing more and more. So we’ll see what happens.

This said, the nice lady I spoke to when I phoned their customer service department was quite helpful in apparently arranging cancellation of my account. We’ll see how this pans out.

This raises for me some concerns. How is it that a company can be purchased and the new owner is able to make unilateral changes to existing contracts? Surely that is illegal? If not – it should be!

How can an email sent from a different domain than the purported sender (in this case an email from support@faxmate.com.au was sent from cpro30.com) 1) not automatically be assumed to be spam marketing/phishing 2) allow or justify unilateral contract modification.

Should it be legal that a company that purchases another automatically has access to all the purchased company’s records including customer credit card details? I guess to a certain extent that this has to be the case, but in the case where an Australian company is purchased by an international shouldn’t there be some protection about our personal details suddenly being transferred overseas?

I’m glad my credit card was already cancelled, but I’m sure there are many others out there right now in Australia who are trying to figure out whether or not to just pay a few dollars or fight this seriously dodgy business process.



Stack ranking, one of the worst ways to approach an already flawed idea

There’s a pattern here, Vijay posts up something on HR and I feel compelled to reply but end up writing far more opinionated rubbish than I should…


Nice post Vijay! But I will disagree.

Comparative employee rating (also known as stack ranking, vitality curves, rank and yank…) does not IMNSHO lead to useful or helpful results. In the case where enough employees are available to make bell curves a statistical likelihood (which I think would mean a huge number of employees and a huge variation in management and employee prowess which would most likely indicate a failed recruitment process, rather than a diverse company) then the likelihood that it would be possible to accurately compare one employee with another is very limited. Stack ranking only (doesn’t) works when it is possible to compare the employees. Which means the employees likely know each other, which means it’s probably in their own interests to screw each other’s performance. Check out the well publicised story at Microsoft – http://www.vanityfair.com/business/2012/08/microsoft-lost-mojo-steve-ballmer – under heading “The Bell Curve”.

“If you were on a team of 10 people, you walked in the first day knowing that, no matter how good everyone was, two people were going to get a great review, seven were going to get mediocre reviews, and one was going to get a terrible review,” said a former software developer. “It leads to employees focusing on competing with each other rather than competing with other companies.”

As I have previously mentioned I think the whole idea of performance reviews and ratings does nothing to help the employees, rather it just helps identify where good and bad management is occurring in the organisation. When we start linking review scores to payment, it gets even worse. Why? Because employees then start linking (even more strongly than they do already) their salary with their perceived self worth. Then when for whatever reason a large pay increase is not possible, the employee values themselves less. In the worst cases of this I have come across organisations where the employee contracts state that a performance review rating of 5 equates to n% of salary bonus payment, whilst a 4 is slightly less, and so on. The organisations have fixed salary/bonus budgets, so in order to pay out, they adjust the employees’ performance rating down (very rarely up!) so that the budget is met. Excellent employees are told that they are just “good” because there isn’t the budget to pay them if we tell them that they really are excellent.

I believe that there is a place for strongly objective reviews of employees, it’s the dark side of performance management. It’s that work that you need to do to be able to fire a disruptive or underperforming employee without having your arse hauled through the courts for unfair dismissal. Probably not an issue in the US I hear, but certainly a consideration in countries where the law is a little more friendly to employees. However, to drag all employees through a similar procedure when you don’t intend to fire them in the end, is not ideal methinks.



Peering into the future, short and longer term

Given my thoughts (and of course I haven’t a lot to back that up) that the only real positive value of current performance reviews is to evaluate the effectiveness of the management teams, I suggest that we remove the soul crunching and mainly pointless reviews and replace them with alternative ways of checking manager effectiveness. Google appears to have been doing a good job of this with its Project Oxygen and 360 reviews of managers – read the excellent HBR article http://hbr.org/2013/12/how-google-sold-its-engineers-on-management. An excerpt quoting one of the Google managers, which illustrates the value of the program, is below:

“I was surprised that one person on my team didn’t think I had regularly scheduled one-on-one meetings. I saw this person every day, but the survey helped me realize that just seeing this person was different from having regularly scheduled individual meetings. My team also wanted me to spend more time sharing my vision. Personally, I have always been inspired by Eric [Schmidt], Larry, and Sergey; I thought my team was also getting a sense of the company’s vision from them. But this survey gave my team the opportunity to explain that they wanted me to interpret the higher-level vision for them. So I started listening to the company’s earnings call with a different ear. I didn’t just come back to my team with what was said; I also shared what it meant for them.”

This approach appears to be working at Google. Perhaps too well! A Google full of managers rather than leaders would be almost as bad a place to work as Yahoo for me. However, the concept of 360 reviews providing actionable areas for improvement, I think, is something that isn’t quite so blue sky. This is an idea we’d be better off implementing right now. I think there is a clear difference between “management” telling you that you could do better in areas and the team that you manage telling you that you could improve.

Looking to the longer term, I think it will not be far off where we can use data that we would not have considered analysing previously (social network graphs, semantic and sentiment analysis of work communication, external to enterprise group and social sentiment, etc.) to give us hints as to whether employees are more or less productive, motivated, stretched, likely to leave, etc. What is more, predictive analytics will improve in the HR space (hello HANA and comparing huge sets of data across multiple organisations available due to SaaS set up of the HR tools and therefore comparable data sets). We should start to be able to get that data and the predictions about how an employee is going to act in time to do some real time/preventive management (hopefully). This is going to be far more valuable than the formalised soul destroying performance appraisal process happening once every n months.

I’d go as far as to suggest formal reviews only exist because we have this feeling that we need to have something “objective” to use to manage our people. However, in reality the best/happiest/most productive workplaces are going to be those where the subjective views of the employees are that they are being well and fairly treated. I think we can do an awful lot more in our workplace to help our employees be happy and productive. And most of that improvement isn’t going to come from paying our employees more or telling them where on a scale of 1 to 5 they scored this year. Perhaps we like to think that an objective review feeds a subjective view; I don’t think it does (or if it does, it’s rarely going to be positive).

Edit – to try to clarify a few points here I wrote yet another post: To rank or not to rank, ‘cos that won’t work in the real world will it?


Lies to Children – Simplification for the sake of easy explanation

I was so close to tweeting this:

The earth & sun orbit around their combined centre of gravity. simple explanation isn’t the same as accurate, just a lot easier to explain

It even fits in 140 characters, but I don’t think it does justice to the point I wanted to make.

Michael wrote:

and I commented:

Michael replied:

I lol’d.

However, it raises a point I’d like to address: we often hear some very compelling stories about how things are. One of those stories is about the earth orbiting the sun. If you look closely at the details, what the earth orbits is the sum total of gravitational influence in the solar system. It happens that sum total is pretty much smack bang centered on the sun, but it certainly isn’t always.

The simple story is compelling, and it may even be true for most use cases, but were I trying to calculate the trajectory of an asteroid potentially on a collision course with earth it wouldn’t be.

Likewise if Michael took my story about SaaS meaning the end of upgrades to his business it would be a very compelling and simple one. After all, someone else is managing that in a SaaS world aren’t they?

Look into the detail however and you might find things like APIs that you’re using for integration getting deprecated over time, certainly you’ll hope to find that the UI/UX changes, and so your training documentation will need updating. New functionality will come along and you may well adopt it.

Beware any simple and seemingly logical statement – especially if it comes from someone trying to sell you something.



Keeping it real

Anti-Social social media

As many of you who might read this know, I like social media. I spend a reasonable amount of my spare time following and trying to keep up with the information that is available about SAP, cloud and HCM topics. Many of these social media discussions (a majority I’d suggest) take place over twitter. Now recently I’ve found a few tweets that have really got me irritated. But before I explain what got my back up, it’s probably worth pointing out that there is a simple option for me, and it’s to put the phone/tablet down and walk away. This really isn’t that serious! Secondly, don’t ask me to name names, I won’t and I don’t think it’s helpful anyway, and I’ll get to why not later.

What’s wrong?

I’ve seen two types of behaviour that I’ve disliked. The first is where people use social media as a tool to strike up a conversation, but rather than continuing with the conversation, just make a couple of snide remarks and try to spark up a fire. In some cases these have been extreme storm in the teapot scenarios, where some information that was misunderstood, or not researched at all, has been used to derive wild scenarios that are great link-bait but do not actually help drive the conversation forward. Conversations are two-sided; if you refuse to engage in a manner that engenders discussion then you don’t have a conversation, you have a battle. In battles the only people that win are the arms manufacturers.

The second type of behaviour is where people represent themselves as “individuals” but start broadcasting what can only be described as advertisements for the products that the company that they work for sells. Now this is a fine line, as you’d expect people to be interested in and excited about the products that the company that they work for sells. But when it is done across a whole group of employees and sometimes with a common message/format then it really starts to smell bad. Even worse when people start tweeting info and then add a link to some sales website or their company twitter handle when the content of the tweet isn’t about that! It’s like they are branding their tweets! But when they then refuse to engage on the marketing type tweets to clarify details (possibly because some of the marketing bs is actual bs?) it gets really irritating.

The problem.

Well my real issue is that the response I want to give the tweets of the second type would just make me an asinine tweeter of the first type. Keeping it real and respecting myself involves not walking either of these two paths. And that’s tricky. Not to mention frustrating! This is why I don’t want to name names, it’s just behaving like a spoilt brat and isn’t doing anyone any favours. Don’t be evil!

My solution – not “the” solution

I believe that I shouldn’t take myself too seriously, it’s one of the reasons I still keep the ridiculous twitter image that I have whilst pretty much all those that I engage with have sensible portraits. To remind myself not to think overly of my skills, abilities or influence, as I’m just a silly looking guy whose biggest achievement was becoming a father. Remembering what is important and valuable to me then drives my behaviour. Yes I’ll post this up to vent a little, but the anti-social social media that winds me up, hopefully you won’t see that coming from this direction. 🙂

Seriously, don’t take yourself too seriously. Photo was taken at my son’s 1st birthday party.

ABAP Code Naming Conventions

Ok, you can probably guess that I’m not the most conventional person. I probably don’t fit the mould of the stereotypical developer either. I’m certainly not what one would call an introvert.

So please take this with the necessary pinch of salt (especially if you’re one of the people who writes the code naming conventions that I have to follow from time to time 😉).


Why on earth does every SAP project I go to insist on such inane naming standards for the code? The SAP editor is a wonderful IDE (caveat I did not say it was the best IDE) that allows you to see the definition of any variable with a simple double click – so why on earth are you so worried that I should prefix all my local variable definitions with an ‘l’? What on earth potential benefit can this have on the code readability? Perhaps it helps if you’re still one of my nemesis developers who are passing all your variables between methods through the use of global variables and/or singletons. Perhaps one needs to look at a piece of code, see lots of l’s and that gives satisfaction? The use of Hungarian Notation in ABAP code seems to be universal, although never it seems implemented in the same way.

Then when I define a structure, I must prefix it with an “S” just so you can be sure that it isn’t actually a table or a single field, or so help me, a woolly mammoth. When I look in the IDE view of the package I am developing, all of these different things are arranged in a tree so you can easily tell one from the other. Again a single double-click can bring me to the definition if it is ever referred to in a piece of code. Perhaps it might save some time looking at a variable definition to see if it is a table, a structure, object reference or a variable – but if I’m in the code, it should be pretty damn obvious! If I’m appending or inserting into it, it’s a table. If I’m referencing a sub-field of it, it’s a structure. If I’m assigning a value to it, it’s a variable; if I’m creating an instance of it, it better be an object reference. There again may be cases of my nemeses developers still using tables with header lines and confusing the heck out of me. But I’m hoping that the code inspector might weed at least that out.

Searching outside of the SAP world the use of Hungarian Notation within code is not universally disliked, but with such a clear list of disadvantages and such luminaries as Uncle “Bob” Martin and Linus Torvalds against it, you’d have to proclaim yourself a pretty die-hard supporter of “doing it the old way” not to just think a little – “is this really useful? Or is it even potentially bad?”.

Then there comes the requirement that every object should reference the area of use it is intended for. Thus the fourth and fifth characters of the object name must be “HR” or “PA” or “XX” or whatever. The use of Positional Notation for implicit metadata about a component is, however, not something I’ve seen outside of SAP projects except for the COBOL example given in the linked Wikipedia page. At this point when reading the naming convention guide, I casually check if there is any mention of packages and package hierarchies and hope upon hope, package interfaces. When there isn’t, I sigh again and just bite my tongue again. Because SAP has provided a wonderful way of helping us see what use a component is put to – as every component must belong to a package, and that package can (and should) have an application component defined. And to give even more clarity, the package can have a super-package, thus grouping all like components together, whatever types they are and wherever in their object names they have a ridiculous two character code. The package interface can even tell you if the object is safe for use outside of the package. What a great concept!

So instead of spending time thinking about whether the components we are building are truly reusable, and what the scope of that reuse is, we spend hours checking if we have the first n characters of our objects correct according to the development standard book.


One day someone will be silly enough to let me do it my way, I’ll confuse the bejeebers out of all the guys who’ve only been coding ABAP badly for the last 10 years and the project will potentially fail because I’ll spend my entire time looking for enough of a development team that can understand that following a rigid way of doing things isn’t always the best way to do it…. <sigh>

Personal link shortening and tracking


Is it really required to use link shortening services everywhere? In twitter or other places where space is premium – sure, I’m happy. But where it doesn’t matter, the only reason they are being used is so that the publisher of the advice about the endpoint can track the number of clicks that they are getting.

I’m not particularly happy about this sort of tracking. To the extent I’ll use a search engine to find the content rather than click the link. Also I’d prefer not to click on the link if it’s just going to take me to a press release – which is obvious when you see the URL, but not so much when it’s hidden by a click counter (oh I mean link shortening service).

Perhaps I should just get over it and let those people who want to crow over the number of clicks their posts are getting get high on their own self importance. I’d rather just share than worry about that and that should be enough.