Tag Archives: SAP

Security in depth – or a bug waiting to happen? – CSRF protection on SAP Gateway

What’s that? – It’s the dragon that guards the locked door, we feed people who ask silly security questions to it.

<rant>

So I’ve got my knickers in a twist again. Recently I was playing around with sending some OData to my SAP server when it refused me. Now, I didn’t like that, but at least it was kind enough to tell me why. Apparently I hadn’t fed it a CSRF token. OK, so I looked in the headers of the GET that did work, and lo and behold there was a CSRF token there. I fed that into the POST I was doing, and bingo it worked.

Now it seems to me that many many people have hit the same thing and found the same solution. Indeed, I asked around some people I knew and they told me: “Get over it Chris, it’s in the header of your GET, it lasts all session, just use it!” But me being me, no, I wouldn’t accept that!

Slight aside – they also mentioned “Damnit, I remember when that patch came in, it buggered up my custom Gateway app and I had no warning that it was coming, took me ages to figure out why it wasn’t working.”

So I thought – OK? Why? Why do we have CSRF protection in the first place, what on earth is it?

CSRF protection – Cross Site Request Forgery protection – is, according to the websites I read, supposed to protect against the case where, without the user knowing, an authentication cookie held by the browser lets a malicious site alter data on your system (and in the case of Gateway, on your SAP system).

So to send a PUT or POST or DELETE (the verbs that can change data) from a browser without the user knowing is going to involve one of two things.

a) An injection of HTML on the page adds either a form that is going to POST some data (the typical type of attack CSRF protects against) or a link, e.g. an img tag, which GETs data.

b) An injection of some script, e.g. JS on page that is going to do the PUT/POST/DELETE

In the case of (a – POST) the payload will be malformed and Gateway isn’t going to accept that as valid OData – so no security worries anyway. And for (a – GET) CSRF protection isn’t even applied.

In the case of (b), well, if I can embed JS, I can just as easily embed a GET, pull the token from the header and then do an update with that CSRF token. Indeed the sites that advocate for the CSRF token approach make it clear that it cannot protect you in the case where you have malicious JavaScript on the page.

In the case that the script is running on a page from a different domain, then CORS will kick in and stop the access – but if somehow the injection is on my own domain, I don’t see how we’re protected.

So I was at a loss. What protection does CSRF actually offer Gateway?

I further researched:

There’s a great explanation, which does better than I have at:

Play Framework

It is recommended that you familiarise yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting with this information from OWASP.

Simply put, an attacker can coerce a victim’s browser to make the following types of requests:

  • All GET requests
  • POST requests with bodies of type application/x-www-form-urlencoded, multipart/form-data and text/plain

An attacker can not:

  • Coerce the browser to use other request methods such as PUT and DELETE
  • Coerce the browser to post other content types, such as application/json
  • Coerce the browser to send new cookies, other than those that the server has already set
  • Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests

Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice. So the only requests that need CSRF protection are POST requests with the above mentioned content types.

Since Gateway does not support POST requests with bodies of type application/x-www-form-urlencoded,multipart/form-data and text/plain (or if it does there’s your problem right there!) there is no need for CSRF protection.

I then had a fun conversation on Twitter with Ethan

The great thing about chatting with Ethan is you always come out having learnt something.

He makes a good point, and I’ll paraphrase him:

“The best security is deep and many layered and protects not only against the things that you know may happen, but also against those that you’re pretty sure won’t.”

I was wrong: “to send a PUT or POST or DELETE (the verbs that can change data) from a browser without the user knowing is going to involve one of three things”, not two. The third being:

An exploitation of a hitherto unknown browser bug that allows it.

So now I’m confused. Is it worthwhile implementing the hassle that is CSRF protection, including the potential slowdown in response time (a paramount concern in a mobile app), for a situation that might happen?

When I’m writing ABAP code, I’m happy to trade away performance of the code for ease of maintenance. I don’t use pointers (field symbols) to loop over data that I do not intend to change, because some fool could come along later and accidentally do just that. If I instead use a work area, there isn’t that risk.

So in some respects I already do work that makes the solution slower to ensure lower risk, so shouldn’t I just do the CSRF thingy?

However, here is the reason for the risk: I don’t trust that the people maintaining the code after I leave will understand what I have done in my implementation of CSRF protection and won’t make a mistake. Even if I’m using UI5 in my application to update my SAP system, will they remember to call the refreshSecurityToken method every time before a PUT, POST or DELETE? Will they test it? Will they let the session expire in the testing so that they actually need to call the refreshSecurityToken method? I really hope so, but I doubt it. I see applications going into error and data not being updated when it should have been, because of “needless” CSRF protection.

weighing Dodgy Code vs Browser Bug risks

So what I see is this: Security in enterprise is paramount, Gateway is enterprise software, it needs to be secure. So SAP made it so, even if it hasn’t really made a big difference or fixed any known security holes. But, “just in case”. However, custom code (and even standard code 😉 ) will have bugs, ones that rely on sessions timing out are particularly hard to test and will get through. The risk to your Gateway based mobile app is greater by having CSRF protection enabled than it is to your data being maliciously hacked through zero-day exploits. But I guess it depends on what that data is 🙂 .

</rant>

OK, one final bit…

<rant>

Given that I might not actually be using my Gateway for a UI app but for machine to machine transactions, would it PLEASE be possible that if I provide a valid authentication header in the PUT/POST/DELETE that we ignore the CSRF thingy? If I can somehow come up with a valid auth header, then we aren’t protecting anything with a CSRF token, we’re just making transactions slower by requiring multiple round trips that shouldn’t be needed.

</rant>

I feel better now. 🙂

Read how this discussion unfolds over at SCN…

http://scn.sap.com/community/gateway/blog/2014/08/26/gateway-protection-against-cross-site-request-forgery-attacks#comment-611490

P.S. my last post from the SCN comment thread, as I think it’s an important summary:

The thing is, by not implementing CSRF protection, we aren’t making our services insecure. There are no known ways to use CSRF against Gateway currently.

There is the case of protection against unknown attacks, but is that worth the cost, risk, effort?

Not using CSRF protection does not mean you are making your service insecure. It is just trading “just in case” against real life complexity, risk and cost.

Depending on the data concerned, that “just in case” might be worth it. It won’t always be.

Architects have a responsibility to their companies to balance these risks and decide. We have the responsibility to inform them clearly and not just pretend that security is the only and overwhelming factor to consider.

Sometimes we put security on a pedestal and everything has to be done to address it. But we should remember that everything should have a risk/reward curve and sometimes NOT coding for a security risk is actually less risk than coding for it.

SuccessConnect 2014 – Las Vegas – initial thoughts

(Mike Ettling explains SuccessFactors new commitment to putting customers first)

So I’m in the lounge at LAX – the new OneWorld business lounge – it’s loads better than the old Qantas lounge, they have craft beer on tap for a start, which did lead to rather a few posts:

Which weren’t particularly related to themes I normally post on, but nevertheless probably tell you something, I’ll leave this as an exercise to the reader to speculate on what.

So whilst I’m nice and relaxed after a nice shower and looking forward to heading home, I thought I’d capture a couple of things that happened whilst I was at SuccessConnect this week, and hopefully this will also remind me to expand on them at a later time.

Firstly – customer first

The commitment by SuccessFactors to publish a roadmap to customers is a big win. And it’s not just a win for customers. As a partner it’s much easier to advise a customer when you have a good understanding of what _might_ happen in the near future. By making as much of the solution as possible accessible through the upgrade centre rather than provisioning (an ongoing effort) it removes from customers the need to engage an SI partner for what may well be just an administrative task. Allowing customers to attend the same training that partners can attend is also a great thing – so now there is a real possibility that customers can do some of their support in-house.

Why, you might ask, am I cheering this as a good thing? I am one of those partners who previously customers had to rely on to make these changes. Well, it’s really because I don’t like doing boring stuff. If as an SI all the work I do is very simple, then customers can be a little resentful for paying me as much as I would like to be paid. I see this as an opportunity to get rid of the boring work and instead focus on bringing real value through expertise. We shall see, but I’m hopeful that this is the path SAP envisages as well.

SAP a SuccessFactors company?

With Rob Enslin opening the conference, I got a real feeling of SAP being a full part of the conference, and not of SuccessFactors being a separate company anymore. That said, all the “Cloud DNA” was still there and it was interesting to see Lars make a guest appearance. The reaction from the SuccessFactors staff to seeing Lars was remarkable; it was all a surprise, and a nice one for most. However, Fiori making itself felt in the UI development pipeline amongst other “Simple” things shows that the “DNA” exchange isn’t just one way.

Dmitri demoing new features

Phased releases

The public announcement of a phased release of functionality, with updates being released a month earlier on the test instances of a customer, is great news. This will help extension developers hugely (although ideally I’d like access to the update another few weeks before the customers get it in their test systems, but I can work with this idea!) Customers too have the ability to check out any mandatory (although there are few of those) updates before they get deployed. All in all a great step forward in helping customers manage their solutions – and the spontaneous applause from the audience when it was mentioned shows it’s not just me as a developer that appreciates this.

Righto, that will do for now, Mike Ettling’s flight to Sydney has already left, and mine to Melbourne is going soon. I’ll be catching up with him and the team again for the Sydney version of SuccessConnect, but I’m so glad that I was here this week in Las Vegas, it has been great.

Continuous Integration vs Phased Deployment in a SaaS world

I was very interested to read some links that Naomi Bloom posted about how Workday have moved to a continuous integration deployment model rather than a phased release.

As a developer, I love the idea of continuous integration: having a set of tests that can automatically check whether the code I have built will cause an issue in production and then allow me to move it up to prod immediately. It fits with TDD and all the other cool things I want to do. Awesome!

If I were writing code in the internal development teams of Workday or SuccessFactors, I’d want the software to be CI.

However! As a developer of extensions to one of those platforms, I couldn’t think of a worse option! If you look at the “disadvantages” section in the linked Wikipedia article on CI, you’ll notice that one very important thing is to have lots of good automatic test scripts. The problem is, a vendor can only possibly run their own test scripts, they can’t run mine. (Perhaps they could run mine if such an API was built, but could they justify not deploying to prod because a little used partner extension failed a script?) So what if some change that the vendor does breaks a behaviour in my code? Well, that’s bad for me. I’d better hurry up and fix it, because all my customers are now with broken code, and the first I found out about it – when it broke. And likely I’m not going to find out until I have one of my customers complain – unless I have proactively set my test scripts to run every hour and send me a message when something breaks, in which case I’d better be ready to do emergency support 24/7. Yeah, just what I want. NOT!

This would be a huge burden on an extension provider; you wouldn’t have a stable platform to build on.

With SuccessFactors being on a phased release rather than continuously integrated to production, it is much easier for me to join in with the testing of my solution before it hits the market. I know that my customers aren’t going to get a nasty shock because something suddenly breaks/changes behaviour, because I have a window to test that before it impacts them. I also know when that window is going to be, so I can plan around it and allocate my resources. Whilst the solution might be wonderfully cloudy and elastic, my skilled pool of extension developers is definitely less cloudy and more finite and fixed.

Now it might be possible to allow partners to have an early access box, and perhaps delay CI deploys to production by a week or so to allow partners to test their code. But that is one hell of an effort that you’re demanding of your partners to do that. And as one of those potential partners, I can say I’d be thinking very long and hard about the risk you as the vendor are putting me at, and probably would decide not to go there.

I think that in a world where purchasing 3rd party add-ons for your cloud platform becomes the norm (allow me my dreams please), and where the power of the platform is driven by these add-ons/apps, having a phased release makes sense. How cool would an iPhone be without any apps from the AppStore, how good would an S5 be without apps from Google Play? They are both great devices, but they are awesome when enhanced by external developer partners. These mobile platforms have phased releases. It’s not because they couldn’t have constant updates, the tech is easily there for that to happen, but because in order to sustain the applications/application developers that make them so cool they need to provide a stable platform.

I’m really glad that SuccessFactors provides a stable environment for me to build on, as I am convinced that HCM SaaS has a huge potential to be enhanced and extended to the better use and consumption of businesses. It’s a real strength of the solution, and I am very happy to play a part in this story, and that SAP and SuccessFactors are carefully considering the needs of the development partner in this scenario.

All that said, it would be cool to be developing in a continuous integration solution, but just not for the partners building on your solution.

#SAPPHIRENOW what it meant to a developer

I make no secret that I love developing. My favourite job title is “Chief HR Geek”, I adopt others as the need arises, but as a real in the dirt developer, content is always more important to me than flashy styling.

That’s why I was one of the only attendees at SAPPHIRENow 2014 wearing shorts. It’s fricking HOT in Orlando in June, wearing a suit?! Are you kidding me?

But it’s worth noting that to most businesses in the first instance, flashy styling is worth more than content! BUT – flashy styling with content, that’s awesome.

Fiori

With the announcement of Fiori being available as part of standard maintenance (yar boo sucks to those companies who’ve decided to skip SAP maintenance and have a third party do it) there comes the possibility of a double whammy of flashy styling and good underlying content.

The demo of a CFO drilling down in real-time to underperforming or problematic areas of the business and analysing why was compelling. I think Robbo has written about this as the killer app for HANA. I think he might be right.

But the key thing for a developer here, was the front end that this was achieved with, wasn’t a Business Objects add-on, wasn’t some WDA functionality. It was SAPUI5 over an OData layer exposed by Gateway.

If companies are going to be able to adopt these applications – and more and more of them are coming – there is going to be a clear need to support them.

Using tooling to build UI5 apps using ABAP won’t cut it

Whilst there are some amazing frameworks out there to help migrate stuck-in-the-mud ABAP developers across to building UI5 apps, this does not help when there is a need to extend a standard Fiori app. Developers will need to learn JavaScript (or more properly ECMAScript, but that’s just me being pedantic.) If you can’t code JavaScript and refuse to learn, start calculating your redundancy payout because that’s what you’re going to be worth to your company. Alternatively, brush up on your SQL skills – and you can start writing some of the pushdown code for HANA. Either way, ABAP is going to be complementary to either DB manipulation or front-end display, but not a stand-alone skill set.

Fiori extension points

Did you know that many (not all!) Fiori apps have built-in extension points? You can use these to substantially alter the behaviour and appearance of the app. But to do so, there is something you should know – guess what? JavaScript! Whilst the RDE (fingers crossed for R to start meaning Rapid in the near future) allows for some pretty amazing WYSIWYG modification to apps, the likelihood is that some form of developer intervention will be required. At the very least someone is going to have to figure out if the business requirement can/can’t be met using this simple customisation. And what skill set is going to be needed to figure out what those extensions can/can’t do? Yep, you guessed it, JavaScript.

In Summary

For once I’m going to keep to a simple post without the detail that, as a developer, I love so much, because I want to emphasise this message: the future is Fiori.

I’m eventually learning to understand that unless you have flashy styling (Fiori), it doesn’t matter how good your content is (HANA), you can’t sell it. Combine the two together, and you have something that will change the marketplace and means developers need to change their game.

Perhaps if I ever attend SAPPHIRENow again, I’ll compromise and wear my jeans.

Organisational Charts, is there a better way forward?

What does your company’s organisational chart look like?

a) the Eiffel Tower,

b) a bowl of spaghetti?

SuccessFactors Professional Edition – a thought provoking trial

I’ve been trying out the SuccessFactors Professional Edition (SMB market) software recently (and no, this is not a review of it, that’s coming later (maybe).) It gave me a moment’s pause to think. Does the organisational structure at my company actually resemble a tree (an upside down one I guess) at all? The SuccessFactors software has a great organisational structure visualisation tool (far nicer than the Nakisa one IMNSHO), but it’s all about visualising a traditional hierarchical organisational structure.

Different types of structures

At the same time I was thinking about this, I happened to read the supposed “Valve Handbook for New Employees”. On page 4 (I’ve included the link; if you haven’t read it, I can recommend it, fascinating stuff and far more than just the bit I’m talking about here) it describes the structure of the organisation.

It makes a point:

“Hierarchy is great for maintaining predictability and repeatability. It simplifies planning and makes it easier to control a large group of people from the top down, which is why military organizations rely on it so heavily.”

Like Valve, I don’t see the organisation that I work for being particularly militaristic. I grew up as an “army brat” and therefore have a very healthy (in my eyes) disregard for any kind of imposed authority. Someone telling me that I must do something in a certain way, is almost a guarantee that I’ll try to find a different way of doing it. I try to treat the people I work with like I would like to be treated. Telling someone to do something is pointless, explaining to them why they should do something – that’s more like it.

I’ll digress from my main point here for a little bit, because a random memory has just sparked, and it’s sort of relevant. When I was a new grad starting out in the big wide world of SAP HR consulting all those years ago, my boss at the time hauled me out of the clients where I was shadowing and learning, and into the office. For one week I helped the office admin team file expense reports, collate time sheets and put together invoices. After that, although I may never have been the best at getting my expenses in on time, when they did get in, they were very clearly and neatly arranged. Why? Because I had learnt that doing so was a simple task for me, but made the life of the admin person so much easier. Because someone had taken the time to show me why I should do something in a certain manner, I was very happy to do it.

Hierarchy and innovation, not great mates

In their employee handbook Valve go on to say:

“But when you’re an entertainment company that’s spent the last decade going out of its way to recruit the most intelligent, innovative, talented people on Earth, telling them to sit at a desk and do what they’re told obliterates 99 percent of their value. We want innovators, and that means maintaining an environment where they’ll flourish.”

I’ll put my hand up right now and admit that Discovery is not an entertainment company, despite it sometimes being very entertaining to work here, yet I’ll completely agree with the sentiment of it being an absolute innovation killer to tell people exactly what they must and must not do. To me to provide the sort of environment that people are going to thrive in means everyone having a say and everyone moving forward.

Such a dynamic (yes, my description; substitute whatever smanky term you want to use instead) way of doing things cannot, I believe, have a non-dynamic organisational backbone.

So let me try to put that on paper for you.

I tried to draw a simple map of the relationships between a few of the employees in our company (disclaimer, I didn’t stop to think too long about who is linked to who very hard here, so if you’re on this chart and I didn’t link you correctly, sorry, it isn’t a real org chart because there wasn’t a whiteboard involved.)

When I tried to add just one more employee (Karsten) it just got far too messy:

My point is, that as a small company, we just don’t fit into the traditional hierarchical organisational structure. And to follow on from the point made by Valve, I don’t think it is in the best interests of our organisation or staff that we do.

Scientific interlude to counter excess HR fluffiness

Another digression (sorry): even evolution (Darwin’s tree of life) isn’t considered a tree these days. It has been recognised that due to the transfer of genetic information from and through viruses and bacteria there is an awful lot of our genome that doesn’t come from our direct ancestors, but from other species. It’s called horizontal gene transfer (HGT) and has been found to play a major role in forming species. To use this analogously, I would suggest that who you are working with, who influences you and who you influence are more important to who you are than the person that you supposedly report to.

Back to HR (or HCM, or whatever…)

Now I don’t think that either Discovery or Valve (or Darwin’s web(?) of life) are unique in this. I think the days of the hierarchy are numbered, and what is more, we are inventing and deploying the tools right now that will be its undoing.

Tooling up for the revolution

Enterprise social networking, whether using tools like Jam, Streamwork, Yammer, Google+ (we use this a LOT internally, it’s free, simple and powerful!) or even going more external with tools like Twitter, LinkedIn, and, so help you, Facebook, is clearly in vogue. It should be a simple matter to leverage these tools (along with email) to find out who is talking to who. From this we would have a clearer picture of who is talking to who, how often and in what formats. We could use this data to help us consult the right people. We already do this in many ways, but imagine having a system that could help us, in the same sort of way that GMail prompts you to include certain people in an email based on your past emails, but that would also check the content of your message (I know this sounds horrendous to some of you, but I’m just imagining stuff here, not planning for an actual solution, bear with me). The possibilities of how we could capture and utilise the connections between our employees to add value to the business are only just starting to be explored.

I’d push the analogy that I’m trying to make so far as to say that communities of interest are the new org units of enterprise. Although you might not send a leave request to be approved by your local ketchup appreciation group (I used to read the USENET alt.ketchup group at uni for a laugh, how the world has changed! I can’t even find a link to it now.) You are more likely to check that your vacation isn’t going to leave the project teams you are working with in the lurch, rather than checking with the team with whom you are theoretically assigned but haven’t worked with for the last 6 months.

When it comes to handling career goal planning, I think that we need to be encouraging everyone to be part of the process. (I happen to agree with Prof. Culbert about the usefulness of performance reviews, but strongly believe that goal setting is a great way to understand how to get to the next level, in a positive way.) 360 type reviews (where we reference and review with the people we are working with, rather than an arbitrary “manager”) of the goals that we are setting allow us to help ourselves and our teams understand where we are heading, without the soul-sucking negativity associated with most performance reviews. For such a distributed process, there is no benefit to a rigid structure where person A conducts the review for persons B, C and D. Again I see great potential in the use of social communication tools to share, organise and optimise these processes.

Full circle

So back to my original musing: what does my organisation look like? I don’t think I know yet, but I think it’s going to be fluid. If I want to be part of a successful innovative company (and who doesn’t) I think it needs to be able to change shape depending on how and why I’m looking. And my view of the organisation should be able to change that shape without me needing to spend days of constant restructuring.

And to finally relate that to something SAP

Returning to my thoughts about the SuccessFactors Professional Edition product and its use of strict hierarchical structures. I don’t think that these do fit with how many SMB companies are choosing to operate today. Yet, I can see how a SaaS solution that is planning to integrate “social” into everything they do (one of the strong messages from SuccessConnect) will possibly get me there a lot quicker than an onPremise solution will. I hope that by posting this up people will read this and start to think about how we can start to leverage the tooling that SAP is providing to be more creative, dynamic and successful. SuccessFactors people, you have a real opportunity to create something in this space, please let’s build something awesome.

As per always, these are my own personal views, and do not necessarily represent those of the company I work for. I purposely take a line which is at times controversial and contrary to many people’s beliefs. I don’t think I’m correct, it’s just that no-one has convinced me otherwise yet. This blog was originally published at http://scn.sap.com/community/erp/hcm/blog/2012/07/09/my-organisation-looks-like but I thought it really ought to be here too. Partly inspired by Vijay’s blog about talent being unmanageable, and my thoughts on what that means about talent being managers. What I’d want to point out is that I see a future coming where our HRIS system may mean the end of people managers as we know them, thus solving the conundrum of how we manage talent and/or whether talent should be managers.

References: in a list to make life easier for you

http://www.successfactors.com/small-business/professional-edition/overview/

Valve Handbook for New Employees: http://www.scribd.com/doc/90526695/Valve-Handbook-for-New-Employees

http://www.quora.com/Social-Media/What-is-a-Smanker (my own adaptation)

http://www.newscientist.com/article/mg20126921.600-why-darwin-was-wrong-about-the-tree-of-life.html?full=true

http://www.newscientist.com/article/mg20126923.000-editorial-uprooting-darwins-tree.html

http://mashable.com/2012/06/24/social-media-workplace-study/

http://apcmag.com/why-social-media-in-the-workplace-is-not-the-enemy-business-benefits-of-staff-usage-.htm

http://byresearch.wordpress.com/

http://gmailblog.blogspot.com.au/2011/04/dont-forget-bob-and-got-wrong-bob.html

http://english.stackexchange.com/questions/1269/is-it-bear-or-bare-with-me

http://en.wikipedia.org/wiki/Community_of_interest

http://www.nytimes.com/2011/03/02/opinion/02culbert.html?_r=1

I hate doco

It’s kind of a mantra that I live a reasonable part of my life by. I think the above image is a not unjustifiable representation of my feelings about documentation.

But there are many good reasons that I should be doing doco. Most of them are supposed to save the customer money in the long run. And occasionally by doing the doco, I even find some small errors in my code that I hadn’t seen before.

InnoJam Sydney 2011

Before InnoJam had any of that fun fluffy design thinking aspect to it, we ran one in Sydney. It was good fun, and people could build whatever the heck they wanted.

In staying true to my aversion to writing doco, I came up with an idea about auto-generating UML diagrams from SAP code.

Here’s a video of the solution we came up with:

Here’s a link to the Prezi that I presented in that video:

http://prezi.com/zri5q-ib4vzp/?utm_campaign=share&utm_medium=copy&rc=ex0share

I wrote a blog post about it:

https://scn.sap.com/blogs/chris.paine2/2011/08/10/programmers-are-lazy–innojam-them

But it was a long time ago and the move to a new version of SCN has kinda buggered it up.

Anyway, in short – Rui never managed to get the terms and conditions of CodeExchange changed to a level where I’m happy to support it and put code in there. I’m pretty sure he tried though. So I didn’t do anything with the code.

 

Fast forward 3 years

I have a whiteboard in the office covered in post-it notes. They all represent at least one development that I’ve done for the current project I’m working on. At the beginning of the project, I was very good, and did all my doco as I went along. Then the poo hit the fan, and everyone wanted everything done yesterday, and didn’t care about doco.

So I now have a whiteboard full of post-it notes that represent potentially weeks of doco hell for me. So in my “free time” in the evening I decided to see if I could recreate the solution that we’d built in Sydney, and perhaps make it a little nicer.

UML output

The first thing I decided was that I was NOT going to try to build the graphical output myself. Having had lots of fun in Sydney trying to make Gravity do something it really wasn’t designed for, I thought I’d research how else I could get my interaction diagrams created.

If in doubt Wikipedia

http://en.wikipedia.org/wiki/List_of_UML_tools

There were loads there, and I’d pretty much decided on UMLet when I discovered something about interaction diagrams. Basically, interaction diagrams are supposed to show interaction between objects. Bit bloody obvious really. However, the thing is, if I’m documenting my code, I’d really like to show the interaction within my objects too. I.e. if I make a call to a private method of my class, I’d really like that to show up in my diagram. Given that interaction diagrams are only supposed to show external interaction it’s not surprising that most of the tools for creating the diagrams don’t really support this idea of internal object calls.

So a bit of browsing later and I found PlantUML. It has some awesome functionality for creating sequence diagrams, actually, most UML diagrams it seems, but it was the sequence diagrams that I was interested in.

Here’s a simple example:

[image: simple_example]

See how it’s quite possible to show “internal” calls of an instance and also show the life time of those calls. This feature I didn’t find on the other free UML tools that I looked at. There are a bunch of other formatting features that can be used too. If you’re interested check out their website: http://plantuml.sourceforge.net/sequence.html

Intercepting the SAP standard UML generation

So in transaction SAT there is the possibility to generate your own JNet UML sequence diagram (this exists as standard.)

[screenshot: press the button]

However, it does not allow you to do things like filter out standard SAP routines (as far as I know! If anyone can tell me how to do this without needing to list every method I call, please let me know!). When I was looking at one of my examples, where I ran a program to generate a performance review document for an employee, there were over 100,000 different routines called. Only about 400 of those calls involved my code, so you can imagine generating a UML diagram for the whole 100,000 calls would be a bit of overkill (not to mention an impossible to read diagram).

In customer systems there is a function module ATRA_UML_DECIDER that has been purposely handicapped. One does have to wonder why this has been done, but nevertheless it has. It allows the user to choose from a list of potential UML extraction routines. All of these routines implement the IF_ATRA_UML_TOOL interface. There are classes for extracting to JNet, Borland Together and Altova. Now, I’m sure that Borland and Altova have good products, it’s just that I don’t really want to spend money on them when there are perfectly good (for my tasks) free and open source products out there.

There is a factory class/method CL_ATRA_UML_FACTORY that creates an instance of a class implementing the interface. I overrode this method to use my particular extractor if it was me running the code. In the future, I might enhance this to check for a user role, or perhaps a user parameter; that’s trivial. The main point will be to allow others to access this logic too.

The guts of the code

Put simply, my implementation of the interface reads the table of data that is passed to the interface, removes all calls that aren’t to or from custom code and then builds a PlantUML representation of that code.

Here’s a very simple output that generates the diagram above.

@startuml
hide footbox
autonumber
participant "Instance 1 of Class\nZCL_HR_EMPLOYEE" as 1
1 -> 1: Call method GET_HELD_QUALIFICATIONS
activate 1
1 -> 1: Call method ZCL_HR_OBJECT->GET_RELATIONSHIPS
activate 1
create "Static Methods of Class\nCL_HRBAS_READ_INFOTYPE" as 2
1 -> 2: Call method GET_INSTANCE
activate 2
2 --> 1
deactivate 2
create "Instance 1 of Class\nCL_HRBAS_READ_INFOTYPE" as 3
1 -> 3: Call method IF_HRBAS_READ_INFOTYPE~READ_PLAIN_1001
activate 3
3 --> 1
deactivate 3
1 --> 1
deactivate 1
create "Instance 1 of Class\nZCL_HR_QUALIFICATION" as 4
1 -> 4: Create instance of class ZCL_HR_QUALIFICATION
activate 4
4 -> 4: Call method ZCL_HR_OBJECT->CONSTRUCTOR
activate 4
create "Function Group\nRHS0" as 5
4 -> 5: Call FM RH_GET_ACTIVE_WF_PLVAR
activate 5
5 --> 4
deactivate 5
4 --> 4
deactivate 4
4 --> 1
deactivate 4
deactivate 1
@enduml
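As an added example (not the author’s ABAP implementation, whose source is not in the post), here is the same filter-and-emit logic in Python over a constructed, simplified call trace: each record carries the nesting level, caller, callee and arrow text; calls that neither start nor end in a Z/Y object are dropped, and returns are inferred from the nesting levels. The record layout, the sample trace and the standard class CL_STANDARD_HELPER are assumptions for the illustration, not the structure SAT actually hands to IF_ATRA_UML_TOOL.

```python
"""Build a PlantUML sequence diagram from an ABAP call trace, keeping only the
calls that go to or from custom (Z*/Y*) code.  Constructed example; the trace
format is a simplified stand-in for the table SAT hands to IF_ATRA_UML_TOOL."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    level: int    # nesting depth of the call, as a trace records it
    caller: str   # participant label, e.g. "Instance 1 of Class\\nZCL_HR_EMPLOYEE"
    callee: str   # participant label of the routine being called
    text: str     # arrow label


def is_custom(participant: str) -> bool:
    """Customer objects live in the Z and Y namespaces; the object name is the
    part of the label after the literal \\n line break."""
    name = participant.rsplit("\\n", 1)[-1]
    return name[:1].upper() in ("Z", "Y")


def filter_custom(calls):
    """Drop every call that neither starts nor ends in custom code."""
    return [c for c in calls if is_custom(c.caller) or is_custom(c.callee)]


def to_plantuml(calls) -> str:
    """Emit participants, arrows, activation bars and returns in trace order.
    Returns are inferred from the nesting level: when a call at level n arrives,
    every open call at level >= n has already returned."""
    lines = ["@startuml", "hide footbox", "autonumber"]
    ids = {}     # participant label -> numeric alias
    stack = []   # open calls as (level, caller_id, callee_id)

    def alias(label, keyword):
        if label not in ids:
            ids[label] = str(len(ids) + 1)
            lines.append(f'{keyword} "{label}" as {ids[label]}')
        return ids[label]

    def close_down_to(level):
        while stack and stack[-1][0] >= level:
            _, caller_id, callee_id = stack.pop()
            lines.append(f"{callee_id} --> {caller_id}")
            lines.append(f"deactivate {callee_id}")

    for call in calls:
        close_down_to(call.level)
        caller_id = alias(call.caller, "participant")
        callee_id = alias(call.callee, "create")
        lines.append(f"{caller_id} -> {callee_id}: {call.text}")
        lines.append(f"activate {callee_id}")
        stack.append((call.level, caller_id, callee_id))
    close_down_to(0)
    lines.append("@enduml")
    return "\n".join(lines)


# Constructed trace: the custom employee class reads infotype 1001 through the
# standard reader; the standard reader's own internal calls are noise.
EMP = "Instance 1 of Class\\nZCL_HR_EMPLOYEE"
READER_STATIC = "Static Methods of Class\\nCL_HRBAS_READ_INFOTYPE"
READER = "Instance 1 of Class\\nCL_HRBAS_READ_INFOTYPE"
HELPER = "Instance 1 of Class\\nCL_STANDARD_HELPER"   # constructed standard class

SAMPLE_TRACE = [
    Call(1, EMP, EMP, "Call method GET_HELD_QUALIFICATIONS"),
    Call(2, EMP, READER_STATIC, "Call method GET_INSTANCE"),
    Call(3, READER_STATIC, HELPER, "Call method PREPARE"),       # standard -> standard
    Call(4, HELPER, HELPER, "Call method INIT_BUFFER"),          # standard -> standard
    Call(2, EMP, READER, "Call method IF_HRBAS_READ_INFOTYPE~READ_PLAIN_1001"),
    Call(3, READER, HELPER, "Call method READ_BUFFER"),          # standard -> standard
]


def example_diagram() -> str:
    return to_plantuml(filter_custom(SAMPLE_TRACE))


if __name__ == "__main__":
    print(example_diagram())
```

Run it and paste the output into PlantUML: the first few custom calls of the diagram above come out exactly, while the standard reader’s internal calls disappear. A standard-to-custom call deeper inside a dropped chain (a BAdI callback, say) is still kept, with its standard caller declared as a participant, because the filter keeps anything with custom code on either end.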

 

 A slightly less trivial example

The following code does some pretty simple stuff: it finds who my manager is, and finds out what required qualifications my position/job has.

DATA: lo_emp            TYPE REF TO zcl_hr_employee,
      lt_managers       TYPE ztthr_employee_objects,
      lt_required_quals TYPE ztthr_qualifications.

TRY.
    lo_emp = zcl_hr_employee=>get_employee_by_user_id( sy-uname ).

    lt_managers       = lo_emp->get_position( )->get_managers_recursive( ).
    lt_required_quals = lo_emp->get_position( )->get_required_qualifications( ).

  CATCH zcx_hr_no_managing_pos_found  " No managing position found
        zcx_hr_no_holders_found       " No holders for position found
        zcx_hr_no_position_found      " No position found
        zcx_hr_user_id_not_found.     " Cannot find user id for employee
ENDTRY.

So I thought I’d trace it:

It works out at around 200,000 different routines being called. 62 of those are my code, the rest standard.

[screenshot: run through 1]

First of all, I need to schedule a trace for myself…

[screenshot: run through 2]

[screenshot: run through 3]

I need to know which session I will be recording. If I left it as “Any” it would start recording this session, which is not very useful!

[screenshot: run through 4]

Session 2 it is!

[screenshot: run through 5]

[screenshot: run through 6]

Actually run it now!

And the schedule status changes to executed.

[screenshot: run through 7]

I now need to delete the scheduled measurement. Despite the intimidating words, this does not delete my measurement, just the scheduling of it.

[screenshot: run through 8]

Now, swapping to the “Evaluate” tab in SAT, I can see my measurement, and I can click to output to UML.

[screenshot: run through 9]

Clicking on the button triggers a bit of a pause whilst the system code chugs away and does loads of stuff it doesn’t need to do…

Then:

[screenshot: run through 10]

Save the data and PlantUML starts converting it immediately:

[screenshot: run through 11]

And the result:

[image: example]

Would probably have been a little bigger if my employee had a job assigned to their position, but you can see how incredibly easy this now makes documenting the functionality I’ve built.

I’m still considering how to make the code publicly available. I’m sure someone else would be happy to post it to CodeExchange, so perhaps I’ll let them.

Keeping it real

Anti-Social social media

As many of you who might read this know, I like social media. I spend a reasonable amount of my spare time following and trying to keep up with the information that is available about SAP, cloud and HCM topics. Many of these social media discussions (a majority I’d suggest) take place over twitter. Now recently I’ve found a few tweets that have really got me irritated. But before I explain what got my back up, it’s probably worth pointing out that there is a simple option for me, and it’s put the phone/tablet down and walk away. This really isn’t that serious! Secondly, don’t ask me to name names, I won’t and I don’t think it’s helpful anyway, and I’ll get to why not later.

What’s wrong?

I’ve seen two types of behaviour that I’ve disliked. The first has been where people use social media as a tool to strike up a conversation, but rather than continuing with the conversation, just make a couple of snide remarks and try to spark up a fire. In some cases these have been extreme storm-in-a-teacup scenarios, where some information, misunderstood or not researched or understood at all, has been used to derive wild scenarios that are great link-bait but do not actually help drive the conversation forward. Conversations are two-sided; if you refuse to engage in a manner that engenders discussion then you don’t have a conversation, you have a battle. In battles the only people that win are the arms manufacturers.

The second type of behaviour is where people represent themselves as “individuals” but start broadcasting what can only be described as advertisements for the products that the company they work for sells. Now this is a fine line, as you’d expect people to be interested in and excited about the products that the company they work for sells. But when it is done across a whole group of employees, and sometimes with a common message/format, then it really starts to smell bad. Even worse when people tweet info and then add a link to some sales website or their company twitter handle when the content of the tweet isn’t about that! It’s like they are branding their tweets! But when they then refuse to engage on the marketing-type tweets to clarify details (possibly because some of the marketing bs is actual bs?) it gets really irritating.

The problem.

Well, my real issue is that the response I want to give to tweets of the second type would just make me an asinine tweeter of the first type. Keeping it real and respecting myself involves not walking either of these two paths. And that’s tricky. Not to mention frustrating! This is why I don’t want to name names; it’s just behaving like a spoilt brat and isn’t doing anyone any favours. Don’t be evil!

My solution – not “the” solution

I believe that I shouldn’t take myself too seriously; it’s one of the reasons I still keep the ridiculous twitter image that I have whilst pretty much all those that I engage with have sensible portraits. It reminds me not to think overly of my skills, abilities or influence, as I’m just a silly looking guy whose biggest achievement was becoming a father. Remembering what is important and valuable to me then drives my behaviour. Yes, I’ll post this up to vent a little, but the anti-social social media that winds me up, hopefully you won’t see that coming from this direction. 🙂

Seriously, don’t take yourself too seriously. Photo was taken at my son’s 1st birthday party.

ABAP Code Naming Conventions

Ok, you can probably guess that I’m not the most conventional person. I probably don’t fit the mould of the stereotypical developer either. I’m certainly not what one would call an introvert.

So please take this with the necessary pinch of salt (especially if you’re one of the people who writes the code naming conventions that I have to follow from time to time 😉 ).

[image: A pinch of salt required]

<rant>

Why on earth does every SAP project I go to insist on such inane naming standards for the code? The SAP editor is a wonderful IDE (caveat I did not say it was the best IDE) that allows you to see the definition of any variable with a simple double click – so why on earth are you so worried that I should prefix all my local variable definitions with an ‘l’? What on earth potential benefit can this have on the code readability? Perhaps it helps if you’re still one of my nemesis developers who are passing all your variables between methods through the use of global variables and/or singletons. Perhaps one needs to look at a piece of code, see lots of l’s and that gives satisfaction? The use of Hungarian Notation in ABAP code seems to be universal, although never it seems implemented in the same way.

Then when I define a structure, I must prefix it with an “S” just so you can be sure that it isn’t actually a table or a single field, or so help me, a woolly mammoth. When I look in the IDE view of the package I am developing, all of these different things are arranged in a tree so you can easily tell one from the other. Again a single double-click can bring me to the definition if it is ever referred to in a piece of code. Perhaps it might save some time looking at a variable definition to see if it is a table, a structure, object reference or a variable – but if I’m in the code, it should be pretty damn obvious! If I’m appending or inserting into it, it’s a table. If I’m referencing a sub-field of it, it’s a structure. If I’m assigning a value to it, it’s a variable; if I’m creating an instance of it, it had better be an object reference. Then again, there may be cases of my nemesis developers still using tables with header lines and confusing the heck out of me. But I’m hoping that the code inspector might weed at least that out.

Searching outside of the SAP world the use of Hungarian Notation within code is not universally disliked, but with such a clear list of disadvantages and such luminaries as Uncle “Bob” Martin and Linus Torvalds against it, you’d have to proclaim yourself a pretty die-hard supporter of “doing it the old way” not to just think a little – “is this really useful? Or is it even potentially bad?”.

Then there comes the requirement that every object should reference the area of use it is intended for. Thus the fourth and fifth characters of the object name must be “HR” or “PA” or “XX” or whatever. The use of Positional Notation for implicit metadata about a component is, however, not something I’ve seen outside of SAP projects except for the COBOL example given in the linked Wikipedia page. At this point when reading the naming convention guide, I casually check if there is any mention of packages and package hierarchies and hope upon hope, package interfaces. When there isn’t, I sigh again and just bite my tongue again. Because SAP has provided a wonderful way of helping us see what use a component is put to – as every component must belong to a package, and that package can (and should) have an application component defined. And to give even more clarity, the package can have a super-package, thus grouping all like components together, whatever types they are and wherever in their object names they have a ridiculous two character code. The package interface can even tell you if the object is safe for use outside of the package. What a great concept!

So instead of spending time thinking about whether the components we are building are truly reusable, and what the scope of that reuse is, we spend hours checking if we have the first n characters of our objects correct according to the development standard book.

</rant>

One day someone will be silly enough to let me do it my way, I’ll confuse the bejeebers out of all the guys who’ve only been coding ABAP badly for the last 10 years and the project will potentially fail because I’ll spend my entire time looking for enough of a development team that can understand that following a rigid way of doing things isn’t always the best way to do it…. <sigh>

Elasticity

[three equation images]

(Hooke’s Law for expressing elasticity of an object in various degrees of complexity)

The equations above get pretty complex pretty quickly! And that’s when we deal with equations that have been known about for hundreds of years. When we start using elasticity to describe cloud computing, it gets even worse.

The topic was brought up the other day when I was looking at purchasing some space on the SAP HANA Cloud to run an application that we’re developing in-house. I was checking the price for this.

http://scn.sap.com/thread/3350483

I got quite confused.

Then the conversation moved to twitter and we started discussing not just the price of going to the cloud but also how it should be priced. And then even onto how it could be made multi-tenant (which is a bit beyond the scope of this post, but it was interesting nevertheless).

I think the conversation is worth preserving so I’ve made a copy of it with a little help from Aaron’s Twitter Viewer and a lot of cutting and pasting so I could do without the CSS (if anyone knows how to add custom CSS to a single WordPress post, I’d be interested.)

Have a read, it’s not a bad collection of thoughts, and interjections (by the one and only Dennis H) and I’ll recap on my thoughts at the end:

wombling (Chris Paine), 2 days ago, 1 retweet:
Feeling slightly confused by SAPStore pricing for #saphanacloud if you understand it pls help me scn.sap.com/thread/3350483

rhirsch (Dick Hirsch), 2 days ago:
@wombling compare price to other #saphanacloud packages in #sapstore – all have similar structure

wombling (Chris Paine), 2 days ago:
@rhirsch I understand the free ones but still confused what calculation is for rest, why show pm price when only pa purchase possible?

rhirsch (Dick Hirsch), 2 days ago:
@wombling a good question for #sapstore and #saphanacloud team – another reason to always read the small print

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@rhirsch @wombling it will get rationalized soon . @aiazkazi has plans for it

rhirsch (Dick Hirsch), 2 days ago:
“@vijayasankarv: @rhirsch @wombling it will get rationalized soon . @aiazkazi has plans for it” >> hope you guys are working on cloning him

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@rhirsch @wombling hehehe @aiazkazi is one of a kind – but he has a team behind him too to help with scale 🙂

vlvl (Yariv Zur), 2 days ago:
@vijayasankarv @rhirsch @wombling @aiazkazi Pricing is presented as PM because this is how it was defined in official price list (cont)

vlvl (Yariv Zur), 2 days ago:
@vijayasankarv @rhirsch @wombling @aiazkazi (cont) however min. Contract length for all cloud subscriptions is 1 yr. hence the mess.

wombling (Chris Paine), 2 days ago:
@vlvl @vijayasankarv @rhirsch @aiazkazi certainly not the clearest situation. But then again probably simpler than onPrem pricing

esjewett (Ethan Jewett), 2 days ago:
@wombling @vlvl @vijayasankarv @rhirsch @aiazkazi Minimum 1-year subscriptions are not very cloudy. Are add-on resources more flexible?

wombling (Chris Paine), 2 days ago:
@esjewett @vlvl @vijayasankarv @rhirsch @aiazkazi had one potential customer only needed 3-4 months every yr. They didn’t sign up 🙁

wombling (Chris Paine), 2 days ago:
@esjewett @vlvl @vijayasankarv @rhirsch @aiazkazi cloud ideal for flexibility, but not so much in this case

esjewett (Ethan Jewett), 2 days ago, 1 retweet:
@wombling @vlvl @vijayasankarv @rhirsch @aiazkazi Really, I’d argue that it’s not even cloud if it requires a 1-year commitment. Hosting.

wombling (Chris Paine), 2 days ago:
@esjewett @vlvl @vijayasankarv @rhirsch @aiazkazi different times for use-cases SuccessFactors 3yr contract. But wld like more flexible PaaS

esjewett (Ethan Jewett), 2 days ago:
@wombling @vlvl @vijayasankarv @rhirsch @aiazkazi Indeed, but for IaaS and PaaS I’d argue “cloud” involves elasticity. The NIST agrees 🙂

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @wombling @vlvl @rhirsch @aiazkazi other than on iaaS (rhymes with aiaz) , I doubt perfect elasticity will happen for any vendor

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi Every PaaS I’m aware of provides it. Elastic Beanstalk, Heroku, CloudBees come to mind.

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @wombling @vlvl @rhirsch @aiazkazi maybe PaaS will get there too at some point , but seriously doubt SaaS will

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi Agree though that it’s not as key for applications. But we’re talking about PaaS, I think?

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @wombling @vlvl @rhirsch @aiazkazi PaaS ideally should have no lock in – just a question of how much scale justifies it

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett @vlvl @rhirsch @aiazkazi GApps, Azure, CloudBees PaaS are monthly, why not #saphanacloud?

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling @esjewett @vlvl @rhirsch @aiazkazi elasticity is definitely something on top of the agenda . Question – is monthly good enough?

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett @vlvl @rhirsch @aiazkazi Simple fixed CPU/data monthly makes sense, more elastic, then GApps style usage payment

dahowlett (Dennis Howlett), 2 days ago:
@wombling Isn’t the fundamental qu something like: ‘Why does #SAP find it necessary to invent new ways to confuse?

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi Daily or hourly would be better, but one step at a time.

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi Each decrease in granularity enables different scenarios. E.g. daily helps w/ month-end.

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @wombling @vlvl @rhirsch @aiazkazi what is your absolute best case granularity ? And is monthly a good enough alternative ?

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett best case is on demand pay as you use eg cloud.google.com/pricing/ low base price (monthly) then as needed – elastic

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi Hourly is kind of industry standard, though monthly is fairly common for PaaS.

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi With PaaS, the case could be made for value in even more granular metering than hr.

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling @vlvl @rhirsch @aiazkazi But I’d say if you can get it to hourly that’d be great.

vlvl (Yariv Zur), 2 days ago:
@esjewett @vijayasankarv @wombling @rhirsch @aiazkazi one more point – full elasticity is good for techies but hard on the CFO. (Cont)

vlvl (Yariv Zur), 2 days ago:
@esjewett @vijayasankarv @wombling @rhirsch @aiazkazi they need the ability to forecast expenses. So for DEV we have full elasticity (free!)

vlvl (Yariv Zur), 2 days ago:
@esjewett @vijayasankarv @wombling @rhirsch @aiazkazi for PROD you pay in advance for 1 yr, becoming acceptable for CFO #hanacloudportal

esjewett (Ethan Jewett), 2 days ago:
@vlvl @vijayasankarv @wombling @rhirsch @aiazkazi Good point, and I think makes sense for apps but not for the PaaS itself.

vlvl (Yariv Zur), 2 days ago:
@esjewett @vijayasankarv @wombling @rhirsch @aiazkazi PaaS is for running apps. “How much is the new supplier portal gonna cost me?”

esjewett (Ethan Jewett), 2 days ago:
@vlvl @vijayasankarv @wombling @rhirsch @aiazkazi But usually PaaS is for dev to run apps. SAP’s take seems to be that cust manages PaaS.

vlvl (Yariv Zur), 2 days ago:
@esjewett @vijayasankarv @wombling @rhirsch @aiazkazi IT manages PaaS, but the app is for the cust. Not for the DEV guy 🙂

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @vlvl @wombling @rhirsch @aiazkazi there are 2 broad uses – 1. custom development by a customer for their use and ..

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @vlvl @wombling @rhirsch @aiazkazi ..and 2. An ISV or developer building something for selling to others. different needs for them

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett @vlvl @rhirsch @aiazkazi and don’t forget customers with seasonal/fluctuating demand. (Repeating myself, sorry)

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling @esjewett @vlvl @rhirsch @aiazkazi yes agreed – needs to be solved absolutely, either at IaaS level and/or at PaaS level

rhirsch (Dick Hirsch), 2 days ago:
@vijayasankarv @wombling @esjewett @vlvl @aiazkazi 2 sides to consider — shop & platform – both need to support diff models

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @vlvl @wombling @rhirsch @aiazkazi Exactly. Much clearer than me :-). I hope SAP covers both. Right now, focus seems on #1.

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @vlvl @wombling @rhirsch @aiazkazi which brings up multi tenancy topic . Do u expect it as platform feature or leave it to apps?

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @vlvl @wombling @rhirsch @aiazkazi Yeah, very good point. Too complicated for twitter, and I need to sleep 🙂

wombling (Chris Paine), 2 days ago:
@vijayasankarv whilst @esjewett is sleeping 😉 how do you think from a PaaS viewpoint multi-tenancy could be delivered as a feature? (cont)

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett (cont) by building into the security/roles/authorisations of standard IDM solution? Extend to social login?

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling that could be a solution. but fundamentally a principle need to be agreed whether platform needs to even support multitenancy

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling it could also be that apps might want control of how to implement multitenancy without platform dictating it

wombling (Chris Paine), 2 days ago:
@vijayasankarv The worry is leaving it to app developers means potential embarrassment < but at least app developers fault not SAP!

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling it is like C++ and Java 🙂 I didnt like java for a long time thinking it took away my ability to fully control what I am building

wombling (Chris Paine), 2 days ago:
@vijayasankarv Be glad you never had to code Web Dynpro Java then 😉 Or if you did, then I can see yr point very well

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling I was already out of full time dev role by the time WD was widely used – but yes, did a little bit when it came out

esjewett (Ethan Jewett), 2 days ago:
@wombling @vijayasankarv If SAP is going to certify apps as multi-tenant, it’s going to require a manual audit. No pure tech solution.

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@esjewett @wombling rather left field question – do u think a model where apps are not certified by platform provider is feasible ?

wombling (Chris Paine), 2 days ago:
@vijayasankarv @esjewett feasible yes, q: is the value to partner to have SAP logo stamped onto app worth the investment? probably yes

esjewett (Ethan Jewett), 2 days ago:
@vijayasankarv @wombling Sure, but then customer has to trust app dev. You can provide tools, but no way to guarantee data isn’t mixed.

vijayasankarv (Vijay Vijayasankar), 1 day ago:
@esjewett @wombling not a lot a platform provider can really certify beyond some minimum things like ” won’t crash, meets usability reqs” 🙂

esjewett (Ethan Jewett), 1 day ago:
@vijayasankarv @wombling Yup. Multi-tenancy is not offered by any PaaSes as far as I know.

wombling (Chris Paine), 2 days ago:
@vijayasankarv partners will build multi-tenancy solutions (I’m trying now) but social login means can’t leverage IDM solution anyway

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling yes – but do you think a hybrid of social login and traditional MDM can solve it elegantly?

wombling (Chris Paine), 2 days ago:
@vijayasankarv personally I find that too many frameworks complicate solutions rather than making them easier. Eg what happened to SOAP

vijayasankarv (Vijay Vijayasankar), 2 days ago:
@wombling 100% agree – and that is at least partly because very few developers think highly of other developers IMO. Too quick to dismiss 🙂

wombling (Chris Paine), 2 days ago:
@vijayasankarv still, would not be surprised if logic to allow multi-tenancy was delivered as is natural extension of current user mgt

esjewett (Ethan Jewett), 2 days ago:
@vlvl @vijayasankarv @wombling @rhirsch @aiazkazi That’s what I mean by different. Not sure if it’ll work, or the implications. Interesting.

esjewett (Ethan Jewett), 2 days ago:
@vlvl @vijayasankarv @wombling @rhirsch @aiazkazi Though, SAP seems to take a diff approach to PaaS than other PaaSes. Need to think on it.

rhirsch (Dick Hirsch), 2 days ago:
@wombling related question would be if whether all the plumbing is there to deal with subscriptions #saphanacloud
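The exchange above lands on whether multi-tenancy belongs in the platform or in the app, and on Ethan Jewett’s point that tooling can help but cannot guarantee data isn’t mixed. As an added example, not part of the conversation and not SAP’s platform or any IDM product’s API, here is the shape of the app-side control: a data-access layer whose every query is scoped by the tenant asserted at login, with no method that takes a tenant id from the request, plus a request guard that refuses and logs any mismatch between the tenant named in a request and the authenticated one. Tenant names, users and keys are constructed.

```python
"""Tenant isolation enforced in the application's data-access layer.
Added illustration for the multi-tenancy exchange above; constructed, not a
platform API of SAP HANA Cloud or of any identity management product."""
from dataclasses import dataclass


class TenantViolation(Exception):
    """A request named a tenant other than the one the caller is logged in to."""


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str   # asserted by the identity provider at login, never taken from the request


@dataclass(frozen=True)
class Row:
    tenant: str
    key: str
    value: str


class TenantScopedStore:
    """Every read and write is filtered by the principal's tenant.  No method
    accepts a tenant id from the caller, so app code cannot widen the scope
    by mistake."""

    def __init__(self):
        self._rows = []
        self.audit = []   # refused requests, for monitoring

    def put(self, who: Principal, key: str, value: str) -> None:
        self._rows.append(Row(who.tenant, key, value))

    def get(self, who: Principal, key: str):
        for row in self._rows:
            if row.tenant == who.tenant and row.key == key:
                return row.value
        return None   # another tenant's key is indistinguishable from a missing key

    def keys(self, who: Principal):
        return sorted(row.key for row in self._rows if row.tenant == who.tenant)

    def handle_request(self, who: Principal, requested_tenant: str, key: str):
        """Endpoints that carry a tenant id in the URL or body must check it
        against the authenticated tenant; a mismatch is refused and logged,
        never served from the requested tenant."""
        if requested_tenant != who.tenant:
            self.audit.append((who.user, who.tenant, requested_tenant, key))
            raise TenantViolation(f"{who.user}@{who.tenant} asked for tenant {requested_tenant}")
        return self.get(who, key)


def demo():
    """Constructed scenario: two tenants sharing one store."""
    store = TenantScopedStore()
    alice = Principal("alice", "acme")
    bob = Principal("bob", "globex")
    store.put(alice, "portal.title", "ACME supplier portal")
    store.put(bob, "portal.title", "Globex supplier portal")
    outcome = {
        "alice_sees": store.get(alice, "portal.title"),
        "bob_sees": store.get(bob, "portal.title"),
        "bob_cross_tenant": None,
    }
    try:
        store.handle_request(bob, "acme", "portal.title")
    except TenantViolation:
        outcome["bob_cross_tenant"] = "refused"
    outcome["audit_entries"] = len(store.audit)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The two properties worth carrying into a real design are that the tenant comes from the authenticated principal rather than from anything the client sends, and that a cross-tenant lookup is indistinguishable from a missing key, so one tenant cannot probe for another’s data. The audit list is where a monitoring hook belongs; repeated TenantViolation entries from one user are the signal to look at.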

 My thoughts

A couple of days later my question has been answered on SCN, but I’ve also had a few moments to think about this.

Drinking your own Champagne

Firstly, to my own need for a productive license to some very minimal use of the SAP HANA Cloud.

With the reasonably low price point that SAP is putting on Cloud Partner status, it certainly seems that they are trying to attract small companies to develop content for them. If you add to this the “we drink our own champagne” marketing message that has been broadcast very well by the ex-CIO, there is an obvious marketing proposition.

If companies that signed on as partners for SAP then submitted an application to the SAP Store for resale, they could be allowed to use it productively themselves, they would have an excellent sales pitch “we drink our own champagne”. A limit on the sizing of the used solution might be in order (but probably wouldn’t be an issue with small companies), but it would be very cool for small companies to do this. It would certainly encourage companies like the one I work for to go the extra step of putting the application into the SAP Store. A win for both the developers and SAP.

Annual fixed storage/cpu isn’t elastic, isn’t cloudy for a PaaS

Probably the clearest idea in the thread above is that PaaS shouldn’t be billed annually. Where we are talking SaaS (like Yariv Zur’s SAP HANA Cloud Portal (which is kinda SaaS and PaaS, but I’d argue definitely both)) then there is a different view, but for a PaaS, the beauty of the solution is in its ability to scale up as demand dictates.

I was talking to BCO6181 – Tony de Thomasis’ uni course this evening about the use case where you have a wonderfully capable server that has 10 CPUs running at 1-2% utilisation all year. And you have a policy that no-one gets a pay rise unless they complete their annual performance review. Guess what, on the afternoon before the cut-off, the system is running at 100% capacity and people are complaining about how slow and poor performing it is. In the cloud you shouldn’t have to deal with that. But if you have to buy your cloud compute units annually, you are going to be in exactly the same space.
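As an added illustration of the capacity argument above (constructed numbers, not SAP’s prices or anyone’s real workload): a year of hourly demand that idles at a fifth of a CPU and then needs ten CPUs for the last four hours before the cut-off, priced under annual fixed provisioning and under hourly elastic provisioning at an assumed flat price per CPU-hour.

```python
"""Why annual fixed capacity is not elastic: a constructed year of demand
(near-idle, then a spike the afternoon before the performance-review cut-off)
priced under fixed annual provisioning and under hourly elastic provisioning.
Added illustration; the numbers are made up, not SAP's prices."""
import math

HOURS_PER_YEAR = 365 * 24


def demand_profile(baseline_cpus=0.2, peak_cpus=10.0, peak_hours=4):
    """CPUs needed per hour: the server idles all year at a fraction of one CPU
    and needs ten for the last few hours before the deadline."""
    profile = [baseline_cpus] * HOURS_PER_YEAR
    for hour in range(HOURS_PER_YEAR - peak_hours, HOURS_PER_YEAR):
        profile[hour] = peak_cpus
    return profile


def fixed_annual(profile, cpus, price_per_cpu_hour):
    """Buy a fixed number of CPUs for the whole year.  Demand above that is
    simply not served (the users complaining the system is slow); demand
    below it is paid for but idle."""
    return {
        "cost": cpus * HOURS_PER_YEAR * price_per_cpu_hour,
        "unserved_cpu_hours": sum(max(0.0, d - cpus) for d in profile),
        "idle_cpu_hours": sum(max(0.0, cpus - d) for d in profile),
    }


def elastic_hourly(profile, price_per_cpu_hour, min_cpus=1):
    """Pay each hour for the whole CPUs actually needed, with a small always-on
    base (the 'low base price then as needed' model from the thread)."""
    billed = [max(min_cpus, math.ceil(d)) for d in profile]
    return {
        "cost": sum(billed) * price_per_cpu_hour,
        "unserved_cpu_hours": 0.0,
        "idle_cpu_hours": sum(b - d for b, d in zip(billed, profile)),
    }


def compare(price_per_cpu_hour=1.0):
    """Three ways of buying capacity for the same constructed year."""
    profile = demand_profile()
    return {
        "sized_for_peak": fixed_annual(profile, 10, price_per_cpu_hour),
        "sized_for_average": fixed_annual(profile, 1, price_per_cpu_hour),
        "elastic": elastic_hourly(profile, price_per_cpu_hour),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} cost={result['cost']:>9.1f} "
              f"unserved={result['unserved_cpu_hours']:.1f} "
              f"idle={result['idle_cpu_hours']:.1f}")
```

With the price set to 1.0 per CPU-hour, sizing for the peak costs 87,600 and idles almost all year, sizing for the average costs 8,760 but leaves 36 CPU-hours unserved in exactly the hours that matter, and the elastic model serves the peak for 8,796. The shape, not the numbers, is the point: with annual units you choose between paying for the peak all year and failing on the afternoon it arrives.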

On the plus side, it looks as if this might be addressed soon. I really hope so, as I see a big potential for SAP HANA Cloud to be the next big thing in enhancing SAP’s cloud SaaS solutions, but if it’s just a glorified hosting arrangement, then it starts to lose some of that PaaS shine.

Thanks to all those who posted their thoughts publicly for me to capture in this blog. I hope you don’t mind me reposting, let me know if you’d like anything redacted.