- What are Homogenous system copy and Heterogeneous system copy and how you will do that?
- How to import the OSS notes?
- What is OCS and How to apply OCS Patches ?
- What is Transport domain and Domain controller?
- Why do we need to apply support package thru client 000? Why can't we do it thru some other client?
- What is Consolidation route and delivery routes?
- How to define Logon groups? And what is Logon load balancing?
- For an ABAP only system, do we have to SSL?
- What is the procedure involved in doing a system-copy?
- How to handle the situation where-in SAP* isn't available?
- What is the difference between Synchronous and asynchronous transports?
- How to configure regular transactions such as MM01 to view archived data?
- How to set the trace level for file dev_rd?
- How to increase tables space, resizing, backups and in what situation are these done?
- How to schedule background jobs at OS level?
- How to define instances and operation modes?
- How to trace the user who moved the transport request from DEV to QUA?
- Explain the upgrade process.
- What is the information derived from OSS notes?
- What is the procedure to lock a client?
- What is the procedure to delete a client?
- What is the importance of early watch client?
- What are the steps to configure TMS?
- How to prevent other users to send mails from SAP?
- What is transport domain?
- How to determine the authorization a user-required for executing particular transaction(s)?
- What is the difference between Set deletion flag and set deletion indicator?
- What is SAPS?
- What is the database backup strategy?
- What is the procedure to apply Patches?
- What are the .sca files and their importance?
- What is the importance of the clients 000,001 and 006?
- How to monitorUser accessed transactions (Tcode) day wise?
- What are common transport errors?
- If a background job runs more than the time it should be completed normally then what are the actions to be performed?
- What are the differences between application server and central instance?
- How to make security authorization reports?
- What SAP tools you use to install SAP patches?
- What JAVA tools to install JAVA Patches?
- What is early watch report?
- Why https is considered safer than http?
- What is supplementation language?
- ABAP Service Pack level can be found in SPAM, but how to find the Java Stack Level?
- How to install multiple Central Instances on the same physical machine?
- What is the relevance of the Deletion Flag/Indicator in the archiving process?
- Can SAP Patches be installed when other users are online?
- What is the importance/need of Virtual system?
- How to transport users from one client to another?
- What are the differences between system refresh and client refresh?
- How to know whether a system is Unicode or non Unicode?
How to Earn Rs.25000 every month in internet without Investment?
BASIS Interview Questions
ABAP Classes in Workflow
1. ABAP Classes and Business Workflow:
We can use ABAP classes in the definition and runtime components of SAP WebFlow Engine in the same way as object types defined in the Business object Repository (BOR).
Before proceeding further we need to know where to create and maintain ABAP Classes and ABAP Interfaces.
2. What is Class Builder and its purpose?
The Class Builder allows us to create and maintain global ABAP classes and interfaces. Both of these object types, like global data types, are defined in the ABAP Repository, thus composing a central class library. Together, they form a central class library and are visible throughout the system. We can display existing classes and interfaces in the class library using the Class Browser.
We can define local classes as well as global classes. They are defined locally in programs, function groups or as auxiliary classes of global classes of the class pools. Local classes are only visible within the defining module.
ABAP classes are processed using the Class Builder.
3. How to reach Class Builder?
To reach the initial screen of the Class Builder, choose Development à Class Builder from the initial screen of the ABAP Workbench or enter transaction code SE24.
4. How does it integrate?
The Class Builder allows us to create Web development objects within the ABAP Workbench. We can use the Class Browser to display and maintain existing global object types from the class library.
The diagram below illustrates the architecture of the Class Builder and the relationships between its components (including the Class Browser)
From here, we can either display the contents of the class library or edit a class using the Class Editor. Once we have defined an object type, we can implement its methods. From the initial screen or the Class Editor, we can also access the Class Builder’s test environment. We can define the object types immediately after implementing the method in the ABAP Editor. It is also possible to access the test environment from the initial screen or Class Editor.
5. How to use the Class Builder?
Use the Class Builder to:
-
Display an overview (in the Class Browser) of global object types and their relationships.
-
Maintain existing global classes or interfaces.
-
Create new global classes and interfaces.
-
Implement inheritance between global classes.
-
Create compound interfaces.
-
Create and specify the attributes, methods, and events of global classes and interfaces.
-
Define internal types in classes.
-
Implement methods.
-
Redefine methods.
-
Maintain local auxiliary classes.
-
Test classes or interfaces in a simulated runtime environment.
6. What are the constraints?
We cannot define object types on the basis of graphical object modeling.
7. Note before creating global classes and interfaces:
Global classes and interfaces that we create in the Class Builder are stored in the class library and administered by the R/3 Repository: they therefore have the same namespace as all other Repository objects. It is therefore necessary to have naming conventions for object types and their components and to use them uniformly within program development.
8. Naming Conventions in ABAP Objects:
The following naming convention has been conceived for use within the SAP namespace. If we do not observe the naming conventions for object types (classes and interfaces), conflicts will occur when the system creates persistent classes, since it will be unable to generate the necessary co-classes.
9. Conventions for Object Types:
Class in the class library | CL_ |
Interfaces in the class library | IF_ |
Local classes in programs | LCL_ |
Local interfaces in programs | LIF_ |
10. Conventions for Components:
Method name | |
Events | |
Local type definitions within a class | TY_ |
Data definitions (variables) | |
Data definitions (constants) | CO_
|
11. Local Conventions within Methods:
For parameters:
IMPORTING parameters | IM_ |
EXPORTING parameters | EX_ |
CHANGING parameters | CH_ |
RESULT | RE_ |
12. Using ABAP Classes in Workflow:
Within the SAP WebFlow Engine we can use ABAP classes that support the IF_WORKFLOW interface. Classes that have implemented the IF_WORKFLOW interface are recognized as workflow-enabled in the Class Builder.
13. How to create ABAP Classes that support IF_WORKFLOW interface?
- Go to transaction SE24 and create a customized class.
- Next the pop up appears where we need to mention the detail as follows:
- Save it and the class is created.
- Now the class is to implement IF_WORKFLOW interface. For this go to the tab and declare the IF_WORKFLOW as the interface there and press Enter; two sub-interfaces appear: BI_OBJECT and BI_PERSISTENT. Save the Class.
- The ZCL_TEST class now contains the existing methods of IF_WORKFLOW interface.
The key attributes are used to define the object key. There can also be other defined attributes other than key attributes. The SAP WebFlow Engine can access all public attributes of a class.
Key Attributes:
In the Class Builder there is an additional column Key Attributes on the tab page as shown below:
We need to check this box when we are defining any attribute as the Key Attribute.
All key fields must be character-type fields (elementary types: CHAR, NUMC) and have a defined length. The maximum length allowed for all key fields is 32 characters. The length of the key field for the persistent display is 32 characters.
In the case of persistent ABAP objects we can use the GUID, which is generated automatically by the object manager when an instance is created.
Attributes:
In addition to all the other data types that the Class Builder supports, we can also define attributes with reference to an object from the Business Object Repository (BOR). To do this, we have to use the structure SWOTOBJID as the data type. The BOR object is determined using the corresponding value.
To assign a BOR object instance to an attribute we need to use the corresponding BOR macros. Normally, this is implemented within the CONSTRUCTOR of a class.
To use the BOR macros in a class, two INCLUDES must be included.
Ø Include
Ø Include
11. Local Conventions within Methods:
For parameters:
IMPORTING parameters | IM_ |
EXPORTING parameters | EX_ |
CHANGING parameters | CH_ |
RESULT | RE_ |
12. Using ABAP Classes in Workflow:
Within the SAP WebFlow Engine we can use ABAP classes that support the IF_WORKFLOW interface. Classes that have implemented the IF_WORKFLOW interface are recognized as workflow-enabled in the Class Builder.
13. How to create ABAP Classes that support IF_WORKFLOW interface?
- Go to transaction SE24 and create a customized class.
- Next the pop up appears where we need to mention the detail as follows:
- Save it and the class is created.
- Now the class is to implement IF_WORKFLOW interface. For this go to the tab and declare the IF_WORKFLOW as the interface there and press Enter; two sub-interfaces appear: BI_OBJECT and BI_PERSISTENT. Save the Class.
- The ZCL_TEST class now contains the existing methods of IF_WORKFLOW interface.
The key attributes are used to define the object key. There can also be other defined attributes other than key attributes. The SAP WebFlow Engine can access all public attributes of a class.
Key Attributes:
In the Class Builder there is an additional column Key Attributes on the tab page as shown below:
We need to check this box when we are defining any attribute as the Key Attribute.
All key fields must be character-type fields (elementary types: CHAR, NUMC) and have a defined length. The maximum length allowed for all key fields is 32 characters. The length of the key field for the persistent display is 32 characters.
In the case of persistent ABAP objects we can use the GUID, which is generated automatically by the object manager when an instance is created.
Attributes:
In addition to all the other data types that the Class Builder supports, we can also define attributes with reference to an object from the Business Object Repository (BOR). To do this, we have to use the structure SWOTOBJID as the data type. The BOR object is determined using the corresponding value.
To assign a BOR object instance to an attribute we need to use the corresponding BOR macros. Normally, this is implemented within the CONSTRUCTOR of a class.
To use the BOR macros in a class, two INCLUDES must be included.
Ø Include
Ø Include
Enabling security audit alert in CCMS
In this blog I'll show how to configure security audit alerts in CCMS, with security audit alerts you can keep close eye on security related issues of your system.
Following is step by step approach to enable security audit alerts in CCMS
- Goto RZ20->SAP CCMS Monitoring Templates and copy Security template to your custom monitoring node (if you configured any), refer to above mention blog for reference.
- To enable alerts in CCMS you need to activate security audit in your system.
- Goto SM19 -> dynamic configuration.
- Select Audit Class for alerts like "Dialog logon", "RFC/CPIC logon", "RFC call" etc.
- Chose Events when you want alert:
- All: on all events
- Severe and Critical: only for important and critical events.
- Only Critical: you want alert only for critical events.
- Click on "Detail configuration" to see detail of important, critical and non-critical events.
- Activate configuration (don't forget to click on "Filter Active" checkbox).
- Goto CCMS and security template and refresh it now.
Other important transactions related to Security Audit:
- - SM18 - delete old audit logs
- - SM20 - analysis of audit log.
Will a Customer Get Support When Recompiling the Linux kernel or Using 3rd-party Software that Modifies It?
Usually there should be no need for recompiling the Linux kernel when using SAP software on Linux, since the supported Linux distributors are shipping optimized kernels for the respective hardware architectures with revised and tested drivers. Any modification to the tested environment would furthermore make it nearly impossible for the Linux distributor to track a problem down. The same applies to 3rd party software that modifies the Linux kernel and is distributed only in a closed, binary-only, way. Therefore the following can't be supported: If you already are an SAP customer, you can also have a look at SAP note 784391 (login required) for further, more detailed, information.
Is Linux Supported as a Front End Platform?
The "SAPGUI for the Java Environment" can be downloaded from the SAP ftp servers. This project (formerly known as PlatinGUI - platform independent GUI) started in spring 1998 with the following objectives:
Where Do I Get Support?
Support of SAP solutions on Linux meets the same high standards as for any other platforms. SAP is offering installation and migration tools and paths, and support staff trained for SAP on Linux matters. For porting and highly technical issues, SAP has the SAP LinuxLab, where hardware and software partners are working closely together to “bring you the best SAP on Linux experience". Standard SAP support covers SAP related problems as on other platforms too. During message processing, if the problem turns out to be caused by a non-SAP part of the installation/system, it might become necessary to involve further expertise, as of the hardware- or software partner and its support organization. Therefore it is strongly recommended for SAP customers, running SAP software on the Linux platform, to maintain a support contract for both, hardware and operating system, so a seamless support process chain can be ensured. Support for the operating system can either be covered directly by the vendor itself, like Red Hat or Novell/SUSE, or by a 3rd party company offering equivalent support, like all our Linux hardware partners do in combination with their products. Our Linux hardware and our database partners provide the same degree of support for Linux with their products as they already do for the respective Unix - if the necessary support contracts are given. Red Hat and SUSE offer direct operating system support contracts as well. Please get in contact with your hardware or software vendor for more information. This practice helps all involved parties to solve any possibly arising problem as fast as possible. If the support coverage is incomplete, it can lead to avoidable delays in problem solving - and please keep in mind: extraordinary expenses by SAP or our partners, caused by missing support coverage, may get billed to the customer afterwards!
What Are the Main Reasons for SAP Customers Choosing Linux?
Each SAP customer has a unique set of reasons for running SAP on Linux, depending on the very specific customer's SAP scenario. Among many reasons customers decide for Linux as the operating system of choice, because they seek increased:
How Many SAP Customers are Using the Linux Operating System?
Right now, there are more than 5000 (DB-) installations.
Is there a Different Price for SAP Business Suite for Linux?
Standard pricing for SAP Business Suite applies also to SAP Business Suite on Linux.
Where Can I Get Linux for SAP Business Suite?
Linux distributors like Debian, Mandrake, Red Hat or SUSE offer Linux together with a set of other software packages, installation routines, documentation and support. Whereas there is a de facto standard for the Linux kernel itself, the distributions differ in other areas, especially in the administration area.
Where Can I Get the SAP Business Suite on Linux?
You can order the SAP Business Suite on Linux just like SAP software on any other platform. If you are a SAP customer already, there will be no additional charges. From Release 4.6 onward, the SAP Business Suite on Linux is part of the standard delivery.
What Does "SAP NetWeaver on Linux" Mean?
SAP is the market leader of inter-enterprise software solutions with the world's largest enterprise software customer base. SAP has more than 10 million licensed users, more than 20,000 installations in more than 100 countries and supports 28 different languages. More than half of the world's top 500 companies use SAP software!
SAP supports the SAP Business Suite in a productive environment under Linux. This also includes the database server (IBM DB2/UDB, Informix, Oracle and SAP DB/MaxDB) as well as the application server and the front end. You can run SAP on Linux in homogeneous and heterogeneous environments. The SAP Business Suite is running upon the SAP NetWeaver, which includes components like the SAP Web Application Server or the SAP Enterprise Portal.
What Role Does SAP Play in the Open Source Scene?
We are supporting Open Source when it comes to Linux as an operating system or MaxDB (formerly Adabas/D or SAP DB) as a database. In fact, back in 1999, we were the first business software provider to support Linux as an operating system for running SAP solutions. We work closely with the Linux distributors and our partners to ensure our solutions work smoothly on Linux. Our main focus with SAP on Linux is helping our customers build the IT environment that is right for them. More and more customers are requesting help with SAP on Linux. And we are there to provide them with the high quality support they expect from SAP.
What is the SAP LinuxLab?
The SAP LinuxLab assists in the releasing of SAP software on Linux and drives the porting of SAP software to new platforms, like the Intel Itanium or IBM Power PC. Furthermore it helps other SAP departments with developing on and for the Linux platform and processes Linux-specific support problems - internal ones, as of external - or forwards them to the appropriate hardware or software partner. Currently, developers from AMD. Bull, Dell, Fujitsu-Siemens, HP, IBM, Intel, Novell/SUSE, RealTech, Red Hat, SAP, SUN and a number of temporary "guests" share the same rooms in the LinuxLab. Despite our hardware partners being competitors, the cooperation is excellent and we had a number of very successful projects. The LinuxLab also closely cooperates with (and is located directly next to) SAP's Server Infrastructure department, which is responsible for the development of the SAP kernel, the basis layers on top of the native operating systems, which make SAP's business applications platform independent.
Why Does SAP Support Linux?
SAP's goal is to be able to provide its customers the maximum of flexibility to create the best IT environment for their needs and be able to get the most value out of their business applications driving growth and profit. Openness, flexibility, and integrity of our products have always been part of our product strategy, putting customers in the position to decide what's best for their IT environment. So the main reason is to offer you a free choice. Many SAP customers want to use Intel hardware and at the same time use their Unix know-how. Linux is growing with incredible speed and absolutely meets the quality standards of SAP. And thanks to the platform-independent SAP architecture, the port of the SAP kernel was fairly easy: none of the SAP business applications had to be modified. Another reason is the number of Unix operating systems SAP has to support. Especially when you try to get maximum performance out of your hardware resources, there are significant differences between the different Unix flavors. SAP has to maintain, test and support each possible combination of OS, database, hardware and SAP release. With Intel moving to 64 bit there is a high probability of even more Unix flavors. A consolidation of these Unix derivatives would benefit both vendors and customers. From our point of view Linux has a realistic chance to become the unified Unix running on different hardware platforms. If Open Source continues like this, it is very important for a software company to adapt early to the new situation. We are very proud that SAP was the first software in the world that run mission-critical ERP operations on Linux. We expect Linux to be successful in low and high end installations and SAP, as Trusted Adviser, is helping customers to make the right decisions around SAP on Linux.
What is Linux?
On the one hand, Linux is just another Unix operating system. People like its technical quality, performance, stability (despite the development speed), the wide range of software, worldwide support, comprehensive and easy-to-read documentation, clean design and user-friendly desktops. It's just fun to work with. But the main reason Linux became so popular is: it is Open Source! Basically, the rules of the game are: f
- all users have the right to redistribute the software
- the source code is available to all users
- any publicly distributed modifications/enhancements to Open Source products must be Open Source as well
The development method differs from conventional methods, but there is no difference from the user's perspective; Open Source products have well defined release numbers, and companies offer professional support (which they charge for!). To learn more about Open Source, try opensource.org.
NetWeaver 2004: The System is Suddenly Not Working Anymore?
If you can't log-in to your NW4 system - or everything is suddenly becoming pretty slow - you should check the space left in your system's LOG volume. If you don't have a graphical DBM GUI at hand, you can check this by running the following command as nw4adm: dbmcli -u control,control -d NW4 -USQL c 'sql_execute select logsize - (usedlog) from serverdbstatistics' The output is in 8 KB pages. An easy way to avoid this problem, is to set "Log overwrite on", by executing the following command as nw4adm: dbmcli -u control,control -d NW4 util_execute set log auto overwrite on Please note: With this setting, the database will overwrite its logs circularly, so the database will be unable to recover, if the DATA volume crashed. When developing a lot with the TestDrive, doing a backup or increasing the LOG volume would be a better solution.
Error Message: "No Start Profiles Found" When Starting the Instance?
After rebooting the test drive machine, your SAP system isn't starting anymore, but saying no start profiles found.
The install script configures an alias for your network card, which is then mapped to a so called "virtual hostname" nw4host (or respectively "si4host"), via /etc/hosts. If the 'startsap' can't find this virtual hostname, it can't resolve the paths to the SAP instance profiles.
SUSE versions newer than SUSE Linux 9.1 are using a different startup configuration for network aliases. Therefore the scripts placed in the directory '/etc/sysconfig/network/' won't work anymore. You will find there a script called 'ifcfg-eth0:0', which contains the configuration of your network alias. Normally look like this:
STARTMODE='onboot'
BOOTPROTO='static'
IPADDR='195.155.155.1/24' (same as /etc/hosts used for
DEVICE='eth0:0'
The new SUSE network configuration doesn't look anymore for the eth0:0, but for a script called ifcfg-eth-id-
IPADDR_0='
NETMASK_0='255.255.255.0'
LABEL_0=0
Afterwards you can restart your network by typing 'rcnetwork restart'. Then you should see in the output of 'ifconfig' a new interface eth0:0 using the specified address. This interface eth0:0 should now also appear after a restart of the machine. The SAP system should now be usable again
How to Protect the User Accounts Created by the SAP on Linux Test Drives?
Our test drives create some users on your Linux system, which are needed for running the SAP system or the database, like <sid>adm, sdb or db2.
Since the TestDrives are designed for easy use - not for high security - we strongly discourage using the test drives on productive or sensitive systems, e.g. machines which get directly connected to the Internet or are attached to bigger LANs. Nevertheless, as a safeguard, you should change the passwords of those users, or even lock them, so nobody can log in.
- Changing the default password:
e.g. as user root: passwd and set a stronger password. - Locking the user:
e.g. as user root: passwd -l . Afterwards you can't directly log-in as this user, but you can still switch to this user via su -
My License Has Expired: How Can I Get and Install a New One?
Before requesting a new license, you need your current hardware key. Section (My license key doesn't work, what's up with it?) describes what to do. With this key you can apply for a new license:
Please follow http://www.sap.com/minisap and fill out the form there using that key and a 90-day license should be emailed to you within minutes. This license can be renewed 7 days before expiry, just apply again by using the same form.
How the new license can be installed depends on which version you are using:
- SAP NetWeaver 7.0 or newer based TestDrives:
Starting with SAP NetWeaver 7.0 based versions you have to install the license via transaction "slicense" in the ABAP-stack of the system. Therefore upload the license file, which is attached to the mail, to your Linux system, where it can be accessed by the SAP-system. Logon as user SAP* and run transaction "slicense" in the GUI. Follow the button "New Licenses" at the top of the window and press "Install". A file dialog should open where you can navigate to and select the license file.
Unfortunately the manual way described below isn't working anymore.
- TestDrives based on versions earlier than SAP NetWeaver 7.0:
Logon as user SAP* and run transaction "slicense" in the GUI. Press the button "Install" and answer the questions with the values you received with your license mail and enter "DEMOSYSTEM" as your "Inst. Number".
You can also use the method described in the following.
- For the SAP Basis 4.6D test drive you have to install the license externally:
Become user adm and execute
/usr/sap//SYS/exe/run/saplicense -install
and answer some questions:
SAP SYSTEM ID =
HARDWARE KEY = (listed in the license e-mail)
INSTALLATION NO = DEMOSYSTEM
EXPIRATION_DATE [YYYYMMDD] = (listed in the license e-mail)
LICENSE_KEY = (listed in the license e-mail)
Please note: The database has to be online to install the new license.
My License Key Doesn't Work: What's Up With It?
The license key depends on a hardware ID, system ID and several other variables. Most likely your hardware key has changed after you applied for an evaluation license. This can happen if you You can obtain your current hardware key and change/update your license key without reinstalling the demo at any time: Become user adm and execute /usr/sap/ If your hardware key did not change, please double-check your license key. Probably you entered a zero instead of the letter 'O'.
Difference
Specific difference between SAP R/3 and mySAP ERP
SAP R/3 & mySAP is just brand name ERP pacakage of SAP AG.
SAP R/3 is used until 1997 and from 1998 it became mySAP.com by SAP AG.
The difference is that SAP R/3 has only core modules of FI TR CO MM SD PP while the mySAP.com has core modules & Extended features of ERP as BW,SEM,CRM,APO,etc,.
background job problem
I want to schedule background according to factory calender and within time limit 6:00am to 7:00pm.
I assume you want to schedule a periodic job to run only on workdays as defined in the factory calendar?
Execute SM36. Click on the Job Wizard. Work your way through the screens and you will be given the opportunity to specify hours, periods, restrict weekend and holiday processing, and one screen has a block to specify the factory calendar name.
How to reconciliate two development systems in one Production ?
Hello,
We are upgrading a classical SAP Landscape (Development, Quality Assurance, Production) from 4.6c to ECC6.0.
The problem is that, in parallel, a separate HR project is taking starting to enable payroll on a separate development system.
The standard landscape must remain untouched untill end 2007 (end of use of present external payroll)
On january 1st 2008, we are supposed to merge the standard landscape with the developments made on the separat HR project to include sap payroll.
Classically, parallel development is always a problem. Reconciliation is normally recommended via serial positioning; in other words, the new HR dev system is positioned before the standard dev system in the transport routes to avoid object collisioning.
Does any of you have a practical experience of such a situation which could be shared among us ?
If I understand your question (and I'm not entirely sure I do) I would save all your Transport files from the HR system, then load and apply them to the other system when you merge the two. There could be some technical issues to resolve, but this seems logical to me.
How can i install SAP BW 3.0b
When i'm trying to install BW 3.0b, installer saying that oracle not installed. I think the oracle installer and patches are in the disk 2. do i have to install oracle separately, if not then how do i proceed with the above?
Is there any step by step installation guide available for this?
Yes, you have to install Oracle separately. This is included in the installation guide. Are you not following the installation guide? It is downloadable from the Service Marketplace.
Difference bet. ECC 6.0 & SAP R/3 4.7
Hi,
If you're "Basis/Technical", focusing on the underlying technical "Basis" or "NetWeaver" versions will help you stay on the right track. Technically, ECC 6.0 is 2 "technology" versions higher. Following is the terminology/version information for the last 3 ERP product versions:
SAP R/3 Enterprise (4.7x)
SAP BASIS 6.20
SAP ERP 2004
SAP NetWeaver 2004 (BASIS 6.40)
ECC 5.0
SAP ERP 2005
SAP NetWeaver 2004s (BASIS 7.00)
ECC 6.0
The main technology feature delivered with NetWeaver is the integrated J2EE engine (Web Application Server Java).
Hope that helps!
Transactions
SUIM : various handy reports
· SU10 : Mass user changes
· PFCG: Profile Generator
· PFUD: User master comparison
· SU01: User master maintenance
· ST01: System trace
· ST22: ABAP dumps
· SUCU / SE54: Maintain authorization groups for tables / views
· PPOMW: Enjoy transaction to maintain the HR organizational plan
· PO10: Expert maintenance of Organizational Units and related relationships
· PO13: Expert maintenance of Positions and related relationships
· STAT: System statistics, including which tcodes are being used by which users
5.3. Tables
Table | Use |
UST12 | Authorizations and Tcodes per Profile |
UST04 | Assignment of users to Profiles |
AGR_USERS | Assignment of roles to users |
USOBT_C | Authorizations associated with a transaction |
USR02 | Last logon date, locked ID’s |
AGR_TCODES | Assignment of roles to Tcodes (4.6 tcodes) |
USH02 | Change history for users (e.g. who last changed users via SU01) |
USH04 | Display history of who made changes to which User Ids |
USR40 | Non-permitted passwords |
USR41 | Users with logon information (multiple logons) |
additional tips
OSS and Release Notes
Review all security-related
4.2. Workplan
Given the amount of work and number of steps involved in the security upgrade, it is recommended that a detailed Workplan is defined at the startup of the upgrade project. Key milestones from the security workplan should be integrated and tracked as part of the overall Upgrade Plan.
Clear ownership of activities, including conversion of Report Trees, needs to be established. This function is often perform by the Development team.
4.3. Standards and Procedures
Naming conventions and standard procedures should be established before the manual profiles are reconstructed as activity groups. Each team member should know how the new activity groups should be named to ensure consistency. Other standard practices for the construction of the activity groups should include:
· Transactions are added via the Menu tab and not by manipulating s_tcode.
· Ideally, no end users should have access to SE38, SA38, SE16 nor SE17.
Remember to keep Internal Audit involved where decisions need to be made regarding the segregation of job functions or changes to current authorizations are requested or brought in with new authorization objects / defaults.
4.4. Testing
4.4.1. Resources for testing
Enough resources should be allocated to the security upgrade process as each activity group and profile will require work to some degree or the other. It is important that key users and functional resources are involved in testing the activity groups and that this effort is catered for in the Upgrade Project plan. Clear ownership of each activity group should be established not only for testing purposes, but also for ongoing support and approval of changes. Ideally, the ownership and approval of changes should reside with different resources (i.e. the person requesting the addition of a transaction or authorization should not be the same person responsible for approving the request).
4.4.2. Test Plan
The security team should also establish testing objectives (whether each transaction being used in Production should be tested, whether each activity group should be tested with a representative ID, etc.).
A detailed test plan should then be established based on the approach, to ensure each person responsible for testing knows what s/he should be testing, what the objective(s) of the test is and how to report the status of each test. Both positive (user can do his/her job functions) and negative (user can’t perform any unauthorized functions) testing should be performed.
The Reverse Business Engineering (RBE) tool is very useful in identifying which transactions are actually being using in Production. This can assist with focusing on which transactions to test.
The importance of testing all used transactions individually and as part of role-testing cannot be stressed enough. TEST,TEST,TEST!
Every menu option, button, icon and available functions for all critical transactions need to be checked and tested. There are some instances where icons are grayed out or don’t even appear for certain users, due to limited authorizations. The only way these type of issues can be identified, is through thorough testing.
4.5. Issue Management (tracking and resolution)
Due to the number of users potentially impacted by issues / changes to a single activity group, a perception can quickly be created that the security upgrade was unsuccessful or the cause of many post GoLive issues.
It is therefore recommended that an issues log is established to track and ensure resolution of issues. The log should ideally also contain a description of the resolution, to aid with similar problems on other activity groups.
This log will be helpful during the entire upgrade process, especially where more than one resource is working the same set of activity groups, so set it up at the beginning of upgrade project! You can also use this for a ‘lessons learnt’ document for the next upgrade.
4.6. Status reporting
The security upgrade forms an integral part of the overall upgrade given the sensitivity and frustration security issues could cause. It is important that key milestones for the security upgrade are tracked and reported on to ensure a smooth and on-time cutover.
4.7. Detailed cutover plan
The detailed cutover plan differs from the overall security workplan, in that the detailed plan outlines the exact steps to be taken during each system’s upgrade itself. This should include:
· Transport request numbers,
· Download of security tables prior to the upgrade, especially UST12, USOBT_C and USOBX_C,
· A backup and restore plan, (e.g. temporary group of activity groups for critical functions),
· The relinking of user master records, with details on any CATT scripts, etc. that might be used,
· User comparison, etc.
The security team needs to ensure that enough time is allocated for each action item and that this time is built into the overall cutover plan. The project manager is usually expected to give an indication to end users and key stakeholders as to when the Productive system will be unavailable during its cutover to the new release. This downtime should thus incorporate time required to perform user master comparisons, unlocking of ID’s and all other action items.
4.8. Project team access
The SAP_NEW profile can temporarily be assigned to project team members to provide interim access to the new authorization objects. This provides the security team the opportunity to convert and adjust the IS team’s activity groups. It also eliminates frustration on the functional team’s side when configuring and testing new transactions, etc.
4.9. Training and new functionality
Some support team members (e.g. Help Desk members responsible for reset of user passwords, etc.) might require training and/or documentation on the changed screens of SU01, etc.
It is recommended that a basic Navigation & Settings training module is created for all SAP users and should cover the use of Favorites, etc.
The security team should also review Profile Generator in detail, as several new functions have been added (e.g. download/upload of activity groups, etc.). Remember to review all the different icons, menu options and settings on the authorizations tab, etc.
Lastly, if your company / project does use HR as related to security (activity groups and users assigned to positions / jobs), ensure that you become acquainted with the new enjoy transactions, e.g. PPOMW.
4.10. SU53
A new function with SU53 is the ability to display another user’s SU53 results. (Click on the ‘other user’ button and enter the person’s SAP ID).
4.11. Post Go-live
Remember to establish a support roster, including after hours for critical batch processes, to ensure security-related issues are resolved in a timely fashion.
Dumps should be checked regularly (Objects s_rfc and s_c_funct like making appearances in dumps) for any authorizations-related issues. Transaction ST22 can be used to review dumps for that day and the previous day.
Avoid transporting activity groups at peak times, as the generation of activity groups can cause momentarily loss of authorizations. It’s recommended that a roster for activity group transport and mass user comparison be reviewed with the project manager prior to the upgrade. Exceptions should be handled on an individual basis and the potential impact identified, based on number and type of users, batch jobs in progress, etc.
And, don’t forget to keep on tracking all issues and documenting the resolutions for future reference.
5. helpful reports, transactions and tables
5.1. Reports and Programs
· RTTREE_MIGRATION: Conversion of Report Trees to Area Menus
· PFCG_TIME_DEPENDENCY: user master comparison (background)
· RSUSR* reports (use SE38 and do a possible-values list for RSUSR* to see all available security reports), including:
v RSUSR002 – display users according to complex search criteria
v RSUSR010 – Transactions that can be executed by users, with Profile or Authorization
v RSUSR070 – Activity groups by complex search criteria
v RSUSR100 – Changes made to user masters
v RSUSR101 – Changes made to Profiles
v RSUSR102 – Changes made to Authorizations
v RSUSR200 – Users according to logon date and password change, locked users.
topics
-
▼
2007
(1406)
-
▼
December
(47)
- BASIS Interview Questions
- ABAP Classes in Workflow
- Enabling security audit alert in CCMS
- Will a Customer Get Support When Recompiling the L...
- Is Linux Supported as a Front End Platform?
- Where Do I Get Support?
- What Are the Main Reasons for SAP Customers Choosi...
- How Many SAP Customers are Using the Linux Operati...
- Is there a Different Price for SAP Business Suite ...
- Where Can I Get Linux for SAP Business Suite?
- Where Can I Get the SAP Business Suite on Linux?
- What Does "SAP NetWeaver on Linux" Mean?
- What Role Does SAP Play in the Open Source Scene?
- What is the SAP LinuxLab?
- Why Does SAP Support Linux?
- What is Linux?
- NetWeaver 2004: The System is Suddenly Not Working...
- Error Message: "No Start Profiles Found" When Star...
- How to Protect the User Accounts Created by the SA...
- My License Has Expired: How Can I Get and Install ...
- My License Key Doesn't Work: What's Up With It?
- Difference
- background job problem
- How to reconciliate two development systems in one...
- How can i install SAP BW 3.0b
- Difference bet. ECC 6.0 & SAP R/3 4.7
- Transactions
- additional tips
- Items requiring special attention
- Security upgrade objectives, Process and approaches
- overview
- table of contents
- SAP based the architecture of R/3 on a three-tier ...
- FM
- free download Sales Distribution (SD )
- Live Indian TV and Listen FM
- Technology
- Organization
- History of SAP R/3
- Generating Profiles using Automatic Profile Generator
- free download SAP Web As Implementation
- Finding objects in transports
- How do I prevent my spool request from being delet...
- How can I link Exchange with R/3?
- How can I browse the directories on the applicatio...
- How do you set up SAP documentation available thro...
- What steps are required to configyre the Internet ...
-
▼
December
(47)