Comparing locally managed and dictionary managed tablespaces

What is the difference between locally managed and dictionary managed tablespaces, and what are the benefits of using a locally managed tablespace?

When Oracle allocates space to a segment (like a table or index), a group of contiguous free blocks called an extent is added to the segment. Metadata regarding extent allocation and unallocated extents are either stored in the data dictionary or in the tablespace itself. Tablespaces that record extent allocation in the dictionary are called dictionary managed tablespaces, and tablespaces that record extent allocation in the tablespace header are called locally managed tablespaces.

Locally managed tablespaces have the following advantages over dictionary-managed tablespaces:

  • Local management of extents avoids recursive space management operations, which can occur in dictionary-managed tablespaces if consuming or releasing space in an extent results in another operation that consumes or releases space in a rollback segment or data dictionary table.
  • Local management of extents tracks adjacent free space, eliminating coalescing free extents.
  • Reliance on the data dictionary is reduced. This minimizes access to the data dictionary, potentially improving performance and availability.

Due to these improvements, Oracle recommends using locally managed tablespaces for all new tablespaces if fragmentation is expected to be an issue. The only drawback with locally managed tablespaces is that 'used-extent' information is not kept in the data dictionary. It must be read from the segment header blocks (and additional extent map blocks if any) whenever it is required, including queries against DBA_SEGMENTS and DBA_EXTENTS. If a tablespace with a large number of mostly small segments is locally managed rather than dictionary managed, then access to these views can cause a lot more physical I/O and thus impact the cache retention of user data. Furthermore, if the segments are mostly constant in size then the risk of the tablespace contributing to ST enqueue contention if dictionary managed is low. Thus, there is little motivation to make such a tablespace locally managed and a minor performance risk in doing so.

How to monitor update processes and update records

With an HP-UX RISC 64 bit database, how can we monitor the update process and the update records?


You can use Update Management for checking update statuses and analyzing and correcting problems. To access Update Management from the SAP initial screen, choose Tools > Administration > Monitor > Update, or enter '/nsm13' in the 'OK' code field.

Update management is used for the following:

  • Displaying update requests
  • Analyzing problems pertaining to the update
  • Testing and debugging canceled update requests
  • Displaying and resetting the status of update requests
  • Deleting update requests
  • Displaying statistics on updates

List of deletable SAP system files

Our SAP file system is filling up because initially it was defined too small. What are the non-required files that can be deleted from the SAP system? We are using HP-UX NetWeaver2004s on an Oracle database.
The files that can be deleted are mentioned below.

  1. Offline Redo log files
    Back them up and then delete them.
  2. Old spool and log files
    They are not necessary for R/3 functions and should be deleted regularly by scheduling a periodic batch job.
  3. File name "CORE" (Unix only)
    The R/3 System work directory (e.g. /usr/sap/c11/D00/work ) often contains a file called 'core' from previous program terminations. This file may be deleted at any time.
  4. Old ABAP/4 trace files.
    Use Transaction SE30 to delete the files
  5. Old output requests
    They are stored on the data directory as files SP*.

Remember that deleting these files is not a permanent solution. You should increase the file system sizes.

SAPgui disconnection problem

We are having a problem with clients disconnecting from the SAPgui. They are attempting to connect to a Solaris/Unix server through a firewall. We have found that the connection to the Wintel server is fine, but not the UNIX server. Clients on the local network (no firewall) are also fine. We receive the error:

NiPRead: recv (131: Connection reset by peer) [niuxi.c 928]

You should probably install SAPRouter (see http://service.sap.com/saprouter). It redirects incoming SAPGUI connections to the correct SAP systems. It has many connection and security configuration settings (see the online documentation for more information). SAPRouter listens by default to port 3299. You will have to open this port on your firewall.

Upgrading from SAP kernel 6.20 to 6.40

How would you upgrade SAP kernel 6.20 to 6.40 in an MSCS Environment on Windows 2003?
Proceed as follows:

Stop the SAP R/3 resource in the cluster. Leave the SAP disk online.

Replace the kernel in the executable directory. Don't forget the extra executables in c:\windows\sapcluster or c:\winnt\sapcluster (on both nodes).

Start the SAP R/3 resource in the cluster again.

All ABAP programs need to be re-compiled after the kernel upgrade to 6.20. Take the following steps to only recompile the ABAP programs in use.

To create a consistent status of ABAP sources and loads, proceed as follows:

Before the kernel upgrade, specify the available loads

  • Call transaction SGEN and choose: Regenerate the available loads -> Continue -> Generate all objects with available load
  • On the next screen, define the servers that should be included during the generation and choose 'Continue'. The Job Monitor screen appears. Since the programs for which loads have already been generated are now stored in the GENSETC database table, you can exit transaction SGEN.

Perform the kernel upgrade
Start the SAP system with STARTSAP
Regenerate with the transaction SGEN.

  • Call transaction SGEN and choose:
  • Regenerate objects from last generation -> Continue -> Restart -> Select the servers -> Continue.
  • Start the generation or schedule it. All the programs from which a load existed before the deletion now get a new load.

How to develop an RFI for SAP 4.6c to ECC 6.0 migration

We are planning a migration from 4.6c to SAP ECC 6.0. We are developing an RFI for this. Could you direct me to information regarding this?

The best place to start is the ERP upgrade portal accessible at http://service.sap.com/erp-upgrade. It contains links to many presentations, templates and documentation on the upgrade to ERP ECC 6.0. It is an interesting starting point for both technical and functional people.

SAP installation keys for upgrades or new installations?

Our Basis group is preparing to upgrade from 4.6c to ECC 6.0. I see notes that an installation key is generated using Solution Manager. Another note stated this key was only good for four weeks and I would need to get a key from SAP afterwards. Will I need to get an installation key from SAP for an upgrade or is that only for a new installation?
I was unaware that the upgrade key generated in Solution Manager is only good for 4 weeks. I have never come across this limit.

You do not need a new installation key from SAP for the upgrade. You do need to renegotiate your contract as there is a big difference between 4.6c and ECC from a licensing point of view.

Upgrading R/3 with smallest possible data loss

Currently we run BW3.5; Our OLTP R/3 system is getting upgraded to ecc6 from SAP4.6c. The R/3 downtime for upgrade does not give us time to make entries in LBWQ zero. Is it possible to upgrade R/3 without making queue entries 0 and without suffering data loss for extraction to BW? If there is any alternative to maintain data quality please let me know.


If the structure of the data sources is modified during the upgrade, data loss will occur. Many customers are faced with the problem you are describing. A possible solution could be to schedule as many delta loads as possible during the uptime phases of the upgrade. As such, only the last deltas need to be copied over before the downtime may begin.

Migrating test programs from ECC 4.6 to 6.0

We are currently upgrading from 4.6 to ECC 6.0; in our current DEV environment we have some dev-only and test programs that have not, and will not, be transported. How do we go about migrating them to our new ECC DEV environment which will be a copy of our latest 4.6 production environment?

It is generally considered a very bad idea to replace a development system. You lose all the history of the developments carried out, as well as useful utilities as you mention. If it is deemed absolutely necessary, despite being considered not best practice, then you can safeguard your dev/test programs by putting them into a development class/package, recorded against a transport. When you release the transport, transport files are created on the applications server, which can be later used to re-import the developments.


Building a new PRD system from an online backup

We currently run SAP R/3 on an Oracle 10.2 and are upgrading to ERP 2005 (Unicode conversion).

Our Basis team has now made us aware that they are intending to build the new PRD system from an online backup with two days transactions rolled in using archive logs.

I don't believe we have ever done this before. Is this an approved and 'safe' method of building a PRD system?

I need some more information to get the picture. I assume that you are going to move to new hardware before the upgrade and Unicode conversion and that you are going to use the backup/restore (with roll-forward) to do this move. In case of disaster recovery, you will also restore your backup and apply the archive logs up to the point the disaster occurred.

The only difference in your case is that you are doing it on a new system. This is an approved and safe method. In my opinion, doing a database restore with roll-forward is something which should be practised at least once a year. Many of my customers are doing this type of disaster/recovery exercise as much as twice a year.

Generating an SAP installation key

I am installing a new SAP NetWeaver, Development Subscription and am at the SAPinst point of requiring the Solution Manager Key. I have read SAP note 805390 but do not understand how to get the key.
You need to generate an installation key in Solution Manager. An installation number is not needed to generate an installation or upgrade key. So you can generate the installation key in any Solution Manager system.

The procedure to obtain the installation or upgrade key is as follows:

  • Log on to the Solution Manager system.
  • Call transaction SMSY.
  • Open Landscape Components.
  • If the system has not been defined yet: place the cursor on the Systems entry • [Right Mouse Button].
  • Enter the System ID and select the SAP product and product version. Press Save when finished.

To generate the key, System -- Other object.

  • Mark System and enter the SID.
  • Press Generate Installation/Upgrade Key (key-shaped icon).
  • Enter the system number and message server host (without domain). Note that in some versions the system changes the host name to upper case, but this is of no importance.
  • Press Generate Key. The 10-character key value is displayed.

Go-Live check

First, we need to open a message in component XX-SER-TCC to find out if your installation is scheduled for a Go-Live check which is conducted by SAP and its partners.

Go-Live Functional Upgrade Analysis -- ideally six months before Go-Live. This basically checks your hardware requirements. It ascertains that you will be able to accommodate the increase in functionality caused by the Go-Live, and it also gives some parameter recommendations to fine-tune your system.

Go-Live Functional Upgrade Verification -- This is normally done two months after the Go-Live which checks that everything is fine after the upgrade.

Then you have the normal EarlyWatch session. Each installation is entitled to 2 free EarlyWatch sessions in a year. In these sessions, performance tuning is done for your system, while hardware, memory and I/O bottlenecks are identified.

Reports of all these sessions carried out by SAP are then sent to you in the form of a Word document. You can follow the guidelines mentioned and call SAP or mail the person who ran the session for you for any clarifications.

SAP will contact you to open the connections for them, so that they can prepare the system before the actual session takes place. In the session, they will see if the SDCC version is good enough so that they can download the data from your system into their internal system on which they carry out the analysis. Then they see if SAPOSCOL is running and enough history data is there in ST03n for them to carry out reasonable analysis. If everything is set, a download is scheduled on your system using SDCC for a day prior to the actual session. Finally, on the day of the session you open the connections for them again and provide them with userid and password. Normally, it is earlywatch in 066 client.

Close a hung session in SAP

If you have multiple SAP sessions open from one system and one of them gets hung up on a transaction or program and you would like to stop that one session without closing them all, you can use this transaction to end the one session.

Let's say you want to end session three. You can go to either session one or two and enter this command in the transaction box: /i3
This will immediately close the hung up session (session three in this case).

Or you can do this the long way by going to SM04 and double-click your userid, select a session and hit 'end session'.

Display locked and unlocked SAP transactions

Transaction code SM01 -- Lock/Unlock Transactions -- cannot be configured for display-only authority and is not easily used for that purpose anyway. Check your SAP system for the SAP report RSAUDITC or RSAUDITC_BCE (they both contain the same code.) This report can easily be added to a menu tree and provides various display only options for you and your auditors.

Code

Tcode:se38
Report: RSAUDITC or RSAUDITC_BCE
Select display options and execute.

How to reinstall the Support Package Manager from the command line in SAP Basis

1. Introduction
As of SAP Basis Release 3.0D, SAP delivers Support Packages to remove any error that appears in important transactions. A Support Package is a bundle of corrections that fixes errors in the ABAP repository. They are available for download through the Software Distribution Centre at the SAP Service Marketplace (http://service.sap.com/PATCHES).

Support Packages are installed using the so-called Support Package Manager (transaction SPAM). As with all software components, newer versions of the Support Package Manager are made available on a regular basis. Their installation process might look strange at first sight. The old Support Package Manager, available in the system, is used to install the new one. During the procedure, the old one is replaced with the newer version.

What if something went seriously wrong during the installation of the Support Package Manager? In a best-case-scenario, SPAM offers the option to re-start the installation. In a worst-case-scenario, the failure occurred during a critical phase of the installation process. The installation cannot be repeated, as the tool to install it is no longer there. A full database restore is an option, but not realistic. A database restore just to retrieve the Support Package Manager is a little bit too much to ask for.

As an alternative, the Support Package Manager might be installed from the command line. This is what this tip is all about.

2. Upload and disassemble the SPAM upgrade
During the upload, the support package archive is copied to the transport directory. It is converted to a transport request during the disassemble process. The disassembling is automatically done when the support package is being installed. This cannot be done on the target system because transaction SPAM is no longer there.

However, SAP systems which reside in the same system landscape share the transport directory. Another system can be used to upload and disassemble the SPAM package.
1. Connect to one of the other SAP systems in your landscape. Remember, SPAM is operated from within client 000.
2. From within the Support Package Manager, upload the SPAM archive from the front-end (in the menu 'Support Package' --> 'Load' --> 'From the front-end').
3. Disassemble the Support Package. In the menu, go to 'Utilities', 'Disassemble Support Package'. Choose the SPAM archive and confirm.


Figure 1: Transaction SPAM, disassemble the archive manually

3. Install the Support Package Manager manually
Install the Support Package Manager using the command line.

1. As user <sid>adm, connect to the server.

2. Open a DOS box or Telnet session.

3. Go to the transport directory:
# cd H:\usr\sap\trans\bin

4. Use tp to add the transport to the buffer:

H:\usr\sap\trans\bin>tp addtobuffer SAPKD62018 <SID> U1 pf=TP_DOMAIN_<SID>.PFL
sapparam: sapargv( argc, argv) has not been called.
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
This is tp version 340.15.01 (release 640)
Warning: Parameter DBHOST is no longer used.
Warning: Parameter DBNAME is no longer used.
Addtobuffer successful for SAPKD62018
tp finished with return code: 0
meaning:
Everything OK

NOTE: The <SID> in TP_DOMAIN_<SID>.PFL is the <SID> of the Transport Domain Controller. This is not necessarily the same as the system into which you wish to import the SPAM transport request.

5. Import the transport request:

H:\usr\sap\trans\bin>tp import SAPKD62018 <SID> U26 pf=TP_DOMAIN_<SID>.PFL
sapparam: sapargv( argc, argv) has not been called.
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
This is tp version 340.15.01 (release 640)
Warning: Parameter DBHOST is no longer used.
Warning: Parameter DBNAME is no longer used.
This is R3trans.exe version 6.09 (release 640 - 03.12.04 - 10:34:00).
R3trans.exe finished (0004).
sapevt.exe=>sapparam(1c): No Profile used.
sapevt.exe=>sapparam(1c): No Profile used.
sapevt.exe=>sapparam(1c): No Profile used.
This is R3trans.exe version 6.09 (release 640 - 03.12.04 - 10:34:00).
R3trans.exe finished (0004).
sapevt.exe=>sapparam(1c): No Profile used.
sapevt.exe=>sapparam(1c): No Profile used.
sapevt.exe=>sapparam(1c): No Profile used.
sapevt.exe=>sapparam(1c): No Profile used.
tp finished with return code: 4
meaning:
A tool used by tp produced warnings
6. In SAP, try transaction SPAM. Voila, after a few compiles the Support Package Manager reappears!

New security features in ECC 5.0?

Our client has SAP ECC 5.0. We set up all the parameters including the password expiration date and minimum password characters. Unfortunately, it turns out these parameters are affecting the communications users (RFC users), prompting them to change their passwords and so forth.

In my experience, these parameters in the past excluded the communications and background users. Are you familiar with this? Are you aware of this change in ECC?

I have not observed this behavior. Perhaps you should report this to the SAP online support system.

SAP security audit log setup

1. Introduction
The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities you consider relevant for auditing. This information is recorded on a daily basis in an audit file on each application server. You can then access this information for evaluation in the form of an audit analysis report. Statistical information can easily be retrieved on transactions and reports. Although it was not designed for this purpose, the information it generates is invaluable when estimating the number of resources needed for the next upgrade project and when you want to know which transactions or reports most attention and effort should go to.

The following information can be recorded in the Security Audit Log:

  • Successful and unsuccessful dialog and RFC logon attempts
  • RFC calls to function modules
  • Successful and unsuccessful transaction and report starts

2. Activating the audit log
The following instance profiles must be set in order to activate audit logging (use transaction RZ10 to do so).

rsau/enable: Set to 1 to activate audit logging
rsau/local/file: Name and location of the audit log file
rsau/max_diskspace/local: Max. space of the audit file. If maximum size is reached auditing stops.
rsau/selection_slots: Max. number of filters

The settings are activated after the instance has been restarted.

3. Defining Filters
To access the Security Audit Log configuration screen from the SAP standard menu, choose:
Tools-> Administration->Monitor->Security Audit Log->Configuration (or transaction SM19).

Filters define what needs to be recorded. The following information can be specified:

  • Which User(s), Client(s) (wildcards can be used)
  • Audit class (for example, dialog or RFC attempt, start of transaction, report...)
  • Importance of the event (critical, important...)

Filters can be static (permanent) or dynamic (temporary):

  • Static filters are stored inside the database. All application servers use the same filter for determining which events should be recorded in the audit log. After saving (Save) and activating (Profile->Activate) the static profile, it will be loaded at the next restart of the application server.
  • Dynamically created profiles, on the contrary, can be activated at any time to filter for selected events. They are automatically distributed to all active application servers (after saving and distributing them by selecting Configuration->Distribute Configuration).


Transaction SM19 - Administer Audit Profile

4. Analyzing the Audit Log
The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System.

To access the Security Audit Log Analysis screen from the SAP standard menu, choose:
Tools->Administration->Monitor->Security Audit Log->Analysis (or transaction SM20). The Audit Log can be scanned for a period of time, user, transaction, report, etc.


Transaction SM20 - Analyzing the Audit Log

Example report:

    Time     Cat No Cl. User       Transaction code   Terminal MNo Text
    12:00:38 DIA 0 100 I004567 SM19 PCIT0012 AU3 Transaction SM19 Started
    12:00:56 DIA 1 100 I003765 SE71 PCIT0054 AU3 Transaction SE71 Started
    12:01:28 DIA 1 100 I003765 SE71 PCIT0054 AUW Report RSTXDBUG Started
    12:01:31 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started
    12:01:36 DIA 1 100 I003765 SE71 PCIT0054 AU3 Transaction SE71 Started
    12:01:43 DIA 1 100 I003765 SE71 PCIT0054 AUW Report RSTXDBUG Started
    12:01:45 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started
    12:01:58 DIA 1 100 I003765 VT12 PCIT0054 AU3 Transaction VT12 Started
    12:01:58 DIA 1 100 I003765 VT10 PCIT0054 AUW Report RV56TRST Started
    12:01:58 DIA 1 100 I003765 VT10 PCIT0054 AUW Report RV56TRSL Started
    12:02:49 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started

    Transaction Statistics

    Transaction Number of entries

    VA01 17 5%
    VA02 13 4%
    SE71 13 4%
    SE16N 12 3%
    ZV01 9 1%
    SM19 9 1%
    SE38 8 1%
    SA38 7 1%
    MB51 7 1%
    CO03 5 1%
    VT03N 5 1%
    SE37 4 1%
    SE91 4 1%
    LX03 4 1%
    VA01 3 1%
    SE09 3 1%
    SM18 3 1%
    CO02 2 1%
    BMBC 2 1%


    Report Statistics

    Report Number of entries
    RSBTCRTE 653 24 %
    ZFIN01 642 23 %
    SAPMSSY4 298 11 %
    ZCO03 297 11 %
    ZFIN09 74 3 %
    SAPLSMTR_NAVIGATION 40 1 %
    RSRZLLG0 39 1 %
    RSDSLAN1 33 1 %
    CSM_LOAD_APPSRV_DATA 33 1 %
    SAPMSSY8 31 1 %
    RSDSBUFF 31 1 %
    RSDSOSCO 31 1 %
    RSDSFSYS 31 1 %
    RSDSUSER 31 1 %
    RSDS_DBMEMBER 31 1 %
    RSDSDEFLOAD 31 1 %
    RSALSUP5 30 1 %
    RSRZLST0 30 1 %
    RSALSUP2 30 1 %
    RSUVM018 30 1 %
    RSDSSPTI 30 1 %
    CCUMEAS 30 1 %
    RSRFCDMN 30 1 %
    RSDSSPNR 25 1 %
    RSDS_BP_FREEWP 16 1 %
    RS_UPDATE_STATUS 14 1 %
    RK_SE16N 6 %
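
The statistics above can be derived from the line-level report. The following Python sketch is an added example, not part of the original tip and not an SAP tool: it parses the example report lines shown on this page, tallies transaction (AU3) and report (AUW) starts with their percentage share, and lists which users started transactions on a reviewer-defined watch list. The WATCHLIST contents and all function names are assumptions, and the parser assumes every column is populated, as in the sample.

```python
import re
from collections import Counter

# Lines copied from the example report on this page (SM20 analysis output).
SAMPLE_REPORT = """\
Time     Cat No Cl. User       Transaction code   Terminal MNo Text
12:00:38 DIA 0 100 I004567 SM19 PCIT0012 AU3 Transaction SM19 Started
12:00:56 DIA 1 100 I003765 SE71 PCIT0054 AU3 Transaction SE71 Started
12:01:28 DIA 1 100 I003765 SE71 PCIT0054 AUW Report RSTXDBUG Started
12:01:31 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started
12:01:36 DIA 1 100 I003765 SE71 PCIT0054 AU3 Transaction SE71 Started
12:01:43 DIA 1 100 I003765 SE71 PCIT0054 AUW Report RSTXDBUG Started
12:01:45 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started
12:01:58 DIA 1 100 I003765 VT12 PCIT0054 AU3 Transaction VT12 Started
12:01:58 DIA 1 100 I003765 VT10 PCIT0054 AUW Report RV56TRST Started
12:01:58 DIA 1 100 I003765 VT10 PCIT0054 AUW Report RV56TRSL Started
12:02:49 DIA 1 100 I003765 VT03N PCIT0054 AU3 Transaction VT03N Started
"""

# Columns as in the report header: Time, Cat, No, Cl., User, Transaction code,
# Terminal, MNo (message ID), Text.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<cat>\S+)\s+(?P<no>\d+)\s+"
    r"(?P<client>\d{3})\s+(?P<user>\S+)\s+(?P<tcode>\S+)\s+"
    r"(?P<terminal>\S+)\s+(?P<msg>[A-Z][A-Z0-9]{2})\s+(?P<text>.+)$"
)
# The Text column names the object that was started.
TEXT_RE = re.compile(r"^(Transaction|Report)\s+(\S+)\s+Started$")

# Assumption: transactions this reviewer wants called out (audit configuration,
# ABAP editor, table browser). Adjust to your own policy.
WATCHLIST = {"SM18", "SM19", "SE38", "SE16N"}


def parse_report(text):
    """Return (events, rejected_lines); malformed lines are kept, not dropped."""
    events, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time "):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if not m:
            rejected.append(raw)
            continue
        ev = m.groupdict()
        t = TEXT_RE.match(ev["text"])
        ev["kind"], ev["object"] = (t.group(1), t.group(2)) if t else (None, None)
        events.append(ev)
    return events, rejected


def statistics(events, kind):
    """List of (name, count, percent) for 'Transaction' or 'Report' starts."""
    counts = Counter(e["object"] for e in events if e["kind"] == kind)
    total = sum(counts.values())
    return [(name, n, round(100 * n / total)) for name, n in counts.most_common()]


def watchlist_hits(events, watchlist=WATCHLIST):
    """Map user -> [(time, transaction)] for watch-listed transaction starts."""
    hits = {}
    for e in events:
        if e["kind"] == "Transaction" and e["object"] in watchlist:
            hits.setdefault(e["user"], []).append((e["time"], e["object"]))
    return hits


if __name__ == "__main__":
    events, rejected = parse_report(SAMPLE_REPORT)
    for kind in ("Transaction", "Report"):
        print(f"{kind} statistics")
        for name, n, pct in statistics(events, kind):
            print(f"  {name:<12}{n:>4}{pct:>4}%")
    for user, starts in watchlist_hits(events).items():
        print(f"watch list: {user} -> {starts}")
    if rejected:
        print(f"{len(rejected)} line(s) could not be parsed and need manual review")
```

Lines that do not match the expected layout are returned separately so that a truncated or altered export is noticed rather than silently skipped.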

5. Reorganizing the Audit Log
The Security Audit Log saves its audits to a corresponding audit file on a daily basis. Depending on the size of your SAP System and the filters specified, you may be faced with an enormous quantity of data within a short period of time.

Old audit log files can be deleted via Tools->Administration->Monitor->Security Audit Log->Configuration (or transaction SM18).

What are the industry standards for SAP authentication?

What's the industry standard as far as SAP authentication is concerned? Do most organizations use the native SAP authentication, or do they integrate SAP with external authentication servers such as LDAP and AD?

What's your recommendation on SAP authentication -- and is integration with external authentication servers a major undertaking?

Most companies are using SAP's password security as delivered. A relatively small percentage of companies are using active directory integration to support single sign-on. Some companies are using third-party authentication tools that may be linked to the active directory or other identity management services.

The size of a single sign-on undertaking can vary significantly based on underlying technology. Companies that use Microsoft for their SAP application servers are at a decided advantage, as Microsoft has delivered SSO options that can be quickly integrated to SAP. Single sign-on is an increasingly important opportunity as enterprises expose more SAP functionality to Web-based interfaces and integrate more applications across various platforms.

How do I link user IDs to positions in SAP?

What are the implications when using a position as a user ID and then linking that position to transactional roles?

A user ID and a position are always different entities in SAP. A user ID should always be tied to an individual who uses the SAP system. SAP allows you to link a user ID to a position as long as that user holds the position.

This linkage allows significant additional control opportunity through structural authorizations to control the scope of a user's actions in the HR system, including Personnel Administration and Organizational Management. It also allows you to assign roles for the rest of the SAP system to positions which are then subsequently assigned in a batch process to the user who holds the position. When the user (person) is transferred to another position the security associated with the previous position is removed.

How do I fix user role problems in SAP security?

When I use SU01 to add a bunch of roles to user ID XX, a pop-up window appears and warns the maximum number of profiles has been exceeded for user XX. What can I do now?

A user's profiles (i.e., the objects generated by the profile generator) are all stored in one long field in table USR04. Once that field is filled up a user can have no more roles.

I have never seen your problem before. It seems that you are working with a poor security design that should require so many roles. Ideally users shouldn't need more than three or four roles.

How do I utilize SAP inspection plans and support packages?

We are using an inspection plan for QM, SAP R3 4.6 and we are trying to restrict only particular users to release the created inspection plan. How can we achieve this? Also, is there a standard methodology available to do an impact analysis of SAP support packages?

The most fulfilling part of a security job is the research required to solve a particular problem and the rewards that come from continually expanding the breadth of one's understanding of SAP's delivered functionality.

I suggest that you consider turning on a trace while releasing an inspection plan and see if SAP provides an authorization check. You may also try to determine if SAP uses Status Management -- a cross-application functionality -- in relation to inspection plans.

There are authorization objects for status management that allow you to control who can change the status for an object. This may require that status management with user statuses be configured.

Allowing only a certain number of users in SAP at one time

Suppose I want to allow 10 SAP users onto the system at once, how can I restrict an 11th user from logging into SAP? Can I send him a message that he cannot log in now?


SAP has a user exit that is invoked during a SAPGUI login that allows for some processing logic. SAP discourages use of this for preventing a login. You may consider developing some application functionality (including messages) that exploits this user exit.

How do I restrict transaction access based on user profile?

I have a batch of users that are set up with profiles only that have too much access. I want to build roles that give them access to the transactions they need to do for their job. I have asked these users' managers to give me information on what these users need; my new manager says that is not the way to do it.

I don't want to get in between you and your manager, but does he have another way? It is possible to extract data from the SAP system performance logs regarding users and the transactions they use. This probably will require that you obtain the RBE tools from SAP or use appropriate features of Solution Manager (or get programs from developers who have done this before).

It isn't a bad idea to get information from business managers on what their users do. Even if you get data from the system, you will have to discuss it with managers to actually build the roles correctly.


Blocking a material type in Transaction MM01

In Transaction MM01, I want to block the material type "Non-Stock Material (ie)NLAG." What are the ways to do it?
You can add an authorization group to the material type. An authorization can be added to the material type via transaction OMS2. Users who do not have authorization for M_MATE_MAR for the authorization group on that material type will not be able to maintain it in MM01.

Listing TCODE transactions used to view what users are logged in to SAP

I want to get a list of all transactions used per user in a specific time period. Basically I'm looking for a list of all users logged in SAP and the details of the tcodes they used. Is there any standard report or tcode available to view this info?
There is no standard transaction. The information is available for configurable time periods using transaction ST05N but it is not organized to readily provide a report of users and transactions. Also the information available summarizes a user's use of a transaction. There will be one entry (with count data) per user per time period. Daily, weekly and monthly summaries can be created and they are stored for configurable durations.

The information is summarized into a cluster table called MONI based on the STAT files that are written in the file system and regularly refreshed. MONI cannot be queried via SE16 etc., but SAP delivers a number of function modules that retrieve data from these tables.

It is also possible to configure audit logging via SM19 and read the log files via SM20. This will provide more detail but it also introduces new file management issues and requires a change to system settings.

What is the process for resetting a DDIC password?

How I can reset the DDIC user's password? I have changed it from the delivered default.
DDIC can be handled like any other user id. Reset the password using SAP's user maintenance transactions.

Accessing the SE38 T code with only display authorization

Is there a way to create a profile with access to the SE38 T code with only display authorization (not create/execute/delete)? I have restricted the field to DISPLAY alone in authorizations data, but still, some programs can be executed. The R/3 version is 4.5B.
Place an authorization group on every Type 1 program (except Type 1 type-pools) and give end users authority to execute all the programs using an authorization for S_PROGRAM that has actions BTCSUBMIT and VARIANT. Do not grant access for action SUBMIT. The user will be able to submit reports from any transaction that will start the report but not from SE38 or SA38 or from any other path to a code editor including System/Status.

In some versions of SAP, it is possible to submit a report while viewing the code for an include program for the report. You must make sure that this is not possible in your version, and if it is, you must determine the availability of OSS notes to correct the weakness in your version. Later versions of SAP all allow for executing Type 1 code while viewing an include, but they do enforce the authorization check.



Assigning roles to all users in a group

How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.

This is possible in the SAP portal for portal roles, but I defer to others for more specific guidance for SAP portals. Assigning roles to groups in the ABAP stack is a concept that SAP abandoned. It cannot be done in current versions of NetWeaver. It may be possible in some earlier versions, but the functionality was always problematic and ultimately SAP withdrew it from support.

How do I go about creating an authorization group?


This all depends. In some cases authorization groups must exist in a custom table before they can be used. This is true for table authorization groups (authorization group in table TBRG assigned to tables in table TDDAT via transaction SE54) and user groups (created in transaction SUGR). In some cases authorization groups are merely created when they are assigned to the object in a standard maintenance transaction (e.g. vendor master data, customer master data, material master data etc.). In other cases the authorization group has an optional validation table that is used in search helps but nowhere else (ABAP programs in table TPGP and TPGPT, report writer authorization groups (via table TBRG) etc.). Authorization groups are essentially labels that you assign to objects (tables, programs, master data etc.) that allow authorization checks for access to the objects with the label.

What is the difference between Basis and the Application Server?

I have one question about the SAP R/3 architecture: What distinguishes BASIS from the Application Server? What is the role of Basis doing vs. the role of an Application Server? How are these two linked & finally are ABAP/4 programs interpreted or compiled or both? Please give me an insight into this.

Basis is part of the application server. But think of Basis as the foundation of the SAP system. "Basis" has to do with the installation and configuration of components that make the system work. About the ABAP/4 language: programs are compiled to a program code that runs interpretively. The compilation process is referred to as "generation".

Support packages and add-ons, why are they important?

1. Why do we require a support package and why is it not incorporated with the new version of SAP R/3?
2. What are add-ons and why do we require add-ons?
3. What is CRT and why do we require it?
4. Who should decide which patch should be applied and when?

Support packages are a collection of fixes that have come out after the official release of an SAP software solution.

Notice, though, that some support packages are preloaded with the system. R/3 Enterprise SR1 is a good example of that.

An add-on is a component that can be loaded into an SAP software solution.
Examples: PI, PI_BASIS, SOA 1.0 (CGVMIC).
The CGVMIC is the Management of Internal Controls add-on, which is part of the Sarbanes & Oxley Compliance Tool. New SAP releases come with some add-ons preloaded, too. PI (Plug-In) is a good example. It's used to exchange data with other applications such as BW and APO.

A CRT (Conflict Resolution Transport) is used when you have installed an Add-on and Support Packages that conflict with each other.

Who decides about what patch should be applied and when? That's a good question. The answer is: You, the customer.

SAP R3 Business BluePrint - Planning Your SAP Implementation

Every SAP implementation project goes through pre-defined stages. Some of you might remember my post on the milestones in an ERP implementation project. Normally, the first stage in an SAP R/3 project is the Business Blueprint stage. Business blueprints help in guiding people through complex business processes. The SAP R/3 business blueprint uses computer-based graphic modeling methods to integrate technology and business processes. In a nutshell,

Business Blueprints in SAP are a definitive description of R/3, providing a comprehensive view of the main business processes and business solutions available in the R/3 system.

Some important points worth mentioning here are:

1. Business blueprints in SAP R/3 help business users understand complex business processes. In fact, the goal of the business blueprint is to streamline business processes.

2. Business blueprints are often the first step in business engineering. Blueprints help in speeding up SAP R/3 implementations, facilitating communication among SAP customers and SAP R/3 consultants.

3. The SAP R/3 business blueprint stresses four key areas:
- Events i.e. when should something be done
- Tasks or Functions i.e. what should be done
- Organization i.e. who should do what
- Communication i.e. what information is required to do the right task

4. To summarize what I just said above, SAP R3 business blueprint tells business process owners who must do what, when and how.

SAP R3 EarlyWatch Session

Q). What is SAP Earlywatch Session?

Answer:

An SAP EarlyWatch session is the name given to the process whereby SAP AG logs in to your SAP system. During this process, SAP AG goes through the SAP installation, collects performance and other data, and then provides the SAP system administrator with a report on the SAP system's overall configuration. The benefit of EarlyWatch is that it highlights problem areas, potential problem areas, and areas that are configured well, thus helping the SAP installation manager focus on the performance and availability of the SAP system. SAP's EarlyWatch service is part of the overall Solution Manager (SoluMan) in the SAP system.

What is SAP Internet Transaction Server ITS

One question often asked at beginner level SAP interviews is relating to the SAP Internet Transaction Server (ITS). Below, I am explaining the concept of internet transaction server in SAP R/3 ERP.

Q). What is SAP Internet Transaction Server ITS ?

Answer: SAP Internet Transaction Server allows users to access the SAP R/3 system over the internet via a web browser. SAP designed transactions in SAP R/3 with an easy user interface to be used over the internet. In other words, SAP ITS is the middleware which integrates the SAP R/3 ERP with the Internet. The ITS browser allows users to access internet application components (IACs) designed by SAP. These internet application components or scenarios can be customized to company-specific requirements.

The SAP Internet Transaction Server consists of the W-Gate (Web Gate) and A-Gate (Application Gate) components. The Web Gate component talks to the web server and the Application Gate component talks to the SAP R/3 application servers. The Web Gate component of SAP ITS isolates the A-Gate component from the web server. Thus, SAP ITS enables users to access mySAP components with the SAP GUI for HTML. Internet Transaction Server is the portal generator for the mySAP workplace.

SAP Role Maintenance Administration Tool

Role Maintenance and role administration are terms which were used for the first time in SAP 4.6C. The role maintenance tool in SAP is transaction PFCG. It is the most basic tool to control and manage security in all SAP systems. The menu path to access the role maintenance tool in SAP is given below.

Tools > Administration > User Maintenance > Role Administration > Roles

The role maintenance and administration tool in SAP is mainly used by the security administrators. One of the biggest tricks which SAP can play is in the area of security and user access. For this reason it is important to ensure that the roles created match the security policies of the company. The role maintenance tool, which is transaction PFCG (profile generator), consists of menus, authorizations and users. Menus contain transaction codes, reports, web addresses, and folders. Authorizations contain authorization objects, authorization values and organizational values. Users include an organization plan, time-delimited users and so on. All three together comprise the role maintenance and administration tool in SAP.

SAP Transport Management System Concepts

SAP's Transport Management System represents the centralized Change and Transport System (CTS) for all R/3 systems. SAP introduced the Transport Management System (TMS) from version 4.0 onwards. One of the main benefits of the new transport management system is that it enables the SAP administrator to manage all SAP R/3 change requests from one single SAP client. Centralization of change requests results in streamlined change management.

Earlier, the transport of objects was done through transaction code SE06. With the introduction of the transport management system, the movement of objects is now controlled through transaction code STMS. SAP TMS allows SAP administrators to define transport routes beforehand. This minimizes human intervention in handling transport requests. As a segregation of duties best practice, access to transport management system transactions should be restricted to the Basis team. Below, I have listed some of the important SAP transactions related to transport management.

Important Transport Management TCodes

SCC1, SCC4 - These are client administration transactions which enable users to create a new client (SCC1) and copy data from an existing client to a target client.

SE10 - SE10 represents the transport organizer. It is used to manage and verify transport requests.

SE11 - SE11 is the ABAP dictionary and is used to manage and release transport requests.

STMS - The transaction for transport management system, controls the movement of objects between various SAP systems.

How to know the kernel version of a SAP R3 system?

From any screen choose System-->Status then click the 'other kernel info' icon (between Navigate and Cancel).

The same information can be found at OS level in the dispatcher trace file: /usr/sap///work/dev_disp.

Go to transaction SM51, and click (not double click) on the Database server and then click on release notes. There you will see the SAP R/3 kernel and patch level etc.

You can use the System ==> Status and then Other Kernel Info button to get the details about the Kernel Release, Patch levels etc.

I think an even more convenient way to do this is to use SM51. Highlight the server you are interested in and click on "Release Information". This provides you a location to view all servers without logging on to each one.

The answer below will give you information about the server you are connected to only.

Also try "disp+work -v" on server.

Go to transaction SM51 --> Release Information

Authorization Concepts

Access control in SAP is composed of several concepts:

Program code that calls an authorization check using the authority-check statement. This will look something like:
authority-check object id field

Authorization fields (corresponding to the in the above code) that define a scope of possible values. Examples of authorization fields would be:

ACTIVITY: defines the type of activity the user is doing with the data. Possible values are
'DISPLAY', 'MODIFY', 'DELETE', etc.

COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')

Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

Authorizations, each of which belongs to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:

FIELD VALUE
ACTIVITY *
COMPANY_CODE *

Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations. It sounds complicated, but once you start working with authorizations, it's pretty easy.
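
The concepts above, modelled in Python as an added example (not part of the original page and not SAP code): a profile tree whose leaves are authorizations, and a check that passes only when a single authorization of the object covers every checked field, which is how values from different authorizations stay uncombined. CO_MDATA and its fields are the page's illustration; the authorization names, profile names and company code 2000 are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Authorization:
    """Leaf node: values granted for the fields of exactly one authorization object."""
    name: str
    auth_object: str
    values: dict  # field -> list of "*", single values, or (low, high) ranges

@dataclass
class Profile:
    """Simple profile (children are authorizations) or composite (children are profiles)."""
    name: str
    children: list = field(default_factory=list)

def authorizations(node):
    """Walk a profile tree depth-first and yield its leaves."""
    if isinstance(node, Authorization):
        yield node
    else:
        for child in node.children:
            yield from authorizations(child)

def covers(granted, requested):
    """True if any granted entry matches; ranges compare fixed-width codes as strings."""
    return any(
        e == "*" or e == requested
        or (isinstance(e, tuple) and e[0] <= requested <= e[1])
        for e in granted
    )

def authority_check(user_profiles, auth_object, **checked):
    """Pass only if ONE authorization of the object covers every checked field."""
    return any(
        auth.auth_object == auth_object
        and all(covers(auth.values.get(f, []), v) for f, v in checked.items())
        for profile in user_profiles
        for auth in authorizations(profile)
    )

# Constructed sample data. CO_MDATA and its two fields are the page's illustration;
# the authorization and profile names below are hypothetical.
DISPLAY_ALL = Authorization("CO_MDATA_DISP", "CO_MDATA",
                            {"ACTIVITY": ["DISPLAY"], "COMPANY_CODE": ["*"]})
MODIFY_SOME = Authorization("CO_MDATA_MOD", "CO_MDATA",
                            {"ACTIVITY": ["MODIFY"],
                             "COMPANY_CODE": ["0438", ("0600", "1100")]})
ACCOUNTANT = Profile("P_ACCOUNTANT", [Profile("F_CO_DISPLAY", [DISPLAY_ALL]),
                                      Profile("F_CO_MAINTAIN", [MODIFY_SOME])])
```

Calling `authority_check([ACCOUNTANT], "CO_MDATA", ACTIVITY="MODIFY", COMPANY_CODE="2000")` returns False even though one authorization grants MODIFY and another grants every company code, which is the over-assignment question to ask when reviewing a composite profile.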
