Maintain Profiles

In this IMG activity you define authorization profiles or check whether the standard profiles supplied meet your requirements. In addition, you can gather previously defined profiles in composite profiles.

A profile contains authorization objects for a delimited working area.

A composite profile contains several profiles.

With the help of profiles and composite profiles, you can easily structure and manage authorizations.

By entering a profile or a composite profile into the user master, a user receives all authorizations contained in it.

Requirements

• You have the authorization to create or maintain profiles.

• Create authorizations in the IMG activity Maintain Authorizations if the standard authorizations do not meet your requirements.

Standard settings

Profiles for some typical applications are preset in the standard R/3 System, such as:

• SAP_ALL

All authorizations in the R/3 System.

• SAP_NEW

All authorizations for newly created authorization objects.

• Profile in Cost and Revenue Element Accounting

• Profile for Cost Center Accounting

• Profile for Internal Orders

• Profile for Activity Based Costing

• Profile for Product Cost Controlling

• Profile for Profitability Analysis

Activities

1. Check whether the standard profiles meet your requirements.

2. If necessary, create new profiles according to your requirements. To do so, proceed as follows:

a) Enter the name of the required profile.

Keep the naming conventions in mind.

This can be an existing profile or a new profile.

b) Choose "Generate work area".

c) Use "Create" to determine whether it is a simple profile or a composite profile.

d) Enter a short text.

e) Enter authorizations for your profile by proceeding as follows:

• Choose your profile.

• Choose "Insert authorization".

You receive the list of the object classes. Via this list, you choose the necessary authorizations.

• Mark the required authorizations in the value set list and copy them into the profile.

f) Save your profile.

g) Activate your profile.

3. Check whether the profiles are complete, that is, whether all users can carry out the required actions.

Note on transport

You transport profiles as follows:

1. Display the profiles list.

2. Choose "Profile - Transport".

3. Select the profiles you wish to transport.

4. Confirm your selections and enter the correction number.

Importing Profiles

Use

When you first install an SAP System, upgrade to a new SAP release or add a new application server, the system automatically generates or updates SAP instance profiles at operating system level. Unfortunately, the installation program cannot save these profiles directly to the database. You must therefore import the SAP instance profiles before you can then edited them.

You can import profiles at any time, not only when you change profiles for the first time. You can also use the CCMS profile maintenance tool to generate a new operating system copy of all the active profiles that are currently in the profile maintenance database.

Ensure that all application servers (instances) are active before you import profiles.

Procedures

To import SAP profiles from all active application servers (mass import):

1. Call the CCMS profile maintenance tool by choosing CCMS
® Configuration ® Profile Maintenance. Alternatively, call Transaction RZ10.
2. Choose Utilities
® Import profiles ® of active servers. The system imports the default profile and all start and instance profiles that are used by the SAP instances. The system checks the profiles and displays a log. The names of the profiles in the database are taken from the corresponding file names on the operating system.




If you import the instance profile /usr/sap/C11/SYS/profile/C11_D53, then the profile in the database will be called C11_D53.

3. Once you have finished importing the profiles, position the cursor on the Profile field and press
F4. The system displays the names of the profiles that were imported.

To import individual profiles:

You should use this function if you have installed a new application server, or if a profile was modified at the operating system level. You must first create a new profile using the profile maintenance function.

1. On the initial screen of Transaction RZ10, enter the profile name (the version number is generated automatically).

Profile type and status now appear on the screen for your information.

2. Choose Profile
® Create.
3. Maintain the administration data: Short description, the file name in which the profile should be activated (you must specify a reference server and profile type).
4. Once the administration data has been transferred, choose Profile
® Import on the basic profile maintenance screen.
5. The system displays a dialog box in which you should specify the operating system file into which the profile should be imported. You can display all the profile files which are in the global profile directory using the
F4 key.

The system checks the imported profile for errors. You can now edit and/or import the profile into the database as described above. Once the import process is complete, you can decide whether you want to activate the profile.

Where Do Profiles Come From?

Definition

When an SAP instance is installed on a host using the SAP installation program R3INST , a start profile and an instance profile are automatically generated. If it is the first instance of an SAP System, the system also creates a default profile. Otherwise the existing default profile is simply updated.

The SAP installation program ascertains various profile settings. For example, appropriate buffer sizes, important data directories, and the name of the database host.

The profiles are placed in a global file directory so as to have access from every client in the system.

SAP start and stop utilities are also generated during the installation process. Your new installation may not require these utilities, depending on whether two or more instances share the same profile. If so, these redundant utilities can be removed. However, before you delete the utilities, complete the entire installation process and verify its operability.

In R/3 Releases 2.1x / 2.2x, the profiles were generated with the names: START_ and _ . From Release 3.0A, the profiles are generated with the names: START__ and __ . The ‘ startsap ’ script first looks for profiles that end with _ . If these profiles do not exist, the names from the Releases 2.1x / 2.2x are used.

Start Profiles

Definition

When you start an SAP instance on a host, the start profile defines which SAP services are started (message server, dialog, gateway or enqueue process. for example). The startsap program is responsible for starting these service processes, and it uses a start profile to begin the startup process.

The processes that can be started include:

• Application server

• Message server

• SNA Gateway

• System log send demon

• System log receive demon

Apart from the general profile parameters, such as the name of the SAP System ( SAPSYSTEMNAME ), instance number ( SAPSYSTEM ) and name of the SAP instance ( INSTANCE_NAME ), the only parameter names that are permitted in a start profile are:

• Execute_xx (xx = 00-99)
: To start operating system commands, which prepare the SAP System start. For example, you can use this parameter to start the SAP-related database or to set up links to executables on UNIX platforms.

• Start_Program_xx (xx = 00-99)
: To start an SAP instance, for example, on an application server.

• Stop_Program_xx (xx = 00-99)
: To start an operating system command or SAP program after the SAP instance was stopped. For example, the halting or removal of shared memory areas that were used by the SAP System.

The number xx defines the execution sequence. The programs specified in Execute_ parameters are executed before the programs listed in the Start_Program parameters. After the SAP instance has been stopped, the programs specified in the Stop_Program parameters are started. Here is an example of a start profile used to start a message server, an application server and an SNA gateway:

#.***************************************************************

#.* Start profile START_DVEBMG47

#.*

#.* Version = 000003

#.* last changed by = WATT

#.* last changed on = 21.03.1995, 15:05:19

#.***************************************************************

SAPSYSTEMNAME = K11

INSTANCE_NAME = DVEBMG47

#----------------------------------------------------------------

# start message server

#----------------------------------------------------------------

_MS = ms.sapK11_DVEBMG47

Execute_01 = local ln -s -f $(DIR_EXECUTABLE)/msg_server $(_MS)

Start_Program_01 = local $(_MS) pf=$(DIR_PROFILE)/K11_DVEBMG47

#----------------------------------------------------------------

# start application server

#----------------------------------------------------------------

_DW = dw.sapK11_DVEBMG47

Execute_02 = local ln -s -f $(DIR_EXECUTABLE)/disp+work $(_DW)

Start_Program_02 = local $(_DW) pf=$(DIR_PROFILE)/K11_DVEBMG47

#----------------------------------------------------------------

# start SNA-Gateway

#----------------------------------------------------------------

Use

To run a program on the local host, place the word ‘ local ’ in front of the relevant parameter value:

Execute_00 = local sapmsesa 53 remove

To execute a program on a remote host, place the host name in front of the parameter value.

Execute_00 = hs0011 sapmsesa 53 remove

You can choose any name for a start profile. The start profile files generated by SAP are structured as follows: START_ or START__ .

START_DVEBMGS53, START_DVEBMGS53_hs0311

To start the same SAP service processes on several hosts, you can use a single start profile. Each SAP instance does not have to have its own start profile.

Instance Profiles

Definition

Instance profiles provide an application server with additional configuration parameters to complement the settings values from the default profile. Typically, these parameter settings adapt the instance according to the desired resources. They also define the available instance resources (main memory, shared memory, roll memory and so on), and how to allocate memory to the SAP application buffers.

Below is a typical instance profile:

#.*************************************************

#.* Instance profile BIN_DVEBMG53 *

#.* Version = 000005 *

#.* Generated by user = BLOCHING *

#.* Date generated = 04.08.1995, 11:10:35 *

#.*************************************************

INSTANCE_NAME = DVEBMG53

SAPSYSTEM = 53

SAPSYSTEMNAME = BIN

abap/buffersize = 40000

abap/programs = 600

ipc/shm_psize_10 = 15000000

ipc/shm_psize_14 = 0

ipc/shm_psize_17 = 0

ipc/shm_psize_18 = 0

ipc/shm_psize_19 = 0

ipc/shm_psize_40 = 17000000

rdisp/PG_MAXFS = 4096

rdisp/PG_SHM = 1000

rdisp/ROLL_MAXFS = 16384

rdisp/ROLL_SHM = 200

rdisp/btctime = 60

rdisp/wp_no_dia = 5

rdisp/wp_no_enq = 1

rdisp/wp_no_vb = 1

rdisp/wp_no_vb2 = 1

You can choose any name for an instance profile. The SAP naming convention is as follows: _ or __ .

C11_DVEBMGS12.

C11_DVEBMGS12_hs0011

To start application servers on several computers using identical parameter settings, you can use a single instance profile. It is generally not necessary for each application server to have its own instance profile. Instance profiles are also called system profiles.

Substituting Variables in Profile Values

Process Flow

Parameter values in instance profiles can contain the following variables:

$(parameter name) is replaced by the value of the parameter name specified in brackets.

Param1 = ‘/usr/sap/C11/D53/dbg’

Param2 = $(Param1)/stats

Therefore Param2 = /usr/sap/C11/D53/dbg/stats

$$ is replaced by the SAP System number.

Param3 = logfile$$.

SAPSYSTEM = 29

Therefore Param3 = logfile29

You can also define local substitute variables. These values are not used by the SAP programs, their importance lies within a profile. They contain values used for setting up or filling parameter values. The names of these local substitute variables begin with an underscore (‘_’).

_SAP_PROFILE_DEFAULT = /usr/sap/C11/SYS/profile/DEFAULT.PFL

Param4 = _SAP_PROFILE_DEFAULT. Therefore

Param4 = /usr/sap/C11/SYS/profile/DEFAULT.PFL

Checking Active Parameters

You can use the ABAP program RSPARAM to find out which parameters are active for a particular SAP instance.

Procedure

1. Call program
RSPARAM.
2. Start this report on the SAP instance which has the parameter values you are interested in.

The system displays a list that consists of two parts:

• The first part shows the parameter values in "unsubstituted" form, that is, before the substitute variables were replaced.

• The second part displays the actual values of the individual parameters.

Saving, Checking and Activating Profiles

Once you have finished maintaining a profile, you can check it for errors or inconsistencies, save it in the database and then activate it.

The CCMS profile maintenance tool archives profiles as operating system files and also stores a reference copy in the database. The database copy is used to create the profiles at database level. This process is called activating a profile.

The profile maintenance tool ensures that changes to profiles are activated when the corresponding SAP instance is restarted. You cannot make changes to an SAP instance during active operation.

Procedures

Saving profiles

1. Call the CCMS profile maintenance tool by choosing Administration
® CCMS ® Configuration ® Profile Maintenance.

2. Specify a profile name in the Profile field and then choose Profile ® Save.

Checking single profiles:

Enter the name and version of the profile on the initial screen of Transaction RZ10. Then choose Profile ® Check.

Checking all profiles for the active server:

On the initial screen of Transaction RZ10, choose Utilities ® Check all profiles ® on the active server.

Checking all profiles used in operation modes:

On the initial screen of Transaction RZ10, choose Utilities ® Check all profiles ® in operation modes.

Activating profiles:

1. On the initial screen of Transaction RZ10, enter the name of the profile you want to activate. Use the possible entries pushbutton to display the profiles that are available.
2. Choose Profile
® Activate.
3. Stop and restart the SAP instance(s) in which the profile changes should take effect. You can do this using the CCMS
control panel.

The system creates automatically creates a backup file with the extension .bak for active profiles that already exist in an SAP System. You can copy and display this backup file even if the SAP System is not available.

Profiles

SAP profiles are operating system files that contain instance setup information. SAP Systems can consist of one or more instances. Individual setup parameters can be customized to the requirements of each instance. These individual parameters allow you to configure:

• The runtime environment of the instance (resources such as main memory size, shared memory, roll size)
• Which services the instance has available (work processes)
• Where other services can be found (database host).

Features

This profile file is structured as follows:

# This is a comment in a SAP profile:

Parametername1 = Value1

Parametername2 = Value2

Parameter names that logically belong together have a common root. For example, the root of parameters that control the dispatcher within an application server is: rdisp/ .

The parameter rdisp/wp_non_dia specifies how many dialog work processes are started by the dispatcher.

SAP profiles are stored in a special file directory. This directory can be made accessible from all hosts depending on current needs:

UNIX systems : /usr/sap//SYS/profile

Windows NT systems: \\sapmnt\\sys\profile\

( = SAP system name and = name of the NT machine on which the global profile directory is physically located)

All hosts in an SAP System can access these profiles. It is possible for several R/3 instances to use a single profile simultaneously. Separate profiles are not required for each R/3 instance.

You should maintain setup profiles using the Computing Center Management System (CCMS). You should therefore not edit the active profiles directly at operating system level.

Securing User SAP* Against Misuse

The SAP system has a default superuser, SAP*, in the clients 000 and 001. A user master record is defined for SAP* when the system is installed. However, SAP* is programmed in the system and does not require a user master record.

If you delete the SAP* user master record and log on again as SAP* with initial password PASS, then SAP* has the following attributes:

· The user is not subject to authorization checks and therefore has all authorizations.

· The user has the password "PASS", which cannot be changed.

If you want to deactivate the special properties of SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is set, then SAP* has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.

You should set the parameter in the global system profile, DEFAULT.PFL, so that it is effective in all instances of an SAP system. You should ensure that there is a user master record for SAP* even if you set the parameter. Otherwise, resetting the parameter to the value 0 would once again allow you to log on with SAP*, the password ”PASS” and unrestricted system authorizations.

If a user master record exists for SAP*, it behaves like a normal user. It is subject to authorization checks and its password can be changed.

Deactivating User SAP*

As SAP* is a known superuser, SAP recommends that you deactivate it and replace it with your own superuser. In the SAP* user master record, you should proceed as follows:

· Create a user master record for SAP* in all new clients and in client 066.

· Assign a new password to SAP* in clients 000 and 001.

· Delete all profiles from the SAP* profile list so that it has no authorizations.

· Ensure that SAP* is assigned to the user group SUPER to prevent accidental deletion or modification of the user master record.

The SUPER user group has a special status in the predefined user profiles. The users that are assigned to group SUPER can be maintained or deleted only by the new superuser that you define, provided that:

· you use the predefined profiles, and

· you follow SAP's other user and authorization maintenance recommendations.

Defining a New Superuser

To define a superuser to replace SAP*, you need only give a user the SAP_ALL profile. SAP_ALL contains all authorizations, including new authorizations released in the SAP_NEW profile.

SAP_NEW assures upward compatibility of authorizations. The profile ensures that users are not inconvenienced when a release or update includes new authorization checks for functions that were previously unprotected.

sap Basis Profiles

1.What is an operation mode?

An operation mode describes the number and types of work processes on one or more instances.

2.what is log on group?

A log on group is a logical unit and a subset of all application servers with in the R/3 system.

3.how does the profile generated?

Profile is generated and configured with default setting during installation R/3 set up.

4.what is a profile?

A group of authorizations not more than 150 is called a Profile.

5.How many types of profiles?

Two types

1.System Profiles 2.Authorisation Profiles.

6.What are the System Profiles?

Startup Profile

Default Profile

Instance Profile

7.What is Centralization of profiles?

Where you can maintain and manage all profiles of all instance centrally

8. What is Profile Version Management?

Every saved changed to profile is start as Version in R/3 database. The versions are number consequentially

9. What is Consistency Check?

The system verify logical relationship and basic rule for parameter configuration

10. Comparison between active profile and profile saved in database?

We can analyze variants between the currently active profile the profile saved in the database. This is to check whether profile R/3 system as been modified manually .

11.what are the 3 type of maintaining the profile?

Administrative

Basic

Extend

12.What is the administration profile maintenance?

It will change the descriptions location of the profile.

13 What is the basic profile maintenance?

All the parameters are described have we change the parameter at mouse click level. This is GUI based

14 What is the extend profile maintenance?

This is create and modify the existing parameter. This is used to resolve the issue according at the time.

15. Where did version of profile is created in O/S level?

Usr/sap//sys/profile.

16. when we change profile then what is the extension of that profile in O/s level?

.bak

17. what is the extension of current profile?

.pfl

18. Where we can check parameter currently active?

We check the report RSPARAM in the R/3 system

19. What is the Control panel?

This provides to monitor the functional performance of the instances and operation modes in R/3 system.

20. What is dynamic User Distribution?

In the R/3 system with multiple application servers, it is advisable to distribute the load equally among all the servers.

21.What is Long On Load Balancing?

From the Group of R/3 system assign the user to the application server currently high load between instances.

22. What is load Limit?

We can assign the load limit each instance as upper limit .average response time and maximum number of user.

23.what is the programme at os level user user adm used?

Sappfpar it provides information on the parameters setting of a instance and main memory requirement.

24. what are the options for Sappfpar Programme?

Sappfpar

Sappfpar all

Sappfpar check

25. what is the use of T.code RZ10?

It is used to Maintain the profiles.

26.What is the use of T.code RZ11?

It is used to maintain the profiles dynamically.

27.What is the composite role?

A group of role is composite role.

28. What is the composite profile?

A group of profile is composite profile.

29.what is a derived role?

Which is derived from parents or generic role.

30.what is authorization class?

Group of not more than 150 authorizations objects is referred to as authorization class.