000 client is standard client and contain client independent setting. 000 client contain simple organizational structure of test company and include all parameter for application, standard setting
001 client is copy of 000 client. It is reserve for the activity for preparing the system for production system.
Homogenous- Same OS +Same DB
Heterogeneous- Different OS+ Different DB or Same DB.
SAP_REORG_JOBS
SAP_REORG_SPOOL
SAP_REORG_BATCHINPUT
SAP_REORG_ABAPDUMPS
SAP_COLLECTOR_FOR_JOBSTATISTIC
SAP_COLLECTOR_FOR_PERFMONITOR
RSPO1043
Central instance have message server and dialog, update, spool, enque, gateway, background work processes.
Application server has only Dialog, update, spool, gateway and Background workprocess.
Note: SAP server has only one message server and Enque server.In a 3 system landscape, transports from development and quality is called Consolidation Route (this can have target groups & CTC).
Transports route from Quality to production is called delivery route.
Our SAP file system is filling up because initially it was defied too small. What are the non-required files that can be deleted from the SAP system? We are using HP-UX NetWeaver2004s on an Oracle database.
The files that can be deleted are mentioned below.
Remember that deleting these files is not a permanent solution. You should increase the file system sizes.
We are using an inspection plan for QM, SAP R3 4.6 and we are trying to restrict only particular users to release the created inspection plan, how we can achieve this? Also, is there a standard methodology available to do an impact analysis of SAP support packages?
The most fulfilling part of a security job is the research required to solve a particular problem and the rewards that come from continually expanding the breadth of one's understanding of SAP's delivered functionality.
I suggest that you consider turning on a trace while releasing an inspection plan and see if SAP provides an authorization check. You may also try to determine if SAP uses Status Management -- a cross-application functionality -- in relation to inspection plans.
There are authorization objects for status management that allow you to control who can change the status for an object. This may require that status management with user statuses be configured.
Suppose I want to allow 10 SAP users onto the system at once, how can I restrict a 11th user from logging into SAP? Can I send him a message that he cannot log in now?
 | ||
I have a batch of users that are set up with profiles only that have too much access. I want to build roles that give them access to the transactions they need to do for their job. I have asked these users' managers to give me information on what these users need; my new manager says that is not the way to do it.
| |
 |
How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.
This is possible in the SAP portal for portal roles but I defer to others for more specific guidance for SAP portals. Assigning roles to groups in the ABAP stack is a concept that SAP abandoned. It cannot be done in current versions of Netweaver. It may be possible in some earlier versions but the functionality was always problematic and ultimately SAP withdrew it from support.
I have one question about the SAP R/3 architecture: What distinguishes BASIS from the Application Server? What is the role of Basis doing vs. the role of an Application Server? How are these two linked & finally are ABAP/4 programs interpreted or compiled or both? Please give me an insight into this.
Basis is part of the application server. But, think of Basis as the foundation of the SAP system. "Basis" has to do with the installation and configuration of components that make the system work. About the ABAP/4 language: programs are compiled to a program code that runs interpretively. The compilation process is referred as "generation".
1. Why do we require a support package and why it is not incorporated with the new version of SAP R/3?
2. What are add-ons and why do we require add-ons?
3. What is CRT and why we require it?
4. Who should decide which patch should be applied and when?
Support packages are a collection of fixes that have come out after the official release of an SAP software solution.
Notice, though, that some support packages are preloaded with the system. R/3 Enterprise SR1 is a good example of that.
An add-on is a component that can be loaded into an SAP software solution.
Examples: PI, PI_BASIS, SOA 1.0 (CGVMIC).
The CGVMIC is the Management of Internal Controls add-on, which is part of the Sarbanes & Oxley Compliance Tool. New SAP releases come with some add-on preloaded, too. PI (Plug-In) is a good example. It's used to exchange data with other applications such as BW and APO.
A CRT (Conflict Resolution Transport) is used when you have installed an Add-on and Support Packages that conflict with each other.
Who decides about what patch should be applied and when? That's a good question. The answer is: You, the customer.
1. Why do we require a support package and why it is not incorporated with the new version of SAP R/3?
2. What are add-ons and why do we require add-ons?
3. What is CRT and why we require it?
4. Who should decide which patch should be applied and when?
Support packages are a collection of fixes that have come out after the official release of an SAP software solution.
Notice, though, that some support packages are preloaded with the system. R/3 Enterprise SR1 is a good example of that.
An add-on is a component that can be loaded into an SAP software solution.
Examples: PI, PI_BASIS, SOA 1.0 (CGVMIC).
The CGVMIC is the Management of Internal Controls add-on, which is part of the Sarbanes & Oxley Compliance Tool. New SAP releases come with some add-on preloaded, too. PI (Plug-In) is a good example. It's used to exchange data with other applications such as BW and APO.
A CRT (Conflict Resolution Transport) is used when you have installed an Add-on and Support Packages that conflict with each other.
Who decides about what patch should be applied and when? That's a good question. The answer is: You, the customer.
Hi, When I launch SAPGUI from a command line with ...&user &passs and &trans filled in I just get the login screen (even though the login and p/w are in the launch command line). What am I doing wrong?
| |
| |
Can you please give your views on the following:
The structure of SAP is such that the privilege to create a user and to allocate the role/activity to perform any function is given through a single transaction code.
The inability to allocate roles and create users or resetting their passwords through two different channels (transaction codes) is a structural weakness within SAP which can only be addressed by the technical people of SAP AG.
An ideal segregation would require these complementary functions to be performed by two different users. That is, the person who has the ability to create a user should not be allowed to assign the roles at the same time. Moreover, the fact that the structure of SAP enables any user to individually assign the roles without any other users interference does increase a inherent risk in SAP.
Moreover, based on the ideal security level the ability to allocate roles/transaction codes in SAP should not be such that it is executable by a user individually on his own.
A person who has SU01 or PFCG is, in reality, a super user. Can you suggest how to reduce the ability of the super user and especially the ability to individually assign roles to anyone, along with himself?
'm not an authorizations expert, but I assume that it should be possible to split authorization responsibilities. The same is possible with development and customizing. In most organizations, developers and customizers are allowed to do whatever they want in the development and acceptance system. The usage of the transport system is however limited and monitored by the approval concept. In such a setup, the SAP Basis administrator is responsible for transport management.Security and Data Protection with SAP Systems, published by SAP-PRESS in 2001, has an interesting chapter on distribution of roles and authorization maintenance. Unfortunately, the authors limit themselves to the an explanation of the concept. The technical implementation is not discussed. The chapter more or less discusses the issue you are describing and a possible solution.
1. Why do we require a support package and why it is not incorporated with the new version of SAP R/3?
2. What are add-ons and why do we require add-ons?
3. What is CRT and why we require it?
4. Who should decide which patch should be applied and when?
Support packages are a collection of fixes that have come out after the official release of an SAP software solution.
Notice, though, that some support packages are preloaded with the system. R/3 Enterprise SR1 is a good example of that.
An add-on is a component that can be loaded into an SAP software solution.
Examples: PI, PI_BASIS, SOA 1.0 (CGVMIC).
The CGVMIC is the Management of Internal Controls add-on, which is part of the Sarbanes & Oxley Compliance Tool. New SAP releases come with some add-on preloaded, too. PI (Plug-In) is a good example. It's used to exchange data with other applications such as BW and APO.
A CRT (Conflict Resolution Transport) is used when you have installed an Add-on and Support Packages that conflict with each other.
Who decides about what patch should be applied and when? That's a good question. The answer is: You, the customer.
I have one question about the SAP R/3 architecture: What distinguishes BASIS from the Application Server? What is the role of Basis doing vs. the role of an Application Server? How are these two linked & finally are ABAP/4 programs interpreted or compiled or both? Please give me an insight into this.
Basis is part of the application server. But, think of Basis as the foundation of the SAP system. "Basis" has to do with the installation and configuration of components that make the system work. About the ABAP/4 language: programs are compiled to a program code that runs interpretively. The compilation process is referred as "generation".
QUESTION POSED ON: 23 May 2001
I'm updating my users with their correct User Type for the User Audit. Is there any listing that identifies which tcodes are for which User Type? (Example: MM03-Informational, MM02-Operational)
As you know everything is in R/3 tables.
So, you can get a list of "users by type" by querying
table USR02.
The field 'USTYP' indicates the type of user
(Dialog, Background, CPIC).
Once you get a list of users by type, you can use
transaction SUIM to get the list of transactions
assigned to users.
After running SUIM, select Transactions->Transaction Lists
According to Selection With User, Profile or Object->Executable
for user.
You can create your own SQL script to get everything in a
pretty automated way.
Tip: declare cursors
To help you out, see the following SQL queries
(which you can then improve by declaring cursors).
-- This query lists all user accounts that are type Background
in client 400 select * from USR02 where USTYP='B' and MANDT='400'
-- This query lists all activity groups in client 400 assigned
to the user
JOHND
select * from AGR_USERS where MANDT='400' AND UNAME='JOHND'
-- This query lists all transactions assigned to
activity group 'AP_CLERK' in client 400
select TCODE from AGR_TCODES where MANDT='400' and AGR_NAME='AP_CLERK'
I'm confused about what Basis administration entails. Does it involve the J2EE and ABAP engines? Please help me sort out my confusion.
| |
| |
I am a new Basis administrator, and our systems are:
* SAP R/3 4.6C ( support patch: KA47, KB47, KH47 and KE84)
* Kernel 4.6D (Support Patch Level: 988)
* Solaris operating system is 64-bit, and Oracle database is 32-bit.
My questions:
1. How can I find out if our SAP kernel is 32-bit or 64-bit? I found only saposcol file is 64-bit, most of the files are 32-bit.
2. Do I have to download both DB-independent and DB-dependent files in order to upgrade our SAP kernel?
3. Do I have to download all files in DB-independent and DB-dependent into our system? Or just some files:
DB-independent: dw 1969, R3trans 1953, SAPEXE 1747, SAPEXE 1805, SAPEXE 1883, SAPEXE1913 and tp 1967. DB-dependent: SAPEXEDB, SAPEXEDB 1805, SAPEXEDB 1883, and SAPEXEDB 1913).
"For all current releases, the patches are stored in the SAP service marketplace http://service.sap.com/swcenter_3pmain . After choosing Oracle, you have the option to go down the oracle 32-bit or oracle 64-bit path. Please note that in order to decide which of the two to choose the only thing tht matters is what bit version your Oracle software is. No matter whether your OS is 64-bit; as long as your Oracle is still 32-bit you would go down the Oracle 32-bit path."
2. Yes. You need both. Otherwise, the system will not work properly or won't even start at all.
3. You need to download the latest versions or at least one version before the last one.
In the example above, you should download these files: DW_1969, R3trans_1953, SAPEXE_1913, TP_1967 SAPEXEDB_1913 Then, you need to decompress each archive (.SAR) file using SAPCAR -XVF.
