5-1-2 (Formula) (Total 8 Years)
5 years of standard maintenance
1 year of extended maintenance + with a fee of 2% of standard maintenance
2 years of extended maintenance + 4% Standard maintenance
Navigation
3 types of GUI in SAP
Default
Windows Based GUI - SAP GUI for Windows
HTML Based GUI - SAP GUI for HTML
JAVA Based GUI - SAP GUI for JAVA
SAP Login
- Client:
- User Name:
- Password:
Two Types of Menus in SAP
1. Standard Menu (SAP Menu)
2. Role Based Menu
The steps for downloading from SAP to the desktop, as well as uploading from the desktop to SAP, are:
->System
->List
->Save
->Local file
Shortcut Commands
/n – Takes to new session in session
/o – New window in new session
/nend – Logging off current session
/nex – To close entire system (without saving)
/I – unsaved session logout
Help – SAP
In SAP there are two types of help
F1 – Technical Help
F4 – It provides possible entries for a particular field. (Maximum 500 entries are
allowed in F4)
- Change item
SAP log: Start SAP logon file.
Every system will have a port number starting with 32 followed by two digits (00-99)
3298 – niping
3299 – SAP router
SAP Architecture:
Three types of Architecture
- Single Tier -> Presentation Layer
- Two Tier -> Application Layer
- Three Tier -> DB Layer
If P, A, and DB are in one box, it is called Single Tier architecture.
If P and A are in one box and DB is in another box, it is called Two Tier architecture.
If P is in one box, A in another box and DB in another box, it is called Three Tier
architecture.
- SAND box is used only for R&D purpose. Whatever changes you do
in SAND box will not be transported out of the box i.e. the changes
are stored under $TEMP (local server only).
- Training box is used by end users for training purpose.
- Both SAND and Training box will have exactly the same data as
production box.
Development Box
- MAST
- CUST
- SAND
MAST
000 001 066 – Clients
000 to 999 client number names
Type of Changes in Development box
- In SAP there are only two types of changes.
Workbench change: T.C. is SE09
Customizing Change: T.C. is SE10
Workbench Change: changes made to the default values provided by the SAP in
the tables is called workbench change.
Customizing Change: a change which is a totally new change in a system, e.g.
creating a new program or modifying the structure of a program.
- In SAP there will always be one export and ‘N’ number of imports.
Ratio of export to imports is E:I; 1:N
- In three system landscape one export and two imports.
- Data moved out of development box is called as export
- Data pulled into quality and production box is called as import.
- The process is called as transportation
- CTD: is a physical location which has to be configured at the time of
installation.
- CTD in most cases is configured in development box.
- Client number and user name will be same in all boxes
These all are SAP client user ID, Client and Password.
- On 6th July 1992 SAP moved from two Tier architecture to three
Tier architecture.
- R/2 is Mainframe
- R/3 SAP
Multi System Landscape
Server:
I) central instance
II) application instance
[Figure: presentation layer (SAP GUI for Windows, SAP GUI for HTML in a web browser), application layer (dispatcher with work processes D, E, V, B, G, M, S; 0-99 each of D, E, B, V, G and S, and 1 M) and DB layer]
• Each work process will have one dispatcher
• Dispatcher is called as waiting queue
2) Enqueue: The instance which has the maximum number of enqueue work processes is
called the enqueue instance
Note:
• Enqueue work processes are used for locking and unlocking of SAP objects
in a table
• We should have a minimum of one enqueue work process in an
instance
(By default we have one work process)
3) Background: The instance which has the maximum number of background work
processes is called the background instance
Note:
• This work process is used for handling the jobs which are scheduled in the
background
Ex: Jobs like list of financial accounting data, profit and loss sheets,
production related info etc.
Note: Jobs are of three types
1) Medium
2) High
3) Low
These are represented by different colors and are monitored and
administered by using third party tools
Update work process: this is of two types
1) Primary update (v): task critical activities are primary update
2) Secondary update (v1): non critical activities are secondary update
Note: The maximum number of jobs are of secondary update type
Gateway: the gateway is used for communication between two SAP R/3 systems
Note:
• Also between an SAP R/3 system and a non-SAP system, and between R/3 and R/2
• The gateway work process is used for external communications
• A minimum of one work process is needed
Spool: is used for handling requests to external devices like printers and fax
machines
Note: A minimum of one spool work process is required
Message: There are three functions of the message work process
• Handling the input request from the presentation layer
• Communication with dispatcher and the work process
• Logon load balancing
Note:
We will always have only one message work process in any R/3 installation.
• The server on which the M + enqueue work processes are available is
called the central instance or central server.
• The servers on which the other types of work process are available except
message (i.e. D, E, V, B, G, S) are called application servers or
application instances
• The transaction code to monitor the type of servers or instances is
SM51
• In SM51 we can see only active servers or instances
• The transaction code to monitor both active and inactive instances is
SM66
• SM66 is also called the global process overview
• The transaction code to monitor the list of work processes present in a
particular instance is SM50
Note:
Each work process requires around 75 to 115 MB of memory to be configured
• We can set the execution time for each and every work process by using
profile parameters
• Default execution time for a work process is 60 sec
Note: we need to enter the target system OS and DB to generate this key
SAP Data is segregated into three layers
1) SAP standard objects
2) Cross client objects
3) Client specific objects or Data
1) SAP standard objects: These are repository objects, which
include functions, transactions, programs, screens etc.
• All these are in the name space of A to X
Note: never try to change the repository objects unless it is required
2) Cross client objects: These are cross client tables which can be
modified
Ex: currency table, measurement table, client administration table
etc.
• Whatever changes we make of type cross client will affect all the
users present under those clients
3) Client specific objects (or) data: a change which is specific to a
particular client is called client specific data.
Ex: user master data, application data, customized data
These are of three types
1) User master data
2) Application data
3) Customized data
Starting and Stopping of SAP
When we start SAP the following sequence is executed
Database
Central instance
Dialog Instance or any other Instance <Optional>
The starting and stopping from windows can be done using SAP Microsoft
Management Console. In MMC right click on <SID> will give the following options
Start
Stop
View Start Profile
View Instance Profile
Trace
The color-coding for the status of the sap server
Yellow
Green
Red Error
Start Stop
Three types of profiles
Start/Stop of SAP systems at the background is controlled by set of profiles which
are located at \USR\SAP\DEV\SYS\Profile where DEV is the SYSID
Never edit the startup profile because this profile is related with
starting/stopping of SAP system.
The first profile which is read while starting the SAP system is the start profile, and it is
followed by the instance profile.
All work processes are configured in the instance profile. This profile is specific
to the instance in which SAP is installed. Any changes made to the
startup profile will affect only that particular instance.
All changes made to the default profile will affect all the instances which
are configured.
SAPGLOBALHOST
Startdbs.cmd DB
Msg_server.exe Central Instance
Disp+work.exe Dispatcher
Igswd.exe Java
Start/Stop in Unix:
Commands used to start and stop at OS level in Unix environment.
StartSAP
StopSAP <DB>
<R3>
<ALL>
Note: How to start/stop the Java engine will be covered later.
Directory Structure: The directory structure for SAP installed files will be
\USR\SAP\<SYS_ID>\
PRFDOG
TMP
TRANS
One of the most important directories is Trans. Inside it the following sub
directories are present.
Before stopping SAP system we need to check the status of the following
• Check if there are any logged on users. Use Transaction Code – SM04
• Check if any background process is to be defined – SM36
• Check if there are any Background processing is going on. Use TC – SM37
• Check if there is any Batch input session. Use TC – SM35
• Check if there are any update processes running. Use TC – SM13
Note:
1) After verifying the above status we need to send a message to all the
users stating the shutdown time using Transaction Code SM02.
2) All transaction codes that we monitor are executed in the central Instance
only.
3) To view the users who are logged into all the instances we can use
Transaction code AL08 (Global User Overview)
4) Transaction code to view profile parameters is RZ11.
5) Trans Code to edit or change the profile parameters is RZ10.
6) Report “RSPFPAR” is used to provide the same functionality as RZ11.
There are two types of profile parameters
1) Static Parameters
2) Dynamic Switchable
For dynamically switchable parameters, we need not restart the SAP system after
making the changes. For static parameters, we need to restart the SAP system to
make the changes effective.
In the table “TPFYPROPTY”, the dynamic indicator (X) identifies all dynamic
switchable profile parameters.
Note:
• Use Transaction code SE16 to view the contents of a table.
• To display profile parameters from OS level we need to use the
following
sappfpar <Parameter Name>
<ALL>
<Check>
<Help>
Eg: sappfpar ALL will return the list of all parameters.
Modes of Editing Profile
There are 3 types of edit profiles
1) Administration of Data
2) Basic Maintenance
3) Extended Maintenance
Administration of Data: contains type of profile, short description, path of
profile, Name of instance and the time of last activation. This profile mode is used
only to display the profile parameters.
You can perform the maintenance of parameters using either basic
maintenance or extended.
Basic Maintenance: allows adjusting most important parameters and
provides logical description.
Extended maintenance: displays the unformatted content of the profile i.e.
technical names of the profile.
In extended maintenance we can change the values, add values as well as
delete.
Changes are done in 2 steps.
Copy == Changes are temporarily copied
Save == Changes are permanently saved to database
Changes to instance specific profiles take effect only after a restart of the
corresponding instance.
Profile parameter related to security administration starts with auth* in RZ10
Profile parameter related to work processes starts with rdisp* in RZ10
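The profile handling described above, as an added example that is not part of the original notes: it merges a default profile with an instance profile, records which profile supplied each effective value, and applies the work process minimums and the 30 minute client copy runtime that these notes state. The profile text is constructed, and the rdisp/wp_no_* and auth/rfc_authority_check names are standard kernel parameters that the notes themselves do not list.

```python
"""Merge a default profile with an instance profile and check work process settings."""

# Constructed sample profile text (not taken from a real system).
DEFAULT_PROFILE = """\
# default profile: applies to all instances
SAPSYSTEMNAME = DEV
rdisp/max_wprun_time = 600
rdisp/wp_no_spo = 1
auth/rfc_authority_check = 1
"""
CENTRAL_INSTANCE_PROFILE = """\
# instance profile of the central instance
rdisp/wp_no_dia = 6
rdisp/wp_no_btc = 2
rdisp/wp_no_enq = 1
rdisp/wp_no_vb = 1
rdisp/wp_no_vb2 = 1
rdisp/max_wprun_time = 1800
"""
DIALOG_INSTANCE_PROFILE = """\
# instance profile of an application instance
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 4
rdisp/wp_no_enq = 0
"""

# Work process type -> profile parameter holding its count.
WP_PARAMS = {
    "dialog": "rdisp/wp_no_dia",
    "background": "rdisp/wp_no_btc",
    "enqueue": "rdisp/wp_no_enq",
    "update": "rdisp/wp_no_vb",
    "update2": "rdisp/wp_no_vb2",
    "spool": "rdisp/wp_no_spo",
}


def parse_profile(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_parameters(default_text, instance_text):
    """Return {name: (value, source)}; the instance profile overrides the default."""
    merged = {}
    for source, text in (("default", default_text), ("instance", instance_text)):
        for name, value in parse_profile(text).items():
            merged[name] = (value, source)
    return merged


def select(merged, prefix):
    """Pick one parameter family, e.g. 'rdisp/' or 'auth/'."""
    return {n: v for n, v in sorted(merged.items()) if n.startswith(prefix)}


def work_process_counts(merged):
    """Return {kind: count}; None means neither profile sets it (kernel default, not modelled)."""
    counts = {}
    for kind, param in WP_PARAMS.items():
        entry = merged.get(param)
        counts[kind] = int(entry[0]) if entry else None
    return counts


def memory_estimate_mb(counts):
    """Apply the 75 to 115 MB per work process figure from the notes."""
    total = sum(n for n in counts.values() if n is not None)
    return total * 75, total * 115


def findings(merged, central_instance, client_copy_planned=False):
    """List settings that fall below the minimums stated in the notes."""
    counts = work_process_counts(merged)

    def below(kind, minimum):
        return counts[kind] is not None and counts[kind] < minimum

    problems = []
    if central_instance and below("enqueue", 1):
        problems.append("rdisp/wp_no_enq: central instance needs an enqueue work process")
    if below("spool", 1):
        problems.append("rdisp/wp_no_spo: at least one spool work process is required")
    if client_copy_planned:
        if below("dialog", 2):
            problems.append("rdisp/wp_no_dia: client copy uses at least 2 dialog work processes")
        value, source = merged.get("rdisp/max_wprun_time", (None, "unset"))
        if value is not None and int(value) < 1800:
            problems.append(f"rdisp/max_wprun_time={value} ({source} profile): below 30 minutes")
    return problems


if __name__ == "__main__":
    for label, text, central in (("central", CENTRAL_INSTANCE_PROFILE, True),
                                 ("dialog", DIALOG_INSTANCE_PROFILE, False)):
        merged = effective_parameters(DEFAULT_PROFILE, text)
        print(label, work_process_counts(merged), memory_estimate_mb(work_process_counts(merged)))
        for problem in findings(merged, central, client_copy_planned=True):
            print("  finding:", problem)
```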
Steps for tuning Work Processes
• In the command prompt of SAP Execute RZ10.
• In the new screen opened to edit the profile parameters, choose Utilities
option from the Menu
1) Inside Utilities choose the option Import Profile of Active Servers. This
step is used to read 3 profile parameters from OS level to SAP level. Output
of these steps is that it displays profile check log. In which it will show
status of the three profiles i.e. any errors in reading the profiles.
2) Press back button
3) Select profile tab and select instance profile.
4) Goto extended maintenance and select [Change] button
Note: To create a new parameter select [Create Parameter] button.
To change the value of the existing parameter, select the parameter under the
parameter name column and click on change button.
Change the value and select [Copy] button
Select [Back] and again click on [Copy] button
Click on [Back] and click on [save] button.
Operation Modes
There are two types of operation mode
1) Day Mode
2) Night Mode
In a real time scenario during day mode, we have the maximum number of users
logging into the SAP system; hence we need the maximum number of dialog work processes
to be set.
During night mode, the maximum number of background work processes is
scheduled. Hence we need the maximum number of background work processes in
the night.
In order to make these changes we need to set up operation modes
Note: During switching of operation modes, neither the instance nor the affected
work processes need to be restarted.
Setting up of operation Mode
In the command prompt of SAP execute the Transaction code RZ04
Create operation mode Day, Night
Call all active instances of the system
Select work processes that are needed based on the operation mode and
assign to it as default.
Switching up of operation modes should be set in SM63 (Time Table
maintenance)
Click Save
Note:
Work process allocation is made primarily between dialog and background.
Work process type = Dialog, Background, Class A, Update, V2 Update, Enque
and Spool.
Class A work process are allocated primarily for background jobs of priority
high.
Maintain Operation mode and Instances
1) Select [Instance/Operation Modes]
2) Select [create new instance]
3) Enter Hostname, select start profile, and instance profile.
4) Click on [save] button
5) Work process distribution window pops up
6) Select type of operation mode and tune the number of work processes and
click on [save].
Note: In live environment we will not be required to perform this step regularly,
and instead we choose Instance -> Maintain Instance -> Work Process Distribution.
7) Click on [consistency check] Button. Note: Always use consistency check
button because operation mode switch will not work if there is any
inconsistency.
8) Goto SM63 (Timetable maintenance) and select [Change] button.
9) Choose the following menu: Edit -> Time Period -> 15 Minutes. Why only 15
minutes?
10) Select start time and end time and select assign and select operation
mode.
11) Repeat these steps for Night mode.
Go to RZ03 to display server status and Alerts.
Note: This step is selected for manual switch of the operation mode.
Select Server name and Choose Operation mode
Select the mode and click on Choose
Go to Control | Switch operation Mode
| All Servers -> Selected Servers -> Simulation
Very important Questions
16) What is the transaction code to check whether all my instances are active or
not?
17) What is the transaction code for finding out number of work process present in
a particular instance?
18) How do I do manual switching of operation mode?
19) How many work processes are required in order to login to SAP system? What
are the types?
20) In what sequence does the system read system parameters?
21) What is the transaction code to check the consistency of individual profiles?
22) In which sequence we perform the setting up of operation modes?
23) Which SAP processes are started when the SAP system or an instance is
started?
24) How do I find out which are dynamically switched or static parameters?
25) How do I display current values of system parameters? What are the ways of
displaying current values of system parameters?
26) If I make any change to the startup profile do I need to restart SAP system?
CLIENT ADMINISTRATION
The list of very important transaction codes for client administration
Activity           | Activity Description      | Transaction Code
Client Creation    | Create a new client       | SCC4
Client Deletion    | Delete an existing client | SCC5
Local Client Copy  | Copying local client data | SCCL
Remote client copy | Remote client copy        | SCC9
Client Export      | Client Export             | SCC8
Client Import      | Client Import             | SCC7
Client Copy Logs   | Client Copy Logs          | SCC3
Note:
CATT – Computer Aided Test Tool
Resource Requirements
Copying clients requires large amount of system resources
To avoid any bottlenecks we should ensure that there are enough resources
available by considering the following
1) DB Storage Space
2) Perform a test run before copying a client.
Question) Why do we need to perform a test run?
Ans) Test run determines which tables are to be changed.
Note: What is the amount of storage space a client will occupy?
A client without application data needs approximately 150-200 MB of storage
space in a DB
Implementation Considerations
Question) Why do we need to do client copy?
Ans) To create new clients.
Note: New clients are based on SAP reference client 000 when the R/3
system was first implemented. The new clients are Training, Demo, Test and
Production Clients.
Note: It is strongly recommended when doing client copy to use the profile
SAP_CUST.
Question) Do we need to transport clients between systems (or) what is the
procedure for copying clients between systems?
Ans) We are no longer required to transport clients; instead we make a remote client
copy.
Features
When copying clients you can select the data that you want to transfer from
source to target client.
Various Types of data are as follows
a) User Master Data: We select this option only if we want to copy
all the users of an existing client with same authorizations into
target client.
b) Client Specific Customizing: We select this option if you want to
setup a new client in an existing system.
c) Client Specific Customizing and Master/Transaction data: We
select this option if we want to setup a test client i.e. identical to
the production client in the same system.
d) Client Specific and Cross Client Customizing: We select this
option if we want to setup a quality Assurance system based on the
production client of another system.
e) Client Specific and Cross Client Customizing and
Master/Transaction Data: This option is selected to setup a test
client based on production client of another system.
Note: When a client copy process is completed the client copy tool automatically
generates all ABAP dictionary objects that we created as a result of a generation
process.
Restrictions:
Background Processing: We can copy clients either online or in background.
Note: SAP recommends scheduling client copies as background jobs. Why?
Answer)
• During client copy we must ensure that no user logs on to the system (Source
Client)
• Users already working in target client cannot be locked automatically before
the client copy starts and we must ensure that they leave the system.
• In source client we can lock the users.
Note: In normal situations for some technical reasons we should not lock users in
source client. Eg: Production client.
If the source client is production client, this may lead to inconsistency if users
are not logged off. To avoid inconsistencies, the related tables are copied together
with other tables.
During client copy large volumes of data are transferred and hence it may take
several hours, for which we need dialog processes.
Note: Client copy tool generally uses a minimum of 2 dialog work processes even if
you start in background.
Before performing a client copy set the profile parameter MAX_WPRUN_TIME;
it is recommended to set it to 30 minutes.
Question) Why should we not transport the client data?
Ans) This is explained with the help of a scenario. In the target system, we have set up
clients whose data must not be affected. The cross client data must not be
imported into the system from outside, since the cross client data overwrites
existing data so that customizing data of other clients in the target system no
longer takes effect.
For client transports RFC connection should be established between the
systems.
Copy Profiles
For copying clients R/3 offers a set of profiles
Copy Profile | Description
SAP_USR      | Copies user master records and profiles only.
SAP_CUST     | Copies all customizing tables including user profiles
SAP_VCUS     | Copies all customizing tables, user data and user profiles.
SAP_ALL      | Copies all data belonging to a client.
Authorizations
To be able to copy and transport clients we need appropriate authorizations
There are two Types of authorizations
1) General Authorizations for client copy
2) Special Authorizations
1) General Authorizations for client copy
Authorization | Allows you to
S_TABU_CLI    | Maintain cross client tables
S_TABU_DIS    | Maintain system tables
S_CLIENT_IMP  | Import data when performing a client copy
S_DATA_SET    | Access the file system
Copying of clients:
Authorization | Allows you to
S_USER_PRO    | Copy user profiles
S_USER_GRP    | Copy user master records
2) Special Authorizations
Authorization | Allows you to
S_CTMS_ADMI   | Create object list for client transport and copy object list between two clients.
Note: This authorization is related with client transports. This authorization object
should have the values TYPE=CLCP and ACTVT=01
Question) what default user has all the authorizations?
Ans) SAP*. This is the reason for locking this user in different environments.
2) Select [Change] button
3) Select [New Entry]
Fill the following entries
1) Client No and Description
2) Select the client Role
System | Client Specific Objects | Cross Client Objects | Protection Level
DEV (Default Options) | Automatic Recording of changes | Changes to repository and cross client customizing Allowed | 0
PRD | No Changes Allowed | No Changes to repository and cross client customizing objects | 1 (no Overwriting)
(Scenario 1) QAS and Testing same setting as PRD | No Changes Allowed | No Changes to repository and cross client customizing objects | 1 (no Overwriting)
(Scenario 2) QAS | No Changes Allowed | No Changes to repository and cross client customizing objects | 1 (no Overwriting)
TRNG | Changes w/o automatic recording, no transports allocated. | No Changes to repository and cross client customizing objects | 1 (no Overwriting)
SNDB | Changes w/o automatic recording, no transports allocated. | Changes to repository and cross client objects allowed. | 1 (no Overwriting)
Protection Level
1 is for copying data
The aim of the protection level attribute is to prevent the client from being overwritten
intentionally or unintentionally by copying additional client dependent data
from another client.
In DEV the protection level is always no restriction
In PROD: no overwriting, but external availability is there.
CATT
CATT Stands for Computer Aided Test Tool
They generate test data that may be helpful for demonstration purpose.
A client with protection level 1 and 2 cannot function as target client.
CATT scripts are only used in test systems as well as QAS systems.
This option provides access for testing of data using various testing tools.
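One way to check client settings against the client role table and the protection level rule above, as an added example that is not part of the original notes. The CSV column layout and the sample rows are constructed for illustration and are not an SAP export format; the baseline values are transcribed from the table in these notes.

```python
"""Compare client settings with the role baseline from the notes."""
import csv
import io

# role -> (client specific objects, cross client objects, protection level),
# transcribed from the client role table in the notes.
BASELINE = {
    "DEV": ("automatic recording", "changes allowed", "0"),
    "PRD": ("no changes", "no changes", "1"),
    "QAS": ("no changes", "no changes", "1"),
    "TRNG": ("changes without recording", "no changes", "1"),
    "SNDB": ("changes without recording", "changes allowed", "1"),
}
FIELDS = ("client_specific", "cross_client", "protection_level")

# Constructed sample; the column names are hypothetical.
SAMPLE_EXPORT = """\
client,role,client_specific,cross_client,protection_level
100,DEV,Automatic Recording,Changes Allowed,0
200,QAS,No Changes,No Changes,1
300,PRD,No Changes,Changes Allowed,0
400,TRNG,Changes without recording,No Changes,1
500,DEMO,No Changes,No Changes,1
"""


def load_clients(text):
    """Read the export and normalise case and whitespace so values compare cleanly."""
    clients = []
    for row in csv.DictReader(io.StringIO(text)):
        clean = {key: value.strip().lower() for key, value in row.items()}
        clean["role"] = clean["role"].upper()
        clients.append(clean)
    return clients


def deviations(clients):
    """Return (client, field, expected, actual) for every setting off the baseline."""
    found = []
    for client in clients:
        expected = BASELINE.get(client["role"])
        if expected is None:
            # A role the table does not cover needs a manual decision.
            found.append((client["client"], "role", "known role", client["role"]))
            continue
        for field, want in zip(FIELDS, expected):
            if client[field] != want:
                found.append((client["client"], field, want, client[field]))
    return found


def possible_copy_targets(clients):
    """Per the notes, a client with protection level 1 or 2 cannot be a target client."""
    return [c["client"] for c in clients if c["protection_level"] not in ("1", "2")]


def unprotected_production(clients):
    """Production clients that a client copy could still overwrite."""
    targets = set(possible_copy_targets(clients))
    return [c["client"] for c in clients if c["role"] == "PRD" and c["client"] in targets]


if __name__ == "__main__":
    rows = load_clients(SAMPLE_EXPORT)
    for client, field, want, got in deviations(rows):
        print(f"client {client}: {field} is '{got}', baseline is '{want}'")
    print("possible copy targets:", possible_copy_targets(rows))
    print("production clients without overwrite protection:", unprotected_production(rows))
```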
Restrictions
Locked due to a client copy: This option is used while performing client copy,
i.e. locking the entire client.
Protection against SAP upgrade:
Data in R/3 is of 2 types
Client Dependent data:
Example: Customizing, Application and User data
Client Independent data:
Example: ABAP Program, R/3 Repository Objects and Enterprise IMG
In table related with client information T000, “mandt” is a field in the table
T000 that stores name/number of the client.
Client present in non-IDES: 000, 001 and 066
Client present in IDES: 000, 001, 066 and 800 (Totally customized Client)
Note:
Option – “No Transport Allowed” deactivates CTS (Change Transport System) in
client.
Local Client Copy
Copying clients within the same system
1) Execute the transaction Code SCCL at the SAP command line
2) Select a copy profile that matches your requirement. Click on [Choose]
button
3) Save the profile value by choosing the button [Save Profile Value]. We use
this option if we want to use the selected profile as default settings.
4) Enter the source client
5) Start the copy process. Starting of copy process can be done in 2 ways.
Either schedule it as a background job or start immediately. Note: In a live
environment we schedule it as a background job only.
If the expected output of the copy process is to copy only user data and
profiles then we can run it online i.e. [Start Immediately]
In order to perform a client copy the most critical step is logging into the target
client and performing the above process.
Steps:
1) Login to target client and go to SCC9
2) Select the copy profile
3) Enter the RFC destination
4) Start the copy process
Note: Transaction Code to create RFC destination is SM59
Transporting Clients between systems
Note: You are no longer required to transport clients before you can copy clients
between systems. Instead you can make a remote copy. Nevertheless SAP
continues to provide support for the transport function.
During client transport all languages of the source system are transported.
They overwrite the text in the target system. Therefore all texts whose language
exists only in the target system but not in the source system are lost in the
target system.
Steps
1) Log onto source system SCC8
2) Select a copy profile
3) Select a target system client.
Note: Logon to source system in the source client with a user that has transport
authorization.
Data export is performed automatically asynchronously.
Output of export includes the names of transport requests that are to be
imported as
<SID>KO<no> Cross client Data
<SID>KT<no> Client specific Data
<SID>KK<no> Texts and Forms
Once we are done with export, go to SE01 or SC09 and check for the transport
request created.
Client import post processing is always necessary and must be performed in
the target client after import of transport request.
Goto SCC7 to check the import Queue and verify the request number and
export system and click on background job tab or start immediately. Thus the
client transport is done.
Note: Client Transport = Client Export + Client import
Log onto target client go to SCC1, give the source client and transport request
number and schedule it in the background. This is how local client transport is
done.
Post processing activities after client import
Use the following menu for post processing activities.
Tools -> Administration -> Client Admin -> Client Transport -> Post Processing
Import
Note: We can use this option to transport customizing changes to the target
client, that have been made in the source client after the client copy.
Displaying Client Logs
Goto SCC3 to check for the logs
To display the detail log for a run, position your cursor on appropriate run and
then select the [Choose] button.
The system displays the list with the info Copy Type, Profile, Status, User,
Tables, where copy problems occurred and statistical info.
To view further details choose [Details] button.
Restarting Client Copy
If the process terminates for some technical reasons like database shutdown,
you can always restart the process from the point of termination.
If you start a client copy or a client transport, and the previous process
terminated prematurely, the system automatically proposes restart mode with
the same parameter settings used for the copy that caused the termination.
If the restarted process fails, the log displays a special note indicating possible
reasons for the error.
Error Handling
Client copies usually involve large volumes of data which places strain on CPU and
storage resources of a machine. Depending on data involved and system
configuration the most likely errors are given below with corrections.
Error handling in client copy and transport
Error | Cause | Solution | Remarks
Write Error in target Client | Usually a table space overflow problem. | Check system log to determine the name of table space. Extend table space and repeat entire copy process. Note: Do not delete
System log message “SYN MC Maintenance deactivated Fully” or “Buffer TABL/TABLP Reset” | None | These messages document special function that is used to improve performance and guarantee consistency.
Termination in exit program after runtime of several hours (ABAP runtime error log = ABAP Dump) | Run log display to determine the name of last exit program that caused termination | Client copy program has not terminated but an appl. Error has caused the termination.
Client deletion:
Deletion of client using an R/3 script is not advised by SAP
Client deletion pre-work:
1) Ensure that there is no backup currently running for the system.
a) Log on to the system at OS level
b) Go to cd /oracle/sid/sapbackup type
tail back*, this will display the last l lines of backup log, the last line will
display the latest backup. If the written code listed is the backup is still
running and you will need to wait till it ends.
2) Ensure that any scheduled backup for the target system is held while
archiving is turned off. By default archiving should be on.
3) Turning archive off:
a) First check if there are any users currently logged on to the system (AL08), and
issue a system message that the system will be used in a few moments
I. Go to SM02
II. Select the create option and enter the message into dialog
box displayed
III. Set the expiration date and select save button
c) Enter Trans-Code RZ04, double click on the current operation mode and
increase the batch processor assigned to that operation mode
d) Manually switch the operation modes using RZ03
e) To check if the operation mode successfully changed go to SM50 and count
no of batch work process
6) This step is to prepare the user for the deletion process
a) First login to target client for the deletion process
b) Go to SCC5
c) Specify whether you want to delete the client and also select T000 and
execute the process at background
***NOTE: selecting option T000 will not only delete the client locally but also
remove the entry physically from the T000 table.
Note: every job is processed without interruption by one single background work
process.
Background job can be scheduled with different priorities
Note: we must ensure that large share of all background tasks are normally
scheduled as class C without target server specification (90% task)
Ex: task scheduled using transaction DB13
Scheduling and monitoring: use transaction SM36 to define new jobs
• We can manually schedule the jobs as well as call the jobs wizard
• Most of the case we schedule manually
Required specifications for defining a job:
1) General specification such as job name, job priority and target server
(optional)
2) Definition of one or more job steps
3) Definition of start conditions (time or event based)
Q) Why it is not preferred to use job wizard?
A) Unlike classical scheduling we cannot perform individual steps with
different users.
Note:
Standard Jobs
Standard jobs refer to background jobs that should run regularly in a production
system.
As a part of our monitoring we need to take care.
They mainly perform certain clean-up activity of a system such as deletion of
obsolete spool requests.
In SM36 we go to standard jobs.
To schedule all default jobs, choose the “Default Scheduling” option.
All standard jobs that are defined in the table REORGJOBS, are scheduled with
specified variant and period.
To schedule individual jobs choose the particular job using SM36 and set the
execution period.
To define an additional standard job that is not yet available in the table
REORGJOBS choose “Predefined New Jobs”
An event is a signal to the b/g processing system that a particular status has
been achieved in the SAP system. The b/g processing system receives events and
then starts all the jobs that are linked to this event.
An application (Central instance) Server is specified for processing of event
based jobs.
Event based jobs can be scheduled with one of the following 3 start conditions.
1. After Event
2. After Job
3. Operation mode
Trans-Code to define a new event is SM62
When defining an event, the administrator differentiates between system and
user events.
System events are events predefined by SAP that you can neither modify nor
trigger.
Triggering events is done in various ways
1. Manually using SM64
2. Using an ABAP program
3. Outside SAP at OS Level, using the program “sapevt” which runs at OS
level.
Reservation for Class A Jobs:
There are very few jobs which will be reserved of type Class A. The reservation
of work processes for Class A jobs does not reserve any particular work process;
rather it ensures that a particular number of work processes is always kept free.
To set the number of reserved background work processes for Class A, you define an
operation mode in RZ04 and maintain the work process allocation for this
operation mode. By doing so, we have the option of reserving work processes.
SAP strongly recommends not to reserve more than one bgwp for processing
Class A jobs.
A job server group contains one or more instances with available bgwp. It is
possible to select a job group for a particular job.
Trans-Code to set up a job group: SM61
Trans-Code to set up an extended job selection: SM37c
Background Users
With the definition of jobs in SM36, we can assign each step of the job to a
user.
This particular user shall have authorization for executing the jobs.
There are 2 options
1. By default, the job will be executed using the current user in which I have
logged in.
2. Enter a different user name if your job should not be performed using your
own authorizations.
To perform this action we should have the authorization S_BTCH_NAM, which allows us to
enter names other than our own in the user field.
Use the “System” user type when creating background users. SU01 – Tcode to
create users.
A dialog logon with this user is not possible.
If I define a job using the job wizard, the name of the logged-on user is used
by default for the authorization check.
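Added example (not part of the original notes): a Python audit of job step users against the rules above. It flags steps that run under a Dialog user instead of a dedicated System user, and lists the schedulers who entered a step user other than themselves and therefore depend on S_BTCH_NAM. The CSV layout, column names, job names and user names are constructed for this example and are not an SAP export format.

```python
import csv
import io

# Constructed sample data. Column names are assumptions made for this example.
USERS_CSV = """user,user_type
BATCH_FI,System
JSMITH,Dialog
BASISADM,Dialog
"""

JOB_STEPS_CSV = """job,step,scheduled_by,step_user
Z_FI_POSTING,1,JSMITH,BATCH_FI
Z_FI_POSTING,2,JSMITH,JSMITH
Z_HR_EXPORT,1,JSMITH,BASISADM
Z_MM_RELOAD,1,BASISADM,BATCH_GONE
"""


def load_user_types(users_text):
    """Map user name -> user type ("Dialog", "System", ...)."""
    reader = csv.DictReader(io.StringIO(users_text))
    return {row["user"]: row["user_type"] for row in reader}


def audit_job_steps(steps_text, users_text):
    """Check every job step against the background-user rules in the notes."""
    user_types = load_user_types(users_text)
    findings = []
    needs_s_btch_nam = set()

    for row in csv.DictReader(io.StringIO(steps_text)):
        where = (row["job"], int(row["step"]))
        scheduler = row["scheduled_by"]
        step_user = row["step_user"]
        borrowed = step_user != scheduler

        # Entering a user name other than your own requires S_BTCH_NAM.
        if borrowed:
            needs_s_btch_nam.add(scheduler)

        user_type = user_types.get(step_user)
        if user_type is None:
            findings.append((where, "unknown",
                             f"step user {step_user} has no user master record"))
        elif user_type != "System":
            if borrowed:
                # The step runs with another person's dialog authorizations.
                findings.append((where, "high",
                                 f"{scheduler} runs the step as {user_type} user {step_user}"))
            else:
                # Default behaviour: the scheduler's own dialog user is used.
                findings.append((where, "low",
                                 f"step runs under {user_type} user {step_user}, "
                                 "not a dedicated System user"))

    return {"findings": findings, "needs_s_btch_nam": sorted(needs_s_btch_nam)}


if __name__ == "__main__":
    report = audit_job_steps(JOB_STEPS_CSV, USERS_CSV)
    for (job, step), severity, text in report["findings"]:
        print(f"{severity:8} {job} step {step}: {text}")
    print("review S_BTCH_NAM for:", ", ".join(report["needs_s_btch_nam"]))
```

The list of schedulers is the input for a review of who actually holds S_BTCH_NAM.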
RFC (Remote Function Call)
An RFC is a call of a function module that is running in a different system from the calling
program.
You can also call a function module in the same system as an RFC; however, RFCs
are mostly used for calling different systems.
RFC is an SAP interface protocol that is based on the Common Programming
Interface for Communication (CPI-C). This means that ABAP functions can be called
for external applications and tools.
RFC Destinations:
1) R/3 connection
2) Internal Connection
3) Logical destinations
4) SNA/CPI-C connections
5) TCP/IP
6) Connection using ABAP/4 drivers
Transaction code for RFC connections SM59
Types of RFC’s
1) Synchronous RFC (SRFC) – This is used for communication between
different systems and between SAP WAS and SAP GUI.
2) Asynchronous RFC (ARFC) for communication between different systems
and for parallel processing of selected tasks.
3) Transactional RFC (TRFC) – A special form of ARFC. TRFC ensures
transaction like processing of steps that are originally defined.
4) Queued RFC (QRFC) – QRFC is an extension of TRFC. It also ensures that
individual steps are processed in sequence.
Note:
If the SNC is configured, we get a tab in SU01 – user administration.
KeyOn is a 3rd party tool configured for single sign-on for SAP systems.
RFC connection should be bi-directional
3) Only when the spool request is to be output on a particular device, is an
output request created.
Device independent print data from the spool request is converted to the
printer language that the selected output device understands. This procedure
allows the user to display spool request before output.
If the user wants to create a spool request and an output request at the same
time, he has to choose “PRINT IMMEDIATELY” option.
Actual document content of a spooled request is stored in TemSe (Temporary
sequential Objects)
We can define the storage location for TemSe objects using the profile
parameter rspo/store_location
Spool requests are stored in DB table TST03.
We can specify the storage location for the output device using the Transaction
Code SPAD.
Note:
1) SICK (SAP Initial Consistency Check). It’s the first Trans-Code used in post
SAP installation.
2) SPRO (Customizing)
Installation Of languages (SMLT)
German and English are provided by default. To install a new language,
use SMLT to configure the new language setting.
Note:
Default profile parameter related with languages is zcsa/installed_languages.
Local Printing:
The spool workprocess and the OS spool are running on the same host machine.
Access Methods of Local Printing:
Unix = L; Windows = C
Local Printing is the fastest and most reliable connection from SAP to OS. You can
configure multiple spool work process for an SAP instance.
Remote Printing:
With remote printing, spool work process and OS system spooler are running on
different hosts.
Access Methods of Remote Printing:
Unix = U; Windows = S as well as U (Unix Berkeley Protocol)
Front End Printing:
We can connect output devices to our front-end machines. The access method for
front-end printing is F.
In the Microsoft Windows OS, the transfer program saplpd receives the data stream
and forwards it to the default printer.
We can specify max no of spool work process used for front end printing by the
profile parameter rdisp/wp_no_fro_max (Default value is 1)
Note:
Front End printing is not suitable for production or mass printing.
Since front-end printing requires a connection to the front-end PC, we cannot
use background processing.
Spool Server
It is a SAP Application server with Spool work process or logical server name.
Lock Printer in SAP system
Output requests for printers for which this indicator is selected are created but not
transferred to the printer. The user receives the message “No immediate
Printing”.
Host Printer = Name of the printer at OS level (Case Sensitive)
Note: The specification _DEFAULT is set for front-end printing.
Destination Host: This is used only for remote printing. It represents the name
of the host where OS system spooler is running.
Host: used only for local printing; it is calculated automatically from the spool server.
Device Type
SAP uses device type to format the output device printout.
When the spool work process generates an output request, it uses the
specification of device type.
This device type describes how print data should be formatted for a particular
output device.
Page Format
This describes the format of printable page in the SAP system. This describes
how output should appear on paper.
Format is a device specific implementation of a Format Type. Example: To
perform an output on a page with letter format.
Character Set: Contains the characters that can be output to a device.
Print Control: This allows the control of display options of output devices,
such as font-size, bold face.
{Questions}
Q How to identify how many spool work process are setup in a particular
application server?
Ans) Trans-Code SM51 and select the application server.
Go to SM50 and count the number of work process with SPO
Q How many spool processes are configured in our entire SAP system?
Ans) SM66 and check for SPO work processes. Select the processes by choosing Type =
Spool and Status = Wait
Q Can we change number of spool work process by operation mode switching?
Ans) No. Only background and dialog work process can be modified.
Q How to identify how many spool servers are available in your SAP system?
Ans) SM51 or SM66 and check for application server with at least one spool
workprocess.
Q How to make setting for an individual SAP user so that an output request is not
created immediately for a spool request?
Ans) SU3 go to Default tab and ensure that output immediately option is not
checked.
Q) How to find which printer is defined at OS level of your server?
Ans) Go to start -> Settings -> Printers (Revisit)
Output a list:
To create the suggested list, go to ‘SA38’, enter the report ‘RSPFPAR’ and execute it. Enter the parameter
‘RSPO*’ and execute again.
Go to ‘SM51’ and select the print option.
Creating a remote printer: Procedure is same as local printer.
Creating front end printer:
Go to SPAD, devices/server/page and choose output device
Database
- Database Overview
- Backup Restore & Recovery
- Monitor Cateradf
Oracle database: is a collection of data stored in one or more data files on disks.
- Oracle manages database data in logical units called table spaces.
Instance: Set of oracle background process and memory buffers form an instance.
* Database data is permanently stored in datafiles or disks.
* To accelerate read and write access, data is cached in the database buffer cache in the SGA.
* Executable SQL statements are stored in the shared SQL area of the
shared pool.
* Oracle data dictionary is stored in row cache of shared pool.
* Data processing never takes place directly on disk, it is first copied by associated shadow
process from disk to the database buffer cache in SGA.
What are the situations in which DBW0 writes dirty blocks to disk?
- If the number of scanned buffers reaches a certain threshold.
- At a specific time that is when check point occurs.
* Scanning of the buffers is done by shadow process.
* Changes are done in two ways:
- Roll forward changes.
- Roll backward changes.
* Redo entries are stored in redo log files and are used to perform roll forward recovery.
* Undo entries are stored in the undo table space and are used to perform rollback.
* Redo changes = committed changes = new value = after images.
* Undo changes = un committed changes = old value = before image.
* Oracle shadow process records redo changes and stores in redo log buffer of SGA temporarily.
* Oracle background process “log writer – LGWR” writes data in redo log buffer to online redo log
files which are stored physically on disk.
* The redo log buffer is also called a circular buffer.
* The circular buffer records all committed and un-committed changes made to the database.
Q: What are the conditions in which log writer writes redo log buffer data to online redo log files?
Ans: There are 4 conditions:
- When transaction is committed.
- For every three seconds.
- When the redo log is 1/3rd full.
- When DBWR is about to write modified buffers to disk and some of the
corresponding redo records have not yet been written to the online redo log, i.e. write
ahead logging.
* Each committed transaction will have a system change number (SCN) stored in redo log file.
* Size of Oracle redo log file is 40MB (fixed number). There are four predefined collections of online
redo log files.
* At every log switch Oracle will increase the log sequence number.
* The current online redo log file that ‘LGWR’ is writing into is called the active online redo log file.
Control files
This file is used to start and operate database.
What are the entries in co files?
- Physical structure of database
- State of database
- Table space information
- Names and location of data files and redo log files.
- Current log sequence number
* If the physical structure of the database is changed, then the co.files get updated automatically.
* SAP stores co.files in three locations during installation of SAP. It is recommended to store the files
in three physically separated hard disk.
* If database = open then co.file available for writing.
* Normally caches are small and don’t grow.
* ‘RMAN’ for backups, “cofiles may grow by factor 10”, because they contain information about
RMAN backup.
Database Recovery:
* Online redo log files used for database recovery (instance recovery). After restart, the system
performs automatic recovery.
* If online redo log files are lost during a crash, a complete recovery is not possible. Hence online redo
log files must be mirrored i.e. two or more copies needs to be maintained.
* Oracle itself mirrors online redo log files by default.
* Online redo log files are limited in size, and cannot grow automatically.
* Automatic instance recovery of online redo log files is possible.
* To manually restore and recover data files which are missing, we need both a database backup and all
redo log information written after the backup.
* Archiving must be exclusively activated by turning on archive log mode, i.e.
“LOG_ARCHIVE_START” is true.
* Archiving is taken care of by an Oracle background process called “ARC0” (archiver).
* Oracle cannot mirror offline redo log files, hence we must use RAID.
* Offline redo log files and data files should be on different disk.
• The home directory for oracle is ORACLE_HOME
• The location for cofiles and offline redo logs is configured in the oracle profile
init<SID>.ora.
• The location for data files and online redolog files is stored in database.
• The oracle tool to ping is ‘TNSPING’
Oracle System Privileges
• SYSDBA and SYSOPER are Oracle system privileges.
• Control of these privileges is outside the database.
• The privileges allow accesses to database instance even when database is not
open.
Operating System Users and Groups (Start->programs->Admin tools-> Configure Management ->
users, groups)
Users:
<SAP SID> Admin and ORAdb<SID> are the two users which are created in a Unix system, whereas
<SAPSID> admin, <SAP service.SAP<SID> are created in a Windows system.
Groups:
1. ‘ora_dba’ = Member of this groups can connect to oracle database as dba without a password.
2. ‘ora_<SID>_dba’ = admin group
3. ‘ora_<SID>_OPER’ = db operator group
Extra Groups:
SAP_<SID>_Global Admin = SAP Global Admin Group.
SAP_<SID>_Local Admin = SAP Local Admin Group
SAP_Local Admin = SAP local Admin Group
• ‘SQL NET.ORA’ = Contains client side information.
• Oracle has one listener i.e. ‘LSNRCTL’
Options:
OS level : lsnrctl help
OS level : lsnrctl status = oracle.
Location of parameters and listener log files.
Note: ‘Listener_Ora’ = Listener tracing files.
Options:
1. Off = Offered
2. User = Limited Trace
3. Admin = Detail Trace
12. SPfile.ora is server side initialization parameter file (oracle database server)
• Do not make parameter changes at Oracle level, because that only changes the parameter
values in the SPfile. Always use the BR* tools, because they maintain consistency by
copying the contents to both files.
• The transaction code DB02 and ST04 still use ‘init<SID>.ora’
• SAP installation tool do not create SPfile. SPfile is created using SQL*plus
‘CREATE SPFILE’.
• SPfile is stored in the ‘oracle_home’ directory, same as ‘init<SID>.ora’.
• RZ20: Database alert monitor.
Starting of Database
1. No mount = reads parameter files, database instance started and allocated memory
buffers.
2. Mount phase: opens cofiles.
3. Open: opens all data files and online redo log files.
• The mount phase is used for database recovery, for changing archive log mode, for
removing and moving data files and also for adding, dropping, renaming online redo
log files.
• Do not use ‘BRCONNECT’ to start and shutdown database, instead use ‘BRSPACE’
because it tried logfile actions.
• The no mount phase is used for creation of the database and for recreation of lost cofiles.
Stopping of Database
1. Normal: Oracle waits till all users are disconnected from the database. All files are closed,
the database is dismounted and the instance is shut down.
2. Transactional: Oracle waits for all open transactions to finish, then disconnects the
users and shuts down the database.
3. Immediate: No new connections and transactions are allowed. PMON ends all user
sessions and performs a rollback of any open transactions, and only then shuts down the database.
4. Abort: No new connections and transactions are allowed. No rollback of open transactions.
Users are disconnected and Oracle processes are stopped.
Note: With all the above first three methods, database is shutdown in a consistent state and does
not need recovery at next restart.
• Default mode for oracle shutdown is normal
• The Oracle commands shutdown immediate and shutdown abort stop the Oracle instance
even if work processes still have connections to the database.
• Oracle info messages, warnings and errors are logged in oracle dump files i.e.
background, user trace which is located in ‘SAPDATA_NAME’ directory.
• Background directory store alert log file. Alert_<SID>.log. Whereas user directory
store trace files written on behalf of shadow process.
(Q) If a file is missing from the chain of offline Redo log files, then what we’ll
do?
(A) We have to perform a restore and recovery of Database. Recovery is
performed using the method “Point In Time” by which all the Offline Redo log files older than
the last one is used for recovery.
(Q) What are the causes for logical errors related to Database?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
(ii) Manually dropping Database Objects.
(iii) Manually dropping Application Objects.
(Q) Is Point in Time Recovery a standard Solution for logical errors in production system?
(A) NO
(Q) Why do we need to perform a logical check?
(A) In order to verify corrupted Data blocks (Ora – 1578)
(Q) What are the tools used by Oracle Admin in an SAP System for Backups?
(A) Database Backups = BRBACKUP
Offline Redo log files = BRARCHIVE
(Q) What are the occasions on which changes to the File Structure of the Database are made?
(A) 1) When a Data file is added
2) When a Data file is moved to a Different Location.
3) When a Table Space and its Data files are reorganized.
Complete Backup:
All the Data in the Database is backed up. Complete Backup is again
divided into 2 Types
1) Full Backup:- After the data backup, additional information, i.e. the Catalog, is
written into the Cofile by Recovery Manager.
2) Whole Backup:- It creates a Backup of all the data without the Catalog.
Incremental Backup:
i) This Backup is used for saving the Data blocks that have changed since the
time of the Full Backup.
ii) With an Incremental Backup the amount of data to be backed up gets shorter,
but not the Backup time.
iii) An Incremental Backup is based only on the previous Full Backup.
(Q) If the Corresponding Full Backup is already overwritten and can I use Incremental
Backup?
(A) NO, Incremental Backup is useless.
(Q) Can I perform a Backup of Individual data files using Incremental Backups?
(A) NO
Partial Backup:
The backup of Database in smaller parts is called as Partial Backup.
*NOTE:- Sum of individual partial Backups form an Entire Complete Backup.
*NOTE:- Recovery Backup using partial Backup data is very much time consuming,
because it needs all oldest Backup Offline and Online recovery Processes.
(Q) What are the various Backup strategies used in SAP?
(A) There are 3 Backup strategies in SAP
i) Complete Backup:- Restore missing Database files from complete Backup, Restore
Offline Redo Log files written during and after this Backup.
ii) Incremental Backup:- Restore missing Data files from last Full Backup, update them
with restore from last Incremental Backup.
iii)Partial Backup:- Replace complete backup with partial Backups , we need a longer
time to perform a recovery from media crash.
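Added example (not part of the original notes): a Python model of the restore rules above. It picks the newest usable backup chain, treats an incremental backup as useless once its full backup has been overwritten, and stops at the first gap in the chain of offline redo log files, which is the point-in-time recovery case. Backup names and log sequence numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Backup:
    name: str                   # label of the backup run (constructed)
    kind: str                   # "full", "whole" or "incremental"
    next_log_seq: int           # first offline redo log written after this backup
    base: Optional[str] = None  # incremental only: full backup it is based on
    available: bool = True      # False once the medium has been overwritten


def restore_chain(backups):
    """Return the newest usable set of backups to restore, oldest first."""
    by_name = {b.name: b for b in backups}
    chains = []
    for b in backups:
        if not b.available:
            continue
        if b.kind in ("full", "whole"):
            chains.append([b])
        elif b.kind == "incremental":
            base = by_name.get(b.base)
            # Per the notes: an incremental is based on a full backup and is
            # useless once that full backup has been overwritten.
            if base is not None and base.available and base.kind == "full":
                chains.append([base, b])
    if not chains:
        raise ValueError("no usable complete backup left")
    # The chain that ends latest needs the fewest redo logs applied.
    return max(chains, key=lambda chain: chain[-1].next_log_seq)


def plan_recovery(backups, offline_logs, target_seq):
    """Plan restore and roll forward up to log sequence number target_seq."""
    chain = restore_chain(backups)
    have = set(offline_logs)
    apply_logs = []
    seq = chain[-1].next_log_seq
    # Redo logs must be applied in sequence; the first gap ends the recovery.
    while seq <= target_seq and seq in have:
        apply_logs.append(seq)
        seq += 1
    complete = seq > target_seq
    return {
        "restore": [b.name for b in chain],
        "apply_logs": apply_logs,
        "first_missing_log": None if complete else seq,
        "complete": complete,   # False means point-in-time recovery only
    }


# Constructed backup catalog and offline redo log inventory.
CATALOG = [
    Backup("WHOLE_W01", "whole", 80),
    Backup("FULL_W02", "full", 100),
    Backup("INCR_MON", "incremental", 110, base="FULL_W02"),
    Backup("INCR_TUE", "incremental", 120, base="FULL_W02"),
]
ALL_LOGS = list(range(80, 131))

if __name__ == "__main__":
    print(plan_recovery(CATALOG, ALL_LOGS, 130))
    print(plan_recovery(CATALOG, [s for s in ALL_LOGS if s != 125], 130))
```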
TOOLS:
(1) BRBACKUP: Backup of Oracle Data files , Cofiles, Db Redolog files, Oracle
Software Directories and SAP System directories.
(2) BRARCHIVE: Backup of Redo log files.
(3) BRRESTORE: Restore all Db files and Offline Redo log files
(4) BRRECOVER: Checks for Database for missing files , it calls BRRESTORE for
restoration of missing Data and Offline redo log files.
NOTE:
(1) Both BRBACKUP and BRARCHIVE records their actions in log files, BRRESTORE
uses above logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE supports Backup to Tapes, Disks as well as
Backups with Third party Tools.
Important Parameters for Configuration of BRBACKUP and BRARCHIVE(Init<SID>.SAP)
(A) Backup_mode = All(Whole)
Full(full backup)
Incremental Backup
Partial(Table space name, Dir path, File id.s)
(B) Backup_type = Online and Offline Backup
(C) Backup_dev_type = Tape or Disk or External Interface
(D) Util_file = BACKINT(External Backup program through Interface BACKINT)
(E) TAPE_COPY_CMD = CPIO or DD or RMAN(Copying files from Disk to Tapes)
NOTE:
DD = Raw devices are copied with this option
CPIO = Directories are copied with this option
The Profiles init<SID>.ora and init<SID>.sap and Summary and detail logs are
copied with this CPIO.
(F) DISK_COPY_CMD = cp, copy (Copying files to disks)
Cp is used in UNIX
Copy is used in WINDOWS
(G) Expire_period = (1)We have to specify the expiry period of a tape
(2)Tape_use_count = Max number of times, volumes can be written to
tapes.
(H) Volume_Backup: Names of volumes used for backups(BRBACKUP)
Volume_Archive: Names of volume used for backups of Offline redo log
files(BRARCHIVE)
(I)Tape_Address = Identifies device address of tapes.
(J) DD_Flags and DD_IN_FLAGS= Specify block ( Size of at least 64kb)
(Q) Can RMAN recover the Database automatically without Recovery catalog?
(A) NO
(9) RMAN writes Header, trailer and blocks of at least one Database or one raw disk
file to a file called SAVESETS
(10) Using SAVESETS speeds up Backup Process.
PREPARATORY RUN:
Preparatory run is used to determine the optimal SAVESET distribution of
data files we want to backup.
(Q) Why do we need to perform a preparatory run?
(A) If Backup with RMAN is supposed to form sets then we need to run Preparatory
run.
Preparatory run can be run from DB13 prepare for RMAN Backup.
No Backup is created during preparation run, only estimates Compression rate
of BRTOOLS to compress the files and to determine compressed and
decompressed file sizes.
It is recommended to perform preparatory run per one Backup cycle.
TAPE MANAGEMENT:
(1) Each and every tape used for Backup, i.e. BRBACKUP and BRARCHIVE
needs to be initialized.
(2) During tape initialization an SAP specific label is written on the tape as the First file
(Tape.hdro) containing the tape name.
(3) BRTOOLS-> Backup-> Dbcopy-> Additional Functions-> Init of BRBACKUP
tape Volume or Init of BRARCHIVE tape volumes.
The command to start the initialization is BRBACKUP or BRARCHIVE with the option
-i | -initialize.
(Q) What are the contents of the tape label after a tape is Initialized?
(A) (i) Tape Name
(ii)Name of the Database
(iii) Time stamp of last backup recorded on the tape
(iv) Number of Backups performed with the tape
Before writing data to tape, the label is read to check the following
(i) Tape Name
(ii) Tape Locked or Expired(Expire_period)
(iii) No. of times the tape has already been read (Tape_use_count)
If Expiration_period = 0 days, the Volume is not locked at all and can be over
written
• If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape
locks?
(A) There are 2 types of locks
(i) Physical lock check: Physical lock check is done by checking tape label
parameter Expir_period. If the number of days passed since the tape was last
used is less than value of parameter Expir_period, then the tape is physically
locked.
(ii) Logical lock check: This value is derived from the time stamp written to tables
SDBAH, SDBAD
(Q) What is the option to select the tapes automatically by BRBACKUP and
BRARCHIVE?
(A) Set the parameter Volume_Backup and Volume_archive to TAPE
(Q) What is the command to check which tape will be automatically selected?
(A) BRBACKUP | BRARCHIVE -q | -query {check}
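Added example (not part of the original notes, and not the BR*Tools implementation): a simplified Python model of the label checks described above, covering the tape name, the physical lock derived from Expir_period, and Tape_use_count. Days are counted as whole calendar days so that a lock ends at midnight; tape names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class TapeLabel:
    tape_name: str
    database: str
    last_backup: datetime   # time stamp of the last backup recorded on the tape
    backups_done: int       # number of backups performed with the tape


def check_tape(label, expected_name, today, expir_period, tape_use_count):
    """Return (usable, reason) for one mounted tape."""
    if label.tape_name != expected_name:
        return False, "wrong tape"
    # Whole calendar days: a tape written at 23:50 counts one day at 00:00.
    days_passed = (today - label.last_backup.date()).days
    # Expir_period = 0 means the volume is never locked.
    if expir_period > 0 and days_passed < expir_period:
        return False, f"locked for {expir_period - days_passed} more day(s)"
    if label.backups_done >= tape_use_count:
        return False, "use count reached"
    return True, "free"


def select_tape(labels, volume_list, today, expir_period, tape_use_count):
    """Return the first tape from the volume list that may be overwritten."""
    by_name = {label.tape_name: label for label in labels}
    for name in volume_list:
        label = by_name.get(name)
        if label is None:
            continue  # tape not initialized, so it has no label to check
        usable, _ = check_tape(label, name, today, expir_period, tape_use_count)
        if usable:
            return name
    return None


# Constructed tape pool for a database called PRD.
POOL = [
    TapeLabel("PRDB01", "PRD", datetime(2024, 3, 9, 23, 50), 12),
    TapeLabel("PRDB02", "PRD", datetime(2024, 3, 8, 1, 0), 100),
    TapeLabel("PRDB03", "PRD", datetime(2024, 3, 8, 23, 59), 5),
]
VOLUMES = ["PRDB01", "PRDB02", "PRDB03"]
TODAY = date(2024, 3, 10)

if __name__ == "__main__":
    for label in POOL:
        print(label.tape_name, check_tape(label, label.tape_name, TODAY, 2, 100))
    print("selected:", select_tape(POOL, VOLUMES, TODAY, 2, 100))
```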
(iv) Check if Software or Hardware Mirroring = Available or Not
(2) The safest method is to perform a complete Offline Backup, using BRBACKUP or any
Backup Tool, before the files are copied back into place by the restore.
(3) The above step is Very Important for Point In Time Recovery or for
Database reset because these strategies always involve Data loss.
(4) Save Offline Redo Log Files in ORARCH Directory using BRARCHIVE only.
(5) To check the reliability of Backup strategy , run regularly restoration report
in SAP using DB12
(6) The above report is used to find out which backup to use for recovery as
well as it displays information about last successful Backup.
(7) If the list of RedoLog files after the last Database Backup is too long, then
perform a complete Database Backup.
BR Tools:
Login to ORA<SID> using putty
Type BRTOOLS
There are 9 options in total in BR tools
Select Instance management, it is option 1
b. In Database instance management select option 2 to shutdown
the database.
c. Type ‘C’ and click enter to continue
d. In Database instance shutdown main menu select option 1
shutdown DB.
e. Under options for shutting down the DB instance we have to choose
option 1, that is close mode(Default mode is immediate)
f. Select option 1 and enter string value for ‘mode’ (Immediate|
normal|transactional|abort).
Note: if users are logged in to the SAP system then I cannot use the immediate,
normal or transactional modes. Using abort mode will forcefully shut down the database and will
result in data loss, hence never use this option. To be on the safest side, always
shut down using normal mode.
Alter DB Instance (Switching off archive mode):
Shut down SAP -> Stop SAP [SID<adm>]
Log on to ORA<SID> user and start BR tools
In BR tools -> Select option 1 (Instance Management)
Start up database -> Select option 1
Alter DB instance -> Option 3
Enter ‘c’ to continue
Enter ‘c’ to continue
Select option 4 to set non archive mode
Enter ‘c’ to continue and select option 5 to show instance status
Note: while switching between archive mode and non-archive mode, it will shut down the
DB instance first and then start the DB instance. In each of these cases the time
stamp is recorded, that is date and time. Once the DB is up and running always
check the status before performing any action.
(Q) If SAP started and I am trying to switch to non-archive mode what will happen.
(A) It will show an error saying that the SAP instance is running. Please shut it down
first or use the force option.
(Q) If SAP is running and I try to shutdown the DB using BR tools what will happen.
(A) It throws an error saying that SAP is running; please shut down SAP first or
use the force option and then continue.
1. Oracle stores data in table spaces, each table space consists of one
or more data files.
2. Data files are plain files stored on local system
3. Oracle has 4 segment types
a. Data: This segment contains table data in rows.
b. Index: Each table has one primary index and ‘n’ number of
secondary indexes (optional). This index is used for faster
access to table data and to enforce unique constraints.
c. Temp Segment: This segment is used for sorts and to create
indexes.
d. Roll back/undo segment: This segment is used to provide read
consistency, that is, the ability to roll back changes to tables for
recovery.
4. To meet the demand of large DBs, DB designers create partitioned
tables and indexes.
5. An index segment in oracle DB used in SAP holds either all data for
a table that is not partitioned or all data for a partition of a partitioned
table.
Up to 200Gb 2Gb
200 to 400Gb 4Gb
400 to 800Gb 8Gb
To solve above problem with extent we must use locally managed table spaces.
Segment Sizes Next segment Size Max.no.of Extent
Note: the last added data file name and new file to be added will show the exact
location where the data file is residing that is Oracle/<sid>/sapdata 1 to n/
Note: this action will update the time stamp in co-file that is, it created a copy of
co-file in the location /oracle/<SID>/SAPREORA|[CNTRL<SID>.old]
Once the co-file copy is created, extending of the table space is done. Once this has successfully
completed, it switches to the next online redo log file for the database instance and finally
creates a copy of the co-file with the new time stamp, that is CMTRL<SID>.news
3. ORA1654 Index full
4. ORA1113 When backup is aborted
5. ORA1144 When back is shutdown immediately
6. ORA1578 Data block corrupted
7. ORA0255 Database stuck
8. ORA1555 Buffer mode is OFF
9. ORA272 and ORA255 Archive stuck
10. ORA600 Hardware Failure
Note: option 4 and 5 are also called as missing end backup.
Security
This is used for creation of user accounts and other functions besides creation: delete, change, display,
copy, lock/unlock and password reset.
Note: user naming convention should be alphanumeric. First character should be there in the
beginning.
Steps to create User Accounts
1. Enter the user and press create button.
2. In address tab only field we need to mention LAST NAME
3. In Logon data UserType: By default Dialog A
Note:
• With user type Dialog we can login into SAP system
• To create a user we need to maintain the validity of the user.
• For permanent user valid through 31-12-9999 and for Temp and Contract user validity
through date will be given in the ticket.
• Any request in security should have approval from a manager.
• By default approval comes in the form of an email. In some cases a third party tool is used. It
can contain an approval form, for example BSSR (Business Security Service Request).
• Default user group is SUPER. Based on the region or department we assign the user groups.
Sample Ticket
Default Values
Spool
Output Device….. By default it will be Empty
Parameter:
By default based on the roles, parameter values are assigned.
Eg: ESS roles i.e related with Time sheets
ROLES
Is where we assign the roles.
Note: Always assign the role first and not the profile. Every role by default has its own system defined
profile.
We can set the Role Validity from …. To. Default value is 31-12-9999
PROFILES
Do not enter any profile directly instead it will be pulled automatically once it’s assigned in roles tab.
GROUPS
Already maintained in Logon Data
PERSONALIZATION
Set of Transaction Codes to work
User
Role
Authorization Profile
Authorization
Authorization Object
User / User Master Record: This is used for logging on to SAP system and
grants restricted access to functions and object of SAP system based on SAP
profiles.
Note:
Authorization and authorization profiles are customizing objects.
Authorization classes, objects and fields are development objects.
Creation of Child / Derived Role:
Select the derived role name and
Under Transaction Inheritance in Derive from Role and Click on “Yes”
Note:
1) In a derived role we can’t make any changes under the menu tab. Eg: Adding
a transaction or report, Deletion
2) Relationship between Parent and Derived role is 1:n
3) On first-time creation of a role, always go to expert mode.
Go to Authorization tab to generate the derived role.
List of Tabs:-
Manually: Adding authorization objects manually to a role.
Open: To view all open fields, i.e. the fields in which the values are not
maintained (Represented by color yellow)
Changed: To view the changed authorization objects.
Maintained: It will show the fields of the authorization objects for which the
missing values are maintained.
Note:
1) Once we make changes in the copied one, the status changed to
maintained.
2) If we do not follow the above steps, then during the regeneration of a role
next time, a new open field appears. Hence, in order to avoid the
duplication of fields we need to follow the above rule/procedure.
3) If we make any changes to a parent role like add, delete or Transaction
Code, we have to generate all the child roles under the parent role.
4) Whenever we generate a derived role, always choose the maintenance option “read
old status and merge with the new data”.
5) If we choose “edit old status” then it will not reflect any open fields even
though they are present.
6) Never try to select “delete and recreate profile”.
7) Once the role is generated, we have to assign the role to a user using
SU01 (or) add a user to the role using the PFCG User tab.
8) Always assign only derived roles to a user. Whenever you add a user to a role,
always run the user compare.
9) In order to refresh user buffer with new values we have to always go for
user compare.
Note: In order to check the SU53 analysis of other users, go to SU53 and click on display
authorization object for different users.
Analysis using SUIM
Scenario 1: User is having access to plant 1000 in MM01, now he is trying to
create for plant 0001 and he got the error no authorization to the plant 0001.
Solution: Request for SU53 screenshot. Once you receive the screenshot
Go to SUIM
In SUIM check the roles which are having access to plant 0001.
SUIM -> Go to Roles -> Roles by complex selection criteria and deselect the user.
Go to Authorization Object 1 from SU53 screenshot and select entry values button
Enter the values as per SU53 under the authorization Object and select Execute
button.
Double click on the role on which we want to assign.
It will automatically take us to PFCG transaction.
Go to Authorization tab -> Select Display authorization data.
Go to Find Button (Ctrl+F)
Enter the authorization object in the authorization field and press Enter on Find
Object.
Go to Utilities and select Technical names on
Second Method of Role Maintenance
1) Create a parent role and Add Transaction codes in menu tabs and
generate the role.
2) Create child roles and assign the parent and generate the child nodes.
Note: The generation of child roles/derived is always done from the parent role.
Process:
Go to Authorization
Edit Read old/merge with data.
Make changes in parent role
Generate Parent
Finally generate derived roles button (or) select Auth Just Derived Generate
derived roles
This will generate automatically all the derived roles from the parent role.
Note: In this method org values cannot be maintained using parent role, we have
to individually maintain org values in the derived roles.
Mass Generation of Derived Roles:
Copy all the derived roles into a notepad.
Go to PFCG -> Go to Utilities -> Select mass generation.
In the mass generation screen:
Select all roles under presentation
Select Display data when created and changed
Click on Role Multiple Selection
Note:
Go to notepad, select all and copy.
Come back to multiple role selection and select the upload from clipboard button.
Select the check entries button.
Then select the copy button and select the execute button.
Deletion of a Role:-
Before deleting any role, first add the role to a transport and then proceed with
the deletion.
Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to
production. If I delete a role in dev box, the same role has to be deleted in prod
because these roles are finally used by the users in prod box only. Hence the
deleted role needs to be transported.
Go to PFCG select the role to be deleted. Keep the role in a transport by selecting
transport role button.
Note:
1) In choose objects options never check user assignment. Assignments of
users to a role are done only in production box.
2) Changes done using SU24 are of type workbench.
3) Changes done using PFCG are of type customizing.
SUIM change documents:-
For users:-
1) Used to find when a user was created or deleted, as well as password reset
and user lock/unlock information. Besides this, we can track information
about roles, such as when roles were added or deleted, who performed
the action and the date of the action.
Scenario 1:
Q) Unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Logon data and check whether the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute.
If the lock is of type Admin lock, then we need to contact the admin for the reason
for locking; hence never unlock directly.
If the lock is due to incorrect logon, then go to SU01, select the user and press the
unlock button.
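The lock triage described above can be scripted against a user extract. This is an added example, not part of the original notes: it assumes the USR02 lock field UFLAG with its bit values 32 (global administrator lock), 64 (local administrator lock) and 128 (lock after incorrect logons), and the user names, administrator IDs and the tuple layout of the change-document rows are constructed for illustration.

```python
from datetime import date

# UFLAG bit values (assumption stated in the lead-in).
GLOBAL_ADMIN, LOCAL_ADMIN, WRONG_LOGON = 32, 64, 128
KNOWN_BITS = GLOBAL_ADMIN | LOCAL_ADMIN | WRONG_LOGON

# Constructed sample rows (BNAME, UFLAG); not from a real system.
USR02_ROWS = [
    ("JSMITH", 0),
    ("MKHAN", 128),    # locked after incorrect logons
    ("TLEE", 64),      # locked by an administrator
    ("RDIAZ", 192),    # 64 + 128: admin lock and incorrect logons
    ("CUAUSER", 32),   # global admin lock, no change document available
]

# Constructed change documents in a hypothetical layout:
# (user, changed_by, change_date, action)
CHANGE_DOCS = [
    ("TLEE", "SECADM2", date(2024, 1, 10), "LOCK"),
    ("TLEE", "SECADM2", date(2024, 1, 12), "UNLOCK"),
    ("TLEE", "SECADM1", date(2024, 3, 4), "LOCK"),
    ("RDIAZ", "SECADM1", date(2024, 3, 5), "LOCK"),
]

def last_locker(user, docs):
    """Return who most recently locked the user, or None if not recorded."""
    locks = [d for d in docs if d[0] == user and d[3] == "LOCK"]
    return max(locks, key=lambda d: d[2])[1] if locks else None

def triage(user, uflag, docs):
    """Map a UFLAG value to (action, admin_to_contact)."""
    if uflag == 0:
        return ("none", None)
    if uflag & ~KNOWN_BITS:
        # Bits outside the three handled here: do not guess, investigate.
        return ("investigate", None)
    if uflag & (GLOBAL_ADMIN | LOCAL_ADMIN):
        # An admin lock wins even when a wrong-logon lock is also set:
        # never unlock directly, find out who locked and ask why.
        return ("contact_admin", last_locker(user, docs))
    return ("unlock_su01", None)

def report(rows, docs):
    return {user: triage(user, uflag, docs) for user, uflag in rows}

if __name__ == "__main__":
    for user, result in report(USR02_ROWS, CHANGE_DOCS).items():
        print(user, result)
```

A user with UFLAG 192 is routed to the administrator rather than unlocked, because clearing the incorrect-logon lock alone would not explain the administrator's lock.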
SLA
Priority  Type           Response Time  Resolution Time
0         Very Critical  10 min         30 min
1         High           30 min         1 day
2         Medium         60 min         4 days
3         Low            4 hrs          ----
Note:
Response time is the time in which we acknowledge the user request, i.e. once a
ticket comes into our queue, the first priority is to accept the ticket in
our name. Once this is done, we have to send an acknowledgement to the user,
informing them that someone is working on the issue, via email, chatting tool or
phone.
Resolution Time: This is the time in which we have to solve the issue.
Stages of ticket:
1) Open
2) Working / In-progress + Assigned to our Name + Inform the user +
Copy the comments in the tool under notes column.
3) Closed + Issue Resolved + Inform the user + communicate + Copy the
comments in the tool under notes column.
4) Waiting + Needed some inputs from the user to solve the issue + inform
the user + Copy the comments in the tool under notes column.
5) Hold + Waiting due to user unavailability i.e. user has gone for vacation +
Copy the auto response regarding user unavailability and paste the notes
6) Cancelled: If there are duplications or same request being raised then we
can cancel one of the requests by mentioning the previous request no
under the notes column. (Or) If the user wishes to cancel his /her request
then copy the confirmation under the notes and select cancel button.
To rectify a defect CR
CR forms are created based on the quarterly release, i.e. we have 4 quarterly
releases in a year. During this release different people, i.e. technical and
functional consultants and security administrators, get involved and analyze
various roles based on the inputs provided by the auditors.
This is where SOX policies come into play. In order to identify the various
defects and conflicts in roles and between transactions, we use various SOD
(Segregation of Duty) tools like VIRSA and BIZRights. The process of identifying
the defects or conflicts among the existing transactions and rectifying them is
called mitigation.
HR Security Activities
There are two types of HR security Activity
1) Delegation of Authority
2) Structural Authorizations
An item appearing in inbox even after the period is expired
Don’t have access to approve the POS appearing in the inbox.
The first two problems are rectified by the workflow administrator. The last issue is
related to approve access. Before we provide the approval access, we have
to identify whether that particular person already has access or not.
If he has access, then notify him by email that as per the security
policy any user can have either create or approve access and not both.
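The create/approve rule above is a segregation-of-duties check that can be run over role assignments before approval access is granted. This is an added example, not part of the original notes: the role names, users and validity dates are constructed, and the rule set (ME21N creates a purchase order, ME28/ME29N release one) is an assumption about which transactions the policy covers.

```python
from datetime import date

# Assumed rule set: business function -> transaction codes that grant it.
FUNCTIONS = {"create_po": {"ME21N"}, "approve_po": {"ME28", "ME29N"}}
CONFLICTS = [("create_po", "approve_po")]

# Constructed role menus (role -> transaction codes); hypothetical roles.
ROLE_TCODES = {
    "Z:MM_BUYER_1000": {"ME21N", "ME23N"},
    "Z:MM_RELEASE_1000": {"ME29N", "ME23N"},
    "Z:MM_DISPLAY": {"ME23N"},
}

FOREVER = date(9999, 12, 31)
# Constructed assignments: (user, role, valid_from, valid_to).
USER_ROLES = [
    ("ASHARMA", "Z:MM_BUYER_1000", date(2024, 1, 1), FOREVER),
    ("ASHARMA", "Z:MM_RELEASE_1000", date(2024, 2, 1), FOREVER),
    ("BNOVAK", "Z:MM_BUYER_1000", date(2023, 1, 1), FOREVER),
    ("BNOVAK", "Z:MM_RELEASE_1000", date(2023, 1, 1), date(2023, 6, 30)),
    ("CWONG", "Z:MM_RELEASE_1000", date(2023, 1, 1), FOREVER),
    ("CWONG", "Z:MM_DISPLAY", date(2023, 1, 1), FOREVER),
]

def roles_granting(user, function, on_day):
    """Roles valid on on_day through which the user reaches the function."""
    return sorted({
        role for u, role, start, end in USER_ROLES
        if u == user and start <= on_day <= end
        and ROLE_TCODES.get(role, set()) & FUNCTIONS[function]
    })

def sod_violations(on_day):
    """Return {user: [(func_a, roles_a, func_b, roles_b), ...]}."""
    findings = {}
    for user in sorted({u for u, *_ in USER_ROLES}):
        for left, right in CONFLICTS:
            a = roles_granting(user, left, on_day)
            b = roles_granting(user, right, on_day)
            if a and b:
                # Report the roles on each side so one can be removed.
                findings.setdefault(user, []).append((left, a, right, b))
    return findings

if __name__ == "__main__":
    for day in (date(2023, 3, 1), date(2024, 3, 1)):
        print(day, sod_violations(day))
```

The expired assignment for BNOVAK shows why validity dates matter: the conflict exists in March 2023 but not in March 2024.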
Steps:-
Go to PFCG Menu
Go to Utilities, select Cust_Authorization
Note:-
Any role to which transactions have been manually assigned. These roles are used
only during the implementation period. We should maintain an end date for the role
when it is assigned to the user; once implementation is completed, we normally
delete it.
Q) Where do the default values in a role come from, i.e. the activities under an auth
object?
A) USOBX_C and USOBT_C are the tables that control the behavior of the
profile generator after the transaction has been selected.
SAP delivers tables USOBX_C and USOBT_C. These tables are filled with default
values and are used for the initial fill of the custom tables.
After the initial fill we can modify the custom tables.
Table USOBX_C defines which authorization checks are to be performed in a
transaction and which are not.
Table USOBT_C defines, for each transaction and each authorization object, which
default values an authorization created from the authorization object should have
in the profile generator.
Note: Any workbench changes in security are done in SU24. Modifying values in
SU24. Go to SU24, enter the transaction code and select execute.
Select the particular authorization object, which we want to modify.
Select the object and click on change button.
Go to proposal column and select “YES”.
Select the object again and change field values.
Note:-
Under check indicator column if no check is there, then select the auth object and
check indicator.
After changes in particular field select save. It will automatically prompt us to
place a request under a transport.
Go to own request select the transport of type work bench.
Note:- If the transaction request number is created by another team member then
go to Other requests button and enter the user ID
Output = All the requests created using the user id will be displayed.
Select the Workbench request based.
Select the button change owner and go to SC01 to release the request.
/SNC/Permit_Insecure_start=1
/SNC/Permit_Insecure_comm=1
SAP System
Q) If all the users are locked mistakenly, how do we connect to SAP system?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting to
Oracle DB
Select * from <Application Server name>.USR02 where bname='SAP*';
Delete from <Application Server name>.USR02 where bname='SAP*';
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.
Note:
USR02 is a table in which all user master records are stored.
Killing SAP* will automatically recreate a user master record in USR02 table.
Portal Security
All security related activities like Creation of User accounts and Creation of roles
which are normally performed using SU01 and PFCG can be done using portal.
In Portal administration there are two ways of maintaining users and roles
information.
1) Accessing portal using an URL
2) Accessing portal using Active Directory Service
Note:
1) For any portal URL, the port will be in the 50000 series.
2) For the portal we need the J2EE engine to be installed; the ABAP engine is not
needed for it to run.
3) All roles are configured in active directory service which are related with
only portal i.e. users need to enter travel expenses and file their
timesheets using portal, then separate roles are provided which are
related with portal. These roles provide access to users to display the
screens as well as store the information in DB.
4) Some portal screens will be integrated with SAP system i.e. PROS. Instead
of logging into SAP system we use the portal screens from which the user
provide the inputs and gets automatically saved in SAP DB.
Problems in Portal
Problem 1) Global page missing
Solution:
Check in Active Directory whether the user has been correctly added under the
role which is considered as global.
Note:
In Active Directory services we have 2 types of roles:
1) Global roles -> Provide access for a user to log in to the portal, i.e. for the
initial screen to appear. They are classified based on the region the user
belongs to. For example: Africa, Europe etc.
2) Local roles -> Provide access for certain T-codes or activities which the
user needs to perform. E.g.: time sheet filling, travel expenses. Local roles
are categorized based on the location where the user is situated. E.g.: country
wise IN, USA, AF.
3) Every user who accesses the portal must have one global role and 'n' local
roles.
1) Assigning users using the AD service is considered a direct assignment,
whereas assigning users using the portal is considered an indirect assignment.
This is similar to assigning users in SAP using PFCG (Direct assignment)
and SU01 (Indirect Assignment).
2) Unicode in SAP supports 13 languages. All character sets of these
languages are embedded in the software. Non-unicode is language
specific.
3) The upgrade of SAP system from non-unicode to Unicode is possible
whereas the other way is not. To achieve the transition from non-unicode
to Unicode we need to have Non-Unicode export kernel CD and Unicode
import kernel CD.
4) SU3 is the transaction code for maintaining user own data.
5) SCAT, T-code is used for running CATT scripts.
6) The ACTVT field indicates the type of activity, i.e. create, change, generate and
delete.
7) In PFCG transaction code, a profile indicates a unique identifier generated
by system to identify a role.
8) Notation for parent role is Z> and for Child / Derived Role it is Z:
9) Roles starting with SAP_, i.e. SAP defined roles, should not be
generated; instead they are used as templates. Hence if we want to use
any SAP role, first copy the role to a customized role and generate it.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type Basic maintenance only whereas HR related roles and
work flow related roles are of type complete view. By default the roles are
of type basic maintenance.
12) Before we delete a role, it has to be added to a transport because these
actions are performed in DEV system.
13) Profile names come by default; if a name has to be changed, then it has to start
with Z.
14) Color indications in authorizations
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.
Role Distribution
Distribution of a role can be done using
Go to transaction code PFCG -> Menu tab -> Distribute button
Enter the target system, i.e. an RFC connection needs to be created between the
source and target system.
This procedure is distributing the roles between source and target using RFC
connections
If a role is being distributed to a target system only the structure is being
copied and not authorizations. Hence we need to maintain the authorization
for a role in the target system.
1) SAP normally follows 3 system landscape with 3 tier architecture. i.e. DEV,
QAS, PRD.
2) One of the systems has to be configured as transport domain controller.
This configuration is done as a part of implementation i.e. immediately after
executing SICK transaction.
3) The transaction to configure transport management is STMS.
4) RFCs are generated when the Transport Management System is
configured, so that an R/3 system can communicate with all R/3 systems in a domain.
A) SAP systems that share a common transport directory tree form a transport
group.
Q) What is transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain
controller.
Q) What is transport domain?
A) All R/3 systems that are planned to manage centrally using TMS form a
transport domain.
Note: The above steps are performed in Dev System which we can assume as
domain controller
Steps for Requesting inclusion of QAS and PRD systems into domain controller
Log on to QAS with 000 and SAP*, go to STMS
Select other configuration
Provide the description and target hostname of the transport domain, i.e. the DEV
system domain name and instance no., and save
Log in to Development using 000 and SAP* and go to STMS
Select the QAS
Go to SAP systems -> Approve
This will pop up a message saying “Inclusion of system in Transport Domain”; then
click “Yes”
Note: Repeat the above steps for inclusion of the PROD system also
In Dev, distribute the TMS configuration by selecting Extras -> Distribute TMS
configuration
It pops up a message; then select “Yes”
Steps to configure transport routes:
1. Go to STMS T-code and Extras -> Settings -> Transport Routes -> Select the
desired editor and choose continue (By default graphical editor)
2. Go to Overview -> Transport routes -> Select display or change mode
3. Go to Configuration -> Standard configuration -> Three systems in group.
4. Select the R3 systems in the pop-up according to their roles and click
continue and save, specify the type of configuration and choose
continue. It will ask you to distribute and activate the change; then select
YES.
Q. What are the two editor modes in which we can configure the transport routes?
A. 1. Graphical Editor
2. Hierarchical Editor
Q. What are the various configuration methods available in STMS?
A. 1. Single system configuration
2. Development and Production systems
3. Three systems in a group
Q. What is a standard transport layer?
A. This describes the transport route that the data from the development systems
follows.
Q. What is SAP transport layer?
A. It is a predefined transport layer for DEV classes of SAP standard objects
Create Transport Layer:
1. STMS -> Overview -> Transport routes -> Select change button -> Select zoom in
button -> Select the particular transport route -> Go to Edit -> Transport
layer -> Create.
2. Enter the transport layer name and description.
Q. What are the three approval steps you need to follow as a part of approval
procedure in QAS?
A. 1. To be approved by system administrator
2. To be approved by department
3. To be approved by request owner
1. If the import request button does not appear under STMS_IMPORTS, then
go to Extras -> Other requests and select Add; enter manually the transport
request number which you want to import.
2. Move transport number xyz to client 100.
Transporting request in OS Level:
1. Log on to any SAP system, go to “\usr\sap\trans\bin” and execute the command
“tp addtobuffer <request number> <SID> client=<client number>”
2. To import, the command is “tp import <request number> <SID> client=<ClientNo>
U0”
Note: U0 is a qualifier to leave the transport in the buffer.
Q. What are the various qualifier option or what are the various import options?
A. There are six import options
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations