Sap Basis Goodnotes
February 3, 2017 | Author: Sweeti Sridevi | Category: N/A
SAP R/3
SAP (Systems Application and Programs, Real time)
SAP is a 3-tier architecture.

SAP standard versions start with 3.0:
3.0, 4.6B, 4.7EE, NW.04 (came in 2004), NW.04S, ECC5, ECC6

OTHER VERSIONS
SAP – Industries (business-related industry)
SAP – Applications (collaborative, for cross-application)
MySAP Business Suite or MySAP.com: introduced for small and medium industries
SAP NetWeaver – using the Internet
SAP NetWeaver is a combination of MySAP Business Suite and SAP Applications (MySAP BS + SAP applications).

Steps to Install SAP
• Operating System (OS)
• Database (DB)
• SAP
First we have to install the OS, then the DB, then SAP.
Java was introduced in the 4.7EE version. Real Java came in the NW04 version.

SAP DATABASE using
• SAO ORACLE SAP
• SQL SERVER
• DB2

ABAP – programming language designed by SAP
(ABAP+J2EE) – included in NW04

Components – NW.04
• WAS – Web Application Server (ABAP+J2EE)
• EP – Enterprise Portal
• XI – Exchange Infrastructure
• MDM
• Acrobat Reader

ECC5 and ECC6 + Solution Manager
ECC5, ECC6, CRM, SRM, NW (are Web Application Server)
XI – Exchange Rate
MDM – Master Data Management (manages data)

SAP will consist of: Developers (ABAP) + Functional Consultants + Basis
BASIS is a mediator for Database Administrator + Security

SAP Software Life Cycle
Ramp-up Phase (SERVICE.SAP.COM)
- What is the total life cycle
- What are the new SAP products in the market
- PAM (Product Availability Matrix)
Software Maintenance: two keys
- List of SAP packages
- Software release
New SAP S/W release
SAP Maintenance Strategy & Planning
5-1-2 (formula) (total 8 years)
- 5 years of standard maintenance
- 1 year of extended maintenance + with a fee of 2% of standard maintenance
- 2 years of extended maintenance + 4% of standard maintenance

Navigation
3 types of GUI in SAP
- Default Windows-based GUI: SAP GUI for Windows
- HTML-based GUI: SAP GUI for HTML
- Java-based GUI: SAP GUI for Java

SAP Login
- Client:
- User Name:
- Password:

Two Types of Menus in SAP
1. Standard Menu (SAP Menu)
2. Role-Based Menu
Each user will get a role-based menu.
USER_SSM: the table where all menu-related information is stored (whether it is role based or standard based).
SMEN_BUFFC – a table where favorite information is stored
SMEN_BUFFI – a table where favorite information is stored

The steps for downloading from SAP to the desktop, as well as uploading from the desktop to SAP, are:
-> System -> List -> Save -> Local file

Shortcut Commands
/n – Takes to new session in session
/o – New window in new session
/nend – Logging off current session
/nex – To close entire system (without saving)
/i – unsaved session logout

Help – SAP
In SAP there are two types of help:
F1 – Technical help
F4 – Provides possible entries for a particular field (a maximum of 500 entries are allowed in F4)

Filtering Data in SAP
SE16 – the transaction code to view the contents of a particular table.

GUI – SAP
Two types of GUI in SAP
- SAPgui.exe
- SAPlogin.exe
Buttons on GUI
- Group
- Server
- New item
- Delete
- Change
- Login
- Validation
- Change item
SAP log: start the SAP logon file.
Every system will have a port number 32 with (00-99)
3298 – niping
3299 – SAP router

SAP Architecture
Three types of architecture
- Single Tier -> Presentation Layer
- Two Tier -> Application Layer
- Three Tier -> DB Layer
If P, A, and DB are in one box, it is called single-tier architecture.
If P and A are in one box and DB is in another box, it is called two-tier architecture.
If P is in one box, A in another box and DB in another box, it is called three-tier architecture.
Presentation Layer: front end
Application Layer: real calculations and computing
Database: where the data is stored

SAP Landscape (3-system landscape)
How SAP systems are arranged
- The Basis person can access the Development, Quality and Production boxes.
- Each box will have a system ID, i.e. (SID NO).
- In the Production box we have only one client (no changes are allowed in the Production box).
- In the Development box we have three clients.
- In Quality we have two clients.
- All changes are done only in the Development box.
- Only testing is done in the Quality box.
- Changes done in the Development box should be moved to the Quality box and tested, and are finally transferred to the Production box.
- End users have access only to the Production box, and very few end users will have access to a separate Training box.
- The SAND box is used only for R&D purposes. Whatever changes you make in the SAND box will not be transported out of the box, i.e. the changes are stored under $TEMP (local server only).
- The Training box is used by end users for training purposes.
- Both the SAND and Training boxes will have exactly the same data as the Production box.

Development Box
- MAST
- CUST
- SAND
MAST: 000 001 066 – Clients
000 to 999: client number names

Types of Changes in the Development box
- In SAP there are only two types of changes.
Workbench change: T.C. is SE09
Customizing change: T.C. is SE10
Workbench change: a change made to the default values provided by SAP in the tables is called a workbench change.
Customizing change: a change which is a totally new change in a system, e.g. creating a new program or modifying the structure of a program.
Transaction code SE01 = SE09 + SE10
- Workbench changes are transported using the transport layer 'SAP'.
- Customizing transport layer: Z
- Anything starting with Z in SAP is a customizing change.
- In SAP there will always be one export and 'N' number of imports.
- The ratio of exports to imports is E:I = 1:N.
- In a three-system landscape there is one export and two imports.
- Data moved out of the Development box is called an export.
- Data pulled into the Quality and Production boxes is called an import.
- The process is called transportation.
CTD: a physical location which has to be configured at the time of installation.
- The CTD is in most cases configured in the Development box.
- Client number and user name will be the same in all boxes.

MAST =
Client   Description
000      Master Client
001      Backup Client
066      Early watch

Client   User ID       Password
000      sap*          06071992
001      ddic          19920706
066      early watch   surpass/support

These are the SAP client user IDs, clients and passwords.
- 6th July 1992 is when SAP moved from two-tier architecture to three-tier architecture.
  R/2 is Mainframe
  R/3 SAP
- Basis people will have access to DDIC only.
- Initially every newly created client is a dummy, i.e. it will not have any data.
- We have to do a client copy in order to populate the data in the newly created client. This process is called client copy.
- In order to log in to a newly created client, use user ID sap* with password pass.
- ddic is also called the god-like user.
- Early watch is a user ID used by SAP AG people for troubleshooting (ISDN line and router configuration is required for early watch).

3 Tier + 3-system landscape (SAP model)
Multi System Landscape

Server:
I) Central instance
II) Application instance

For a set of software components to work we need a set of work processes.
Presentation: GUI for Windows, web browser, GUI for HTML
Application: D, E, V, B, G, M, S
DB

• We have seven types of work process in the application layer.
• Each work process can be configured in a particular instance or server.
• The number of work processes which can be configured in an instance is 0-99.
• If we need to configure more than 100 processes (i.e. 101) we need a new instance.
Dispatcher and work processes per instance:
D 0-99, E 0-99, M 1, B 0-99, V 0-99, G 0-99, S 0-99
• The dispatcher is called the waiting queue.
• Each work process will have one dispatcher.

Updates are of two types:
I) Primary V/v1
II) Secondary V/v2

Instance: an instance is an application server which provides various services.
We have 2 types of instance:
1) Central instance
2) Application instance
An instance is defined by a set of services, i.e. D, E, V, B, G, M, S.

Central instance:
1) This is an instance where all the services are configured (i.e. D, E, V, B, G, M, S).
2) It is identified by the message work process.
3) Generally message and enqueue will be hosted on the same instance.

Application instance:
1) The AI is an additional layer of the R/3 architecture, used for reducing the load falling directly on the central instance.
2) There is no DB in an application instance.
NOTE: the server in which the DB is present is referred to as the DB server or central instance.

Work processes:
1) Dialog: the instance in which there is the maximum number of dialog work processes is called the dialog instance.
Note:
• For an instance to work we need a minimum of two dialog work processes.
2) Enqueue: the instance in which there is the maximum number of enqueue work processes is called the enqueue instance.
Note:
• Enqueue work processes are used for locking and unlocking SAP objects in a table.
• We should have a minimum of one enqueue work process in an instance (by default we have one work process).

3) Background: the instance in which there is the maximum number of background work processes is called the background instance.
Note:
• This work process is used for handling the jobs which are scheduled in the background.
  Ex: jobs like lists of financial accounting data, profit and loss sheets, production-related info, etc.
Note: Jobs are of three types
1) Medium
2) High
3) Low
These are represented by different colors, as well as monitored and administered by using third-party tools.

Update work process: this is of two types
1) Primary update (v): task-critical activities are primary updates
2) Secondary update (v1): non-critical activities are secondary updates
Note: the maximum number of jobs are of the secondary update type.

Gateway: the gateway is used for communication between 2 SAP R/3 systems.
Note:
• Also between an SAP R/3 system and non-SAP systems, and between R/3 and R/2
• The gateway work process is used for external communications
• A minimum of one work process is needed

Spool: used for handling requests to external devices like printers and fax machines.
Note: A minimum of one spool work process is required.

Message: there are three functions of the message work process
• Handling the input requests from the presentation layer
• Communication with the dispatcher and the work processes
• Logon load balancing
Note: We will always have only one message work process in any R/3 installation.
• The server in which the M + enqueue work processes are available is called the central instance or central server.
• The servers in which the other types of work process are available, except message (i.e. D, E, V, B, G, S), are called application servers or application instances.
• The transaction code to monitor the type of servers or instances is SM51.
• In SM51 we can see only active servers or instances.
• The transaction code to monitor both active and inactive instances is SM66.
• SM66 is also called the global process overview.
• The transaction code to monitor the list of work processes present in a particular instance is SM50.
Note: Each work process requires around 75 to 115 MB of memory to be configured.
• We can set the execution time for each and every work process by using profile parameters.
• The default execution time for a work process is 60 sec.

Dispatcher: there will be one dispatcher for an instance
• The dispatcher is used to handle a request.
• The dispatcher receives requests and keeps them in a queue until that particular work process is free.
• The dispatcher follows the FIFO method.
• The dispatcher can be monitored from OS level with the command DPMON.
• The dispatcher runs from an executable file, Disp+Work.exe, located in the run directory.
• The profile parameter to display the number of work processes is rdisp/wp_no_
  Ex:
  Dialog = rdisp/wp_no_ = 0-99
  Background = rdisp/wp_no_ = 0-99
  Spool = rdisp/wp_no_ = 0-99

Types of key available in the SAP Service Marketplace:
1) Developer key
2) License key
3) SSCR key
4) Migration key

1) Developer key: required for a developer to develop or modify objects in the customer name space (Y or Z).
Note: this key is stored in the table "Dev Access".

2) License key: this key is used to get the license for SAP systems.
• In order to authenticate our production system we need to apply the license key.
• After installation the license key will be valid for 14 days, and we then need to apply for a permanent key valid until 31/12/9999.
• Even if the license has expired, the developer does not lose any data.
• In order to apply the original license we need to register our system or server in the marketplace (service.SAP.com) and generate the key by providing the system number.
The command for the SAP license key: saplicense -get = hardware key
Transaction to check the license = SLICENSE
Steps to install a license key using SLICENSE:
1) Log in to SAP and go to SLICENSE
2) Get the hardware key using the command saplicense -get
3) Go to the marketplace, get registered and get a permanent license key
4) Get the installation number
5) Click on the key icon to install the license

3) SSCR key (SAP Software Change Registration key): in order to modify objects in the SAP main space we need to obtain an SSCR key.
Note: in order to obtain an SSCR key we need to follow certain steps
1) Log in to the SAP marketplace with an S user ID
2) Select the system for which the SSCR key needs to be generated
3) Specify the program ID, object type and object name along with your SAP R/3 version

4) Migration key: in order to migrate from one OS to another OS, or from one DB to another DB, we require a migration key.
Note: we need to enter the target system OS and DB to generate this key.

SAP data is segregated into three layers
1) SAP standard objects
2) Cross-client objects
3) Client-specific objects or data
1) SAP standard objects: these are repository objects, which include functions, transactions, programs, screens, etc.
• All of these are in the name space A to X.
Note: never try to change the repository objects unless and until it is required.
2) Cross-client objects: these are cross-client tables which can be modified. Ex: currency table, measurement table, client administration table, etc.
• Whatever changes we make of type cross-client will affect all the users present under those clients.
3) Client-specific objects (or) data: changes which are specific to a particular client are called client-specific data. Ex: user master data, application data, customized data.
These are of three types
1) User master data
2) Application data
3) Customized data

Starting and Stopping of SAP
When we start SAP the following sequence is executed:
- Database
- Central instance
- Dialog instance or any other instance
Starting and stopping from Windows can be done using the SAP Microsoft Management Console.
In MMC right click on will give the following options:
- Start
- Stop
- View Start Profile
- View Instance Profile
- Trace
The color coding for the status of the SAP server: Yellow Green Red Error Start Stop

Three types of profiles
Start/stop of SAP systems in the background is controlled by a set of profiles which are located at \USR\SAP\DEV\SYS\Profile, where DEV is the SYSID.
1) Default Profile: DEFAULT.PFL
2) Start Profile: START_DEVBGMS01_ (where 01 is the instance number)
3) Instance Profile: _DEVBGMS01_ (where 01 is the instance number)

Never edit the startup profile, because this profile is related to the starting/stopping of the SAP system. The first profile which is read while starting the SAP system is the start profile, followed by the instance profile. All work processes are configured in the instance profile. This profile is specific to the instance in which SAP is installed. Any changes made to the startup profile will affect only that particular instance. All changes made to the default profile will affect all the instances which are configured.
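An instance profile can be checked offline before the instance is restarted. The following added example (not part of the original notes) parses a profile and applies the minimums these notes state: two dialog work processes, one enqueue and one spool work process, a 30-minute run time for client copies, and no automatic sap* logon. The profile text is constructed; the full rdisp/wp_no_* names, rdisp/max_wprun_time (written MAX_WPRUN_TIME in the notes) and login/no_automatic_user_sapstar are standard SAP parameter names that the notes do not spell out.

```python
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# constructed instance profile for SID DEV, instance 01
SAPSYSTEMNAME = DEV
SAPSYSTEM = 01
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 2
rdisp/wp_no_enq = 1
rdisp/wp_no_vb  = 1
rdisp/wp_no_vb2 = 1
rdisp/wp_no_spo = 0
rdisp/max_wprun_time = 600
login/no_automatic_user_sapstar = 0
"""

# Work process count parameters (standard names, assumed; the notes elide them).
WP_PARAMS = ("rdisp/wp_no_dia", "rdisp/wp_no_btc", "rdisp/wp_no_enq",
             "rdisp/wp_no_vb", "rdisp/wp_no_vb2", "rdisp/wp_no_spo")

# Minimums as stated in the notes.
WP_MINIMUMS = {
    "rdisp/wp_no_dia": 2,  # "a minimum of two dialog work processes"
    "rdisp/wp_no_enq": 1,  # one enqueue work process (central instance)
    "rdisp/wp_no_spo": 1,  # "a minimum of one spool work process"
}
CLIENT_COPY_RUNTIME_S = 30 * 60  # notes: 30 minutes before a client copy

_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; '#' comment lines and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)  # a later line overrides
    return params


def audit_profile(params, central_instance=True, client_copy_planned=True):
    """Return a list of (parameter, message) findings."""
    findings = []
    for key in WP_PARAMS:
        raw = params.get(key)
        if raw is None:
            continue  # not set in this file, so the kernel default applies
        if not raw.isdigit() or int(raw) > 99:
            findings.append((key, f"value {raw!r} is outside the range 0-99"))
            continue
        minimum = WP_MINIMUMS.get(key, 0)
        if key == "rdisp/wp_no_enq" and not central_instance:
            minimum = 0  # enqueue is hosted on the central instance
        if int(raw) < minimum:
            findings.append((key, f"{raw} configured, at least {minimum} required"))

    if client_copy_planned:
        raw = params.get("rdisp/max_wprun_time", "")
        if not raw.isdigit() or int(raw) < CLIENT_COPY_RUNTIME_S:
            findings.append(("rdisp/max_wprun_time",
                             f"{raw or 'unset'}; {CLIENT_COPY_RUNTIME_S} s "
                             "recommended before a client copy"))

    # With any value other than 1, the sap*/pass logon the notes describe for a
    # new client stays possible in every client without a sap* master record.
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append(("login/no_automatic_user_sapstar",
                         "automatic sap* user is not disabled"))
    return findings


if __name__ == "__main__":
    for name, message in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {message}")
```

Pass central_instance=False when auditing an application instance, where no enqueue work process is expected.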
Contents of Startup Profile:
- SAPSYSTEMNAME
- INSTANCENAME
- SAPSYSTEM
- SAPGLOBALHOST
- Startdbs.cmd: DB
- Msg_server.exe: Central Instance
- Disp+work.exe: Dispatcher
- Igswd.exe: Java

Start/Stop in Unix:
Commands used to start and stop at OS level in a Unix environment:
StartSAP
StopSAP
Note: How to start/stop the Java engine will be covered later.

Directory Structure:
The directory structure for SAP installed files will be \USR\SAP\\
PRFDOG
TMP
TRANS
One of the most important directories is Trans. Inside it the following subdirectories are present.
Incomplete section. To be filled. Work in Progress.

What are the steps involved in stopping an SAP system?
Before stopping an SAP system we need to check the status of the following:
• Check if there are any logged-on users. Use transaction code – SM04
• Check if there are any background processes to define – SM36
• Check if there is any background processing going on. Use TC – SM37
• Check if there is any batch input session. Use TC – SM35
• Check if there are any update processes running. Use TC – SM13
Note:
1) After verifying the above status we need to send a message to all the users stating the shutdown time, using transaction code SM02.
2) All transaction codes that we monitor are executed in the central instance only.
3) To view the users who are logged in to all the instances we can use transaction code AL08 (Global User Overview).
4) The transaction code to view profile parameters is RZ11.
5) The transaction code to edit or change the profile parameters is RZ10.
6) Report "RSPFPAR" provides the same functionality as RZ11.

There are two types of profile parameters
1) Static parameters
2) Dynamically switchable parameters
For dynamically switchable parameters, we need not restart the SAP system after making the changes. For static parameters, we need to restart the SAP system to make the changes effective. In the table "TPFYPROPTY", the dynamic indicator (X) identifies all dynamically switchable profile parameters.
Note:
• Use transaction code SE16 to view the contents of a table.
• To display profile parameters from OS level we need to use the following: sappfpar
Eg: sappfpar ALL will return the list of all parameters.

Modes of Editing Profile
There are 3 types of edit profiles
1) Administration of Data
2) Basic Maintenance
3) Extended Maintenance
Administration of Data: contains the type of profile, short description, path of the profile, name of the instance and the time of last activation. This profile mode is used only to display the profile parameters. You can perform the maintenance of parameters using either basic or extended maintenance.
Basic Maintenance: allows adjusting the most important parameters and provides a logical description.
Extended Maintenance: displays the unformatted content of the profile, i.e. the technical names of the profile. In extended maintenance we can change values, add values as well as delete them.
Changes are done in 2 steps.
Copy == changes are temporarily copied
Save == changes are permanently saved to the database
Changes to instance-specific profiles take effect only after a restart of the corresponding instance.
Profile parameters related to security administration start with auth* in RZ10.
Profile parameters related to work processes start with rdisp* in RZ10.

Steps for tuning Work Processes
• In the command prompt of SAP execute RZ10.
• In the new screen opened to edit the profile parameters, choose the Utilities option from the menu.
1) Inside Utilities choose the option Import Profile of Active Servers. This step is used to read 3 profile parameters from OS level to SAP level. The output of this step is the profile check log, which shows the status of the three profiles, i.e. any errors in reading the profiles.
2) Press the back button.
3) Select the profile tab and select the instance profile.
4) Go to extended maintenance and select the [Change] button.
Note: To create a new parameter select the [Create Parameter] button. To change the value of an existing parameter, select the parameter under the parameter name column and click on the change button.
Change the value and select the [Copy] button.
Select [Back] and again click on the [Copy] button.
Click on [Back] and click on the [Save] button.

Operation Modes
There are two types of operation mode
1) Day Mode
2) Night Mode
In a real-time scenario during day mode, we have the maximum number of users logging in to the SAP system, hence we need the maximum number of dialog work processes to be set. During night mode, the maximum number of background work processes is scheduled, hence we need the maximum number of background work processes at night. In order to make these changes we need to set up operation modes.
Note: During switching of operation modes, neither the instance nor the affected work processes need to be restarted.

Setting up of Operation Modes
In the command prompt of SAP execute the transaction code RZ04.
Create operation modes Day, Night.
Call all active instances of the system.
Select the work processes that are needed based on the operation mode and assign them to it as default.
Switching of operation modes should be set in SM63 (Timetable maintenance).
Click Save.
Note: Work process allocation is made primarily between dialog and background.
Work process type = Dialog, Background, Class A, Update, V2 Update, Enqueue and Spool.
Class A work processes are allocated primarily for background jobs of high priority.

Maintain Operation Mode and Instances
1) Select [Instance/Operation Modes]
2) Select [Create new instance]
3) Enter the hostname, select the start profile and the instance profile.
4) Click on the [Save] button
5) The work process distribution window pops up
6) Select the type of operation mode, tune the number of work processes and click on [Save].
Note: In a live environment we will not be required to perform this step regularly, and instead we choose Instance -> Maintain Instance -> Work Process Distribution.
7) Click on the [Consistency check] button.
Note: Always use the consistency check button, because the operation mode switch will not work if there is any inconsistency.
8) Go to SM63 (Timetable maintenance) and select the [Change] button.
9) Choose the following menu: Edit -> Time Period -> 15 Minutes. Why only 15 minutes?
10) Select the start time and end time, select assign and select the operation mode.
11) Repeat these steps for Night mode.
Go to RZ03 to display server status and alerts.
Note: This step is selected for a manual switch of the operation mode.
Select the server name and choose Operation mode.
Select the mode and click on Choose.
Go to Control | Switch operation Mode | All Servers -> Selected Servers -> Simulation

Very important Questions
1) In which directory do we have the exe files?
2) In which directory do we have errors or logs or traces recorded?
3) What is the profile parameter for increasing the number of background work processes?
4) What is the difference between a Central Instance and an Application Server Instance?
5) How many application server instances are there in your company?
6) How many modules did you support?
7) What is the version of the OS, DB and R/3?
8) What is the patch level of R/3 used in your project?
9) What are the IP addresses of your R/3 systems?
10) If the dispatcher work process fails can I log in to the SAP system?
11) How to check the status of the dispatcher from OS level?
12) What are the start/stop commands for the SAP system from OS level?
13) If a dialog work process fails where can I check the logs related to the dialog work process?
14) What are the three types of profile parameters and what is their naming convention?
15) What is the technology used by SAP systems to process user requests?
16) What is the transaction code to check whether all my instances are active or not?
17) What is the transaction code for finding out the number of work processes present in a particular instance?
18) How do I do manual switching of the operation mode?
19) How many work processes are required in order to log in to the SAP system? What are the types?
20) In what sequence does the system read system parameters?
21) What is the transaction code to check the consistency of individual profiles?
22) In which sequence do we perform the setting up of operation modes?
23) Which SAP processes are started when the SAP system or an instance is started?
24) How do I find out which are dynamically switched or static parameters?
25) How do I display current values of system parameters? What are the ways of displaying current values of system parameters?
26) If I make any change to the startup profile do I need to restart the SAP system?

Configuring Online Documentation
Online help in SAP is termed online documentation. This has to be installed and configured in DEV only.
* The transaction code to configure help is SR13
Supported help types in SAP
• HTML-Help File: these files are available using a file server and are displayed with the HTML Help viewer. This is a compressed format of help supported by Microsoft. These files have the extension .chm (Compiled HTML format).
• Plain HTML HTTP: documents are stored in standard HTML format. Documents are available using a web server and are displayed with a standard web browser.
• Plain HTML File: the simplest type of help, stored in standard HTML format. Documents are available using a file server and displayed with a standard web browser.
• Dynamic Help: this help is used on all front-end platforms. It uses standard HTML format and documents are displayed in a standard web browser. The files are available using a Knowledge Warehouse server.
Note: The OS file related to help is SAPDOCCD.ini. It is located in the following directories
a) Windows directory
b) Local (or) central GUI
c) Program Files/sap/front end/SAPgui
• SAP Help Portal: Help.sap.com provides Internet-based access to online documentation.

Steps to configure a Help function
• At the command field type the transaction code SR13
• Click on the Edit icon
• Choose the [New Entry] option and enter the following details:
  Variant {Help description}
  Platform {Operating system: Microsoft/Unix}
  Area (auto-populated field)
  Path (should be the path of the help file installation)
  Language (should be English)
  Default check box: if the default check box is selected, i.e. it is set as default, it is considered the only help available whenever you log in.

CLIENT ADMINISTRATION
The list of very important transaction codes for client administration
Activity             Activity Description        Transaction Code
Client Creation      Create a new client         SCC4
Client Deletion      Delete an existing client   SCC5
Local Client Copy    Copying local client data   SCCL
Remote client copy   Remote client copy          SCC9
Client Export        Client Export               SCC8
Client Import        Client Import               SCC7
Client Copy Logs     Client Copy Logs            SCC3
Note: CATT – Computer Aided Test Tool

Resource Requirements
Copying clients requires a large amount of system resources. To avoid any bottlenecks we should ensure that there are enough resources available by considering the following
1) DB storage space
2) Perform a test run before copying a client.
Question) Why do we need to perform a test run?
Ans) A test run determines which tables are to be changed.
Note: What is the amount of storage space a client will occupy? A client without application data needs approximately 150-200 MB of storage space in a DB.

Implementation Considerations
Question) Why do we need to do a client copy?
Ans) To create new clients.
Note: New clients are based on SAP reference client 000 when the R/3 system is first implemented. The new clients are Training, Demo, Test and Production clients.
Note: It is strongly recommended when doing a client copy to use the profile SAP_CUST.
Question) Do we need to transport clients between systems (or) what is the procedure for copying clients between systems?
Ans) We are no longer required to transport clients; instead we make a remote client copy.

Features
When copying clients you can select the data that you want to transfer from the source to the target client. The various types of data are as follows
a) User Master Data: we select this option only if we want to copy all the users of an existing client with the same authorizations into the target client.
b) Client-Specific Customizing: we select this option if we want to set up a new client in an existing system.
c) Client-Specific Customizing and Master/Transaction Data: we select this option if we want to set up a test client, i.e. one identical to the production client in the same system.
d) Client-Specific and Cross-Client Customizing: we select this option if we want to set up a quality assurance system based on the production client of another system.
e) Client-Specific and Cross-Client Customizing and Master/Transaction Data: this option is selected to set up a test client based on the production client of another system.
Note: When a client copy process is completed the client copy tool automatically generates all ABAP dictionary objects that were created as a result of a generation process.

Restrictions:
Background Processing: we can copy clients either online or in the background.
Note: SAP recommends scheduling client copies as background jobs. Why?
Answer)
• During a client copy we must ensure that no users log on to the system (source client).
• Users already working in the target client cannot be locked automatically before the client copy starts, and we must ensure that they leave the system.
• In the source client we can lock the users.
Note: In normal situations, for some technical reasons, we should not lock users in the source client. Eg: production client. If the source client is the production client, this may lead to inconsistency if users are not logged off. To avoid inconsistencies, the related tables are copied together with other tables.
During a client copy large volumes of data are transferred, and hence it may take several hours, for which we need dialog processes.
Note: The client copy tool generally uses a minimum of 2 dialog work processes even if you start it in the background.
Before performing a client copy set the profile parameter MAX_WPRUN_TIME; it is recommended to set it to 30 minutes.
Question) Why should we not transport the client data?
Ans) This is explained with the help of a scenario. In the target system, we have set up clients whose data must not be affected. The cross-client data must not be imported into the system from outside, since the cross-client data overwrites existing data, so that the customizing data of other clients in the target system no longer has any effect.
For client transports an RFC connection should be established between the systems.

Copy Profiles
For copying clients R/3 offers a set of profiles
Copy Profile   Description
SAP_USR        Copies user master records and profiles only.
SAP_CUST       Copies all customizing tables including user profiles.
SAP_VCUS       Copies all customizing tables, user data and user profiles.
SAP_ALL        Copies all data belonging to a client.

Authorizations
To be able to copy and transport clients we need appropriate authorizations. There are two types of authorizations
1) General authorizations for client copy
2) Special authorizations

1) General authorizations for client copy
Authorization   Allows you to
S_TABU_CLI      Maintain cross-client tables
S_TABU_DIS      Maintain system tables
S_CLIENT_IMP    Import data when performing a client copy
S_DATA_SET      Access the file system
Copying of clients:
Authorization   Allows you to
S_USER_PRO      Copy user profiles
S_USER_GRP      Copy user master records

2) Special authorizations
Authorization   Allows you to
S_CTMS_ADMI     Create an object list for client transport and copy object lists between two clients.
Note: This authorization is related to client transports. This authorization object should have the values TYPE=CLCP and ACTVT=01.
Question) What default user has all the authorizations?
Ans) SAP*. This is the reason for locking this user in different environments.

Steps for Client Creation
1) Go to SCC4
16
2) Select the [Change] button
3) Select [New Entry]
Fill in the following entries:
1) Client No and Description
2) Select the client role
System | Client Specific Objects | Cross Client Objects | Protection Level
DEV | Automatic recording of changes (default option) | Changes to repository and cross client customizing allowed | 0
PRD | No changes allowed | No changes to repository and cross client customizing objects | 1 (no overwriting)
QAS (Scenario 1) | No changes allowed (testing, same setting as PRD) | No changes to repository and cross client customizing objects | 1 (no overwriting)
QAS (Scenario 2) | No changes allowed | No changes to repository and cross client customizing objects | 1 (no overwriting)
TRNG | Changes w/o automatic recording, no transports allowed | No changes to repository and cross client customizing objects | 1 (no overwriting)
SNDB | Changes w/o automatic recording, no transports allowed | Changes to repository and cross client objects allowed | 1 (no overwriting)
Protection level 1 is for copying data. The aim of the protection level attribute is to prevent the client from being overwritten, intentionally or unintentionally, by copying additional client-dependent data from another client.
In DEV the protection level is always "no restriction".
In PROD: no overwriting, but external availability is there.
CATT
CATT stands for Computer Aided Test Tool. They generate test data that may be helpful for demonstration purposes. A client with protection level 1 and 2 cannot function as a target client. CATT scripts are only used in test systems as well as QAS systems. This option provides access for testing of data using various testing tools.
Restrictions
Locked due to a client copy: This option is used while performing a client copy, i.e. locking the entire client.
Protection against SAP upgrade:
Data in R/3 is of 2 types:
Client-dependent data. Example: customizing, application and user data
Client-independent data. Example: ABAP programs, R/3 repository objects and Enterprise IMG
Client information is stored in table T000; "mandt" is the field in T000 that stores the name/number of the client.
Clients present in non-IDES: 000, 001 and 066
Clients present in IDES: 000, 001, 066 and 800 (totally customized client)
Note: The option "No Transport Allowed" deactivates CTS (Change Transport System) in the client.
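The role table above can be turned into a repeatable check. The following is an added example, not part of the original notes or of any SAP tool: it compares a client-settings export with the per-role baseline from the table. The T000 value codes, the ROLE column, the export layout and the choice to treat the protection level as a minimum are assumptions of this example.

```python
"""Compare exported SCC4 client settings with the per-role baseline."""
import csv
import io

# Assumed T000 value codes; confirm them in SE11 on your release.
CCCORACTIV = {  # changes and transports for client-specific objects
    "": "Changes without automatic recording",
    "1": "Automatic recording of changes",
    "2": "No changes allowed",
    "3": "Changes w/o automatic recording, no transports allowed",
}
CCNOCLIIND = {  # changes to cross-client objects
    "": "Changes to repository and cross-client customizing allowed",
    "1": "No changes to cross-client customizing objects",
    "2": "No changes to repository objects",
    "3": "No changes to repository and cross-client customizing objects",
}
CCCOPYLOCK = {"": 0, "X": 1, "L": 2}  # code -> protection level

# Baseline per role, taken from the role table in these notes:
# (client-specific code, cross-client code, minimum protection level)
BASELINE = {
    "DEV": ("1", "", 0),
    "PRD": ("2", "3", 1),
    "QAS": ("2", "3", 1),
    "TRNG": ("3", "3", 1),
    "SNDB": ("3", "", 1),
}

# Constructed sample export (not real system data). ROLE is a hypothetical
# column maintained by the administrator; T000 does not store it.
SAMPLE_EXPORT = """SYSTEM;MANDT;ROLE;CCCORACTIV;CCNOCLIIND;CCCOPYLOCK
DEV;100;DEV;1; ;
QAS;200;QAS;2;3;X
PRD;300;PRD;2;3;X
PRD;310;PRD; ;3;X
PRD;320;PRD;2; ;
TRN;400;TRNG;3;3;L
SBX;500;SNDB;3; ;X
PRD;330;ARCH;2;3;X
PRD;340;PRD;9;3;X
"""


def audit_clients(export_text):
    """Return (system, client, field, problem) for every deviation found."""
    findings = []
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    for raw in reader:
        # Exports pad empty codes with blanks; short rows yield None values.
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        where = (row["SYSTEM"], row["MANDT"])
        baseline = BASELINE.get(row["ROLE"])
        if baseline is None:
            findings.append(where + ("ROLE", f"no baseline for role {row['ROLE']!r}"))
            continue
        want_cs, want_cc, want_level = baseline
        checks = (("CCCORACTIV", CCCORACTIV, want_cs),
                  ("CCNOCLIIND", CCNOCLIIND, want_cc))
        for field, codes, want in checks:
            got = row[field]
            if got not in codes:
                findings.append(where + (field, f"unknown code {got!r}"))
            elif got != want:
                findings.append(where + (
                    field, f"is '{codes[got]}', baseline is '{codes[want]}'"))
        level = CCCOPYLOCK.get(row["CCCOPYLOCK"])
        if level is None:
            findings.append(where + (
                "CCCOPYLOCK", f"unknown code {row['CCCOPYLOCK']!r}"))
        elif level < want_level:
            # A higher level than the baseline is stricter and is accepted.
            findings.append(where + (
                "CCCOPYLOCK",
                f"protection level {level}, baseline is at least {want_level}"))
    return findings


if __name__ == "__main__":
    for system, client, field, problem in audit_clients(SAMPLE_EXPORT):
        print(f"{system}/{client} {field}: {problem}")
```

Run against the constructed sample, it reports the production clients that allow unrecorded changes, cross-client changes or overwriting by client copy, plus one client with no baseline role and one with an unrecognized code.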
Local Client Copy
Copying clients within the same system
1) Execute the transaction code SCCL at the SAP command line
2) Select a copy profile that matches your requirement. Click on the [Choose] button
3) Save the profile value by choosing the button [Save Profile Value]. We use this option if we want to use the selected profile as the default setting.
4) Enter the source client
5) Start the copy process. The copy process can be started in 2 ways: either schedule it as a background job or start it immediately.
Note: In a live environment we schedule it as a background job only. If the expected output of the copy process is to copy only user data and profiles, then we can run it online, i.e. [Start Immediately].
In order to perform a client copy, the most critical step is logging into the target client and performing the above process there.
Copying Clients between Systems
When a client is copied from one system to another, the data is transferred directly via the RFC interface.
Steps:
1) Log in to the target client and go to SCC9
2) Select the copy profile
3) Enter the RFC destination
4) Start the copy process
Note: The transaction code to create an RFC destination is SM59
Transporting Clients between Systems
Note: You are no longer required to transport clients before you can copy clients between systems. Instead you can make a remote copy. Nevertheless SAP continues to provide support for the transport function.
During a client transport all languages of the source system are transported. They overwrite the texts in the target system. Therefore all texts are lost in the target system whose language exists only in the target system but not in the source system.
Steps
1) Log onto the source system, SCC8
2) Select a copy profile
3) Select a target system client.
Note: Log on to the source system in the source client with a user that has transport authorization. The data export is performed automatically and asynchronously.
The output of the export includes the names of the transport requests that are to be imported:
KO - Cross client data
KT - Client specific data
KK - Texts and forms
Once we are done with the export, go to SE01 or SE09 and check for the transport request created.
Client import post processing is always necessary and must be performed in the target client after the import of the transport request. Go to SCC7 to check the import queue, verify the request number and export system, and click on the background job tab or start immediately. Thus the client transport is done.
Note: Client Transport = Client Export + Client Import
Log onto the target client, go to SCC1, give the source client and transport request number and schedule it in the background. This is how a local client transport is done.
Post processing activities after client import
Use the following menu for post processing activities.
Tools -> Administration -> Client Admin -> Client Transport -> Post Processing Import
Note: We can use this option to transport customizing changes to the target client that have been made in the source client after the client copy.
Displaying Client Logs
Go to SCC3 to check the logs. To display the detail log for a run, position your cursor on the appropriate run and then select the [Choose] button. The system displays a list with the info: Copy Type, Profile, Status, User, Tables where copy problems occurred, and statistical info. To view further details choose the [Details] button.
Restarting Client Copy
If the process terminates for some technical reason like a database shutdown, you can always restart the process from the point of termination. If you start a client copy or a client transport and the previous process terminated prematurely, the system automatically proposes restart mode with the same parameter settings used for the copy that caused the termination. If the restarted process fails, the log displays a special note indicating possible reasons for the error.
Error Handling
Client copies usually involve large volumes of data, which places strain on the CPU and storage resources of a machine. Depending on the data involved and the system configuration, the most likely errors are given below with corrections.
Error handling in client copy and transport (Error, Cause, Solution, Remarks)
Error: Write error in target client
Cause: Usually a table space overflow problem.
Solution: Check the system log to determine the name of the table space. Extend the table space and repeat the entire copy process. Note: Do not delete
Error: System log message "SYN MC Maintenance deactivated Fully" or "Buffer TABL/TABLP Reset"
Cause: These messages document a special function that is used to improve performance and guarantee consistency.
Solution: None
Error: Termination in exit program after a runtime of several hours (ABAP runtime error log = ABAP dump)
Cause: The client copy program has not terminated, but an application error has caused the termination.
Solution: Run the log display to determine the name of the last exit program that caused the termination.
Client deletion:
Deletion of a client using an R/3 script is not advised by SAP.
Client deletion pre-work:
1) Ensure that there is no backup currently running for the system.
a) Log on to the system at OS level
b) Go to cd /oracle/sid/sapbackup and type tail back*. This will display the last lines of the backup log; the last line will display the latest backup. If the written code listed is the backup is still running and you will need to wait till it ends.
2) Ensure that any scheduled backup for the target system is held while archiving is turned off. By default archiving should be on.
3) Turning archive off:
a) First check whether there are any users currently logged on to the system (AL08), and issue a system message that the system will be used in a few moments
I. Go to SM02
II. Select the create option and enter the message into the dialog box displayed
III. Set the expiration date and select the save button
These are the steps to create a system message.
b) To turn off archiving, first shut down SAP
I. Sesu- adm (Status of the system)
II. Type stopsap R3
III. When you receive the message "instance stopped", check whether the system is down by typing ps -ef | grep dw. There should be no entries visible for the SID you have just stopped.
IV. Exit from SID adm
V. Type sesu_oracle
VI. Enter SAPDBA-U/
VII. Choose option f - archive mode
VIII. Select option A (toggle database log mode)
IX. Type y to the message "instance will be bounced and shutdown immediately"
X. After a few moments type y once again to start up the instance
XI. The archive mode menu should now show that the database log mode is off
XII. Exit SAPDBA
XIII. Exit from ora. In order to restart SAP, ensure that you are in SID adm mode.
XIV. Enter startsap R3. When the message "instance started" is received, check whether the instance is running by typing ps -ef | grep dw and looking for the SID that we have just restarted
c) Remove the system message if it is still valid
4) This step is followed on UNIX OS only. A consequence of shutting down SAP is the interruption of the SMTP mail process within UNIX; you must manually restart the process
I. In Unix type the command sesu_adm
II. Go to cd /sapmnt//exe,
III. Check whether the processes are still running by issuing the command ps -ef | grep ml (mail server). If there are any processes running, that particular process ID needs to be stopped
IV. Enter 'kill -9
5) Since the client deletion process involves five processes, an important step before starting any process is to check that there are enough batch processes available to carry out the work.
a) Enter SM50 and check that there are at least 5 batch processes available (Note: see that an equal number of dialog processes is also available)
b) If there are not enough batch processes available, the operation modes will need to be switched.
c) Enter transaction code RZ04, double-click on the current operation mode and increase the batch processes assigned to that operation mode
d) Manually switch the operation modes using RZ03
e) To check whether the operation mode changed successfully, go to SM50 and count the number of batch work processes
6) This step is to prepare the user for the deletion process
a) First log in to the target client for the deletion process
b) Go to SCC5
c) Specify whether you want to delete the client, also select T000, and execute the process in the background
***NOTE: Selecting option T000 will not only delete the client locally but also remove the entry physically from the T000 table.
Background Job Administration:
1. We mainly use background work processes, called batch work processes, for long running tasks
2. Background processing is used not only for long running tasks but also for recurring tasks. Ex: daily database backup or financial accounting status
A background job consists of one or more steps:
a) An ABAP program
b) An external command
c) An external program
Note: Every job is processed without interruption by one single background work process.
Background jobs can be scheduled with different priorities:
I. Class A - highest priority
II. Class B - medium priority
III. Class C - normal priority
Note: We must ensure that a large share of all background tasks is normally scheduled as class C without target server specification (90% of tasks). Ex: tasks scheduled using transaction DB13
A step within a job can call one of the three actions:
1) Every ABAP program can be scheduled as a step of a job. If the ABAP program has one or more selection screens, you can create the input required in the form of a variant.
2) An external command is a call of a predefined script, a command or a program outside the SAP system. With external commands we can mask OS calls and store them in the SAP system under a new name.
3) The execution of an external command is protected using SAP authorization, i.e. certain external commands can only be processed by particular users in the system.
4) An external command is any OS command. The SAP authorization concept only specifies whether a user can call an external program or not.
Start criteria for a background job:
A job can be triggered by the following options:
1) By scheduling a job on a particular date at a particular time. Ex: time controlled scheduling
2) By the occurrence of a particular event defined in the SAP system (event based scheduling)
Scheduling and monitoring: use transaction SM36 to define new jobs
• We can manually schedule the jobs as well as call the job wizard
• In most cases we schedule manually
Required specifications for defining a job:
1) General specifications such as job name, job priority and target server (optional)
2) Definition of one or more job steps
3) Definition of start conditions (time or event based)
Q) Why is it not preferred to use the job wizard?
A) Unlike classical scheduling, we cannot perform individual steps with different users.
Here we can monitor the different statuses of background jobs.
Status of Jobs
1) Scheduled: The steps of the job have already been defined; however, the start condition must still be defined
2) Released:
I. The job has been completely defined, including the start condition
II. A job cannot be released without a start condition
III. Only a relevant authorized user can release a job
3) Ready: The start condition of a released job has been fulfilled. A job scheduler has placed the job in the wait queue for a free background work process
4) Active: The job is currently being executed and cannot be released or changed
5) Finished: All steps of the job are successfully completed
6) Canceled: The job is terminated. Reasons for this are:
I. An administrator deliberately terminated the job in transaction code SM37 by choosing the Job -> Cancel Active Job button
II. A job step is terminated with an error.
Note: We can change a job status as long as the job still has the status scheduled or released
III. We can create a new job by copying an existing job by choosing Job -> Copy
Time Based Scheduling
There are three options to execute a job:
1. Immediately
2. Particular date/time
3. On a particular work day (i.e. factory calendar)
A job scheduler in the background handles all time-based jobs. The profile parameter which specifies the time period in which the time dependent job scheduler is active is rdisp/btctime.
Execution of jobs with the start condition "Immediate" usually avoids the time-based scheduler. In this case the dialog work process of the user performs the job scheduling.
The profile parameter to configure the background work processes is rdisp/wp_no_btc. The number of background work processes depends on the number of tasks to be performed in the background. If the transport system is used, there must be at least 2 background processes.
The default time for the time dependent job scheduler is set to 60 seconds (rdisp/btctime = 60)
Note: The time-based scheduler is an ABAP program, SAPMSSY2 (an automatic ABAP program), that automatically runs in a dialog work process.
For time based job scheduling we have a job-scheduling table in the DB. Jobs that are not assigned to any particular target server can be executed by any free background work process. This means that the workload is automatically distributed between the systems. If a job is scheduled on a particular target machine, it will run only based on the load of that machine. The automatic selection option is disabled in this case.
Standard Jobs
Standard jobs are background jobs that should run regularly in a production system. As a part of our monitoring we need to take care of them. They mainly perform certain clean-up activities of a system, such as deletion of obsolete spool requests.
In SM36 we go to standard jobs. To schedule all default jobs, choose the "Default Scheduling" option. All standard jobs that are defined in the table REORGJOBS are scheduled with the specified variant and period.
To schedule individual jobs, choose the particular job using SM36 and set the execution period.
To define an additional standard job that is not yet available in the table REORGJOBS, choose "Predefined New Jobs".
Event Based Scheduling
An event is a signal to the background processing system that a particular status has been achieved in the SAP system. The background processing system receives events and then starts all the jobs that are linked to this event. An application server (central instance) is specified for the processing of event based jobs.
Event based jobs can be scheduled with one of the following 3 start conditions:
1. After Event
2. After Job
3. Operation mode
The transaction code to define a new event is SM62.
When defining an event, the administrator differentiates between system and user events. System events are events predefined by SAP that you can neither modify nor trigger.
Triggering events is done in various ways:
1. Manually using SM64
2. Using an ABAP program
3. Outside SAP at OS level, using the program "sapevt", which runs at OS level.
Reservation for Class A Jobs:
There are very few jobs which will be reserved as type Class A. The reservation of work processes for Class A jobs does not reserve any particular work process; rather it ensures that a particular number of work processes is always kept free. To set the number of reserved background work processes for Class A, you define an operation mode in RZ04 and maintain the work process allocation for this operation mode. By doing so, we have the option of reserving work processes. SAP strongly recommends not reserving more than one background work process for processing Class A jobs.
A job server group contains one or more instances with available background work processes. It is possible to select a job group for a particular job.
Transaction code to set up a job group: SM61
Transaction code to set up an extended job selection: SM37c
Background Users
With the definition of jobs in SM36, we can assign each step of the job to a user. This particular user must have the authorization for executing the jobs. There are 2 options:
1. By default, the job will be executed using the current user with which I have logged in.
2. Enter a different user name if your job should not be performed using your own authorizations.
To perform this action we should have the authorization S_BTCH_NAM, which allows entering names other than your own in the user field.
Use the "System" user type when creating background users. SU01 is the transaction code to create users. A dialog logon with this user is not possible.
If I define a job using the job wizard, by default the name of the logged on user is used for the authorization check.
RFC (Remote Function Call)
It is a call of a function module that is running in a different system from the calling program. You can also call a function module in the same system as an RFC; however, RFCs are mostly used for calling different systems.
RFC is an SAP interface protocol, i.e. it is based on the common programming interface for communication (CPI-C). This means that ABAP functions can be called from external applications and tools.
RFC Destinations:
1) R/3 connection
2) Internal connection
3) Logical destinations
4) SNA/CPI-C connections
5) TCP/IP
6) Connection using ABAP/4 drivers
Transaction code for RFC connections: SM59
Types of RFCs
1) Synchronous RFC (SRFC): This is used for communication between different systems and between SAP WAS and SAP GUI.
2) Asynchronous RFC (ARFC): for communication between different systems and for parallel processing of selected tasks.
3) Transactional RFC (TRFC): A special form of ARFC. TRFC ensures transaction-like processing of steps that are originally defined.
4) Queued RFC (QRFC): QRFC is an extension of TRFC. It also ensures that individual steps are processed in sequence.
Note: If SNC is configured, we get a tab in SU01 (user administration). KeyOn is a 3rd party tool configured for single sign-on for SAP systems.
RFC connections should be bi-directional.
Configuring Printers in SAP Systems
The way in which documents are created may be completely different, but the output on paper is always performed using the same mechanism:
1) A spool request is created
2) The spool request contains device independent print data and includes administrative info and the actual print data.
3) Only when the spool request is to be output on a particular device is an output request created. The device independent print data from the spool request is converted to the printer language that the selected output device understands.
This procedure allows the user to display a spool request before output. If the user wants to create a spool request and an output request at the same time, he has to choose the "PRINT IMMEDIATELY" option.
The actual document content of a spool request is stored in TemSe (Temporary Sequential Objects). We can define the storage location for TemSe objects using the profile parameter rspo/store_location. Spool requests are stored in DB table TST03.
We can specify the storage location for the output device using the transaction code SPAD.
Note:
1) SICK (SAP Initial Consistency Check). It is the first transaction code used after SAP installation.
2) SPRO (Customizing)
Installation of Languages (SMLT)
German and English are provided by default. If I want to install a new language, I use SMLT to configure the new language setting.
Note: The default profile parameter related to languages is zcsa/installed_languages.
Local Printing: The spool work process and the OS spool are running on the same host machine.
Access methods of local printing: Unix = L; Windows = C
Local printing is the fastest and most reliable connection from SAP to the OS. You can configure multiple spool work processes for an SAP instance.
Remote Printing: With remote printing, the spool work process and the OS spooler are running on different hosts.
Access methods of remote printing: Unix = U; Windows = S as well as U (Unix Berkeley protocol)
Front End Printing: We can connect output devices to our front-end machines. The access method for front-end printing is F. In the Microsoft Windows OS, the transfer program saplpd receives the data stream and forwards it to the default printer.
We can specify the maximum number of spool work processes used for front-end printing with the profile parameter rdisp/wp_no_fro_max (default value is 1)
Note: Front-end printing is not suitable for production or mass printing. Since front-end printing requires a connection to the front-end PC, we cannot use background processing.
Create an Output Device
Go to transaction code SPAD to create an output device. Parameters to be given in SPAD:
Output Devices
Devices/Servers
1) Output Device: Enter the name (case sensitive) of the output device, maximum of 30 characters
2) Short Name: Can be generated automatically
3) Device Type: The printer model needs to be given. Device type "SWIN" is used for front-end printing.
Location = Room + Building where the printer is located.
Spool Server
It is an SAP application server with spool work processes, or a logical server name.
Lock Printer in SAP System
Output requests for printers for which this indicator is selected are created but not transferred to the printer. The user receives the message "No immediate Printing".
Host Printer = Name of the printer at OS level (case sensitive)
Note: The specification _DEFAULT is set for front-end printing.
Destination Host: This is used only for remote printing. It represents the name of the host where the OS spooler is running.
Host: only for local printing; it is calculated automatically from the spool server.
Device Type
SAP uses the device type to format the printout for the output device. When the spool work process generates an output request, it uses the specification of the device type. The device type describes how print data should be formatted for a particular output device.
Page Format
This describes the format of a printable page in the SAP system, i.e. how output should appear on paper. A format is a device specific implementation of a format type. Example: to perform an output on a page with letter format.
Character Set: Contains the characters that can be output to a device.
Print Control: This allows the control of display options of output devices, such as font size and bold face.
{Questions}
Q) How to identify how many spool work processes are set up in a particular application server?
Ans) Transaction code SM51, and select the application server. Go to SM50 and count the number of work processes with SPO
Q) How many spool processes are configured in our entire SAP system?
Ans) SM66 and check for SPO work processes. In Select Process, choose Type = Spool and Status = Wait
Q) Can we change the number of spool work processes by operation mode switching?
Ans) No. Only background and dialog work processes can be modified.
Q) How to identify how many spool servers are available in your SAP system?
Ans) SM51 or SM66 and check for application servers with at least one spool work process.
Q) How to make the setting for an individual SAP user so that an output request is not created immediately for a spool request?
Ans) SU3, go to the Default tab and ensure that the output immediately option is not checked.
Q) How to find which printer is defined at OS level of your server?
Ans) Go to Start -> Settings -> Printers (Revisit)
Steps to create a local printer
a. Go to SPAD -> device/server tab
i. choose output device
b. Select the change button
i. to get into change mode
ii. Device attributes step
iii. device type
iv. spool server
c. Access method -> host spool access method (c), host printer (name of the printer) the same.
Output a list:
To create the suggested list go to 'SA38', enter the report 'RSPFPAR' and execute it. Enter the parameter 'RSPO*' and execute again. Go to 'SM51' and select the print option.
Creating a remote printer: The procedure is the same as for a local printer.
Creating a front-end printer: Go to SPAD, devices/server/page and choose output device
Database - Database Overview - Backup Restore & Recovery - Monitor Cateradf
Oracle database: a collection of data stored in one or more data files on disks.
- Oracle manages database data in logical units called table spaces.
Table space: one or more data files.
Instance: a set of Oracle background processes and memory buffers forms an instance.
What happens when an Oracle instance is started?
- The shared global area is allocated (SGA is allocated)
- Oracle background processes are started.
* In Unix we can identify Oracle processes as individual system processes.
* In Windows these processes run as threads within one common Oracle OS process, i.e. 'Oracle.exe'.
* When an Oracle instance starts, a special process called the listener process opens and establishes communication between NetWeaver and Oracle.
* The listener process is not part of the Oracle instance; it is rather part of the network processes that work with Oracle.
* In SAP the dedicated server configuration is used, i.e. for each work process we have a dedicated server process, called a shadow process.
* The ratio of work processes to shadow processes is 1:1
* To handle database requests, an SAP work process communicates with its corresponding shadow process.
* Database data is permanently stored in data files on disks.
* To accelerate read and write access, data is cached in the database buffer cache in the SGA
* Executable SQL statements are stored in the shared SQL area of the shared pool.
* The Oracle data dictionary is stored in the row cache of the shared pool.
* Data processing never takes place directly on disk; the data is first copied by the associated shadow process from disk to the database buffer cache in the SGA.
Q: What is the size of an Oracle data block?
Ans: 8 KB (fixed size)
* Oracle keeps the most recently used data blocks in the database buffer cache.
* Sometimes Oracle writes the least recently used data blocks in the buffer cache.
* Modified data blocks are called dirty blocks.
* The shadow process never copies modified data to disk.
* Copying data to disk is done by a special background process called 'DBW0' (DB writer).
What are the situations in which DBW0 writes dirty blocks to disk?
- If the number of scanned buffers reaches a certain threshold.
- At a specific time, that is when a checkpoint occurs.
* Scanning of the buffers is done by the shadow process.
* Changes are done in two ways:
- Roll forward changes.
- Roll backward changes.
* Redo entries are stored in redo log files and are used for roll forward recovery.
* Undo entries stored in the undo table space are used for rollback.
* Redo changes = committed changes = new value = after image.
* Undo changes = uncommitted changes = old value = before image.
* The Oracle shadow process records redo changes and stores them temporarily in the redo log buffer of the SGA.
* The Oracle background process "log writer - LGWR" writes the data in the redo log buffer to the online redo log files, which are stored physically on disk.
* The redo log buffer is also called a circular buffer.
* The circular buffer records all committed and uncommitted changes made to the database.
Q: What are the conditions in which the log writer writes redo log buffer data to the online redo log files?
Ans: There are 4 conditions:
- When a transaction is committed.
- Every three seconds.
- When the redo log buffer is 1/3rd full.
- When DBWR is about to write modified buffers to disk and some of the corresponding redo records have not yet been written to the online redo log, i.e. write ahead logging.
* Each committed transaction will have a system change number (SCN) stored in the redo log file.
* The size of an Oracle redo log file is 40MB (fixed number). There are four predefined collections of online redo log files.
* At every log switch Oracle will increase the log sequence number.
* The current online redo log file, which 'LGWR' is writing into, is called the active online redo log file.
Control files
This file is used to start and operate the database.
What are the entries in control files?
- Physical structure of the database
- State of the database
- Table space information
- Names and locations of data files and redo log files.
- Current log sequence number
* If the physical structure of the database changes, the control files get updated automatically.
* SAP stores control files in three locations during the installation of SAP. It is recommended to store the files on three physically separated hard disks.
* If database = open, then the control file is available for writing.
* Normally caches are small and don't grow.
* With 'RMAN' for backups, control files may grow by a factor of 10, because they contain information about RMAN backups.
Checkpoint
Functions:
* A checkpoint wakes up the database writer to copy all buffers that are dirty to disk.
* It also updates the header of all data files to record details of the checkpoint.
* It writes information about the checkpoint position in the online redo log files into the control file. This information is used during database recovery.
* The less frequently checkpoints occur, the longer the instance needs for recovery.
* Checkpoints occur at a log switch.
Database Recovery:
* Online redo log files are used for database recovery (instance recovery). After a restart, the system performs automatic recovery.
* If online redo log files are lost during a crash, a complete recovery is not possible. Hence online redo log files must be mirrored, i.e. two or more copies need to be maintained.
* Oracle itself mirrors online redo log files by default.
* Online redo log files are limited in size and cannot grow automatically.
* Automatic instance recovery from online redo log files is possible.
* To manually restore and recover data files which are missing, we need both a database backup and all redo log information written after the backup.
* Archiving must be explicitly activated by turning on archive log mode, i.e. "LOG_ARCHIVE_START" is true.
* Archiving is taken care of by an Oracle background process called "ARC0" (archiver)
* Oracle cannot mirror offline redo log files, hence we must use RAID.
* Offline redo log files and data files should be on different disks.
SMON (System Monitor)
* SMON performs recovery at instance startup
* It writes alert log information if any instance process fails.
* It cleans up temporary segments that are no longer in use.
PMON (Process Monitor)
* This monitors shadow processes.
* In case of a client process crash, PMON rolls back its uncommitted data, stops the shadow process and frees resources.
Oracle Directory Structure in SAP
In Unix all directories are present under one single tree, whereas in Windows all directories are present under separate drive letters.
They have 3 files inside the directories:
/database (Windows) init.ora
/database (Unix) init.sap
Spfile.ora (only from Oracle 9i)
• Online redo log file = original log and mirror log.
• Define redo log files: original arch, SAP arch.
Note: All previous versions till Oracle 8i have the saparch directory.
SAP trace = Alert log = SAP trace/background/user trace
Data files = SAP data1 ... ... ... SAP data
There are 3 environment variables on the database server:
1. ORACLE_SID = system ID for the DB instance
2. ORACLE_HOME = the directory for BR* tools.
3. SAPDATA_HOME = the data file directory.
The home directory for Oracle is ORACLE_HOME
The location for control files and offline redo logs is configured in the Oracle profile init.ora.
• The location for data files and online redo log files is stored in the database.
• The Oracle tool to ping is 'TNSPING'
Oracle System Privileges
• SYS DBA and SYSOPR are Oracle system privileges.
• Control of these privileges is outside the database.
• The privileges allow access to the database instance even when the database is not open.
Operating System Users and Groups (Start->programs->Admin tools-> Configure Management -> users, groups)
Users: Admin and ORAdb are the two users which are created in unix system, where as admin, Dbcopy-> Additional Functions-> Init of BRBACKUP tape Volume or Init of BRARCHIVE tape volumes.
The command to start the initialization is BRBACKUP or BRARCHIVE -i/-initialize.
(Q) What are the contents of the tape label after a tape is initialized?
(A) (i) Tape name
(ii) Name of the database
(iii) Time stamp of the last backup recorded on the tape
(iv) Number of backups performed with the tape
Before writing data to tape, the label is read to check the following:
(i) Tape name
(ii) Tape locked or expired (Expire_period)
(iii) Number of times the tape has already been used (Tape_use_count)
If Expiration_period = 0 days, the volume is not locked at all and can be overwritten.
• If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks?
(A) There are 2 types of locks:
(i) Physical lock check: The physical lock check is done by checking the tape label parameter Expir_period. If the number of days passed since the tape was last used is less than the value of parameter Expir_period, then the tape is physically locked.
(ii) Logical lock check: This value is derived from the time stamp written to tables SDBAH, SDBAD.

(Q) What are the various tape selection processes?
(A) (i) Auto tape selection by BRBACKUP and BRARCHIVE (ii) Manual selection by the operator (iii) By external tool

(Q) What is the option to select the tapes automatically by BRBACKUP and BRARCHIVE?
(A) Set the parameters Volume_Backup and Volume_archive to TAPE

(Q) What is the command to check which tape will be automatically selected?
(A) BRBACKUP | BRARCHIVE –Q | Query { check }

(Q) How do we switch off automatic tape management?
(A) By setting the parameters (Volume Backup and Volume Archive) to the value “SCRATCH”

(Q) How do I turn off the tape management performed by SAP tools?
(A) Configure the parameter Backup_dev_type = UTIL_FILE or UTIL_FILE_ONLINE and also configure the BACKINT interface in init.sap
NOTE: The BACKINT interface program is only supported for external backup.

(Q) How do we verify backups?
(A) Verification of backups is of 2 types:
(i) Tape verification: The files are restored file by file and compared with the original files to verify that the backup is readable.
(ii) DB block consistency: This checks the database block by block using the Oracle tool “DBVERIFY” to identify and restore from bad blocks.
PATH: BRTOOLS -> Backup & DBcopy -> Verification of DB Backup, Verification of Archive log Backup
(iv) With the option USE_DBV (DBVERIFY=NO), only the tape is verified (if yes, tape verification + DB block consistency check).

STATUS OF OFFLINE REDO LOG FILES:
(1) During backup to tape = ARCHIVE
(2) First status = SAVED, second status = COPIED, after deletion = DELETED, during backup to disk = DISK
NOTE: All the above statuses are recorded in ARCH.log

ANALYZING DATABASE PROBLEMS:
(1) Check the database alert log and trace files belonging to Bgprocess (SAP Trace/Background)
(i) Check for status of database = Available or Not Available
(ii) Check for error = Media or User error
(iii) Check for corrupted files and file types = Data, Cofile, Online Redo log Files
(iv) Check if software or hardware mirroring = Available or Not
(2) The safest method is to perform a complete offline backup before the files are copied back in the restore place using BRBACKUP or any backup tools.
(3) The above step is very important for point-in-time recovery or for database reset because these strategies always involve data loss.
(4) Save offline redo log files in the ORARCH directory using BRARCHIVE only.
(5) To check the reliability of the backup strategy, regularly run the restoration report in SAP using DB12.
(6) The above report is used to find out which backup to use for recovery, and it also displays information about the last successful backup.
(7) If the list of redo log files after the last database backup is too long, then perform a complete database backup.

BR Tools:
Log in to ORA using putty.
Type BRTOOLS.
There are 9 options in total in BR tools.
a. Select Instance management, it is option 1.
b. In Database instance management select option 2 to shut down the database.
c. Type ‘C’ and press enter to continue.
d. In the Database instance shutdown main menu select option 1, shutdown DB.
e. Under options for shutting down the DB instance we have to choose option 1, that is close mode (default mode is immediate).
f. Select option 1 and enter the string value for ‘mode’ (immediate|normal|transactional|abort).
Note: If users are logged in to the SAP system then I cannot use immediate, normal or transactional modes. Using abort mode will forcefully shut down and will result in data loss, hence never use this option. To be on the safest side always shut down using normal mode.
Alter DB Instance (Switching off archive mode):
Shut down SAP: Stop SAP [SID]
Log on to ORA user and start BR tools
In BR tools select option 1 (Instance Management)
Start up database: select option 1
Alter DB instance: option 3
Enter ‘c’ to continue
Enter ‘c’ to continue
Select option 4 to set non-archive mode
Enter ‘c’ to continue and select option 5 to show instance status
Note: While switching between archive mode and non-archive mode, it will shut down the DB instance first and then start the DB instance. In each of these cases the time stamp is recorded, that is date and time. Once the DB is up and running always check the status before performing any action.

(Q) If SAP is started and I am trying to switch to non-archive mode, what will happen?
(A) It will show an error saying that the SAP instance is running: please shut down first or use the force option.

(Q) If SAP is running and I try to shut down the DB using BR tools, what will happen?
(A) It throws an error saying that SAP is running: please shut down SAP first or use the force option and then continue.

Table space administration:
1. Oracle stores data in table spaces; each table space consists of one or more data files.
2. Data files are plain files stored on the local system.
3. Oracle has 4 segment types:
a. Data: This segment contains table data in rows.
b. Index: Each table has one primary index and ‘n’ number of secondary indexes (optional). This index is used for faster access to table data and to enforce unique constraints.
c. Temp segment: This segment is used for sorts and to create indexes.
d. Roll back/undo segment: This segment is used to provide read consistency, that is, the ability to roll back changes to tables for recovery.
4. To meet the demands of large DBs, DB designers create partitioned tables and indexes.
5. An index segment in an Oracle DB used in SAP holds either all data for a table that is not partitioned or all data for a partition of a partitioned table.

Common table spaces:
1. System: Oracle data dictionary
2. PSAP ROLL: Roll back segment
Note: From WAS 6.1 version we have SAP undo as roll back segment.
3. PSAP TEMP: Temporary segment.

(Q) If a table space is full, what are the possibilities to extend the table space?
(A) Option 1: Add another data file to the table space
2: An existing data file can be manually resized
3: Properties of an existing data file can be changed to auto extendable

(Q) What is the formula to increase the data file size?
(A) Data file size = Expected DB/100

(Q) How many data files will be there by default?
(A) By default there are 100 data files

(Q) Expected DB size and data file size

Expected DB Size | Data File Size
Up to 200Gb | 2Gb
200 to 400Gb | 4Gb
400 to 800Gb | 8Gb
Greater than 800Gb | 60Gb
(Q) What is the error related to table space overflow?
(A) ORA1653 for tables, ORA1654 for indexes.

(Q) What will happen if max extents are reached?
(A) ORA1533 is the error for max extents reached. If max extents is reaching its limit, then increase next extent. When extents are dropped they are marked as free and their blocks can be used by new extents, but adjacent blocks are not combined. The DBA must “COALESCE” free extents into one large extent. There are two options to “COALESCE” extents:
1. BRCONNECT –f check COALESCE free extent automatically
2. BRSPACE –f check COALESCE free extent use locally managed table spaces.
To solve the above problem with extents we must use locally managed table spaces.

Segment Size | Next Segment Size | Max. no. of Extents
Less than 1Mb | Less than 64Mb | 16
1 to 64Mb | 1Mb | 63
64Mb to 1Gb | 8Mb | 126
Greater than 1Gb | 64Mb | Unlimited
The advantage of LMTS (locally managed table spaces) is that the “ORA1533” error will no longer occur. The only disadvantage of LMTS is that it always checks for used and free space.

Increase the table space:
1. Log on to ORA and enter BR tools.
2. Space management (option 2)
3. Extend table space (option 1)
4. Enter ‘c’ to continue
5. Enter ‘c’ to continue
It will give the “Table space extension main menu”.
Note: First use option 2 to show the table spaces and percentage full, make a note of a table space which is 80% or more full, and then add a data file as per the specification using option 1, that is “extend table space”.
6. Extend table space (option 1)
7. This will list all table spaces and percentage used. Example table: “PSAPR3700”
8. Select the table space, that is the ‘pos’ position
9. Enter 2 to select the above example table
Note: Options for extension of table space:
a. Last added file name
b. Last added file size in MB
c. New file to be added
d. Raw disk/link target
e. Size of the new file in MB
f. File auto extend mode = YES
g. Max file size in MB = [10000]
h. File increment size in MB = [20]
i. SQL Command = [alter table space name]
Note: The last added data file name and the new file to be added will show the exact location where the data file is residing, that is Oracle//sapdata 1 to n/
10. Enter ‘c’ to continue
11. Enter option 5 to change the size of the new file in MB
12. Press ‘c’ to continue
13. Select ‘NO’ to continue with the current data file addition.
14. Select ‘YES’ to add a new data file to the current table or add a new data file to a new table.
Note: This action will update the time stamp in the co-file, that is, it creates a copy of the co-file in the location /oracle//SAPREORA|[CNTRL.old]. Once the co-file is created, extending of the table space is done; once successfully completed, it switches to the next online redo log file for the database instance and finally creates a copy of the co-file with a new time stamp, that is CMTRL.news

Top 10 Oracle errors:
1. ORA1631 and ORA1632: Max extent full
2. ORA1653: Table space full
3. ORA1654: Index full
4. ORA1113: When backup is aborted
5. ORA1144: When back is shutdown immediately
6. ORA1578: Data block corrupted
7. ORA0255: Database stuck
8. ORA1555: Buffer mode is OFF
9. ORA272 and ORA255: Archive stuck
10. ORA600: Hardware failure
Note: Options 4 and 5 are also called missing end backup.

Changing Oracle Parameters
Q) Create server parameter file from init.ora
A) Login to oracle user (ora)

Security
We have two parts of security:
I. User administration
II. Role administration (role of a particular user)
Create / Change / Delete } Any one role has to be given to a user.

SOD: segregation of duty

User | Time sheet | Travel expenditure
Permanent user(X) | Do | Do
Temporary user(Y) | Do | Don’t
Contractor user(Z) | Don’t | Don’t
User administration (SU10)
This is used for creation of user accounts and other functions besides creation: delete, change, display, copy, lock/unlock and password reset.
The most common tickets:
1. Creation/deletion of user accounts
2. Locking and unlocking accounts
3. Password reset
Note: The user naming convention should be alphanumeric. First character should be there in the beginning.

Steps to create User Accounts
1. Enter the user and press the create button.
2. In the address tab the only field we need to fill in is LAST NAME.
3. In Logon data, UserType: by default Dialog A
Note:
• With user type Dialog we can log in to the SAP system.
• To create a user we need to maintain the validity of the user.
• For a permanent user, valid through is 31-12-9999; for Temp and Contract users the valid-through date will be given in the ticket.
• Any request in security should have approval from a manager.
• By default approval comes in the form of an email; in some cases a third party tool is used. It can contain an approval form, for example BSSR (Business Security Service Request).
• Default user group is SUPER. Based on the region or department we assign the user groups.
Sample Ticket
UID Mgr ID: UName Mgr Dept: Position Status Department SAP Requirements

Default Values
Default Language: ENG & GER
Decimal Notation: Is divided into 2 parts: 1) Germany 2) Rest of the world.
Default Date Format: DD-MM-YYYY
Spool Output Device: By default it will be empty
Parameter: By default, parameter values are assigned based on the roles. Eg: ESS roles, i.e. related to time sheets

ROLES
Is where we assign the roles.
Note: Always assign the role first and not the profile. Every role by default has its own system-defined profile. We can set the role validity from …. to. Default value is 31-12-9999

PROFILES
Do not enter any profile directly; instead it will be pulled automatically once it is assigned in the roles tab.

GROUPS
Already maintained in Logon Data

PERSONALIZATION
Set of Transaction Codes to work
LICENSE - User License
PFCG - Role administration
SU10 - Mass user administration
SE16 - Table view
SUIM - User info management
SU24 - Maintained authorization check
EWZ5 - Mass lock and unlock
SU53 - Missing authorization error
ST01 - System trace/authorization trace
Basic Terminology of Authorization
Overview of elements of SAP Authorization Concept:
User
Role
Authorization Profile
Authorization
Authorization Object
Authorization Object Class

Authorization Object Class: Logical grouping of authorization objects.
Authorization Object: A group of 1-10 authorization fields that together form an object.
Authorization Field: Smallest unit against which a check should run.
Authorization: An instance of an authorization object, i.e. a combination of allowed values for each authorization field of an authorization object.
Authorization Profile: Contains instances (authorizations) for different authorization objects.
Role: Is generated using the profile generator (PFCG) and allows automatic generation of an authorization profile.
Note: A role describes the activities of a user.
User / User Master Record: This is used for logging on to the SAP system and grants restricted access to functions and objects of the SAP system based on SAP profiles.
Note: Authorizations and authorization profiles are customizing objects. Authorization classes, objects and fields are development objects.

Q) Where are all possible activities stored?
A) In the table TACT

Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role to a user. If at all you want to, then first make a copy of the pre-defined role and then add the user to the role.

Q) Is a role without an auth-profile considered complete or not?
A) No

Q) What are the types of roles?
A) Roles are of 2 types: 1) Parental Role 2) Derived / Base Role

Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name so that an inheritance hierarchy is maintained and hence the transactions are automatically pulled into derived roles.
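The elements defined above (authorization object, field, authorization, profile, role, derived role), modelled as a small Python sketch; this is an added example, not SAP code and not part of the original notes. The role names and plant values are constructed, the use of object M_MATE_WRK with fields ACTVT and WERKS for the plant check is an assumption, and activities 01 (create), 02 (change) and 03 (display) are taken as the TACT values.

```python
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field."""
    obj: str
    values: dict  # field name -> set of allowed values, "*" meaning any value

    def permits(self, required: dict) -> bool:
        # All checked fields must be satisfied by this single authorization;
        # values from two different authorizations are never combined.
        return all(
            "*" in self.values.get(fld, set()) or val in self.values.get(fld, set())
            for fld, val in required.items()
        )


@dataclass
class Role:
    name: str
    tcodes: set = field(default_factory=set)   # menu, maintained in the parent role
    auths: list = field(default_factory=list)  # field and org values of this role
    parent: "Role | None" = None               # set when this is a derived role

    def profile(self) -> list:
        """Authorizations of the generated profile, menu inherited from the parent."""
        menu = self.parent.tcodes if self.parent else self.tcodes
        return [Authorization("S_TCODE", {"TCD": set(menu)})] + self.auths


def authority_check(roles, obj, **required):
    """Return (True, None), or (False, report) with the two parts SU53 shows."""
    held = [a for r in roles for a in r.profile() if a.obj == obj]
    if any(a.permits(required) for a in held):
        return True, None
    return False, {
        "failed_check": {"object": obj, **required},  # what the check asked for
        "user_has": [a.values for a in held],         # what the user holds
    }


def roles_granting(all_roles, obj, **required):
    """Search roles by authorization values, as one would after an SU53 report."""
    return sorted(
        r.name for r in all_roles
        if any(a.obj == obj and a.permits(required) for a in r.profile())
    )


# Constructed sample data; role names are hypothetical.
PARENT = Role("Z_MM_MATERIAL", tcodes={"MM01", "MM02", "SU53"})
PLANT_1000 = Role("Z_MM_MATERIAL_1000", parent=PARENT, auths=[
    Authorization("M_MATE_WRK", {"ACTVT": {"01", "02"}, "WERKS": {"1000"}})])
PLANT_0001 = Role("Z_MM_MATERIAL_0001", parent=PARENT, auths=[
    Authorization("M_MATE_WRK", {"ACTVT": {"01", "02"}, "WERKS": {"0001"}})])
DISPLAY_0001 = Role("Z_MM_DISPLAY_0001", parent=PARENT, auths=[
    Authorization("M_MATE_WRK", {"ACTVT": {"03"}, "WERKS": {"0001"}})])
ALL_ROLES = [PLANT_1000, PLANT_0001, DISPLAY_0001]
USER_ROLES = [PLANT_1000, DISPLAY_0001]  # roles assigned to the sample user

if __name__ == "__main__":
    # The transaction is in the inherited menu, so S_TCODE passes.
    print(authority_check(USER_ROLES, "S_TCODE", TCD="MM01"))
    # Create (01) in plant 0001 fails: the user holds 01 only for plant 1000
    # and plant 0001 only for display, and the two are not merged.
    print(authority_check(USER_ROLES, "M_MATE_WRK", ACTVT="01", WERKS="0001"))
    print(roles_granting(ALL_ROLES, "M_MATE_WRK", ACTVT="01", WERKS="0001"))
```

The failed check is the useful case for review: holding create for one plant and display for another does not add up to create in the second plant, so the only fix is a derived role whose own org values cover it.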
Note: As per SAP recommendations never generate a Parent Role. Always generate derived roles and maintain the field values as well as organizational values in derived roles only.

Q) What is the total number of activities?
A) As per 4.7 total number of activities=168 01 – 99 = Activities A1 – VF = 69

STEPS to CREATE a ROLE (PFCG)
Creation of parental Role:
Any customized role should start with Z or Y.
Enter the role name and select the role name button.
Enter a valid description.
Go to the Menu tab to add the transactions
Click on Save
Select add transaction
Note: Default transaction to be added for every user of SAP: SU53
Assign the transaction and save the role
Creation of Child / Derived Role:
Select the derived role name and, under Transaction Inheritance, in Derive from Role click on “Yes”.
Note:
1) In a derived role we can’t make any changes under the menu tab. Eg: adding a transaction, report, deletion
2) The relationship between parent and derived role is 1:n
3) On first-time creation of a role, always go to expert mode.
Go to the Authorization tab to generate the derived role.

List of Tabs:
Manually: Adding authorization objects manually to a role.
Open: To view all open fields, i.e. the fields in which the values are not maintained (represented by the color yellow)
Changed: To view the changed authorization objects.
Maintained: It will show the fields of the authorization objects for which the missing values are maintained.
Organization Levels: This field is used to maintain the organizational hierarchy like plant, warehouse, comp code and call center.
Note:
1) Always maintain a value in the open field
2) If any standard value is changed, then the status is automatically changed from standard to changed.
3) By default the type of all the auth objects will be standard.
4) Always maintain the organization values using the organizational levels button only.

Hierarchy in a Role:
Role Name = Blue
Class = Orange
Auth Object = Green
Authorization = Yellow
Fields = White

Q) What is the default authorization object which is used to check for any role?
A) S_TCODE
Note:
1) We cannot edit the S_TCODE object in a role. The only way to add a transaction code is in the parent role.
2) When a new role is created for the first time, if any functional transactions are added to the role, then we have to maintain the organization level in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.
Note: All roles will be created in the development system. Any modifications will be done in the Dev system only.
The developed changes are then transported to quality, get tested and approved in Quality and only then moved to production.

Q) Why should we not add organizational values directly in a role without using the org levels button?
A) Value maintenance done directly no longer changes values, i.e. whenever we try to add a new value and generate, an empty field appears, i.e. when adjusting derived roles the authorization value is overwritten.

Rules to be followed in editing the standard objects:
1) Copy the standard object
2) Inactivate the standard, i.e. the first one.
3) Make the changes only in the copied one.
Note:
1) Once we make changes in the copied one, the status changes to maintained.
2) If we do not follow the above steps, then during the next regeneration of a role a new open field appears. Hence, in order to avoid the duplication of fields we need to follow the above rule/procedure.
3) If we make any changes to a parent role, like adding or deleting a transaction code, we have to generate all the child roles under the parent role.
4) Whenever we generate a derived role, always choose maintenance as read old status and merge with the new data.
5) If we choose edit old status then it will not reflect in any open fields even though they are present.
6) Never try to select delete and recreate profile.
7) Once the role is generated we have to assign the role to a user using SU01 (or) add a user to a role using the PFCG User tab
8) Always assign only derived roles to a user. Whenever we add a user in a role, always compare with user compare.
9) In order to refresh the user buffer with new values we always have to go for user compare.

Compare User Master Record:
Comparing the user master record can be done in 2 ways:
1) A default background job, i.e. the report called “pfcg_time_dependency”, is executed before the start of the business day but after midnight, meaning that the authorization profiles in the user master record are always the most up to date in the morning.
2) Using transaction pfud (User master record reconciliation). As an admin, we should regularly execute this transaction; in this way we can manually process errors that have occurred.

Authorization Troubleshooting for a User
Whenever a user tries to execute a transaction which is not assigned, or tries to perform an activity which is not defined for an existing transaction, the user gets a “Not Authorized To” error. In such a case ask the user for an SU53 screenshot for any authorization issues.

SU53 Analysis
SU53 has 2 parts:
1) Authorization check failed: It captures the actual cause of the error.
2) User’s authorization data: It captures the existing access of the user.
Note: In order to check the SU53 analysis of other users go to SU53 and click on display for different user’s authorization object.

Analysis using SUIM
Scenario 1: A user has access to plant 1000 in MM01. Now he is trying to create for plant 0001 and he gets the error no authorization to the plant 0001.
Solution:
Request an SU53 screenshot.
Once you receive the screenshot, go to SUIM.
In SUIM check the roles which have access to plant 0001.
SUIM -> Go to Roles -> Roles by complex selection criteria and deselect the user.
Go to Authorization Object 1 from the SU53 screenshot and select the entry values button.
Enter the values as per SU53 under the authorization object and select the Execute button.
Double click on the role which we want to assign. It will automatically take us to the PFCG transaction.
Go to the Authorization tab.
Select Display authorization data.
Go to the Find button (Ctrl+F).
Enter the authorization object in the authorization field and press enter on Find Object.
Go to Utilities and select Technical names on.

Second Method of Role Maintenance
1) Create a parent role, add transaction codes in the menu tab and generate the role.
2) Create child roles, assign the parent and generate the child nodes.
Note: The generation of child/derived roles is always done from the parent role.
Process:
Go to Authorization -> Edit -> Read old/merge with data.
Make changes in the parent role
Generate the parent
Finally select the generate derived roles button (or) select Auth -> Just Derived -> Generate derived roles
This will automatically generate all the derived roles from the parent role.
Note: In this method org values cannot be maintained using the parent role; we have to individually maintain org values in the derived roles.

Mass Generation of Derived Roles:
Copy all the derived roles into a notepad
Go to PFCG
Go to utilities
Select mass generation
In the mass generation screen select all roles under presentation
Select Display data when created and changed
Click on Role Multiple Selection
Note: Go to the notepad, select all and copy
Come back to multiple role selection and select the upload from clipboard button
Select the check entries button
Select the copy button and select the execute button.

Deletion of a Role:
Before deletion of any role, first add the role to a transport and then proceed with deletion.
Q) Why do I need to add a role to a transport?
A) All the changes to the roles are done in the development box and moved to production. If I delete a role in the dev box, the same role has to be deleted in prod because these roles are finally used by the users in the prod box only. Hence the deleted role needs to be transported.
Go to PFCG and select the role to be deleted.
Keep the role in a transport by selecting the transport role button.
Note:
1) In the choose objects options never check user assignment. Assignment of users to a role is done only in the production box.
2) Changes done using SU24 are of type workbench
3) Changes using PFCG are of type customizing.
SUIM change documents:
For users:
1) Used to find when a user was created or deleted, as well as password reset and user lock/unlock information. Besides this we can track info regarding the roles, like when the roles were added and deleted and who performed this action/date of action.

Scenario 1:
Q) Unlock a user or track why the user is being locked?
A) Go to SU01
Enter the user ID
Go to Logon data and check whether the user is locked.
Go to SUIM -> Change docs for user
Enter the user name and execute
Note: Locks are of 2 types:
1) Locked due to incorrect logon
2) Locked by admin
If the lock is of type admin lock, then we need to contact the admin for the reason for locking, hence never unlock directly. If the lock is due to incorrect logon then go to SU01, select the user and press the unlock button.

Scenario 2: Mass user locking during upgrade:
1) Go to SU01, select * under the user column
2) This will give the entire list of users in my system
3) Copy the usernames into a notepad
4) Go to SU10, copy/paste the users and select the lock
Note: In SU10 we cannot set the password for all the users.

Reference User is for internet purposes.
Note: Assignment of reference user: Go to SU01 -> under the roles tab, ref user for additional rights, where we enter the ref username.

Process steps followed in security - Requests coming in form of CR / Templates
1) The request comes in the form of an approved CR form (Unique ID = CR Name)
2) Log in to DEV and perform the action as per the CR form requirement
3) Put the completed task in DEV under a TP (CUST/WORKBENCH)
4) Transport / move the TP to QAS for testing
5) Create a test id in QAS with the above changes and send the test id details to the CR owner.
6) Once testing is completed in QAS the CR owner will send an approval regarding the test results
a) If test results are positive then move to PR13, else rectify the changes needed.
b) Rectification of changes is done again in development.
c) The rectified change has to be kept in a new TP with the description of the above CR name and moved to QAS.
7) Based on approval, we move the changes to production.
8) Once changes are in production, the CR owner or the end user tests and confirms the final status.
9) Once we get the final confirmation, i.e. the 2nd approval in PRD, we can close the CR.

As part of our daily activities we might receive tasks as follows:
1) Changes in the form of tickets. (Various 3rd party tools are available)
2) Changes in the form of CRs
Each ticket has its own priority, i.e. SLA. Based on the priority there will be a response time and a resolution time for each request.

SLA
Priority | Type | Response Time | Resolution Time
0 | Very Critical | 10 min | 30 min
1 | High | 30 min | 1 day
2 | Medium | 60 min | 4 days
3 | Low | 4 hrs | ----
Note: Response time is the time in which we acknowledge the user request, i.e. once a ticket comes into our queue the first major priority is to accept the ticket in our name. Once this is done we have to send an acknowledgement to the user, via email, chat tool or phone, informing them that someone is working on the issue.
Resolution Time: This is the time in which we have to solve the issue.
Note: By default the status of any ticket is Open.
Stages of ticket:
1) Open
2) Working / In-progress + Assigned to our name + Inform the user + Copy the comments in the tool under the notes column.
3) Closed + Issue resolved + Inform the user + Communicate + Copy the comments in the tool under the notes column.
4) Waiting + Needed some inputs from the user to solve the issue + Inform the user + Copy the comments in the tool under the notes column.
5) Hold + Waiting due to user unavailability, i.e. the user has gone on vacation + Copy the auto response regarding user unavailability and paste it into the notes
6) Cancelled: If there are duplicates or the same request is raised again, we can cancel one of the requests by mentioning the previous request no. under the notes column. (Or) If the user wishes to cancel his/her request, copy the confirmation under the notes and select the cancel button.

Types of CR (Change Requests)
Work bench / Customizing
1) New functionality CR: This CR carries new functionality changes which are done for the first time, i.e. creation of totally new roles.
2) Operational CR: This CR carries the changes which are done on a day to day basis, i.e. modification of roles and deletion of roles.
3) Defect CR: This comes in the form of a ticketing request, i.e. based on the ticketing request raised by the user using the ticketing tool we decide whether we need to create a defect CR. Eg: Some access was already there for a user but was lost due to some reason, and we investigate and find out that these changes have to be there for users. In this scenario we raise a defect CR.

To rectify a defect CR, CR forms are created based on the quarterly release, i.e. we have 4 quarterly releases in a year. During this release different people, i.e. technical + functional consultants + security administrators, get involved and analyze various roles based on the inputs provided by the auditors. This is where SOX policies come into play.
In order to identify the various defects and conflicts in roles and between transactions we use various SOD (Segregation of duty) tools like VIRSA, BIZRights. The process of identifying the defects or conflicts among the existing transactions and rectifying them is known as mitigation.
Ex: MM01 x MM02
1) Create X Change
2) Change X Delete
3) Create X Delete
Note: Default access is Display

HR Security Activities
There are two types of HR security activity:
1) Delegation of Authority
2) Structural Authorizations

Delegation of Authority: Is a process by which a delegate delegates/assigns his/her access to a delegator for a certain period of time, i.e. during this period all the POs (Purchase Orders) or any items coming into the owner’s inbox will go to the delegator’s inbox.
Note: The delegator can delegate the access only to a person on the same hierarchy or a higher hierarchy.
The only issues which we get here are problems with workflow, i.e.
• Items not appearing in the inbox
• An item appearing in the inbox even after the period is expired
• Don’t have access to approve the POs appearing in the inbox.
The first two problems are rectified by the workflow administrator. The last issue is related to the approve access. Before we provide the approval access we have to identify whether that particular person already has create access or not. If he has such access, then send an email notifying him that as per the security policy any user can have either create or approve access and not both.

Steps related with delegation of Authority
1) Log into the HR box, go to PA20, i.e. display HR master data
Enter the personal details
Select the organization assignment and period today
Output will be the position number or personal number
Copy the position no., go to PO13 (Maintain Position)
Paste under position number
Under Infotype select Name and Relationships
Under Time period select All and press the Overview button
Select the row where the object type = P and End date = 31-12-9999 and press the Copy button
Under related object change the type of related object from person to user
Under ID of related object, enter the delegate’s user ID and press Enter
• Make changes in dates Valid From to Valid To
Select the Save button

Structural Authorization: Is a concept under HR security using which we assign roles to users based on the organization object.
Structure of organization management:
1) Organization Unit
2) Position
3) Job
4) Task = Description of an activity, i.e. performed within organization units.
Here we assign roles to positions and not to users. The users are called holders; holders are assigned to positions and not to jobs.
Whenever we create an organization unit structure we have to create the root first, i.e. the organization unit, and only then create additional lower level organization units.

Steps Related with Assignment of HR Roles i.e. Structural Assign
1) Go to PFCG and select overall under view.
2) Select inheritance hierarchy.
Go to PFCG, enter the new role name, in maintenance go to settings -> Complete View (Org management and Workflow)
Create role -> Authorization
Go to the User tab
Select the org. mgt. button
Choose the create assignment button
Select the job [Object Type]
After completion select user comparison.

Special PFCG Roles:
1) Customizing roles: We can assign projects/views of the implementation guide (IMG) to this role.
2) Composition Roles
Steps:
Go to PFCG -> Menu
Go to Utilities, select Cust_Authorization
Select Add Tab
Img Project / Img Project view
Select the customized object based on our requirement
Continue.
If a project/project view has been assigned to a role, it is no longer possible to manually assign transactions to the role. This means that the role can only be used for generating and assigning customized authorizations.
Note: Any role to which transactions have been manually assigned. These roles are used only during the implementation period, so we should maintain an end date for the role when it is assigned to the user; once implementation is completed we normally delete it.

Installation and Upgrade
The basic profile parameter Auth_no_check_in_some_cases=Y has to be set if we want to use the profile generator (PFCG).

Q) Where do the default values in a role come from, i.e. activities under an auth object?
A) Tables USOBX_C and USOBT_C are the tables that control the behavior of the profile generator after the transaction has been selected.
SAP delivers tables USOBX_C and USOBT_C. These tables are filled with default values and used for the initial fill of the custom tables. After the initial fill we can modify the custom tables.
Table USOBX_C defines which authorization checks are to be performed in a transaction and which should not be.
Table USOBT_C defines, for each transaction and each authorization object, which default values an authorization created from the authorization object should have in the profile generator.
During implementation we use transaction SU25 for security related settings; besides this we also use SU24.
Note: Any workbench changes in security are done in SU24.

Modifying values in SU24:
Go to SU24, enter the transaction code and select execute.
Select the particular authorization object which we want to modify.
Select the object and click on the change button.
Go to the proposal column and select “YES”.
Select the object again and change the field values.
Note:Under check indicator column if no check is there, then select the auth object and check indicator. After changes in particular field select save. It will automatically prompt us to place a request under a transport. Go to own request select the transport of type work bench. Note:- If the transaction request number is created by another team member then go to Other requests button and enter the user ID Output = All the requests created using the user id will be displayed.
Select the Workbench request based. Select the Change Owner button and go to SC01 to release the request.

SU25: Profile generator for upgrade and first installation
This transaction code is used only during implementation and during an upgrade. The main purpose of this transaction code is to move the default changes which are maintained in the current version to the new version.
Versions are of 2 types:
1) Version in which there is no PFCG tool
2) Version in which there is a PFCG tool (4.6 B)

Upgrade
Scenario 1: Release without PFCG tool: Always use step 6 in SU25 to convert manually created profiles and authorizations into roles.
Scenario 2: Versions with PFCG
1) Execute the profile generator comparison with SAP values, i.e. comparing by tables USOBX_C and USOBT_C.
2) Add affected transactions
3) Update the existing roles with new authorization values
4) Display all roles where transaction codes have changed
Note: Do not execute step 1 (initially fill the customer tables).
Step 3: Once the above steps are done, transport these changes using step 3.

Q) How do I deactivate an authorization object globally?
A) Go to SU25 and select step 5, deactivate authorization object globally.

Single Sign-On (SSO)
[Figure: SAP GUI, 3rd party tool (Keon), HR and FI systems (secure / unsecure), UID / PIN / PWD, SU01 (SNC) tab]

What is single sign-on?
1) With single sign-on we create the credential once in a third-party tool (e.g. Keon) and later log on to SAP without entering any credentials.
2) We can even log on through the internet using SSO.
3) SSO is represented in the form of an SNC (Secured Network Connection) string. For the SNC string to be activated we need to configure certain DLL files at OS level.
4) Once we confirm the DLL files, we need to go to SAP GUI, select one server, go to Properties, Network, check the secure network settings and enter the SNC string. We then need to go to SU01 and check that access is allowed for the string.
Steps to configure SSO
1) Go to OS services, select the service NT LM Security Support Provider and change the startup type of the service from manual to automatic.
2) Copy the GSSNTLM.DLL file to the directory on our central instance, i.e. /usr/SAP/SID/SYS/exe/run
3) Set the environment variable SNC_LIB to the location of the library.
4) Edit the central instance profile and set the following parameters:
   snc/data_protection/max = 1
   snc/data_protection/min = 1
   snc/data_protection/use = 1
   snc/enable = 1
   snc/gssapi_lib = C:\usr\SAP\SID\SYS\EXE\run\GSSNTLM
   snc/identity/as = P:/SID/sap service
   snc/accept_insecure_cpic = 1
   snc/accept_insecure_gui = 1
   snc/accept_insecure_rfc = 1
   snc/permit_insecure_start = 1
   snc/permit_insecure_comm = 1

Preparing SAP GUI for Single Sign-On
In the SAP Logon window choose Edit, Advanced/Network, Advanced, Secure Network Communication and enter P:\\sap service

Mapping SAP system users to Windows users for Single Sign-On
Go to SU01, choose the SNC tab and, in uppercase, enter the name of the Windows user that is to be assigned to the SAP system user, P:\\ . Select "Insecure communication permitted" and save the entries.

Central User Administration
Administering users centrally from one central system
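Returning to the SNC parameters from step 4 of the SSO configuration above, an added example (not part of the original notes): a Python check that reads profile text and flags the switches that still accept connections without SNC and the data protection levels below encryption. The sample profile is constructed, the function names are this example's own, and treating an absent switch as 0 is an assumption.

```python
import re

# Constructed sample: the values from step 4 of the SSO procedure.
# parse_profile also accepts the "/SNC/Accept_Insecure_GUI=1" style of writing.
SAMPLE_PROFILE = """\
snc/enable = 1
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
"""

# Switches that let a connection bypass SNC unless they are 0.
INSECURE_SWITCHES = (
    "snc/accept_insecure_cpic", "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc", "snc/permit_insecure_start",
    "snc/permit_insecure_comm",
)
# SNC protection levels below 3 (privacy); 9 means the highest available.
LEVELS = {1: "authentication only", 2: "integrity protection"}

def parse_profile(text):
    """Return {normalised_name: value}, skipping comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/?([\w/]+)\s*=\s*(\S.*)$", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params

def audit_snc(text):
    """Return (parameter, value, finding) tuples for weak SNC settings."""
    p, findings = parse_profile(text), []
    if p.get("snc/enable") != "1":
        findings.append(("snc/enable", p.get("snc/enable"), "SNC is not enabled"))
    for name in INSECURE_SWITCHES:
        value = p.get(name, "0").upper()  # assumption: absent means 0
        if value == "1":
            findings.append((name, value, "unprotected connections accepted"))
        elif value == "U":  # per-user flag on the SU01 SNC tab decides
            findings.append((name, value, "unprotected logon decided per user"))
    for name in ("snc/data_protection/min", "snc/data_protection/use"):
        raw = p.get(name, "")
        if raw.isdigit() and int(raw) < 3:
            level = LEVELS.get(int(raw), "an undefined level")
            findings.append((name, raw, f"permits {level}, no encryption"))
    return findings
```

Run against the values from step 4, every insecure-acceptance switch and both data protection settings are reported; a profile with the switches at 0 and protection at 3 or 9 returns no findings.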
CUA works with RFCs.

Steps to Configure CUA
1) Create logical systems for all the clients (using BD54/SALE)
2) Attach the logical systems to the clients using SCC4
3) Create user CUA_SID in the central system with 3 roles and create user CUA_SID_CLIENT /name in the child system with 2 roles.
4) Create RFCs to child systems from central and central to child using SM59
5) Log on to the central system and use SCUA to configure CUA (Central User Admin)
6) Enter the model view and enter all child system RFCs
Note: The RFC naming convention must be the same as the central system naming convention of the logical system.
7) Save the entries
8) Once we expand the test for the individual systems, we normally see these messages for each system: ALE distribution was saved, central user admin activated, and then comparison was started. They should be in green.
Note: If there are any problem messages, refer to SAP note 333441 in the marketplace.
9) Use transaction SCUG in the central system to perform the synchronization activities between the central and child systems.
10) Use transaction SUCOMP to administer company address data.

Security Extension Classes
Conducted on Saturday (Dec 1st 2007)

In SAP the nomenclature for roles by version is:
4.6 B                            4.6 C
DAG - Derived Activity Group     Derived Role
GAG - Global Activity Group      Parent Role

Q) If all the users are locked mistakenly, how do we connect to the SAP system?
A) Follow these steps:
Step 1) Go to OS level and execute the following SQL statements after connecting to the Oracle DB:
   Select * from .USR02 where bname='SAP*';
   Delete from .USR02 where bname='SAP*';
Step 2) Then log in using the SAP* user.
Step 3) Go to transaction code EWZ5 or SU10 and unlock all the users.
Note: USR02 is the table in which all user master records are stored. Killing SAP* will automatically recreate a user master record in the USR02 table.

Portal Security
All security related activities, like creation of user accounts and creation of roles, which are normally performed using SU01 and PFCG, can be done using the portal.
In portal administration there are two ways of maintaining user and role information:
1) Accessing the portal using a URL
2) Accessing the portal using Active Directory Service
Note:
1) For any portal URL, the ports will be in the 50000 series.
2) For the portal we need the J2EE engine to be installed; the ABAP engine is not needed for it to run.
3) All roles that are related only to the portal are configured in Active Directory Service, i.e. if users need to enter travel expenses and file their timesheets using the portal, separate roles are provided which are related to the portal. These roles give users access to display the screens as well as store the information in the DB.
4) Some portal screens will be integrated with the SAP system, i.e. PROS. Instead of logging into the SAP system we use the portal screens, in which the user provides the inputs and they get saved automatically in the SAP DB.

Problems in Portal
Problem 1) Global page missing
Solution: Check in Active Directory whether the user has been correctly added under the role which is considered as global.
Note: In Active Directory services we have 2 types of roles:
1) Global Roles
Provide access for a user to log in to the portal, i.e. for the initial screen to appear. They are classified based on the region the user belongs to. For example: Africa, Europe etc.
2) Local Roles
Provide access for certain T-codes or activities which the user needs to perform. Eg: Time sheet filling, travel expenses. Local roles are categorized based on the location where the user is situated.
Eg: Country-wise IN, USA, AF
3) Every user who accesses the portal must have one global role and 'n' local roles.

Problem 2) User reports "Not able to access ESS"
Solution: Check the global role. Check the exact local role assigned to the user.

Problem 3) User reports "He is able to access other global screens instead of his own screen"
Solution: Find which global screens the user is able to access. Go to the AD service and then to the particular global role. Edit the role and check if the user ID has been added to that particular role. If it has, remove the user ID, add the user ID to the correct global role and inform the user to restart his system in order to pick up the changes.

Note:
1) Assigning users using the AD service is considered a direct assignment, whereas assigning users using the portal is considered an indirect assignment. This is similar to assigning users in SAP using PFCG (direct assignment) and SU01 (indirect assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages are embedded in the software. Non-Unicode is language specific.
3) The upgrade of an SAP system from non-Unicode to Unicode is possible, whereas the other way is not. To achieve the transition from non-Unicode to Unicode we need to have the Non-Unicode export kernel CD and the Unicode import kernel CD.
4) SU3 is the transaction code for maintaining the user's own data.
5) T-code SCAT is used for running CATT scripts.
6) The ACTVT field indicates the type of activity, i.e. create, change, generate and delete.
7) In transaction code PFCG, a profile is a unique identifier generated by the system to identify a role.
8) Notation for parent role is Z> and for Child / Derived Role it is Z:
9) Roles starting with SAP_, or SAP defined roles, should not be generated; instead they are used as templates. Hence if we want to use any SAP role, first copy the role to a customized role and generate that.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type Basic Maintenance only, whereas HR related roles and workflow related roles are of type Complete View. By default the roles are of type Basic Maintenance.
12) Before we delete a role, it has to be added to a transport, because these actions are performed in the DEV system.
13) Profile names come by default; if a name has to be changed, it has to start with Z.
14) Color indications in authorizations:
   a. Red: No organization values
   b. Green: All fields have values
   c. Yellow: Some field values are missing

Role Distribution
Distribution of a role can be done as follows:
Go to transaction code PFCG
Menu tab
Distribute button
Enter the target system, i.e. an RFC connection needs to be created between the source and target system.
This procedure distributes the roles between source and target using RFC connections.
If a role is distributed to a target system, only the structure is copied and not the authorizations. Hence we need to maintain the authorizations for the role in the target system.

STMS (SAP Transport Management System)
1) SAP normally follows a 3 system landscape with 3 tier architecture, i.e. DEV, QAS, PRD.
2) One of the systems has to be configured as the transport domain controller. This configuration is done as a part of implementation, i.e. immediately after executing the SICK transaction.
3) The transaction to configure transport management is STMS.
4) RFCs are generated when the Transport Management System is configured, for the R/3 system to communicate with all R/3 systems in a domain.

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.
Q) What is a transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain controller.
Q) What is a transport domain?
A) All R/3 systems that are planned to be managed centrally using TMS form a transport domain.

In order to configure the transport domain controller we have to log in using client 000 and user SAP*, or any user having authorization similar to SAP*.

Configuring the transport domain controller:
1) Log in to SAP using client 000 and SAP*
2) Go to STMS; it will propose the system as transport domain controller. Provide the description and save.
3) Go to the Overview menu and select Systems
4) Place the cursor on the SYS ID and select SAP System, Display
5) Go to Transport Tool and check the transport directory under the global parameters, i.e. the transport directory path (\usr\sap\trans)
Note: The above steps are performed in the DEV system, which we can assume to be the domain controller.

Steps for requesting inclusion of the QAS and PRD systems into the domain controller:
Log on to QAS with 000 and SAP* and go to STMS
Select Other Configuration
Provide the description and target hostname of the transport domain, i.e. the DEV system domain name and instance number, and save
Log in to Development using 000 and SAP* and go to STMS
Select the QAS
Go to SAP Systems, Approve
This will pop up a message saying "Inclusion of system in Transport Domain"; click "Yes"
Note: Repeat the above steps for inclusion of the PROD system also.
In DEV, distribute the TMS configuration by selecting Extras, Distribute TMS Configuration
It pops up a message; select "Yes"

Backup Domain Controller
The backup domain controller holds a copy of the reference configuration, so configuration changes can be managed when the transport domain controller is not available.
Steps in defining the backup domain controller:
1. Log on to the transport domain controller system using client 000 and SAP*. Go to T-code STMS.
2. In the STMS screen go to Overview -> Systems -> select the R/3 system to be defined as backup domain controller.
3. Go to SAP System -> Display
4. Go to the Communication tab -> select Change. Under Backup, enter "QAS" and save; it will give a pop-up window requesting you to configure the changes immediately, select YES.
5. Go to Extras in the menu -> Activate backup domain controller. It will give a pop-up window "Activate system QAS as a domain controller"; click "YES".

Transport Routes:
Transport routes indicate the roles of each system and the flow of change requests.
Steps to configure transport routes:
1. Go to T-code STMS and Extras -> Settings -> Transport Routes -> select the desired editor and choose Continue (by default the graphical editor)
2. Go to Overview -> Transport Routes -> select display or change mode
3. Go to Configuration -> Standard Configuration -> Three systems in group.
4. Select the R/3 systems in the pop-up according to their roles, click Continue and save, specify the type of configuration and choose Continue. It will ask you to distribute and activate the change; select YES.

Q. What are the two editor modes in which we can configure the transport routes?
A. 1. Graphical Editor
   2. Hierarchical Editor
Q. What are the various configuration methods available in STMS?
A. 1. Single system configuration
   2. Development and Production systems
   3. Three systems in a group
Q. What is a standard transport layer?
A. This describes the transport route that the data from the development system follows.
Q. What is the SAP transport layer?
A. It is a predefined transport layer for the DEV classes of SAP standard objects.

Create Transport Layer:
1. STMS -> Overview -> Transport Routes -> select the Change button -> select the Zoom In button -> select the particular transport route -> go to Edit -> Transport Layer -> Create.
2. Enter the transport layer name and description.

Configuring transport routes manually:
1. STMS -> Overview -> Transport Routes
2. Go to Edit -> Transport Route and add a transport route -> select source and target and release; we then get the pop-up window for the transport layer, click Continue.
Note: The development system is considered the consolidation system. The quality system is considered the delivery system. The production system is considered the integration system.

Enabling Quality assurance approval procedure (QAS):
1. Go to STMS -> Overview -> Transport Routes -> select change mode and double click on the QAS system.
2. Go to System -> System Attributes -> Delivery after configuration and click on the Procedure button.
3. Select the check box under the column "ASTV" as required and choose Save.
4. Select the Distribute and Activate (F8) button icon.

Q. What are the three approval steps you need to follow as a part of the approval procedure in QAS?
A. 1. To be approved by system administrator
   2. To be approved by department
   3. To be approved by request owner

Using TMS in day to day operations:
Go to "STMS_IMPORT"; this will take us to the screen in which all the imports are available. Select the import, that is the transport request, and click the truck button (half loaded truck).
Note:
1. If the import request does not appear under STMS_IMPORT, go to Extras -> Other Requests, select Add and manually enter the number of the transport request you want to import.
2. Move transport number xyz to client 100.

Transporting requests at OS level:
1. Log on to any SAP system, go to "\usr\sap\trans\bin" and execute the command "tp addtobuffer <transport request> <SID> client=<client>"
2. To import, the command is "tp import <transport request> <SID> client=<client> U0"
Note: U0 is a qualifier to leave the transport in the buffer.

Q. What are the various qualifier options, or what are the various import options?
A. There are six import options:
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations