November 22, 2012



1) How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.
Go to SUIM, enter the user group name under Users by Complex Selection Criteria, and execute to get the list of users. Then execute SU10, enter the list of users, and assign the role to them.

2) What is Fire Fighter? When do we use Fire Fighter?
Fire Fighter is used if you have implemented Virsa/GRC.
Fire Fighter is a Virsa tool; it is used to execute critical tcodes when doing configuration.
A Fire Fighter ID is also a normal user ID, but with some specific access (say SU01 or SAP_ALL) as per the needs. The user type is kept as "service user".
When it is used: say, in your project you are a security administrator who does not have direct access to SU01, but you need the access urgently.
Then the FFID owner/administrator assigns you an FFID for a limited period so that you can perform the task from your own login ID and password, using tcode /n/virsa/vfat and logging in with that FFID.
While logging in you will be prompted to give a business reason for the access.
Everything you perform in that period (using the FFID) gets recorded for auditing.

3) I need to give authorization to a user for the SU01 tcode, but the delete option should not work, i.e. the user should be able to create, display, change etc. but not delete in SU01. How can I do this?
Delete activity 06 from S_USER_GRP.

4) What are the components in the VIRSA tool and GRC?
In GRC we have these tools:
Access Enforcer
Compliance Calibrator
Role Expert
Fire Fighter
In the VIRSA tool we have: VRAT and VFAT

5) How to create a new authorization object?
Using SU21 we can create a new authorization object.

6) Can anyone tell me what the use of the SU24 and SU25 transaction codes is exactly?
SU25: A transaction that copies SAP defaults from USOBT and USOBX to USOBT_C and USOBX_C.
USOBT is a table that consists of transactions and authorization objects. It stores the default authorization values from authorization objects.
USOBX is a table that defines the necessary authorization checks that need to be performed within a transaction.
Initially both tables USOBT and USOBX consist of default values. These two tables are then used to fill the customer tables USOBT_C and USOBX_C through transaction SU25.
SU24: A transaction that maintains the assignment of authorization objects in the customer tables USOBT_C and USOBX_C.

7) What is the difference between Copy Roles and Derived Roles?
In a derived role, all the transactions of the parent role are copied, but not the org structure and authorizations, and we can't add more transactions in the derived role.
In copy roles, all the transactions with authorizations are copied.

8) What is a temp role and a copy role?
Temp role: it is the SAP standard role, which is defined by SAP.
Copy role: a role copied from an existing role.

9) How to transport roles?
1. Create a transport request in SE10.
2. In PFCG, specify the role name and press the transport button (truck icon).
   (In case of multiple roles, go to Utilities > Mass transport.)
3. There will be three info screens. Tick each of them.
4. Give the transport request number which you created in SE10.
5. Press OK.
6. To confirm the changes, go to SE10, find your request number, right-click and verify that the roles are attached.

10) What are various user types?
Dialog (A)
System (B)
Communication (C)
Service (S)
Reference (L)

Dialog users are used for individual users. Expired/initial passwords are checked. It is possible to change your own password. Multiple dialog logons are checked.

A Service user: only user administrators can change the password. No check for expired/initial passwords. Multiple logons are permitted.

System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.



1) Under Description, when creating a role, what should be written there? What does your company follow?
The description of a role defines the role-related activity in short. Just by seeing the description of the role, one can easily know the role details, like:
Which SAP module the role belongs to (MM/PP/FICO)
The company code/org level values
Restricted values can also be mentioned there
The activity performed after assigning that particular role.

2) What is the correct procedure for mass generation of roles?
1) Tcode SUPC is for mass generation of roles. Or you can use scripts.
2) Program SAPPROFC_NEW: insert the roles to be generated and execute.
3) PFCG > Utilities > Mass Generation

3) Can we assign generated profiles to users directly?
No, we can't assign a generated profile to a user directly; we have to assign the role associated with that particular profile.
The best practice is not to assign a profile to a user master record. But then we can assign...
Check it, for example: assign SAP_ALL to a user master record and it can actually work.
So, yes, a profile can be assigned to a user and can work.

4) What is the maximum number of profiles we can assign to one user?
Approx. 312

5) How can we assign a single role to many users (more than 5000 users)?
Go to SU10.
Click on Authorization Data.
Click on the multiple selection button beside the user input field; a pop-up will appear --> click on the green "import from text file" button.
Give the location of the Excel sheet where you have already kept the 5000 users.
Execute --> execute --> select all --> transfer; this will bring all 5000 users into SU10.
Now change --> Roles tab --> assign the single role --> save.

6) I want to see the list of roles assigned to 10 different users. How do you do it?
1. Go to transaction SE16.
2. Type AGR_USERS and go to the next screen; in the user field, enter the list of user IDs.
Or go to SUIM --> Roles --> By User Assignment.
Click multiple selection.
Select the users and execute.
Now you get a list of the roles assigned to the selected users.

7) What is the advantage of CUA from a layman/manager point of view?
CUA - Central User Administration
The advantage of CUA is that it saves time: users are created in one single system and distributed to the respective systems (where the user ID is requested). It helps in avoiding logging in to each individual system. From a layman's point of view we don't have any advantage, but from an SAP security admin's point of view user administration takes less time.

8) How do we create a Fire Fighter ID in Virsa's VRAT?
First create a service user and map this user in /n/virsa/vfat.

9) What is the procedure to delete a role ?
First add the role that needs to be deleted to a transport.
Then delete it. If there is no transport already, create one, add the role marked for deletion to it, and only then delete the role.
If the role is deleted without adding it to a transport, we will not be able to delete the same role in other systems like Acceptance / Quality / Production in a CUA environment.

10) What is the main difference between a role and a profile?
Roles are sets of authorizations.
Profiles are a sub-component of roles.
We can assign a role to a user, but not a profile.

Roles are collections of different transactions and reports/web links, whereas a profile is nothing but a set of authorizations which defines the behavior of the transactions listed in the role menu. Another difference could be that we can assign roles to users using PFCG, but we cannot assign a manually created or generated profile directly to users using PFCG.



1) A user is asking for a t-code to be assigned. How do you assign the t-code?
First we have to check whether the user has access to the particular tcode. If not, run SUIM with Roles by Complex Selection Criteria --> set Object 1 to S_TCODE with the required tcode as its value and hit the execute button. The query will fetch a list of roles. Select a role that has the minimum authorization and satisfies the user requirement, and assign the role to the user.

2) A user is not able to execute a t-code; how do you solve that? What are the different reasons that might exist?
1. The tcode does not exist
2. The user context is missing authorization for that tcode
3. The user comparison is not current
How to solve:
1. Check whether the user has the tcode or not, using SUIM --> Roles by Complex Selection Criteria [s_bce_68001425].
2. If the tcode is not assigned to the user --> assign a suitable role after taking approval. Make sure to run a user comparison to update the user master record.
3. If the tcode is available for the user and the user still can't access it --> ask for a screenshot of the SU53 result; there might be some other authorization which is missing for the user.
4. We can also trace the user's authorization checks using ST01, finding the user's missing access by analyzing the ST01 report and return codes (rc).

3) What is difference between se16 and sm31?
SE16: table display
SM31: table, view modification

4) What are the authorization objects which are always present in the user master record?
For the user master record, as you must know, there are different tabs in the UMR. So, as per my understanding, the UMR stores information about users, like name, roles assigned, and license data.
Objects which are always present for the UMR are:
S_USER_AGR, S_USER_GRP, S_USER_AUT, S_USER_PRO, and each of these objects has its own importance, because S_USER_AGR helps to maintain the roles assigned, S_USER_GRP helps to maintain the authorization group in Logon Data, and S_USER_AUT and S_USER_PRO help to maintain the set of authorization profiles and the different authorizations included in each profile.

5) What is the use of the System Task tab on the menu bar in PFCG?
Role creation, change and delete.

6) How can we lock a transaction? What happens exactly?
In transaction SM01 we can lock transactions; we can lock one or many at a time in the system.
After locking a transaction, the system won't allow anybody to use it.
When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

7) What is the use of SM35P and SM35? Is there any difference between these two?
Tcode SM35P is used to display/monitor sessions. Using tcode SM35 you can run/process the sessions in the background or foreground.

8) Is there any transaction to see the transport log, i.e. which data or roles have been transported from which system at what time?
Transaction SE01 is used to see the transport log.
By clicking the "DISPLAY" tab you are able to see the logs.
You can also see which roles or data have been transported from which system at what time.

9) Which role is commonly used?
Composite and single roles are commonly used.

10) How to find the list of users already locked before a particular date?
Example: list of users already locked before 01/01/2010
Go to SUIM - Users - Users by Complex Selection Criteria, scroll down to the bottom, go to Additional Selection Criteria, then give the validity date and tick the check box of the option Locked Users Only, then execute; you will get the list of the locked users.



1) What is the difference between 4.7, ECC 5 and ECC 6 from an SAP security point of view?
SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0 but not on 4.7EE.
SAP 4.7 is an ABAP-based system; here we see only R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and Java stacks, which means the Enterprise Portal is also included. Here we can have both R/3 security for the ABAP stack and Java stack security, which is part of the portal concept (Enterprise Portal Security).

2) What do you mean by profile and object?
A profile is an authorization profile, whereas an object can be an authorization class, an authorization object, or a field and value. So, several objects are required to make up a profile.
More precisely, a profile is a set of different authorizations for different objects. When you create a role and generate its profile, the objects corresponding to the transactions you have added in the role menu are automatically fetched by the profile generator. Which objects are fetched for which transaction can be checked using the SU24 tcode; only objects with check/maintain status are fetched by the profile generator during profile generation. For better understanding, keep in mind that for every tcode there is a certain set of objects. Each object has different fields, and each field has values, e.g. 01, 02, 03 for create, change, display respectively.

3) What is the profile?
A profile is what a user can do within the role that is assigned to the user.
When a role is created, a profile is created based on the authorization data, i.e. object class, authorization object, field and values.
The word "profile" is used for 2 different concepts:
1) Authorization profiles
2) System profiles
Authorization profile: this profile is the one created when a role is created, and is called the authorization profile.
System profile: this profile exists to change the parameters for the instances.

4) I want a list of users along with roles for a client. How to do it?
We can use tcode SE16 with table AGR_USERS; in UNAME enter the user IDs, and in AGR_NAME the role name.
You can get it in SUIM also.
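
The AGR_USERS lookup described above (and in the earlier question about listing the roles of 10 users) can be post-processed offline once the table has been exported. This is an added example, not part of the original post: the pipe-delimited export layout, the YYYYMMDD date format, and all user and role names are constructed assumptions; MANDT, AGR_NAME, UNAME, FROM_DAT and TO_DAT are AGR_USERS fields.

```python
from datetime import date, datetime

# Constructed sample of an AGR_USERS export (assumed layout: pipe-delimited
# list with a header line, dates in internal YYYYMMDD format).
EXPORT = """\
|MANDT|AGR_NAME       |UNAME  |FROM_DAT|TO_DAT  |
|-----|---------------|-------|--------|--------|
|100  |Z_MM_BUYER     |JSMITH |20120101|99991231|
|100  |Z_FI_AP_CLERK  |JSMITH |20110301|20120630|
|100  |Z_SD_ORDER_DISP|MBROWN |20121001|99991231|
|100  |Z_BASIS_ADMIN  |MBROWN |20130101|99991231|
|100  |Z_MM_BUYER     |AKHAN  |20120815|20121231|
"""


def _to_date(text):
    """Convert a YYYYMMDD string (99991231 = unlimited) to a date."""
    return datetime.strptime(text, "%Y%m%d").date()


def parse_agr_users(text):
    """Parse the export into a list of dicts keyed by the header names."""
    rows, header = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= {"|", "-"}:
            continue  # blank line or separator line
        cells = [c.strip() for c in stripped.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            continue  # malformed line: skip rather than guess
        row = dict(zip(header, cells))
        row["FROM_DAT"] = _to_date(row["FROM_DAT"])
        row["TO_DAT"] = _to_date(row["TO_DAT"])
        rows.append(row)
    return rows


def roles_for_users(rows, users, on_date):
    """Return {user: {"valid": [...], "inactive": [...]}} for the given users.

    "valid" holds roles whose validity window contains on_date; "inactive"
    holds expired or not-yet-valid assignments. Users without any row still
    appear, with empty lists, so a missing assignment is visible.
    """
    wanted = {u.upper() for u in users}
    report = {u: {"valid": [], "inactive": []} for u in sorted(wanted)}
    for row in rows:
        user = row["UNAME"].upper()
        if user not in wanted:
            continue
        active = row["FROM_DAT"] <= on_date <= row["TO_DAT"]
        report[user]["valid" if active else "inactive"].append(row["AGR_NAME"])
    for entry in report.values():
        entry["valid"].sort()
        entry["inactive"].sort()
    return report


if __name__ == "__main__":
    result = roles_for_users(parse_agr_users(EXPORT),
                             ["jsmith", "MBROWN", "NOUSER"], date(2012, 11, 22))
    for user, entry in result.items():
        print(user, "valid:", entry["valid"], "inactive:", entry["inactive"])
```
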

5) In an environment of derived roles, a user is asking for a t-code which is not found in SUIM when searching roles. What will you do?
1. Check if the tcode exists or not.
2. Try to search for the role with S_TCODE, putting the tcode in "Roles by Complex Selection Criteria".
3. You should at least get an SAP standard role, which should not be assigned.

So after doing all this, you are not able to find any end-user role available in the system.
The next step is to propose adding the tcode to a suitable role.
As it is a derived-role environment, the tcode needs to be added in the template/parent role.
Take approval from the BPR/role owner for the role modification. They will decide which parent role to change.
Change the role (by adding the tcode) in Dev and transport it to the rest of the systems in the landscape.

6) Can you secure profiles? If so, how to do it?
Yes, you can: secure profiles with the authorization object S_USER_PRO.

7) I want to lock all the users except SAP* and DDIC of a particular client?
Press F4 on the user ID field.
Change the hit list restriction according to the users present.
It will bring up all available users.
Remove SAP* and DDIC from the list.
Select all and press Enter.
It will bring you back to SU10, with all users except SAP* and DDIC.
Select all.
It will lock your own user also.
We can do it by EWZ5.

8) I want to delete 1000 users of a particular client, how can I do it?
You can create a SECATT script to delete the users which is easy to create and easy to execute.
You can also delete users of a particular client by using t-code su10.

9) Can you tell me some of the password-related parameters?
Password-related parameters are:
login/min_password_lng (defines the minimum length for a password)
These are the main parameters, which can be maintained via RZ10.
You can go to t-code SE16.
Enter login/* and press Enter; then you will get all login parameters.
There is no need to remember them.
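
Since the login/* parameters maintained via RZ10 end up in the profile files, they can also be reviewed offline. The following is an added example, not part of the original post: it merges a DEFAULT.PFL with an instance profile (instance values take precedence) and compares the result with a baseline. The sample profiles are constructed, the baseline limits are an assumed policy, and the login/* names other than login/min_password_lng and login/system_client are real parameters that the post does not list.

```python
import re

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# DEFAULT.PFL
login/system_client = 100
login/min_password_lng = 6
login/password_expiration_time = 0
"""
INSTANCE_PFL = """\
# instance profile
login/min_password_lng = 10
login/fails_to_user_lock = 5
login/min_password_digits = two
rdisp/wp_no_dia = 10
"""

# Assumed policy baseline: (parameter, lowest allowed, highest allowed).
# None means "no bound on that side". Adjust to your own standard.
BASELINE = [
    ("login/min_password_lng", 8, None),
    ("login/min_password_digits", 1, None),
    ("login/password_expiration_time", 1, 90),  # days; 0 = no forced change
    ("login/fails_to_user_lock", 1, 5),
    ("login/no_automatic_user_sapstar", 1, 1),  # 1 = no automatic SAP* user
]

# "name = value"; lines starting with '#' are comments and never match.
PARAM_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for every 'name = value' line."""
    params = {}
    for line in text.splitlines():
        match = PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def effective_params(default_text, instance_text):
    """Merge both profiles; the instance profile overrides DEFAULT.PFL."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged


def audit(params):
    """Return (parameter, status, value) for each baseline entry.

    NOT_SET means the parameter is in neither profile, so the kernel default
    applies and has to be checked in the system itself.
    """
    findings = []
    for name, low, high in BASELINE:
        raw = params.get(name)
        if raw is None:
            findings.append((name, "NOT_SET", None))
            continue
        if not raw.isdigit():
            findings.append((name, "INVALID", raw))
            continue
        value = int(raw)
        ok = (low is None or value >= low) and (high is None or value <= high)
        findings.append((name, "OK" if ok else "WEAK", value))
    return findings


if __name__ == "__main__":
    for name, status, value in audit(effective_params(DEFAULT_PFL, INSTANCE_PFL)):
        print(f"{status:8} {name} = {value}")
```
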

10) How can I assign the same role to 200 users?
You can do it using PFCG -> enter the role -> change -> go to the Users tab -> paste the users -> click on user comparison -> complete comparison -> save the role, and it's done.
One can also use the "Authorization Data" functionality in transaction SU10 to complete this task.

November 16, 2012

Update your SAP Kernel in a SAP ECC system

1. First of all, go to the SAP Service Marketplace and download your desired kernel version:

Downloads --> SAP Support Packages --> Entry by Application Group --> SAP NetWeaver --> SAP Netweaver --> SAP Netweaver <version> --> Entry by Component --> <select component> --> <select your system version> --> #Database independent (this is part I; in the same step, select your database to download part II of the package).

2. After you have downloaded the two parts, log in at the OS level and uncar the 2 parts into separate directories. Copy part I into a new folder, and copy part II into the same folder (in some cases files may need to be replaced; replace them, don't worry).

3. Stop the database, SAP and the services related to them (SAPSID##, SAPOSCOL).  

4. Back up the old kernel. Usually it is located in: /usr/sap/SID/SYS/exe/<uc or nuc>/<system>.

5. Delete the old backed up kernel, and copy the new kernel there.  

6. Start the services related, database and SAP.

Now just confirm the new kernel version in SAP.

November 11, 2012

ST03N: Workload Monitor [Monitoring]

ST03N is used to analyze statistical data for the ABAP kernel and monitor the performance of a system. You can display the total values for all instances, and compare the performance of particular instances over a period of time.

The workload overview provides system administrators with various detailed information about the most important workload data, such as the CPU time, the number of database changes, the response times, and so on. You can display the workload overview for all task types (Dialog, Background, RFC, ALE, and Update), or only for one particular task type.

Workload Overview :-

Processing time – This is equivalent to response time minus the sum of wait time, database request time, load time, roll time, and enqueue time.
Hint: > 2x of CPU time
Probs: Hardware

CPU time – The time a work process uses the CPU.
Hint: 40% of response time
Probs: CPU bottleneck
In ST06,
Go to Detail Analysis Menu -> Top CPU, and check for non-SAP (external) programs by sorting by CPU time. Try to run these external programs in offline hours.
In ST02,
Check whether swapping is happening in any of the buffers. If there is high swapping for a buffer, increase the size of that buffer.

Response time – The time between when a dialog process sends a request to a dispatcher work process and when the dialog is complete and the data is transferred to the presentation layer. The response time does not include the time for transferring the data from the SAP front end to the application server.
Hint: 1 second (dialog), <1 second (update)

Wait time – The time a user request sits in the dispatcher queue. It starts when the user request is entered in the dispatcher queue and ends when the request starts being processed.
Hint: < 10% of response time
Probs: long running tasks, locked tasks, not enough work processes
Check whether all the configured work processes are in Waiting or Running state. If all the work processes are in Running state, then increase the number of dialog work processes.
In SM66,
This monitor will help to analyse the total work processes configured in all the servers and instances.

DB calls – Number of parsed accesses to the database.
Hint: DB calls/requests good ratio is 1:10 = efficiency table buffering

DB requests/DB Time – The time between when a database request is put through to the database interface and when the database interface has delivered the result.
Hint: 40% of response time
Probs: CPU/memory bottleneck on DB server, expensive SQL statement, missing indexes, small buffer, missing statistics
- Database buffer quality (> 95%); if lower, increase the database buffer cache size.
- Reads/User Calls (< 30); if higher, the expensive SQL statements need to be tuned. Some expensive SQL statement problems:
i) incorrect index access (Solution = create new index or reorganize the index)
ii) high table size (Solution = archive the old entries)

Average load & generation – The time needed to load and generate objects.
Hint: < 10% of response time, < 50ms
Probs: Program buffer, CUA buffer, screen buffer too small

GUI time – Response time between the dispatcher and the GUI during the roundtrips (roundtrips are communication steps between the SAP system and the front end during a transaction step).
Hint: < 200ms
Probs: network between GUI & SAP
In ST06,
Go to Detail Analysis Menu -> LAN Check by PING. If there is a high Avg. time or Loss time for any presentation server, some settings need to be changed for that presentation server.
In SE38,
Execute the PROFGEN_CORR_REPORT_5 report. From the output, check whether any user is assigned > 1000 user menu nodes.

Roll in time – The time needed to roll user context information into the work process.
Hint: < 20ms
Probs: SAP memory configuration (extended memory, roll buffer)

Roll wait time – Queue time in the roll area.
Hint: < 200ms
Probs: network between GUI & SAP
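
The hints above can be applied mechanically to a set of ST03N averages. This is an added example, not part of the original post: the sample values are constructed, "roll time" in the processing-time formula is taken to be the roll-in time, and each percentage hint is read as an upper limit (both are assumptions).

```python
# Constructed samples: average times per dialog step, in milliseconds.
SLOW_DIALOG = {"response": 1200, "cpu": 150, "wait": 180, "db": 520, "load": 30,
               "roll_in": 10, "enqueue": 5, "gui": 90, "roll_wait": 40}
HEALTHY_DIALOG = {"response": 600, "cpu": 200, "wait": 20, "db": 150, "load": 20,
                  "roll_in": 5, "enqueue": 5, "gui": 100, "roll_wait": 50}


def processing_time(s):
    """Response time minus wait, database, load, roll and enqueue time."""
    return s["response"] - (s["wait"] + s["db"] + s["load"]
                            + s["roll_in"] + s["enqueue"])


def analyze(s):
    """Return [(metric, probable cause)] for every hint that is exceeded.

    Percentages are compared with integer arithmetic (100*x > pct*response),
    so a response time of 0 needs no special case.
    """
    resp = s["response"]
    checks = [
        ("response time", resp > 1000,
         "above 1 second for a dialog step"),
        ("processing time", processing_time(s) > 2 * s["cpu"],
         "hardware"),
        ("CPU time", 100 * s["cpu"] > 40 * resp,
         "CPU bottleneck"),
        ("wait time", 100 * s["wait"] > 10 * resp,
         "long running tasks, locked tasks, not enough work processes"),
        ("DB time", 100 * s["db"] > 40 * resp,
         "CPU/memory bottleneck on DB server, expensive SQL statement, "
         "missing indexes, small buffer, missing statistics"),
        ("load and generation time",
         100 * s["load"] > 10 * resp or s["load"] > 50,
         "program buffer, CUA buffer, screen buffer too small"),
        ("GUI time", s["gui"] > 200,
         "network between GUI and SAP"),
        ("roll in time", s["roll_in"] > 20,
         "SAP memory configuration (extended memory, roll buffer)"),
        ("roll wait time", s["roll_wait"] > 200,
         "network between GUI and SAP"),
    ]
    return [(name, cause) for name, exceeded, cause in checks if exceeded]


if __name__ == "__main__":
    print("processing time:", processing_time(SLOW_DIALOG), "ms")
    for name, cause in analyze(SLOW_DIALOG):
        print(f"{name}: {cause}")
```
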

Post Installation Steps

After installing R/3 on a new system, Basis has to perform some post-installation steps before handing it over to end users for operation. The post-installation steps make sure that the system is ready, properly configured, tuned, and able to take the load of user requests.

Below are some standard steps which have to be performed immediately after the installation is finished.

PART 1:-

1. Login to SAP system using DDIC/000

2. Execute SE06, select Standard Installation and click on Execute to perform the post-installation steps. Click Yes on each following screen.

3. Execute STMS to configure the TMS. If there is no domain controller in the organization, then configure this new system as the DC.

4. Execute SICK to check for any installation errors. If anything is reported, then troubleshoot those errors.

5. Execute sapdba or brtools to check/increase the tablespace size if any is >90%

6. If using sapdba, check the tablespace utilization by selecting c. Tablespace Administration - c. Free space fragmentation of Tablespaces

7. List out all the tablespaces filled above 90%

8. Add datafiles to corresponding tablespaces to increase the tablespace size and bring the utilization of tablespaces below 80%

9. Login as SAP*/000

10. Execute SCC4 -> Click on change button -> Confirm the warning and click on new entries to create a new client.

11. Execute RZ10 -> Utilities -> Import profiles -> Of Active Servers

12. Check the system log in SM21

13. Check any dumps in ST22

14. Login at command prompt using ora<sid> or <SID>adm

PART 2:-

1. Log in to the new client to perform a client copy using SAP*/<new client number>/PASS

2. Perform the local client copy procedure to copy the new client from client 000.

3. Once the client copy is over, log in to the new client using SAP* and the password of SAP* which was used in client 000

4. Execute RZ10 -> select Instance Profile -> check Extended maint -> click on Change.

5. Add the parameter login/system_client to make the new <client_number> the default client for login.

6. Make changes to the dialog and background processes if you need values different from the defaults.

7. Save the profile and activate it.

8. Create one or two super users using SU01 with profiles SAP_ALL and SAP_NEW

9. Create some developer users if you can, else leave it.

10. Stop and Start SAP R/3 for profile parameter to be in effect.

11. Upgrade the kernel to the latest level

12. Upgrade the SPAM version to latest level

13. Apply latest support pack to components SAP_BASIS, SAP_ABAP, SAP_APPL and some other components if it is required.

14. Follow the kernel, SPAM and support pack application methods

15. Now system is ready to login and work for developers and administrator

16. Keep on changing the parameters , system configuration as per requirement later.

17. Run SGEN to regenerate the objects. In this process SAP keeps all the required objects in the SAP buffer, so that accessing transactions becomes faster.

Support Pack Upgrade Process

Support Pack Application:-

1. Check the current patch in your system.

a. Check SPAM Version
b. Check SAP_BASIS patch level
c. check SAP_ABAP patch level
d. Check SAP_APPL Patch level.

To get all the above information, follow these steps:

Execute SPAM - Check the SPAM level at the top.
Click on Package Level to display all the patches in the system

Note down SAP_BASIS, SAP_ABAP, SAP_APPL patch level in the display.

2. Find out what is the latest patch level available for above components.

Download -> Support Packages and Patches -> Entry by Application Group-> Application Components ->SAP R/3 Enterprise -> SAP R/3 Enterprise 47 X 110 -Entry by component -> SAP R/3 Enterprise Server-> SAP_BASIS620 ->

3. From the list, select the component you want and click on it, e.g. SAP BASIS 6.20, and select the patch level you want (e.g. 25) by comparing it with your current patch level. Select all the patches by which you are behind the current level and add them to the download basket.

All the patches are in .CAR format.

Repeat the same step for all components you want to apply for your system.

4. Download all the patches you added to download basket by using SAP Download Manager.

5. Save all the .CAR files to your local hard drive say C:\supportpacks

6. Now transfer all these .CAR files to your Unix server where your SAP is running, using ftp.

ftp steps
go to command prompt
cd c:\supportpacks
c:\supportpacks\> ftp solsrv (solsrv is the unix servername)
username : SIDADM
password : (Password of SIDADM)
ftp> cd /downloads/supp_pack
ftp> bin
ftp> mput *.CAR (press y for all the confirmations)
ftp> bye

7. Now extract the .CAR files by using the executable CAR.EXE

# cd /download/supp_pack
# CAR -xvf <Filename1>.CAR (files are extracted to .../EPS/in folder)
Repeat the extraction for all .CAR files.
You will get files with the extensions .ATT and .PAT.

8. Now go to /usr/sap/trans/EPS/in directory and remove the existing files out there.

Log in as <SID>adm with its password
# cd /usr/sap/trans/EPS/in && rm -rf ./*

9. Now Copy all .ATT and .PAT files to /usr/sap/trans/EPS/in directory

# cp /download/supp_pack/* /usr/sap/trans/EPS/in
# ls -l

10. Login to SAP using a superuser other than SAP* and DDIC to 000 client.

11. Execute SPAM in SAP command line

12. Click on Support Package -> Load Packages -> From Application Server.

Here all the .ATT and .PAT files are converted into the proper patch format and made available at SAP level, so that support packs can be applied as per the requirement.
Click on the Back button.

13. Now Click on Display/define

14. Ask all the users to log off from the system, OR lock all the users in all business clients using a customizing program or SAP tool.

15. Make sure you have a full backup of the system before applying the patch, and enough downtime to apply the patch.

SPAM Update

16. Select support package ->Import SPAM update to update the SPAM version.

Applying Patch

Before applying the patch to the system, we have to check whether there are any objects under modification or any transport requests in modification condition. If there are, we may have to adjust those prior to applying the SAP patch.

Execute SPAU and see if any objects are there to adjust
Execute SPDD to see if any dictionary objects are there to adjust.
Execute SPAM
Click on display/Define
Select the component (e.g. SAP_BASIS)
Select the Patch number (e.g. SAPKB62012)
Click on confirm Queue (\/)
Select Import queue by selecting truck button
Confirm it by clicking on (\/) mark
Patch application is started.
If you encounter error during patch application, start applying again.
Confirm the message
SPAM status is in yellow
Click the "confirm queue" button to confirm the queue.
Check the spam status. It should be green.
Support pack application is successful
Click on Package level to see the change.