December 13, 2013

SAP BASIS INTERVIEW QUESTIONS



1) Which directory do we have the exe files?

2) Which directory do we have errors or logs or traces recorded?

3) What is the profile parameter for increasing the number of background work processes?

4) Difference between Central Instance and Application Server Instance?

5) How many Application server instances are there in your company?

6) How many modules did you support?

7) What is the version of OS, DB and R/3?

8) What is the patch level of R/3 used in your project?

9) What are the IP addresses of your R/3 systems?

10) If the dispatcher work process fails can I login to SAP system?

11) How to check the status of dispatcher from OS level?

12) What are the start/stop commands for the SAP system at OS level?

13) If dialog work process fails where can I check the logs related to the dialog Work Process?

14) What are the three types of profile parameters and what is their naming convention?

15) What is the technology used by SAP systems to process user requests?

16) What is the transaction code to check whether all my instances are active or not?

17) What is the transaction code for finding out the number of work processes present in a particular instance?

18) How do I do manual switching of operation mode?

19) How many work processes are required in order to login to SAP system? What are the types?

20) In what sequence does the system read system parameters?

21) What is the transaction code to check the consistency of individual profiles?

22) In which sequence do we perform the setting up of operation modes?

23) Which SAP processes are started when the SAP system or an instance is started?

24) How do I find out which are dynamically switched or static parameters?

25) How do I display current values of system parameters? What are the ways of displaying current values of system parameters?

26) If I make any change to the startup profile do I need to restart SAP system?




SAP DATABASE INTERVIEW QUESTIONS & ANSWERS -2



(Q) Can RMAN recover the Database automatically without Recovery catalog ?
(A) NO

(Q) Can a whole backup be considered a level 0 backup?
(A) No. A whole backup is not a level 0 backup and cannot be used as the basis for an incremental backup.

(Q) Why do we need to perform a preparatory run?
(A) If the RMAN backup is supposed to form backup sets, we need a preparatory run first.
     The preparatory run can be started from DB13 (Prepare for RMAN backup).
     No backup is created during the preparatory run; it only estimates the compression rate BRTOOLS will achieve on the files and determines the compressed and decompressed file sizes.
     It is recommended to perform one preparatory run per backup cycle.

(Q) What are the contents of the tape label after a tape is initialized?
(A) (i) Tape name
    (ii) Name of the database
    (iii) Time stamp of the last backup recorded on the tape
    (iv) Number of backups performed with the tape

(Q) Before writing data to a tape, its label is read. What is checked?
(A) (i) Tape name
    (ii) Whether the tape is locked or expired (Expir_period)
    (iii) Number of times the tape has already been used (Tape_use_count)
    If Expir_period = 0 days, the volume is never locked and can always be overwritten.
    • If a lock is in effect on a tape, it expires automatically at midnight.

(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks?
(A) There are 2 types of lock check:
       (i) Physical lock check: done by checking the tape label against the parameter Expir_period. If fewer days have passed since the tape was last used than the value of Expir_period, the tape is physically locked.
       (ii) Logical lock check: derived from the time stamps written to the tables SDBAH and SDBAD.

(Q) What are the various tape selection processes?
(A)   (i) Automatic tape selection by BRBACKUP and BRARCHIVE
      (ii) Manual selection by the operator
      (iii) Selection by an external tool

(Q) What is the option to have tapes selected automatically by BRBACKUP and BRARCHIVE?
(A) Set the parameters Volume_backup and Volume_archive to TAPE.

(Q) What is the command to check which tape will be selected automatically?
(A) brbackup -q check or brarchive -q check (option -q | -query)

(Q) How do we switch off automatic tape management?
(A) By setting the parameters Volume_backup and Volume_archive to the value "SCRATCH".

(Q) How do I turn off the tape management performed by the SAP tools?
(A) Configure the parameter Backup_dev_type = UTIL_FILE or UTIL_FILE_ONLINE, and also configure the BACKINT interface in init<SID>.sap.
NOTE: The BACKINT interface program is only supported for external backup.

(Q) How do we verify backups?
(A) Verification of backups is of 2 types:
     (i) Tape verification: the files are restored file by file and compared with the original files to verify that the backup is readable.
     (ii) DB block consistency: this checks the database block by block using the Oracle tool "DBVERIFY" to identify bad blocks so that they can be restored.
     PATH: BRTOOLS -> Backup & DB copy -> Verification of DB backup / Verification of archive log backup
     With the option use_dbv = no only the tape is verified; with use_dbv = yes tape verification plus the DB block consistency check are performed.

(Q) If SAP is started and I try to switch to non-archive mode, what will happen?
(A) It will show an error saying that the SAP instance is running: please shut it down first or use the force option.

(Q) If SAP is running and I try to shut down the DB using BR tools, what will happen?
(A) It throws an error saying that SAP is running: please shut down SAP first or use the force option, and then continue.

(Q) If a tablespace is full, what are the possibilities for extending it?
(A) Option 1: Add another data file to the tablespace
           2: Resize an existing data file manually
           3: Change the properties of an existing data file to auto-extendable

(Q) What is the formula for the data file size?
(A) Data file size = Expected DB size / 100

(Q) How many data files are there by default?
(A) By default there are 100 data files.

(Q) What is the error related to tablespace overflow?
(A) ORA1653 for tables, ORA1654 for indexes.

(Q) How do we create a server parameter file from init<sid>.ora?
(A) Log in as the Oracle user (ora<sid>).




SAP DATABASE INTERVIEW QUESTIONS & ANSWERS -1


(Q) What is the size of an Oracle data block?
(A) 8 KB (fixed size)

(Q) In which situations does DBWR write dirty blocks to disk?
(A) When the number of scanned buffers reaches a certain threshold.
    At a specific time, that is, when a checkpoint occurs.

(Q) Under which conditions does the log writer write redo log buffer data to the online redo log files?
(A) There are 4 conditions:
    When a transaction is committed.
    Every three seconds.
    When the redo log buffer is one third full.
    When DBWR is about to write modified buffers to disk and some of the corresponding redo records have not yet been written to the online redo log (write-ahead logging).

(Q) What are the entries in the control files?
(A) Physical structure of the database
      State of the database
      Tablespace information
      Names and locations of data files and redo log files
      Current log sequence number

(Q) Why do I need 'spfile<SID>.ora' even though I have 'init<SID>.ora'?
(A) From Oracle 9i onwards, 'init<SID>.ora' is replaced by 'spfile<SID>.ora' or 'spfile.ora'.

(Q) If a file is missing from the chain of offline redo log files, what do we do?
(A) We have to perform a restore and recovery of the database. The recovery is performed using the "point in time" method, in which all the offline redo log files older than the last one are used for recovery.

(Q) What are the causes of logical errors related to the database?
(A) (i) Manually deleting parts of database objects, such as rows in a table.
      (ii) Manually dropping database objects.
      (iii) Manually dropping application objects.

(Q) Is Point in Time Recovery a standard Solution for logical errors in production system ?
(A) NO

(Q) Where do we use point-in-time recovery?
(A) Point-in-time recovery is very critical in a system landscape with data dependencies between systems.

(Q) How do we verify the consistency of an Oracle database?
(A) By performing a logical data check.

(Q) Why do we need to perform a logical check?
(A) In order to detect corrupted data blocks (ORA-1578).

(Q) Why do we need to perform a physical Data check ?
(A) To verify the tapes used for Database backup.

(Q) How often do we perform online and offline backups?
(A) Online backup = daily
      Offline backup = once a week

(Q) How do we perform backups of offline redo log files?
(A) (i) Every offline redo log file is backed up TWICE, on separate tapes, before the file is deleted from the archive directory.
    (ii) Additional backups are performed after each system upgrade and whenever the database structure is modified.

(Q) What are the tools used by Oracle Admin in an SAP System for Backups ?
(A) Database Backups = BRBACKUP
      Offline Redo log files = BRARCHIVE

(Q) On which occasions are changes made to the file structure of the database?
(A)  1) When a data file is added
       2) When a data file is moved to a different location
       3) When a tablespace and its data files are reorganized

(Q) What are the various Backup types ?
(A) There are 5 Backup types
     1) Online Backup
     2) Offline Backup
     3) Complete Backup
     4) Incremental Backup
     5) Partial Backup

(Q) If the corresponding full backup has already been overwritten, can I still use the incremental backup?
(A) No, the incremental backup is then useless.

(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO

(Q) What are the various backup strategies used in SAP?
(A) There are 3 backup strategies in SAP:
     i) Complete backup: restore the missing database files from the complete backup, then restore the offline redo log files written during and after this backup.
     ii) Incremental backup: restore the missing data files from the last full backup, then update them with a restore from the last incremental backup.
     iii) Partial backup: replacing complete backups with partial backups means a longer time is needed to recover from a media crash.







SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -3



Q) Where are all possible activities stored?
A) In the table TACT

Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role directly to a user. If you need one, first make a copy of the pre-defined role and then assign the copy to the user.

Q) Is a role without an authorization profile considered complete?
A) No

Q) What are the types of roles?
A) Roles are of 2 types: 1) Parent role 2) Derived / base role

Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name, so that an inheritance hierarchy is maintained and the transactions are pulled automatically into the derived role.

Q) What is the total number of activities?
A) As per 4.7, the total number of activities = 168
01 – 99 = activities
A1 – VF = 69

Q) What is the default authorization object that is checked for any role?
A) S_TCODE
Note:
1) We cannot edit the S_TCODE object in a role. The only way to add a transaction code is in the parent role.
2) When a new role is created for the first time and functional transactions are added to it, we have to maintain the organizational levels in a popup.
3) Red indicates missing organizational values.
4) Yellow indicates missing field values, not organizational values.

Q) Why should we not add organizational values directly in a role without using the org levels button?
A) A value maintained directly is no longer treated as an organizational level value: whenever we add a new value and generate, an empty field appears, and when derived roles are adjusted the authorization value is overwritten.

Q) Why do I need to add a role to a transport?
A) All changes to roles are made in the development box and moved to production. If I delete a role in the dev box, the same role has to be deleted in prod, because the roles are ultimately used by the users in the prod box only. Hence the deleted role needs to be transported.
   Go to PFCG, select the role to be deleted and put the role in a transport by selecting the transport role button.

Q) How do we unlock a user or track why the user was locked?
A) Go to SU01 -> enter the user ID -> Logon data tab and check whether the user is locked.
   Go to SUIM -> Change documents for users -> enter the user name and execute.

Q) Where do the default values in a role, i.e. the activities under an authorization object, come from?
A) The tables USOBX_C and USOBT_C control the behavior of the profile generator after the transaction has been selected.

Q) How do I deactivate an authorization object globally?
A) Go to SU25 and select step 5, deactivate authorization object globally.

Q) What is single sign-on?
  1) With single sign-on we create a credential once, e.g. with a third-party tool such as Keon, and later log on to SAP without entering any credentials.
  2) We can even log on via the Internet using SSO.
  3) SSO is represented in the form of an SNC (Secured Network Connection) string; for the SNC string to be activated we need to configure certain DLL files at OS level.
  4) Once the DLL files are in place, go to SAPGUI, select one server, go to properties -> network, check the secure network settings and enter the SNC string.

Q) What are the steps to configure CUA?
  CUA works with RFCs; the steps to configure CUA are:
  1) Create logical systems for all the clients (using BD54/SALE)
  2) Attach the logical systems to the clients using SCC4
  3) Create the user CUA_SID in the central system with 3 roles, and the user CUA_SID_CLIENT<number>/name in each child system with 2 roles
  4) Create RFC destinations from the central system to the child systems and from the child systems to the central system using SM59
  5) Log on to the central system and use SCUA to configure CUA (Central User Administration)
  6) Enter the model view and enter all the child systems' RFC destinations

Q) If all the users are locked by mistake, how do we connect to the SAP system?
A) Follow these steps:
   Step 1) Go to OS level, connect to the Oracle DB and execute the following SQL statements:
   select * from <Application Server name>.USR02 where bname = 'SAP*';
   delete from <Application Server name>.USR02 where bname = 'SAP*';
   Step 2) Then log in using the SAP* user.
   Step 3) Go to transaction EWZ5 or SU10 and unlock all the users.

Q) There is one derived role. If I copy that derived role, will the parent (master) role be the same for the new role derived from the derived role? If so, why; if not, why not?

A) Yes. If I copy a derived role, the parent role of that derived role becomes the parent role of the new role, because a derived role gets all its transactions and authorizations from its parent role only. So when we copy a role, all the transactions and authorizations are copied from the role we are copying from, whether that is a parent role or a derived role.

Q) What is an organizational level?

A) It is a customer-specific enterprise structure that is subject to authorization checks and varies by module. Examples of what it maintains:
Company code
Controlling area
Plant
Purchase order and so on...

Q) How many composite roles can be assigned to a user?

A) Ideally there is no limit on the number of composite or single roles that can be assigned to a user. But keep in mind that the user buffer can hold only 312 profiles for a user, so there is no use in assigning roles amounting to more than 312 profiles to a user. To extend the authorizations beyond 312 profiles, use a reference user.

SAP_ALL is said to be a good example of a composite role, so is there any limit on single roles in SAP_ALL? No, there is no limit on adding single roles to a composite role.


SAP BASIS INTERVIEW QUESTIONS & ANSWERS 6




Support :-

Q) What are the steps involved in stopping the SAP system?
A) Before stopping the SAP system we need to check the following:
• Check whether any users are logged on. Use transaction code SM04
• Check whether any background jobs are defined. Use TC SM36
• Check whether any background processing is going on. Use TC SM37
• Check whether any batch input sessions are running. Use TC SM35
• Check whether any update processes are running. Use TC SM13

Client Copy :-

Q) Why do we need to perform a test run?
A) Test run determines which tables are to be changed.

Q) How much storage space does a client occupy?
A) A client without application data needs approximately 150-200 MB of storage space in the DB.

Q) Why do we need to do client copy?
A) To create new clients.

Q) Do we need to transport clients between systems, or what is the procedure for copying clients between systems?
A) We no longer need to transport clients; instead we perform a remote client copy.

Q) Why should we not transport client data?
A) This is explained with a scenario. In the target system we have set up clients whose data must not be affected. Cross-client data must not be imported into the system from outside, since the imported cross-client data overwrites existing data, so that the customizing data of the other clients in the target system no longer takes effect.

Q) Which default user has all authorizations?
A) SAP*. This is the reason for locking this user in the different environments.

Spool :-

Q) How do we identify how many spool work processes are set up on a particular application server?
A) Transaction SM51, select the application server,
   then go to SM50 and count the work processes of type SPO.

Q) How many spool processes are configured in our entire SAP system?
A) SM66 and check for SPO work processes. In Select process, choose Type = Spool and Status = Wait.

Q) Can we change number of spool work process by operation mode switching?
A) No. Only background and dialog work process can be modified.

Q) How do we identify how many spool servers are available in the SAP system?
A) SM51 or SM66 and check for application servers with at least one spool work process.

Q) How do we set up an individual SAP user so that an output request is not created immediately for a spool request?
A) In SU3, go to the Defaults tab and ensure that the "Output immediately" option is not checked.

Q) How do we find which printers are defined at OS level on the server?
A) Go to Start -> Settings -> Printers (Revisit)

Transport :-

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.

Q) What is the transport domain controller?
A) The R/3 system holding the reference configuration is called the transport domain controller.

Q) What is a transport domain?
A) All R/3 systems that are to be managed centrally using TMS form a transport domain.

Q) What are the two editor modes in which we can configure the transport routes?
A)     1. Graphical Editor
         2. Hierarchical Editor   

Q) What are the various configuration methods available in STMS?
A)     1. Single system configuration
         2. Development and Production systems
         3. Three systems in a group

Q) What is the standard transport layer?
A) It describes the transport route that data from the development system follows.

Q) What is the SAP transport layer?
A) It is a predefined transport layer for the development classes of SAP standard objects.

Q) What are the three approval steps you need to follow as a part of approval procedure in QAS?
A)     1. To be approved by system administrator
         2. To be approved by department
         3. To be approved by request owner

Q) What are the various qualifier options, i.e. the import options?
A) There are six import options:
    1. Leave transport request in queue for later import
    2. Import transport request again
    3. Overwrite originals
    4. Overwrite objects in unconfirmed repairs
    5. Ignore unpermitted transport type
    6. Ignore predecessor relations   


December 12, 2013

Sap Database Notes -4



BR Tools:
1. Log in to ora<sid> using PuTTY
2. Type brtools
3. There are 9 options in total in BR tools
a. Select Instance management, option 1
b. In Database instance management, select option 2 to shut down the database
c. Type 'c' and press Enter to continue
d. In the Database instance shutdown main menu, select option 1, shutdown DB
e. Under the options for shutting down the DB instance, choose option 1, the close mode (the default mode is immediate)
f. Select option 1 and enter the string value for 'mode' (immediate|normal|transactional|abort)
Note: if users are logged in to the SAP system, I cannot use the immediate, normal or transactional modes; the abort mode forces the shutdown and can result in data loss, so never use that option. To be on the safe side, always shut down using normal mode.

Alter DB instance (switching off archive mode):
1. Shut down SAP -> Stop SAP (as <sid>adm)
2. Log on as the ora<sid> user and start BR tools
3. In BR tools -> select option 1 (Instance management)
4. Start up database -> select option 1
5. Alter DB instance -> option 3
6. Enter 'c' to continue
7. Enter 'c' to continue
8. Select option 4 to set non-archive mode
9. Enter 'c' to continue and select option 5 to show the instance status
Note: when switching to archive or non-archive mode, BR tools shuts down the DB instance first and then starts it again. In each case the time stamp (date and time) is recorded. Once the DB is up and running, always check the status before performing any action.

(Q) If SAP is started and I try to switch to non-archive mode, what will happen?
(A) It will show an error saying that the SAP instance is running: please shut it down first or use the force option.

(Q) If SAP is running and I try to shut down the DB using BR tools, what will happen?
(A) It throws an error saying that SAP is running: please shut down SAP first or use the force option, and then continue.

Tablespace administration:
1. Oracle stores data in tablespaces; each tablespace consists of one or more data files.
2. Data files are plain files stored on the local system.
3. Oracle has 4 segment types:
a. Data -> this segment contains the table data in rows
b. Index -> each table has one primary index and 'n' secondary indexes (optional). Indexes are used for faster access to table data and to enforce unique constraints.
c. Temp segment -> used for sorts and for creating indexes
d. Rollback/undo segment -> provides read consistency, that is, the ability to roll back changes to tables for recovery
4. To meet the demands of large databases, DB designers create partitioned tables and indexes.
5. In an Oracle DB used by SAP, an index segment holds either all data for a table that is not partitioned or all data for one partition of a partitioned table.

Common tablespaces:
1. SYSTEM -> Oracle data dictionary
2. PSAPROLL -> rollback segments
Note: from WAS 6.1 onwards, an SAP undo tablespace is used instead of the rollback segments.
3. PSAPTEMP -> temporary segments

(Q) If a tablespace is full, what are the possibilities for extending it?
(A) Option 1: Add another data file to the tablespace
           2: Resize an existing data file manually
           3: Change the properties of an existing data file to auto-extendable

(Q) What is the formula for the data file size?
(A) Data file size = Expected DB size / 100

(Q) How many data files are there by default?
(A) By default there are 100 data files.

(Q) Expected DB size and data file size
    Expected DB size       Data file size
    Up to 200 GB           2 GB
    200 to 400 GB          4 GB
    400 to 800 GB          8 GB
    Greater than 800 GB    60 GB

(Q) What is the error related to tablespace overflow?
(A) ORA1653 for tables, ORA1654 for indexes.

(Q) What will happen if max extents are reached?
(A) ORA1533 is the error when max extents are reached. If the max extents limit is being approached, increase the next extent. When extents are dropped they are marked as free and their blocks can be used by new extents, but adjacent free extents are not combined; the DBA must use "COALESCE" to merge free extents into one large extent. There are two options for coalescing extents:
     1. brconnect -f check -> coalesces free extents automatically
     2. brspace -f check -> coalesces free extents; use locally managed tablespaces

To solve the above problem with extents we must use locally managed tablespaces.
    Segment size         Next segment size    Max. no. of extents
    Less than 1 MB       Less than 64 MB      16
    1 to 64 MB           1 MB                 63
    64 MB to 1 GB        8 MB                 126
    Greater than 1 GB    64 MB                Unlimited

The advantage of LMTS (locally managed tablespaces) is that the "ORA1533" error will no longer occur. The only disadvantage of LMTS is that it always checks for used and free space.

Increase the tablespace:
1. Log on as ora<SID> and start BR tools
2. Space management (option 2)
3. Extend tablespace (option 1)
4. Enter 'c' to continue
5. Enter 'c' to continue
This brings up the "Tablespace extension main menu".
Note: first use option 2 to show the tablespaces and their percentage full, make a note of any tablespace that is 80% or more full, and then add a data file as per the specification using option 1, "Extend tablespace".
6. Extend tablespace (option 1)
7. This lists all tablespaces and their percentage used
Example tablespace: "PSAPR3700"
8. Select the tablespace by its 'pos' position
9. Enter 2 to select the example tablespace above
Note: options for the extension of a tablespace
a. Last added file name
b. Last added file size in MB
c. New file to be added
d. Raw disk/link target
e. Size of the new file in MB
f. File auto extend mode = YES
g. Max file size in MB = [10000]
h. File increment size in MB = [20]
i. SQL command = [alter tablespace <name> ...]

Note: the last added data file name and the new file to be added show the exact location where the data file resides, that is /oracle/<SID>/sapdata1 to sapdatan/

10. Enter 'c' to continue
11. Enter option 5 to change the size of the new file in MB
12. Press 'c' to continue
13. Select 'NO' to continue with the current data file addition
14. Select 'YES' to add a new data file to the current tablespace or to add a new data file to another tablespace

Note: this action updates the time stamp in the control file; that is, it first creates a copy of the control file as cntrl<SID>.old in /oracle/<SID>/sapreorg.
Once that copy is created, the tablespace extension is done; on successful completion it switches the database instance to the next online redo log file and finally creates another copy of the control file with the new time stamp, cntrl<SID>.new.

Top 10 Oracle errors:
1. ORA1631 and ORA1632 -> max extents reached
2. ORA1653 -> tablespace full (table)
3. ORA1654 -> index full
4. ORA1113 -> when a backup is aborted
5. ORA1144 -> when the DB is shut down immediately during a backup
6. ORA1578 -> data block corrupted
7. ORA0255 -> database stuck
8. ORA1555 -> buffer mode is OFF
9. ORA272 and ORA255 -> archiver stuck
10. ORA600 -> hardware failure

Note: options 4 and 5 are also called "missing end backup".
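The list above and the tablespace-overflow answers (ORA1653 for tables, ORA1654 for indexes) describe what to look for in the Oracle alert log; the following added example (not from the blog post) turns that into a small scanner that runs over alert log lines, maps the ORA- numbers the notes name to their meaning and reports which tablespaces need the "Extend tablespace" procedure. The log lines, the schema and the object and tablespace names are constructed for illustration.

```python
"""Added example: scan Oracle alert log lines for the ORA- errors the notes above name
and list the tablespaces that need extending."""
import re

# Constructed alert log lines (not from a real system). The ORA- numbers are the ones the
# notes above name; schema, object and tablespace names are made up.
SAMPLE_ALERT_LOG = """\
Thu Dec 12 21:03:11 2013
ORA-01653: unable to extend table SAPSR3.BALDAT by 1024 in tablespace PSAPSR3
ORA-01654: unable to extend index SAPSR3.BALDAT~0 by 1024 in tablespace PSAPSR3
Thu Dec 12 21:10:42 2013
ORA-01578: ORACLE data block corrupted (file # 7, block # 11235)
ORA-01631: max # extents (505) reached in table SAPSR3.SOME_TABLE
Completed: alter tablespace PSAPSR3 add datafile
"""

# Meanings as the notes above give them (only the codes whose meaning is stated there).
ORA_MEANING = {
    1631: "max extents reached (table)",
    1632: "max extents reached (index)",
    1653: "tablespace full: table could not extend",
    1654: "tablespace full: index could not extend",
    1578: "data block corrupted",
}

ORA_RE = re.compile(r"\bORA-(\d{5}):\s*(.*)")
TBS_RE = re.compile(r"\bin tablespace (\S+)")


def scan_alert_log(text):
    """Return one finding per ORA- line: line number, code, meaning, tablespace (if named)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ORA_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        tbs = TBS_RE.search(line)
        findings.append({
            "line": lineno,
            "code": code,
            "meaning": ORA_MEANING.get(code, "not in the list above"),
            "tablespace": tbs.group(1) if tbs else None,
            "message": m.group(2),
        })
    return findings


def tablespaces_to_extend(findings):
    """Tablespaces named in ORA-1653/ORA-1654 lines, i.e. candidates for 'Extend tablespace'."""
    return sorted({f["tablespace"] for f in findings
                   if f["code"] in (1653, 1654) and f["tablespace"]})


def corruption_reported(findings):
    """True when an ORA-1578 (corrupted data block) line is present."""
    return any(f["code"] == 1578 for f in findings)


if __name__ == "__main__":
    found = scan_alert_log(SAMPLE_ALERT_LOG)
    for f in found:
        print(f"line {f['line']}: ORA-{f['code']:05d} {f['meaning']}")
    print("tablespaces to extend:", tablespaces_to_extend(found))
    print("block corruption reported:", corruption_reported(found))
```

Run it against a real alert log by reading the file into `scan_alert_log`; anything reported by `tablespaces_to_extend` is the input to the BR tools "Extend tablespace" steps, and a `corruption_reported` hit is the case for the DBVERIFY block check described in the tape management notes.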

Changing Oracle parameters

Q) Create a server parameter file from init<sid>.ora
A) -> Log in as the Oracle user (ora<sid>)


Sap Database Notes -3




TAPE MANAGEMENT:-

(1) Each and every tape used for backup, i.e. by BRBACKUP and BRARCHIVE, needs to be initialized.
(2) During tape initialization an SAP-specific label is written to the tape as the first file (tape.hdr0), containing the tape name.
(3) BRTOOLS -> Backup -> DB copy -> Additional functions -> Init of BRBACKUP tape volumes or Init of BRARCHIVE tape volumes.
The command to start the initialization is brbackup -i or brarchive -i (option -i | -initialize).

(Q) What are the contents of the tape label after a tape is initialized?
(A) (i) Tape name
    (ii) Name of the database
    (iii) Time stamp of the last backup recorded on the tape
    (iv) Number of backups performed with the tape

Before writing data to a tape, its label is read and the following are checked:
(i) Tape name
(ii) Whether the tape is locked or expired (Expir_period)
(iii) Number of times the tape has already been used (Tape_use_count)
If Expir_period = 0 days, the volume is never locked and can always be overwritten.
• If a lock is in effect on a tape, it expires automatically at midnight.

(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks?
(A) There are 2 types of lock check:
    (i) Physical lock check: done by checking the tape label against the parameter Expir_period. If fewer days have passed since the tape was last used than the value of Expir_period, the tape is physically locked.
    (ii) Logical lock check: derived from the time stamps written to the tables SDBAH and SDBAD.

(Q) What are the various tape selection processes?
(A) (i) Automatic tape selection by BRBACKUP and BRARCHIVE
    (ii) Manual selection by the operator
    (iii) Selection by an external tool

(Q) What is the option to have tapes selected automatically by BRBACKUP and BRARCHIVE?
(A) Set the parameters Volume_backup and Volume_archive to TAPE.

(Q) What is the command to check which tape will be selected automatically?
(A) brbackup -q check or brarchive -q check (option -q | -query)

(Q) How do we switch off automatic tape management?
(A) By setting the parameters Volume_backup and Volume_archive to the value "SCRATCH".

(Q) How do I turn off the tape management performed by the SAP tools?
(A) Configure the parameter Backup_dev_type = UTIL_FILE or UTIL_FILE_ONLINE, and also configure the BACKINT interface in init<SID>.sap.
NOTE: The BACKINT interface program is only supported for external backup.
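The tape management answers above (and their repeat in the "SAP Database Interview Questions & Answers -2" post) spread the rules over several parameters: Volume_backup/Volume_archive set to a tape pool or to SCRATCH, Backup_dev_type handing the job to BACKINT, Expir_period with the 0-days case and the lock lapsing at midnight, and Tape_use_count. The following added example (not from the blog post) reads a constructed init<SID>.sap fragment and applies those rules to constructed tape labels, so the combined effect of the parameters can be checked before a backup run. The 'name = value' profile syntax, the sample parameter values and the label dictionary fields are assumptions for illustration.

```python
"""Added example: parse an init<SID>.sap fragment and apply the tape-management rules
described in the notes (volume_backup/volume_archive, backup_dev_type, expir_period,
tape_use_count)."""
from datetime import date

# Constructed init<SID>.sap fragment (assumed syntax: 'name = value', '#' comments,
# lists in parentheses). The parameter names are the ones the notes discuss.
SAMPLE_INIT_SAP = """
# constructed sample profile, not from a real system
backup_dev_type = tape
volume_backup = (SIDB01, SIDB02, SIDB03)
volume_archive = (SIDA01, SIDA02)
expir_period = 30
tape_use_count = 100
"""


def parse_init_sap(text):
    """Return {parameter: value}; values in parentheses become lists of strings."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.lower()] = value
    return params


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def tape_management_mode(params):
    """Classify tape management as the notes describe it: backup_dev_type util_file or
    util_file_online hands the job to an external tool via BACKINT, volume_backup = SCRATCH
    switches the SAP tape management off, otherwise the tools pick tapes automatically
    from the configured volume pool."""
    dev_type = str(params.get("backup_dev_type", "")).lower()
    if dev_type in ("util_file", "util_file_online"):
        return "external tool (BACKINT)"
    pool = [v.upper() for v in _as_list(params.get("volume_backup", []))]
    if "SCRATCH" in pool:
        return "off (SCRATCH)"
    return "automatic selection from volume pool"


def tape_physically_locked(last_used, expir_period_days, today):
    """Physical lock check: locked while fewer whole days than expir_period have passed
    since the tape was last used. expir_period = 0 means the volume is never locked.
    Counting whole days is what makes a lock lapse at midnight, not at a time of day."""
    if expir_period_days == 0:
        return False
    return (today - last_used).days < expir_period_days


def tape_rejection_reasons(label, params, today):
    """Label checks done before writing: name in pool, not locked, use count left.
    Returns an empty list when the tape may be written."""
    pool = [v.upper() for v in _as_list(params.get("volume_backup", []))]
    reasons = []
    if label["name"].upper() not in pool:
        reasons.append("tape name not in volume_backup pool")
    if tape_physically_locked(label["last_used"], int(params.get("expir_period", 0)), today):
        reasons.append("physically locked (expir_period not yet elapsed)")
    if label["use_count"] >= int(params.get("tape_use_count", 0)):
        reasons.append("tape_use_count exhausted")
    return reasons


# Constructed tape labels (the fields the notes list) and a fixed reference date.
TODAY = date(2013, 12, 13)
SAMPLE_LABELS = [
    {"name": "SIDB01", "last_used": date(2013, 11, 20), "use_count": 5},    # 23 days ago
    {"name": "SIDB02", "last_used": date(2013, 10, 1), "use_count": 100},   # worn out
    {"name": "SIDB03", "last_used": date(2013, 10, 1), "use_count": 3},     # usable
]


def usable_tapes(text=SAMPLE_INIT_SAP, labels=SAMPLE_LABELS, today=TODAY):
    """Names of the tapes in the pool that pass every label check."""
    params = parse_init_sap(text)
    return [lab["name"] for lab in labels if not tape_rejection_reasons(lab, params, today)]


if __name__ == "__main__":
    params = parse_init_sap(SAMPLE_INIT_SAP)
    print("tape management:", tape_management_mode(params))
    for lab in SAMPLE_LABELS:
        print(lab["name"], tape_rejection_reasons(lab, params, TODAY) or "usable")
```

With the sample values only SIDB03 is writable: SIDB01 is still inside its 30-day expiry period and SIDB02 has reached the use count. Changing `expir_period` to 0 in the fragment releases SIDB01, which is the "not locked at all" case the notes warn about.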

(Q) How do we verify backups?
(A) Verification of backups is of 2 types:
     (i) Tape verification: the files are restored file by file and compared with the original files to verify that the backup is readable.
     (ii) DB block consistency: this checks the database block by block using the Oracle tool "DBVERIFY" to identify bad blocks so that they can be restored.
PATH: BRTOOLS -> Backup & DB copy -> Verification of DB backup / Verification of archive log backup
With the option use_dbv = no only the tape is verified; with use_dbv = yes tape verification plus the DB block consistency check are performed.

STATUS OF OFFLINE REDO LOG FILES:
(1) During backup to tape = ARCHIVE
(2) First status = SAVED
Second status = COPIED
After deletion = DELETED
During backup to disk = DISK
NOTE: All the above statuses are recorded in arch<SID>.log

ANALYZING DATABASE PROBLEMS:
(1) Check the database alert log and the trace files belonging to the background processes (SAP trace/background)
(i) Check the status of the database = available or not available
(ii) Check the error type = media or user error
(iii) Check for corrupted files and their types = data files, control file, online redo log files
(iv) Check whether software or hardware mirroring = available or not
(2) The safest method is to perform a complete offline backup before the files are copied back into place by the restore, using BRBACKUP or any backup tool.
(3) The above step is very important for point-in-time recovery or for a database reset, because these strategies always involve data loss.
(4) Save the offline redo log files from the oraarch directory using BRARCHIVE only.
(5) To check the reliability of the backup strategy, regularly run the restoration report in SAP using DB12.
(6) The above report is used to find out which backup to use for recovery; it also displays information about the last successful backup.
(7) If the list of redo log files after the last database backup is too long, perform a complete database backup.


Will update soon... Check next post...


Sap Database Notes -2


Sap Database Notes 2:-

BR*Tools (Used for the entire backup administration)
• BR*Tools is a package name which contains various tools.
• These tools are grouped in various ways according to the tasks they perform.
Note: If you get an error message while calling BR*Tools then your version might be older (less than 4.7).
• There are two modes for calling the various options in BR*Tools:
 - Main Menu Mode
 - Quick Mode

BRCONNECT must be called in main menu mode.
• BRSPACE and BRRECOVER always make a 'CONNECT / AS SYSDBA', because their actions require the SYSDBA privilege.
• To connect as SYSDBA without entering a user name and password when calling SQL*Plus, start the interactive program with the command 'sqlplus /nolog'.
• SQL*Plus by default connects to the database defined in the environment (ORACLE_SID).
• Changing the password of the SAP database user is done using BRCONNECT.
Note: Passwords for the DB user SAP<SCHEMA_ID> or SAPR3 should not be changed using Oracle methods.

Database Transaction Codes:

1. DB13: Schedule backups and other administrative jobs.
Note: DB13C is used to schedule backups and admin activities centrally for all SAP systems and databases.
2. DB14: Check the status and logs of all database operations.
3. DB16: Overview of database system checks.
4. DB17: View and maintain check conditions for the database system check.
5. DB20: Maintain statistics.
6. DB21: Configuration of statistics.
7. DB26: Database parameter overview with history.
8. DB02: Table and index monitor.
9. ST04: Database performance monitor.
10. RZ20: DB alert monitor (optional).
11. DB13 is used as an interface to schedule background jobs starting with DBA*. These background jobs look into the table SDBAC.
12. spfile<SID>.ora is the server-side initialization parameter file (Oracle database server).
• Do not change parameters at the Oracle level, because that changes the values only in the SPFILE; always use BR*Tools, which keeps both files consistent by copying the contents into both.
• The transaction codes DB02 and ST04 still use init<SID>.ora.
• The SAP installation tool does not create an SPFILE; it is created with the SQL*Plus command CREATE SPFILE.
• The SPFILE is stored in the ORACLE_HOME directory, same as init<SID>.ora.
• RZ20: Database alert monitor.

Start and Stop Commands
brspace -c force -f dbstart -s <state>
brspace -c force -f dbshut -s <state>

Starting of Database

1. Nomount: reads the parameter file; the database instance is started and memory buffers are allocated.
2. Mount phase: opens the cofiles.
3. Open: opens all data files and online redo log files.
• The mount phase is used for database recovery, for changing the archive log mode, for removing and moving data files and also for adding, dropping and renaming online redo log files.
• Do not use BRCONNECT to start and shut down the database; use BRSPACE instead, because it records these actions in its log files.
• The nomount phase is used for creation of the database and for recreation of lost cofiles.

Stopping of Database
1. Normal: Oracle waits until all users are disconnected from the database. All files are closed, the database is dismounted and the instance is shut down.
2. Transactional: Oracle waits until all open transactions finish, then disconnects the users and shuts down the database.
3. Immediate: No new connections or transactions are allowed. PMON ends all user sessions and performs a rollback of any open transactions, and only then is the database shut down.
4. Abort: No new connections or transactions are allowed. No rollback of open transactions. Users are disconnected and the Oracle processes are stopped.
Note: With the first three methods the database is shut down in a consistent state and does not need recovery at the next restart.
• The default mode for an Oracle shutdown is normal.
• The Oracle commands shutdown immediate and shutdown abort stop the Oracle instance even if work processes still have database connections.
• Oracle info messages, warnings and errors are logged in the Oracle dump files, i.e. background and user trace, which are located in the saptrace directory.
• The background directory stores the alert log file, alert_<SID>.log, whereas the user directory stores the trace files written on behalf of the shadow processes.

(Q) Why do I need spfile<SID>.ora even though I have init<SID>.ora?
(A) From Oracle 9i, init<SID>.ora is replaced by spfile<SID>.ora or spfile.ora.

(Q) If a file is missing from the chain of offline redo log files, what do we do?
(A) We have to perform a restore and recovery of the database. Recovery is performed using the "Point In Time" method, by which all the offline redo log files older than the missing one are used for recovery.

(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
    (ii) Manually dropping Database Objects.
    (iii) Manually dropping Application Objects.

(Q) Is Point in Time Recovery a standard Solution for logical errors in production system ?
(A) NO

(Q) Where do we use Point in Time Recovery?
(A) Point in Time Recovery is very critical in a system landscape with data dependencies between systems.

(Q) How do we verify the consistency of the Oracle database?
(A) By performing a logical data check.

(Q) Why do we need to perform a logical check?
(A) In order to detect corrupted data blocks (ORA-01578).

(Q) Why do we need to perform a physical data check?
(A) To verify the tapes used for the database backup.

(Q) How often we perform Online Backup and Offline Backups ?
(A) Online Backup = Daily
    Offline Backup = Once in a Week

(Q) How do we perform the backup of offline redo log files?
(A) (i) A backup of every offline redo log file is taken TWICE on separate tapes before the files are deleted from the archive directory.
    (ii) Perform additional backups after each system upgrade and also if the database structure is modified.

(Q) What are the tools used by Oracle Admin in an SAP System for Backups ?
(A) Database Backups = BRBACKUP
    Offline Redo log files = BRARCHIVE

(Q) What are the occasions on which changes to the file structure of the database are made?
(A) 1) When a Data file is added
    2) When a Data file is moved to a Different Location.
    3) When a Table Space and its Data files are reorganized.

(Q) What are the various Backup types?
(A) There are 5 Backup types
    1) Online Backup
    2) Offline Backup
    3) Complete Backup
    4) Incremental Backup
    5) Partial Backup

Complete Backup:
All the data in the database is backed up. Complete Backup is again divided into 2 types:
1) Full Backup: After the data backup, additional information, i.e. the catalog, is written into the cofile by Recovery Manager.
2) Whole Backup: Creates a backup of all the data without the catalog.

Incremental Backup:
i) This backup saves only the data blocks that have changed since the time of the full backup.
ii) Incremental backup reduces the amount of data to be backed up, not the backup time.
iii) An incremental backup is always based on the previous full backup.

(Q) If the corresponding full backup is already overwritten, can I still use the incremental backup?
(A) NO, Incremental Backup is useless.

(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO

Partial Backup:
The backup of the database in smaller parts is called a Partial Backup.
NOTE: The sum of the individual partial backups forms an entire complete backup.
NOTE: Recovery using partial backup data is very time consuming, because it needs all the older partial backups plus the offline and online redo log recovery processes.

(Q) What are the various backup strategies used in SAP?
(A) There are 3 backup strategies in SAP:
     i) Complete Backup: Restore missing database files from the complete backup, then restore the offline redo log files written during and after this backup.
     ii) Incremental Backup: Restore missing data files from the last full backup, update them with a restore from the last incremental backup.
     iii) Partial Backup: Replacing the complete backup with partial backups means a longer time to perform a recovery from a media crash.
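The restore-chain reasoning behind the strategies above, and behind the two questions on a missing offline redo log and an overwritten full backup, as an added Python example (not part of the original notes): it picks the newest usable backup for a target log sequence and reports how far the offline redo log chain lets you recover. Backup names and log sequence numbers are constructed sample values.

```python
"""Restore-chain check for SAP on Oracle backups.

Added example, not part of the original notes. It models the rules the notes
state: a recovery needs a complete database backup (or a full backup plus an
incremental that builds on it) and every offline redo log written during and
after that backup; an incremental whose base full backup has been overwritten
is useless; and a gap in the offline redo log chain limits recovery to the
point in time just before the gap. All names and sequence numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Backup:
    name: str                   # constructed label (a BRBACKUP log name in real life)
    kind: str                   # "full" (with RMAN catalog), "whole" or "incremental"
    start_seq: int              # online redo log sequence current when the backup began
    end_seq: int                # log sequence current when the backup finished
    online: bool                # online backups also need the logs written during the backup
    base: Optional[str] = None  # incremental only: name of the full backup it builds on

    def first_needed_seq(self) -> int:
        """First offline redo log that must be applied after restoring this backup."""
        return self.start_seq if self.online else self.end_seq + 1


@dataclass(frozen=True)
class RestorePlan:
    restore: tuple              # backup names to restore with BRRESTORE, in order
    recover_to_seq: int         # last log sequence that can be applied
    complete: bool              # True when every log up to the target is available
    reason: str


def redo_chain_end(archived_seqs, first_seq, target_seq):
    """Return the last contiguous log sequence from first_seq towards target_seq.

    Stops at the first missing offline redo log: everything after a gap is
    unusable, which is why the notes call for two copies of every archived log.
    """
    available = set(archived_seqs)
    seq = first_seq
    while seq <= target_seq and seq in available:
        seq += 1
    return seq - 1


def usable_chains(backups, target_seq):
    """List (end_seq, names, first_needed) for every backup that can serve a restore."""
    by_name = {b.name: b for b in backups}
    chains = []
    for b in backups:
        if b.end_seq > target_seq:
            continue                          # finished after the target point in time
        if b.kind == "incremental":
            base = by_name.get(b.base)
            if base is None or base.kind != "full":
                continue                      # base overwritten or not a full backup: useless
            chains.append((b.end_seq, (base.name, b.name), b.first_needed_seq()))
        else:
            chains.append((b.end_seq, (b.name,), b.first_needed_seq()))
    return sorted(chains, key=lambda c: c[0], reverse=True)


def plan_restore(backups, archived_seqs, target_seq):
    """Pick the newest backup whose redo chain is intact and report how far it recovers."""
    for end_seq, names, first_needed in usable_chains(backups, target_seq):
        last = redo_chain_end(archived_seqs, first_needed, target_seq)
        if last < end_seq:
            continue                          # a log written during the backup is missing
        if last < target_seq:
            return RestorePlan(names, last, False,
                               f"log sequence {last + 1} missing: point-in-time recovery to {last} only")
        return RestorePlan(names, target_seq, True, "complete recovery possible")
    return RestorePlan((), 0, False, "no backup with an intact redo chain ends at or before the target")


# Constructed sample backup set: an offline full backup, an online incremental on
# it, an online incremental whose base has been overwritten, and an online whole backup.
SAMPLE_BACKUPS = [
    Backup("full_sun", "full", start_seq=100, end_seq=100, online=False),
    Backup("inc_mon", "incremental", start_seq=105, end_seq=106, online=True, base="full_sun"),
    Backup("inc_tue", "incremental", start_seq=110, end_seq=111, online=True, base="full_old"),
    Backup("whole_wed", "whole", start_seq=112, end_seq=113, online=True),
]
# Constructed archive directory contents: sequences 101..118 present, 119 lost, 120 present.
SAMPLE_ARCHIVED = list(range(101, 119)) + [120]

if __name__ == "__main__":
    for target in (120, 111, 99):
        print(target, plan_restore(SAMPLE_BACKUPS, SAMPLE_ARCHIVED, target))
    # A log lost while the online incremental ran makes that backup unusable;
    # the planner falls back to the older full backup and loses everything after 104.
    print(110, plan_restore(SAMPLE_BACKUPS, [s for s in SAMPLE_ARCHIVED if s != 105], 110))
```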

TOOLS:
(1) BRBACKUP: Backup of Oracle data files, cofiles, DB redo log files, Oracle software directories and SAP system directories.
(2) BRARCHIVE: Backup of offline redo log files.
(3) BRRESTORE: Restore of all DB files and offline redo log files.
(4) BRRECOVER: Checks the database for missing files and calls BRRESTORE for restoration of the missing data and offline redo log files.

NOTE:
(1) Both BRBACKUP and BRARCHIVE record their actions in log files; BRRESTORE uses these logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE support backups to tapes and disks as well as backups with third-party tools.
Important Parameters for Configuration of BRBACKUP and BRARCHIVE (init<SID>.sap):
(A) Backup_mode = All (whole)
                  Full (full backup)
                  Incremental (incremental backup)
                  Partial (table space name, directory path, file IDs)
(B) Backup_type = Online or Offline backup
(C) Backup_dev_type = Tape, Disk or external interface (util_file)
(D) Util_file = BACKINT (external backup program through the BACKINT interface)
(E) TAPE_COPY_CMD = CPIO, DD or RMAN (copying files from disk to tape)
NOTE:
 DD = raw devices are copied with this option
 CPIO = directories are copied with this option
 The profiles init<SID>.ora and init<SID>.sap and the summary and detail logs are always copied with CPIO.
(F) DISK_COPY_CMD = cp or copy (copying files to disk)
    cp is used on UNIX
    copy is used on WINDOWS
(G) Expir_period = the expiry period of a tape, which we have to specify
    Tape_use_count = maximum number of times a volume can be written to
(H) Volume_backup = names of the volumes used for backups (BRBACKUP)
    Volume_archive = names of the volumes used for backups of offline redo log files (BRARCHIVE)
(I) Tape_address = identifies the device address of the tape drive
(J) DD_flags and DD_in_flags = specify the block size (at least 64 KB)

Integration of Oracle Recovery Manager (RMAN) into SAP Tools:
(1) RMAN is the default Oracle backup and restore program.
(2) The RMAN executable runs as a client process and connects to the database.
(3) Backup with RMAN is done in 2 ways:
(i) RMAN classifies a complete backup as a level 0 backup.
(ii) Level 0 serves as the basis for level 1 (incremental).
(4) Backups performed without RMAN call CPIO or DD to save the database files to tape.
NOTE: RMAN always writes its information to a separate file, the recovery catalog.

(Q) Can RMAN recover the Database automatically without Recovery catalog ?
(A) NO

(5) RMAN performs backups directly to disk and not to tape.
(6) RMAN uses an Oracle shadow process to check for data block corruption, filters those blocks and then writes only the used blocks to the backup media.
(7) The parameter that hands control of copying data to the backup media over to RMAN is TAPE_COPY_CMD or DISK_COPY_CMD set to the RMAN value (RMAN_DISK).
(8) Advantages of using RMAN:
I) All blocks are checked for block corruption to ensure a consistent state.
II) Only used blocks are copied to the backup media.
III) Empty blocks that were used before are always backed up.

(Q) Can a whole backup be considered a level 0 backup?
(A) A whole backup is not a level 0 backup and can't be used as the basis for an incremental backup.

(9) RMAN writes a header, a trailer and the blocks of at least one database file or one raw disk file to a file called a SAVESET.
(10) Using SAVESETs speeds up the backup process.

PREPARATORY RUN:
    A preparatory run is used to determine the optimal SAVESET distribution of the data files we want to back up.
(Q) Why do we need to perform a preparatory run?
(A) If the backup with RMAN is supposed to form savesets, we need to run a preparatory run.
     The preparatory run can be started from DB13 -> Prepare for RMAN Backup.
     No backup is created during the preparatory run; it only estimates the compression rate BRTOOLS achieves on the files and determines the compressed and uncompressed file sizes.
     It is recommended to perform one preparatory run per backup cycle.



Sap Database Notes -1


Sap Database Notes 1:-

Database :-

Oracle database: is a collection of data stored in one or more data files on disks.
                      Oracle manages database data in logical units called table spaces.



Table space: One or more data files.

Instance: Set of oracle background process and memory buffers form an instance.

Q) What happens when an Oracle instance is started?
      The System Global Area (SGA) is allocated.
      Oracle background processes are started.

* In Unix we can identify Oracle processes as individual system processes.
* In Windows these processes run as threads within one common Oracle OS process, i.e. 'Oracle.exe'.
* When an Oracle instance starts, a special process called the listener opens and establishes communication between NetWeaver and Oracle.
* The listener process is not part of the Oracle instance; it is rather part of the network process that works with Oracle.
* In SAP the dedicated server configuration is used, i.e. for each work process we have a dedicated server process, called a shadow process.
* The ratio of work processes to shadow processes is 1:1.
* To handle database requests, an SAP work process communicates with its own shadow process.
* Database data is permanently stored in data files on disk.
* To accelerate read and write access, data is cached in the database buffer cache in the SGA.
* The shared pool holds the executable SQL statements, which are stored in the shared SQL area of the shared pool.
* The Oracle data dictionary is stored in the row cache of the shared pool.
* Data processing never takes place directly on disk; the data is first copied by the associated shadow process from disk to the database buffer cache in the SGA.
* Oracle keeps the most recently used data blocks in the database buffer cache.
* Sometimes Oracle writes the least recently used data blocks out of the buffer cache.
* Modified data blocks are called dirty blocks.
* A shadow process never copies modified data to disk.
* Copying data to disk is done by a special background process called DBWR (DB writer).

Q) What are the situations in which DBWR writes dirty blocks to disk?
 * If the number of scanned buffers reaches a certain threshold.
 * At a specific time, that is when a checkpoint occurs.
* Scanning of the buffers is done by the shadow process.
* Changes are recorded in two ways:
      Roll forward changes.
      Roll backward changes.
* Redo entries are stored in redo log files and perform roll-forward recovery.
* Undo entries are stored in the undo tablespace and perform rollback.
* Redo changes = committed changes = new value = after image.
* Undo changes = uncommitted changes = old value = before image.
* The Oracle shadow process records redo changes and stores them temporarily in the redo log buffer of the SGA.
* The Oracle background process "log writer (LGWR)" writes the data in the redo log buffer to the online redo log files, which are stored physically on disk.
* The redo log buffer is also called a circular buffer.
* The circular buffer records all committed and uncommitted changes made to the database.

Q: What are the conditions in which the log writer writes redo log buffer data to the online redo log files?
Ans: There are 4 conditions:
 * When a transaction is committed.
 * Every three seconds.
 * When the redo log buffer is one third full.
 * When DBWR is about to write modified buffers to disk and some of the corresponding redo records have not yet been written to the online redo log, i.e. write-ahead logging.
* Each committed transaction has a system change number (SCN) stored in the redo log file.
* The size of an Oracle redo log file is 40 MB (fixed). There are four predefined groups of online redo log files.
* At every log switch Oracle increases the log sequence number.
* The current online redo log file, the one LGWR is writing into, is called the active online redo log file.

Control files
This file is used to start and operate the database.

Q) What are the entries in cofiles?
 * Physical structure of the database
 * State of the database
 * Tablespace information
 * Names and locations of data files and redo log files
 * Current log sequence number
* If the physical structure of the database changes, the cofiles get updated automatically.
* SAP stores cofiles in three locations during the installation of SAP. It is recommended to store the files on three physically separate hard disks.
* If the database is open, the cofile is available for writing.
* Normally cofiles are small and don't grow.
* When RMAN is used for backups, cofiles may grow by a factor of 10, because they contain information about the RMAN backups.

Checkpoint Functions:
* A checkpoint wakes up the database writer to copy all dirty buffers to disk.
* It also updates the headers of all data files to record details of the checkpoint.
* It writes information about the checkpoint position in the online redo log files into the cofile. This information is used during database recovery.
* The less frequently checkpoints occur, the longer the instance needs for recovery.
* Checkpoints occur at log switches.

Database Recovery:
* Online redo log files are used for database recovery (instance recovery). After a restart, the system performs automatic recovery.
* If online redo log files are lost during a crash, a complete recovery is not possible. Hence online redo log files must be mirrored, i.e. two or more copies need to be maintained.
* Oracle itself mirrors online redo log files by default.
* Online redo log files are limited in size and cannot grow automatically.
* Automatic instance recovery from online redo log files is possible.
* To manually restore and recover missing data files, we need both a database backup and all redo log information written after the backup.
* Archiving must be explicitly activated by turning on archive log mode, i.e. "LOG_ARCHIVE_START" = TRUE.
* Archiving is taken care of by an Oracle background process called "ARC0" (archiver).
* Oracle cannot mirror offline redo log files, hence we must use RAID.
* Offline redo log files and data files should be on different disks.

SMON (System Monitor)
* SMON performs recovery at instance startup.
* It writes alert log information if any instance process fails.
* It cleans up temporary segments that are no longer in use.

PMON (Process Monitor)
* PMON monitors the shadow processes.
* In case of a client process crash, PMON rolls back its uncommitted data, stops the shadow process and frees its resources.

Oracle Directory Structure in SAP
In Unix all directories are present under one single tree, whereas in Windows all directories are present under separate drive letters. There are 3 files inside the directories:
 /database (Windows)    init<SID>.ora
 /database (Unix)       init<SID>.sap
 spfile<SID>.ora (only from Oracle 9i)
• Online redo log files = original log (origlog) and mirror log (mirrlog).
• Offline redo log files = oraarch, saparch.
Note: All previous versions up to Oracle 8i have the saparch directory.
• saptrace = alert_<SID>.log = saptrace/background, saptrace/usertrace
• Data files = sapdata1
    ...
    ...
    ...
    sapdata<n>
There are 3 environment variables on the database server:
1. ORACLE_SID = system ID of the DB instance
2. ORACLE_HOME = the directory for BR*Tools
3. SAPDATA_HOME = the data file directory

• The home directory for Oracle is ORACLE_HOME.
• The location of cofiles and offline redo logs is configured in the Oracle profile init<SID>.ora.
• The location of data files and online redo log files is stored in the database.
• The Oracle tool to ping the listener is TNSPING.

Oracle System Privileges
• SYSDBA and SYSOPER are Oracle system privileges.
• These privileges are controlled outside the database.
• These privileges allow access to the database instance even when the database is not open.

Operating System Users and Groups (Start -> Programs -> Admin Tools -> Computer Management -> Users, Groups)

Users:
<sapsid>adm and ora<sid> are the two users created on Unix systems,
whereas <sapsid>adm and SAPService<SID> are created on Windows systems.

Groups:
1. 'ora_dba' = members of this group can connect to the Oracle database as DBA without a password.
2. 'ora_<SID>_dba' = admin group
3. 'ora_<SID>_oper' = DB operator group

Extra Groups:
SAP_<SID>_GlobalAdmin = SAP Global Admin Group
SAP_<SID>_LocalAdmin = SAP Local Admin Group
SAP_LocalAdmin = SAP Local Admin Group

• The operating system group DBA has administrative privileges, whereas the OS group OPER has restricted privileges.
Note: Always assign database roles to users.
• Database roles have privileges.

Roles:
DBA and SAPDBA are the two roles.
The DBA role is created by Oracle.
The SAPDBA role is created by SAP.
• The role DBA has all admin privileges except the SYSDBA and SYSOPER system privileges.
Note: The role SAPDBA provides access for administering certain tables.
• SYSOPER has all SYSDBA privileges except CREATE DATABASE, and without the ability to look at user data.

Database Users:
1. 'SYS' and 'SYSTEM' are created by Oracle.
2. SAP<SID> or SAP<SCHEMA_ID> is created by SAP.
3. The default user used by SAP to connect to the database is SYSTEM.
4. During the installation of the Oracle database, you will be prompted to enter the passwords for the users SYS, SYSTEM and SAP<SCHEMA_ID>.
Note: OPS$ users are created by SAP and do not need a password.
• SAP work processes at OS level connect to Oracle with the user name 'SAP<SCHEMA_ID>'.
• The password for this user is stored in the Oracle system table 'SAPUSER'.
• A work process first connects as the 'OPS$' user and gets the password for 'SAP<SCHEMA_ID>' from the table 'SAPUSER'.
• Never change the password for 'SAP<SCHEMA_ID>' with Oracle methods; always use BR*Tools, i.e. 'BRCONNECT', to change the password.
• The network configuration files are stored in the 'ORACLE_HOME' directory.
• 'listener.ora' = contains all Oracle system IDs and protocol addresses.
• 'tnsnames.ora' = contains the list of service names for all the databases that can be accessed in the network.
• 'sqlnet.ora' = contains client-side information.
• Oracle has one listener control utility, i.e. 'lsnrctl'.
Options:
OS level: lsnrctl help
OS level: lsnrctl status = shows the Oracle listener status and the location of its parameter and log files.
Note: 'listener.ora' also controls listener tracing.
Trace levels:
1. Off = no trace
2. User = limited trace
3. Admin = detailed trace








December 11, 2013

SAP BASIS NOTES -15



Security (Part-4) :-

Single Sign-On (SSO)
SAP GUI entries                3rd Party Tool (Keon)
HR Secure                      UID
HR Unsecure                    PIN
FI Secure                      PWD
FI Unsecure
SU01 -> SNC tab

What is single sign-on?
1) With single sign-on we create credentials once in a third-party tool (e.g. Keon) and later log on to SAP without entering any credentials.
2) We can even log on through the internet using SSO.
3) SSO is represented in the form of an SNC (Secure Network Communications) string. For the SNC string to be activated we need to configure certain DLL files at OS level.
4) Once we have configured the DLL files, we go to the SAP GUI, select one server, go to Properties -> Network, check the secure network settings and enter the SNC string.

We then go to SU01 and allow access for the string.

Steps to configure SSO
1) Go to the OS services, select the service "NT LM Security Support Provider" and change its startup type from manual to automatic.
2) Copy the GSSNTLM.DLL file to the run directory of our central instance, i.e. /usr/sap/<SID>/SYS/exe/run
3) Set the environment variable SNC_LIB to the location of the library.
4) Edit the central instance profile and set the following parameters:
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = C:\usr\sap\<SID>\SYS\exe\run\GSSNTLM.DLL
snc/identity/as = p:<Domain Name>\SAPService<SID>
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
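A check of the SNC profile settings above, as an added Python example (not part of the original notes): it parses the snc/* parameters from profile text and reports which accept_insecure/permit_insecure flags still leave a non-SNC path into the system open, next to a constructed hardened profile for once every client has SNC configured. Both profile texts are constructed samples; the parameter names are the SAP profile parameters listed in the steps above.

```python
"""SNC posture check for an SAP instance profile.

Added example, not part of the original notes. It parses the snc/* parameters
from profile text (`name = value` lines, '#' comments) and reports whether the
instance still accepts GUI, RFC or CPIC connections that bypass SNC. The two
profiles below are constructed: the first mirrors the rollout settings in the
notes (all accept/permit_insecure flags = 1), the second is a hardened version.
"""

# snc/data_protection/* levels: 1 = authentication only, 2 = integrity, 3 = privacy
LEVEL_NAMES = {1: "authentication", 2: "integrity", 3: "privacy"}

# Parameters that, when set to 1, keep a non-SNC path into the system open.
INSECURE_FLAGS = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/permit_insecure_start",
    "snc/permit_insecure_comm",
)


def parse_profile(text):
    """Return {parameter: value} from SAP profile text; names are case-insensitive."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name.lower()] = value
    return params


def protection_name(params, key):
    """Map a snc/data_protection/* value to its meaning, or say it is missing/invalid."""
    value = params.get(key)
    if value is None:
        return "not set"
    try:
        return LEVEL_NAMES.get(int(value), f"level {value}")
    except ValueError:
        return f"invalid ({value})"


def snc_report(params):
    """Summarise the SNC-relevant settings of a parsed profile."""
    enabled = params.get("snc/enable") == "1"
    open_paths = tuple(flag for flag in INSECURE_FLAGS if params.get(flag) == "1")
    return {
        "enabled": enabled,
        "min_protection": protection_name(params, "snc/data_protection/min"),
        "use_protection": protection_name(params, "snc/data_protection/use"),
        "insecure_paths_open": open_paths,
        # Hardened only when SNC is on and nothing may connect without it.
        "hardened": enabled and not open_paths,
    }


# Constructed profile as the notes configure it during rollout.
ROLLOUT_PROFILE = """\
# SNC rollout settings (constructed sample, not a real profile)
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\DEV\\SYS\\exe\\run\\GSSNTLM.DLL
snc/identity/as = p:EXAMPLE\\SAPServiceDEV
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
"""

# Constructed hardened profile: insecure paths closed, privacy protection required.
HARDENED_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\DEV\\SYS\\exe\\run\\GSSNTLM.DLL
snc/identity/as = p:EXAMPLE\\SAPServiceDEV
snc/data_protection/max = 3
snc/data_protection/min = 3
snc/data_protection/use = 3
snc/accept_insecure_cpic = 0
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/permit_insecure_start = 0
snc/permit_insecure_comm = 0
"""

if __name__ == "__main__":
    for label, text in (("rollout", ROLLOUT_PROFILE), ("hardened", HARDENED_PROFILE)):
        report = snc_report(parse_profile(text))
        print(label, "hardened" if report["hardened"] else "open paths:", report["insecure_paths_open"])
```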

Preparing SAP GUI for single sign-on
In the SAP Logon window choose Edit -> Advanced -> Network, activate Secure Network Communication and enter the SNC name:
P:\<Domain Name>\SAPService<SID>

Mapping SAP system users to Windows users for single sign-on
Go to SU01, choose the SNC tab and enter, in uppercase, the name of the Windows user to assign to the SAP system user, i.e.
P:\<Domain Name>\<User Name>, select "Insecure communication permitted" and save the entries.


Central User Administration

Administering users centrally from one central system

CUA works with RFCs.

Steps to Configure CUA
1) Create logical systems for all the clients (using BD54/SALE).
2) Attach the logical systems to the clients using SCC4.
3) Create the user CUA_<SID> in the central system with 3 roles and create the user CUA_<SID>_<client number> in each child system with 2 roles.
4) Create RFC destinations from the central system to the child systems and from the child systems to the central system using SM59.
5) Log on to the central system and use SCUA to configure CUA (Central User Administration).
6) Enter the model view name and enter all child system RFC destinations.
Note: The RFC destination naming convention must be the same as the logical system naming convention of the central system.
7) Save the entries.
8) Once we expand the test for the individual systems we should see, for each system, the messages "ALE distribution was saved", "Central user administration activated" and "Comparison was started", all in green.
Note: If any problem messages appear, refer to SAP Note 333441 in the Service Marketplace.
9) Use transaction SCUG in the central system to perform the synchronization activities between the central and child systems.
10) Use transaction SUCOMP to administer company address data.


Q) If all the users are locked mistakenly, how do we connect to the SAP system?
A) Follow these steps:
Step 1) Go to OS level, connect to the Oracle DB and execute the following SQL statements:
select * from <Application Server name>.USR02 where bname = 'SAP*';
delete from <Application Server name>.USR02 where bname = 'SAP*';
Step 2) Then log in using the SAP* user.
Step 3) Go to transaction EWZ5 or SU10 and unlock all the users.

Note:
USR02 is the table in which all user master records are stored.
Deleting SAP* will automatically recreate a user master record in the USR02 table.

Portal Security
All security related activities like Creation of User accounts and Creation of roles which are normally performed using SU01 and PFCG can be done using portal.

In portal administration there are two ways of maintaining user and role information:
1) Accessing the portal using a URL
2) Accessing the portal using Active Directory Service
Note:
1) For any portal URL, the ports will be in the 50000 series.
2) The portal needs the J2EE engine to be installed; no ABAP engine is needed to run it.
3) All roles related only to the portal are configured in Active Directory Service, i.e. if users need to enter travel expenses and file their timesheets using the portal, separate portal-related roles are provided. These roles give users access to display the screens as well as to store the information in the DB.
4) Some portal screens are integrated with the SAP system, i.e. PROS. Instead of logging into the SAP system, the user provides the inputs on the portal screens and they are saved automatically in the SAP DB.

Problems in Portal
Problem 1) Global page missing
Solution:
 - Check in Active Directory whether the user has been correctly added under the role that is considered global.
Note:
In Active Directory services we have 2 types of roles:
1) Global roles -> Provide access for a user to log in to the portal, i.e. for the initial screen to appear. They are classified based on the region the user belongs to. For example: Africa, Europe etc.
2) Local roles -> Provide access for certain T-codes or activities which the user needs to perform. E.g.: timesheet filling, travel expenses. Local roles are categorized based on the location where the user is situated. E.g.: country-wise IN, USA, AF.
3) Every user who accesses the portal must have one global role and 'n' local roles.

Problem 2) User reports "Not able to access ESS"
Solution:
 - Check the global role.
 - Check the exact local role assigned to the user.
Problem 3) User reports "He is able to access other global screens instead of his own screen"
Solution:
 - Find which global screens the user is able to access.
 - Go to the AD service and then to the particular global role.
 - Edit the role and check whether the user ID has been added to that particular role.
 - If it is added then remove the user ID, add the user ID to the correct global role and inform the user to restart his system in order to pick up the new changes.
Note:
1) Assigning users using the AD service is considered a direct assignment, whereas assigning users using the portal is considered an indirect assignment. This is similar to assigning users in SAP using PFCG (direct assignment) and SU01 (indirect assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages are embedded in the software. Non-Unicode is language specific.
3) The upgrade of an SAP system from non-Unicode to Unicode is possible whereas the other way is not. To achieve the transition from non-Unicode to Unicode we need the non-Unicode export kernel CD and the Unicode import kernel CD.
4) SU3 is the transaction code for maintaining the user's own data.
5) SCAT is the T-code used for running CATT scripts.
6) The ACTVT field indicates the type of activity, i.e. create, change, generate and delete.
7) In transaction PFCG, a profile is a unique identifier generated by the system to identify a role.
8) The notation for a parent role is Z> and for a child / derived role it is Z:
9) Roles starting with SAP_ (SAP-defined roles) should not be generated; they are used as templates. Hence if we want to use any SAP role, first copy it to a customized role and generate that.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type basic maintenance only, whereas HR-related roles and workflow-related roles are of type complete view. By default the roles are of type basic maintenance.
12) Before we delete a role, it has to be added to a transport, because these actions are performed in the DEV system.
13) Profile names come by default; if a name has to be changed, it has to start with Z.
14) Color indications in authorizations:
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.

Role Distribution
Distribution of a role can be done using
->  Go to transaction code PFCG ->  Menu tab -> Distribute button
->  Enter the target system i.e. an RFC connection needs to be created between source and target system.
->  This procedure is distributing the roles between source and target using RFC connections
->  If a role is being distributed to a target system only the structure is being copied and not authorizations. Hence we need to maintain the authorization for a role in the target system.



SAP BASIS NOTES -14




Security (Part-3) :-


As part of our daily activities we might receive the tasks as follows
1) Changes in form of tickets. (Various 3rd party tools are available)
2) Changes in form of CR

Each ticket has its own priority i.e. SLA. Based on the priority there will be response time and resolution time for each request.

SLA (Service Level Agreement)
Priority   Type            Response Time   Resolution Time
1          Very Critical   10 min          30 min
2          High            30 min          1 day
3          Medium          60 min          4 days
4          Low             4 hrs           ----

Note:
Response time is time in which we acknowledge the user request, i.e. once a ticket comes into our queue the first major priority is to accept the ticket on our name, once this is done we have to send an acknowledgement to the user informing that someone is working on this issue via email, chatting tool or phone.

Resolution Time: This is the time in which we have to solve the issue.

Note: By default the status of any ticket is in Open status

Stages of a ticket:
1) Open
2) Working / In progress: assigned to our name; inform the user; copy the comments into the tool under the notes column.
3) Closed: issue resolved; inform the user; copy the communication into the tool under the notes column.
4) Waiting: some input is needed from the user to solve the issue; inform the user; copy the comments into the tool under the notes column.
5) Hold: waiting because the user is unavailable (e.g. on vacation); copy the user's auto-response about the unavailability into the notes.
6) Cancelled: if the request duplicates an earlier one, cancel one of them and mention the earlier request number under the notes column; or, if the user wishes to cancel the request, copy the user's confirmation into the notes and select the Cancel button.

Types of CR (Change Requests)
A CR is of type Workbench or Customizing.

1) New functionality CR: carries changes that are done for the first time, i.e. creation of totally new roles.

2) Operational CR: carries changes that are done on a day-to-day basis, i.e. modification and deletion of roles.

3) Defect CR: originates from a ticket. Based on the ticket raised by the user in the ticketing tool we decide whether a defect CR needs to be created.
Eg: a user had some access, it was lost for some reason, and on investigation we find that the user should have it. In this scenario we raise a defect CR.

To rectify a defect CR:
CR forms are created based on the quarterly release (there are 4 quarterly releases in a year). During a release, technical consultants, functional consultants and security administrators get involved and analyze the roles based on the inputs provided by the auditors.
This is where SOX policies come into play. To identify defects and conflicts within roles and between transactions we use SOD (Segregation of Duties) tools such as VIRSA and BIZRights. The process of identifying the defects or conflicts among the existing transactions and rectifying them is called mitigation.

Ex: MM01 x MM02 (create x change). The conflicting activity pairs are:
1) Create x Change
2) Change x Delete
3) Create x Delete

Note: The default access is Display.
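The create x change, change x delete and create x delete pairs above can be checked mechanically over the union of transactions a user gets from all of his roles, which is what an SOD tool does before a mitigation or defect CR is raised. The following Python block is an added illustration, not code from these notes or from any SOD product; the roles, users and the activity classification are constructed sample data, and MM06 (flag material for deletion) is assumed as the delete-side transaction beside MM01 (create) and MM02 (change).

```python
"""Added illustration of an SOD (segregation of duties) conflict check over
a user's roles, following the create x change, change x delete and
create x delete conflict pairs from the notes. All data below is constructed
sample data; MM06 (flag material for deletion) is assumed as the delete
transaction beside MM01 (create) and MM02 (change)."""
from itertools import combinations

# Transaction -> (business area, activity). In a real SOD tool such as
# VIRSA or BIZRights this classification comes from the tool's rule set.
TCODE_ACTIVITY = {
    "MM01": ("Material master", "create"),
    "MM02": ("Material master", "change"),
    "MM06": ("Material master", "delete"),   # assumed transaction
    "MM03": ("Material master", "display"),  # display is the default access
}

# The conflicting activity pairs listed in the notes; display never conflicts.
CONFLICT_PAIRS = {
    frozenset({"create", "change"}),
    frozenset({"change", "delete"}),
    frozenset({"create", "delete"}),
}

# Role -> transactions in its menu (constructed sample roles; the Z prefix
# follows the naming rule for customer roles).
ROLES = {
    "Z_MM_CREATE": {"MM01", "MM03"},
    "Z_MM_CHANGE": {"MM02", "MM03"},
    "Z_MM_DELETE": {"MM06"},
    "Z_MM_DISPLAY": {"MM03"},
}


def conflicts_for(assigned_roles):
    """Conflicts across the union of transactions from the given roles.

    Returns a sorted list of (tcode_a, tcode_b, "activity x activity").
    Checking the union matters: each role can be clean on its own while
    the combination assigned to one user is not."""
    tcodes = set()
    for role in assigned_roles:
        tcodes |= ROLES.get(role, set())
    found = []
    for a, b in combinations(sorted(tcodes), 2):
        area_a, act_a = TCODE_ACTIVITY[a]
        area_b, act_b = TCODE_ACTIVITY[b]
        if area_a != area_b:
            continue  # only transactions of the same business area conflict
        if frozenset({act_a, act_b}) in CONFLICT_PAIRS:
            found.append((a, b, f"{act_a} x {act_b}"))
    return found


def conflict_report(user_roles):
    """user_roles: {user: [roles]}. Returns {user: conflicts} for users with
    at least one conflict, i.e. the candidates for mitigation or a defect CR."""
    report = {}
    for user, roles in user_roles.items():
        found = conflicts_for(roles)
        if found:
            report[user] = found
    return report


if __name__ == "__main__":
    sample_users = {                       # constructed sample assignments
        "USER_A": ["Z_MM_CREATE", "Z_MM_CHANGE"],
        "USER_B": ["Z_MM_DISPLAY"],
        "USER_C": ["Z_MM_CREATE", "Z_MM_DELETE"],
    }
    for user, found in conflict_report(sample_users).items():
        print(user, found)
```

The report lists only users whose combined roles conflict; a user holding only Z_MM_CREATE or only Z_MM_DISPLAY is clean, while the combination Z_MM_CREATE plus Z_MM_CHANGE is flagged as create x change.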

HR Security Activities
There are two types of HR security activity:
1) Delegation of Authority
2) Structural Authorizations

Delegation of Authority: a process by which a user (the delegator) assigns his/her access to another user (the delegate) for a certain period of time. During this period all the POs (purchase orders) or other work items that would arrive in the owner's inbox go to the delegate's inbox instead.

Note: The delegator can delegate access only to a person at the same or a higher level in the hierarchy.
The only issues we get here are workflow problems:
1) Items not appearing in the inbox
2) An item still appearing in the inbox after the delegation period has expired
3) No access to approve the POs appearing in the inbox

The first two problems are rectified by the workflow administrator. The last issue concerns approval access: before we grant approval access we have to check whether that person already has create access.
If they do, reply by email that as per the security policy a user can have either create or approve access, not both.

Steps related with Delegation of Authority
1) Log into the HR box and go to PA20 (Display HR Master Data).
2) Enter the personnel details.
3) Select the Organizational Assignment infotype and the period "Today".
4) The output shows the position number and the personnel number.
5) Copy the position number and go to PO13 (Maintain Position).
6) Paste it under Position number.
7) Under Infotype select Relationships.
8) Under Time period select All and press the Overview button.
9) Select the row where Object type = P and End date = 31-12-9999 and press the Copy button.
10) Under Related object change the type of related object from Person to User.
11) Under ID of related object enter the delegate's user ID and press Enter.
12) Change the Valid From and Valid To dates.
13) Select Save.

Structural Authorization: a concept in HR security by which we assign roles to users based on organizational objects.

Structure of organizational management:
1) Organizational Unit
2) Position
3) Job
4) Task = description of an activity performed within an organizational unit. Roles are assigned to positions, not to users.

Users are called holders; holders are assigned to positions, not to jobs.
Whenever we create an organizational unit structure we first create the root organizational unit and only then the lower-level organizational units.

Steps related with the assignment of HR roles (structural assignment)
1) Go to PFCG and select the Overall view.
2) Select the inheritance hierarchy.

Go to PFCG, enter the new role name and go to role maintenance.
Go to Settings -> Complete View (Org. Management and Workflow)
Create the role
Maintain the authorizations
Go to the User tab -> select the Org. Mgmt button
Choose the Create assignment button
Select the Job (object type)
After completion, run the user comparison.

Special PFCG Roles:

1) Customizing roles: we can assign projects/views of the Implementation Guide (IMG) to this role.
2) Composite roles

Steps:-
Go to PFCG -> Menu -> Utilities -> Cust_Authorization -> Add -> IMG Project / IMG Project view

Select the customizing object based on our requirement and continue.

Once an IMG project or project view has been assigned to a role, transactions can no longer be assigned to that role manually.
This means that the role can only be used for generating and assigning customizing authorizations.

Note:-
Unlike a role to which transactions have been manually assigned, these roles are used only during the implementation period, so maintain an end date when the role is assigned to a user; once implementation is complete the role is normally deleted.

Installation and Upgrade
The profile parameter auth/no_check_in_some_cases = Y has to be set if we want to use the profile generator (PFCG).

Q) Where do the default values in a role come from, i.e. the activities under an authorization object?
A) Tables USOBX_C and USOBT_C control the behavior of the profile generator after a transaction has been selected in the role menu.

SAP delivers the default values (in tables USOBX and USOBT); they are used for the initial fill of the customer tables USOBX_C and USOBT_C.
After the initial fill we can modify the customer tables.
Table USOBX_C defines which authorization checks are performed within a transaction and which are not (the check indicator).
Table USOBT_C defines, for each transaction and each authorization object, the default values that an authorization created from the object should have in the profile generator.
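To make the division of labour between the two tables concrete, here is an added Python model of the proposal step; it is not SAP code and not from these notes. USOBX_C decides whether an object is proposed into the role at all, USOBT_C supplies the default field values, and an organizational-level field such as plant is left open, which produces the red/yellow/green status described earlier. The table rows are constructed samples; S_TCODE, M_MATE_WRK, ACTVT and WERKS are standard SAP names assumed here, while Z_OBJ_OFF and Z_OBJ_YEL are made-up objects.

```python
"""Added model of the profile generator's proposal step driven by the two
customer tables. Table rows are constructed samples, not SAP's delivered
content. S_TCODE, M_MATE_WRK, ACTVT (activity) and WERKS (plant) are standard
SAP names assumed here; Z_OBJ_OFF and Z_OBJ_YEL are made-up objects."""

# USOBX_C: (transaction, object) -> check indicator.
#   "CM" = check/maintain: checked at runtime AND proposed into the role
#   "C"  = check: checked at runtime, nothing proposed
#   "N"  = no check
USOBX_C = {
    ("MM01", "S_TCODE"):    "CM",
    ("MM01", "M_MATE_WRK"): "CM",
    ("MM01", "Z_OBJ_OFF"):  "N",   # made-up object switched off in SU24
    ("MM03", "S_TCODE"):    "CM",
    ("MM03", "M_MATE_WRK"): "C",   # checked, but not proposed
    ("MM03", "Z_OBJ_YEL"):  "CM",  # made-up object with an ordinary empty field
}

# USOBT_C: (transaction, object, field) -> default values. Organizational
# level fields such as WERKS are delivered empty and stay open until the
# Organization Levels button is used.
USOBT_C = {
    ("MM01", "M_MATE_WRK", "ACTVT"): {"01"},   # 01 = create
    ("MM01", "M_MATE_WRK", "WERKS"): set(),
    ("MM03", "Z_OBJ_YEL", "ZFLD"):   set(),    # non-org field left empty
}

ORG_LEVEL_FIELDS = {"WERKS"}


def build_proposals(menu_tcodes, org_levels=None):
    """Return {object: {field: set(values)}} proposed for a role whose menu
    holds menu_tcodes. S_TCODE is always filled from the menu itself;
    org_levels maps an org-level field to the values maintained via the
    Organization Levels button and is merged into every such field."""
    org_levels = org_levels or {}
    proposals = {"S_TCODE": {"TCD": set(menu_tcodes)}}
    for tcode in menu_tcodes:
        for (t, obj), indicator in USOBX_C.items():
            if t != tcode or obj == "S_TCODE" or indicator != "CM":
                continue  # "C" and "N" rows never produce a proposal
            fields = proposals.setdefault(obj, {})
            for (t2, obj2, field), values in USOBT_C.items():
                if t2 == tcode and obj2 == obj:
                    merged = fields.setdefault(field, set())
                    merged |= values
                    if field in ORG_LEVEL_FIELDS:
                        merged |= org_levels.get(field, set())
    return proposals


def status(proposals):
    """Traffic-light status as described in the notes: red if an org-level
    value is missing, yellow if any other field is empty, green otherwise."""
    worst = "green"
    for fields in proposals.values():
        for field, values in fields.items():
            if values:
                continue
            if field in ORG_LEVEL_FIELDS:
                return "red"
            worst = "yellow"
    return worst


if __name__ == "__main__":
    role = build_proposals(["MM01"])
    print(status(role), role)                                       # red
    print(status(build_proposals(["MM01"], {"WERKS": {"1000"}})))   # green
    print(status(build_proposals(["MM03"])))                        # yellow
```

With MM01 in the menu the plant field stays open (red) until a value is supplied through the org-levels parameter; MM03 proposes nothing for M_MATE_WRK because its indicator is only "check", and the switched-off object never appears.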

During implementation we use transaction SU25 for security-related settings; besides this we also use SU24.

Note: Any workbench changes in security are done in SU24. To modify values in SU24:
1) Go to SU24, enter the transaction code and select Execute.
2) Select the particular authorization object we want to modify.
3) Select the object and click the Change button.
4) Go to the Proposal column and select "YES".
5) Select the object again and change the field values.

Note:-
If the check indicator column shows no check, select the authorization object and set the check indicator.
After changing a field, select Save. We are automatically prompted to put the change into a transport request.
Go to Own Requests and select a transport of type Workbench.
Note:- If the transport request was created by another team member, go to Other Requests and enter that user ID.
Output = all the requests created by that user ID are displayed.
Select the appropriate Workbench request.
Select the Change Owner button and go to SC01 to release the request.

SU25:- Profile generator: upgrade and first installation.
This transaction is used only during implementation and during an upgrade. Its main purpose is to carry the default values maintained in the current version over to the new version.

Source versions are of 2 types:
1) Versions without the PFCG tool
2) Versions with the PFCG tool (4.6 B)

Upgrade Scenario 1: Release without the PFCG tool:
Always use step 6 in SU25 to convert manually created profiles and authorizations into roles.

Scenario 2: Versions with PFCG:
1) Execute the profile generator comparison with SAP values, i.e. compare the tables USOBX_C and USOBT_C with the SAP values.
2) Add the affected transactions.
3) Update the existing roles with the new authorization values.
4) Display all values for the changed transaction codes.
Note: Do not execute step 1 (initial fill of the customer tables).
Once the above steps are done, transport the changes using step 3.

Q) How do I deactivate an authorization object globally?
A) Go to SU25 and select step 5 (deactivate authorization object globally).


Will update soon... Check next post...

December 5, 2013

SAP BASIS NOTES -13

Security (Part-2) :-

STEPS to CREATE a ROLE (PFCG)

Creation of the parent role: any customized role name should start with Z or Y.
1) Enter the role name and press the Role button.
2) Enter a valid description.
3) Go to the Menu tab to add the transactions.
4) Click Save.
5) Select Add Transaction.
Note: SU53 should be added as a default transaction for every SAP user.
6) Assign the transactions and save the role.

Creation of a Child / Derived Role:
Enter the derived role name; under Transaction Inheritance enter the parent in "Derive from Role" and confirm with "Yes".
Note:
1) In a derived role we cannot make any changes under the Menu tab, e.g. adding or deleting transactions or reports.
2) The relationship between a parent role and its derived roles is 1:n.
3) When creating a role for the first time, always use expert mode.

Go to the Authorization tab to generate the derived role.

List of Tabs:-
Manually: add authorization objects manually to a role.

Open: view all open fields, i.e. fields in which no values are maintained (shown in yellow).

Changed: view the changed authorization objects.

Maintained: shows the fields of the authorization objects for which the missing values have been maintained.

Organization Levels: this button is used to maintain organizational values such as plant, warehouse, company code and call center.

Note:
1) Always maintain a value in every open field.
2) If any standard value is changed, the status automatically changes from Standard to Changed.
3) By default the type of all authorization objects is Standard.
4) Always maintain organizational values using the Organization Levels button only.

Hierarchy in a Role:-
Role Name: Blue
Class = Orange
Auth Object = Green
Authorization = Yellow
Fields = White

Q) What is the default authorization object that is checked for any role?
A) S_TCODE

Note:
1) We cannot edit the S_TCODE object in a role. Transaction codes can be added only in the parent role (Menu tab).
2) When functional transactions are added to a newly created role for the first time, a popup asks us to maintain the organizational levels.
3) Red indicates missing organizational values.
4) Yellow indicates missing field values, not organizational values.

Note:
All roles are created in the development system, and any modifications are done in the development system only. The changes are transported to quality, tested and approved there, and only then moved to production.

Q) Why should we not add organizational values directly in a role without using the Organization Levels button?
A) Values entered directly into the field are not treated as organizational-level values: the next time a value is added and the role generated, an empty field appears again, and when derived roles are adjusted the directly entered authorization values are overwritten.

Rules to be followed when editing standard objects:
1) Copy the standard object.
2) Deactivate the standard one, i.e. the original.
3) Make the changes only in the copy.

Note:
1) Once we make changes in the copy, its status changes to Maintained.
2) If we do not follow the above steps, a new open field appears during the next regeneration of the role. Hence, to avoid duplication of fields we need to follow the above procedure.
3) If we make any change to a parent role, such as adding or deleting a transaction code, we have to generate all the child roles under that parent role.
4) Whenever we generate a derived role, always choose "Read old status and merge with new data".
5) If we choose "Edit old status", open fields will not be shown even though they are present.
6) Never select "Delete and recreate profile".
7) Once the role is generated we have to assign it to a user, using SU01 or by adding the user to the role under PFCG -> User tab.
8) Always assign only derived roles to a user; whenever a user is added to a role, always run the user comparison (User compare).
9) To refresh the user buffer with the new values we always have to run the user comparison.

Compare User Master Record:
Comparing the user master record can be done in 2 ways:
1) A default background job running the report PFCG_TIME_DEPENDENCY is executed before the start of the business day (after midnight), so that the authorization profiles in the user master records are up to date in the morning.
2) Using transaction PFUD (User Master Record Reconciliation). As an admin we should execute this transaction regularly; this way we can manually process errors that have occurred.

Authorization Troubleshooting for a User
Whenever a user tries to execute a transaction that is not assigned, or tries to perform an activity that is not allowed for an assigned transaction, the user gets a "Not authorized" error.
In such a case ask the user for an SU53 screenshot of the authorization issue.
SU53 Analysis
SU53 has 2 parts:
1) Authorization check failed: captures the actual cause of the error (the object and the values that failed).
2) User's authorization data: captures the existing access of the user.

Note: To check the SU53 analysis of other users, go to SU53 and choose the display for a different user.

Analysis using SUIM

Scenario 1: A user has access to plant 1000 in MM01; now he tries to create a material for plant 0001 and gets the error "no authorization for plant 0001".
Solution: Request an SU53 screenshot. Once you receive it:
1) Go to SUIM.
2) In SUIM, find the roles that have access to plant 0001: SUIM -> Roles -> Roles by Complex Selection Criteria, and deselect the user.
3) Under Authorization Object 1 enter the object from the SU53 screenshot and select the Entry values button.
4) Enter the values from SU53 under the authorization object and select Execute.
5) Double-click the role we want to assign.
6) This automatically takes us to the PFCG transaction.
7) Go to the Authorization tab -> Select Display authorization data.
8) Use Find (Ctrl+F).
9) Enter the authorization object in the authorization field and press Enter (Find Object).
10) Go to Utilities and switch Technical names on.
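The two steps above (read the failed object and values from SU53, then use SUIM to find a role that already grants them) can be simulated with an added Python example. It is not the notes' or SAP's code; the roles and authorizations are constructed sample data, and M_MATE_WRK with fields ACTVT and WERKS is a standard object assumed here. It also shows why a user fails the check even when his roles together contain activity 01 and the wanted plant: an authorization check must be satisfied by all fields of one single authorization, not by values spread over several.

```python
"""Added simulation of SU53-style failed-check reporting and a SUIM-style
search for roles that grant the missing value. Roles and authorizations are
constructed sample data, not from the notes; M_MATE_WRK with fields ACTVT
(01 = create, 03 = display) and WERKS (plant) is a standard SAP object
assumed here."""

# role -> {object: [authorization, ...]}, each authorization {field: values}.
# "*" is the full-authorization wildcard for a field.
ROLE_AUTHS = {
    "Z_MM_CREATE_1000": {
        "S_TCODE":    [{"TCD": {"MM01"}}],
        "M_MATE_WRK": [{"ACTVT": {"01"}, "WERKS": {"1000"}}],
    },
    "Z_MM_CREATE_0001": {
        "S_TCODE":    [{"TCD": {"MM01"}}],
        "M_MATE_WRK": [{"ACTVT": {"01"}, "WERKS": {"0001"}}],
    },
    "Z_MM_DISPLAY_ALL": {
        "S_TCODE":    [{"TCD": {"MM03"}}],
        "M_MATE_WRK": [{"ACTVT": {"03"}, "WERKS": {"*"}}],
    },
}


def _field_ok(values, wanted):
    return "*" in values or wanted in values


def auth_check(user_roles, obj, **required):
    """Mimic an AUTHORITY-CHECK: succeed only if ONE authorization satisfies
    every required field value at once. Returns (True, None) on success or
    (False, detail) with the SU53-style 'authorization check failed' part."""
    for role in user_roles:
        for auth in ROLE_AUTHS.get(role, {}).get(obj, []):
            if all(_field_ok(auth.get(f, set()), v) for f, v in required.items()):
                return True, None
    return False, {"object": obj, "fields": dict(required)}


def roles_granting(obj, **required):
    """SUIM 'Roles by complex selection criteria' with the failed object and
    values from SU53 entered: roles containing a matching authorization."""
    return sorted(r for r in ROLE_AUTHS if auth_check([r], obj, **required)[0])


def troubleshoot(user_roles, obj, **required):
    """The two-step procedure from the notes: read the failed object from
    SU53, then look up candidate roles in SUIM. Returns (ok, detail, roles)."""
    ok, detail = auth_check(user_roles, obj, **required)
    if ok:
        return True, None, []
    return False, detail, roles_granting(obj, **required)


if __name__ == "__main__":
    # constructed scenario: user has plant 1000, tries to create in plant 0001
    print(troubleshoot(["Z_MM_CREATE_1000"], "M_MATE_WRK", ACTVT="01", WERKS="0001"))
```

For the scenario user the check fails with object M_MATE_WRK, ACTVT 01, WERKS 0001, and the SUIM-style search returns Z_MM_CREATE_0001 as the role to assign; adding Z_MM_DISPLAY_ALL (plant *) does not help, because its only authorization carries activity 03.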

Second Method of Role Maintenance
1) Create a parent role, add the transaction codes in the Menu tab and generate the role.
2) Create the child roles, assign the parent and generate the child roles.

Note: Generation of child/derived roles is always done from the parent role.

Process:
Go to the Authorization tab
Edit with "Read old status and merge with new data"
Make the changes in the parent role
Generate the parent
Finally use the Generate derived roles button (or select Auth -> Just Derived -> Generate derived roles)
This automatically generates all the derived roles from the parent role.

Note: In this method org values cannot be maintained from the parent role; we have to maintain the org values individually in each derived role.

Mass Generation of Derived Roles:
1) Copy all the derived role names into a notepad file.
2) Go to PFCG -> Utilities -> Mass generation. In the mass generation screen:
3) Select All roles under Presentation.
4) Select Display data when created and changed.
5) Click on Role -> Multiple Selection.
6) Go to the notepad file, select all and copy.
7) Come back to the multiple role selection and select Upload from clipboard.
8) Select Check entries.
9) Select Copy and then Execute.

Deletion of a Role:-
Before deleting any role, first add the role to a transport and then proceed with the deletion.

Q) Why do I need to add a role to a transport?
A) All changes to roles are done in the development box and moved to production. If I delete a role in the dev box, the same role has to be deleted in prod as well, because the roles are finally used by users in the prod box only. Hence the deletion needs to be transported.
Go to PFCG, select the role to be deleted, and put the role into a transport by selecting the Transport role button.

Note:
1) In the Choose objects options never check User assignment. Assignment of users to a role is done only in the production box.
2) Changes made using SU24 are of type Workbench.
3) Changes made using PFCG are of type Customizing.

SUIM change documents:-
For users:-
1) The change documents show when a user was created or deleted, as well as password resets and user lock/unlock events. Besides this we can track role information: when roles were added to or removed from the user, who performed the action and the date of the action.

Scenario 1:
Q) Unlock a user, or find out why the user is locked?
A) Go to SU01 -> enter the user ID -> Logon data tab and check whether the user is locked.
Go to SUIM -> Change documents for users -> enter the user name and execute.

Note: Locks are of 2 types:
1) Locked due to incorrect logon attempts
2) Locked by an administrator

If the lock is an admin lock, contact the admin for the reason for the lock; never unlock directly.
If the lock is due to incorrect logon attempts, go to SU01, select the user and press the Unlock button.

Scenario 2: Mass user locking during an upgrade:
1) Go to SU01 and enter * in the user field.
2) This gives the entire list of users in the system.
3) Copy the user names into a notepad file.
4) Go to SU10, paste the users and select Lock.

Note: In SU10 we cannot set the password for all the users.

A reference user is used for internet purposes.
Note: Assignment of a reference user
Go to SU01 -> Roles tab -> "Reference user for additional rights", where we enter the reference user name.

Process steps followed in security for requests coming in the form of CR / templates:
1) The request comes in the form of an approved CR form (unique ID = CR name).
2) Log in to DEV and perform the action as per the CR form requirement.
3) Put the completed task in DEV under a transport (TP) of type Customizing or Workbench.
4) Transport/move the TP to QAS for testing.
5) Create a test ID in QAS with the above changes and send the test ID details to the CR owner.
6) Once testing is completed in QAS the CR owner sends an approval regarding the test results:
a) If the test results are positive, move to PR13; otherwise rectify the changes needed.
b) Rectification of changes is done again in development.
c) The rectified change has to be put in a new TP with the above CR name in its description and moved to QAS.
7) Based on the approval, we move the changes to production.
8) Once the changes are in production, the CR owner or the end user tests and confirms the final status.
9) Once we get the final confirmation, i.e. the 2nd approval in PRD, we can close the CR.




Will update soon... Check next post...