
December 11, 2013

SAP BASIS NOTES -15



Security (Part-4) :-

Single Sign-On (SSO)
Sketch: the SAP Logon pad holds a secure and an unsecure entry for each system (HR Secure, HR Unsecure, FI Secure, FI Unsecure); the third-party tool (Keon) holds the user's credentials (UID, PIN, PWD); the mapping to the SAP user is maintained on the SNC tab in SU01.

What is single sign-on?
1) Single sign-on: the user's credentials are created once in a third-party tool (e.g. Keon); afterwards the user logs on to SAP without entering any credentials.
2) With SSO we can also log on over the Internet.
3) SSO is represented by an SNC (Secure Network Communications) name string; before the SNC string can be activated, certain DLL files have to be configured at OS level.
4) Once the DLL files are in place, go to SAP GUI (SAP Logon), select a server entry, open its properties, go to Network, enable secure network settings and enter the SNC string.

Then, in SU01, allow access for that SNC name.

Steps to configure SSO
1) In the OS services, select the service "NT LM Security Support Provider" and change its startup type from Manual to Automatic.
2) Copy the gssntlm.dll file to the kernel directory of our central instance, i.e. /usr/sap/<SID>/SYS/exe/run.
3) Set the environment variable SNC_LIB to the location of the library.
4) Edit the central instance profile and set the following parameters:
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = C:\usr\sap\<SID>\SYS\exe\run\gssntlm.dll
snc/identity/as = p:<Domain Name>\SAPService<SID>
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
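
As an added example (not from the notes), a Python audit of the SNC parameters in an instance profile: it parses the name = value lines and flags the settings that leave SNC bypassable, so the rollout values above (accept_insecure_* = 1, protection level 1) can be reviewed against a hardened profile once all clients use SNC. The profile texts are constructed; the protection levels and the value U for snc/accept_insecure_gui (defer to the SU01 flag) are SAP's definitions, and the parameter names are SAP's lowercase spelling.

```python
"""Audit the SNC parameters of an SAP instance profile for bypassable settings.

Added example; not part of the original notes.  The parameter names are SAP's
(snc/enable, snc/gssapi_lib, snc/identity/as, snc/data_protection/{min,max,use},
snc/accept_insecure_{gui,rfc,cpic}, snc/permit_insecure_start).  Assumed SAP
semantics: protection levels 1 = authentication only, 2 = integrity,
3 = privacy (encryption), 9 = maximum available; the value U for
snc/accept_insecure_gui defers the decision to the per-user flag
"Insecure communication permitted" on the SNC tab of SU01.  Both profile
texts below are constructed.
"""

# Rollout-phase profile, mirroring the values listed in the notes (constructed).
ROLLOUT_PROFILE = """\
SAPSYSTEMNAME = XYZ
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\XYZ\\SYS\\exe\\run\\gssntlm.dll
snc/identity/as = p:EXAMPLEDOM\\SAPServiceXYZ
snc/data_protection/min = 1
snc/data_protection/max = 1
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
"""

# The same instance once every client uses SNC (constructed).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = XYZ
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\XYZ\\SYS\\exe\\run\\gssntlm.dll
snc/identity/as = p:EXAMPLEDOM\\SAPServiceXYZ
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0
"""

QOP = {"1": "authentication only", "2": "integrity protection",
       "3": "privacy protection", "9": "maximum available"}
ACCEPT_INSECURE = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                   "snc/accept_insecure_cpic")


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def audit_snc(params):
    """Return a list of (parameter, finding); an empty list means no weak setting."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is off; GUI/RFC logons and data are unprotected"))
        return findings  # nothing else matters until SNC is switched on
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(name):
            findings.append((name, "required for SNC but not set"))
    for name in ("snc/data_protection/min", "snc/data_protection/use"):
        level = params.get(name, "")
        if level not in QOP:
            findings.append((name, f"unknown protection level {level!r}"))
        elif level in ("1", "2"):
            findings.append((name, f"{QOP[level]} only; traffic is not encrypted (set 3)"))
    for name in ACCEPT_INSECURE:
        value = params.get(name, "0")  # unset means 0: insecure connections refused
        if value == "1":
            findings.append((name, "connections without SNC are still accepted; set 0 after rollout"))
        elif value.upper() == "U" and name == "snc/accept_insecure_gui":
            findings.append((name, "per-user exceptions; review the SU01 flag for each user"))
    if params.get("snc/permit_insecure_start") == "1":
        findings.append(("snc/permit_insecure_start", "programs may be started without SNC"))
    return findings


if __name__ == "__main__":
    for label, text in (("rollout", ROLLOUT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for name, msg in audit_snc(parse_profile(text)) or [("-", "no weak SNC setting")]:
            print(f"  {name}: {msg}")
```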

Preparing SAP GUI for single sign-on
In the SAP Logon window choose Edit -> Advanced (Network) -> Advanced secure network communication and enter the SNC name of the application server:
p:<Domain Name>\SAPService<SID>

Mapping SAP system users to Windows users for single sign-on
Go to SU01, choose the SNC tab and enter, in uppercase, the name of the Windows user to assign to the SAP system user:
p:<Domain Name>\<User Name>
Select "Insecure communication permitted" and save the entries.


Central User Administration

Administering users centrally from one central system.

CUA works with RFC connections between the central system and the child systems.

Steps to configure CUA
1) Create logical systems for all the clients (using BD54 / SALE).
2) Assign the logical systems to the clients using SCC4.
3) Create the user CUA_<SID> in the central system with 3 roles, and create the user CUA_<SID>_<client number/name> in each child system with 2 roles.
4) Create RFC destinations from the central system to the child systems and from the child systems to the central system using SM59.
5) Log on to the central system and use SCUA to configure CUA (Central User Administration).
6) Enter the model view and enter the RFC destinations of all child systems.
Note: The RFC destination names must follow the same naming convention as the logical system names in the central system.
7) Save the entries.
8) When we expand the test for the individual systems we normally see, for each system, messages that the ALE distribution model was saved, central user administration was activated and the comparison was started; all should be green.
Note: If any problem messages appear, refer to SAP Note 333441 on the SAP Service Marketplace.
9) Use transaction SCUG in the central system to perform the synchronization activities between the central and child systems.
10) Use transaction SUCOMP to administer company address data.


Q) If all the users are locked by mistake, how do we get into the SAP system?
A) Follow these steps:
Step 1) At OS level, connect to the Oracle DB and execute the following SQL statements (first check, then delete):
select * from <SAP schema owner>.USR02 where bname = 'SAP*';
delete from <SAP schema owner>.USR02 where bname = 'SAP*';
Step 2) Then log on with the user SAP*.
Step 3) Go to transaction EWZ5 or SU10 and unlock all the users.

Note:
USR02 is the table in which the logon data of all user master records is stored.
Deleting SAP* from USR02 automatically recreates a user master record for SAP* in USR02 (the built-in SAP* user). This only works while the profile parameter login/no_automatic_user_sapstar is 0; with the value 1 (the recommended hardening) the deleted SAP* cannot log on, so check that parameter before deleting the record.

Portal security
All security-related activities, such as the creation of user accounts and the creation of roles, which are normally performed using SU01 and PFCG, can also be done using the portal.

In portal administration there are two ways of maintaining user and role information:
1) Accessing the portal using a URL
2) Accessing the portal using Active Directory Service
Note:
1) In any portal URL, the port is in the 50000 series.
2) The portal needs the J2EE engine to be installed; the ABAP engine is not needed to run it.
3) All portal-only roles are configured in Active Directory Service, i.e. when users need to enter travel expenses and file their timesheets using the portal, separate portal-related roles are provided. These roles give users access to display the screens as well as to store the information in the DB.
4) Some portal screens are integrated with the SAP system, e.g. PROS: instead of logging in to the SAP system the user provides the inputs on the portal screens and they are automatically saved in the SAP DB.

Problems in the portal
Problem 1) Global page missing
Solution:
Check in Active Directory whether the user has been correctly added under the role that is considered global.
Note:
In Active Directory Services we have 2 types of roles:
1) Global roles -> provide access for a user to log in to the portal, i.e. for the initial screen to appear. They are classified by the region the user belongs to, for example Africa, Europe etc.
2) Local roles -> provide access to certain T-codes or activities the user needs to perform, e.g. timesheet filling, travel expenses. Local roles are categorized by the location the user is situated in, e.g. country-wise: IN, USA, AF.
3) Every user who accesses the portal must have one global role and n local roles.

Problem 2) User reports "Not able to access ESS"
Solution:
Check the global role.
Check the exact local role assigned to the user.
Problem 3) User reports "He is able to access other global screens instead of his own screen"
Solution:
Find which global screens the user is able to access.
Go to the AD service and then to the particular global role.
Edit the role and check whether the user ID has been added to that particular role.
If it has, remove the user ID, add it to the correct global role and ask the user to restart his system to pick up the new changes.
Note:
1) Assigning users using the AD service is considered a direct assignment, whereas assigning users using the portal is considered an indirect assignment. This is similar to assigning users in SAP using PFCG (direct assignment) and SU01 (indirect assignment).
2) Unicode in SAP supports 13 languages; all character sets of these languages are embedded in the software. Non-Unicode is language specific.
3) The upgrade of an SAP system from non-Unicode to Unicode is possible, whereas the other way is not. To achieve the transition from non-Unicode to Unicode we need the non-Unicode export kernel CD and the Unicode import kernel CD.
4) SU3 is the transaction code for maintaining the user's own data.
5) SCAT is the T-code used for running CATT scripts.
6) The ACTVT field indicates the type of activity, i.e. create, change, generate and delete.
7) In transaction PFCG, a profile is a unique identifier generated by the system to identify a role.
8) The notation for a parent role is Z> and for a child/derived role it is Z:
9) Roles starting with SAP_ (SAP-defined roles) should not be generated; they are used as templates. Hence, if we want to use an SAP role, first copy it to a customized role and generate that.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type Basic maintenance only, whereas HR-related roles and workflow-related roles are of type Complete view. By default roles are of type Basic maintenance.
12) Before we delete a role it has to be added to a transport, because these actions are performed in the DEV system.
13) Profile names are proposed by default; if a name has to be changed it has to start with Z.
14) Color indications in authorizations:
a. Red -> no organizational values
b. Green -> all fields have values
c. Yellow -> some field values are missing

Role distribution
Distribution of a role can be done as follows:
-> Go to transaction PFCG -> Menu tab -> Distribute button.
-> Enter the target system, i.e. an RFC connection needs to exist between the source and target system.
-> This procedure distributes the roles between source and target using RFC connections.
-> When a role is distributed to a target system only the structure is copied, not the authorizations. Hence we need to maintain the authorizations for the role in the target system.



SAP BASIS NOTES -14




Security (Part-3) :-


As part of our daily activities we may receive the following tasks:
1) Changes in the form of tickets (various 3rd-party tools are available)
2) Changes in the form of CRs

Each ticket has its own priority, i.e. SLA. Based on the priority there is a response time and a resolution time for each request.

SLA (Service Level Agreement)
Priority  Type           Response Time  Resolution Time
1         Very Critical  10 min         30 min
2         High           30 min         1 day
3         Medium         60 min         4 days
4         Low            4 hrs          ----

Note:
Response time is the time within which we acknowledge the user's request: once a ticket comes into our queue, the first priority is to accept the ticket in our name; once this is done we send an acknowledgement to the user by email, chat tool or phone, informing them that someone is working on the issue.

Resolution time: the time within which we have to solve the issue.

Note: By default any ticket is in Open status.

Stages of a ticket:
1) Open
2) Working / In progress: assigned to our name; inform the user; copy the comments into the tool under the Notes column.
3) Closed: issue resolved; inform the user and communicate; copy the comments into the tool under the Notes column.
4) Waiting: some inputs are needed from the user to solve the issue; inform the user; copy the comments into the tool under the Notes column.
5) Hold: waiting due to user unavailability, i.e. the user has gone on vacation; copy the auto-response regarding user unavailability into the notes.
6) Cancelled: if there are duplicates or the same request has been raised twice, we can cancel one of the requests, mentioning the previous request number under the Notes column. Or, if the user wishes to cancel his/her request, copy the confirmation into the notes and select Cancel.

Types of CR (change requests)
Workbench / Customizing

1) New functionality CR: carries new functionality changes that are done for the first time, i.e. creation of totally new roles.

2) Operational CR: carries the changes that are done on a day-to-day basis, i.e. modification and deletion of roles.

3) Defect CR: comes in the form of a ticketing request, i.e. based on the ticket raised by the user in the ticketing tool we decide whether we need to create a defect CR.
Eg: Some access was already there for a user but was lost for some reason; we investigate and find out that this access has to be there for the user. In this scenario we raise a defect CR.

To rectify a defect CR:
CR forms are created based on the quarterly release, i.e. we have 4 quarterly releases in a year. During this release different people, i.e. technical and functional consultants and security administrators, get involved and analyze the various roles based on the inputs provided by the auditors.
This is where SOX policies come into play. To identify the various defects and conflicts in roles and between transactions we use SoD (segregation of duties) tools like VIRSA and BIZRights. The process of identifying the defects or conflicts among the existing transactions and rectifying them is called mitigation.

Ex: MM01 x MM02
1) Create x Change
2) Change x Delete
3) Create x Delete

Note: Default access is Display.
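
The conflict matrix above, worked into a runnable check as an added example (not from the notes and not a model of VIRSA or BIZRights): roles are reduced to the activity class of their transactions and each user's role set is tested against the three conflicting pairs. The transaction map, roles and user assignments are constructed sample data; extending TCODE_ACTIVITY generalizes the check to any other process area.

```python
"""Segregation-of-duties (SoD) check over SAP role assignments.

Added example, not part of the notes and not a reproduction of any SoD
product.  The conflict rules are the three listed above (create x change,
change x delete, create x delete); the transaction-to-activity map, the
roles and the user assignments are constructed sample data.
"""
from itertools import combinations

# Constructed: transaction -> (business process, activity class).
# MM01/MM02/MM03/MM06 are the material master create/change/display/flag-for-
# deletion transactions; display conflicts with nothing (the default access).
TCODE_ACTIVITY = {
    "MM01": ("material master", "create"),
    "MM02": ("material master", "change"),
    "MM03": ("material master", "display"),
    "MM06": ("material master", "delete"),
}

# Conflicting activity pairs within one business process (from the notes).
CONFLICTS = {
    frozenset({"create", "change"}),
    frozenset({"change", "delete"}),
    frozenset({"create", "delete"}),
}

# Constructed derived roles (Z: prefix as in the notes) -> transactions in the menu.
ROLES = {
    "Z:MM_CREATE": {"MM01", "MM03"},
    "Z:MM_CHANGE": {"MM02", "MM03"},
    "Z:MM_DISPLAY": {"MM03"},
    "Z:MM_DELETE": {"MM06", "MM03"},
    "Z:MM_ALL": {"MM01", "MM02", "MM03", "MM06"},  # conflicts inside one role
}

# Constructed user -> assigned roles (what the PFCG User tab would show).
USERS = {
    "JSMITH": {"Z:MM_CREATE", "Z:MM_CHANGE"},
    "ADOE": {"Z:MM_DISPLAY", "Z:MM_DELETE"},
    "BLEE": {"Z:MM_ALL"},
}


def effective_access(roles, role_defs=ROLES, tcode_map=TCODE_ACTIVITY):
    """Map (process, activity) -> set of roles that grant it, for the given roles."""
    access = {}
    for role in roles:
        for tcode in role_defs.get(role, ()):
            if tcode in tcode_map:
                access.setdefault(tcode_map[tcode], set()).add(role)
    return access


def sod_violations(roles, role_defs=ROLES, tcode_map=TCODE_ACTIVITY):
    """Return sorted (process, activity_a, activity_b, granting_roles) tuples."""
    access = effective_access(roles, role_defs, tcode_map)
    violations = []
    for (proc_a, act_a), (proc_b, act_b) in combinations(sorted(access), 2):
        if proc_a == proc_b and frozenset({act_a, act_b}) in CONFLICTS:
            granting = sorted(access[(proc_a, act_a)] | access[(proc_b, act_b)])
            violations.append((proc_a, act_a, act_b, tuple(granting)))
    return violations


def sod_report(users=USERS):
    """user -> list of violations; users with an empty list are clean."""
    return {user: sod_violations(roles) for user, roles in users.items()}


if __name__ == "__main__":
    for user, violations in sod_report().items():
        if not violations:
            print(f"{user}: no SoD conflict")
        for proc, a, b, granting in violations:
            print(f"{user}: {proc}: {a} x {b} via {', '.join(granting)}")
```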

HR Security Activities
There are two types of HR security activity:
1) Delegation of Authority
2) Structural Authorizations

Delegation of Authority is a process by which a delegator delegates/assigns his/her access to a delegate for a certain period of time, i.e. during this period all the POs (purchase orders) or any other items coming into the owner's inbox go to the delegate's inbox.

Note: The delegator can delegate the access only to a person at the same or a higher level of the hierarchy.
The only issues we get here are workflow problems, i.e.:
-> Items not appearing in the inbox
-> An item still appearing in the inbox after the period has expired
-> No access to approve the POs appearing in the inbox

The first two problems are fixed by the workflow administrator. The last issue relates to approval access: before we grant approval access we have to check whether that person already has create access.
If he has, notify him by email that, as per the security policy, any user may have either create or approve access, not both.

Steps related to delegation of authority
1) Log in to the HR box and go to PA20 (Display HR Master Data).
2) Enter the personnel number, select the Organizational Assignment infotype with period Today; the output shows the position number and personnel number.
3) Copy the position number, go to PO13 (Maintain Position) and paste it under Position.
4) Under Infotype select Relationships, set the time period to All and press Overview.
5) Select the row where object type = P and end date = 31-12-9999 and press Copy.
6) Under Related object, change the type of the related object from Person to User, enter the delegate's user ID under ID of related object and press Enter.
7) Change the dates (Valid from / Valid to) and select Save.

Structural authorization: a concept under HR security by which we assign roles to users based on the organizational objects.

Structure of organizational management:
1) Organizational unit
2) Position
3) Job
4) Task = description of an activity performed within the organizational units. Here we assign roles to positions and not to users.

The users are called holders; holders are assigned to positions and not to jobs.
Whenever we create an organizational unit structure we have to create the root first, i.e. the top organizational unit, and only then create the additional lower-level organizational units.

Steps related to the assignment of HR roles, i.e. structural assignment
1) Go to PFCG and select Overall under View.
2) Select Inheritance hierarchy.

Go to PFCG, enter the new role name and, in maintenance, go to Settings -> Complete view (Organizational Management and Workflow).
Create the role and maintain the authorizations.
Go to the User tab -> select the Org. Management button.
Choose Create assignment.
Select the job (object type).
After completion, run the user comparison.

Special PFCG roles:

1) Customizing roles: we can assign projects/views of the Implementation Guide (IMG) to such a role.
2) Composite roles

Steps:
Go to PFCG -> Menu -> Utilities -> Customizing authorizations -> Add -> IMG project / IMG project view.

Select the customizing object based on our requirement and continue.

Once a project/project view has been assigned to the role, it is no longer possible to assign transactions to the role manually.
This means that the role can only be used for generating and assigning customizing authorizations.

Note:
Roles to which transactions have been manually assigned are used only during the implementation period, so we should maintain an end date for the role when it is assigned to the user; once implementation is completed we normally delete it.

Installation and Upgrade
The profile parameter auth/no_check_in_some_cases = Y has to be set if we want to use the Profile Generator (PFCG).

Q) Where do the default values in a role come from, i.e. the activities under an authorization object?
A) Tables USOBX_C and USOBT_C control the behavior of the profile generator after a transaction has been selected.

SAP delivers the tables USOBX and USOBT filled with default values; they are used for the initial fill of the customer tables USOBX_C and USOBT_C.
After the initial fill we can modify the customer tables.
Table USOBX_C defines which authorization checks are performed in a transaction and which are not.
Table USOBT_C defines, for each transaction and each authorization object, which default values an authorization created from the object should have in the profile generator.

During implementation we use transaction SU25 for security-related settings; besides this we also use SU24.

Note: Any workbench changes in security are done in SU24. Modifying values in SU24: go to SU24, enter the transaction code and execute.
Select the particular authorization object that we want to modify.
Select the object and click Change.
Go to the Proposal column and select "YES".
Select the object again and change the field values.

Note:
If there is no check under the Check indicator column, select the authorization object and set the check indicator.
After changing the field values select Save; we are automatically prompted to put the change in a transport request.
Go to Own requests and select a transport of type Workbench.
Note: If the transport request was created by another team member, go to the Other requests button and enter that user ID; all requests created by that user ID are displayed.
Select the workbench request.
Select the Change owner button and go to SC01 to release the request.

SU25: Profile generator for upgrade and first installation.
This transaction is used only during implementation and during an upgrade. Its main purpose is to move the default changes maintained in the current version to the new version.

Versions are of 2 types:
1) Versions without the PFCG tool
2) Versions with the PFCG tool (4.6B)

Upgrade scenario 1: release without the PFCG tool:
Always use step 6 in SU25 to convert manually created profiles and authorizations into roles.

Scenario 2: versions with PFCG:
1) Execute the profile generator comparison with the SAP values, i.e. compare the tables USOBX_C and USOBT_C with the SAP defaults.
2) Add the affected transactions.
3) Update the existing roles with the new authorization values.
4) Display all values for the changed transaction codes.
Note: Do not execute step 1 (initial fill of the customer tables).
Step 3: Once the above steps are done, transport these changes using step 3.

Q) How do I deactivate an authorization object globally?
A) Go to SU25 and select step 5, "Deactivate authorization object globally".


Will update soon... Check next post...

December 5, 2013

SAP BASIS NOTES -13




Security (Part-2) :-


STEPS TO CREATE A ROLE (PFCG)

Creation of a parent role: any customized role should start with Z or Y.
Enter the role name and select the Single role button.
Enter a valid description.
Go to the Menu tab to add the transactions.
Click Save.
Select Add transaction.
Note: The default transaction to be added for every SAP user is SU53.
Assign the transactions and save the role.

Creation of a child/derived role:
Enter the derived role name and,
under Transaction inheritance, enter the parent role in "Derive from role" and click Yes.
Note:
1) In a derived role we cannot make any changes under the Menu tab, e.g. adding a transaction or report, or deleting one.
2) The relationship between parent and derived role is 1:n.
3) When creating a role for the first time, always go to expert mode.

Go to the Authorizations tab to generate the derived role.

List of tabs:
Manually: add authorization objects manually to a role.

Open: view all open fields, i.e. the fields in which values are not maintained (shown in yellow).

Changed: view the changed authorization objects.

Maintained: shows the fields of the authorization objects for which the missing values have been maintained.

Organizational levels: used to maintain the organizational hierarchy, e.g. plant, warehouse, company code and call center.

Note:
1) Always maintain a value in every open field.
2) If any standard value is changed, the status changes automatically from Standard to Changed.
3) By default the type of all authorization objects is Standard.
4) Always maintain the organizational values using the Organizational levels button only.

Hierarchy in a Role:-
Role Name: Blue
Class = Orange
Auth Object = Green
Authorization = Yellow
Fields = White

Q) What is the default authorization object which is checked for any role?
A) S_TCODE

Note:
1) We cannot edit the S_TCODE object in a role; the only way to add a transaction code is through the parent role.
2) When a new role is created for the first time and functional transactions are added to it, we have to maintain the organizational levels in a popup.
3) Red indicates missing organizational values.
4) Yellow indicates missing field values, not organizational values.

Note:
All roles are created in the development system, and any modifications are done in the DEV system only. The changes are then transported to quality, tested and approved there, and only then moved to production.

Q) Why should we not add organizational values directly in a role without using the Org. levels button?
A) Values maintained directly are not treated as organizational-level values: whenever we add a new value and generate, an empty field appears again, and when adjusting derived roles the authorization value is overwritten.

Rules to be followed when editing the standard objects:
1) Copy the standard object.
2) Inactivate the standard one, i.e. the first one.
3) Make the changes only in the copy.

Note:
1) Once we make changes in the copy, its status changes to Maintained.
2) If we do not follow the above steps, a new open field appears the next time the role is regenerated. Hence, to avoid duplicated fields, we need to follow the above procedure.
3) If we make any change to a parent role, such as adding or deleting a transaction code, we have to generate all the child roles under the parent role.
4) Whenever we generate a derived role, always choose "Read old status and merge with new data".
5) If we choose "Edit old status", open fields are not shown even though they are present.
6) Never select "Delete and recreate profile".
7) Once the role is generated, assign it to a user using SU01, or add the user to the role using PFCG -> User tab.
8) Always assign only derived roles to a user, and whenever a user is added to a role always run the user comparison.
9) To refresh the user buffer with the new values we always have to run the user comparison.

Compare user master record:
Comparing the user master record can be done in 2 ways:
1) A default background job, i.e. the report PFCG_TIME_DEPENDENCY, is executed before the start of the business day but after midnight, so that the authorization profiles in the user master records are always up to date in the morning.
2) Using transaction PFUD (user master record reconciliation). As administrators we should execute this transaction regularly; in this way we can manually process errors that have occurred.

Authorization troubleshooting for a user
Whenever a user tries to execute a transaction that is not assigned, or tries to perform an activity that is not defined for an existing transaction, the user gets a "Not authorized" error.
In such a case ask the user for an SU53 screenshot of the authorization issue.
SU53 analysis
SU53 has 2 parts:
1) Authorization check failed: captures the actual cause of the error.
2) User's authorization data: captures the existing access of the user.

Note: To check the SU53 analysis of other users, go to SU53 and click "Display for different user".

Analysis using SUIM

Scenario 1: A user has access to plant 1000 in MM01; now he is trying to create for plant 0001 and gets the error "no authorization for plant 0001".
Solution: Request an SU53 screenshot. Once you receive the screenshot:
Go to SUIM.
In SUIM, check which roles have access to plant 0001:
SUIM -> Roles -> Roles by complex selection criteria, and deselect the user.
Go to Authorization object 1 from the SU53 screenshot and select the Entry values button.
Enter the values as per SU53 under the authorization object and select Execute.
Double-click the role to which we want to assign the access.
This automatically takes us to transaction PFCG.
Go to the Authorizations tab -> select Display authorization data.
Go to Find (Ctrl+F).
Enter the authorization object in the Authorization field and press Enter on Find object.
Go to Utilities and select "Technical names on".

Second method of role maintenance
1) Create a parent role, add the transaction codes in the Menu tab and generate the role.
2) Create child roles, assign the parent and generate the child roles.

Note: The generation of child/derived roles is always done from the parent role.

Process:
Go to Authorizations.
Edit -> Read old status and merge with new data.
Make the changes in the parent role.
Generate the parent.
Finally press the Generate derived roles button (or select Authorizations -> Adjust derived -> Generate derived roles).
This automatically generates all the derived roles from the parent role.

Note: In this method org values cannot be maintained via the parent role; we have to maintain the org values individually in the derived roles.

Mass generation of derived roles:
Copy all the derived role names into Notepad.
Go to PFCG -> Utilities -> Mass generation. In the mass generation screen:
Select All roles under Presentation.
Select Display data when created and changed.
Click Role -> Multiple selection.

Note:
Go to Notepad, select all and copy.
Come back to the multiple role selection and select the Upload from clipboard button.
Select the Check entries button,
then select Copy and then Execute.

Deletion of a role:
Before deleting any role, first add the role to a transport and then proceed with the deletion.

Q) Why do I need to add a role to a transport?
A) All changes to roles are done in the development box and moved to production. If I delete a role in the DEV box, the same role has to be deleted in PRD, because roles are finally used by the users in the PRD box only. Hence the deletion of the role needs to be transported.
Go to PFCG and select the role to be deleted. Put the role in a transport by selecting the Transport role button.

Note:
1) Under Choose objects never check User assignment; assignments of users to a role are done only in the production box.
2) Changes done using SU24 are of type Workbench.
3) Changes done using PFCG are of type Customizing.

SUIM change documents:
For users:
1) To find when a user was created or deleted, as well as password resets and user lock/unlock information. Besides this we can track role information: when roles were added or deleted, who performed the action and on what date.

Scenario 1:
Q) Unlock a user, or track why the user was locked?
A) Go to SU01 -> enter the user ID -> Logon data and check whether the user is locked.
Go to SUIM -> Change documents for users -> enter the user name and execute.

Note: Locks are of 2 types:
1) Locked due to incorrect logon
2) Locked by the administrator

If the lock is an admin lock, we need to contact the admin for the reason for locking; hence never unlock it directly.
If the lock is due to incorrect logon, go to SU01, select the user and press the Unlock button.
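
The same unlock-or-escalate decision, made from a USR02 extract instead of the SUIM change documents, as an added example that is not part of the notes: the UFLAG column is a bitmask, so a user can carry both lock reasons at once. Assumed SAP meanings: 64 = locked by the administrator, 128 = locked after too many failed logons, 32 = locked globally by the CUA administrator; the extract rows are constructed.

```python
"""Triage locked users from a USR02 extract by decoding the UFLAG lock bits.

Added example, not part of the notes.  Bit meanings assumed from SAP's USR02
documentation: 32 = locked globally by the CUA administrator, 64 = locked by
an administrator in this system, 128 = locked after too many failed logons.
Any other bit is reported as unknown rather than guessed.  The rows are constructed.
"""
ADMIN_GLOBAL = 32    # set by the central (CUA) administrator
ADMIN_LOCAL = 64     # set by an administrator in this system (SU01 lock)
FAILED_LOGON = 128   # set by the system after too many wrong passwords
KNOWN_BITS = ADMIN_GLOBAL | ADMIN_LOCAL | FAILED_LOGON

# Constructed USR02 extract: (BNAME, UFLAG).
USR02_SAMPLE = [
    ("JSMITH", 0),
    ("ADOE", 128),
    ("BLEE", 64),
    ("CMAO", 192),   # 64 + 128: admin lock and failed logons at the same time
    ("DRAO", 32),
    ("EKIM", 8),     # a bit this example does not interpret
]


def decode_uflag(uflag):
    """Return the list of lock reasons encoded in UFLAG (empty if not locked)."""
    reasons = []
    if uflag & FAILED_LOGON:
        reasons.append("failed logons")
    if uflag & ADMIN_LOCAL:
        reasons.append("admin lock (local)")
    if uflag & ADMIN_GLOBAL:
        reasons.append("admin lock (CUA)")
    if uflag & ~KNOWN_BITS:
        reasons.append(f"unknown bits {uflag & ~KNOWN_BITS}")
    return reasons


def triage(bname, uflag):
    """Apply the rule from the notes: unlock only a pure failed-logon lock."""
    reasons = decode_uflag(uflag)
    if not reasons:
        return bname, "not locked"
    if reasons == ["failed logons"]:
        return bname, "unlock in SU01 (incorrect logon lock)"
    return bname, "do not unlock; ask the locking admin (" + ", ".join(reasons) + ")"


def triage_extract(rows):
    """Triage every (BNAME, UFLAG) row of an extract."""
    return [triage(bname, uflag) for bname, uflag in rows]


if __name__ == "__main__":
    for bname, action in triage_extract(USR02_SAMPLE):
        print(f"{bname}: {action}")
```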

Scenario 2: Mass user locking during an upgrade:
1) Go to SU01 and enter * under the User field.
2) This gives the entire list of users in my system.
3) Copy the user names into Notepad.
4) Go to SU10, paste the users and select Lock.

Note: In SU10 we cannot set the password for all the users.

Reference user: for Internet purposes.
Note: Assignment of a reference user:
Go to SU01 -> Roles tab -> "Reference user for additional rights", where we enter the reference user name.
Process steps followed in security for requests coming in the form of a CR / template:
1) The request comes in the form of an approved CR form (unique ID = CR name).
2) Log in to DEV and perform the action as per the CR form requirement.
3) Put the completed task in DEV under a TP (CUST/WORKBENCH).
4) Transport/move the TP to QAS for testing.
5) Create a test ID in QAS with the above changes and send the test ID details to the CR owner.
6) Once testing is completed in QAS the CR owner sends an approval regarding the test results:
a) If the test results are positive, move to PRD; otherwise rectify the changes needed.
b) Rectification of the changes is done again in development.
c) The rectified change has to be kept in a new TP with the above CR name as description and moved to QAS.
7) Based on the approval, we move the changes to production.
8) Once the changes are in production, the CR owner or the end user tests and confirms the final status.
9) Once we get the final confirmation, i.e. the 2nd approval in PRD, we can close the CR.




Will update soon... Check next post...



December 4, 2013

SAP BASIS NOTES -12



Security (Part-1) :-


We have two parts of security:
I. User administration
II. Role administration (the roles of a particular user)
    Create / Change / Delete -> at least one role has to be given to a user.

User Types :-

Permanent user   
Temporary user   
Contractor user   

User administration (SU01)
This is used for the creation of user accounts and, besides creation, for the other functions: delete, change, display, copy, lock/unlock and password reset.

The most common tickets:
1. Creation/deletion of user accounts
2. Locking and unlocking accounts
3. Password reset

Note:
The user naming convention should be alphanumeric, with a letter as the first character.

Steps to create user accounts
1. Enter the user ID and press the Create button.
2. In the Address tab the only field we need to fill is LAST NAME.
3. In Logon data, User type: by default Dialog (A).

Note:
• With user type Dialog we can log in to the SAP system.
• To create a user we need to maintain the validity of the user.
• For a permanent user the "valid through" date is 31-12-9999; for temporary and contractor users the "valid through" date is given in the ticket.
• Any request in security should have approval from a manager.
• By default the approval comes in the form of an email; in some cases a third-party tool is used, which can contain an approval form, for example a BSSR (Business Security Service Request).
• The default user group is SUPER. Based on the region or department we assign the user groups.

Sample ticket
UID:                Mgr ID:
UName:              Mgr Dept:
Position:           Status:
Department:
SAP Requirements:

Default values

Default language: ENG & GER
Decimal notation: divided into 2 parts:
1) Germany
2) Rest of the world

Default date format: DD-MM-YYYY

Spool
Output device: empty by default.

Parameters:
By default the parameter values are assigned based on the roles.
Eg: ESS roles, i.e. related to timesheets.

ROLES
This is where we assign the roles.

Note: Always assign the role first and not the profile. Every role by default has its own system-generated profile.
We can set the role validity from …. to; the default value is 31-12-9999.

PROFILES
Do not enter any profile directly; it is pulled in automatically once the role is assigned in the Roles tab.

GROUPS
Already maintained in Logon data.

PERSONALIZATION
Set of transaction codes to work with.


Main T-codes:

LICENSE – User license
PFCG    – Role administration
SU10    – Mass user administration
SE16    – Table view
SUIM    – User info management
SU24    – Maintain authorization checks
EWZ5    – Mass lock and unlock
SU53    – Missing authorization error
ST01    – System trace / authorization trace

Basic Terminology of Authorization
Overview of elements of SAP Authorization Concept




Authorization Object Class:
Logical grouping of authorization objects

Authorization Object:
Group of 1-10 authorization fields together form an object.

Authorization Field: Smallest unit against which a check should run.

Authorization: An instance of an authorization object i.e. a combination of allowed values for each Authorization field of an Authorization object.

Authorization Profile: Contains instances (Auth) for different Auth objects.

Role: Is created with the profile generator (PFCG), which allows automatic generation of an authorization profile.

Note: A role describes activities of a user.

User / User Master Record:
This is used for logging on to the SAP system and grants restricted access to functions and objects of the SAP system based on SAP profiles.

Note:
Authorization and authorization profiles are customizing objects.
Authorization classes, objects and fields are development objects.

Q) Where are all possible activities stored?
A) In the table TACT

Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role directly to a user. If at all you want to, then first make a copy of the pre-defined role and then add the user to the copied role.

Q) Is a role without Auth-profile considered as complete or not?
A) No

Q) What are the types of roles?
A) Roles are of 2 types: 1) Parent Role 2) Derived / Base Role

Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name, so that an inheritance hierarchy is maintained and the transactions are automatically pulled into the derived role.

Note:
As per SAP recommendations never generate a parent role. Always generate derived roles and maintain the field values as well as organizational values in the derived roles only.

Q) What is the total number of activities?
A) As per 4.7 the total number of activities = 168
01 – 99 = activities
A1 – VF = 69
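As an added illustration (not SAP code and not from these notes), the following Python model ties together the terms defined above and the parent/derived role relationship: authorization objects with fields, authorizations as sets of allowed values, a profile generated from a role, and a derived role that inherits the parent's values except for organizational levels. S_TCODE and F_BKPF_BUK are standard SAP object names; the roles, company codes, class labels and return codes are constructed for the example.

```python
from fnmatch import fnmatchcase

# Authorization objects: name -> (object class, field names). S_TCODE and
# F_BKPF_BUK are standard SAP objects; the class labels are illustrative.
AUTH_OBJECTS = {
    "S_TCODE": ("AAAB", ["TCD"]),
    "F_BKPF_BUK": ("FI", ["BUKRS", "ACTVT"]),
}

def value_allowed(allowed, value):
    """Allowed entries are literals, patterns such as 'FB*' or '*', or
    'lo-hi' ranges (the from/to columns of an authorization field)."""
    for entry in allowed:
        if "-" in entry and "*" not in entry:
            lo, hi = entry.split("-", 1)
            if lo <= value <= hi:
                return True
        elif fnmatchcase(value, entry):
            return True
    return False

def derive_role(parent_auths, org_levels):
    """Derived role: inherits the parent's objects and values unchanged,
    except organizational-level fields (here BUKRS), which are maintained
    in the derived role only, as the note above recommends."""
    return [(obj, {f: org_levels.get(f, v) for f, v in fields.items()})
            for obj, fields in parent_auths]

def authority_check(profile, obj, **wanted):
    """AUTHORITY-CHECK semantics: passes only if ONE authorization for obj
    allows every requested field value. Returns (rc, detail); on failure
    detail is what an SU53-style report would list as missing."""
    if obj not in AUTH_OBJECTS:
        return 12, f"object {obj} does not exist"
    for auth_obj, fields in profile:
        if auth_obj != obj:
            continue
        if all(value_allowed(fields.get(f, []), v) for f, v in wanted.items()):
            return 0, None
    return 4, f"{obj}: " + ", ".join(f"{f}={v}" for f, v in sorted(wanted.items()))

# Constructed parent role: FI posting, company code left as an org level.
PARENT_FI_POST = [
    ("S_TCODE", {"TCD": ["FB01", "FB03"]}),
    ("F_BKPF_BUK", {"BUKRS": ["$BUKRS"], "ACTVT": ["01", "03"]}),
]
# Two derived roles, one per company code range; each "generates" a profile.
PROFILE_FI_1000 = derive_role(PARENT_FI_POST, {"BUKRS": ["1000"]})
PROFILE_FI_2000 = derive_role(PARENT_FI_POST, {"BUKRS": ["2000-2999"]})
```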



Will update soon... Check next post...



November 8, 2013

SAP BASIS NOTES -11

STMS (SAP Transport management System) :-

1) SAP normally follows a 3-system landscape with a 3-tier architecture, i.e. DEV, QAS, PRD.
2) One of the systems has to be configured as the transport domain controller. This configuration is done as a part of implementation, i.e. immediately after executing the SICK transaction.
3) The transaction to configure the transport management system is STMS.
4) RFC connections are generated when the Transport Management System is configured, so that each R/3 system can communicate with all the R/3 systems in the domain.

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.

Q) What is transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain controller.

Q) What is transport domain?
A) All R/3 systems that are planned to manage centrally using TMS form a transport domain.

In order to configure the transport domain controller we have to log in using client 000 and user sap* or any user having authorization similar to sap*.

Configuring Transport domain controller:-
1) Login to SAP using client 000 and sap*
2) Go to STMS, it will propose the system as transport domain controller, provide the description and save.
3) Go to overview menu and select systems
4) Place the cursor on SYS ID and select SAP system display
5) Go to the transport tool tab and check the transport directory under global parameters, i.e. the transport directory path (\usr\sap\trans)

Note: The above steps are performed in Dev System which we can assume as domain controller

Steps for requesting inclusion of QAS and PRD systems into the domain controller:
1. Log on to QAS with client 000 and SAP* and go to STMS.
2. Select other configuration.
3. Provide the description and target hostname of the transport domain, i.e. the DEV system host name and instance number, and save.
4. Log in to Development using client 000 and sap* and go to STMS.
5. Select the QAS system.
6. Go to SAP systems -> Approve.
7. This will pop up a message saying "Inclusion of system in Transport Domain"; click "Yes".

Note: Repeat the above steps for inclusion of the PRD system also.
In DEV distribute the TMS configuration by selecting Extras -> Distribute TMS configuration.
It pops up a message; select "Yes".

Backup Domain Controller   
The backup domain controller holds a copy of the reference configuration, and configuration changes can be managed from it when the transport domain controller is not available.

Steps in defining backup domain controller:
1. Log on to transport domain controller system using client 000 and SAP*. Go to STMS T-code.
2. In STMS screen go to overview -> systems -> select the R3 system to be defined as backup domain controller.
3. Go to SAP system -> Display
4. Go to the communication tab -> select change under backup, enter "QAS" and save; it will give a pop-up window requesting you to configure the changes immediately, select YES.
5. Go to Extras from the menu -> Activate backup domain controller. It will give a pop-up window "Activate system QAS as a domain controller"; click "YES".

Transport Routes:
Transport routes indicate the role of each system and the flow of change requests.

Steps to configure transport routes:
1. Go to STMS T-code and Extras -> Settings -> Transport Routes  -> Select the desired editor and choose continue (By default graphical editor)
2. Go to overview -> Transport routes -> Select display or change mode
3. Go to configuration -> Standard configuration -> Three system in group.
4. Select the R3 systems in the pop-up according to their roles, click continue and save, specify the type of configuration and choose continue; it will ask you to distribute and activate the change, then select YES.

Q) What are the two editor modes in which we can configure the transport routes?
A) 1. Graphical Editor
     2. Hierarchical Editor   

Q) What are the various configuration methods available in STMS?
A)  1. Single system configuration
      2. Development and Production systems
      3. Three systems in a group

Q)  What is a standard transport layer?
A)  This describes the transport route that the data from the development systems follows.

Q)  What is SAP transport layer?
A)  It is a predefined transport layer for development classes of SAP standard objects.

Create Transport Layer:

1. STMS -> Overview -> Transport routes -> Select change button -> select zoom in button -> Select the particular transport route -> Go to Edit -> Transport layer -> Create.
2. Enter the transport layer name and description.

Configuring transport routes manually:

1. STMS -> Overview -> Transport routes
2. Go to Edit -> Transport route and add transport route -> Select source and target and leave it then we get pop-up window transport layer and click continue.

Note: The development system is considered the consolidation system, the quality system the delivery system, and the production system the integration system.

Enabling Quality assurance approval procedure (QAS):
1. Go to STMS -> Overview -> Transport routes -> Select change mode and double click on QAS System.
2. Go to System -> System attributes -> Delivery after configuration and click on procedure button.
3. Select the check box under the column “ASTV” as required and choose save.
4. Select distribute and activate (F8) button icon.

Q) What are the three approval steps you need to follow as a part of approval procedure in QAS?
A) 1. To be approved by system administrator
     2. To be approved by department
     3. To be approved by request owner

Using TMS on day to day operations:
Go to "STMS_IMPORT"; this will take us to the screen in which all the imports are available. Select the import, i.e. the transport request, and click the truck button (half-loaded truck).

Note:
1. If the import request does not appear under STMS_IMPORT, then go to Extras -> Other requests -> Add and enter the transport request number that you want to import manually.
2. Move transport number xyz to client 100.

Transporting request in OS Level:

1. Log on to any SAP system, go to "\usr\sap\trans\bin" and execute the command "tp addtobuffer <request number> <SID> client=<client number>"
2. To import, the command is "tp import <request number> <SID> client=<client number> U0"

Note: U0 is a qualifier to leave the transport request in the buffer.

Q)  What are the various qualifier options, or what are the various import options?
A) There are six import options
  1. Leave transport request in queue for later import
  2. Import transport request again
  3. Overwrite originals
  4. Overwrite objects in unconfirmed repairs
  5. Ignore unpermitted transport type
  6. Ignore predecessor relations   
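The following added Python model (not SAP's tp program, and not from these notes) simulates an import buffer to show what the qualifiers U0, U1 and U9 from the list above change for a single target system. The request numbers and the predecessor relation are constructed, and the re-import and predecessor checks are a simplified assumption of tp's behaviour, not a reproduction of it.

```python
class ImportQueue:
    """Constructed, simplified model of an STMS import buffer for one target
    system. Assumption: tp refuses a re-import or an out-of-order import
    unless the matching unconditional mode (U1, U9) is given."""

    def __init__(self, requests, predecessors=None):
        self.queue = list(requests)              # buffer order, as in STMS_IMPORT
        self.imported = []                       # import history of this system
        self.predecessors = predecessors or {}   # request -> requests that must go first

    def add_to_buffer(self, request):
        """tp addtobuffer: append the request unless it is already queued;
        returns its position in the buffer."""
        if request not in self.queue:
            self.queue.append(request)
        return self.queue.index(request)

    def import_request(self, request, modes=""):
        """tp import <request> U<modes>. Returns (rc, message): rc 0 on
        success, 8 when the import is refused. Mode digits follow the
        numbered list above ('U9' and '9' are both accepted)."""
        modes = modes.lstrip("U")
        if request not in self.queue:
            return 8, "request is not in the import buffer"
        if request in self.imported and "1" not in modes:
            return 8, "already imported; U1 imports the request again"
        waiting = [p for p in self.predecessors.get(request, [])
                   if p not in self.imported]
        if waiting and "9" not in modes:
            return 8, "predecessor not yet imported: " + ", ".join(waiting)
        self.imported.append(request)
        if "0" not in modes:                     # U0 leaves the request in the queue
            self.queue.remove(request)
        return 0, "imported"
```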




Will update soon... Check next post...