vivek-kumar
Changing Client Settings
Sometimes the Administrator may need to change the settings of a client in order to allow or disable customizations or changes to repository objects. In order to perform these operations execute the following sequence of actions:
• Log into any client of the system as super user.
• Execute transaction SE06.
• Click on the System Change Option button; set Global Setting as Modifiable.
• Execute transaction SCC4. Alternatively, access the menu path Tools -> Administration -> Management -> Client admin. -> Client maintenance.
• Click on the pencil-marked edit button at the top of the resulting screen.
• Click the green right pushbutton on the next window, when the system issues a warning that the table the administrator is going to change is client independent.
• Next, double click on the entry of the client whose settings need to be changed.
Setting up a configuration for client-dependent customizations
The default setting “Automatic recording of changes” allows client-dependent customizations and also records all such changes through change requests. The administrator may disable all changes by selecting “No Changes Allowed” (for a productive client or integration testing client). Recording of customizations by change requests can be turned off by selecting “Changes w/o automatic recording” (e.g. for a sandbox client). By selecting “No Transports allowed”, the administrator allows customizations in the client that cannot be transported to other clients.
Setting up a configuration for client-independent object changes
Clicking on the pull down button associated with the single field in the frame for client-independent object changes allows the administrator to select one of the four available options. One can selectively enable or disable changes to client-independent objects as well as to other repository objects.
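Added example (not part of the original notes): a Python check that reads a CSV extract of table T000 and flags clients whose change settings do not fit their role, following the guidance above that productive and integration-test clients get “No Changes Allowed”. The field names and codes (CCCATEGORY, CCCORACTIV, CCNOCLIIND) are given as commonly documented for T000 and should be confirmed in your system; the sample rows, the sandbox allowlist and the rule that protected clients also block cross-client changes are assumptions of this example.

```python
import csv
import io

# T000 codes as commonly documented; confirm the domain values in your system.
CUSTOMIZING = {  # field CCCORACTIV, client-dependent customizing
    "": "Changes w/o automatic recording",
    "1": "Automatic recording of changes",
    "2": "No changes allowed",
    "3": "Changes w/o automatic recording, no transports allowed",
}
CROSS_CLIENT = {  # field CCNOCLIIND, client-independent objects
    "": "Changes to repository and cross-client customizing allowed",
    "1": "No changes to cross-client customizing objects",
    "2": "No changes to repository objects",
    "3": "No changes to repository and cross-client customizing objects",
}
# Client categories (field CCCATEGORY) this example treats as locked down.
PROTECTED = {"P": "production", "T": "test"}

# Constructed sample extract, e.g. saved from a table display of T000.
SAMPLE_T000 = """MANDT,MTEXT,CCCATEGORY,CCCORACTIV,CCNOCLIIND
000,SAP reference,S,2,3
100,Production,P,1,3
200,Integration test,T,2,
300,Sandbox,C,,
400,Production EU,P,2,3
"""


def audit_clients(csv_text, sandbox_clients=()):
    """Return (client, finding) tuples for settings that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        client = row["MANDT"].strip()
        category = row["CCCATEGORY"].strip()
        cust = row["CCCORACTIV"].strip()
        cross = row["CCNOCLIIND"].strip()
        if cust not in CUSTOMIZING or cross not in CROSS_CLIENT:
            findings.append((client, "unknown setting code in extract"))
            continue
        if category in PROTECTED:
            kind = PROTECTED[category]
            if cust != "2":
                findings.append(
                    (client, f"{kind} client permits customizing: {CUSTOMIZING[cust]}"))
            if cross != "3":
                findings.append(
                    (client, f"{kind} client: {CROSS_CLIENT[cross]}"))
        elif cust == "" and client not in sandbox_clients:
            # Unrecorded changes are expected only in declared sandboxes.
            findings.append((client, "changes are made without change requests"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(SAMPLE_T000, sandbox_clients={"300"}):
        print(client, finding)
```

Pass the client numbers of agreed sandboxes in sandbox_clients so that only unexpected unrecorded-change clients are reported.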
Client Copy
Copying clients is another important activity in Client Management. Client copy sometimes involves copying either SAP provided clients or a live and working client to another client. The request for a client copy should be documented and forwarded to the Administrator for execution. The request should specify the timing of the execution in addition to all other client details. It should be kept in mind that client copy may consume a lot of disk space that is not recoverable by just deleting the client. Hence adequate planning should be done in order to justify the need of a new client.
• From the SAP login screen, log in as any super user in any existing client.
• At the SAP main menu, click Tools -> Administration -> Client admin. -> Client Maintenance (Transaction SCC4).
• Click on the pencil-marked edit button.
• Click the green right pushbutton on the next window, when the system sends a warning that the table one is attempting to change is client independent.
• Click on the ‘New entries’ pushbutton.
• Type the new client number, e.g. 010.
• Select the settings for the client-dependent object changes, and for client-independent object and repository object changes.
• Depending on the type of client, select a category for the client.
• Save the entries.
• From the SAP login screen, log in as SAP*, password ‘pass’, in the new client whose entry has just been created.
• Local Copy: Access the menu path Tools -> Administration -> Client admin -> Client copy -> Local client copy. Alternatively, use transaction SCCL.
• Remote Copy: Access the menu path Tools -> Administration -> Client admin -> Client copy -> Remote client copy. Alternatively, use transaction SCC9. Ensure that the RFC connection is set up between the source and target systems.
• Enter a source client from where one would like to copy.
• Click on the pull down button in the field Profile, and choose an SAP provided copy profile. To check whether the profile that has been selected matches the required one, place the cursor on this field entry and access the menu path Profile -> Display profile. Use a different source client for the user master information.
• Click on the Execute pushbutton to perform the client copy in the foreground. Otherwise, the Execute in Background pushbutton can be selected in order to schedule a background job for doing the client copy.
• After one presses the Execute button, the system will prompt with a window where the administrator has to verify whether the selected profile and source client match exactly what he wants. If so, then continue with the procedure.
• Another window box will appear prompting with a message like “Tables To Be Copied xxxx Copy?”
• Click on the [Yes] button in order to start the client copy procedure. To monitor the progress go to transaction SCC3.
• After the client copy is finished, check the copy logs in order to ensure that there was no problem. Access the menu path Tools -> Administration -> Client admin -> Copy logs.
In the resulting window double click on the entry corresponding to the client copy one has just run. In the following window place the cursor on the chosen client copy run, and press the Choose pushbutton. If the client copy process is terminated before completion, due to power failure or other reasons that caused the process to hang, client copy can be restarted without doing the entire procedure afresh.
While client copy is in progress, please ensure that no one is using the source client because any update during that time will result in data inconsistency in the target client.
Deleting a Client
• From the SAP login screen, log in as any super user in any existing client.
• Access the menu path Tools -> Administration -> Client admin. -> Special functions -> Delete client. Alternatively, run transaction SCC5.
• In the resulting screen select the option ‘Delete from T000’ and click on the ‘Online’ pushbutton in order to run the client delete in the foreground. Alternatively, the administrator can also run this in the background by clicking the pushbutton ‘Background’.
Exporting a client
When doing a remote client copy, the dictionary must be the same on both systems. If this is not the case (for example because some tables do not exist yet, since they are contained in a transport that has not yet been released), you have to perform a client export. The export is started in the client you wish to copy, from transaction code SCC8:
• From the SAP login screen, log in as super user in the client that is to be exported.
• From the menu select Tools > Administration.
• Next select Administration > Client Admin > Client Transport > Client Export. Alternatively, run transaction SCC8.
• For the selected profile field, any of the options available from the list of values can be selected. For example, for copying the entire client one can select the SAP_ALL profile; for selecting user masters and authorizations select SAP_USER.
• The target system should be a different SID than the one from which the client export is being taken.
• Select Execute in background and schedule the job to be triggered immediately / later.
Depending on the profile selected, the client export generates 2 - 6 files:
– Datafile (RO*) and cofile (KO*) for client independent objects
– Datafile (RT*) and cofile (KT*) for client dependent objects
– Datafile (RX*) and cofile (KX*) for Sapscripts
• These files are ftp-ed to the target system. The datafiles are ftp-ed in binary format to directory /usr/sap/trans/data, co-files are ftp-ed in ASCII format to directory /usr/sap/trans/cofiles, and the sapscript file is ftp-ed in ASCII format to directory /usr/sap/trans/data.
Importing a client
• In the target system, log into SAP as superuser and go to transaction SCC4.
• Create a new entry for the client as discussed above.
• Check the database space through transaction DB02 and ensure there is space for the new client that is to be imported.
• Log in to the operating system as sidadm.
• Go to directory /usr/sap/trans/bin
• First the client independent transport file is to be imported.
    # tp addtobuffer KO pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
    # tp import KO client nnn u18 pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
  where nnn – client number in which the data is to be imported and u18 is unconditional mode.
• Next the client dependent transport file is to be imported.
    # tp addtobuffer KT . pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
    # tp import KT client nnn u18 pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
  where nnn – client number in which the data is to be imported and u18 is unconditional mode.
• Next the SAPScript transport file is to be imported.
    # tp addtobuffer KX . pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
    # tp import KX client nnn u18 pf=/usr/sap/trans/bin/TP_DOMAIN_SID.PFL
  where nnn – client number in which the data is to be imported and u18 is unconditional mode.
After these transports are over we have to do the post client import processing using the transaction SCC7. The screen displays the Source Client and the profile with which the client was exported. Execute the post-processing in foreground by pressing the ‘Execute in Foreground’ button. Once the post-processing is over, the client import process is complete.
Client Copy Tools
The system includes five tools to perform client copy functions. All these tools are available from the Tools -> Administration -> Administration -> Client admin. menu. Options under this menu are:
• Client maintenance, transaction SCC4. It's the function for maintaining system clients: creating new ones, modifying attributes, and so on.
• Client copy. It's the main client copy function and includes two options:
  o Local client copy, transaction SCCL. It's the function for copying clients within the same SAP system.
  o Remote client copy, transaction SCC9. It's the function for copying clients among different but connected SAP systems.
• Special functions. Includes special functions for client maintenance such as deleting clients, comparing tables between clients, or copying a client based on a transport request. Menu options are:
  o Special functions, transaction SCC1.
  o Delete client, transaction SCC5.
  o Table analyses, transaction SCU0.
• Client transport. It's the function for performing client copy transport functions and includes two options:
  o Client export, transaction SCC8.
  o Postprocess import, transaction SCC7.
• Copy logs, transaction SCC3. This option presents the list of the client copy logs and allows copy progress to be monitored.
Reply from john yves T | posted Jan 21, 2008 | Replies (10)
Hi! Do not play w/ not IDES client. I dunno if I am wrong, but it sounds the client 800 is reserved for IDES instance. Is it your case? I do not see it in your question, so .. You should find this information on https://websmp109.sap-ag.de/support and selecting the key word: IDES, i.e. OSS note 118282. Please, get another client instead!!
You need to do something like this:
• Log on to the system
• Start transaction SM31
• Enter 'T000' as the table name
• Create a new entry with your preferred client number
• Log off the system
• Start a new GUI, logging on to the new client with user 'SAP*' and password 'pass'
• Start transaction 'SCCL'
• Use client 000 as source and your new client as target
• Give it the 'go'
• Wait some time :-)
Today I want to teach you how to transport table entries from one client to another. The technique uses a transport request, just like when you transport programs.
In this tutorial let’s create a transport request for SPFLI table entries.
1. First execute TCODE SE01. Click on the Create button in the upper left corner.
2. Choose Workbench request.
3. Type in the short description for this transport request.
4. After that double click the TR number below the Modifiable section.
5. Click on the change button.
6. Enter the Program ID = R3TR, OBJECT = TABU, OBJECT NAME = SPFLI, after that click the key button.
7. Double click the selected area until a pop-up screen appears.
8. Now type in the key value; for client you can type in the active client. Click enter or the okay button.
9. To display the table content, just click on the Table Contents button.
10. Now just choose the entire table option.
11. Here are the SPFLI table entries that you want to transport.
12. Now the last step is to save your transport request.
13. Just ignore the warning and click ok to continue.
14. Now you can execute SE01 again and see your transport request.
15. Now you just email the BASIS team to transport this TR into your destination client.
SAP PFCG Create a role
1. Go to Tcode PFCG
2. Enter New Role Name you want to create
3. Click "Role " button
4. Describe the Role in "Description" field
5. Click "Menu" tab
6. Click "Transaction" button to add Tcode
7. Click
8. Click "Authorizations" tab
9. Click "pencil" button to change authorization
10. Put "Org element value"
11. Save
12. Fill in the missing authorization
13. If we wish to give full authorization to this role, hit the "check" button
This is the current BC_A Object class
And this is the whole roles list
14. Save the role.
15. Enter profile name.
(we can get auto generated profile name from system if we leave it blank).
16. Generate for authorization
17. Click "user" tab to assign role to relevant users
18. Click to make comparison of users
Senior Administrator
Profile: S_A.ADMIN, S_A.SYSTEM
Junior Administrator
T-code: SU01 (Display), STMS, OS07, SM21, ST22, SMQ1, SM58, SOST, SM59, DB12, DB13, SM12, SM13, DB02, SP02, ST04, SM37, SM51, SM50, SM66, SM35, ST02, ST03N, PFCG (Display), SUIM, SNOTE, DB16, SE16, SM04, AL08, SM01, SM02, OSS1
How to create SAP single role?
September 1, 2010 by amm
Filed under: SAP Security : SAP Authorization
The transaction code for creating a role is “pfcg”.
1. Execute tcode pfcg
2. Fill in the role name. Then click the single role button.
3. Fill in the role description and click save.
4. On the Menu tab, click the transaction button to add a tcode to this role and save (you can add a report to the role as well by clicking the report button).
5. On the Authorization tab, click the pencil icon (change authorization data) to maintain the authorization object.
6. Maintain the authorization object. Then generate the role.
7. On the User tab, fill in the user ID you want to assign this role to and set the validity for the user to be authorized in this role.
8. Click the user comparison button to assign the role to the user.
How to create Mass roles?
September 4, 2010 by amm
Filed under: SAP Security : SAP Authorization
It often happens that during a project you have to create hundreds of roles.
The best way to finish role creation is to start now: go to pfcg and do it.
However, there are some cases where we can use the type of role to help reduce the effort of creating roles.
If your roles match the following criteria, then you can use this method to create roles.
- Every role you want to create contains the same tcodes
- Every authorization object field has the same value, except organization field values (company code, plant, shipping point, etc.)
- or, put another way, the roles are the same except for their organization field values
If the answer for each criterion is “yes”, then you can use the derived role type to create roles.
This will considerably reduce the effort and makes the roles easy to maintain.
To create derived roles, you need to create only 1 role as a template and maintain the authorization object values (except organization field values) in this template role. The other roles that you link with this template will have the same authorizations, except for the organization field values, which you need to maintain differently. However, with the LSMW tool, filling in organization values can be achieved easily.
There are some built-in templates in the SAP system which can be used to create different roles. The following are some of the role templates available in ECC 6.0 SR2.
SAP_ADM_AU – Administration: Authorization data administrator
SAP_ADM_PR – Administration: Authorization profile administrator
SAP_ADM_US – Administration: User administrator
SAP_ALL – Complete authorization with all authorization objects
SAP_PRINT – Print Authorization
SAP_USER_B – Basis authorizations for users
S_RS_NEW_NW04S – BW: New Authorizations for NW2004s
Steps to create a role using a role template. I am using the S_RS_NEW_NW04S – BW template to create a single role.
• Type t-code pfcg and hit enter
• Name the role using a proper naming convention, e.g. ‘Z:RAJ_NEW_AUTH_NW2004S’, and description as ‘New Authorizations for NW2004s’
• Use the long text area to write about who has instructed you to create this role with what permissions. This will be useful when you are working in real time, for future reference and better understanding of the role
• Save the role and click directly on the Authorization tab – do not click Menu – Menu will be generated automatically after generating a profile
• Click the Propose name for profile button - the profile name will be generated automatically
• Click the Change Authorization Data tab
• The Templates box will be displayed
• Select the template S_RS_NEW_NW04S – BW: New Authorizations for NW2004s
• Click Adopt Reference
• The Change Role – Authorizations window will be displayed
• Click save, generate and click back
• Attach to user and do user comparison
Create one role using each template and attach each to a separate fresh user to understand the difference between the templates. Log in to check the authorizations of the created roles.
SAP: How to Create and Use the Authorization Objects in ABAP
Published by rson March 16, 2009 in ABAP, Authorization, BASIS, SAP and Technical. Tags: abap, Authorization, BASIS, SAP, sap blogger, sdn blogger.
Authorization Objects are used to manipulate the current user’s privileges for specific data selection and activities from within a program.
We can always create our own authorization objects and implement them in our own ABAP programs. As an example, we will create our own authorization field similar to TCD used in the S_TCODE authorization object (see #3 in figure 1).
Figure 1
Steps to create authorization field
1. Go to transaction code SU20
2. Click the create new button on the application toolbar.
3. Enter “ZTCODE” in the Field Name and “TCODE” in the Data Element, then hit Enter.
4. Click the save button on the system toolbar.
Next step is to create the authorization class (see #1 in figure 1) and authorization object (see #2 in figure 1).
Steps to create authorization class
1. Go to transaction code SU21
2. Click on the Create button’s drop down icon and select “Object Class”.
3. Enter “ZTRN” on the Object Class field.
4. Give it a description and save it.
Steps to create authorization object
1. Again in SU21, in the list of authorization classes (folder icon), click the one that we’ve created (ZTRN).
2. Click on the Create button’s drop down, this time selecting “Authorization Object”.
3. Enter “Z_TCODE” on the Object field and give it a description.
4. On the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field that we’ve created earlier, which is responsible for holding a list of tcodes.
5. On the Further Authorization Object Settings, click on the “Permitted activities” button. Here we will select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01 (Create), 02 (Change), and 03 (Display).
7. Save and Exit.
Now we’re done creating our own authorization object, let us now use and assign it to a user.
Steps to create a role (see figure 2)
1. Go to transaction code PFCG.
2. Enter “ZAUTHTEST” on the Role field and click the “Single Role” button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the “Change Authorization Data” button inside the authorization tab.
5. Then click the “Manually” button on the application toolbar and type in the name of the authorization object that we’ve created earlier (“Z_TCODE”) and press enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used “ZCOMM”.
8. And also don’t forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Now click on the Generate button in the application toolbar and press enter on the pop-up screen.
10. Press the back button, assign a specific user on the user tab and click the User Comparison button.
11. Now create another role by repeating steps 1 to 9, but this time select activity 03 on step 6.
12. Then assign this 2nd role to another user.
Figure 2
Now let’s implement this authorization in our ABAP program. Let’s say we have a dialog program (ZCOMM) with a button on the screen that, when clicked, takes the user to the Create/Edit screen (1000) if he’s authorized. Otherwise, he will go to the display-only screen (2000). To do that, simply add the code below to your program.
    AUTHORITY-CHECK OBJECT 'Z_TCODE'   "authorization object that we've created
      ID 'ACTVT'  FIELD '01'           "Activity = 01, authorized to create
      ID 'ZTCODE' FIELD 'ZCOMM'.       "tcode that we want to check for authorization
    IF sy-subrc EQ 0.
      CALL SCREEN 1000.                "The user is authorized to create
    ELSE.
      CALL SCREEN 2000.                "User is not authorized to create (display only)
    ENDIF.
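Added example (not from the original post): a simplified Python model of how AUTHORITY-CHECK evaluates the two roles built above, returning sy-subrc-style codes (0 authorized, 4 values do not match, 12 no authorization for the object). Value matching is reduced to single values and a trailing '*', the user data is constructed, and the second function is a variant that also requires activity 03 before the display screen is shown.

```python
# Simplified model of AUTHORITY-CHECK evaluation (added example, not SAP code).
# Return codes follow the sy-subrc meanings: 0 = authorized, 4 = object
# present but values do not match, 12 = no authorization for the object.


def value_matches(granted, requested):
    """One maintained value against the checked value ('*' and 'ABC*' only)."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def authority_check(user_auths, obj, **fields):
    candidates = [a for a in user_auths if a["object"] == obj]
    if not candidates:
        return 12
    for auth in candidates:
        # All checked fields must be satisfied inside this ONE authorization;
        # values are never combined across authorizations.
        if all(
            any(value_matches(g, wanted) for g in auth["values"].get(name, ()))
            for name, wanted in fields.items()
        ):
            return 0
    return 4


# Constructed authorizations modelled on the two roles from the steps above.
ROLE_CREATE = [  # ZAUTHTEST: activities 01 and 02
    {"object": "Z_TCODE", "values": {"ACTVT": ["01", "02"], "ZTCODE": ["ZCOMM"]}},
    {"object": "S_TCODE", "values": {"TCD": ["ZCOMM"]}},
]
ROLE_DISPLAY = [  # second role from step 11 (its name is not given on the page)
    {"object": "Z_TCODE", "values": {"ACTVT": ["03"], "ZTCODE": ["ZCOMM"]}},
    {"object": "S_TCODE", "values": {"TCD": ["ZCOMM"]}},
]
# Hypothetical user: create on another tcode, display on ZCOMM.
SPLIT_AUTHS = [
    {"object": "Z_TCODE", "values": {"ACTVT": ["01"], "ZTCODE": ["ZOTHER"]}},
    {"object": "Z_TCODE", "values": {"ACTVT": ["03"], "ZTCODE": ["ZCOMM"]}},
]
NO_AUTHS = []  # user without any Z_TCODE authorization


def screen_as_on_page(user_auths):
    """Branch exactly like the ABAP snippet: create check only."""
    rc = authority_check(user_auths, "Z_TCODE", ACTVT="01", ZTCODE="ZCOMM")
    return 1000 if rc == 0 else 2000


def screen_with_display_check(user_auths):
    """Variant: also require activity 03 before showing the display screen."""
    if authority_check(user_auths, "Z_TCODE", ACTVT="01", ZTCODE="ZCOMM") == 0:
        return 1000
    if authority_check(user_auths, "Z_TCODE", ACTVT="03", ZTCODE="ZCOMM") == 0:
        return 2000
    return None  # neither create nor display: show an error message instead


if __name__ == "__main__":
    for name, auths in [("create", ROLE_CREATE), ("display", ROLE_DISPLAY),
                        ("split", SPLIT_AUTHS), ("none", NO_AUTHS)]:
        print(name, screen_as_on_page(auths), screen_with_display_check(auths))
```

The split case returns 4 for the create check because activity 01 and tcode ZCOMM sit in two different authorizations.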
2 Responses to “SAP: How to Create and Use the Authorization Objects in ABAP”
1. Enrique
July 6, 2009 at 7:23 pm
Hi,
What about modifying the standard transaction to include the new authorization object? If I select transaction SU24 and I add the new object. Does it work?
2. Terry
August 5, 2009 at 11:08 am
Hi..
“select transaction SU24 and I add the new object. Does it work?”
The answer is Yes and No.
The authorisation checks are called in the ABAP program, so it depends on how the ABAP has been written.
So ABAP programs check for named authorization objects.. some ABAP programs check the SU24 tables (USOBT & USOBT_c).
So you can add an authorization into SU24, but the system may not check it.
Check the ABAP code.. look for something like this
    AUTHORITY-CHECK OBJECT 'Z_TCODE'
      ID 'ACTVT' FIELD '03'         " read access
      ID 'ZTCODE' FIELD p_tcode.    " actual value
or
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
      ID 'ACTVT' FIELD '02'
      ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
      MESSAGE E…
    ENDIF.
Terry
SAP Security Tables
Central User Administration
SAP Security Reports
SAP Security Report Name – Description
RSUSR_SYSINFO_ROLE (you need to log on to the central system for this) – Report cross-system information/role. STANDARD SELECTION: User name, Receiving system; SELECT ROLE: Role
RSUSR_SYSINFO_PROFILE (you need to log on to the central system for this) – Report cross-system information/profile. STANDARD CRITERIA: User Name, Receiving system, Profile
RSUSRSUIM – Same as SUIM, User Information System
RSUSR402 – Download user data for CA manager from Secude
RSUSR300 – Set External Security Name for all Users
RSUSR200 – List of Users According to Logon Date and Password Change
RSUSR102 – Change Documents for Authorizations
RSUSR000 – Currently Active Users (Tcodes SU04 and AL08)
RSUSR002 – Users by Complex Selection Criteria (search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode; SELECTION BY FIELD NAME: Field Name; SELECTION BY AUTHORIZATIONS: Authorization Object, Authorization; SELECTION BY VALUES: Authorization Object 1 AND Authorization Object 2 AND Authorization Object 3; ADDITIONAL SELECTION CRITERIA: Account number, Start Menu, Output Device, Valid Until, Locked Users Only, Unlocked Users Only, CATT Check ID)
RSUSR002_ADDRESS – Select User According to Address. NAMES: First Name, Last Name, User; COMMUNICATION PATHS: Company, City, Buildings, Room, Extension; OTHER DATA: Department, Cost Center
RSUSR003 – Check the Passwords of Users SAP* and DDIC in All Clients (SAP*, DDIC, SAPCPIC)
RSUSR004 – Restrict User Values to the following Simple Profiles and Auth Objs. SELECTION CRITERIA: Single Profiles, Authorization Objs
RSUSR005 – List of Users with Critical Authorizations (same as RSUSR009, but the difference is here you can't choose)
RSUSR006 – List of Users According to Logon Date and Password Change
RSUSR007 – List Users Whose Address Data is Incomplete (here give the Required Address Data)
RSUSR008 – Critical Combinations of Authorizations at Transaction Start (can view either Critical Combinations or Users)
RSUSR009 – List of Users with Critical Authorizations. Same as RSUSR005, but here you can choose (Check using either customer data or Check using SAP data)
RSUSR010 – Transaction for User with Profile or Authorization (Transaction executable either by User, with Role, Profile, Authorization)
RSUSR011 – Lists of transactions after selection by User, profile or obj. SELECTION FOR: User
RSUSR012 – Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)
RSUSR020 – Profiles by Complex Criteria. SELECTION CRITERIA: Profile, Profile test; ADDITIONAL CRITERIA FOR PROFILES: Composite Profile, Single Profile, Generated Profiles; SELECTION BY CONTAINED PROFILES: Profile; SELECTION BY AUTHORIZATIONS: Authorization Object, Authorization; SELECTION BY VALUES: Auth obj, auth obj2, auth obj3; SELECTION BY ROLE
RSUSR030 – Authorizations by Complex Selection Criteria. SELECTION CRITERIA: Auth Object, Authorization, BY VALUES
RSUSR040 – Authorization Objects by Complex Criteria. STANDARD SELECTIONS: Authorization object; ADDITIONAL CRITERIA: Object class, Obj class text, Field
RSUSR050 – Comparisons: Compare Users (User A, User B), Roles, Profiles, Authorizations, Across Systems
RSUSR070 – Roles by Complex Selection Criteria. STANDARD SELECTION: Role, Description; SELECTION BY USER: Assignments
RSUSR100 – Change Documents for Users
RSUSR101 – Change Document for Profiles
Virtual Systems
Virtual Systems are SAP systems that are planned but not yet physically present. In order to subsequently replace a SAP system by a Virtual System, use the same SID for both.
You can create a Virtual System through the Transport Management System, tcode STMS.
Why do I need a Virtual System?
In order to replicate the transport routes of the planned system landscape and to ensure that the import queues of the subsequent system already exist.
During SAP upgrades, or when initially a sandbox or development system is available, it is required to create a Virtual System in order to store the development and customizing work in the import queues of the respective planned systems.
This is how a Virtual System is created.
1) Log on to the Transport Domain Controller with a user id having full transport authorizations.
2) Using tcode STMS go to Overview=> Systems=>
3) In the Systems Overview choose SAP System=> Create=> Virtual System
4) In the dialog box TMS => Configure Virtual System, enter the name of the SAP system and a description text. Also specify an SAP system as the Communications system for the Virtual System. (By default the Transport Domain Controller is chosen.) This system must already be a part of the transport domain. It cannot be a Virtual System or an external system.
5) Distribute the configuration change.
No RFC addresses can be created for virtual systems, so RFCs are accessed using the transport directory of an already existing SAP system. This system will act as the Communications System, and the Virtual System will always have to belong to the same transport group as the associated Communications System.
After the planned system is physically installed it is time to replace the Virtual System with the realized system.
The procedure is as follows:
1) Delete the Virtual System from the transport domain
Using STMS go to Overview=> Systems
Choose SAP System=> Delete (confirm)
Distribute configuration change.
As soon as the configuration change is distributed, the virtual system is deleted. The import queue for this system in TMS disappears but it is available as import buffer at the operating systems level.
Now add the new (physical system) to the transport domain:
1) Initialize the Transport Management System on the real SAP System and include the system in the transport domain.
2) Go to the Transport Domain Controller and accept the system. (As the import buffer is available at the operating system level, no change requests will be lost)
3) Distribute the configuration changes.