
Sap Basis Goodnotes


SAP R/3
SAP (Systems Application and Programs, Real time)
SAP is a 3 Tier Architecture.
SAP standard versions start with:
• 3.0
• 4.6B
• 4.7EE
• NW.04 (came in 2004)
• NW.04S
• ECC5
• ECC6

OTHER VERSIONS
SAP – Industries (Business Related Industry)
SAP – Applications (Collaborative for Cross Application)
MySAP Business Suite or MySAP.com: has been introduced for small and medium industries
SAP Netweaver – Using Internet
SAP Netweaver is a combination of MySAP Business Suite and SAP Applications (MySAP BS + SAP application).

Steps to Install SAP
• Operating System (OS)
• Database (DB)
• SAP
First we have to install the OS, then the DB, then SAP.
Java was introduced in the 4.7EE version. Real Java came in the NW04 version.

SAP DATABASE using
• SAO ORACLE SAP
• SQL SERVER
• DB2

ABAP – Programming language designed by SAP
(ABAP+J2EE) - included in NW04

Components - NW.04
• WAS - Web Application Server (ABAP+J2EE)
• EP - Enterprise Portal
• XI - Exchange Infrastructure
• MDM
• Acrobat Reader

ECC5 and ECC6 + Solution Manager
ECC5, ECC6, CRM, SRM, NW (are Web Application Server)
XI - Exchange Rate
MDM - Master Data Management (Manages Data)

SAP will consist of: Developers (ABAP) + Functional Consultants + Basis
BASIS is a mediator for Database Administrator + Security

SAP Software Life Cycle
Ramp-up Phase (SERVICE.SAP.COM)
- What is Total Life Cycle
- What are the new SAP products in the market
- PAM (Product Availability Matrix)

Software Maintenance two keys
- List of SAP packages
- Software Release: new SAP S/W release

SAP Maintenance Strategy & Planning


5-1-2 (Formula) (Total 8 Years)
• 5 years of standard maintenance
• 1 year of extended maintenance + a fee of 2% of standard maintenance
• 2 years of extended maintenance + 4% of standard maintenance

Navigation
3 types of GUI in SAP
• Default: Windows Based GUI - SAP GUI for Windows
• HTML Based GUI - SAP GUI for HTML
• JAVA Based GUI - SAP GUI for JAVA

SAP Login
- Client:
- User Name:
- Password:

Two Types of Menus in SAP
1. Standard Menu (SAP Menu)
2. Role Based Menu

Each user will get a role based menu.
USER_SSM: is a table where all the menu related information is stored (whether it is role based or standard based).
SMEN_BUFFC – is a table where favorite information is stored
SMEN_BUFFI – is a table where favorite information is stored

Downloading from SAP to the desktop as well as uploading from the desktop to SAP, the steps are:
-> System -> List -> Save -> Local file

Shortcut Commands
/n – Takes to new session in session
/o – New window in new session
/nend – Logging off current session
/nex – To close entire system (without saving)
/I – unsaved session logout

Help – SAP
In SAP there are two types of help
F1 – Technical Help
F4 – It provides possible entries for a particular field. (Maximum 500 entries are allowed in F4)

Filtering Data in SAP
SE16 – is the Transaction Code to view the contents of a particular table.

GUI - SAP
Two Types of GUI in SAP
- SAPgui.exe
- SAPlogin.exe

Buttons on GUI
- Group
- Server
- New item
- Delete
- Change
- Login
- Validation


- Change item

SAP log: Start SAP logon file.
Every system will have a port number 32 with (00-99)
3298 – niping
3299 – SAP router

SAP Architecture: Three types of Architecture
- Single Tier -> Presentation Layer
- Two Tier -> Application Layer
- Three Tier -> DB Layer

If P, A, and DB are in one box, it is called Single Tier architecture.
If P and A are in one box and DB in another box, it is called Two Tier architecture.
If P is in one box, A in another box and DB in another box, it is called Three Tier architecture.

Presentation Layer: Front End
Application Layer: Real calculations and computing
Database: where the data is stored

SAP Landscape (3 system landscape)
How SAP systems are arranged

The Basis guy can access the Development, Quality and Production boxes.

- Each box will have a system ID, i.e. (SID NO)
- In the Production box we have only one client (no changes are allowed in the production box)
- In the Development box we have three clients
- In Quality we have two clients
- All the changes are done only in the Development box
- Only testing is done in the Quality box
- Changes done in the Development box should be moved to the quality box and get tested, and finally they are transferred to the production box.
- End users have access to only the production box, and very few end users will have access to a separate training box.


- SAND box is used only for R&D purposes. Whatever changes you do in the SAND box will not be transported out of the box, i.e. the changes are stored under $TEMP (local server only).
- Training box is used by end users for training purposes.
- Both SAND and Training box will have exactly the same data as the production box.

Development Box
- MAST
- CUST
- SAND
MAST: 000 001 066 – Clients
000 to 999 client number names

Type of Changes in Development box
- In SAP there are only two types of changes.

Workbench change: T.C. is SE09
Customizing change: T.C. is SE10

Workbench Change: changes made to the default values provided by SAP in the tables are called workbench changes.
Customizing Change: is a totally new change in a system, e.g. creating a new program or modifying the structure of a program.

Transaction code SE01 = SE09 + SE10

- All workbench changes are transported using the transport layer ‘SAP’
- Customizing transport layer Z<SID>
- Anything starting with Z in SAP is a customizing change.


- In SAP there will always be one export and ‘N’ number of imports. The ratio of exports to imports is E:I; 1:N
- In a three system landscape there is one export and two imports.
- Data moved out of the development box is called an export.
- Data pulled into the quality and production boxes is called an import.
- The process is called transportation.

CTD: is a physical location which has to be configured at the time of installation.

- CTD in most cases is configured in the development box.
- Client number and user name will be the same in all boxes.

MAST = 000 001 066 Client
000 Master Client
001 Backup Client
066 Early watch

Client   User ID       Password
000      sap*          06071992
001      ddic          19920706
066      early watch   surpass/support

These are all the SAP client user IDs, clients and passwords.

- 6th July 1992 is when SAP moved from two Tier architecture to three Tier architecture.
- R/2 is Mainframe
- R/3 SAP
- Basis guys will have access to DDIC only.
- Initially all newly created clients are dummy, i.e. they will not have any data.
- We have to do a client copy in order to populate the data in the newly created client. This process is called client copy.
- In order to log in to a newly created client we should use user ID sap*; the password is pass.
- ddic is also called the god-like user.
- Early watch is a user ID used by SAP AG people for troubleshooting (ISDN line and router configuration is required for early watch).

3 Tier + 3 system landscape (SAP-model)


Multi System Landscape

Server:

I) central instance
II) application instance

For a set of software components to work we need a set of work processes.

Presentation: GUI (GUI for Windows), web browser (HTML)
Application: D, E, V, B, G, M, S
DB

• We have seven types of work process in the application layer
• Each work process can be configured in a particular instance or server
• The number of work processes which can be configured in an instance is 0-99
• If we need to configure more than 100 processes (i.e. 101) we need a new instance


Number of work processes per instance, by type:
D: 0-99
E: 0-99
M: 1
B: 0-99
V: 0-99
G: 0-99
S: 0-99

• Each work process will have one dispatcher
• The dispatcher is called the waiting queue

Updates are of two types:
I) Primary V/v1
II) Secondary V/v2

Instance: An instance is an application server which provides various services.
We have 2 types of instance:
1) Central instance
2) Application instance

An instance is defined by a set of services, i.e. D, E, V, B, G, M, S

Central instance:
1) This is an instance where all the services are configured (i.e. D, E, V, B, G, M, S)
2) This is identified by the message work process
3) Generally message and enqueue will be hosted on the same instance

Application Instance:
1) AI is an additional layer of R/3 architecture, i.e. used for reducing the load from directly falling on the central instance.
2) There is no DB in an application instance.

NOTE: the server in which the DB is present is referred to as the DB server or central instance.

Work process:
1) Dialog: the instance in which there is the max number of dialog work processes is called the dialog instance.
Note:
• For an instance to work we need a minimum of two dialog work processes


2) Enqueue: The instance in which there is the max number of enqueue work processes is called the enqueue instance.
Note:
• Enqueue work processes are used for locking and unlocking of SAP objects in a table
• We should have a minimum of one enqueue work process in an instance (by default we have one work process)

3) Background: The instance in which there is the max number of background work processes is called the background instance.
Note:
• This work process is used for handling the jobs which are scheduled in the background
Ex: Jobs like lists of financial accounting data, profit and loss sheets, production related info etc.

Note: Jobs are of three types
1) Medium
2) High
3) Low
These are represented by different colors as well as monitored and administrated by using third party tools.

Update work process: this is of two types
1) Primary update (v): task critical activities are primary update
2) Secondary update (v1): non critical activities are secondary update
Note: The max number of jobs are of secondary update type.

Gateway: the gateway is used for communication between 2 SAP R/3 systems
Note:
• Between an SAP R/3 system and non SAP, and between R/3 and R/2
• The gateway work process is used for external communications
• A minimum of one work process is needed

Spool: is used for handling requests to external devices like printers and fax machines
Note: A minimum of one spool work process is required.

Message: There are three functions of the message work process
• Handling the input request from the presentation layer
• Communication with the dispatcher and the work process
• Logon load balancing
Note: We will always have only one message work process in any R/3 installation.

• The server in which the M + enqueue work processes are available is called the central instance or central server.
• The servers in which other types of work process are available except message (i.e. D, E, V, B, G, S) are called application servers or application instances.
• The transaction code to monitor the type of servers or instances is SM51
• In SM51 we can see only active servers or instances
• The transaction code to monitor both active and inactive instances is SM66
• SM66 is also called the global process overview
• The transaction code to monitor the list of work processes present in a particular instance is SM50

Note: Each work process requires around 75 to 115 MB of memory to be configured.

• We can set the execution time for each and every work process by using profile parameters


• Default execution time for a work process is 60 sec

Dispatcher: There will be one dispatcher for an instance
• The dispatcher is used to handle a request
• The dispatcher receives requests and keeps them in a queue till that particular work process is free
• The dispatcher follows the FIFO method
• The dispatcher can be monitored from OS level by the command DPMON
• The dispatcher runs from an executable file Disp+Work.exe located in the run directory
• The profile parameter to display the number of work processes is rdisp/wp_no_<type of wp>
Ex:
Dialog = rdisp/wp_no_<dia> = 0-99
Background = rdisp/wp_no_<B+C> = 0-99
Spool = rdisp/wp_no_<spool> = 0-99
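
As an added example (not part of the original notes), the Python code below overlays DEFAULT.PFL with an instance profile and checks the rdisp/wp_no_* counts against the rules stated in these notes: 0-99 per type, at least two dialog and one spool work process, an enqueue process on the central instance, and 75 to 115 MB per work process. The profile contents are constructed samples and the function names are hypothetical; the suffixes dia, btc, vb, vb2, enq and spo are the standard SAP parameter names, and the instance profile overriding DEFAULT.PFL is standard SAP behaviour.

```python
# Added example: overlay DEFAULT.PFL with an instance profile and check the
# rdisp/wp_no_* counts against the rules stated in these notes.

# suffix -> (label, minimum per instance according to the notes)
WP_TYPES = {
    "dia": ("dialog", 2),
    "btc": ("background", 0),
    "vb": ("update V1", 0),
    "vb2": ("update V2", 0),
    "enq": ("enqueue", 0),  # raised to 1 when checking the central instance
    "spo": ("spool", 1),
}
MB_PER_WP = (75, 115)  # notes: each work process needs around 75 to 115 MB

# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = DEV
rdisp/wp_no_spo = 1
rdisp/wp_no_btc = 2
"""
BAD_INSTANCE_PFL = """\
# instance profile (constructed)
SAPSYSTEM = 01
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 120
rdisp/wp_no_vb = 2
rdisp/wp_no_vb2 = 1
rdisp/wp_no_enq = 0
"""
GOOD_INSTANCE_PFL = """\
SAPSYSTEM = 01
rdisp/wp_no_dia = 10
rdisp/wp_no_btc = 4
rdisp/wp_no_vb = 2
rdisp/wp_no_vb2 = 1
rdisp/wp_no_enq = 1
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_params(default_text, instance_text):
    """Instance profile values override DEFAULT.PFL values."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged


def check_work_processes(params, central_instance):
    """Return (counts, findings) for the rdisp/wp_no_* parameters."""
    counts, findings = {}, []
    for suffix, (label, minimum) in WP_TYPES.items():
        name = f"rdisp/wp_no_{suffix}"
        if name not in params:
            findings.append(f"{name}: not set in either profile, kernel default applies")
            continue
        try:
            n = int(params[name])
        except ValueError:
            findings.append(f"{name}: value {params[name]!r} is not a number")
            continue
        if not 0 <= n <= 99:
            findings.append(f"{name}: {n} is outside the 0-99 range for one instance")
            continue
        if suffix == "enq" and central_instance:
            minimum = 1
        if n < minimum:
            findings.append(f"{name}: {n} {label} work process(es), minimum is {minimum}")
        counts[suffix] = n
    return counts, findings


def memory_estimate_mb(counts):
    """Low and high memory estimate in MB for the configured work processes."""
    total = sum(counts.values())
    return total * MB_PER_WP[0], total * MB_PER_WP[1]


if __name__ == "__main__":
    for label, profile in (("bad", BAD_INSTANCE_PFL), ("good", GOOD_INSTANCE_PFL)):
        counts, findings = check_work_processes(
            effective_params(DEFAULT_PFL, profile), central_instance=True)
        print(label, counts, memory_estimate_mb(counts))
        for finding in findings:
            print("  finding:", finding)
```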

Types of key available in SAP Service Marketplace:
1) Developer key
2) License key
3) SSCR key
4) Migration key

1) Developer key: is required for a developer to develop or modify objects in the customer name space (Y or Z).
Note: this key is stored in table “Dev Access”.

2) License key: this key is used to get the license for SAP systems
• In order to authenticate our production system we need to apply the license key
• After installation the license key will be valid for 14 days, and we then need to apply for a permanent key valid till 31/12/9999
• Even though the license has expired, the developer does not lose any data
• In order to apply the original license we need to register our system or server in the marketplace (service.SAP.com) and generate the key by providing the system number.

The command for the SAP license key: saplicense -get = hardware key
Transaction to check the license = SLICENSE

Steps to install the license key using SLICENSE:
1) Log into SAP and go to SLICENSE
2) Get the hardware key using the command saplicense -get.
3) Go to the marketplace, get registered and get the permanent license key
4) Get the installation number
5) Click on the key icon to install the license

3) SSCR key (SAP Software Change Registration key): in order to modify objects in the SAP main space we need to obtain an SSCR key.
Note: in order to obtain an SSCR key we need to follow certain steps
1) Log in to the SAP marketplace with an S user ID
2) Select the system for which the SSCR key needs to be generated
3) Specify the program ID, object type and object name along with your SAP R/3 version

4) Migration key: in order to migrate from one OS to another OS or from one DB to another DB we require a migration key.
Note: we need to enter the target system OS and DB to generate this key

SAP data is segregated into three layers
1) SAP standard objects
2) Cross client objects
3) Client specific objects or data


1) SAP standard objects: These are nothing but repository objects, which include functions, transactions, programs, screens etc.
• All these are in the name space of A to X
Note: never try to change the repository objects unless and until it is required

2) Cross client objects: These are cross client tables which can be modified
Ex: currency table, measurement table, client administration table etc.
• Whatever changes we make of type cross client will affect all the users present under those clients

3) Client specific objects (or) data: changes which are specific to a particular client are called client specific data.
Ex: user master data, application data, customized data
These are of three types
1) User master data
2) Application data
3) Customized data

Starting and Stopping of SAP
When we start SAP the following sequence is executed
• Database
• Central instance
• Dialog instance or any other instance <Optional>

Starting and stopping from Windows can be done using the SAP Microsoft Management Console. In MMC a right click on <SID> will give the following options
• Start
• Stop
• View Start Profile
• View Instance Profile
• Trace

The color-coding for the status of the SAP server:
Yellow, Green, Red
Error, Start, Stop

Three types of profiles
Start/Stop of SAP systems in the background is controlled by a set of profiles which are located at \USR\SAP\DEV\SYS\Profile where DEV is the SYSID
1) Default Profile: DEFAULT.PFL
2) Start Profile: START_DEVBGMS01_<HOSTNAME>, where 01 is the instance number
3) Instance Profile: <SYSID>_DEVBGMS01_<HOSTNAME>, where 01 is the instance number

Never edit the startup profile because this profile is related to starting/stopping of the SAP system.

The first profile which is read while starting the SAP system is the start profile, and it is followed by the instance profile.

All work processes are configured in the instance profile. This profile is specific to the instance in which SAP is installed. Any changes made to the startup profile will affect only that particular instance.

All changes made to the default profile will affect all the instances which are configured.

Contents of Startup Profile:
SAPSYSTEMNAME
INSTANCENAME
SAPSYSTEM
SAPGLOBALHOST
Startdbs.cmd – DB
Msg_server.exe – Central Instance
Disp+work.exe – Dispatcher
Igswd.exe – Java

Start/Stop in Unix:
Commands used to start and stop at OS level in a Unix environment.
StartSAP
StopSAP
Options: <DB>, <R3>, <ALL>

Note: How to start/stop the java engine will be covered later?

Directory Structure:
The directory structure for SAP installed files will be

\USR\SAP\<SYS_ID>\PRFDOGTMPTRANS

One of the most important directories is Trans. Inside it the following sub directories are present.

Incomplete section. To be filled. Work in Progress.

What are the steps involved in stopping an SAP system?

Before stopping an SAP system we need to check the status of the following
• Check if there are any logged on users. Use Transaction Code – SM04
• Check if there are any Background process is to define – SM36
• Check if there is any background processing going on. Use TC – SM37
• Check if there is any batch input session. Use TC – SM35
• Check if there are any update processes running. Use TC – SM13

Note:
1) After verifying the above status we need to send a message to all the users stating the shutdown time using Transaction Code SM02.
2) All transaction codes that we monitor are executed in the central instance only.
3) To view the users who are logged into all the instances we can use Transaction Code AL08 (Global User Overview)
4) The transaction code to view profile parameters is RZ11.
5) The transaction code to edit or change the profile parameters is RZ10.
6) Report “RSPFPAR” is used to provide the same functionality as RZ11.

There are two types of profile parameters
1) Static parameters
2) Dynamically switchable parameters

For dynamically switchable parameters, we need not restart the SAP system after making the changes. For static parameters, we need to restart the SAP system to make the changes effective.
In the table “TPFYPROPTY”, the dynamic indicator (X) identifies all dynamically switchable profile parameters.
Note:
• Use Transaction Code SE16 to view the contents of a table.
• To display profile parameters from OS level we need to use Sappfpar followed by one of: <Parameter Name>, <ALL>, <Check>, <Help>
Eg: sappfpar ALL will return the list of all parameters.

Modes of Editing Profile
There are 3 types of edit profiles
1) Administration of Data
2) Basic Maintenance
3) Extended Maintenance

Administration of Data: contains the type of profile, short description, path of profile, name of instance and the time of last activation. This profile mode is used only to display the profile parameters. You can perform the maintenance of parameters using either basic maintenance or extended maintenance.
Basic Maintenance: allows adjusting the most important parameters and provides a logical description.
Extended Maintenance: displays the unformatted content of the profile, i.e. the technical names of the profile parameters. In extended maintenance we can change values, add values as well as delete them.

Changes are done in 2 steps.
Copy == Changes are temporarily copied
Save == Changes are permanently saved to the database

Changes to instance specific profiles take effect only after a restart of the corresponding instance.
Profile parameters related to security administration start with auth* in RZ10
Profile parameters related to work processes start with rdisp* in RZ10

Steps for tuning Work Processes

• In the command prompt of SAP execute RZ10.
• In the new screen opened to edit the profile parameters, choose the Utilities option from the menu
1) Inside Utilities choose the option Import Profile of Active Servers. This step is used to read the 3 profiles from OS level to SAP level. The output of this step is that it displays the profile check log, in which it will show the status of the three profiles, i.e. any errors in reading the profiles.
2) Press the back button
3) Select the profile tab and select the instance profile.
4) Go to extended maintenance and select the [Change] button

Note: To create a new parameter select the [Create Parameter] button.
To change the value of an existing parameter, select the parameter under the parameter name column and click on the change button.
• Change the value and select the [Copy] button
• Select [Back] and again click on the [Copy] button
• Click on [Back] and click on the [Save] button.

Operation Modes
There are two types of operation mode
1) Day Mode
2) Night Mode
In a real time scenario during day mode, we have the maximum number of users logging into the SAP system, hence we need the maximum number of dialog work processes to be set. During night mode, the maximum number of background jobs is scheduled, hence we need the maximum number of background work processes in the night. In order to make these changes we need to set up operation modes.
Note: During switching of operation modes, neither the instance nor the affected work processes need to be restarted.

Setting up of operation mode
• In the command prompt of SAP execute the Transaction Code RZ04
• Create operation modes Day, Night
• Call all active instances of the system
• Select the work processes that are needed based on the operation mode and assign them to it as default.
• Switching of operation modes should be set in SM63 (Time Table maintenance)
• Click Save
Note: Work process allocation is made primarily between dialog and background. Work process type = Dialog, Background, Class A, Update, V2 Update, Enque and Spool. Class A work processes are allocated primarily for background jobs of priority high.

Maintain Operation mode and Instances

1) Select [Instance/Operation Modes]
2) Select [create new instance]
3) Enter the hostname, select the start profile and the instance profile.
4) Click on the [save] button
5) The work process distribution window pops up
6) Select the type of operation mode, tune the number of work processes and click on [save].
Note: In a live environment we will not be required to perform this step regularly, and instead we choose Instance -> Maintain Instance -> Work Process Distribution.
7) Click on the [consistency check] button.
Note: Always use the consistency check button because the operation mode switch will not work if there is any inconsistency.
8) Go to SM63 (Timetable maintenance) and select the [Change] button.
9) Choose the following menu: Edit -> Time Period -> 15 Minutes. Why only 15 minutes?
10) Select the start time and end time, select assign and select the operation mode.
11) Repeat these steps for Night mode.

Go to RZ03 to display server status and alerts.
Note: This step is selected for manual switching of the operation mode.
• Select the server name and choose the operation mode
• Select the mode and click on Choose
• Go to Control | Switch operation Mode | All Servers -> Selected Servers -> Simulation

Very important Questions

1) Which directory do we have the exe files in?
2) In which directory do we have errors or logs or traces recorded?
3) What is the profile parameter for increasing the number of background work processes?
4) Difference between Central Instance and Application Server Instance?
5) How many Application server instances are there in your company?
6) How many modules did you support?
7) What is the version of OS, DB and R/3?
8) What is the patch level of R/3 used in your project?
9) What are the IP addresses of your R/3 systems?
10) If the dispatcher work process fails can I log in to the SAP system?
11) How to check the status of the dispatcher from OS level?
12) What are the start/stop commands for the SAP system from OS level?
13) If a dialog work process fails where can I check the logs related to the dialog work process?
14) What are the three types of profile parameters and what is their naming convention?
15) What is the technology used by SAP systems to process user requests?
16) What is the transaction code to check whether all my instances are active or not?
17) What is the transaction code for finding out the number of work processes present in a particular instance?
18) How do I do manual switching of operation mode?
19) How many work processes are required in order to log in to the SAP system? What are the types?
20) In what sequence does the system read system parameters?
21) What is the transaction code to check the consistency of individual profiles?
22) In which sequence do we perform the setting up of operation modes?
23) Which SAP processes are started when the SAP system or an instance is started?
24) How do I find out which parameters are dynamically switchable and which are static?
25) How do I display current values of system parameters? What are the ways of displaying current values of system parameters?
26) If I make any change to the startup profile do I need to restart the SAP system?

Configuring Online Documentation
Online help in SAP is termed online documentation. This has to be installed and configured in DEV only.
* The transaction code to configure help is SR13

Supported help types in SAP
• HTML-Help File. These files are available using a file server and are displayed with the HTML Help viewer. This is a compressed format of help supported by Microsoft. These files have the extension .chm (Compiled HTML format).
• Plain HTML HTTP. Documents are stored in standard HTML format. Documents are available using a web server and are displayed with a standard web browser.
• Plain HTML File. It is the simplest type of help, stored in standard HTML format. Documents are available using a file server and displayed with a standard web browser.
• Dynamic Help. This help is used on all front-end platforms. It uses standard HTML format, and documents are displayed in a standard web browser. The files are available using a knowledge warehouse server.
Note: The OS file related to help is SAPDOCCD.ini. It is located in the following directories
a) Windows directory
b) Local (or) Central GUI
c) Program Files/sap/front end/SAPgui
• SAP Help Portal. Help.sap.com provides Internet based access to online documentation.

Steps to configure a Help function
• At the command field type the Transaction Code SR13
• Click on the Edit icon
• Choose the [New Entry] option and enter the following details
Variance {Help Description}
Platform {Operating system. Microsoft/Unix}
Area (Auto populated field)
Path (Should be the path of the help file installation)
Language (should be English)
Default check box. If the default check box is selected, i.e. it is set as default, it is considered as the only help available whenever you log in.

CLIENT ADMINISTRATION
The list of very important transaction codes for client administration

Activity | Activity Description | Transaction Code
Client Creation | Create a new client | SCC4
Client Deletion | Delete an existing client | SCC5
Local Client Copy | Copying local client data | SCCL
Remote client copy | Remote client copy | SCC9
Client Export | Client Export | SCC8
Client Import | Client Import | SCC7
Client Copy Logs | Client Copy Logs | SCC3

Note: CATT – Computer Aided Test Tool

Resource Requirements
Copying clients requires a large amount of system resources. To avoid any bottlenecks we should ensure that there are enough resources available by considering the following
1) DB storage space
2) Perform a test run before copying a client.

Question) Why do we need to perform a test run?
Ans) A test run determines which tables are to be changed.
Note: What is the amount of storage space a client will occupy?
A client without application data needs approximately 150-200 MB of storage space in a DB.

Implementation Considerations
Question) Why do we need to do a client copy?
Ans) To create new clients.
Note: New clients are based on SAP reference client 000 when the R/3 system was first implemented. The new clients are Training, Demo, Test and Production clients.
Note: It is strongly recommended when doing a client copy to use the profile SAP_CUST.
Question) Do we need to transport clients between systems (or) what is the procedure for copying clients between systems?
Ans) We are no longer required to transport clients; instead we make a remote client copy.

Features
When copying clients you can select the data that you want to transfer from the source to the target client.
The various types of data are as follows
a) User Master Data: We select this option only if we want to copy all the users of an existing client with the same authorizations into the target client.
b) Client Specific Customizing: We select this option if we want to set up a new client in an existing system.
c) Client Specific Customizing and Master/Transaction Data: We select this option if we want to set up a test client that is identical to the production client in the same system.
d) Client Specific and Cross Client Customizing: We select this option if we want to set up a quality assurance system based on the production client of another system.
e) Client Specific and Cross Client Customizing and Master/Transaction Data: This option is selected to set up a test client based on the production client of another system.

Note: When a client copy process is completed the client copy tool automatically generates all ABAP dictionary objects that were created as a result of a generation process.

Restrictions:
Background Processing: We can copy clients either online or in the background.
Note: SAP recommends scheduling client copies as background jobs. Why?
Answer)


• During a client copy we must ensure that no users log on to the system (source client)
• Users already working in the target client cannot be locked automatically before the client copy starts, and we must ensure that they leave the system.
• In the source client we can lock the users.
Note: In normal situations, for some technical reasons, we should not lock users in the source client, e.g. the production client. If the source client is the production client, this may lead to inconsistency if users are not logged off. To avoid inconsistencies, the related tables are copied together with other tables. During a client copy large volumes of data are transferred and hence it may take several hours, for which we need dialog processes.

Note: The client copy tool generally uses a minimum of 2 dialog work processes even if you start it in the background. Before performing a client copy set the profile parameter MAX_WPRUN_TIME; it is recommended to set it to 30 minutes.

Question) Why should we not transport the client data?
Ans) This is explained with the help of a scenario. In the target system, we have set up clients whose data must not be affected. The cross client data must not be imported into the system from outside, since the cross client data overwrites existing data so that the customizing data of other clients in the target system is no longer effective. For client transports an RFC connection should be established between the systems.

Copy Profiles
For copying clients R/3 offers a set of profiles

Copy Profile | Description
SAP_USR | Copies user master records and profiles only.
SAP_CUST | Copies all customizing tables including user profiles
SAP_VCUS | Copies all customizing tables, user data and user profiles.
SAP_ALL | Copies all data belonging to a client.

Authorizations
To be able to copy and transport clients we need appropriate authorizations. There are two types of authorizations
1) General authorizations for client copy
2) Special authorizations

1) General authorizations for client copy
Authorization | Allows you to
S_TABU_CLI | Maintain cross client tables
S_TABU_DIS | Maintain system tables
S_CLIENT_IMP | Import data when performing a client copy
S_DATA_SET | Access the file system

Copying of clients:
Authorization | Allows you to
S_USER_PRO | Copy user profiles
S_USER_GRP | Copy user master records

2) Special authorizations
Authorization | Allows you to
S_CTMS_ADMI | Create object list for client transport and copy object list between two clients.

Note: This authorization is related to client transports. This authorization object should have the values TYPE=CLCP and ACTVT=01

Question) What default user has all the authorizations?
Ans) SAP*. This is the reason for locking this user in different environments.

Steps for Client Creation
1) Go to SCC4
2) Select the [Change] button
3) Select [New Entry]

Fill in the following entries:
1) Client No and Description
2) Select the client Role

System: DEV (Default Options)
  Client Specific Objects: Automatic recording of changes
  Cross Client Objects: Changes to repository and cross client customizing allowed
  Protection Level: 0

System: PRD
  Client Specific Objects: No changes allowed
  Cross Client Objects: No changes to repository and cross client customizing objects
  Protection Level: 1 (no overwriting)

System: (Scenario 1) QAS and Testing, same setting as PRD
  Client Specific Objects: No changes allowed
  Cross Client Objects: No changes to repository and cross client customizing objects
  Protection Level: 1 (no overwriting)

System: (Scenario 2) QAS
  Client Specific Objects: No changes allowed
  Cross Client Objects: No changes to repository and cross client customizing objects
  Protection Level: 1 (no overwriting)

System: TRNG
  Client Specific Objects: Changes w/o automatic recording, no transports allowed
  Cross Client Objects: No changes to repository and cross client customizing objects
  Protection Level: 1 (no overwriting)

System: SNDB
  Client Specific Objects: Changes w/o automatic recording, no transports allowed
  Cross Client Objects: Changes to repository and cross client objects allowed
  Protection Level: 1 (no overwriting)

Protection Level 1 is for copying data.
The aim of the protection level attribute is to prevent the client from being overwritten intentionally or unintentionally by copying additional client-dependent data from another client.

In DEV the protection level is always no restriction.
In PROD: no overwriting, but external availability is there.

CATT
CATT stands for Computer Aided Test Tool. They generate test data that may be helpful for demonstration purposes. A client with protection level 1 and 2 cannot function as target client. CATT scripts are only used in test systems as well as QAS systems. This option provides access for testing of data using various testing tools.

Restrictions
Locked due to a client copy: This option is used while performing a client copy, i.e. locking the entire client.
Protection against SAP upgrade:

Data in R/3 is of 2 types:
Client Dependent data: Example: Customizing, Application and User data
Client Independent data: Example: ABAP Program, R/3 Repository Objects and Enterprise IMG

Client information is stored in table T000; "mandt" is the field in T000 that stores the name/number of the client.
Clients present in non-IDES: 000, 001 and 066
Clients present in IDES: 000, 001, 066 and 800 (totally customized client)

Note: Option "No Transport Allowed" deactivates CTS (Change Transport System) in the client.
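The role table above can be checked mechanically against the clients that actually exist in a system. The following Python sketch is an added example, not part of the original notes; it assumes the SCC4 settings of each client have been written down as CSV, and the column names, short setting codes and sample rows are all constructed for illustration.

```python
import csv
import io

# Expected settings per client role, transcribed from the role table in these
# notes: (client-specific objects, cross-client objects, protection level).
# The short codes are labels made up for this example, not SAP field values.
BASELINE = {
    "DEV":  ("auto_record", "allowed", 0),
    "PRD":  ("no_changes", "locked", 1),
    "QAS":  ("no_changes", "locked", 1),
    "TRNG": ("no_record_no_transport", "locked", 1),
    "SNDB": ("no_record_no_transport", "allowed", 1),
}

# Constructed sample data: settings as an administrator might note them down
# from SCC4, one row per client. Column names are hypothetical.
SAMPLE_CSV = """client,role,client_changes,cross_client,protection_level
100,DEV,auto_record,allowed,0
200,QAS,no_changes,locked,1
300,PRD,auto_record,locked,1
310,PRD,no_changes,allowed,0
400,TRNG,no_record_no_transport,locked,1
500,SNDB,no_record_no_transport,allowed,
900,DEMO,no_changes,locked,1
"""


def audit_clients(csv_text):
    """Compare each client row with BASELINE; return (client, problem) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        client = (row["client"] or "").strip()
        role = (row["role"] or "").strip().upper()
        if role not in BASELINE:
            findings.append((client, f"role {role} has no baseline in the table"))
            continue
        want_changes, want_cross, want_level = BASELINE[role]

        # Client-specific change setting must match the role exactly.
        got_changes = (row["client_changes"] or "").strip()
        if got_changes != want_changes:
            findings.append(
                (client, f"client-specific objects: {got_changes}, expected {want_changes}"))

        # Only a looser cross-client setting is a finding; stricter is fine.
        if want_cross == "locked" and (row["cross_client"] or "").strip() != "locked":
            findings.append(
                (client, "repository and cross-client customizing can be changed"))

        # A missing level is reported separately from a level that is too low.
        level = (row["protection_level"] or "").strip()
        if not level.isdigit():
            findings.append((client, "protection level missing or not a number"))
        elif int(level) < want_level:
            findings.append(
                (client, f"protection level {level}: client can be overwritten by a copy"))
    return findings


if __name__ == "__main__":
    for client, problem in audit_clients(SAMPLE_CSV):
        print(f"client {client}: {problem}")
```

On the constructed sample this reports client 300 (changes recorded in a PRD client), client 310 twice (cross-client changes allowed and protection level 0), client 500 (no level recorded) and client 900 (a role the table does not cover).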


Local Client Copy
Copying clients within the same system

1) Execute the transaction code SCCL at the SAP command line
2) Select a copy profile that matches your requirement. Click on the [Choose] button
3) Save the profile value by choosing the button [Save Profile Value]. We use this option if we want to use the selected profile as default settings.
4) Enter the source client
5) Start the copy process. Starting of the copy process can be done in 2 ways: either schedule it as a background job or start immediately.

Note: In a live environment we schedule it as a background job only.

If the expected output of the copy process is to copy only user data and profiles, then we can run it online, i.e. [Start Immediately]. In order to perform a client copy, the most critical step is logging into the target client and performing the above process there.

Copying Clients between Systems
When a client is copied from one system to another, the data is transferred directly via the RFC interface.

Steps:
1) Log in to the target client and go to SCC9
2) Select the copy profile
3) Enter the RFC destination
4) Start the copy process

Note: The transaction code to create an RFC destination is SM59

Transporting Clients between systems
Note: You are no longer required to transport clients before you can copy clients between systems. Instead you can make a remote copy. Nevertheless SAP continues to provide support for the transport function. During client transport all languages of the source system are transported. They overwrite the texts in the target system. Therefore all texts whose language exists only in the target system but not in the source system are lost in the target system.

Steps
1) Log on to the source system and go to SCC8
2) Select a copy profile
3) Select a target system client.

Note: Log on to the source system in the source client with a user that has transport authorization. Data export is performed automatically and asynchronously. The output of the export includes the names of the transport requests that are to be imported:

<SID>KO<no>   Cross client data
<SID>KT<no>   Client specific data
<SID>KK<no>   Texts and forms

Once we are done with the export, go to SE01 or SC09 and check for the transport request created.

Client import post processing is always necessary and must be performed in the target client after import of the transport request.

Go to SCC7 to check the import queue, verify the request number and export system, and click on the background job tab or start immediately. Thus the client transport is done.

Note: Client Transport = Client Export + Client Import

Log on to the target client, go to SCC1, give the source client and transport request number and schedule it in the background. This is how local client transport is done.

Post processing activities after client import


Use the following menu for post processing activities.
Tools -> Administration -> Client Admin -> Client Transport -> Post Processing Import
Note: We can use this option to transport customizing changes to the target client that have been made in the source client after the client copy.

Displaying Client Logs
Go to SCC3 to check for the logs.
To display the detail log for a run, position your cursor on the appropriate run and then select the [Choose] button.
The system displays the list with the info Copy Type, Profile, Status, User, Tables where copy problems occurred and statistical info.
To view further details choose the [Details] button.

Restarting Client Copy
If the process terminates for some technical reason like a database shutdown, you can always restart the process from the point of termination.
If you start a client copy or a client transport, and the previous process terminated prematurely, the system automatically proposes restart mode with the same parameter settings used for the copy that caused the termination.
If the restarted process fails, the log displays a special note indicating possible reasons for the error.

Error Handling
Client copies usually involve large volumes of data, which places strain on the CPU and storage resources of a machine. Depending on the data involved and the system configuration, the most likely errors are given below with corrections.

Error handling in client copy and transport
Error Cause Solution Remarks

Write Error in target Client

Usually a table space overflow problem.

Check system log to determine the name of table space. Extend table space and repeat entire copy process.
Note: Do not delete

System log message “SYN MC Maintenance deactivated Fully” or “Buffer TABL/TABLP Reset”

None These messages document special function that is used to improve performance and guarantee consistency.

Termination in exit program after runtime of several hours (ABAP runtime error log = ABAP Dump)

Run log display to determine the name of last exit program that caused termination

Client copy program has not terminated but an application error has caused the termination.

Client deletion: Deletion of a client using an R/3 script is not advised by SAP.

Client deletion pre-work:

1) Ensure that there is no backup currently running for the system.
a) Log on to the system at OS level
b) Go to cd /oracle/sid/sapbackup and type tail back*. This will display the last lines of the backup log; the last line will display the latest backup. If the written code listed is the backup is still running and you will need to wait till it ends.

2) Ensure that any scheduled backup for the target system is held while archiving is turned off. By default archiving should be on.
3) Turning archive off:

a) First check whether any users are currently logged on to the system (AL08), then issue a system message that the system will be used in a few moments:
I. Go to SM02
II. Select the create option and enter the message into the dialog box displayed
III. Set the expiration date and select the save button
These are the steps to create a system message.

b) To turn off archiving, first shut down SAP:
I. Sesu- <SID>adm (Status of the system)
II. Type stopsap R3
III. When you receive the message "instance stopped", check whether the system is down by typing ps -ef | grep dw. There should be no entries visible for the SID you have just stopped.
IV. Exit from <SID>adm
V. Type sesu_oracle<SID>
VI. Enter SAPDBA-U/
VII. Choose option f - archive mode
VIII. Select option A (toggle database log mode)
IX. Type y to the message "instance will be bounced and shutdown immediately"
X. After a few moments reply or type y once again to start up the instance
XI. The archive mode menu should now show that database log mode is off
XII. Exit SAPDBA
XIII. Exit from ora<SID>. In order to restart SAP ensure that you are in <SID>adm mode.
XIV. Enter startsap R3. When the message "instance started" is received, check whether the instance is running by typing ps -ef | grep dw and looking for the SID that we have just restarted.

c) Remove the system message if it is still valid

4) This step is followed on UNIX OS only. A consequence of shutting down SAP is the interruption of the SMTP mail process within UNIX; you must manually restart the process.

I. In UNIX type the command sesu_<SID>adm
II. Go to cd /sapmnt/<SID>/exe
III. Check if the processes are still running by issuing the command ps -ef | grep ml (mail server). If there are any processes running, that particular process ID needs to be stopped.
IV. Enter kill -9 <PID>

5) Since the client-deleting process involves five processes, an important step before starting any process is to check that there are enough batch processes available to carry out the work.
a) Enter SM50 and check there are at least 5 batch processes available (Note: see that an equal number of dialog processes are also available)
b) If there are not enough batch processes available, the operation modes will need to be switched.
c) Enter transaction code RZ04, double click on the current operation mode and increase the batch processes assigned to that operation mode
d) Manually switch the operation modes using RZ03
e) To check if the operation mode was successfully changed, go to SM50 and count the number of batch work processes

6) This step is to prepare the user for the deletion process
a) First log in to the target client for the deletion process
b) Go to SCC5
c) Specify whether you want to delete the client and also select T000 and execute the process in the background

***NOTE: Selecting option T000 will not only delete the client locally but also remove the entry physically from the T000 table.

Background JOB Administration:
1. We mainly use background work processes, also called batch work processes, for long-running tasks.
2. Background processing is used not only for long-running tasks but also for recurring tasks. Ex: daily database backup or financial accounting status

A background job consists of one or more steps. A step can be:
a) An ABAP program
b) An external command
c) An external program

Note: Every job is processed without interruption by one single background work process.

Background jobs can be scheduled with different priorities:
I. Class A: highest priority
II. Class B: medium priority
III. Class C: normal priority

Note: We must ensure that a large share of all background tasks are normally scheduled as class C without target server specification (90% of tasks).
Ex: tasks scheduled using transaction DB13

A step within a job can call one of the three actions:

1) Every ABAP program can be scheduled as a step of a job. If the ABAP program has one or more selection screens, you can create the input required in the form of a variant.

2) An external command is a call of a predefined script, a command or a program outside the SAP system. With external commands we can mask OS calls and store them in the SAP system under a new name.

3) The execution of an external command is protected using SAP authorization, i.e. certain external commands can only be processed by particular users in the system.

4) An external program is any OS command. The SAP authorization concept only specifies whether a user can call external programs or not.
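The difference between the three step types, and the guideline that most jobs run as class C without a target server, can be turned into a review of job definitions. The following Python sketch is an added example, not part of the original notes; the job records, field names and severity labels are constructed for illustration and are not an SAP export format.

```python
# Step types as described in these notes; the identifiers are this example's own.
STEP_TYPES = {"abap", "external_command", "external_program"}

# Constructed sample of job definitions as they might be noted down from SM36.
JOBS = [
    {"name": "Z_SPOOL_CLEANUP", "job_class": "C", "target_server": "",
     "steps": [{"type": "abap", "what": "ZCLEANUP_SPOOL", "user": "BATCH_ADM"}]},
    {"name": "Z_STATS_COLLECT", "job_class": "C", "target_server": "",
     "steps": [{"type": "abap", "what": "ZCOLLECT_STATS", "user": "BATCH_ADM"}]},
    {"name": "Z_DB_BACKUP", "job_class": "C", "target_server": "",
     "steps": [{"type": "external_command", "what": "ZBACKUP_CMD", "user": "BATCH_DB"}]},
    {"name": "Z_FILE_PUSH", "job_class": "C", "target_server": "apphost01",
     "steps": [{"type": "external_program", "what": "/usr/local/bin/push.sh",
                "user": "BATCH_IF"}]},
    {"name": "Z_MONTH_END", "job_class": "A", "target_server": "",
     "steps": [{"type": "abap", "what": "ZMONTH_END", "user": "BATCH_FI"}]},
]


def audit_jobs(jobs, class_c_target=0.90):
    """Return the share of plain class C jobs and a list of review findings.

    Each finding is (job name, severity, text). Severity reflects how much
    the step relies on controls outside the job definition itself.
    """
    findings = []
    plain_c = 0
    for job in jobs:
        name = job["name"]
        if job["job_class"] == "C" and not job["target_server"]:
            plain_c += 1
        elif job["job_class"] == "A":
            findings.append((name, "review", "class A job: confirm the priority is needed"))

        for number, step in enumerate(job["steps"], start=1):
            kind = step["type"]
            if kind not in STEP_TYPES:
                findings.append((name, "error", f"step {number}: unknown type {kind}"))
            elif kind == "external_program":
                # Any OS command; only the right to call external programs is checked.
                findings.append((name, "high",
                                 f"step {number}: external program {step['what']} "
                                 f"runs as {step['user']}"))
            elif kind == "external_command":
                # Predefined and protected per command; check who may execute it.
                findings.append((name, "medium",
                                 f"step {number}: external command {step['what']} "
                                 f"runs as {step['user']}"))

    share = plain_c / len(jobs) if jobs else 0.0
    if jobs and share < class_c_target:
        findings.append(("*", "review",
                         f"{share:.0%} of jobs are class C without target server, "
                         f"below the {class_c_target:.0%} guideline"))
    return {"class_c_share": share, "findings": findings}


if __name__ == "__main__":
    report = audit_jobs(JOBS)
    for name, severity, text in report["findings"]:
        print(f"[{severity}] {name}: {text}")
```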

Start criteria for background job:
A job can be triggered by the following options:

1) By scheduling a job on a particular date at a particular time. Ex: time-controlled scheduling

2) By the occurrence of a particular event defined in the SAP system (event-based scheduling)


Scheduling and monitoring: use transaction SM36 to define new jobs
• We can manually schedule the jobs as well as call the job wizard
• In most cases we schedule manually

Required specifications for defining a job:
1) General specifications such as job name, job priority and target server (optional)
2) Definition of one or more job steps
3) Definition of start conditions (time or event based)

Q) Why is it not preferred to use the job wizard?
A) Unlike classical scheduling, we cannot perform individual steps with different users.

Here we can monitor the different statuses of background jobs.
Status of Jobs

1) Scheduled: The steps of the job have already been defined; however, the start condition must still be defined.

2) Released:
I. The job has been completely defined, including the start condition
II. A job cannot be released without a start condition
III. Only a relevant authorized user can release a job

3) Ready: The start condition of a released job has been fulfilled. A job scheduler has placed the job in the wait queue for a free background work process.

4) Active: The job is currently being executed and cannot be released or changed.

5) Finished: All steps of the job are successfully completed.

6) Canceled: The job is terminated. Reasons for this are:
I. An administrator deliberately terminated the job in transaction code SM37 by choosing the Job -> Cancel active job button
II. A job step is terminated with an error.
Note: We can change a job as long as the job still has the status scheduled or released.
III. We can create a new job by copying an existing job by choosing Job -> Copy

Time Based Scheduling
There are three options to execute a job:
1. Immediately
2. Particular Date/Time
3. On a particular work day (i.e. factory calendar)

A job scheduler in the background handles all time-based jobs. The profile parameter that specifies the time period in which the time-dependent job scheduler is active is rdisp/bcttime. Execution of jobs with the start condition "Immediate" usually avoids the time-based scheduler. In this case the dialog work process of the user performs the job scheduling. The profile parameter to configure the background work processes is rdisp/wp_no_btc. The number of background work processes depends on the number of tasks to be performed in the background. If the transport system is used there must be at least 2 background processes. The default time for the time-dependent job scheduler is set to 60 seconds (rdisp/bcttime = 60).


Note:
The ABAP program SAP_MSSY2 (an automatic ABAP program) runs automatically in a dialog work process. For time-based job scheduling we have a job-scheduling table in the DB. Jobs that are not assigned to any particular target server can be executed by any free background work process. This means that the workload is automatically distributed between the systems. If a job is scheduled on a particular target machine, it will run only based on the load of that machine. The automatic selection option is disabled in this case.

Standard Jobs
Standard jobs are background jobs that should run regularly in a production system. We need to take care of them as part of our monitoring. They mainly perform certain clean-up activities in a system, such as deletion of obsolete spool requests. In SM36 we go to standard jobs. To schedule all default jobs, choose the "Default Scheduling" option. All standard jobs that are defined in the table REORGJOBS are scheduled with the specified variant and period. To schedule individual jobs, choose the particular job using SM36 and set the execution period. To define an additional standard job that is not yet available in the table REORGJOBS, choose "Predefined New Jobs".

Event Based Scheduling

An event is a signal to the background processing system that a particular status has been achieved in the SAP system. The background processing system receives events and then starts all the jobs that are linked to this event. An application server (central instance) is specified for processing of event-based jobs. Event-based jobs can be scheduled with one of the following 3 start conditions:

1. After Event
2. After Job
3. Operation mode

The transaction code to define a new event is SM62. When defining an event, the administrator differentiates between system and user events. System events are events predefined by SAP that you can neither modify nor trigger.

Triggering events is done in various ways:
1. Manually using SM64
2. Using an ABAP program
3. Outside SAP at OS level, using the program "sapevt", which runs at OS level.

Reservation for Class A Jobs:
There are very few jobs which will be reserved as type Class A. The reservation of work processes for Class A jobs does not reserve any particular work process; rather it ensures that a particular number of work processes is always kept free.

To set the number of reserved background work processes for Class A, you define an operation mode in RZ04 and maintain the work process allocation for this operation mode. By doing so, we have the option of reserving work processes.

SAP strongly recommends not reserving more than one background work process for processing Class A jobs.


A job server group contains one or more instances with available background work processes. It is possible to select a job group for a particular job.

Transaction code to set up a job group: SM61
Transaction code to set up an extended job selection: SM37c

Background Users
With the definition of jobs in SM36, we can assign each step of the job to a user. This particular user shall have authorization for executing the jobs. There are 2 options:

1. By default, the job will be executed using the current user with which I have logged in.

2. Enter a different user name if your job should not be performed using your own authorizations.

To perform this action we should have the authorization S_BTCH_NAM, which allows entering names other than your own in the user field.

Use the "System" user type when creating background users (SU01 is the transaction code to create users). A dialog logon with this user is not possible.
If I define a job using the job wizard, by default the name of the logged-on user is used for the authorization check.

RFC (Remote Function Call)
An RFC is a call of a function module that is running in a different system from the calling program. You can also call a function module in the same system as an RFC; however, RFCs are mostly used for calling different systems. RFC is an SAP interface protocol, i.e. it is based on the common programming interface for communication (CPI-C). This means that ABAP functions can be called from external applications and tools.

RFC Destinations:
1) R/3 connection
2) Internal connection
3) Logical destinations
4) SNA/CPI-C connections
5) TCP/IP
6) Connection using ABAP/4 drivers

Transaction code for RFC connections: SM59

Types of RFCs
1) Synchronous RFC (SRFC): This is used for communication between different systems and between SAP WAS and SAP GUI.
2) Asynchronous RFC (ARFC): for communication between different systems and for parallel processing of selected tasks.
3) Transactional RFC (TRFC): A special form of ARFC. TRFC ensures transaction-like processing of steps that are originally defined.
4) Queued RFC (QRFC): QRFC is an extension of TRFC. It also ensures that individual steps are processed in sequence.

Note: If SNC is configured, we get a tab in SU01 (user administration). KeyOn is a 3rd party tool configured for single sign-on for SAP systems. RFC connections should be bi-directional.

Configuring Printers in SAP Systems
The way in which documents are created may be completely different, but the output on paper is always performed using the same mechanism in two steps:

1) A spool request is created
2) The spool request contains device-independent print data and includes administrative info and the actual print data.
3) Only when the spool request is to be output on a particular device is an output request created.

Device-independent print data from the spool request is converted to the printer language that the selected output device understands. This procedure allows the user to display the spool request before output. If the user wants to create a spool request and an output request at the same time, he has to choose the "PRINT IMMEDIATELY" option. The actual document content of a spool request is stored in TemSe (Temporary Sequential Objects). We can define the storage location for TemSe objects using the profile parameter rspo/store_location. Spool requests are stored in DB table TST03. We can specify the storage location for the output device using the transaction code SPAD.

Note:

1) SICK (SAP Initial Consistency Check). It’s the first Trans-Code used in post SAP installation.

2) SPRO (Customizing)

Installation of Languages (SMLT)
German and English are provided by default. To install a new language, use SMLT to configure the new language setting.

Note: The default profile parameter related to languages is zcsa/installed_languages.

Local Printing:
The spool work process and the OS spool are running on the same host machine.
Access Methods of Local Printing: Unix = L; Windows = C
Local printing is the fastest and most reliable connection from SAP to the OS. You can configure multiple spool work processes for an SAP instance.

Remote Printing:
With remote printing, the spool work process and the OS spooler are running on different hosts.
Access Methods of Remote Printing: Unix = U, and Windows = S as well as U (Unix Berkeley Protocol)

Front End Printing:
We can connect output devices to our front-end machines. The access method for front-end printing is F. In the Microsoft Windows OS, the transfer program saplpd receives the data stream and forwards it to the default printer. We can specify the maximum number of spool work processes used for front-end printing with the profile parameter rdisp/wp_no_fro_max (default value is 1).

Note: Front-end printing is not suitable for production or mass printing. Since front-end printing requires a connection to the front-end PC, we cannot use background processing.

Create an Output Device
Go to transaction code SPAD to create an output device. Parameters to be given in SPAD (Output Devices, Devices/Servers):
1) Output Device: Enter the name (case sensitive) of the output device, max of 30 characters
2) Short Name: Can be generated automatically
3) Device Type: The printer model needs to be given. Device type "SWIN" is used for front-end printing.
Location = Room + Building where the printer is located.


Spool Server
It is an SAP application server with spool work processes, or a logical server name.

Lock Printer in SAP system
Output requests for printers for which this indicator is selected are created but not transferred to the printer. The user receives the message "No immediate Printing".

Host Printer = Name of the printer at OS level (case sensitive)
Note: The specification _DEFAULT is set for front-end printing.

Destination Host: This is used only for remote printing. It represents the name of the host where the OS spooler is running.

Host: used only for local printing; it is calculated automatically from the spool server.

Device Type
SAP uses the device type to format the output device printout. When the spool work process generates an output request, it uses the specification of the device type. This device type describes how print data should be formatted for a particular output device.

Page Format
This describes the format of a printable page in the SAP system, i.e. how output should appear on paper. A format is a device-specific implementation of a format type. Example: to perform an output on a page with letter format.

Character Set: Contains the characters that can be output to a device.
Print Control: This allows the control of display options of output devices, such as font size and bold face.

{Questions}
Q) How to identify how many spool work processes are set up in a particular application server?
Ans) Go to transaction code SM51 and select the application server. Go to SM50 and count the number of work processes with SPO.

Q) How many spool processes are configured in our entire SAP system?
Ans) SM66 and check for SPO work processes. In select process, choose Type = Spool and Status = Wait.

Q) Can we change the number of spool work processes by operation mode switching?
Ans) No. Only background and dialog work processes can be modified.

Q) How to identify how many spool servers are available in your SAP system?
Ans) SM51 or SM66 and check for application servers with at least one spool work process.

Q) How to make a setting for an individual SAP user so that an output request is not created immediately for a spool request?
Ans) SU3, go to the Default tab and ensure that the output immediately option is not checked.

Q) How to find which printer is defined at OS level of your server?
Ans) Go to Start -> Settings -> Printers (Revisit)

Steps to create a local printer
a. Go to SPAD -> device/server tab
   i. choose output device
b. Select the change button
   i. to get into change mode
   ii. Device contribute step
   iii. device type
   iv. spool server
c. Access method -> host spool access method (C), host printer (name of the printer) the same.

Output a list:
To create the suggest list go to 'SA38', enter the report 'RSPFPAR' and execute it. Enter the parameter 'RSPO*' and execute again.
Go to 'SM51' and select the print option.

Creating a remote printer: The procedure is the same as for a local printer.

Creating a front-end printer: Go to SPAD, devices/server/page and choose output device.

Database

- Database Overview
- Backup Restore & Recovery
- Monitor Cateradf

Oracle database: a collection of data stored in one or more data files on disks.
- Oracle manages database data in logical units called table spaces.

Table space: One or more data files.

Instance: A set of Oracle background processes and memory buffers forms an instance.

What happens when an Oracle instance is started?
- The shared global area is allocated (SGA is allocated)
- Oracle background processes are started.

* In Unix we can identify Oracle processes as individual system processes.
* In Windows these processes run as threads within one common Oracle OS process, i.e. 'Oracle.exe'.
* When an Oracle instance starts, a special process called the listener process opens and establishes communication between NetWeaver and Oracle.
* The listener process is not part of the Oracle instance; it is rather part of the network processes that work with Oracle.
* In SAP the dedicated server configuration is used, i.e. for each work process we have a dedicated server process called a shadow process.
* The ratio of work processes to shadow processes is 1:1.
* To handle a database request, an SAP work process communicates with its corresponding shadow process.


* Database data is permanently stored in data files on disk.
* To accelerate read and write access, data is cached in the database buffer cache in the SGA.
* Executable SQL statements are stored in the shared SQL area of the shared pool.
* The Oracle data dictionary is stored in the row cache of the shared pool.
* Data processing never takes place directly on disk; the data is first copied by the associated shadow process from disk to the database buffer cache in the SGA.

Q: What is the size of an Oracle data block?
Ans: 8 KB (fixed size)

* Oracle keeps the most recently used data blocks in the database buffer cache.
* Sometimes Oracle writes the least recently used data blocks in the buffer cache.
* Modified data blocks are called dirty blocks.
* The shadow process never copies modified data to disk.
* Copying data to disk is done by a special background process called 'DBWO' (DB writer).

What are the situations in which DBWO writes dirty blocks to disk?
- If the number of scanned buffers reaches a certain threshold.
- At a specific time, that is when a checkpoint occurs.

* Scanning of the buffers is done by the shadow process.
* Changes are done in two ways:
- Roll forward changes.
- Roll backward changes.

* Redo entries are stored in redo log files and are used to perform roll forward recovery.
* Undo entries stored in the undo table space are used to perform rollback.
* Redo changes = committed changes = new value = after image.
* Undo changes = uncommitted changes = old value = before image.
* The Oracle shadow process records redo changes and stores them temporarily in the redo log buffer of the SGA.
* The Oracle background process "log writer - LGWR" writes the data in the redo log buffer to the online redo log files, which are stored physically on disk.
* The redo log buffer is also called a circular buffer.
* The circular buffer records all committed and uncommitted changes made to the database.

Q: What are the conditions in which the log writer writes redo log buffer data to the online redo log files?
Ans: There are 4 conditions:
- When a transaction is committed.
- Every three seconds.
- When the redo log is 1/3rd full.
- When DBWR is about to write modified buffers to disk and some of the corresponding redo records have not yet been written to the online redo log, i.e. write ahead logging.

* Each committed transaction will have a system change number (SCN) stored in the redo log file.
* The size of an Oracle redo log file is 40MB (fixed number). There are four predefined collections of online redo log files.
* At every log switch Oracle will increase the log sequence number.
* The current online redo log file that 'LGWR' is writing into is called the active online redo log file.

Control files
This file is used to start and operate the database.
What are the entries in control files?
- Physical structure of database
- State of database
- Table space information
- Names and location of data files and redo log files.
- Current log sequence number

* If the physical structure of the database changes, the control files get updated automatically.
* SAP stores control files in three locations during installation of SAP. It is recommended to store the files on three physically separate hard disks.
* If database = open, then the control file is available for writing.


* Normally caches are small and don’t grow.* ‘RMAN’ for backups, “cofiles may grow by factor 10”, because they contain information about RMAN backup.

Check point Functions:* Checkpoint wakes up the database writer to copy all buffers that are dirty to the disk.* It also updates header of all data files to record details of the check point.* If writers information about the check point position in online redo log files into the cofile. This information is used during database recovery.* Less frequently the checkpoint occurs the longer is the time the instance need for recovery.* Checkpoints occurs at log switch.

Database Recovery:* Online redo log files used for database recovery (instance recovery). After restart, the system performs automatic recovery.* If online redo log files are lost during a crash, a complete recovery is not possible. Hence online redo log files must be mirrored i.e. two or more copies needs to be maintained.* Oracle it self mirrors online redo log files by default.*Online redo log fines are limited in size, and cannot grow automatically.* Automatic instance recovery of online redo log files is possible.* To manually restore and recover data files which are missing, we need both a database backup and all redo log information written after the backup.* Archiving must be exclusively activated by tuning on archived log mode i.e. “LOG_ARCHIVE_START” is true.* Archiving is take care by an oracle background process called as “ARCO” (archive)*Oracle cannot mirror offline redo log files, hence we must use RAID.* Offline redo log files and data files should be on different disk.

SMON (System Monitor)
* SMON performs recovery at instance startup.
* It writes alert log information if any instance process fails.
* It cleans up temporary segments that are no longer in use.

PMON (Process Monitor)
* This monitors shadow processes.
* In case of a client process crash, PMON rolls back its uncommitted data, stops the shadow process and frees resources.

Oracle Directory Structure in SAP
In Unix all directories are present under one single tree, whereas in Windows all directories are present under separate drive letters. They have 3 files inside the directories:

/database (Windows)  init<SID>.ora
/database (Unix)     init<SID>.sap
spfile<SID>.ora (only from Oracle 9i)

• Online redo log file = original log and mirror log.

• Define redo log files: original arch, SAP arch.
Note: All previous versions up to Oracle 8i have the saparch directory.

• SAP trace = Alert <SID> log = SAP trace/background/user trace
• Data files = SAP data1 ... SAP data <n>

There are 3 environment variables on the database server:
1. ORACLE_SID = system ID for the DB instance
2. ORACLE_HOME = the directory for BR* tools
3. SAPDATA_HOME = the data file directory


• The home directory for Oracle is ORACLE_HOME.
• The location for cofiles and offline redo logs is configured in the Oracle profile init<SID>.ora.
• The location for data files and online redo log files is stored in the database.
• The Oracle tool to ping is ‘TNSPING’.

Oracle System Privileges
• SYSDBA and SYSOPER are Oracle system privileges.
• Control of these privileges is outside the database.
• The privileges allow access to the database instance even when the database is not open.

Operating System Users and Groups (Start -> Programs -> Admin tools -> Configure Management -> Users, Groups)
Users:
<SAPSID>adm and ora<SID> are the two users which are created on a Unix system, whereas <SAPSID>adm and SAPService<SID> are created on a Windows system.
Groups:
1. ‘ora_dba’ = Members of this group can connect to the Oracle database as DBA without a password.
2. ‘ora_<SID>_dba’ = admin group
3. ‘ora_<SID>_OPER’ = DB operator group

Extra Groups:
SAP_<SID>_GlobalAdmin = SAP Global Admin Group
SAP_<SID>_LocalAdmin = SAP Local Admin Group
SAP_LocalAdmin = SAP Local Admin Group

• Operating system group DBA has administrative privileges, whereas OS group OPER has restricted privileges.
Note: Always assign database roles to users.

• Database roles have privileges.
Roles: DBA and SAPDBA are the two roles.
The DBA role is created by Oracle.
The SAPDBA role is created by SAP.

• The role DBA has all admin privileges except the ‘SYSDBA’ and ‘SYSOPER’ system privileges.
Note: The privilege ‘SAPDBA’ provides access for administrating certain tables.

• SYSOPER has all SYSDBA privileges except create DB and without the ability to look at user data.

Database Users:
1. ‘SYS’ and ‘SYSTEM’ are created by Oracle.
2. SAP<SID> or SAP<SCHEMA_ID> is created by SAP.
3. The default user used by SAP to connect to the database is system.
4. During installation of the Oracle database, you will be prompted to enter the password for the users SYS, SYSTEM and SAP<SCHEMA_ID>.
Note: OPS$ is a user which is created by SAP and does not need a password.

• SAP work processes at OS level connect to Oracle with the user name ‘SAP<SCHEMA_ID>’.
• The password for this user is stored in the Oracle system table ‘SAPUSER’.
• The work process first connects as the ‘OPS$’ user and gets the password for ‘SAP<SCHEMA_ID>’ from the table ‘SAPUSER’.
• Never change the password for ‘SAP<SCHEMA_ID>’ directly; always use the BR* tools, i.e. ‘BRCONNECT’, to change the password.

• OS files stored in the ‘ORACLE_HOME’ directory:
• ‘listener.ora’ = contains all Oracle system IDs and protocol addresses.
• ‘tnsnames.ora’ = contains the list of server names for all the databases that can be accessed in the network.


• ‘sqlnet.ora’ = contains client-side information.
• Oracle has one listener, i.e. ‘LSNRCTL’.

Options:
OS level: lsnrctl help
OS level: lsnrctl status = Oracle. Location of parameters and listener log files.

Note: ‘listener.ora’ = listener tracing files.
Options:
1. Off = Offered
2. User = Limited Trace
3. Admin = Detail Trace

BR* Tools (Used for entire backup administration)
• BR* tools is a package name which contains various tools.
• These tools are divided in various ways based on their performance.
Note: If you get an error message while calling BR tools, then your version might be older (less than 4.7).
• There are two modes for calling the various options in BR tools:
- Main Menu Mode
- Quick Mode

BRCONNECT must be called in main menu mode.

• ‘BRSPACE’ and ‘BRRECOVER’ always make a ‘CONNECT / AS SYSDBA’, because their actions require the SYSDBA privilege.

• Once you connect as SYSDBA, if you do not want to enter a user name and password while calling SQL*Plus, call the interactive program using the command ‘SQLPLUS /NOLOG’.

• SQL*Plus by default connects to the db defined in enhancement oracle database.

• Changing the password for the SAP user is done using ‘BRCONNECT’.
Note: Passwords for DB user ‘SAP<SCHEMA_ID>’ or ‘SAPR3’ should not be changed using Oracle methods.

Database Transaction Codes:
1. DB13: Schedule backups and other administrative jobs.
Note: ‘DB13C’: This is used to schedule backups and admin activities centrally for all SAP systems and databases.
2. DB14: To check the status and logs of all database operations.
3. DB16: Overview of database system checks.
4. DB17: View and maintain check conditions for database system check.
5. DB20: Maintain statistics.
6. DB21: Configuration of statistics.
7. DB26: Database parameter overview with history.
8. DB02: Table and index monitor.
9. ST04: Database performance monitor.
10. RZ20: DB Alert Monitor (optional).
11. DB13 is used as an interface to schedule background jobs starting with DBA*. These background jobs look into table ‘SDBAC’.

Q: Why do I need ‘SPFILE<SID>.ora’ even though I have ‘init<SID>.ora’?
Ans: From Oracle 9i ‘init<SID>.ora’ is replaced by ‘SPfile<SID>.ora’ or ‘SPfile.ora’.

12. SPfile.ora is the server-side initialization parameter file (Oracle database server).
• Do not make parameter changes at Oracle level, because that only changes parameter values in the SPfile. Always use BR* tools, because they maintain consistency by copying the contents into both files.
• The transaction codes DB02 and ST04 still use ‘init<SID>.ora’.
• The SAP installation tool does not create the SPfile. The SPfile is created using the SQL*Plus command ‘CREATE SPFILE’.
• The SPfile is stored in the ‘ORACLE_HOME’ directory, the same as ‘init<SID>.ora’.


• RZ20: Database alert monitor.

Starting of Database
1. No mount = reads parameter files; the database instance is started and memory buffers are allocated.
2. Mount phase: opens cofiles.
3. Open: opens all data files and online redo log files.

• The mount phase is used for database recovery, for changing archive log mode, for removing and moving data files and also for adding, dropping and renaming online redo log files.

• Do not use ‘BRCONNECT’ to start and shut down the database; instead use ‘BRSPACE’ because it tried logfile actions.

• The no mount phase is used for creation of the database and for recreation of lost cofiles.

Start and Stop Commands
BRSPACE -c force -f dbstart -s <State>

Stopping of Database
1. Normal: Oracle waits till all users are disconnected from the database. All files are closed, the database is dismounted and the instance is shut down.
2. Transactional: Oracle waits for all open transactions to finish, then disconnects users and shuts down the database.
3. Immediate: No new connections and transactions are allowed. PMON ends all user sessions and performs a rollback of any open transactions, and only then is the database shut down.
4. Abort: No new connections and transactions are allowed. No rollback of open transactions. Users are disconnected and Oracle processes are stopped.
Note: With the first three methods above, the database is shut down in a consistent state and does not need recovery at the next restart.

• Default mode for Oracle shutdown is normal.

• The Oracle commands shutdown immediate and shutdown abort stop the Oracle instance even if work processes still have connections to the database.

• Oracle info messages, warnings and errors are logged in Oracle dump files, i.e. background and user trace, which are located in the ‘SAPDATA_HOME’ directory.

• The background directory stores the alert log file, Alert_<SID>.log, whereas the user directory stores trace files written on behalf of shadow processes.

(Q) If a file is missing from the chain of offline redo log files, what do we do?
(A) We have to perform a restore and recovery of the database. Recovery is performed using the method “Point In Time”, by which all the offline redo log files older than the last one are used for recovery.

(Q) What are the causes of logical errors related to the database?
(A) (i) Manually deleting parts of database objects such as rows in a table.
(ii) Manually dropping database objects.
(iii) Manually dropping application objects.

(Q) Is Point in Time Recovery a standard solution for logical errors in a production system?
(A) NO

(Q) Where do we use Point in Time Recovery?
(A) Point in Time is very critical in a system landscape with data dependencies between systems.

(Q) How do we verify consistency of the Oracle database?
(A) By performing a logical data check.


(Q) Why do we need to perform a logical check?
(A) In order to check for corrupted data blocks (ORA-1578).

(Q) Why do we need to perform a physical data check?
(A) To verify the tapes used for database backup.

(Q) How often do we perform online and offline backups?
(A) Online Backup = Daily
Offline Backup = Once in a Week

(Q) How do we perform backup of offline redo log files?
(A) (i) A backup of every offline redo log file is taken TWICE on separate tapes before the files are deleted from the archive directory.
(ii) Perform additional backups after each system upgrade and also if the database structure is modified.

(Q) What are the tools used by the Oracle admin in an SAP system for backups?
(A) Database Backups = BRBACKUP
Offline Redo log files = BRARCHIVE

(Q) What are the occasions on which changes to the file structure of the database are made?
(A) 1) When a data file is added.
2) When a data file is moved to a different location.
3) When a table space and its data files are reorganized.

(Q) What are the various backup types?
(A) There are 5 backup types:
1) Online Backup
2) Offline Backup
3) Complete Backup
4) Incremental Backup
5) Partial Backup

Complete Backup:
All the data in the database is backed up. Complete backup is again divided into 2 types:
1) Full Backup: After the data backup, additional information, i.e. the catalog, is written into the cofile by Recovery Manager.
2) Whole Backup: It creates a backup of all the data without the catalog.

Incremental Backup:
i) This backup is used for backing up only the data blocks that have changed since the time of the full backup.
ii) An incremental backup shortens the amount of data to be backed up, not the backup time.
iii) An incremental backup is based only on the previous full backup.

(Q) If the corresponding full backup is already overwritten, can I use the incremental backup?
(A) NO, the incremental backup is useless.

(Q) Can I perform a backup of individual data files using incremental backups?
(A) NO

Partial Backup:
The backup of the database in smaller parts is called a partial backup.

*NOTE: The sum of the individual partial backups forms an entire complete backup.
*NOTE: Recovery using partial backup data is very time consuming, because it needs all oldest Backup Offline and Online recovery processes.


(Q) What are the various backup strategies used in SAP?
(A) There are 3 backup strategies in SAP:
i) Complete Backup: Restore missing database files from the complete backup, then restore the offline redo log files written during and after this backup.
ii) Incremental Backup: Restore missing data files from the last full backup, then update them with a restore from the last incremental backup.
iii) Partial Backup: If we replace the complete backup with partial backups, we need a longer time to perform a recovery from a media crash.
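The recoverability rules from the backup sections above can be checked mechanically. The following Python sketch is an added example, not part of the original notes and not code from the BR* tools. The backup catalog, its field names and the log sequence numbers are constructed assumptions; the logic is a simplified model of the stated rules: an incremental backup is usable only while its full backup still exists, a whole backup cannot serve as a basis for an incremental, and a gap in the offline redo log chain limits recovery to a point in time before the gap.

```python
def plan_recovery(backups, offline_logs, last_seq):
    """Pick the restore base and the offline redo logs to apply.

    backups:      list of dicts with id, mode ('full' | 'whole' | 'incr'),
                  base (id of the full backup an incremental builds on),
                  seq (log sequence number at backup start) and
                  available (False once the tape has been overwritten).
    offline_logs: set of offline redo log sequence numbers that can be restored.
    last_seq:     last offline redo log written before the crash.
    Returns None when no usable complete backup exists.
    """
    usable = {b["id"]: b for b in backups if b["available"]}
    candidates = []
    for b in usable.values():
        if b["mode"] in ("full", "whole"):
            candidates.append((b["seq"], b, None))
        elif b["mode"] == "incr":
            base = usable.get(b.get("base"))
            # An incremental is useless without its full backup, and a
            # whole backup is not accepted as a basis for an incremental.
            if base is not None and base["mode"] == "full":
                candidates.append((b["seq"], base, b))
    if not candidates:
        return None

    # Start from the most recent restorable state.
    start_seq, base, incr = max(candidates, key=lambda c: c[0])

    # Walk the offline redo log chain; stop at the first gap.
    logs, missing = [], None
    for seq in range(start_seq, last_seq + 1):
        if seq not in offline_logs:
            missing = seq
            break
        logs.append(seq)

    return {
        "restore": [base["id"]] + ([incr["id"]] if incr else []),
        "apply_logs": logs,
        "complete": missing is None,       # False -> point-in-time recovery only
        "first_missing_log": missing,
    }


# Constructed sample catalog (not taken from any real system).
BACKUPS = [
    {"id": "F1", "mode": "full", "base": None, "seq": 100, "available": False},
    {"id": "I1", "mode": "incr", "base": "F1", "seq": 110, "available": True},
    {"id": "W1", "mode": "whole", "base": None, "seq": 120, "available": True},
    {"id": "F2", "mode": "full", "base": None, "seq": 140, "available": True},
    {"id": "I2", "mode": "incr", "base": "F2", "seq": 150, "available": True},
]
ALL_LOGS = set(range(100, 161))
LOGS_WITH_GAP = ALL_LOGS - {155}   # offline redo log 155 was lost

if __name__ == "__main__":
    print(plan_recovery(BACKUPS, LOGS_WITH_GAP, 160))
    print(plan_recovery(BACKUPS[:3], ALL_LOGS, 160))
    print(plan_recovery(BACKUPS[:2], ALL_LOGS, 160))
```

Running such a check against the real backup logs after every backup cycle shows early when a lost tape or archive file has already made a complete recovery impossible.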

TOOLS:
(1) BRBACKUP: Backup of Oracle data files, cofiles, DB redo log files, Oracle software directories and SAP system directories.
(2) BRARCHIVE: Backup of redo log files.
(3) BRRESTORE: Restores all DB files and offline redo log files.
(4) BRRECOVER: Checks the database for missing files; it calls BRRESTORE for restoration of missing data and offline redo log files.

NOTE:
(1) Both BRBACKUP and BRARCHIVE record their actions in log files; BRRESTORE uses these logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE support backup to tapes and disks as well as backups with third-party tools.

Important Parameters for Configuration of BRBACKUP and BRARCHIVE (init<SID>.sap)
(A) Backup_mode = All (whole)
    Full (full backup)
    Incremental backup
    Partial (table space name, dir path, file IDs)
(B) Backup_type = Online and Offline backup
(C) Backup_dev_type = Tape or Disk or External Interface
(D) Util_file = BACKINT (external backup program through interface BACKINT)
(E) TAPE_COPY_CMD = CPIO or DD or RMAN (copying files from disk to tapes)
NOTE: DD = raw devices are copied with this option
      CPIO = directories are copied with this option
The profiles init<SID>.ora and init<SID>.sap and the summary and detail logs are copied with CPIO.
(F) DISK_COPY_CMD = cp, copy (copying files to disks)
    cp is used in UNIX
    copy is used in WINDOWS
(G) Expir_period = (1) We have to specify the expiry period of a tape
    (2) Tape_use_count = max number of times volumes can be written to tapes
(H) Volume_Backup: names of volumes used for backups (BRBACKUP)
    Volume_Archive: names of volumes used for backups of offline redo log files (BRARCHIVE)
(I) Tape_Address = identifies the device address of tapes
(J) DD_FLAGS and DD_IN_FLAGS = specify block size (at least 64 KB)

Integration of Oracle Recovery Manager (RMAN) into SAP Tools:
(1) RMAN is the default Oracle backup and restore program.
(2) RMAN executables run in a client process and connect to the database.
(3) Backup with RMAN is done in 2 ways:
    (i) RMAN classifies a complete backup as a level 0 backup.
    (ii) Level 0 serves as the basis for level 1 (incremental).
(4) Backups performed without RMAN call CPIO or DD to save database files to tape.

*NOTE: RMAN always writes the information in a separate file, the recovery catalog.


(Q) Can RMAN recover the database automatically without the recovery catalog?
(A) NO

(5) RMAN performs backups directly to disks and not to tapes.
(6) RMAN uses an Oracle shadow process to check for data block corruptions, filters those blocks and then writes used blocks to backup media.
(7) The parameter that passes control of copying data to backup media to RMAN is TAPE_COPY_CMD or DISK_COPY_CMD = RMAN_DISK (RMAN value).
(8) Advantages of using RMAN:
    I) All blocks are checked for block corruption to ensure a consistent state.
    II) Only used blocks are copied to backup media.
    III) Empty blocks used before are always backed up.

(Q) Can a whole backup be considered a level 0 backup?
(A) A whole backup is not a level 0 backup and can’t be used as the basis for an incremental backup.

(9) RMAN writes header, trailer and blocks of at least one database or one raw disk file to a file called SAVESETS.
(10) Using SAVESETS speeds up the backup process.

PREPARATORY RUN:
A preparatory run is used to determine the optimal SAVESET distribution of the data files we want to back up.

(Q) Why do we need to perform a preparatory run?
(A) If a backup with RMAN is supposed to form sets, then we need to perform a preparatory run. The preparatory run can be started from DB13 (prepare for RMAN backup). No backup is created during the preparatory run; it only estimates the compression rate of BRTOOLS and determines the compressed and decompressed file sizes.

It is recommended to perform one preparatory run per backup cycle.

TAPE MANAGEMENT:

(1) Each and every tape used for backup, i.e. by BRBACKUP and BRARCHIVE, needs to be initialized.

(2) During tape initialization an SAP-specific label is written to the tape as the first file (Tape.hdro), containing the tape name.

(3) BRTOOLS -> Backup -> Dbcopy -> Additional Functions -> Init of BRBACKUP tape volumes or Init of BRARCHIVE tape volumes.
The command to start the initialization is BRBACKUP | BRARCHIVE -i|-initialize.

(Q) What are the contents of the tape label after a tape is initialized?
(A) (i) Tape name
(ii) Name of the database
(iii) Time stamp of the last backup recorded on the tape
(iv) Number of backups performed with the tape

Before writing data to a tape, the label is read to check the following:
(i) Tape name
(ii) Tape locked or expired (Expir_period)
(iii) No. of times the tape has already been read (Tape_use_count)

If Expir_period = 0 days, the volume is not locked at all and can be overwritten.

• If a lock occurs on a tape, it automatically expires at midnight.


(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape locks?
(A) There are 2 types of locks:
(i) Physical lock check: The physical lock check is done by checking the tape label against the parameter Expir_period. If the number of days passed since the tape was last used is less than the value of the parameter Expir_period, then the tape is physically locked.
(ii) Logical lock check: This value is derived from the time stamp written to the tables SDBAH, SDBAD.

(Q) What are the various tape selection processes?
(A) (i) Automatic tape selection by BRBACKUP and BRARCHIVE
(ii) Manual selection by the operator
(iii) By external tool

(Q) What is the option to select the tapes automatically by BRBACKUP and BRARCHIVE?
(A) Set the parameters Volume_Backup and Volume_Archive to TAPE.

(Q) What is the command to check which tape will be automatically selected?
(A) BRBACKUP | BRARCHIVE -q|-query [check]

(Q) How do we switch off automatic tape management?
(A) By setting the parameters (Volume_Backup and Volume_Archive) to the value “SCRATCH”.

(Q) How do I turn off the tape management performed by SAP tools?
(A) Configure the parameter Backup_dev_type = UTIL_FILE or UTIL_FILE_ONLINE and also configure the BACKINT interface in init<SID>.sap.
NOTE: The BACKINT interface program is only supported for external backup.

(Q) How do we verify backups?
(A) Verification of backups is of 2 types:
(i) Tape verification: The files are restored file by file and compared with the original files to verify that the backup is readable.
(ii) DB block consistency: This checks the database block by block using the Oracle tool “DBVERIFY” to identify and restore from bad blocks.
PATH: BRTOOLS -> Backup & DBcopy -> Verification of DB Backup, Verification of Archive log Backup
(iv) With the option USE_DBV (DBVERIFY) = NO, only the tape is verified (if YES, tape verification + DB block consistency check).

STATUS OF OFFLINE REDO LOG FILES:
(1) During backup to tape = ARCHIVE
(2) First status = SAVED
Second status = COPIED
After deletion = DELETED
During backup to disk = DISK

NOTE: All the above statuses are recorded in ARCH<SID>.log

ANALYZING DATABASE PROBLEMS:
(1) Check the database alert log and the trace files belonging to background processes (SAP Trace/Background):
    (i) Check the status of the database = Available or Not Available
    (ii) Check for errors = media or user error
    (iii) Check for corrupted files and file types = data, cofile, online redo log files


    (iv) Check if software or hardware mirroring = Available or Not
(2) The safest method is to perform a complete offline backup before the files are copied back into place in the restore, using BRBACKUP or any backup tool.
(3) The above step is very important for Point In Time Recovery or for a database reset, because these strategies always involve data loss.
(4) Save offline redo log files in the ORARCH directory using BRARCHIVE only.
(5) To check the reliability of the backup strategy, regularly run the restoration report in SAP using DB12.
(6) The above report is used to find out which backup to use for recovery, and it also displays information about the last successful backup.
(7) If the list of redo log files after the last database backup is too long, then perform a complete database backup.

BR Tools:
Log in as ORA<SID> using PuTTY and type BRTOOLS.
There are 9 options in total in BR tools.
a. Select Instance management, which is option 1.
b. In Database instance management select option 2 to shut down the database.
c. Type ‘C’ and press Enter to continue.
d. In the Database instance shutdown main menu select option 1, shutdown DB.
e. Under the options for shutting down the DB instance we have to choose option 1, that is close mode (default mode is immediate).
f. Select option 1 and enter a string value for ‘mode’ (immediate|normal|transactional|abort).
Note: If users are logged in to the SAP system then I cannot use immediate, normal or transactional modes. Using abort mode will forcefully shut down and will result in data loss, hence never use this option. To be on the safe side, always shut down using normal mode.

Alter DB Instance (switching off archive mode):
• Shut down SAP: Stop SAP [<SID>adm]
• Log on as the ORA<SID> user and start BR tools
• In BR tools select option 1 (Instance Management)
• Start up database: select option 1
• Alter DB instance: option 3
• Enter ‘c’ to continue
• Enter ‘c’ to continue
• Select option 4 to set non-archive mode
• Enter ‘c’ to continue and select option 5 to show instance status
Note: While switching between archive mode and non-archive mode, it shuts down the DB instance first and then starts the DB instance. In each of these cases the time stamp, that is date and time, is recorded. Once the DB is up and running, always check the status before performing any action.

(Q) If SAP is started and I try to switch to non-archive mode, what will happen?
(A) It will show an error stating that the SAP instance is running: please shut down first or use the force option.
(Q) If SAP is running and I try to shut down the DB using BR tools, what will happen?
(A) It throws an error saying that SAP is running: please shut down SAP first or use the force option and then continue.

Table space administration:

1. Oracle stores data in table spaces, each table space consists of one or more data files.

2. Data files are plain files stored on the local system.
3. Oracle has 4 segment types:


a. Data: This segment contains table data in rows.
b. Index: Each table has one primary index and ‘n’ number of secondary indexes (optional). The index is used for faster access to table data and to enforce unique constraints.
c. Temp segment: This segment is used for sorts and to create indexes.
d. Rollback/undo segment: This segment is used to provide read consistency, that is the ability to roll back changes to tables for recovery.

4. To meet the demands of a large DB, DB designers create partitioned tables and indexes.

5. An index segment in an Oracle DB used in SAP holds either all data for a table that is not partitioned or all data for a partition of a partitioned table.

Common table spaces:

1. SYSTEM = Oracle data dictionary
2. PSAPROLL = rollback segment
Note: From WAS 6.1 version we have SAP undo as rollback segment.
3. PSAPTEMP = temporary segment

(Q) If a table space is full, what are the possibilities to extend the table space?
(A) Option 1: Add another data file to the table space
2: An existing data file can be manually resized
3: Properties of an existing data file can be changed to auto extendable

(Q) What is the formula to increase the data file size?
(A) Data file size = Expected DB/100

(Q) How many data files will there be by default?
(A) By default there are 100 data files.

(Q) Expected DB size and data file size

Expected DB Size      Data File Size
Up to 200Gb           2Gb
200 to 400Gb          4Gb
400 to 800Gb          8Gb
Greater than 800Gb    60Gb

(Q) What is the error related to table overflow?
(A) ORA1653 for tables, ORA1654 for indexes.

(Q) What will happen if max extents are reached?
(A) ORA1533 is the error for max extents reached. If max extents is reaching its limit, then increase next extent. When extents are dropped they are marked as free and their blocks can be used by new extents, but adjacent blocks are not combined. The DBA must “COALESCE” free extents into one large extent. There are two options to coalesce extents:
1. BRCONNECT -f check: coalesce free extents automatically
2. BRSPACE -f check: coalesce free extents; use locally managed table spaces.


To solve the above problem with extents we must use locally managed table spaces.

Segment Sizes       Next segment Size   Max. no. of Extents
Less than 1Mb       Less than 64Mb      16
1 to 64Mb           1Mb                 63
64Mb to 1Gb         8Mb                 126
Greater than 1Gb    64Mb                Unlimited

The advantage of LMTS (locally managed table spaces) is that the “ORA1533” error will no longer occur. The only disadvantage of LMTS is that it always checks for used and free space.

Increase the Table space:

1. Log on as ORA<SID> and enter BR tools.
2. Space management (option 2)
3. Extend table space (option 1)
4. Enter ‘c’ to continue
5. Enter ‘c’ to continue

This gives the “Table space extension main menu”.
Note: First use option 2 to show the table spaces and their percentage full, make a note of any table space which is 80% or more full, and then add a data file as per the specification using option 1, that is “extend table space”.

6. Extend table space (option 1)
7. This will list all table spaces and percentage used.
Example table: “PSAPR3700”
8. Select the table space by its ‘pos’ (position).
9. Enter 2 to select the above example table.

Note: Options for extension of a table space:
a. Last added file name
b. Last added file size in MB
c. New file to be added
d. Raw disk/link target
e. Size of the new file in MB
f. File auto extend mode = YES
g. Max file size in MB = [10000]
h. File increment size in MB = [20]
i. SQL command = [alter table space name]

Note: The last added data file name and the new file to be added show the exact location where the data file resides, that is Oracle/<sid>/sapdata 1 to n/

10. Enter ‘c’ to continue
11. Enter option 5 to change the size of the new file in MB
12. Press ‘c’ to continue
13. Select ‘NO’ to continue with the current data file addition.
14. Select ‘YES’ to add a new data file to the current table or add a new data file to a new table.

Note: This action updates the time stamp in the cofile, that is, it creates a copy of the cofile in the location /oracle/<SID>/SAPREORA|[CNTRL<SID>.old]
Once the cofile copy is created, the table space is extended. Once this has completed successfully, it switches to the next online redo log file for the database instance and finally creates a copy of the cofile with the new time stamp, that is CNTRL<SID>.new

Top 10 Oracle errors:
1. ORA1631 and ORA1632: Max extent full
2. ORA1653: Table space full


3. ORA1654: Index full
4. ORA1113: When backup is aborted
5. ORA1144: When back is shutdown immediately
6. ORA1578: Data block corrupted
7. ORA0255: Database stuck
8. ORA1555: Buffer mode is OFF
9. ORA272 and ORA255: Archive stuck
10. ORA600: Hardware failure

Note: Options 4 and 5 are also called missing end backup.

Changing Oracle Parameters

Q) Create server parameter file from init<sid>.ora
A) Log in as the Oracle user (ora<sid>)

Security

We have two parts of security:
I. User administration
II. Role administration (role of a particular user)
Create / Change / Delete } Any one role has to be given to a user.

SOD: Segregation of Duty

                      Time sheet   Travel expenditure
Permanent user (X)    Do           Do
Temporary user (Y)    Do           Don’t
Contractor user (Z)   Don’t        Don’t

User administration (SU10)

This is used for creation of user accounts and other functions besides creation: delete, change, display, copy, lock/unlock and password reset.

The most common tickets:
1. Creation/deletion of user accounts
2. Locking and unlocking accounts
3. Password reset

Note: The user naming convention should be alphanumeric. First character should be there in the beginning.

Steps to create User Accounts
1. Enter the user and press the create button.
2. In the Address tab the only field we need to fill in is LAST NAME.
3. In Logon data, User Type: by default Dialog A.

Note:
• With user type Dialog we can log in to the SAP system.
• To create a user we need to maintain the validity of the user.
• For a permanent user the valid-through date is 31-12-9999; for temp and contract users the valid-through date will be given in the ticket.
• Any request in security should have approval from a manager.


• By default approval comes in the form of an email; in some cases a third-party tool is used. It can contain an approval form, for example BSSR (Business Security Service Request).
• Default user group is SUPER. Based on the region or department we assign the user groups.

Sample Ticket
UID                 Mgr ID:
UName               Mgr Dept:
Position            Status
Department
SAP Requirements

Default Values
Default Language: ENG & GER
Decimal Notation: is divided into 2 parts
1) Germany
2) Rest of the world
Default Date Format: DD-MM-YYYY

Spool
Output Device: by default it will be empty.

Parameter:
By default, based on the roles, parameter values are assigned.
E.g.: ESS roles, i.e. related to time sheets

ROLES
This is where we assign the roles.
Note: Always assign the role first and not the profile. Every role by default has its own system-defined profile.
We can set the role validity from ... to. Default value is 31-12-9999.

PROFILES
Do not enter any profile directly; instead it will be pulled automatically once it is assigned in the Roles tab.

GROUPS
Already maintained in Logon Data

PERSONALIZATION
Set of Transaction Codes to work

LICENSE – User License
PFCG – Role administration
SU10 – Mass user administration
SE16 – Table view
SUIM – User info management
SU24 – Maintain authorization checks
EWZ5 – Mass lock and unlock
SU53 – Missing authorization error
ST01 – System trace/authorization trace

Basic Terminology of Authorization
Overview of elements of SAP Authorization Concept

User

Role

Authorization Profile

Authorization


Authorization Object

Authorization Object Class

Authorization Object Class: Logical grouping of authorization objects.
Authorization Object: A group of 1-10 authorization fields together form an object.
Authorization Field: Smallest unit against which a check should run.
Authorization: An instance of an authorization object, i.e. a combination of allowed values for each authorization field of an authorization object.
Authorization Profile: Contains instances (authorizations) for different authorization objects.
Role: Is generated using the profile generator (PFCG) and allows automatic generation of an authorization profile.

Note: A role describes activities of a user.

User / User Master Record: This is used for logging on to SAP system and grants restricted access to functions and object of SAP system based on SAP profiles.

Note:
Authorizations and authorization profiles are customizing objects.
Authorization classes, objects and fields are development objects.
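The terminology above maps onto a small data model. The following Python sketch is an added example, not part of the original notes and not SAP code. It models how a check walks from user to roles to profiles to authorizations, and it shows the case that most often surprises role designers: all checked fields must be satisfied inside one single authorization, so values spread over two authorizations of the same object do not combine. The object Z_TIMESHEET, the role and profile names and the transaction ZTIME are constructed; S_TCODE with its field TCD and the activity field ACTVT follow the usual SAP naming.

```python
from dataclasses import dataclass, field


def value_allowed(allowed, value):
    """True if value matches one entry: '*', 'PREFIX*', (low, high) or exact."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == "*" or entry == value:
            return True
        elif entry.endswith("*") and value.startswith(entry[:-1]):
            return True
    return False


@dataclass
class Authorization:
    """An instance of an authorization object: allowed values per field."""
    auth_object: str
    values: dict

    def satisfies(self, required):
        # Every checked field must pass inside this ONE authorization.
        return all(value_allowed(self.values.get(name, ()), wanted)
                   for name, wanted in required.items())


@dataclass
class Profile:
    name: str
    authorizations: list


@dataclass
class Role:
    name: str
    profile: Profile          # generated profile of the role


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def authorizations(self, auth_object):
        for role in self.roles:
            for auth in role.profile.authorizations:
                if auth.auth_object == auth_object:
                    yield auth


def authority_check(user, auth_object, **required):
    """Pass if any single authorization of the user covers all fields."""
    return any(a.satisfies(required) for a in user.authorizations(auth_object))


def can_start(user, tcode):
    """Transaction start check against S_TCODE (field TCD)."""
    return authority_check(user, "S_TCODE", TCD=tcode)


# Constructed sample data; Z_TIMESHEET, ZTIME and the role names are hypothetical.
ROLE_ENTRY = Role("Z_TIME_ENTRY_1000", Profile("T-00000001", [
    Authorization("S_TCODE", {"TCD": ["ZTIME", "SU53"]}),
    Authorization("Z_TIMESHEET", {"ACTVT": ["01", "02"], "BUKRS": ["1000"]}),
]))
ROLE_DISPLAY = Role("Z_TIME_DISPLAY_2000", Profile("T-00000002", [
    Authorization("S_TCODE", {"TCD": ["ZTIME"]}),
    Authorization("Z_TIMESHEET", {"ACTVT": ["03"], "BUKRS": ["2000"]}),
]))
USER_Y = User("TEMP_Y", [ROLE_ENTRY, ROLE_DISPLAY])

if __name__ == "__main__":
    print(can_start(USER_Y, "ZTIME"))                                        # True
    print(authority_check(USER_Y, "Z_TIMESHEET", ACTVT="02", BUKRS="1000"))  # True
    # Change (02) comes from one role, company code 2000 from the other:
    print(authority_check(USER_Y, "Z_TIMESHEET", ACTVT="02", BUKRS="2000"))  # False
```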

Q) Where are all possible activities stored?
A) In the table TACT
Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ
Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.
Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role to a user. If at all you want to, then first make a copy of the pre-defined role and then add the user to the copied role.
Q) Is a role without an authorization profile considered complete or not?
A) No
Q) What are the types of roles?
A) Roles are of 2 types:
1) Parental Role
2) Derived / Base Role
Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name so that an inheritance hierarchy is maintained and hence the transactions are automatically pulled into the derived roles.
Note: As per SAP recommendations never generate a parent role. Always generate derived roles and maintain the field values as well as organizational values in derived roles only.
Q) What is the total number of activities?
A) As per 4.7 total number of activities = 168
01 – 99 = Activities
A1 – VF = 69

STEPS to CREATE a ROLE (PFCG)
Creation of parental role:
• Any customized role should start with Z or Y.
• Enter the role name and select the role name button.
• Enter a valid description.
• Go to the Menu tab to add the transactions.
• Click on Save.
• Select add transaction.
Note: The default transaction to be added for every user of SAP is SU53.
• Assign the transaction and save the role.


Creation of Child / Derived Role:
Select the derived role name and, under Transaction Inheritance, fill in "Derive from Role" and click on "Yes".
Note:
1) In a derived role we can't make any changes under the menu tab, e.g. adding a transaction or report, or deletion.
2) The relationship between parent and derived role is 1:n
3) When creating a role for the first time, always go to expert mode.

Go to the Authorization tab to generate the derived role.
List of Tabs:-
Manually: Adding authorization objects manually to a role.
Open: To view all open fields, i.e. the fields in which the values are not maintained (represented by the color yellow)
Changed: To view the changed authorization objects.
Maintained: Shows the fields of the authorization objects for which the missing values are maintained.
Organization Levels: This field is used to maintain the organizational hierarchy like plant, warehouse, company code and call center.
Note:
1) Always maintain a value in the open field
2) If any standard value is changed, then the status is automatically changed from standard to changed.
3) By default, the type of all the authorization objects will be standard.
4) Always maintain the organization values using the organizational levels button only.

Hierarchy in a Role:-
Role Name: Blue
Class = Orange
Auth Object = Green
Authorization = Yellow
Fields = White

Q) What is the default authorization object which is used to check for any role?
A) S_TCODE
Note:
1) We cannot edit the S_TCODE object in a role. The only way to add a transaction code is in the parent role.
2) When a new role is created for the first time, if any functional transactions are added to the role, then we have to maintain the organization levels in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.

Note: All roles are created in the development system. Any modifications are done in the Dev system only. The developed changes are then transported to quality, tested and approved in Quality, and only then moved to production.
Q) Why should we not add organizational values directly in a role without using the org levels button?
A) Once values are maintained directly, value maintenance through the org levels button no longer changes them, i.e. whenever we try to add a new value and generate, an empty field appears, and when derived roles are adjusted the authorization value is overwritten.

Rules to be followed in editing the standard Objects:
1) Copy the standard object
2) Inactivate the standard, i.e. the first one.
3) Make the changes only in the copied one.

Note:
1) Once we make changes in the copied one, the status changes to maintained.
2) If we do not follow the above steps, then during the next regeneration of the role a new open field appears. Hence, in order to avoid the duplication of fields we need to follow the above rule/procedure.
3) If we make any changes to a parent role, like adding or deleting a Transaction Code, we have to generate all the child roles under the parent role.
4) Whenever we generate a derived role, always choose the maintenance option "read old status and merge with the new data".
5) If we choose "edit old status" then it will not reflect any open fields even though they are present.
6) Never try to select "delete and recreate profile".
7) Once the role is generated, we have to assign the role to a user using SU01 (or) add a user to the role using the PFCG User tab
8) Always assign only derived roles to a user. Whenever we add a user in a role, always run user compare.
9) In order to refresh the user buffer with new values we always have to go for user compare.

Compare User Master Record:
Comparing the user master record can be done in 2 ways
1) A default background job, i.e. the report "pfcg_time_dependency", is executed before the start of the business day but after midnight, meaning that the authorization profiles in the user master record are always up to date in the morning.
2) Using transaction PFUD (user master record reconciliation). As an admin, we should regularly execute this transaction; in this way we can manually process errors that have occurred.

Authorization Troubleshooting for a User
Whenever a user tries to execute a transaction which is not assigned, or tries to perform an activity which is not defined for an existing transaction, the user gets a "Not Authorized To" error.
In such a case ask the user for an SU53 screenshot for any authorization issues.
SU53 Analysis
SU53 has 2 parts
1) Authorization check failed: It captures the actual cause of the error.
2) User's authorization data: It captures the existing access of the user
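The two parts of SU53 can be reproduced with a small model of the authorization check. This is an added example, not SAP code: the role names, the plant values and the use of object M_MATE_WRK (fields ACTVT and WERKS) for the plant check are assumptions, and the user data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: allowed values for every field of one object."""
    obj: str      # authorization object, e.g. S_TCODE
    role: str     # role that contributed it (hypothetical names below)
    fields: dict  # field -> list of "*", single values or (low, high) ranges


def value_allowed(allowed, wanted):
    """True if `wanted` is covered by "*", a single value or a range."""
    for entry in allowed:
        if entry == "*" or entry == wanted:
            return True
        if isinstance(entry, tuple) and entry[0] <= wanted <= entry[1]:
            return True
    return False


def authority_check(auths, obj, required):
    """All required fields must be satisfied by ONE authorization of `obj`.
    Values from two different authorizations are never combined."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(value_allowed(auth.fields.get(field, []), value)
               for field, value in required.items()):
            return True
    return False


def su53(auths, tcode, checks):
    """Check S_TCODE first, then the application checks. Returns the two
    SU53 parts for the first failed check, or None if everything passes."""
    for obj, required in [("S_TCODE", {"TCD": tcode})] + checks:
        if not authority_check(auths, obj, required):
            return {
                "check_failed": (obj, required),
                "user_data": [(a.role, a.fields) for a in auths if a.obj == obj],
            }
    return None


# Constructed user buffer: create access for plant 1000, display for all plants.
USER_AUTHS = [
    Authorization("S_TCODE", "Z:MM_CREATE_1000", {"TCD": ["MM01", "SU53"]}),
    Authorization("M_MATE_WRK", "Z:MM_CREATE_1000",
                  {"ACTVT": ["01"], "WERKS": ["1000"]}),
    Authorization("M_MATE_WRK", "Z:MM_DISPLAY_ALL",
                  {"ACTVT": ["03"], "WERKS": ["*"]}),
]

if __name__ == "__main__":
    # ACTVT 01 = create; the user asks for a plant that no create role covers.
    result = su53(USER_AUTHS, "MM01",
                  [("M_MATE_WRK", {"ACTVT": "01", "WERKS": "0001"})])
    print("Authorization check failed:", result["check_failed"])
    for role, fields in result["user_data"]:
        print("User's authorization data:", role, fields)
```

The check fails although one authorization holds ACTVT 01 and another holds WERKS *, because the values of two separate authorizations are not merged.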

Note: In order to check the SU53 analysis of other users go to SU53 and click on display for different user's authorization object.
Analysis using SUIM
Scenario 1: A user has access to plant 1000 in MM01; now he is trying to create for plant 0001 and gets the error "no authorization to the plant 0001".
Solution: Request an SU53 screenshot. Once you receive the screenshot:
Go to SUIM
In SUIM check the roles which have access to plant 0001.
SUIM -> Go to Roles -> Roles by complex selection criteria, and deselect the user.
Go to Authorization Object 1 from the SU53 screenshot and select the entry values button
Enter the values as per SU53 under the authorization object and select the Execute button.
Double click on the role which we want to assign.
It will automatically take us to the PFCG transaction.
Go to Authorization tab -> Select Display authorization data.
Go to Find button (Ctrl+F)
Enter the authorization object in the authorization field and press Enter on Find Object.
Go to Utilities and select Technical names on

Second Method of Role Maintenance
1) Create a parent role, add transaction codes in the menu tab and generate the role.
2) Create child roles, assign the parent and generate the child roles.
Note: The generation of child/derived roles is always done from the parent role.
Process: Go to Authorization -> Edit -> Read old/merge with data.
Make changes in the parent role
Generate Parent
Finally select the generate derived roles button (or) select Auth -> Adjust Derived -> Generate derived roles
This will automatically generate all the derived roles from the parent role.
Note: In this method org values cannot be maintained using the parent role; we have to maintain org values individually in the derived roles.

Mass Generation of Derived Roles:
Copy all the derived roles into a notepad
Go to PFCG -> Go to Utilities -> Select mass generation
In the mass generation screen select all roles under presentation
Select Display data when created and changed
Click on Role Multiple Selection
Note: Go to notepad, select all and copy
Come back to multiple role selection and select the upload from clipboard button
Select the check entries button
And select the copy button & select the execute button.

Deletion of a Role:-
Before deletion of any role, first add the role to a transport and then proceed with deletion.
Q) Why do I need to add a role to a transport?
A) All the changes to the roles are done in the development box and moved to production. If I delete a role in the dev box, the same role has to be deleted in prod because these roles are finally used by the users in the prod box only. Hence the deleted role needs to be transported.
Go to PFCG, select the role to be deleted. Keep the role in a transport by selecting the transport role button.

Note:
1) In the choose objects options never check user assignment. Assignments of users to a role are done only in the production box.
2) Changes done using SU24 are of type workbench
3) Changes using PFCG are of type customizing.

SUIM change documents:-
For users:-
1) Used to find when a user was created or deleted, as well as password reset and user lock/unlock information. Besides this we can track information regarding roles, like when roles were added and deleted, who performed the action and the date of the action.

Scenario 1:
Q) Unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Logon data and check whether the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute

Note: Locks are of 2 types
1) Locked due to incorrect logon
2) Locked by admin

If the lock is of type admin lock, then we need to contact the admin for the reason for locking; hence never unlock directly.
If the lock is due to incorrect logon then go to SU01, select the user and press the unlock button.

Scenario 2: Mass user locking during upgrade:
1) Go to SU01, select * under the user column
2) This will give the entire list of users in my system
3) Copy the usernames into a notepad
4) Go to SU10, copy/paste the users and select the lock

Note: In SU10 we cannot set the password for all the users

Reference User is for internet purpose.
Note: Assignment of reference user
Go to SU01 -> Under roles tab -> ref user for additional rights, where we enter the ref username.

Process steps followed in security - Requests coming in form of CR / Templates
1) The request comes in the form of an approved CR form (Unique ID = CR Name)
2) Log in to DEV and perform the action as per the CR form requirement
3) Put the completed task in DEV under a TP (CUST/WORKBENCH)
4) Transport / move the TP to QAS for testing
5) Create a test id in QAS with the above changes and send the test id details to the CR Owner.
6) Once testing is completed in QAS the CR Owner will send an approval regarding the test results
a) If test results are positive then move to PR13, else rectify the changes needed.
b) Rectification of changes is done again in development.
c) The rectified change has to be kept in a new TP with the description of the above CR Name and moved to QAS.
7) Based on approval, we move the changes to production.
8) Once changes are in production, the CR owner or the end user tests and confirms the final status.
9) Once we get the final confirmation, i.e. the 2nd approval in PRD, we can close the CR.

As part of our daily activities we might receive tasks as follows
1) Changes in form of tickets. (Various 3rd party tools are available)
2) Changes in form of CR

Each ticket has its own priority i.e. SLA. Based on the priority there will be response time and resolution time for each request.

SLA
Priority  Type           Response Time  Resolution Time
0         Very Critical  10 min         30 min
1         High           30 min         1 day
2         Medium         60 min         4 days
3         Low            4 hrs          ----

Note:
Response time is the time in which we acknowledge the user request, i.e. once a ticket comes into our queue the first priority is to accept the ticket in our name; once this is done we have to send an acknowledgement to the user, via email, chat tool or phone, informing them that someone is working on the issue.
Resolution Time: This is the time in which we have to solve the issue.

Note: By default any ticket is in Open status

Stages of ticket:
1) Open
2) Working / In-progress + Assigned to our name + Inform the user + Copy the comments in the tool under the notes column.
3) Closed + Issue resolved + Inform the user + Communicate + Copy the comments in the tool under the notes column.
4) Waiting + Needed some inputs from the user to solve the issue + Inform the user + Copy the comments in the tool under the notes column.
5) Hold + Waiting due to user unavailability, i.e. the user has gone on vacation + Copy the auto response regarding user unavailability and paste it in the notes
6) Cancelled: If there are duplicates or the same request is raised again, we can cancel one of the requests by mentioning the previous request number under the notes column. (Or) if the user wishes to cancel his/her request, copy the confirmation under the notes and select the cancel button.

Types of CR (Change Requests)
Workbench / Customizing
1) New functionality CR: This CR carries new functionality changes which are done for the first time, i.e. creation of totally new roles.
2) Operational CR: This CR carries the changes which are done on a day-to-day basis, i.e. modification of roles and deletion of roles.
3) Defect CR: This comes in the form of a ticketing request, i.e. based on the ticketing request raised by the user using the ticketing tool we decide whether we need to create a defect CR.
Eg: Some access was already there for a user, but it was lost due to some reason, and we investigate and find out that these changes have to be there for users. In this scenario we raise a defect CR.

To rectify a defect CR
CR forms are created based on the quarterly release, i.e. we have 4 quarterly releases in a year. During this release different people, i.e. technical + functional consultants + security administrators, get involved and analyze various roles based on the inputs provided by the auditors.
This is where SOX policies come into play. In order to identify the various defects and conflicts in roles and between transactions we use various SOD (Segregation of Duty) tools like VIRSA, BIZRights. The process of identifying the defects or conflicts among the existing transactions and rectifying them is referred to as mitigation.

Ex: MM01 x MM02
1) Create X Change
2) Change X Delete
3) Create X Delete
Note: Default access is Display
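The conflict pairs above can be checked per user by combining the activities of all assigned roles. This is an added example, not the logic of VIRSA or BIZRights: the role names, the users and the object M_MATE_WRK are assumptions, the data is constructed, and conflicts are evaluated on the ACTVT field only (01 = create, 02 = change, 03 = display, 06 = delete).

```python
ACTVT = {"01": "Create", "02": "Change", "03": "Display", "06": "Delete"}

# The three pairs listed above; Display (03) never conflicts.
CONFLICT_PAIRS = [("01", "02"), ("02", "06"), ("01", "06")]


def sod_conflicts(user_roles, role_auths):
    """Return one finding per user, object and conflicting activity pair.

    user_roles: user -> list of assigned roles
    role_auths: role -> {authorization object: set of ACTVT values}
    A conflict counts even when the two activities come from different
    roles, because the user holds both of them at the same time.
    """
    findings = []
    for user in sorted(user_roles):
        granted = {}  # object -> ACTVT -> roles that grant it
        for role in user_roles[user]:
            for obj, activities in role_auths.get(role, {}).items():
                for act in activities:
                    granted.setdefault(obj, {}).setdefault(act, set()).add(role)
        for obj in sorted(granted):
            for first, second in CONFLICT_PAIRS:
                if first in granted[obj] and second in granted[obj]:
                    findings.append({
                        "user": user,
                        "object": obj,
                        "conflict": f"{ACTVT[first]} x {ACTVT[second]}",
                        # roles to look at when mitigating the conflict
                        "roles": sorted(granted[obj][first] | granted[obj][second]),
                    })
    return findings


# Constructed sample data (hypothetical derived roles and users).
ROLE_AUTHS = {
    "Z:MM_CREATE_1000": {"M_MATE_WRK": {"01", "03"}},
    "Z:MM_CHANGE_1000": {"M_MATE_WRK": {"02", "03"}},
    "Z:MM_DISPLAY": {"M_MATE_WRK": {"03"}},
    "Z:MM_ADMIN": {"M_MATE_WRK": {"01", "02", "06"}},
}
USER_ROLES = {
    "USER_A": ["Z:MM_CREATE_1000", "Z:MM_CHANGE_1000"],  # conflict across roles
    "USER_B": ["Z:MM_CREATE_1000", "Z:MM_DISPLAY"],      # no conflict
    "USER_C": ["Z:MM_ADMIN"],                            # conflicts inside one role
}

if __name__ == "__main__":
    for finding in sod_conflicts(USER_ROLES, ROLE_AUTHS):
        print(finding["user"], finding["object"], finding["conflict"],
              ", ".join(finding["roles"]))
```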

HR Security Activities
There are two types of HR security activity
1) Delegation of Authority
2) Structural Authorizations

Delegation of Authority:- Is a process by which a delegate delegates/assigns his/her access to a delegator for a certain period of time, i.e. during this period all the POs (Purchase Orders) or any items coming into the owner's inbox will go to the delegator's inbox.

Note: The delegator can delegate the access only to a person in the same hierarchy or a higher hierarchy.
The only issues which we get here are problems with workflow, i.e.
Items not appearing in the inbox
An item appearing in the inbox even after the period has expired
No access to approve the POs appearing in the inbox.

The first two problems are rectified by the workflow administrator. The last issue is related to the approve access. Before we provide the approval access we have to identify whether that particular person already has an access or not.
If he has an access, then notify him by email that as per the security policy any user can have either create or approve access and not both.

Steps related with delegation of Authority

1) Log into the HR box, go to PA20, i.e. display HR master data
Enter the personal details
Select the organization assignment and period today
Output will be position number or personnel number
Copy the position number, go to PO13 (Maintain Position)
Paste under position number
Under Infotype (select Name and Relationships)
Under Time period select All and press the Overview button
Select the row where object type = P and end date = 31-12-9999 and press the Copy button
Under related object change the type of related object from person to user
Under ID of related object, enter the delegate's user ID and press Enter
Make changes in dates: Valid From to Valid To
Select the Save button

Structural Authorization: Is a concept under HR security using which we assign roles to users based on the organization object.
Structure of organization management:
1) Organization Unit
2) Position
3) Job
4) Task = Description of an activity that is performed within organization units.

Here we assign roles to positions and not to users.
The users are called holders; holders are assigned to positions and not to jobs.
Whenever we create an organization unit structure we first have to create the root, i.e. the organization unit, and only then create additional lower-level organization units.

Steps Related with Assignment of HR Roles i.e. Structural Assign
1) Go to PFCG, select over all under view.
2) Select inheritance hierarchy.

Go to PFCG, enter the new role name; in maintenance go to Settings -> Complete View (Org management and Workflow)
Create role
Authorization
Go to User tab -> Select the Org. Mgt. button
Choose the create assignment button
Select the job [Object Type]
After completion select user comparison.

Special PFCG Roles:
1) Customizing roles: We can assign projects/views of the implementation guide (IMG) to this role.
2) Composition Roles

Steps:- Go to PFCG -> Menu -> Go to Utilities, select Cust_Authorization
Select Add tab
IMG Project / IMG Project view
Select the customized object based on our requirement -> Continue.
If a project/project view has been assigned to a role, it is no longer possible to manually assign transactions to the role.
This means that the role can only be used for generating and assigning customized authorizations.

Note:- Any role to which transactions have been manually assigned. These roles are used only during the implementation period; we should maintain an end date for the role when it is assigned to the user. Once implementation is completed we normally delete this.

Installation and Upgrade
The basic profile parameter auth/no_check_in_some_cases = Y has to be set if we want to use the profile generator (PFCG).

Q) Where do the default values in a role come from, i.e. activities under an auth object?
A) Tables USOBX_C and USOBT_C are the tables that control the behavior of the profile generator after the transaction has been selected.

SAP delivers tables USOBX_C and USOBT_C. These tables are filled with default values and used for the initial fill of the custom tables.
After the initial fill we can modify the custom tables.
Table USOBX_C defines which authorization checks are to be performed in a transaction and which should not be.
Table USOBT_C defines, for each transaction and each authorization object, which default values an authorization created from the authorization object should have in the profile generator.

During implementation we use transaction SU25 for security-related settings; besides this we also use SU24.

Note: Any workbench changes in security are done in SU24.
Modifying values in SU24:
Go to SU24, enter the transaction code and select execute.
Select the particular authorization object which we want to modify. Select the object and click on the change button.
Go to the proposal column and select "YES". Select the object again and change the field values.

Note:- Under the check indicator column, if no check is set, then select the auth object and set the check indicator.
After changes in a particular field select save. It will automatically prompt us to place the request under a transport.
Go to own requests and select the transport of type workbench.
Note:- If the transport request number was created by another team member then go to the Other requests button and enter the user ID
Output = All the requests created using the user id will be displayed.
Select the workbench request. Select the button change owner and go to SC01 to release the request.

SU25:- Profile generator for upgrade and first installation. This transaction code is used only during implementation and during an upgrade. The main purpose of this transaction code is to move the default changes which are maintained in the current version to the new version.
Versions are of 2 types
1) Versions without the PFCG tool
2) Versions with the PFCG tool (4.6 B)

Upgrade Scenario 1: Release without PFCG tool:
Always use step 6 in SU25 to convert manually created profiles and authorizations into roles
Scenario 2: Versions with PFCG
1) Execute the profile generator comparison with SAP values, i.e. comparing tables USOBX_C and USOBT_C.
2) Add affected transactions
3) Update the existing roles with new authorization values
4) Display all values where transaction codes have changed

Note: Do not execute step 1 (initial fill of the customer tables)
Step 3: Once the above steps are done, transport these changes using step 3.

Q) How do I deactivate an authorization object globally?
A) Go to SU25, select step 5, deactivate authorization object globally.

Single Sign-On (SSO)
[Diagram: SAP GUI; 3rd Party Tool (Keon) with UID, PIN, PWD; HR Secure, HR Unsecure, FI Secure, FI Unsecure; SU01 (SNC) tab]
What is single sign-on?

1) With single sign-on we create credentials in a third party tool, e.g. Keon, and later log on to SAP without entering any credentials.
2) We can even log on through the internet using SSO.
3) SSO is represented in the form of an SNC (Secured Network Connection) string; for the SNC string to be activated we need to configure certain DLL files at OS level.
4) Once we confirm the DLL files, we need to go to SAP GUI, select one server, go to properties -> network, check the secure network settings and enter the SNC string.

We need to go to SU01 and check allow access for the string.
Steps to configure SSO

1) Go to OS services, select the service NTLM security provider (NT LM Security Support Provider) and change the startup type of the service from manual to automatic.
2) Copy the GSSNTLM.DLL file to the directory on our central instance, i.e. /usr/SAP/SID/SYS/exe/run
3) Set the environment variable SNC_LIB to the location of the library.
4) Edit the central instance profile and set the following parameters
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = C:\usr\SAP\SID\SYS\EXE\run\GSSNTLM
snc/identity/as = P:/SID/sap service <SID>
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
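The profile values in step 4 enable SNC but still accept unprotected connections and stop at protection level 1. The check below is an added example, not an SAP tool: it parses an instance profile and reports those settings, the function names are hypothetical, and the second profile is a constructed comparison, not part of the notes.

```python
# SNC quality of protection levels.
PROTECTION = {
    "1": "authentication only",
    "2": "integrity protection",
    "3": "privacy protection",
}

# Switches that let connections or program starts bypass SNC when set to 1.
INSECURE_SWITCHES = (
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/permit_insecure_start",
    "snc/permit_insecure_comm",
)


def parse_profile(text):
    """Parse 'name = value' lines; '#' comments and blank lines are skipped.
    Names are normalised, so '/SNC/Enable' and 'snc/enable' are the same."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lstrip("/").lower()] = value.strip()
    return params


def audit_snc(text):
    """Return (parameter, value, finding) tuples for weak SNC settings."""
    params = parse_profile(text)
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", params.get("snc/enable"),
                         "SNC is not enabled"))
    for name in INSECURE_SWITCHES:
        if params.get(name) == "1":
            findings.append((name, "1",
                             "communication without SNC protection is allowed"))
    for name in ("snc/data_protection/min", "snc/data_protection/use",
                 "snc/data_protection/max"):
        level = params.get(name)
        if level in ("1", "2"):
            findings.append((name, level,
                             PROTECTION[level] + ": traffic is not encrypted"))
    return findings


# Values from step 4 above.
PAGE_PROFILE = r"""
snc/data_protection/max = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/enable = 1
snc/gssapi_lib = C:\usr\SAP\SID\SYS\EXE\run\GSSNTLM
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/permit_insecure_comm = 1
"""

# Constructed comparison profile: SNC required everywhere, encryption on.
STRICT_PROFILE = """
snc/enable = 1
snc/data_protection/max = 3
snc/data_protection/min = 3
snc/data_protection/use = 3
snc/accept_insecure_cpic = 0
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/permit_insecure_start = 0
snc/permit_insecure_comm = 0
"""

if __name__ == "__main__":
    for name, value, finding in audit_snc(PAGE_PROFILE):
        print(f"{name} = {value}: {finding}")
```

Switch the accept_insecure parameters off only after SNC names are maintained in SU01 for every user and interface that logs on, otherwise their logons without SNC are refused.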

Preparing SAP GUI for single sign-on
In the SAP logon window choose Edit -> Advanced/Network -> Advanced secure network communication
P:\<Domain Name>\sap service <SID>

Mapping SAP system users to Windows users for single sign-on
Go to SU01, choose SNC, and use uppercase to enter the name of the Windows user to assign to the SAP system user:
P:\<Domain Name>\<User Name>
Select insecure communication permitted and save our entries.

Central User Administration
Administering users centrally from one central system

CUA works with RFCs.
Steps to Configure CUA
1) Create logical systems for all the clients (using BD54/SALE)
2) Attach the logical systems to clients using SCC4
3) Create user CUA_SID in the central system with 3 roles and create user CUA_SID_CLIENT <number>/name in the child system with 2 roles.
4) Create RFCs to child systems from central and central to child using SM59
5) Log on to the central system and use SCUA to configure CUA (Central User Admin)
6) Enter the model view and enter all child system RFCs
Note: The RFC naming convention must be the same as the central system naming convention of the logical system.
7) Save the entries
8) Once we expand the test for the individual systems we normally see the messages for each system: ALE distribution was saved, central user admin activated and then comparison was started; they should be in green.
Note: If there are any problem messages refer to SAP note 333441 in the marketplace.
9) Use transaction SCUG in the central system to perform the synchronization activities between the central and child systems.
10) Use transaction SUCOMP to administer company address data.

Security Extension Classes Conducted on Saturday (Dec 1st 2007)

In SAP the nomenclature for roles is
Version 4.6 B                    Version 4.6 C
DAG - Derived Activity Group     Derived Role
GAG - Global Activity Group      Parent Role

Q) If all the users are locked mistakenly, how do we connect to the SAP system?
A) Follow the steps

Step 1) Go to OS level and execute the following SQL statements after connecting to the Oracle DB
Select * from <Application Server name>.USR02 where bname='SAP*';
Delete from <Application Server name>.USR02 where bname='SAP*';
Step 2) Then log in using the SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.

Note: USR02 is the table in which all user master records are stored.
Killing SAP* will automatically recreate a user master record in the USR02 table.

Portal Security
All security-related activities like creation of user accounts and creation of roles, which are normally performed using SU01 and PFCG, can be done using the portal.

In portal administration there are two ways of maintaining user and role information.
1) Accessing the portal using a URL
2) Accessing the portal using Active Directory Service

Note:
1) For any portal URL, the ports will be in the 50000 series.
2) For the portal we need the J2EE engine to be installed; the ABAP engine is not needed to run it.
3) All roles which are related only to the portal are configured in Active Directory Service, i.e. if users need to enter travel expenses and file their timesheets using the portal, then separate portal-related roles are provided. These roles provide access to users to display the screens as well as store the information in the DB.
4) Some portal screens will be integrated with the SAP system, i.e. PROS. Instead of logging into the SAP system we use the portal screens, in which the user provides the inputs, which get automatically saved in the SAP DB.

Problems in Portal
Problem 1) Global page missing
Solution: Check in Active Directory whether the user has been correctly added under the role which is considered as global
Note: In Active Directory services we have 2 types of roles
1) Global roles -> Provide access for a user to log in to the portal, i.e. for the initial screen to appear. They are classified based on the region the user belongs to. For example: Africa, Europe etc.
2) Local roles -> Provide access for certain T-codes or activities which the user needs to perform. Eg: time sheet filling, travel expenses. Local roles are categorized based on the location where the user is situated. Eg: country-wise IN, USA, AF
3) Every user who accesses the portal must have one global role and 'n' local roles.

Problem 2) User reports "Not able to access ESS"
Solution: Check the global role
Check the exact local role assigned to the user

Problem 3) User reports "He is able to access other global screens instead of his own screen"
Solution:
Find which global screens the user is able to access.
Go to AD service and then to the particular global role.
Edit the role and check if the user ID has been added to that particular role.
If it is added then remove the user ID, add the user ID to the correct global role and inform the user to restart his system in order to access the new changes.

Note:
1) Assigning users using AD service is considered a direct assignment whereas assigning users using the portal is considered an indirect assignment. This is similar to assigning users in SAP using PFCG (direct assignment) and SU01 (indirect assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages are embedded in the software. Non-Unicode is language specific.
3) The upgrade of an SAP system from non-Unicode to Unicode is possible whereas the other way is not. To achieve the transition from non-Unicode to Unicode we need to have the non-Unicode export kernel CD and the Unicode import kernel CD.
4) SU3 is the transaction code for maintaining the user's own data.
5) SCAT T-code is used for running CATT scripts.
6) The ACTVT field indicates the type of activity, i.e. create, change, generate and delete.
7) In the PFCG transaction code, a profile indicates a unique identifier generated by the system to identify a role.
8) The notation for a parent role is Z> and for a child / derived role it is Z:
9) Any roles starting with SAP_, i.e. SAP-defined roles, should not be generated; instead they are used as templates. Hence if we want to use any SAP role, first copy the role to a customized role and generate it.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type basic maintenance only, whereas HR-related roles and workflow-related roles are of type complete view. By default the roles are of type basic maintenance.
12) Before we delete a role, it has to be added to a transport because these actions are performed in the DEV system.
13) Profile names come by default; if a name has to be changed then it has to start with Z.
14) Color indications in authorizations
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.

Role Distribution
Distribution of a role can be done using
Go to transaction code PFCG -> Menu tab -> Distribute button
Enter the target system, i.e. an RFC connection needs to be created between the source and target system.
This procedure distributes the roles between source and target using RFC connections
If a role is distributed to a target system only the structure is copied and not the authorizations. Hence we need to maintain the authorizations for the role in the target system.

STMS (SAP Transport Management System)

1) SAP normally follows a 3 system landscape with 3 tier architecture, i.e. DEV, QAS, PRD.
2) One of the systems has to be configured as transport domain controller. This configuration is done as a part of implementation, i.e. immediately after executing the SICK transaction.
3) The transaction to configure transport management is STMS
4) RFCs are generated when the Transport Management System is configured, for the R/3 system to communicate with all R/3 systems in a domain.

Q) What is a transport group?
A) SAP systems that share a common transport directory tree form a transport group.
Q) What is transport domain controller?
A) The R/3 system with the reference configuration is called the transport domain controller.
Q) What is transport domain?
A) All R/3 systems that are planned to be managed centrally using TMS form a transport domain.

In order to configure the transport domain controller we have to log in using client 000 and user SAP* or any user having authorization similar to SAP*.

Configuring Transport domain controller:-
1) Log in to SAP using client 000 and SAP*
2) Go to STMS; it will propose the system as transport domain controller; provide the description and save.
3) Go to overview menu and select systems
4) Place the cursor on the SID and select SAP system -> Display
5) Go to transport pool and check under global parameter transport directory, i.e. transport directory path (\usr\sap\trans)

Note: The above steps are performed in the Dev system, which we can assume as domain controller
Steps for requesting inclusion of QAS and PRD systems into the domain controller
Log on to QAS with 000 and SAP*, go to STMS
Select other configuration
Provide the description and target hostname of the transport domain, i.e. DEV system domain name and instance no, and save
Log in to Development using 000 and SAP* and go to STMS
Select the QAS -> Go to SAP systems -> Approve
This will pop up a message saying "Inclusion of system in Transport Domain"; then click "Yes"

Note: Repeat the above steps for inclusion of the PROD system also
In Dev distribute the TMS configuration by selecting Extras -> Distribute TMS configuration
It pops up a message; then select "Yes"

Backup Domain Controller

The backup domain controller holds a copy of the reference configuration, and configuration changes can be managed when the transport domain controller is not available.
Steps in defining backup domain controller:
1. Log on to the transport domain controller system using client 000 and SAP*. Go to STMS T-code.
2. In the STMS screen go to Overview -> Systems -> select the R/3 system to be defined as backup domain controller.
3. Go to SAP system -> Display
4. Go to communication tab -> Select change; under backup, you have to mention "QAS" and save; it will then give a pop-up window requesting you to configure the changes immediately; select YES.
5. Go to Extras from the menu -> Activate backup domain controller. It will give a pop-up window "Activate system QAS as a domain controller"; click "YES".

Transport Routes:
Transport routes indicate the roles of each system and the flow of change requests.

Steps to configure transport routes:
1. Go to STMS T-code and Extras -> Settings -> Transport Routes -> Select the desired editor and choose continue (by default graphical editor)
2. Go to Overview -> Transport routes -> Select display or change mode
3. Go to Configuration -> Standard configuration -> Three systems in group.
4. Select the R/3 systems in the pop-up according to their roles, click continue and save, then specify the type of configuration and choose continue; it will ask you to distribute and activate the change; select YES.

Q. What are the two editor modes in which we can configure the transport routes?
A. 1. Graphical Editor
2. Hierarchical Editor

Q. What are the various configuration methods available in STMS?
A. 1. Single system configuration
2. Development and Production systems
3. Three systems in a group

Q. What is a standard transport layer?
A. This describes the transport route that the data from the development systems follows.

Q. What is SAP transport layer?
A. It is a predefined transport layer for DEV classes of SAP standard objects.

Create Transport Layer:
1. STMS → Overview → Transport routes → select the Change button → select the zoom in button → select the particular transport route → go to Edit → Transport layer → Create.

2. Enter the transport layer name and description.

Configuring transport routes manually:
1. STMS → Overview → Transport routes.
2. Go to Edit → Transport route and add a transport route → select source and target and leave it; a pop-up window for the transport layer then appears; click Continue.

Note: The development system is considered the consolidation system. The quality system is considered the delivery system. The production system is considered the integration system.

Enabling Quality assurance approval procedure (QAS):
1. Go to STMS → Overview → Transport routes → select change mode and double-click on the QAS system.
2. Go to System → System attributes → Delivery after configuration and click on the Procedure button.
3. Select the check box under the column “ASTV” as required and choose Save.
4. Select the Distribute and activate (F8) button icon.

Q. What are the three approval steps you need to follow as a part of approval procedure in QAS?
A. 1. To be approved by system administrator
2. To be approved by department
3. To be approved by request owner

Using TMS on day to day operations:
Go to “STMS_IMPORT”; this takes us to the screen in which all the imports are available. Select the import, that is, the transport request, and click the truck button (half-loaded truck).

Note:


1. If the import request button does not appear under STMS_IMPORT, go to Extras → Other requests, select Add and manually enter the number of the transport request you want to import.
2. Move transport number xyz to client 100.

Transporting request in OS Level:
1. Log on to any SAP system, go to “\usr\sap\trans\bin” and execute the command “tp addtobuffer <request number> <SID> client=<client number>”.
2. To import, the command is “tp import <request number> <SID> client=<ClientNo> U0”.

Note: U0 is a qualifier to leave the transport in the buffer.

Q. What are the various qualifier options, or what are the various import options?
A. There are six import options:
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations
