manasalatha
R/3 Security Tcodes
End User
Transaction Code | Menu Path | Purpose
SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters
SU53 | System --> Utilities --> Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer
SCDO (tcode): change document objects
Change document objects are stored in the table TCDOB
CDHDR: change documents, header information
Role Administration
Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
PFUD | <none> | Compare user master in dialog. This function can also be called in the Profile Generator: Environment --> Compare. The job for user master comparison is PFCG_TIME_DEPENDENCY (to Release 4.0: RHAUTUP1)
SUPC | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Generation | Mass Generation of Profiles
User Administration
Transaction Code | Menu Path | Purpose
SU01 | Tools --> Administration --> User Maintenance --> Users | Maintain Users
SU01D | Tools --> Administration --> User Maintenance --> Display Users | Display Users
SU10 | Tools --> Administration --> User Maintenance --> User Mass Maintenance | User mass maintenance
SU02 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually | Manually create profiles
SU03 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Authorizations Manually | Manually create authorizations
Profile Generator Configuration
Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
SU25 | IMG Activity: Enterprise IMG --> Basis Components --> System Administration --> Users and Authorizations --> Maintain authorizations and profiles using Profile Generator --> Work on SAP check indicators and field values. Select: Copy SAP check ID's and field values | Installation: 1. Initial Customer Tables Fill. Upgrade: 2a. Preparation: Compare with SAP values; 2b. Reconcile affected transactions; 2c. Roles to be checked; 2d. Display changed transaction codes
SU24 | Same as for SU25. Select: Change Check Indicators | Maintain Check Indicators; Maintain Templates
Transport
Transaction Code | Menu Path | Purpose
SCCL | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Local Copy | Local client copy (within one system, between different clients)
SCC9 | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Remote Copy | Remote client copy (between clients in different systems). Data exchange over a network (not files).
SCC8 | Tools --> Administration --> Administration --> Client Administration --> Client Transport --> Client Export | Client transport (between clients in different systems). Data exchange using a data export at operating system level.
<none> | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Transport | Mass transport of roles
<none> | Tools --> Administration --> User Maintenance --> Roles --> Role --> Upload/Download | Upload/Download of Roles
SU25 | Point 3 | Transport of Check indicators
STMS | Tools --> Administration --> Transports --> Transport Management System | Transport Management System
System configuration
Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
RZ11 | | Description of system profile parameters
SM01 | Tools --> Administration --> Administration --> Transaction Code Administration | Lock transaction codes from execution
Authorization Object
Transaction Code | Menu Path | Purpose
SU20 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields | List of authorization fields
SU21 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects | List of authorization objects (initial screen lists by object class)
Audit
Transaction Code | Menu Path | Purpose
SE84 | Tools --> Administration --> User Maintenance --> Information System | Information System for SAP R/3 Authorizations
SECR* | <none> | Audit Information System
Table maintenance
Transaction Code | Menu Path | Purpose
SM30 (Tables V_BRG, V_DDAT) | System --> Services --> Table Maintenance --> Extended Table Maintenance | Create table authorization groups (V_BRG); maintain assignments to tables (V_DDAT)
Table Group
Transaction Code | Menu Path | Purpose
SE43 | ABAP Workbench --> Development --> Other Tools --> Area Menus | Maintain (Display) Area Menus
R/3 Basis Tcodes
Common Transaction Codes for Basis Administration
AL01 SAP Alert Monitor
SE14 Utilities for Dictionary Tables
SSM0 Menu Maintenance and Test
AL02 Database Alert Monitor
SE15 ABAP/4 Repository Info System
SSM1 SAP and Company Menu administration
AL03 Operating System Alert Monitor
SE30 ABAP/4 Run time Analysis
ST01 System Trace
AL04 Monitor Call Distribution
SE38 ABAP/4 Editor
ST02 Setup/Tune Buffers
AL05 Monitor Current Workload
SE54 Generate Table View
ST03 Performance SAP statistics, Workload
AL06 Performance: Upload/Download
SE61 R/3 Documentation
ST04 Select Database Activities
AL07 Early Watch Report
SE80 ABAP/4 Development Workbench
ST05 SQL Trace
AL08 Users Logged On
SE91 Maintain Messages
ST06 Operating System Monitor
AL10 Download to Early Watch
SE92 Maintain System Log Messages
ST07 Application Monitor
AL11 Directories
SE93 Maintain Transaction Codes
ST08 Network Monitor
AL12 Display Table Buffer (Exp session)
SH01 Online Help: F1 Help Server
ST09 Network Alert Monitor
AL13 Display Shared Memory (Expert mode)
SH03 Call Extended Help
ST10 Table Call Statistics
AL15 Customize SAPOSCOL destination
SICK Installation Check
ST11 Display Developer Traces
AL18 Local File System Monitor
SLDB Logical Databases (Tree Structure)
ST12 Application Monitor
AL19 Remote File System Monitor
SLW4 Translation: Application Hierarchy
ST14 Application Analysis
AL20 Early Watch Data Collector List
SM01 Lock Transactions
ST22 ABAP/4 Runtime Error Analysis
DB01 Analyze Exclusive Lock Waits
SM02 System Messages
STAT Local Transaction Statistics
DB02 Analyze Tables and Indexes
SM04 User Overview
STDR TADIR Consistency Check
DB03 Parameter Changes in DB
SM12 Display and Delete Locks
STUN Performance Monitor Menu
DB11 Early Watch Profile Maintenance
SM13 Display Upgrade Records
SU01 Maintain User Records
DB12 Overview of Backup Logs
SM21 System Log
SU02 Maintain Authorization Profiles
DB13 Database Administration Calendar
SM31 Table Maintenance
SU03 Maintain Authorizations
DB14 Show DBA Action Logs
SM35 Batch Input Monitoring
SU10 Mass Changes to User Master Records
PFCG Profile Generator – Activity Groups
SM36 Background Job Scheduler
SU12 Mass Changes to User Master Records
RZ01 Job Scheduling Monitor
SM37 Background Job Overview
SU20 Maintain Authorization Fields
RZ02 Network Graphics for SAP Instances
SM38 Queue Maintenance Transaction
SU21 Maintain Authorization Objects
RZ03 Presentation, Control SAP Instances
SM39 Job Analysis
SU22 Auth Objects Usage in Transactions
RZ04 Maintain SAP Instances
SM50 Workprocess Overview
SU24 Maintain Profile Generator Tables
RZ06 Alert Thresholds Maintenance
SM51 List of SAP Servers
SU25 Copy SAP to Customer Prof Gen Tables
RZ08 SAP Alert Monitor
SM63 Display/Maintain Operation Mode Sets
SU30 Overall Authorization Checks
RZ10 Maintenance of Profile Parameters
SM64 Release of an Event
SU50 Maintain User Defaults
RZ11 Profile Parameters
SM65 Background Processing Analysis Tool
SU51 Maintain User Address
SAR Maintain Transaction Codes
SM66 System-wide Work Process Overview
SU52 Maintain User Parameters
SARA Archive Management
SM67 Job Scheduling
SU53 Analyze Authorization Error
SCAT Computer Aided Test Tool
SM68 Job Administration
SU56 Display list of User Authorizations
SCC0 Client Copy
SMGW Gateway Monitor
SVER ABAP/4 Verification
SCU3 Table History
SMLG Logon Groups
SVMC Start View Maintenance with Memory
SD11 Data Modeler
SMX Display Own Jobs
SWT0 Configure Workflow Trace
SDBE Matchcode Objects (test)
SOFF SAPoffice: Area Menu
SWU8 Technical Trace On/Off
SE01 Transports and Correction System
SP00 Spool and Related Areas
SWU9 Display Technical Trace
SE02 Environment Analyzer
SP01 Output Controller
SWUD Diagnostic Tools
SE03 Transport Utilities
SP11 TemSe Directory
SWUE Initiate Event
SE07 Transport System Status Display
SP12 TemSe Administration
SWUF Workflow Monitor
SE09 Workbench Organizer
SPIT Output Controller
SWUH Test Method
SE10 Customizer Organizer
SPAD Spool Administration
SWWD Switch on Work Item Error Monitoring
SE11 ABAP/4 Dictionary Maintenance
SPAM SAP Patch Manager
SYNT Display Syntax Trace Output
SE12 ABAP/4 Dictionary Display
SPAT Spool Administration - test
TU01 Call Statistics
SE13 Maintain Technical Settings (Tables)
SPDD Display Modified DDIC objects
TU02 Active Instance Profile parameters
R/3 Security Tips
QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI.
User assignment
Never insert generated profiles directly into the user master record (Transaction SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. If you then compare the user master records, the system inserts the generated profile in the user master record.
Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system you may need at a later stage. Leave the corresponding authorizations or organizational levels open.
Creating SPRO Display only
You might be asked to give SPRO display while implementing your SAP. I generally give these authorizations to make it display only. Please test it.
Object | Field | Value
S_PROJECT | PROJECT_ID | *
S_PROJECT | PROJ_CONF | *
S_RFC | ACTVT | 03
S_RFC | RFC_NAME | *
S_RFC | RFC_TYPE | *
S_TABU_CLI | CLIIDMAINT | '
S_TABU_DIS | ACTVT | 03
S_TABU_DIS | DICBERCLS | *
S_TRANSPRT | TTYPE | Deactivate or remove PIEC and TASK
S_CODE REMOVE SPRO
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields.
To create an authorization field, proceed as follows:
1. Choose Create authorization field.
2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
Creating Authorization Objects
An authorization object groups together up to ten authorization fields that are checked together in an authorization check.
To create authorization objects, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects.
Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object.
Locking Security Holes through IMG transactions
Even though you have restricted your users from SU01 or PFCG (to modify themselves or other people), they can get into these areas through the different IMG transaction codes. If your core team or user community has access to:
OY20 - Authorizations
OY21 - User profiles
OY22 - Create subadministrator
OY24 - Client maintenance
OY25 - CS BC: Set up Client
OY27 - Create Super User
OY28 - Deactivate SAP*
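One way to find who can reach these IMG transactions, as an added example that is not part of the original document: it scans an export of AGR_1251 for S_TCODE values (single values, prefix wildcards and ranges) that cover the OY2x codes listed above and resolves the affected roles to users through AGR_USERS. The CSV layout, the role and user names, and the simplified character-wise range comparison are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# IMG transactions named in this section.
IMG_TCODES = {
    "OY20": "Authorizations",
    "OY21": "User profiles",
    "OY22": "Create subadministrator",
    "OY24": "Client maintenance",
    "OY25": "CS BC: Set up Client",
    "OY27": "Create Super User",
    "OY28": "Deactivate SAP*",
}

# Constructed sample exports (not real data). Columns follow the AGR_1251 and
# AGR_USERS table fields; the CSV layout itself is an assumption.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_FI_CLERK,S_TCODE,TCD,FB03,,
Z_FI_CLERK,S_TCODE,TCD,SU53,,
Z_CORE_TEAM,S_TCODE,TCD,SPRO,,
Z_CORE_TEAM,S_TCODE,TCD,OY*,,
Z_PROJ_LEAD,S_TCODE,TCD,OX00,OZ99,
Z_HELPDESK,S_TCODE,TCD,OY27,,X
Z_HELPDESK,S_TCODE,TCD,SU01D,,
Z_BASIS_JR,S_TCODE,TCD,OY28,,
Z_BASIS_JR,S_TABU_DIS,ACTVT,03,,
"""

AGR_USERS_CSV = """AGR_NAME,UNAME
Z_FI_CLERK,JDOE
Z_CORE_TEAM,ASMITH
Z_CORE_TEAM,JDOE
Z_PROJ_LEAD,BLEE
Z_HELPDESK,CKIM
Z_BASIS_JR,DNG
"""


def covers(low, high, tcode):
    """True if an S_TCODE value (single, PREFIX* or LOW..HIGH range) includes tcode."""
    low, high = low.strip().upper(), high.strip().upper()
    if high:
        # Range: simplified character-wise comparison. A trailing * on the
        # upper bound extends it to everything that starts with that prefix.
        upper = high.rstrip("*") + ("\uffff" if high.endswith("*") else "")
        return low.rstrip("*") <= tcode <= upper
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode


def risky_roles(agr_1251_rows):
    """Map role name -> sorted IMG tcodes that its active S_TCODE values cover."""
    hits = defaultdict(set)
    for row in agr_1251_rows:
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if (row.get("DELETED") or "").strip().upper() == "X":
            continue  # authorization is marked deleted/inactive in the role
        for tcode in IMG_TCODES:
            if covers(row["LOW"] or "", row.get("HIGH") or "", tcode):
                hits[row["AGR_NAME"]].add(tcode)
    return {role: sorted(tcodes) for role, tcodes in hits.items()}


def exposed_users(role_hits, agr_users_rows):
    """Map user -> {tcode: [roles granting it]} for users holding a risky role."""
    users = defaultdict(lambda: defaultdict(list))
    for row in agr_users_rows:
        for tcode in role_hits.get(row["AGR_NAME"], []):
            users[row["UNAME"]][tcode].append(row["AGR_NAME"])
    return {u: {t: sorted(r) for t, r in sorted(m.items())} for u, m in users.items()}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(agr_1251_text=AGR_1251_CSV, agr_users_text=AGR_USERS_CSV):
    roles = risky_roles(load(agr_1251_text))
    return roles, exposed_users(roles, load(agr_users_text))


if __name__ == "__main__":
    _, users = audit()
    for user in sorted(users):
        for tcode, via in users[user].items():
            print(f"{user}: {tcode} ({IMG_TCODES[tcode]}) via {', '.join(via)}")
```

Composite roles (AGR_AGRS) and profiles assigned directly in the user master are not resolved here, so users who get these transactions that way need a separate check, for example with RSUSR002.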
R/3 Security Tables
SU21 or SU03: list of authorization objects; activities are stored in table TACT. SU02: profiles that exist in your system (list of profiles). SU22: maintain assignment of authorization objects.
Security Tables
Table Description
USR02 Logon data
USR04 User master authorization (one row per user)
UST04 User profiles (multiple rows per user)
USR10 Authorisation profiles (i.e. &_SAP_ALL)
UST10C Composite profiles (i.e. profile has sub profile)
USR11 Text for authorisation profiles
USR12 Authorisation values
USR13 Short text for authorisation
USR40 Table for illegal passwords
USGRP User groups
USGRPT Text table for USGRP
USH02 Change history for logon data
USR01 User Master (runtime data)
UST10S All single profiles with their authorization registered
USER_ADDR Address Data for users
AGR_1016 Roles together with their profiles are stored
AGR_1016B Name of the activity group profile
AGR_1250 List of authorization objects for individual role
AGR_1251 Authorization data corresponding field values
AGR_1252 Organizational values for individual roles
AGR_AGRS Overview of composite roles and their assigned roles
AGR_DEFINE All roles
AGR_HIER2 Menu structure information - Customer vers
AGR_HIERT Role menu texts
AGR_OBJ Assignment of Menu Nodes to Role
AGR_PROF Profile name for role
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TEXTS Text information stored in the table
AGR_TIME Time stamp information for profiles, menu authorization
AGR_USERS Assignment of roles to users
USOBT Relation between transaction to authorization object (SAP)
USOBT_C Relation Transaction to Auth. Object (Customer)
USOBX Check table for table USOBT
USOBXFLAGS Temporary table for storing USOBX/T* chang
USOBX_C Check Table for Table USOBT_C
USORG Organization values are listed in the table
Agr_hier It shows menu information
Agr_tcodes Overview of role with transaction codes
Agr_prof Has all roles with their profiles and profile names
Agr_num_2 Internal counter for profiles in roles is stored
Agr_timeb Time stamp for profile generation
Agr_timec Time stamp for user assignments
Agr_timed Time stamp for profile comparison
Agr_users Overview of roles and user assignments
sapmenu Is stored in the table smensapnew; text is stored in smensapt
Usgrp_user General user groups stored in this table
usrefus Assignment of ref users to users (RSUVMO13)
Tutyp User measurement data serve as basis for calculation of license fees
Tobj_off To disable authorization objects
SAP Security Reports
SAP Security Report Name Description
RSUSR_SYSINFO_ROLE (you need to log on to the central system for this) Report cross-system information/role. Standard selection: User name, Receiving system. Select role: Role
RSUSR_SYSINFO_PROFILE (you need to log on to the central system for this) Report cross-system information/profile. Standard criteria: User Name, Receiving system, Profile
RSUSRSUIM Same as SUIM User Information System
RHAUTUPD_NEW Mass comparison
RSUSR402 Download user data for CA manager from Secude
RSUSR300 Set External Security Name for all Users
RSUSR200 List of Users According to Logon Date and Password Change
RSUSR102 Change Documents for Authorizations
RSUSR000 Currently Active Users Tcodes SU04 and AL08
RSUSR002 Users by Complex Selection Criteria (it's a core tool for user authorization evaluation). Search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode. Selection by field name: Field Name. Selection by authorizations: Authorization Object, Authorization. Selection by values: Authorization Object 1 AND Authorization Object 2 AND Authorization Object 3. Additional selection criteria: Account number, Start Menu, Output Device, Valid Until, Locked Users Only, Unlocked Users Only, CATT Check ID
RSUSR002_ADDRESS Select User According to Address, NAMES, First Name, Last Name, User, COMMUNICATION PATHS, Company, City, Buildings, Room, Extension, OTHER DATA, Department, Cost Center
RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients (SAP* DDIC SAPCPIC )
RSUSR004 Restrict User Values to the following Simple Profiles and Auth Objs. Selection criteria: Single Profiles, Authorization Objs
RSUSR005 List of Users with Critical Authorizations (same as RSUSR009, but the difference is that here you can't choose)
RSUSR006 List of Users According to Logon Date and Password Change
RSUSR007 List Users Whose Address Data is Incomplete (here give the Required Address Data)
RSUSR008 Critical Combinations of Authorizations at Transaction Start (Can view either Critical Combinations or Users)
RSUSR009 List of Users with Critical Authorizations. Same as RSUSR005, but here you can choose (check using either customer data or SAP data)
RSUSR010 Transaction for User with Profile or Authorization (transaction executable either by User, with Role, Profile, Authorization). It provides a list of transactions that are assigned in the context of the selected category
RSUSR011 Lists of transactions after selection by User, profile or obj SELECTION FOR User
RSUSR012 Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)
RSUSR020 Profiles by Complex Criteria SELECTION CRITERIA Profile, Profile test, ADDITIONAL CRITERIA FOR PROFILES, Composite Profile, Single Profile, Generated Profiles, SELECTION BY CONTAINED PROFILES Profile, SELECTION BY AUTHORIZATIONS, Authorization Object, Authorization, SELECTION BY VALUES, Auth obj, auth obj2, auth obj3, SELECTION BY ROLE(this report allows searching for profiles that correspond with the entered selection criteria)
RSUSR030 We can evaluate Authorizations by Complex Selection Criteria. Selection criteria: Auth Object, Authorization, by values
RSUSR040 Authorization Objects by Complex Criteria. Standard selections: Authorization object. Additional criteria: Object class, Obj class text, Field (it helps to search authorization objects)
RSUSR050 Comparisons: Compare Users (User A, User B), Roles, Profiles, Authorizations, Across Systems (it's a good tool to check and validate role changes in the development phase or user setups across the system)
RSUSR070 Roles by Complex Selection Criteria STANDARD SELECTION Role, Description, SELECTION BY USER Assignments(excellent tool for role research)
RSUSR100 Change Documents for Users(change history for user authorizations)
RSUSR101 Change Document for Profiles
PFCG_ORGFIELD_CREATE
PFCG_ORGFIELD_UPDATE
PFCG_ORGFIELD_FIELD
ORGANIZATIONAL FIELDS CAN BE MAINTAINED IN PROFILE GENERATOR
RSUVMOO2 System measurement calculation of license fees
RSUVMOO5 To review which user is which user type
RSDELSAP Deletes the user sap* in 066 client
RSABAPSC To check source code of program
RSUSR060OBJ Authorization object in transactions and programs
RSSCD100_PFCG Display change doc’s for role administration
RSTBHIST Evaluation of log history
RSCSAUTH Assignment of reports to authorization group
RSANAL00 Analyze abap programs
RSABAPSC Source code analysis
RPR_ABAP_SOURCE_SCAN Scan abap report sources
RSABABSC Statistical prog analysis to find abap lang commands
RSTMS_SYSTEM_OVERVIEW SETTING CAN BE REVIEWED
RSSCD100 Overview of change docs
RSSCD110 Cross client evaluation of change docs
RSSCD150 Detail view of change docs
RSTXPDFT4 PDF CREATION
Single Sign On
If you are one of those admins who face any of the issues listed below, then SSO is for you.
Users access multiple systems, including SAP and non-SAP Systems. Some systems reside in a dedicated network zone in the intranet but many systems reside on different networks or on the Internet.
Users need to have different IDs and passwords to access these systems. Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to regularly change his or her password at all.
What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.
The solution is Single Sign-On. With SSO, users access multiple systems based on a single authentication.
Implementing SSO in Netweaver 2004s
Verify that the following profile parameters are set correctly in the back end using RZ11:
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
Make sure that in the portal the connector to the back end is defined with the following settings and that the permissions are set correctly:
Authentication Ticket Type - SAP Logon Ticket
Logon Method - SAPLOGONTICKET
User Mapping Type - useradmin,user
Fix certificate
Log in to Visual Administrator.
1. Select the Key Storage Service.
2. Select the TicketKeystore view.
3. Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.
4. Under Entry, choose Create. The Key and Certificate Generation dialog appears.
5. Enter the Subject Properties in the corresponding fields.
The entries in these fields build a Distinguished Name in the form: CN= , OU= , O=, L=, ST= , C=
Use capital letters for the Country Name.
6. Enter SAPLogonTicketKeypair as the Entry Name.
Do not enter a different name. This J2EE Engine uses the entry with this name to sign logon tickets.
7. Select the Store certificate option and choose DSA as the algorithm to use.
8. Choose Generate.
Now download the J2EE ticket via the Visual Admin Tool.
Log in to the Visual Admin Tool and open the tree "Server # > Services > Key Storage". Within "Key Storage", choose the view "Ticket Keystore" and the entry "SAPLogonTicketKeypair-cert", click "Export" and save the ticket to a proper location.
Finally, upload the new ticket to STRUST.
Implementing SSO (R/3 / Enterprise portal)
Implementing Single Sign-On for Enterprise Portal and R/3 Backend
Procedure
Download public-key certificate of Portal Server
Use the Keystore Administration tool to download the verify.der file from the portal.
Set profile parameters
On all of the component system's application servers:
1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 in every instance profile.
Import public-key certificate of Portal Server to component system's certificate list and add Portal Server to ACL of component system
Both of these steps can be performed with transaction STRUSTSSO2, which is an extended version of transaction STRUST. For detailed documentation on transaction STRUST, see the Web Application Server documentation under Security > Trust Manager.
In the SAP System, start transaction STRUSTSSO2.
A screen with the following layout appears
The PSE status frame on the left displays the PSEs that are defined for the system.
The PSE maintenance section on the top right displays the PSE information for the PSE selected in the PSE status frame.
Below that, the certificate section displays certificate information for a certificate that you have selected or imported.
The Single Sign-On ACL section on the bottom right displays the entries in the ACL of the system.
Note that the layout of the transaction will vary slightly, depending on the release of the SAP System.
2. In the PSE status frame on the left, choose the system PSE.
3. In the certificate section, choose Import Certificate.
The Import Certificate screen appears.
4. Choose the File tab.
5. In the File path field, enter the path of the portal's verify.der file.
6. Set the file format to DER coded and confirm.
7. In the Trust Manager, choose Add to PSE.
8. Choose Add to ACL, to add the Portal Server to the ACL list.
9. In the dialog box that appears, enter the portal's system ID and client.
By default, the portal's system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.
If necessary, you can change these default values by changing the properties login.ticket_issuer and login.ticket_client respectively in usermanagement properties.
The other values are taken from the certificate.
10. Save your entry.
11. Do not forget to set profile parameters and ITS service parameters as described in Configuring SAP Systems to Accept and Verify SAP Logon Tickets.
Result
The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital signature when they receive a logon ticket from a user.
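The profile-parameter step that both SSO procedures above call for, as an added example that is not SAP's or the original author's code: it works out the value in effect for each instance from DEFAULT.PFL plus that instance's own profile and reports every instance that deviates from login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0. The profile contents, instance names and the plain "name = value" file handling are assumptions made for this example; RZ11 on the running system remains the authority for the value actually in use.

```python
# Values this page requires on the component (back-end) system.
EXPECTED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "0",
}

# Constructed sample profiles; system, instance and host names are made up.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/accept_sso2_ticket = 1
"""

INSTANCE_PROFILES = {
    "PRD_DVEBMGS00_apphost1": """\
login/create_sso2_ticket = 0
""",
    "PRD_D01_apphost2": """\
login/create_sso2_ticket=2
#login/create_sso2_ticket = 0
""",
    "PRD_D02_apphost3": """\
# no SSO settings maintained in this instance profile
rdisp/wp_no_dia = 10
""",
}


def parse_profile(text):
    """Parse 'name = value' lines; whole-line # comments and blanks are skipped.

    Assumption of this example: if a name occurs twice, the later line wins.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_instances(default_text, instance_texts, expected=EXPECTED):
    """Return (instance, parameter, value, source) for every deviation.

    An instance profile entry overrides DEFAULT.PFL. A value of None means the
    parameter is set in neither file, so the kernel default applies and has to
    be looked up in RZ11.
    """
    default = parse_profile(default_text)
    findings = []
    for instance in sorted(instance_texts):
        own = parse_profile(instance_texts[instance])
        for name, want in expected.items():
            if name in own:
                value, source = own[name], "instance profile"
            elif name in default:
                value, source = default[name], "DEFAULT.PFL"
            else:
                value, source = None, "not set in any profile"
            if value != want:
                findings.append((instance, name, value, source))
    return findings


if __name__ == "__main__":
    for instance, name, value, source in check_instances(DEFAULT_PFL, INSTANCE_PROFILES):
        shown = "unset" if value is None else value
        print(f"{instance}: {name} is {shown} ({source}), expected {EXPECTED[name]}")
```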
Importing Portal Certificate into SAP System
Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse file). Use the Keystore Administration tool for this.
Procedure
1. In the component system, start transaction STRUST.
The following screen appears.
This screen displays a list of the certificates contained in the PSE of the component system.
2. In the certificate group box, choose Import Certificate.
The Import Certificate screen appears.
3. Choose the File tab.
4. In the File path field, enter the path of the portal's verify.der file.
5. Set the file format to DER coded and confirm.
6. In the Trust Manager, choose Add to PSE.
7. Save the new certificate list.
The new certificate list is automatically replicated to all application servers in the system. You do not have to import the portal certificate onto each application server separately.
Creating a New User SU01
1. Log on to SAP.
2. In the command field, enter t-code SU01 and hit Enter, or from the user menu choose Tools > Administration > User Maintenance > Users.
3. Choose and fill in all the required fields.
4. Fill in all the tabs; password and last name are mandatory.
5. In the Logon tab, make sure you choose the right user type. For end users you should choose Dialog user.
6. Don't forget to add roles to the user in the Roles tab. If this is a test box and you want to give all authorizations, add the SAP_ALL and SAP_NEW profiles in the Profiles tab.
SAP Security Interview Questions
Q. SAP Security T-codes
A. Frequently used security T-codes:
SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
See the R/3 Security Tcodes list above for all security T-codes.
Q. List a few security tables
A. See the Security Tables list above.
Q. How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. See the steps for creating a new user above.
Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite the AUTHORITY-CHECK command being programmed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
Solution Manager
In a distributed environment with systems and dependencies of business processes beyond single system boundaries, there is a need for a new and efficient support infrastructure. Integrating technical as well as business (applications) environments are more crucial than ever and must be mastered perfectly.
The SAP Solution Manager, which runs centrally in a customer's solution landscape as an integrated platform, ensures that distributed systems can be supported technically. The SAP Solution Manager introduces a new era of solution management covering all aspects relevant for technical implementation, operations, and continuous improvement.
SAP Solution Manager 4.0 offers functional areas to support the management of the entire customer solution:
- Implementation: Groups Tools, Content, and Methodologies to Efficiently Implement SAP Solutions
- Solution Monitoring: Ranges from System Monitoring to Business Process Monitoring
- Operations: Offers Services to Manage Your SAP Solution
- Support Area: To Support Every Step on the Way
- Upgrade: Supporting the Upgrade of SAP Components
As of April 2, 2007, SAP Solution Manager will be the only source from which customers receive maintenance updates for applications based on SAP NetWeaver 2004s, such as mySAP Business Suite 2005 applications and higher. It will also serve as the source of maintenance updates for earlier releases of SAP applications.
Release 4.0 of SAP Solution Manager will offer significant enhancements for maintenance processes and activities, such as:
- End-to-end and fully pre-configured maintenance management process
- Planning and deployment dashboard for all maintenance-related activities
- Source for all Support Packages provided by SAP as part of customers' maintenance agreements
Solution Manager training courses offered by SAP:
- SMO010 - Solution Manager Concept & Strategy
- SMO100 - System Administration with SAP Solution Manager
- SMO610 - Business Process Management and Monitoring
- SMO150 - Service Desk
- SMO155 - Change Request Management
- SMI210 - Implementation Methodology Overview
- SMI310 - Implementation Tools in Detail
Creating installation key
First you have to create the system. This can be done using tcode SMSY > Landscape component > Systems. Scroll down to choose your system. In this case we will choose SAP ERP. Right-click and choose Create New System with Assistant. Follow the instructions and create the system.
System: <SID>
Short Description:
SAP Product: SAP ERP
Product Version: SAP ERP 2005
Installation Number: Your installation number
Choose Next and check Relevant in front of SAP ECC Server, then enter the system number in the next screen and complete this following the instructions.
Now go back to the tcode SMSY and select System > Other Object... Select the radio button for System and enter the SID you created above, hit Generate Installation/Upgrade Key (Ctrl+Shift+F10) and click Generate Key.
Shortcut for creating installation key:
If you don't want to create a system, you can still choose the Solution Manager system from the drop-down and hit Generate Key. Once you get to the screen 'Generate Installation / Upgrade Key', you can put any system you want. System ID will be the SID of the new installation. It also requires the system number and the message server. Click Generate key.
Solution Manager- Installation on Windows / Oracle
Binary Download Preparation: Download the binaries from: Download >> Installations and Upgrades >> My Company's Application Components >> SAP solution Manager >> SAP Solution Manager 4.0 >> Installation and Upgrade >> Windows Server >> Oracle >> Downloads tab
Once the download is done, unzip all the necessary files. I generally make a folder with a sensible name rather than using the default 510...
Hardware and Software Requirements: Make sure you install Windows 2003 Server Edition as it is a requirement for Netweaver 2004s.
Follow SAP's guidelines for file system layout. Since my install is a sandbox environment, I made two additional file systems other than the C: drive. One drive will be used to put the Oracle mirror log files; otherwise, if you choose the default install, SAP puts the mirror logs on the C: drive. I made the data drive 70 GB.
Make sure you patch the OS and apply the latest support packs.
Install Java SDK: Download the Java SDK and cryptographic files. Once you install the Java SDK, make sure that the path variable is set correctly. This should include %JAVA_HOME%\bin; at the beginning of the PATH string. You can verify this by typing the command java -version. This should show the version you have installed.
Installation of SAP
Start the install as a root directory: Log on to the host as user administrator. Go to the Installation_Master DVD and run sapinst. Select central instance. Complete the installation.
Applying JAVA Patch and Kernel Patch
Maintain company address
Profile Parameter setup
Setting up Transport (STMS)
Client Copy
Set Up Time Zone
Set Up LOCL Printer
Activate Solution Manager
Configure SLD
Changing the saplogon image