Professional Documents
Culture Documents
Symbol Legend:
¬ Press Enter
<sid> System ID lower case
<SID> System ID upper case
How do I....?
Backups
Client Tasks
....add a client?
....add a logical system ID to be assigned to a client?
....change a client?
....copy one client to another in the same R/3 system?
....copy one client to another in different R/3 systems?
....copy only user master data from one client to another?
....delete a client?
....lock a client so configuration changes cannot be made?
....verify that a client copy ran successfully?
....view all past client copies for a client?
Communications Tasks
....add a RFC connection?
....delete a RFC connection?
....modify a RFC connection?
....verify one R/3 system is talking to another?
Database Tasks
....perform Database Stats, Check Database, and Backup Jobs – MS SQL Server?
....perform Database Stats, Check Database, and Backup Jobs – Oracle?
Job Tasks
....change the start time/date for a scheduled job?
....clean out old job logs?
....delete a scheduled job?
....delete a running job?
....schedule a new job to run?
....verify that a job has run successfully?
Printer Tasks
....add a printer?
....create a new Frontend aka Local aka Desktop Printer?
....reprint a document that has already printed?
....reroute a printer output request?
....reset the cache for a printer?
....view a list of all printer output requests?
This document is the intellectual property of Jo Spencer and may not be edited without permission.
....view a list of the output requests for one printer only?
Security Tasks
....attach a role to a user?
....attach a user to a role?
....copy an existing role to a new role?
....create a user role?
....delete a user role?
....grant a transaction to a user?
....modify a user role?
....move roles from one client to another?
....revoke an authorization from a user?
....revoke a transaction from a user?
System Tasks
....add a system parameter?
....apply a SAP (OSS) note?
....check that the system parameters are valid?
....delete a system parameter?
....generate a developer’s key for a programmer?
....generate an object key to change a SAP-owned object?
....how do I make server files viewable from SAP?
....keep all users out of a transaction?
....modify a system parameter?
....open a service connection for SAP to come into my system?
....reclaim system space from obsolete temporary objects?
....recompile all ABAP programs in a R/3 system?
....send a message to all connected users?
....send a message to one connected user?
....start R/3?
....start saprouter (OSS Link)?
....start the OS collector?
....stop a SAP work process?
....stop R/3?
....stop saprouter?
This document is the intellectual property of Jo Spencer and may not be edited without permission.
....stop the OS collector?
....stop the R/3 subsystem?
....verify that our link to SAP is up?
....verify that R/3 is up?
....verify the status of saprouter?
....view a short dump received by a user?
....view all processes currently running?
....view all system locks?
....view all table locks?
....view all update locks?
Transport Tasks
....add a change request to a transport queue?
....add a new SAP Instance to an Existing TMS Domain?
....automate the Transport Process?
....configure TMS – Transport Management System – for the First Time?
....configure TMS to Use SAP's Quality Assurance Functionality?
....re-Transport One or Several Change Requests at Once?
....transport a change from one R/3 system to another?
....transport several change requests at once?
....verify that the transport system is up and running?
....view a history of what changes have been transported?
....use Target Groups to Transport to Mulitple Clients to Different Instances?
User Tasks
....add a user?
....add an ITS user?
....change a user’s password?
....change several users at once?
....copy an existing user to a new user?
....delete a user?
....delete an ITS user?
....drop a connected user?
....get a list of all users in a client?
....lock a user?
....lock all users at once?
....modify a user?
....modify an ITS user?
....produce various user reports?
....start an audit trace for a specific user?
....view a list of all users currently connected?
What do I do if....
....my SAP instance won’t start?
....my SAPGui session won’t start?
....users say response is slow?
....I make user changes in the CUA Parent but they don’t show in QAS or PRD?
....a printer has stopped printing?
....I need to apply patches to my SAP instance?
....a support package was applied and now every time a user
moves from one screen to another they get a “compiling”
message?
....I downloaded a kernel patch. Now what?
....users are getting errors via the Internet when displaying pictures?
....the development staff says that the IGS server is down?
....a user is receiving multiple X_MESSAGE errors, partial
SAPGui screens, SAPLPAD errors when printing, or other
Seemingly SAPGui related errors. What do I do?
....how to find important pages in the SAP Marketplace?
This document is the intellectual property of Jo Spencer and may not be edited without permission.
System Tasks
Starting the SAP Instance
The normal SAP instance start up consists of three parts: starting the SAP OS
Collector, starting the Oracle Listener, and starting the SAP instance. The
process mainly goes like this: ora<sid> logs on and starts the Oracle Listener
then <sid>adm logs on and runs the startsap script.
What? You say we missed a step? What happened to the SAP OS Collector?
The startsap script takes care of the SAP OS Collector for us. When the SAP
Instance starts up via the startsap script, it checks to see if saposcol is up
and running – whether from the root user starting it manually or from another SAP
Instance already starting it up, it doesn’t matter. If saposcol is up and
running, the script simply moves on to the next step. If it is not, the script
starts saposcol as root and then proceeds. So the SAP OS Collector gets handled
one way or another.
Even if you have multiple SAP instances on a server, the process is pretty much
the same unless the Oracle databases were installed using the MCOD installation
option. Then only one Oracle Listener is used since both databases share one
Oracle listening port which is normally 1527. Normally each SAP database – ie
SAP instance - has it’s own listener.
lsnrctl start¬
startsap¬
If you only need to start the database and not the SAP instance too, type
instead:
startsap DB¬
And do not do the rest of the start up procedures listed below, you can stop
now.
6. Wait until the startup messages have scrolled by. There may be other minor
programs that start at the time as well. If you try to logon and are
refused connection, check the logs in the /home/<sid>adm for applicable
errors.
Return to Index...
The easiest way to confirm that the SAP instance has started successfully is to
log on to the instance. If it has not had a successful start up, look at the
logs in the /home/<sid>adm directory. Sort them witj “ls – ltr” is see the list
sorted in descending order for the ease of viewing.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
If nothing obvious is found, go to the /usr/sap/<SID>/DVEBMGS00/work directory
and do the same thing in this directory. The most useful information can be
found in the dev_wx, dev_ms, dev_disp, dev_rfcx, and stderrx files.
If you need further assistance, please refer to the section SAP System Start Up
Troubleshooting.
Return to Index...
stopsap¬
If you only need to stop the SAP instance and not the database too, type
instead:
stopsap R3¬
And do not do the rest of the start up procedures listed below, you can stop
now.
3. Log on to the same server as ora<sid>.
4. Type in the following:
lsnrctl stop¬
cd /usr/sap/<SID>/SYS/exe/run¬
./saposcol -k¬
Return to Index...
cd /usr/sap/<SID>/SYS/exe/run¬
./saposcol¬
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Stopping the SAP OS Collector
cd /usr/sap/<SID>/SYS/exe/run¬
./saposcol -k¬
Return to Index...
Backups
Backup and recovery for a SAP instance is best handled along with the other
backup and recovery needs of your company’s computer systems. But for those
company’s who do not yet possess a solid backup and recovery solution, or who
simply want to segragate the SAP landscape from all other internal IT solutions,
here are a few things you need to know.
Online versus offline, high availability, frequency, are all decisions your IT
staff need to make based on their history with similar procedures at your
company, the recommendations of SAP, and the guidance of your implementation
Basis consultant. Enforced backups, and detailed and tested recovery procedures
should be part of any Disaster Recovery plan, and a documented part of any SAP
implementation project.
If your company falls into the latter category, SAP does supply tools for your
uses which can be used in either line command form or from within the SAP
instance. If you SAP server contains a tape drive or has access to the network
tape unit, transaction DB13 can be used to schedule periodic backups. This is
the same transaction where weekly statistics, log cleanup, and database
verification jobs are scheduled in the post-installation work after installation
of a new SAP instance. DB13 scheduled BRCONNECT runs which can also be CRONed in
command line form by the IT staff.
For more information, please see the SAP Online Documentation for DB13 by going
to the DB13 transaction and clicking Help -> Application Help or referring to the
section Creating Database Statistics, Index Rebuilds, and Log Backup Jobs –
Oracle. More information regarding BRCONNECT can be found in the SAP BRCONNECT
Guide which can be found at http://service.sap.com/instguides.
Return to Index...
/usr/sap/<SID>
/sapmnt/<SID>
/usr/sap/trans on the TMS Domain Controller Server
Any directories containing flat files that are used by the SAP instance
Root
/etc
/dev
For Oracle, the entire /oracle directory should be backed up daily if there is
only one Oracle Instance on the server, and each separate /oracle/<SID> directory
if there is more than one instance on the server.
It is also recommended that a full offline image of the entire server be made
before the monthly closing cycle.
/usr/sap/<SID>
/sapmnt/<SID>
Any directories containing flat files that are used by the SAP instance
/oracle
Directory holding redo logs if not in the /oracle structure
Root
/etc
/dev
For Oracle, the entire /oracle directory should be backed up daily if there is
only one Oracle Instance on the server, and each separate /oracle/<SID> directory
if there is more than one instance on the server.
It is also recommended that a full offline image of the entire server be made at
the same time every month.
Return to Index...
Return to Index...
Return to Index...
Stopping saprouter
Return to Index...
If you do not have a working OSS connection, you can download an OSS note from
the SAP Marketplace using the SAP Download Manager and use the upload feature in
SNOTE to load it into the SAP instance instead.
Return to Index...
The license key request process has been drastically overhauled by SAP over the
past. Normally, if you request a new SAP license key, the information will be e-
mailed to you in the form of a script. But in case you don’t receive this e-mail
promptly, it is important to know how to obtain the newly generated key “the old-
fashioned way”.
saplicense -get
Return to Index...
Return to Index...
Return to Index...
1. Log on to the server that contains the new SAP system as <sid>adm.
saplicense -install
2. You will be prompted for the <SID>, hardware key, expiration date of the new
license, and the new license. Press Enter after the entry of each piece of
data.
3. Once the new license key has been accepted, you will received a License key
applied message. If you have the TXT file SAP e-mailed you, you can place
it somewhere on your server and use the following syntax to install the
license as well:
Return to Index...
1. Log on to client 000 in the SAP system in which the new license key is to be
installed.
2. Go to transaction SLICENSE.
3. From the top-most menu bar on the SAP License Administration screen, click
Edit → Install license.
4. On the Install New License popup, fill in the new license key you obtained
from SAP. Click network picture-icon to finish the new license
installation.
5. You will receive a License key successfully installed message. You may now
leave the SLICENSE transaction.
Return to Index...
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Generating an Object Key to Change a SAP-owned Object
Return to Index...
Before opening a service connection for SAP, be sure that the SAPAG client has
been added to the appropriate SAP system and Client, and that a Security Audit
Trace has been activated for the SAPAG ID.
Before a Service Connection to a SAP server via your saprouter can be created,
the saprouter must run the LOP – Line Opener Program – to initiate the mode of
SAP connection. Please LOPInstalltion.exe on your saprouter server before trying
to add and open any Service Connections.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
If resetting the printer cache does not clear your printing problem, try using
some a non-SAP application to print to it to see if it working correctly on the
network. This should at least narrow down the possibilities.
Return to Index...
Printer Output
Creating a Local aka Frontend Printer aka Desktop Printer
Using this printer will cause print to go to SAPLPD which will use the default
printer of the current workstation.
Return to Index...
Return to Index...
Return to Index...
Reprinting a Document
This document is the intellectual property of Jo Spencer and may not be edited without permission.
1. Log on to any client in the appropriate SAP system.
2. Go to transaction SP01.
3. On the Output Controller: Spool request selection Screen screen, fill in any
information needed to filter the selection results. Then click on the clock
picture-icon.
4. A list of all spool requests will be displayed. Double click on the spool
request that is to be reprinted.
5. Click on the printer picture-icon. An Output request created message should
appear in the bottom status bar.
6. You may now leave the SP01 transaction.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
cd /usr/sap/<SID>/DVEBMGS00/igs¬
./bin/startigs -p . ¬
cd /usr/sap/<SID>/DVEBMGS00/igs¬
./bin/stopigs¬
Return to Index...
Requesting A New SAP Marketplace User ID aka “S” Number aka OSS ID
1. You will need the first and last name, function, department, department
title, language, telephone number, language, and email address of the
person(s) being added as these are all required fields.
2. Log on to the SAP Marketplace using an OSS ID with Administration rights –
http://service.sap.com/user-admin.
3. From the left navigational tree, click on Maintain User Data → Request new
users. You may be asked for your OSS ID and password again, dependently on
your point of original logon.
4. On the User Data Maintenance screen, fill in the gathered information from
step #1. Then press Save. You may or may not receive a confirmation
message.
5. You may now log off the SAP Marketplace.
Return to Index...
Checking A New SAP Marketplace User ID aka “S” Number aka OSS ID
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
If this does not kill the process, you can go to transaction SM04 and kill the
user’s session. If this does not kill the process, you can log on to the server,
open a Task Manager session, and End the Process. If this does not kill the
session, there is an executable in the RUN directory on the server called
sapntkill.exe. Run it providing the process ID number. If none of the above
work, you have no choice but to “bounce” the SAP instance and/or possibly the
serve.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Sending a System Message to a Single User
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
The SAP directory structure on a Linux server can be viewed via SAP using the
AL11 transaction. All the usual SAP directories are accessible as well as any
custom data views. Text files can be accessed and ported in and out of the SAP
instance. Directories can be sorted by Name or Date/Timestamp.
Return to Index...
Transport Tasks
Note: if you already have a TMS configured, do not use this section to add a new
instance to the existing TMS configuration. You could severely damage any pre-
existing transports, making them untransportable. Instead, use the following
section Adding New Instance to TMS Setup.
1. Log on to client 000 of the SAP instance to serve as the Domain Controller.
2. Go to transaction SE06.
3. Click on the Perform Post Installation Actions button.
4. Go to transaction STMS.
5. You should see a popup box with the title TMS: Configure Transport
Domain. If the popup doesn't say that, press F6 to change to the
correct popup box.
6. Fill in the TMS: Configure Transport Domain popup with the
Description, Name of DOMAIN_<SID>, and the description of the
Transport Domain. Then click Save.
7. On the Transport Management System screen (if you aren’t there, back out until
you are), assuming that this is the first SAP instance and there are no other
installed SAP instances in your landscape yet, and assuming that you
want your transport requests to be transportable and not local only,
click on Overview → Systems.
8. On the System Overview – Domain Domain_<SID> screen, click SAP System → Create
→ External System. Fill in QAS if you are going to have a three system
configuration or PRD if you are going to have a two system configuration, or
make up a <SID> if you are never really going to have another SAP system. Fill
in the rest of the information including the Path which is assumed to be
\\<current server>:\usr\sap\trans for NT or /usr/sap/trans for UNIX. Click
Environment → Transport Routes.
9. On the Display Transport Routes screen, click the User Settings button, turn
“on” the Hiergraphical List Editor, and click the √ Continue button. Back out
This document is the intellectual property of Jo Spencer and may not be edited without permission.
of the screen and then go back in – you should see the list in a text mode
which makes it easier to handle.
10. On the Display Transport Routes screen, click the Display<>Change button to
toggle into Change Mode.
11. On the Change Transport Routes screen, click Configuration → Standard
Configuration → Development and Production System.
12. Fill in the Development and Production System popup, using your current SAP
system SID as the Development system and the SAP instance you created in step
#8 as the Production system. Click the √ mark to Continue.
13. Back on the Change Transport Routes screen, click the Save icon and confirm
all the popup questions.
14. On the Change Transport Routes screen, back out until you can once more see
the Transport Management System screen. Click Overview → Systems.
15. On the Display TMS Configuration: System XXX screen, double-click the TMS
Domain domain controller SAP instance.
16. On the Display TMS Configuration: System XXX screen, click the Display<>Change
button to toggle into Change Mode. Click the Communication tab and make sure
that the Transport Group Name is correct. It should contain of the Domain
Controller in the format of DOMAIN_<SID> where <SID> is the System ID of the
SAP Domain controller. Use the dropdown to find the correct entry it the
field is blank. Click the Transport Tool tab. Verify that the information on
the tab is correct and click the Insert Row button. Add a Parameter of CTC
and a Value of 1. Click the Save button.
17. Do step #16 for every system in your TMS Domain, making sure to change all
Transport Group Names are the same and the CTC row is added to each with a
value of 1.
18. Save your way back the the main STMS screen.
19. You may now leave STMS.
Return to Index...
1. Log on to client 000 in the SAP instance you want to add to the existing TMS
Domain.
2. Go to transaction SE06.
3. Click on the Perform Post Installation Actions button.
4. Go to transaction STMS.
5. You should see a popup box with the title TMS: Configure Transport
Domain. Press F6 until you see a TMS: Include System in
Transport Domain popup.
6. Fill in the TMS: Include System in Transport Domain popup with the
Description, Target Host, and System number of the TMS Domain
Controller then click Save.
7. You should see a message that says SAP System waiting to be
included in the Transport Domain.
8. Log on to client 000 of the Transport Domain Controller and go to transaction
STMS, keeping your original session in the other SAP instance open.
9. On the Transport Management System screen, click Overview → Systems.
Highlight the System you just added and then click SAP System → Approve.
Then confirm all the messages.
10. Back on the Transport Management System screen, click Environment →
Transport Routes.
11. On the Display Transport Routes screen, click the Display<>Change button
to toggle into Change Mode. Click on Edit → Transport Route → Create.
11. On the Create Transport Route popup, use the Consolidation boxes to enter
the SID of the transport domain, create a Z* transport layer, and the SID
This document is the intellectual property of Jo Spencer and may not be edited without permission.
of the system you are adding. Click Save and confirm. Back out to the main
Transport Management Screen.
12. Back on the Transport Management System screen, click Overview → Systems.
Double-click on the new system, and click on the Communications tab. Make
sure that the Transport Group name is the name of the original transport
domain. If not, change it. Click the Transport Tool tab. Verify that the
information on the tab is correct and click the Insert Row button. Add a
Parameter of CTC and a Value of 1. Click the Save button.
13. You can switch back to the new instance, and confirm that the SAP System
waiting to be included in the Transport Domain has disappeard.
14. You may now log out of both SAP instances.
Return to Index...
Sometimes, mistakes just happen. For this example, we will use a transport
SM1K00047 as the erroneous change request. Make sure to release SM1K00047 before
beginning this procedure.
1. Log on to the client who is the owner of the local transports that needs
fixed.
2. Go to SE03.
3. On the Transport Organizer List screen, click on Merge Object Lists which is
in the Requests/Tasks section.
3. On the Merge Objects List screen, put SM1K00046 in the first Request/Task
field. Make sure that the Released check box is "on" in the Request Status
section and click the Execute icon.
4. On the Merge Objects List screen, click on the Merge icon.
5. On the Enter Transport Request popup, click the Create Request icon.
6. On the Select Request Type popup, click "on" radio buttion Workbench Request.
7. On the Create Request popup, fill in the necessary information and make sure
that the fill in the Target field so that the transport request is NOT local.
Click the Save, OK, √ icon, etc. until everything is done. You will
get a new transport request number, in our case SM1K00050. This new request
can be released using one of the transport organizer Transactions like SE10,
etc. Once it is released, you can go to /usr/sap/trans on the OS level and in
directory cofiles copy K00050.SM1 to K00046.SM1, and in directory data copy
R00050.SM1 to R00046.SM1.
8. You may now leave SE03.
Once you have control of your session again, the transports are done. Verify
their return code in the Import Queue list. It shoud have been updated
automatically.
Return to Index...
1. Make sure the change request(s) has been released via Se10 or one of the other
Transport Organizer Transactions.
2. Go to transaction STMS and click Overview → Imports. Double-click the PRD
queue.
3. Click the refresh button to make sure you have the most current view of the
PRD queue. Make sure the change request(s) you want to transport shows in the
queue.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
4. Using the F9 button, highlight all the transactions you want to manually
transport.
5. Click on Extras → Activate Inactive Requests. Confirm the popup. This
bypasses the STMS_QA process.
6. Leave the change requests highlighted. Click Request → Import. On the popup,
make sure that the target is client 300. Make sure that Synchronous radio
button is "on" in the Execution tab. Make sure that the first three options
are checked "on" in the Options tab. When you are done, click on the green √
and confirm the next popup.
Once you have control of your session again, the transports are done. Verify
their return code in the Import Queue list. It shoud have been updated
automatically.
Return to Index...
1. Make sure the change request(s) has been released via Se10 or one of the other
Transport Organizer Transactions.
2. Go to transaction STMS and click Overview → Imports. Double-click the PRD
queue.
3. Click on Extras → Other Requests → Add. Fill in the Number of the Transport
Request to be added to the queue and then press Enter.
4. Confirm the Add Transport Request popup. The transport request should now
appear at the bottom of the queue list.
Return to Index...
Return to Index...
1. Go to transaction STMS and click Overview → Imports. Highlight the queue into
which the transport(s) to be moved again were originally transported – the
“FROM” queue - and click the Import History button or press Ctrl+F7.
2. If your SAP instance is older, you may have a very long Import History list in
the next screen. Use some of the available filters and sort options to create
a more controllable list of transports. Use the F9 to select and/or unselect
as many as you need to transport.
3. Once all choices have been made, click Request → Forward → System. Fill in
the “TO” system and click on the Execute green √ mark.
4. Now you can go to the “TO” queue and refresh the list. Your imports should
all be there.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
User Tasks
Creating, Modifying, and Deleting Users
Creating a User
1. Log on to the appropriate SAP system and the client where the new user is to
be added.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the new User name
and click the blank page picture-icon.
4. On the Maintain User screen, fill in at least the following information for
each tab:
When all necessary data has been entered, click the Save
picture-icon.
5. You will receive a User saved message in the status bar at the bottom of the
screen. You may now leave the SU01 transaction.
Return to Index...
1. Log on to the appropriate SAP system and the client where the user is to be
changed.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the User name to be
copied and click the double blank page picture-icon.
4. On the Copy User popup, type in the To for the new user and click the Copy
button.
5. On the Maintain User screen, click on the tabs and make the changes to the
user’s information. When you are done, click the Save picture-icon. You
will receive a User saved message in the status bar at the bottom of the
screen.
6. You may now leave the SU01 transaction.
Return to Index...
Modifying a User
7. Log on to the appropriate SAP system and the client where the user is to be
changed.
8. Go to transaction SU01.
9. On the User Maintenance: Initial Screen screen, type in the user’s name and
click the pencil picture-icon.
10. On the Maintain User screen, click on the tabs and make your user
information changes. When you are done, click the Save picture-icon.
11. You will receive a User saved message in the status bar at the bottom of the
screen. You may now leave the SU01 transaction.
Return to Index...
Deleting a User
1. Log on to the appropriate SAP system and the client where the user is to be
deleted.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user’s name and
click the trash can picture-icon.
4. On the Delete user popup, click the Yes button.
5. You will receive a User deleted message in the status bar at the bottom of
the screen. You may now leave the SU01 transaction.
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Locking a User
1. Log on to the appropriate SAP system and the client where the user is to be
locked.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user’s name and
click the lock/unlock picture-icon.
4. On the Lock user popup, click the lock picture-icon.
5. You will receive a User locked message in the status bar at the bottom of
the screen. You may now leave transaction SU01.
Return to Index...
1. Log on to the appropriate SAP system and the client where the user’s
password is to be changes.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user’s name and
click the lock/unlock picture-icon.
4. On the Change Password popup, enter the new password in both the New
password and Repeat password boxes. Click the green √ picture-icon.
5. You will receive a The password was changed message in the status bar at the
bottom of the screen. You may now leave the SU01 transaction.
Return to Index...
1. Log on to the appropriate SAP system and the client where the user needs the
role. Go to transaction SU01.
2. On the User Maintenance: Initial Screen screen, type in the user’s name and
press Enter to confirm that the user exists.
3. Click the Change button or press Shift+F6.
4. On the Maintain User screen, click on the Roles tab. Fill in the name(s) in
the field(s) provided, and when done press Enter.
5. Click the Save button.
6. Go to transaction PFCG, and on the Role Maintenance screen, type in the name
of the role to which the users where added and press Enter to confirm exist
of the role.
7. Click the Change role little yellow pencil button.
8. On the Change Roles screen, click the User tab. Click on User Comparison
and then Complete Comparison. Once the comparision is done, click Save one
more time and you are done!
Return to Index...
Making user changes one-at-a-time can be extremely time consuming not to mention
boring. SAP has provided mass change transaction to help eleviate the
tediousness of making many user changes. It should be noted, however, that the
mass change transaction is limited as to the changes that can be made. For
example, you cannot change the password for multiple users. Also note that it is
best to make one type of mass change at a time. For example, you need to add a
new role to and delete an existing role from 20 users. The best method to
This document is the intellectual property of Jo Spencer and may not be edited without permission.
achieve this would be to first do a mass change to add the new role. Save the
changed users. Then delete the existing role from the same 20 users.
1. Log on to the appropriate SAP system and the client where the user changes
are to take place.
2. Go to transaction SU10.
3. On the User Maintenance: Mass Changes Initial Screen screen, you need to
select whether you will select users based on Address Data or Authorization
Data and click the appropriate button. If you click Address Data, you can
find users with any combination of First name, Last name, User ID, Company,
City, Building, Room, Extension, Department, and Cost Center. If you opt to
use Authorization Data, you can specify a combination of Groups, Reference
User, Authorizations, Athorization Objects, and many other fields. For
either method, fill in the fields you want to search on in the Users by
Complex Selection Criteria screen, and click the Execute button.
4. On the Users by Complex Selection Criteria screen, you can click “on” the
users to be changed, or click the Select All button. Once all the users you
want to change have been selected, click the Transfer button.
5. Back on the Maintenance: Mass Changes Initial Screen screen, you can select
all the users on the screen again by clicking the Select All button or
change your mind and make any last minute corrections. Once you have all
the users selected that you want to change, click User → Change.
6. On the Mass User Changes screen, scroll through the tabs, changing data and
clicking the Add or Remove button for each correction. Please note, each
SU10 batch run must use all Adds or all Removes but never a mixture. Do all
Adds in one run and then all Removes in another. Once all your changes have
been made, click the Save button.
7. On the Mass changes popup, you will see how many users you are about to
change. To make the changes, click on Yes.
8. On the Log Display screen, you will see a log of the changes you made.
Expand the list to see the transactional details.
9. You may now leave the SU10 transaction.
Return to Index...
1. Log on to the appropriate SAP system and client where the user reports are
to be generated.
2. Go to transaction SUIM.
3. On the User Information System screen, click the Infosystem authorizations
entry on the navigation tree and click the double arrows pointing down
picture-icon to expand the list of available reports.
4. Click on the clock picture-icon to the left of the report you want to run.
You will be taken to a selection filter screen to customize the data you
need to see on your report. Once your report has been produced, you can
print it or send it to your hard disk.
5. You may now leave the SU01 transaction.
Return to Index...
6. Log on to the appropriate SAP system and client where the user reports are
to be generated.
7. Go to transaction SU01.
8. On the User Maintenance: Initial Screen screen, from the top-most menu bar
click Information → Information system.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
9. On the User Information System screen, click the Infosystem authorizations
entry on the navigation tree and click the double arrows pointing down
picture-icon to expand the list of available reports.
10. Click on the clock picture-icon to the left of the report you want to run.
You will be taken to a selection filter screen to customize the data you
need to see on your report. Once your report has been produced, you can
print it or send it to your hard disk.
11. You may now leave the SU01 transaction.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Security Tasks
Creating a User Role
The easiest way to create a new user role is to copy an already existing user
role, either one of your own or one of the ones provided to you in the
installation of SAP. So let’s assume that you have none of your own and use one
This document is the intellectual property of Jo Spencer and may not be edited without permission.
of the SAP role templates provided. It might assist you with picking one of
these roles if you have someone dump the appropriate information into a
spreadsheet containing the Role Name, Role Description, Transactions contained in
the Role, and the Transaction description. The SQL query would be something like
this:
This query should be changed based on the details of your SAP instance. Identify
the roles(s) to be used as the source for your role copy.
Return to Index...
Return to Index...
Return to Index...
When a modification is made to a role in the 100 client, the roles must be
transported to the 800 client. One role, several roles, or all roles can be done
if needed. They can all be added to the same transport change request. After
the roles have been moved to other clients, you will need to log on to each of
those clients and do a user comparison. You will also need to do a text
comparison in client 100 of the appropriate SAP system.
Return to Index...
Return to Index...
Return to Index...
Return to Index...
S_DEVELOP
ACTVT
Create or generate
Change
Display
Delete
Activate, generate
Execute
Create in DB
Delete in DB
Convert to DB
Administer
Copy
All Functions
Deactivate Mod. assistant
DEVCLASS
Single Value or Value Range
OBJNAME
Single Value or Value Range
OBJTYPE
Single Value or Value Range
P_GROUP
Single Value or Value Range
All authorization objects and authorizations are grouped into profiles before
being attached to users. Profiles use a combination of authorization objects and
their respective authorizations, and their creation can be complex as well as
tedious. In order to simplify the creation of profiles, the Profile Generator
(transaction PFCG) was created. Roles are created via a more user-friendly
interface which generates profiles based on the information added via this
interface.
Manually creating profiles is the “old” way of doing things. There are times,
such as the start of a new SAP landscape where no roles exist, that the use of
profiles is handy. But once the landscape has been completed all users, with the
exception of the Basis team, should be attached to roles. There should never be
a need to manually create a SAP new profile. To add a new role, the easiest
method is to copy an existing role that matches your needs as closely as possible
and make the changes you need for the new role.
Remember that profiles are NOT the standard way to implement SAP security
Return to Index...
Return to Index...
*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Return to Index...
*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Return to Index...
*** Remember that profiles are NOT the standard way to implement SAP security.
***
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Attaching a Profile to a User
*** Since SAP R/3 4.5, this is not the standard for user authorizations.
***
Return to Index...
Return to Index...
Client Tasks
Client Copies within the Same SAP System
*** SAP’s terms for the sending and receiving clients can be confusing. The
“target” client is the client into which data is to be copied. The “source”
client is the client which contains the data to be copied. Also, remember that
all client copies are destructive and will delete all data before copying in the
new data. The only exception is when the SAP_USER profile is used. In this
case, only user master data is deleted from the target client before the new user
master data is copied. ***
Return to Index...
*** SAP’s terms for the sending and receiving clients can be confusing. The
“target” client is the client into which data is to be copied. The “source”
client is the client which contains the data to be copied. Also, remember that
all client copies are destructive and will delete all data before copying in the
new data. The only exception is when the SAP_USER profile is used. In this
case, only user master data is deleted from the target client before the new user
master data is copied. ***
Return to Index...
Sometimes you need to retain the data residing in a client but refresh the roles,
users, and other security components that have changed in DEV client 100. Since
role changes don’t transport across the other clients maintained via Central User
Administration, a user master client copy can be used on any client in the SAP
landscape.
Return to Index...
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Viewing the Client Copy Logs
Return to Index...
Creating a Client
*** Before adding a new client you should first ask if it will be used in
communications with other clients (Central User Administration, source for client
copies, etc.) If so, the new client will need to be assigned a Logical System ID
that is unique among all the SAP systems in the landscape. It is recommended
that all new clients be assigned to a Logical System ID as soon as they are
created. ***
Deleting a Client
Return to Index...
Client role:
* Production client
* Test client
* Training client
* Demo client
* Customizing client
* SAP reference client
Return to Index...
A logical system gives a client a unique “name” which can be referenced by other
clients within the SAP landscape. Once you have created a logical system, use
the SCC4 transaction to assign the logical system to a client. Normally, you
create the logical system before creating a client so that both start out
together. Adding a logical system to a client after the client has been in
existence and in use to a long time period could cause referencing problems
between that client and the rest of the SAP systems.
Return to Index...
Communications Tasks
Creating, Modifying, and Deleting RFC Connections
Return to Index...
Return to Index...
Return to Index...
Return to Index...
Database Tasks
Creating Database Statistics, Index Rebuilds, and Log Backup Jobs – MS SQL Server
Database statistics refresh jobs should be scheduled to run twice daily on all
the SAP systems. But occasionally a manual refresh needs to be done due to table
reorganization, index rebuild, etc.
Creating Database Statistics, Index Rebuilds, and Log Backup Jobs – Oracle
Return to Index...
Return to Index...
1. Log on to the appropriate SAP instance and client as either the user ID
owning the job or an administrator ID.
2. Go to transaction SM37.
3. On the Simple Job Selection screen, fill in the Job name field or use any of
the screens filtering options to produce a list from which you can see the job to
be changed. In order for a job to be changed, it has to have a status of
Schedule or Released so turn those statuses “on” and turn the rest “off”. Click
on the Execute button.
4. On the Job Overview screen, click “on” the line containing the job to be
changed and then click Job → Change.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
5. On the Change Job screen, make your changes and then click Save. If you have
more than one occurance of the same job in your list, you must change each job
scheduled to run earlier than that job you just changed. Once the job you
changed runs, all occurences of the jobs running after that date will be changed
as well.
Return to Index...
1. Log on to the appropriate SAP instance and client as either the user ID
owning the job or an administrator ID.
2. Go to transaction SM37.
3. On the Simple Job Selection screen, fill in the Job name field or use any of
the screens filtering options to produce a list from which you can see the job to
be deleted. In order for all occurances of a job to be deleted, all statuses of
the job should be checked “on”. And enter an all-encompassing date like 01-01-
1990 through 12-31-2010. Click on the Execute button.
4. On the Job Overview screen, click “on” all the perpetent line containing the
job(s) to be deleted and then click on the Delete job from database button.
5. On the Delete Scheduled Jobs? popup, confirm the deletion.
Return to Index...
1. Log on to the appropriate SAP instance and client as either the user ID
owning the job or an administrator ID.
2. Go to transaction SM37.
3. On the Simple Job Selection screen, fill in the Job name field or use any of
the screens filtering options to produce a list from which you can see the job
you want to view. In order for all occurances of a job to be viewed, all
statuses of the job should be checked “on”. Click on the Execute button.
Return to Index...
Opinions on this topic vary so these are good guidelines to use. These are
pretty much in the order they should be tried:
Return to Index...
• Checking for new SPAM updates, support packages and kernel patches
• Downloading the new SPAM updates, support packages, and kernel patches
• Preparing the new SPAM updates, support packages, and kernel patches for
application
• Applying the new SPAM updates, support packages, and kernel patches
• Mass recompiling all programs used in patched components
Be aware that SPAM/SAINT update and support package application occurs within the
SAP system using the SPAM transaction. These corrections are changes to ABAP
program code and must be handled in a special way by SAP. Kernel patches, on the
other hand, are fixes to SAP executables found on the SAP server. Kernel patches
must be applied when the SAP instance is down.
Please refer to the Check for New SPAM Updates, Support Packages and Kernel
Patches.
Return to Index...
Checking for New SPAM Updates, Support Packages and Kernel Patches
To check if SAP has released any new software fixes for your release of SAP, you
need to know your current support package and kernel release levels.
Return to Index...
Method Two:
Return to Index...
Method One:
Method Two:
1. Log on to the SAP instance sever using a Telnet session as user <sid>adm.
2. Change the Telnet windows properties to use a Screen Buffer Size of 9999.
3. At the Linux prompt, type:
disp+work –v
Return to Index...
It should be noted here that sometimes an older SAP may run on a newer SAP Basis
level. For example, CRM 4.0 has a Basis level of a 6.20 instance but runs on a
6.40 kernel. So make sure that the kernel patches you download match the SAP R/3
Kernel located via SM51.
3. Scroll down the Download screen until you find your current package level.
Any support packages after your current level will need to be applied to
your SAP System.
4. You may now leave the SAP Marketplace.
Return to Index...
3. Click the Download tab of the SPAM/SAINT UPDATE screen. Find the SPAM/SAINT
Update – Version XXX value. If this SPAM version is higher than you current
SPAM version, you will need to download and apply the latest SPAM update.
4. You may leave the SAP Marketplace.
Return to Index...
3. Scroll down the Download screen until under the File Name column you find
SAPEXEDB*.SAR files. Unless SAP has instructer you to use a different
This document is the intellectual property of Jo Spencer and may not be edited without permission.
kernel, the most recent SAPEXEDB*.SAR is the one you need to download. You
may leave the SAP Marketplace.
4. Now go to the @Database independent section in the same list as ORACLE was
displayed. Scroll down the page until you find the SAPEXE*.SAR that matches
the same number as the SAPEXEDB*.SAR you found in the previous step. These
two files will give you a complete kernel replace.
5. You may leave the SAP Marketplace.
Return to Index...
Return to Index...
Return to Index...
Unlike SPAM/SAINT updates, support packages, and kernel patches, the storage
location for other SAP binary patches can be either SAP Marketplace or sapserv1.
SAP Marketplace is the normal respository but if you can’t find your patch there,
go look on sapserv1.
***Due to the shutdown of the sapserv1x servers in April, this section has been
discontinued. Everything should now to accessible via SAP Marketplace.***
Return to Index...
Once you have downloaded your SPAM/SAINT Update and/or support package(s), they
must be moved to the appropriate transport directory and uncompressed.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
1. For a SAP instance, move the downloaded K*.?AR file to the
/usr/sap/trans/tmp directory on the SAP Transport Domain Server which is
normally the DEV server of a SAP “Flavor”.
2. Log on to the appropriate server as <sid>adm.
3. Type the following:
cd /usr/sap/trans ¬
SAPCAR.EXE -xvf “tmp\*.?AR” ¬
This will unCAR all CAR and SAR files in the \usr\sap\trans\tmp directory to
the /usr/sap/trans/EPS/in.
4. Log off the server.
5. Log on client 000 of the appropriate SAP system.
6. Go to transaction SPAM.
7. From the menu bar of the Support Package Manager screen, click Support
Package → Load Packages → From application server.
8. On the SPAM: Confirm upload popup, click the green √ picture-icon. The
progress of the support package loads will show in the status bar at the
bottom of the screen.
9. Scroll down the SPAM: Uploading Packages from the file system screen to make
sure your SPAM/SAINT update is listed. Use the Go Back icon to return to
the previous screen.
10. You may now leave the SPAM transaction.
Return to Index...
Kernel patches must be applied on the SAP server. The SAP instance must be down
before a kernel patch can be applied.
Return to Index...
Return to Index...
Before you apply the most current SPAM/SAINT, please pull the OSS Note 484219 -
Known problems with transaction SAINT in Basis Release 6.20 or for whatever
version you are using and review any problems you may have adding the SPAM/SAINT
patch.
Once you have loaded the latest SPAM/SAINT update into your support Package
manager buffer, you need to apply the update to your SAP system.
Return to Index...
Before applying any support packages to your SAP system, release all “repair”
change requests to prevent error messages due to locked resources. Repairs are
usually advanced corrections obtained from SAP Notes that are eventually
accumulated into support packages. So the same objects “repaired” in the
advanced corrections will be “repaired” during the application of the support
package. Releasing the repair change requests allows the support package to
overlay the temporary advanced correction “fix”.
Before you apply the most current SPAM/SAINT, please pull the OSS Note 782140 -
OCS: Known problems with Support Packages in Basis Rel.6.20 or for whatever
version you are using and review any problems you may have adding the SPAM/SAINT
patch.
Once you have loaded the latest support packages into your support
Package manager buffer, you need to apply the packages to your SAP
system.
1. Log on client 000 of the appropriate SAP system using a adminitrator user ID
that is not DDIC or SAP*.
2. Go to the SPAM transaction.
3. On the Support Package Manager screen, click the Display/Define button to
build your import queue. On the Component Selection popup, click on the
Comp. ID having support packages you want to install. The component order
support packages should be applied is SAP_BASIS, SAP_ABA, SAP_APPL, and PI.
4. A list of all application support packages for the selected component will
appear in the Define Queue popup. Select the support packages you want to
apply. See SAP Note 782140 for information on restrictions to grouping
support packages into queues. The Package ID with the green √ to the left
is the highest support package to be placed in the queue. All lower number
support packages for this component will be applied as well. Click the
green √ picture-icon to confirm the queue.
5. From the menu bar of the Support Package Manager screen, click Support
Package → Import queue.
6. On the SPAM: Import Queue popup, read the displayed information and then
click the green √ picture-icon to continue.
7. The progress of the support package application will be displayed in the
status bar at the bottom of the screen. These messages look very similar to
the messages generated during a change request transport.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
8. When the Imported successfully Information popup displays, click the green √
picture-icon to continue.
9. On the Support Package Manager screen, verify that the SPAM status in the
Status section of the screen contains a yellow light and the Next action
value is Confirm queue. To confirm that your support packages applied
completely, click the green √ picture-icon. A Support Package queue was
confirmed message will appear in the status bar at the bottom of the screen.
10. You are ready to build another support package queue, or if you have applied
all the necessary support packages, you may now leave the SPAM transaction.
Return to Index...
5. After the successful completion of the kernel patch, you may bring the
instance back up and log off the server.
Return to Index...
Return to Index...
Performance Standards:
Database Standards:
Return to Index...
Whether you are trying to start a brand new SAP instance, or an old one, there
are some very specific places to look for information.
If this is a brand new SAP instance, and the installation completed 100%
successfully, you know that the instance itself must be viable. If your
installaion was never able to complete due to the instance not being able to
start up, the issue is probably due to lack of resources. Use the sapinst
directory to search the installation logs and find your problem. Sort them with
“ls – ltr” is see the list sorted in descending order for the ease of viewing.
If you have a test searching tool, look for “error” in all files with the suffix
“.log”.
If your SAP instance has been up and running fine for a good while, then
something has probably changed that makes it not come up.
Return to Index...
Searching SAP Notes (formerly known as OSS notes) is a science as well as an art.
Lets use this error message as an example:
First, you should search the specific error message "BR602W No valid SAP license
found". If you get at least one hit, you should read the SAP Note even if it
didn't look as if it pertained 100%. Why? Because it might contain information
leading to other notes that did pertain, or give you new ideas for more search
terms to help narrow the scope of my query.
If you didn't find a note that matched the problem, you could make your next
search a little less specifc, like "brbackup No valid SAP license found". First
you could search for the phrase, and if you had no luck, you could search for all
words. And if that produced nothing tangible, you could make it even less
specific as in "brbackup SAP license error" or "SAP license error".
Normally a very specific query will get you the results you need. But sometimes
things get lost in translation. For example, you are applying support packages
and get an import error with the following message "Panic! Panic! Panic! there's
no object header". Since we speak English and we realize that the SAP product was
designed and implemented in Germany, we have to guess that the English word
"Panic!" somehow was translated from the German word "Warning!" and that we can
temporarily delay a panick attack until we can research the error. Moral of the
story? Realize that some things just don't translate correctly from language to
language, and search accordingly. If you searched for "Panic! Panic! Panic!" and
got no hits, you could try "warning message no object header".
Last, and not least, read and become familiar with your SAP Notes. There are
certain notes that you pull over and over again due to some task that needs
fresh, current and precise information. These are mostly lists of supported
printer devices, known problems with applying patches, etc.
Return to Index...
SAPGui Troubleshooting
Make sure that these lines were added to the services file on the user’s
workstation:
After you have successfully configured your SAPGui, add these three lines to the
bottom of your \Windows\system32\drivers\etc\services file:
sapdp00 3200/tcp
sapmsR3I 3600/tcp
#
If you have SAP Instances using System Numbers other than 00, you will have to
add their equivalents to the services file as well. Also, check if you are
having connection problems due to firewall restrictions. And, be sure that your
Insert Key is set so that you can type your password in properly – you can delete
whatever is in the password field in order to enter your password.
If you have never tested connectivity to a SAP instance on the workstation having
the connection problem, first you need to make sure that the workstation can
connect to the SAP server in some non-SAPGui way. Let’s say your user us trying
to connect to System ID (SID) DEV, System Number 00, and IP address 10.1.10.11.
Open a DOS-Windows and type this:
If the screen rolls and goes totally blank then your dispatcher is reachable. You
can close the DOS session. If your window never goes completely blank and you set
a "Connecting To 10.1.10.11... Could not open connection to the host, on port
3200: Connect failed" error message right under the command you entered, the
dispatcher is not reachable. Also, make sure the
\Windows\system32\drivers\etc\hosts file on the workstation is correct.
Return to Index...
Central User Administration is Not Transferring Change from the CUA Parent Client
If CUA stops sending changes from DEV to QAS or PRD, something in the RFC setup
has changed. Either the password or the user type for RFC_USER was changed, or
the SM59 RFC connection to was changed and is no longer working.
Use SCUL in DEV in your DEV CUA parent to list the errors that are occurring.
Look for the user you tried to transport but could not. You might see “You are
not authorized to change users in group” or “No authorization for group users in
role”. This does not mean that YOU are not authorized, it means that the
RFC_USER doing the ALE communication between the SAP systems is not authorized.
First, reset the RFC_USER password in DEV, QAS, and PRD. And make sure that the
user type is Communication and not dialog. Now go to sm59 and do remote logins
using the QAS RFC connections. If they work (ie nothing seems to happen after
you click the remote logon button) everything should now be fixed. If you get a
logon screen for QAS, change the password in the sm59 screen to the same password
you changed RFC_USER to in DEV and QAS.
This document is the intellectual property of Jo Spencer and may not be edited without permission.
Retry your user change. If it still doesn’t go to QAS, maybe the QAS system is
hosed and down.
Return to Index...