Organizational level fields should only be created before you start setting up your
system. If you create organizational level fields later, you might have to do an impact
analysis. The authorization data may have to be postprocessed in roles.
The fields "Activity", "ACTVT" and "Transaction code", "TCD" cannot be converted into
an organizational level field.
In addition, all affected roles are analyzed and the authorization data is adjusted. The values of
the authorization field which is now to become the organizational level field are removed and
entered into the organizational level data of the role.
Note: The table for organizational elements is USORG.
Refer to Note 323817 for more detail.
Q. How many profiles can be assigned to any user master record?
A. The maximum number of profiles that can be assigned to any user is ~312. See table USR04 (Profile
assignments for users). This table contains both information on the change status of a user and
the list of the profile names that were assigned to the user.
The field PROFS is used for saving the change flag (C = user was created, M = user was
changed), and the name of the profiles assigned to the user. The field is defined with a length
of 3750 characters. Since the first two characters are intended for the change flag, 3748
characters remain for the list of the profile names per user. Because of the maximum length of
12 characters per profile name, this results in a maximum number of 312 profiles per user.
Q. Can you add a composite role to another composite role?
A. No
Q. How to reset the SAP* password from the Oracle database?
A. Log on to your database with orasid as the user ID and run this SQL:
delete from sapSID.usr02 where bname='SAP*' and mandt='XXX';
commit;
Here mandt is the client.
Now you can log in to the client using SAP* and the password pass.
Q. What is the difference between a role and a profile?
A. A role acts as a container that collects transactions and generates the associated profile. The
profile generator (PFCG) in the SAP System automatically generates the corresponding
authorization profile. Developers used to perform this step manually before PFCG was introduced
by SAP. Any maintenance of the generated profile should be done using PFCG.
Q. What is user buffer?
A. When a user logs on to the SAP R/3 System, a user buffer is built containing all
authorizations for that user. Each user has their own individual user buffer. For example, if user
Smith logs on to the system, his user buffer contains all authorizations of role
USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.
A user would fail an authorization check if:
auth/number_in_userbuffer.
End User
Transaction Code
Menu Path
Purpose
SU3
Set address/defaults/parameters
SU53
SU56
Role Administration
Transaction Code
Menu Path
Purpose
PFCG
Menu path: Tools --> Administration --> User Maintenance --> Roles
Purpose: Maintain roles using the Profile Generator
PFUD
<none>
SUPC
User Administration
Transaction Code
Menu Path
Purpose
SU01
SU01D
SU10
SU02
SU03
Purpose
RZ10
SU25
IMG Activity: Enterprise IMG --> Basis Components --> System Administration --> Users and Authorizations --> Maintain authorizations and profiles using Profile Generator --> Work on SAP check indicators and field values
Select: Copy SAP check IDs and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Transport
Maintain Templates
Transaction Code
Menu Path
Purpose
SCCL
SCC9
SCC8
<none>
<none>
SU25
Point 3.
STMS
System configuration
Transaction Code
RZ10
Menu Path
Purpose
RZ11
SM01
Authorization Object
Transaction Code
Menu Path
Purpose
SU20
SU21
Audit
Transaction Code
Menu Path
Purpose
SE84
Menu path: Tools --> Administration --> User Maintenance --> Information System
Purpose: Information System for SAP R/3 Authorizations
SECR*
<none>
Menu Path
Purpose
Table maintenance
Transaction Code
SM30
(Tables
V_BRG,
V_DDAT)
Table Group
Transaction Code
Menu Path
SE43
Purpose
AL01
SAP Alert Monitor
SE14
SSM0
Menu
Maintenance and
Test
AL02
SAP and
Company Menu
administration
AL03
ST01
System Trace
AL04
ABAP/4 Editor
ST02
Setup/Tune
Buffers
AL05
Monitor Current
Workload
SE54
ST03
Performance
SAP statistics,
Workload
AL06
Performance:
Upload/Download
SE61
R/3 Documentation
ST04
Select Database
Activities
AL07
SE80
ABAP/4 Development
Workbench
ST05
SQL Trace
AL08
Users Logged On
SE91
Maintain Messages
ST06
Operating
System Monitor
AL10
Download to Early
Watch
SE92
ST07
Application
Monitor
AL11
Directories
SE93
Maintain Transaction
Codes
ST08
Network Monitor
AL12
SH01
ST09
Network Alert
Monitor
AL13
ST10
Table Call
Statistics
AL15
Installation Check
ST11
Display
Developer Traces
AL18
SLDB
Application
Monitor
AL19
SLW4
Application
Analysis
AL20
SM01
Lock Transactions
ST22
ABAP/4 Runtime
Error Analysis
DB01
System Messages
STAT
Local Transaction
Statistics
DB02
DB03
SM04
User Overview
STDR
TADIR
Consistency
Check
STUN
Performance
Monitor Menu
DB11
SM13
Display Upgrade
Records
SU01
Maintain User
Records
DB12
Overview of Backup
Logs
SM21
System Log
SU02
Maintain
Authorization
Profiles
DB13
Database
SM31
Administration Calendar
Table Maintenance
SU03
Maintain
Authorizations
DB14
Mass Changes to
User Master
Records
PFCG
Profile Generator
Activity Groups
SM36
Background Job
Scheduler
SU12
Mass Changes to
User Master
Records
RZ01
Background Job
Overview
SU20
Maintain
Authorization
Fields
RZ02
SM38
Queue Maintenance
Transaction
SU21
Maintain
Authorization
Objects
RZ03
Presentation, Control
SAP Instances
SM39
Job Analysis
SU22
Auth Objects
Usage in
Transactions
RZ04
Maintain Profile
Generator Tables
RZ06
Alert Thresholds
Maintenance
SM51
SU25
Copy SAP to
Customer Prof
Gen Tables
RZ08
SM63
Display/Maintain
Operation Mode Sets
SU30
Overall
Authorization
Checks
RZ10
Release of an Event
SU50
Maintain User
Defaults
RZ11
Profile Parameters
SM65
Maintain User
Address
SAR
Maintain Transaction
Codes
SM66
System-wide Work
Process Overview
SU52
Maintain User
Parameters
SARA
Archive Management
SM67
Job Scheduling
SU53
Analyze
Authorization
Error
SCAT
SM68
Job Administration
SU56
Display list of
User
Authorizations
SCC0
Client Copy
SVER
ABAP/4
Verification
SCU3
Table History
SD11
Data Modeler
SMX
SWT0 Configure
Workflow Trace
SDBE
Matchcode Objects
(test)
SOFF
SE01
Transports and
Correction System
SP00
SE02
Environment Analyzer
SP01
Output Controller
SE03
Transport Utilities
SP11
TemSe Directory
SE07
Transport System
Status Display
SP12
TemSe Administration
SE09
Workbench Organizer
SPIT
Output Controller
SE10
Customizer Organizer
SPAD
Spool Administration
SE11
ABAP/4 Dictionary
Maintenance
SYNT
Display Syntax
Trace Output
SE12
ABAP/4 Dictionary
Display
SPAT
TU01
Call Statistics
SE13
Maintain Technical
Settings (Tables)
Active Instance
Profile
parameters
Q. What authorizations are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
Dialog users are used for individual users. The system checks for expired/initial passwords. It is
possible to change your own password. The system checks for multiple dialog logons.
Service user: Only user administrators can change the password. There is no check for
expired/initial passwords. Multiple logons are permitted.
System users are not capable of interaction and are used to perform certain system
activities, such as background processing, ALE, Workflow, and so on.
A Reference user is, like a System user, a general, non-personally related, user.
Additional authorizations can be assigned within the system using a reference user. A
reference user for additional rights can be assigned for every user in the Roles tab.
Derived roles refer to roles that already exist. The derived roles inherit the menu
structure and the functions included (transactions, reports, Web links, and so on) from
the role referenced. A role can only inherit menus and functions if no transaction codes
have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values
which can be changed afterwards. Organizational level definitions are not passed on.
They must be created anew in the inheriting role. User assignments are not passed on
either.
Derived roles are an elegant way of maintaining roles that do not differ in their
functionality (identical menus and identical transactions) but have different
characteristics with regard to the organizational level.
A composite role is a container which can collect several different roles. For reasons of
clarity, it does not make sense and is therefore not allowed to add composite roles to
composite roles. Composite roles are also called roles.
Composite roles do not contain authorization data. If you want to change the
authorizations (that are represented by a composite role), you must maintain the data
for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations
from several roles. Instead of adding each user separately to each role required, you
can set up a composite role and assign the users to that group.
The users assigned to a composite role are automatically assigned to the
corresponding (elementary) roles during comparison.
You can put multiple composite roles using the more button
Q. How to find out all the derived roles for one or more Master (Parent) roles?
A. Execute SE16N
Table
AGR_DEFINE
Role
You can always download all the information to spreadsheet also using
Q. What is SAP?
A. SAP is the name of the company founded in 1972 under the German name (Systems, Applications,
and Products in Data Processing); it is also the leading ERP (Enterprise Resource Planning) software package.
Q. Explain the concept of Business Content in SAP Business Information Warehouse?
A. Business Content is a pre-configured set of role and task-relevant information models based on
consistent Metadata in the SAP Business Information Warehouse. Business Content provides selected
roles within a company with the information they need to carry out their tasks. These information
models essentially contain roles, workbooks, queries, InfoSources, InfoCubes, key figures,
characteristics, update rules and extractors for SAP R/3, mySAP.com Business Applications and other
selected applications.
Q. What is IDES?
A. International Demonstration and Education System. A sample application provided for faster learning
and implementation.
Q. What is SAP R/3?
A. A third-generation set of highly integrated software modules that perform common business functions
based on multinational leading practice. It takes care of any enterprise, however diverse in operation and
spread over the world. In an R/3 system, all three servers (presentation server, application server and
database server) are located on different systems.
Q. What are presentation, application and database servers in SAP R/3?
A. The application layer of an R/3 System is made up of the application servers and the message server.
Application programs in an R/3 System are run on application servers. The application servers
communicate with the presentation components, the database, and also with each other, using the
message server. All the data is stored on a centralized server. This server is called the database server.
Q. How do I change the name of master / parent role keeping the name of derived/child role
same? I would like to keep the name of derived /child role same and also the profile
associated with the child roles.
A. First copy the master role using PFCG to a role with the new name you wish to have. Then you have to
generate the role. Now open each derived role and delete the menu. Once the menus are removed it
will let you put new inheritance. You can put the name of the new master role you created. This will help
you keep the same derived role name and also the same profile name. Once the new roles are done you
can transport it. The transport automatically includes the Parent roles.
Q. What is the difference between C (Check) and U (Unmaintained)?
A. Background:
When defining authorizations using Profile Generator, the table USOBX_C defines which authorization
checks should occur within a transaction and which authorization checks should be maintained in the PG.
You determine the authorization checks that can be maintained in the PG using Check Indicators. It is a
Check Table for Table USOBT_C.
In USOBX_C there are 4 Check Indicators.
CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.
C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
Q. What does user compare do?
A. Comparing the user master: This basically updates the profile information in the user master record. For
users to be allowed to execute the transactions contained in the menu tree of their roles, their user
master record must contain the profile for the corresponding roles.
You can start the user compare process from within the Profile Generator (User tab and User compare
pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into
the user master record. Never enter generated profiles directly into the user master record (using
transaction SU01, for example)! During the automatic user compare process (with report
pfcg_time_dependency, for example), generated profiles are removed from the user masters if they do
not belong to the roles that are assigned to the user.
If you assign roles to users for a limited period of time only, you must perform a comparison at the
beginning and at the end of the validity period. It is recommended that you schedule the background job
pfcg_time_dependency in such cases.
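A simplified model of the comparison described above, as an added example (not SAP's code and not part of the original page): it shows why a time-limited role needs a comparison run at both ends of its validity period. The role names, profile names and the handling of manually entered profiles are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: date


def user_compare(user, assignments, role_profiles, master_profiles, today):
    """One comparison run for one user; returns (profiles, added, removed).

    role_profiles   -- role -> generated profile names (a role can have several)
    master_profiles -- profiles currently in the user master record
    """
    generated = {p for names in role_profiles.values() for p in names}
    wanted = set()
    for a in assignments:
        if a.user == user and a.valid_from <= today <= a.valid_to:
            wanted.update(role_profiles[a.role])
    current = set(master_profiles)
    added = wanted - current
    # Only generated profiles are removed. Model assumption: profiles that were
    # entered manually are left alone.
    removed = (current & generated) - wanted
    return sorted((current - removed) | added), sorted(added), sorted(removed)


def profiles_after(user, assignments, role_profiles, start_profiles, run_dates):
    """Apply comparison runs on the given dates, in order; return final profiles."""
    profiles = list(start_profiles)
    for day in sorted(run_dates):
        profiles, _, _ = user_compare(user, assignments, role_profiles, profiles, day)
    return profiles


# Constructed sample data; all names are hypothetical.
ROLE_PROFILES = {
    "Z_AP_CLERK": ["T-AP000100"],
    "Z_YEAR_END_CLOSE": ["T-YE000100", "T-YE000101"],  # role split over 2 profiles
}
ASSIGNMENTS = [
    Assignment("SMITH", "Z_AP_CLERK", date(2024, 1, 1), date(9999, 12, 31)),
    Assignment("SMITH", "Z_YEAR_END_CLOSE", date(2024, 3, 1), date(2024, 3, 31)),
]
START = ["T-AP000100", "Z_MANUAL_PROFILE"]

if __name__ == "__main__":
    only_start = profiles_after("SMITH", ASSIGNMENTS, ROLE_PROFILES, START,
                                [date(2024, 3, 1)])
    both_ends = profiles_after("SMITH", ASSIGNMENTS, ROLE_PROFILES, START,
                               [date(2024, 3, 1), date(2024, 4, 1)])
    print("compare at start only :", only_start)   # expired role's profiles remain
    print("compare at both ends  :", both_ends)    # expired role's profiles removed
```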
Q. Can wildcards be used in authorizations?
A. Authorization values may contain wildcards; however, the system ignores everything after the
wildcard. Therefore, A*B is the same as A*.
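An added example (not from the original page and not SAP code) that applies the rule above when reviewing roles: it reports authorization values that carry text after a wildcard and lists the probe values they permit even though the written pattern suggests otherwise. The role names and sample rows are constructed, and the "intended" reading of a pattern as a glob is an assumption about what the role designer meant.

```python
from fnmatch import fnmatchcase


def effective_value(value: str) -> str:
    """Value as evaluated under the rule above: text after the first '*' is ignored."""
    star = value.find("*")
    return value if star == -1 else value[: star + 1]


def is_permitted(auth_value: str, checked: str) -> bool:
    """True if `checked` passes against `auth_value` (prefix match up to '*')."""
    eff = effective_value(auth_value)
    if eff.endswith("*"):
        return checked.startswith(eff[:-1])
    return checked == eff


def audit_wildcards(rows, probes):
    """Flag values with text after '*' and list probes they permit unexpectedly.

    rows   -- iterable of (role, object, field, value)
    probes -- values a reviewer wants tested (for example existing t-codes)
    """
    findings = []
    for role, obj, field, value in rows:
        eff = effective_value(value)
        if eff == value:
            continue  # nothing is dropped, so nothing to report
        # Assumed intent of the role designer: '*' as a glob inside the pattern.
        unintended = [p for p in probes
                      if is_permitted(value, p) and not fnmatchcase(p, value)]
        findings.append({
            "role": role, "object": obj, "field": field,
            "written": value, "effective": eff, "unintended": unintended,
        })
    return findings


# Constructed sample data (role names are hypothetical).
SAMPLE_ROWS = [
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB*3"),   # written as if "FB..3 only"
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FK03"),   # exact value, unaffected
    ("Z_FI_CLERK",   "S_TCODE", "TCD", "FB0*"),   # trailing wildcard, unaffected
]
SAMPLE_PROBES = ["FB01", "FB02", "FB03", "FB60", "FK03"]

if __name__ == "__main__":
    for f in audit_wildcards(SAMPLE_ROWS, SAMPLE_PROBES):
        print(f"{f['role']} {f['object']}/{f['field']}: '{f['written']}' "
              f"is evaluated as '{f['effective']}', also permits {f['unintended']}")
```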
Q. What does the PFCG_TIME_DEPENDENCY clean up?
A. The 'PFCG_TIME_DEPENDENCY' background report only cleans up the profiles (that is, it does not
clean up the roles in the system). Alternatively, you may use transaction 'PFUD'.
Q. What happens to change documents when they are transported to the production system?
A. Change documents cannot be displayed in transaction 'SUIM' after they are transported to the
production system because we do not have the 'before input' method for the transport. This means that if
changes are made, the 'USR10' table is filled with the current values and writes the old values to the
'USH10' table beforehand. The difference between both tables is then calculated and the value for the
change documents is determined as a result. However, this does not work when change documents are
transported to the production system. The 'USR10' table is automatically filled with the current values
for the transport and there is no option for filling the 'USH10' table in advance (for the history) because
we do not have a 'before input' method to fill the 'USH10' table in advance for the transport.
Q. What is the difference between the table buffer and the user buffer?
A. The table buffers are in the shared memory. Buffering the tables increases performance when
accessing the data records contained in the table. Table buffers and table entries are ignored during
startup. A user buffer is a buffer from which the data of a user master record is loaded when the user
logs on. The user buffer has different setting options with regard to the 'auth/new_buffering' parameter.
Q. What does the Profile Generator do?
A. The Profile Generator creates roles. It is important that suitable user roles, and not profiles, are
entered manually in transaction 'SU01'. The system should enter the profiles for this user automatically.
Q. How many authorizations fit into a profile?
A. A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this marker,
the Profile Generator will automatically create more profiles for the role. A profile name consists of
twelve (12) characters and the first ten (10) may be changed when generated for the first time.
Q. What authorization objects are needed for PFCG?
SAP Transport Authorization
To release Task
  S_TRANSPRT
    ACTVT=43, 03, 75
    TTYPE=TASK
    Other types:
      CLCP Client Transports
      CUST Customizing Requests
      DTRA Workbench Requests
      MOVE Relocation transports
      PATC Preliminary Corrections and Deliveries
      PIEC Piece lists
      TASK Tasks
      TRAN Transport of copies
  S_DATASET
    PROGRAM=SAPLSTRF, SAPLSLOG
    ACTVT=34
    FILENAME=*
To release Customizing Requests
  S_TRANSPRT
    TTYPE=CUST
    ACTVT=43, 03, 75
  S_DATASET
    PROGRAM=SAPLSCTS_RELEASE, SAPLSLOG, SAPLSTRF
    ACTVT=33, 34
    FILENAME=*
  S_RFC
    FC_TYPE=FUGR
    RFC_NAME=STPA
    ACTVT=16
Dialog (D): each dispatcher needs at least 2 dialog work processes (not shown above)
Spool (S): at least 1 per R/3 System (more than 1 per dispatcher allowed)
Update (V): at least 1 per R/3 System (more than 1 per dispatcher allowed)
Background (B): at least 2 per R/3 System (more than 1 per dispatcher allowed)
Enqueue (E): exactly 1 per R/3 System (only 1 E work process is required and allowed)
startsap calls the script startdb, which starts the database if it is not already started.
startsap then starts the central instance.
The R/3 System administrator can start additional instances and application servers. To start the
instances independently of the database, use the script startsap.
startsap has the following options:
startsap r3:
startsap db:
startsap all: Default entry; starts both the database and the R/3 instance
Before the R/3 System is stopped, the R/3 System administrator should check the following:
Check if any background jobs from any application server are active or have been triggered
externally. Use transaction SM37.
Check if the background work process BTC is running in any application server.
Check if any update records are open. If update records are open when the system is stopped, the
records are rolled back and set to status init. At startup, the records are processed again.
The administrator must decide whether to interrupt the jobs or wait until they are finished.
Give system users advance warning of the system shutdown. To create a system message, you
can use transaction SM02.
Before shutting down the system, use transaction SM04 to check whether users are still logged
on, and ask them to log off.
The R/3 System administrator and administrators of external systems should also inform one
another about data transfers between their respective systems.
Q. The enqueue server is a single-point-of-failure in the SAP System. Can I guarantee high
availability for the Enqueue Server?
A. To guarantee this you must use the standalone Enqueue Server with the Replication Server. This is
described in the documentation Standalone Enqueue Server.
SAP note 524816 contains the prerequisites that must be fulfilled for using the standalone Enqueue
Servers with the Replication Server.
Q. Where is the lock table stored?
A. In the main memory (shared memory) of the enqueue server. All work processes on the enqueue
server have access to the table. External application servers execute their lock operations in the enqueue
process on the enqueue server. Communication in this case takes place via the relevant dispatchers and
the message server.
Q. Can locks exist directly after startup?
A. Yes, the saved locks, which were inherited by the update task, are reloaded to the lock table during
startup (see first question).
Q. How fast are lock operations?
A. In work processes on the enqueue server, a few 100 microseconds. In work processes of external
application servers you have to include network communications and process changes. Depending on
CPU and network load this amounts to a few milliseconds.
Q. What should I do first if a problem arises?
A. Use the diagnosis functions:
SM12 --> Extras --> Diagnosis and then
SM12 --> Extras --> Diagnosis in update
If a problem is reported, back up the trace files dev_w*, dev_disp, dev_eq* and check the
Syslog.
Q. The following message is displayed in the diagnosis details in SM12:
Lock management operation mode
Internal lock management in same process
What does this message mean and what are the other options?
A. "Internal lock management in same work process" in the diagnosis function means that you are
logged onto the enqueue server and your work process can access the lock table straight away. You do
not have to delegate enqueue requests to an enqueue process on a remote enqueue server. If you are
logged onto an application server that is not an enqueue server, the diagnosis function will provide you
server, dispatchers, and work processes are occupied simultaneously. Due to asynchronous system
processes (for example, syncer), using more processors can further enhance throughput.
Q. The Syslog often contains messages such as "Enqueue: total wait time during locking:
2500 seconds". How should I analyze this problem? Or is the entry not critical? (There are no
records of terminations or timeouts.)
A. The message is output for information purposes only but may indicate parallel processing errors with
ABAP programs. The specified wait time is the time that has elapsed since startup due to the use of the
WAIT parameter when the enqueue function module was called.
The WAIT parameter enables a lock attempt to be repeated a number of times, for example, so that the
update task does not have to be cancelled when a lock is set temporarily by other programs. The work
process remains busy between the lock attempts.
Q. User cannot connect to SAP
A. Check the SAP logon settings, ping the host, check the message server, check the dispatcher, etc.
Q. User cannot print
A. See if the user has proper authorization. Check the SAP user setup, check SPAD, check the spools, check the Unix
queue or print queue at the OS level, etc.
Q. Why do you get the "GetProcessList failed: 80004005" error while starting SAP console
management?
A. You have selected one of the Process List nodes in the tree. Then you closed MMC and clicked "Yes" in
the dialog "Save console settings to SAPMMC?". Now when you open again the MMC and those processes
are not started, you get this error.
Solution: Start MMC and select SAP Systems in the tree. Then close it and choose "Yes" in the dialog
"Save console settings to SAPMMC?". Now you won't get this annoying error on every start.
6) Explain how you can delete multiple roles from QA, DEV and Production System?
To delete multiple roles from QA, DEV and Production System, you have to follow below
steps
USOBT_C: This table contains the authorization proposal data, that is, the
authorization data that is relevant for a transaction
USOBX_C: It tells which authorization checks are to be executed within a transaction
and which must not
9) Mention what is the maximum number of profiles in a role and the maximum number of
objects in a role?
The maximum number of profiles in a role is 312, and the maximum number of objects in a role is
150.
10) What is the t-code used for locking the transaction from execution?
For locking the transaction from execution, t-code SM01 is used.
11) Mention what is the main difference between the derived role and a single role?
For the single role, we can add or delete the t-codes while for a derived role you cannot do
that.
12) Explain what is SOD in SAP Security?
SOD means Segregation of Duties; it is implemented in SAP in order to detect and prevent
error or fraud during business transactions. For example, if a user or employee has the
privilege to access both bank account details and the payment run, that user might be able to divert
vendor payments to his own account.
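An added example (not part of the original page) of the check an SoD review performs for the conflict just described: resolve each user's composite roles to single roles, collect the transactions those roles grant, and report users who hold both sides of a rule. All rows are constructed; the composite-to-single rows have the shape of table AGR_AGRS mentioned elsewhere on this page, and the choice of FK02 (vendor change) and F110 (payment run) for the two sides is an assumption.

```python
from collections import defaultdict


def single_roles_by_user(user_roles, composite_members):
    """Resolve each user's roles to single roles.

    composite_members -- (composite, single) rows, the shape of AGR_AGRS.
    One level is enough because a composite role cannot contain another.
    Returns user -> {single_role: assigned_role_it_came_from}.
    """
    members = defaultdict(set)
    for composite, single in composite_members:
        members[composite].add(single)
    resolved = defaultdict(dict)
    for user, role in user_roles:
        for single in members.get(role, {role}):
            resolved[user].setdefault(single, role)
    return resolved


def find_sod_conflicts(user_roles, composite_members, role_tcodes, rules):
    """Return sorted (user, rule, side_a, side_b).

    Each side lists (tcode, single role, role the user was actually assigned),
    so the reviewer can see which assignment to change.
    """
    tcodes = defaultdict(set)
    for role, tcode in role_tcodes:
        tcodes[role].add(tcode)
    conflicts = []
    for user, singles in single_roles_by_user(user_roles, composite_members).items():
        held = defaultdict(list)  # tcode -> [(single role, assigned via)]
        for single, via in singles.items():
            for t in tcodes[single]:
                held[t].append((single, via))
        for name, side_a, side_b in rules:
            a = sorted((t, s, v) for t in side_a for s, v in held.get(t, []))
            b = sorted((t, s, v) for t in side_b for s, v in held.get(t, []))
            if a and b:
                conflicts.append((user, name, a, b))
    return sorted(conflicts)


# Constructed sample data; user and role names are hypothetical.
USER_ROLES = [
    ("ALICE", "ZC_AP_ALL"),            # composite role hides the conflict
    ("BOB", "ZS_VENDOR_MAINT"),
    ("CAROL", "ZS_PAYMENT_RUN"), ("CAROL", "ZS_VENDOR_DISPLAY"),
    ("DAVE", "ZS_VENDOR_MAINT"), ("DAVE", "ZS_PAYMENT_RUN"),
]
COMPOSITE_MEMBERS = [("ZC_AP_ALL", "ZS_VENDOR_MAINT"), ("ZC_AP_ALL", "ZS_PAYMENT_RUN")]
ROLE_TCODES = [("ZS_VENDOR_MAINT", "FK02"), ("ZS_PAYMENT_RUN", "F110"),
               ("ZS_VENDOR_DISPLAY", "FK03")]
SOD_RULES = [("Vendor bank details + payment run", {"FK02"}, {"F110"})]

if __name__ == "__main__":
    for user, rule, a, b in find_sod_conflicts(USER_ROLES, COMPOSITE_MEMBERS,
                                               ROLE_TCODES, SOD_RULES):
        print(f"{user}: {rule}: {a} conflicts with {b}")
```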
13) Mention which t-codes are used to see the summary of the Authorization Object and
Profile details?
Description: The tab is used to describe the changes made like details related to the
role, addition or removal of t-codes, the authorization object, etc.
Menu: It is used for designing user menus like addition of t-codes
Authorization: Used for maintaining authorization data and authorization profile
User: It is used for adjusting user master records and for assigning users to the role
21) Which t-code can be used to delete old security audit logs?
The SM18 t-code is used to delete the old security audit logs.
22) Explain what reports or programs can be used to regenerate SAP_ALL profile?
To regenerate SAP_ALL profile, report AGR_REGENERATE_SAP_ALL can be used.
23) Using which table transaction code text can be displayed?
Table TSTCT can be used to display transaction code text.
24) Which transaction code is used to display the user buffer?
User buffer can be displayed by using transaction code AL08
25) Mention what SAP table can be helpful in determining the single role that is
assigned to a given composite role?
Table AGR_AGRS will be helpful in determining the single role that is assigned to a given
composite role.
26) What is the parameter in Security Audit Log (SM19) that decides the number of
filters?
Parameter rsau/no_of_filters is used to decide the number of filters.