
R/3 Security Tcodes

End User
Transaction Code | Menu Path | Purpose
SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters
SU53 | System --> Utilities --> Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer
SCDO (TCODE) | | Change doc objects (change doc objects are stored in the table TCDOB)
CDHDR | | Change docs for header information

Role Administration
Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
PFUD | <none> | Compare user master in dialog. This function can also be called in the Profile Generator: Environment --> Mass compare. The job for user master comparison is PFCG_TIME_DEPENDENCY (to Release 4.0 RHAUTUP1)
SUPC | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Generation | Mass Generation of Profiles

User Administration
Transaction Code | Menu Path | Purpose
SU01 | Tools --> Administration --> User Maintenance --> Users | Maintain Users
SU01D | Tools --> Administration --> User Maintenance --> Display Users | Display Users
SU10 | Tools --> Administration --> User Maintenance --> User Mass Maintenance | User mass maintenance
SU02 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually | Manually create profiles
SU03 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Authorizations Manually | Manually create authorizations

Profile Generator Configuration
Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
SU25 | IMG Activity: Enterprise IMG --> Basis Components --> System Administration --> Users and Authorizations --> Maintain authorizations and profiles using Profile Generator --> Work on SAP check indicators and field values. Select: Copy SAP check IDs and field values | Installation: 1. Initial Customer Tables Fill. Upgrade: 2a. Preparation: Compare with SAP values; 2b. Reconcile affected transactions; 2c. Roles to be checked; 2d. Display changed transaction codes
SU24 | Same as for SU25. Select: Change Check Indicators | Maintain Check Indicators; Maintain Templates

Transport
Transaction Code | Menu Path | Purpose
SCCL | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Local Copy | Local client copy (within one system, between different clients)
SCC9 | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Remote Copy | Remote Client Copy (between clients in different systems). Data exchange over a network (not files).
SCC8 | Tools --> Administration --> Administration --> Client Administration --> Client Transport --> Client Export | Client transport (between clients in different systems). Data exchange using a data export at operating system level.
<none> | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Transport | Mass transport of roles
<none> | Tools --> Administration --> User Maintenance --> Roles --> Role --> Upload/Download | Upload/Download of Roles
SU25 | Point 3. | Transport of Check indicators
STMS | Tools --> Administration --> Transports --> Transport Management System | Transport Management System

System configuration
Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
RZ11 | | Description of system profile parameters
SM01 | Tools --> Administration --> Administration --> Transaction Code Administration | Lock transaction codes from execution

Authorization Object
Transaction Code | Menu Path | Purpose
SU20 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields | List of authorization fields
SU21 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects | List of authorization objects (initial screen lists by object class)

Audit
Transaction Code | Menu Path | Purpose
SE84 | Tools --> Administration --> User Maintenance --> Information System | Information System for SAP R/3 Authorizations
SECR* | <none> | Audit Information System

Table maintenance
Transaction Code | Menu Path | Purpose
SM30 (Tables V_BRG, V_DDAT) | System --> Services --> Table Maintenance --> Extended Table Maintenance | Create table authorization groups (V_BRG); maintain assignments to tables (V_DDAT)

Table Group
Transaction Code | Menu Path | Purpose
SE43 | ABAP Workbench --> Development --> Other Tools --> Area Menus | Maintain (Display) Area Menus

R/3 Basis Tcodes

Common Transaction Codes for Basis Administration


AL01 SAP Alert Monitor | SE14 Utilities for Dictionary Tables | SSM0 Menu Maintenance and Test
AL02 Database Alert Monitor | SE15 ABAP/4 Repository Info System | SSM1 SAP and Company Menu administration
AL03 Operating System Alert Monitor | SE30 ABAP/4 Run time Analysis | ST01 System Trace
AL04 Monitor Call Distribution | SE38 ABAP/4 Editor | ST02 Setup/Tune Buffers
AL05 Monitor Current Workload | SE54 Generate Table View | ST03 Performance, SAP statistics, Workload
AL06 Performance: Upload/Download | SE61 R/3 Documentation | ST04 Select Database Activities
AL07 Early Watch Report | SE80 ABAP/4 Development Workbench | ST05 SQL Trace
AL08 Users Logged On | SE91 Maintain Messages | ST06 Operating System Monitor
AL10 Download to Early Watch | SE92 Maintain System Log Messages | ST07 Application Monitor
AL11 Directories | SE93 Maintain Transaction Codes | ST08 Network Monitor
AL12 Display Table Buffer (Exp session) | SH01 Online Help: F1 Help Server | ST09 Network Alert Monitor
AL13 Display Shared Memory (Expert mode) | SH03 Call Extended Help | ST10 Table Call Statistics
AL15 Customize SAPOSCOL destination | SICK Installation Check | ST11 Display Developer Traces
AL18 Local File System Monitor | SLDB Logical Databases (Tree Structure) | ST12 Application Monitor
AL19 Remote File System Monitor | SLW4 Translation: Application Hierarchy | ST14 Application Analysis
AL20 Early Watch Data Collector List | SM01 Lock Transactions | ST22 ABAP/4 Runtime Error Analysis
DB01 Analyze Exclusive Lock Waits | SM02 System Messages | STAT Local Transaction Statistics
DB02 Analyze Tables and Indexes | SM04 User Overview | STDR TADIR Consistency Check
DB03 Parameter Changes in DB | SM12 Display and Delete Locks | STUN Performance Monitor Menu
DB11 Early Watch Profile Maintenance | SM13 Display Upgrade Records | SU01 Maintain User Records
DB12 Overview of Backup Logs | SM21 System Log | SU02 Maintain Authorization Profiles
DB13 Database Administration Calendar | SM31 Table Maintenance | SU03 Maintain Authorizations
DB14 Show DBA Action Logs | SM35 Batch Input Monitoring | SU10 Mass Changes to User Master Records
PFCG Profile Generator Activity Groups | SM36 Background Job Scheduler | SU12 Mass Changes to User Master Records
RZ01 Job Scheduling Monitor | SM37 Background Job Overview | SU20 Maintain Authorization Fields
RZ02 Network Graphics for SAP Instances | SM38 Queue Maintenance Transaction | SU21 Maintain Authorization Objects
RZ03 Presentation, Control SAP Instances | SM39 Job Analysis | SU22 Auth Objects Usage in Transactions
RZ04 Maintain SAP Instances | SM50 Workprocess Overview | SU24 Maintain Profile Generator Tables
RZ06 Alert Thresholds Maintenance | SM51 List of SAP Servers | SU25 Copy SAP to Customer Prof Gen Tables
RZ08 SAP Alert Monitor | SM63 Display/Maintain Operation Mode Sets | SU30 Overall Authorization Checks
RZ10 Maintenance of Profile Parameters | SM64 Release of an Event | SU50 Maintain User Defaults
RZ11 Profile Parameters | SM65 Background Processing Analysis Tool | SU51 Maintain User Address
SAR Maintain Transaction Codes | SM66 System-wide Work Process Overview | SU52 Maintain User Parameters
SARA Archive Management | SM67 Job Scheduling | SU53 Analyze Authorization Error
SCAT Computer Aided Test Tool | SM68 Job Administration | SU56 Display list of User Authorizations
SCC0 Client Copy | SMGW Gateway Monitor | SVER ABAP/4 Verification
SCU3 Table History | SMLG Logon Groups | SVMC Start View Maintenance with Memory
SD11 Data Modeler | SMX Display Own Jobs | SWT0 Configure Workflow Trace
SDBE Matchcode Objects (test) | SOFF SAPoffice: Area Menu | SWU8 Technical Trace On/Off
SE01 Transports and Correction System | SP00 Spool and Related Areas | SWU9 Display Technical Trace
SE02 Environment Analyzer | SP01 Output Controller | SWUD Diagnostic Tools
SE03 Transport Utilities | SP11 TemSe Directory | SWUE Initiate Event
SE07 Transport System Status Display | SP12 TemSe Administration | SWUF Workflow Monitor
SE09 Workbench Organizer | SPIT Output Controller | SWUH Test Method
SE10 Customizer Organizer | SPAD Spool Administration | SWWD Switch on Work Item Error Monitoring
SE11 ABAP/4 Dictionary Maintenance | SPAM SAP Patch Manager | SYNT Display Syntax Trace Output
SE12 ABAP/4 Dictionary Display | SPAT Spool Administration test | TU01 Call Statistics
SE13 Maintain Technical Settings (Tables) | SPDD Display Modified DDIC objects | TU02 Active Instance Profile parameters

R/3 Security Tips

QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a
whole range of options for defining reports. SAP Query also supports different
kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer
(SQVI), on the other hand, is a tool that allows even relatively inexperienced
users to create basic lists. I have created a tutorial for SQVI.
User assignment
Never insert generated profiles directly into the user master record (Transaction
SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose
the User tab in role maintenance (PFCG) and enter the user to whom you want to
assign the role or profile. If you then compare the user master records, the system
inserts the generated profile in the user master record.
Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important you do not
assign any authorizations for those modules you have not yet installed. This
ensures that you cannot accidentally change data in your production system you
may need at a later stage. Leave the corresponding authorizations or
organizational levels open.
Creating SPRO Display only
You might be asked to give SPRO display access while implementing SAP.
I generally give these authorizations to make it display only. Please test it.
Object | Field | Value
S_PROJECT | PROJECT_ID | *
S_PROJECT | PROJ_CONF | *
S_RFC | ACTVT | 03
S_RFC | RFC_NAME | *
S_RFC | RFC_TYPE | *
S_TABU_CLI | CLIIDMAINT | '
S_TABU_DIS | ACTVT | 03
S_TABU_DIS | DICBERCLS | *
S_TRANSPRT | TTYPE | Deactivate or remove PIEC and TASK
S_CODE | | REMOVE SPRO
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested
during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench -->
Development --> Other Tools --> Authorization Objects --> Fields.
To create an authorization field, proceed as follows:

1. Choose Create authorization field.


2. On the next screen, enter the name of the field. Field names must be
unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
You can often use the fields defined by SAP in your own authorization objects. If
you create a new authorization object, you do not need to define your own fields.
For example, you can use the SAP field ACTVT in your own authorization
objects to represent a wide variety of actions in the system.
Creating Authorization Objects
An authorization object groups together up to ten authorization fields that are
checked together in an authorization check.
To create authorization objects, choose Tools --> ABAP Workbench --> Development
--> Other Tools --> Authorization Objects --> Objects.
Enter a unique object name and the fields that belong to the object. Object names
must begin with the letter Y or Z in accordance with the naming convention for
customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also
enter a description of the object and documentation for it. Ensure that the object
definition matches the ABAP AUTHORITY-CHECK calls that refer to the
object.
Locking Security Holes through IMG transactions
Even though you have restricted your users from SU01 or PFCG (to modify
themselves or other people), they can get into these areas through the different
IMG transaction codes. If your core team or user community has access to:
OY20 - Authorizations
OY21 - User profiles
OY22 - Create subadministrator
OY24 - Client maintenance
OY25 - CS BC: Set up Client
OY27 - Create Super User
OY28 - Deactivate SAP*
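
One way to check the exposure described above, as an added example that is not part of the original page: the script scans rows shaped like AGR_1251 (role authorization values) and AGR_USERS (role assignments) for S_TCODE values that cover the listed OY2x transactions. The role names, user names and rows are constructed sample data, and interval values are assumed to compare as plain strings.

```python
"""Find roles and users able to start the IMG transactions listed above."""
from fnmatch import fnmatchcase

# IMG transactions named on this page as side doors to user/role maintenance.
IMG_TCODES = ("OY20", "OY21", "OY22", "OY24", "OY25", "OY27", "OY28")


def auth_row(role, obj, field, low, high="", deleted=""):
    """Build one row using AGR_1251 field names."""
    return {"AGR_NAME": role, "OBJECT": obj, "FIELD": field,
            "LOW": low, "HIGH": high, "DELETED": deleted}


# Constructed sample data (not taken from a real system).
AGR_1251 = [
    auth_row("Z_FI_CLERK", "S_TCODE", "TCD", "FB03"),
    auth_row("Z_CORE_TEAM", "S_TCODE", "TCD", "OY*"),              # wildcard
    auth_row("Z_CUSTOMIZING", "S_TCODE", "TCD", "OX00", "OY22"),   # interval
    auth_row("Z_OLD_ADMIN", "S_TCODE", "TCD", "OY27", deleted="X"),
    auth_row("Z_BASIS_DISP", "S_TABU_DIS", "ACTVT", "03"),
]
AGR_USERS = [
    {"AGR_NAME": "Z_CORE_TEAM", "UNAME": "JDOE",
     "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_CUSTOMIZING", "UNAME": "MSMITH",
     "FROM_DAT": "20230101", "TO_DAT": "20231231"},   # assignment expired
    {"AGR_NAME": "Z_CUSTOMIZING", "UNAME": "AKHAN",
     "FROM_DAT": "20240101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_CLERK", "UNAME": "BLEE",
     "FROM_DAT": "20240101", "TO_DAT": "99991231"},
]


def value_covers(low, high, tcode):
    """True if one LOW/HIGH value line grants `tcode`."""
    if high:
        # Interval LOW..HIGH. Assumption: bounds compare as plain strings.
        return low <= tcode <= high
    # Single value, or a pattern such as 'OY*' or '*'.
    return fnmatchcase(tcode, low)


def exposed_roles(agr_1251, watched=IMG_TCODES):
    """Map role name -> sorted list of watched tcodes the role can start."""
    hits = {}
    for r in agr_1251:
        if r["OBJECT"] != "S_TCODE" or r["FIELD"] != "TCD":
            continue
        if r["DELETED"] == "X":          # value line flagged as deleted
            continue
        for tcode in watched:
            if value_covers(r["LOW"], r["HIGH"], tcode):
                hits.setdefault(r["AGR_NAME"], set()).add(tcode)
    return {role: sorted(tcodes) for role, tcodes in hits.items()}


def exposed_users(role_hits, agr_users, as_of):
    """Map user -> watched tcodes reachable through roles valid on `as_of`.

    Dates are YYYYMMDD strings, so string comparison orders them correctly.
    """
    users = {}
    for a in agr_users:
        if a["AGR_NAME"] not in role_hits:
            continue
        if not (a["FROM_DAT"] <= as_of <= a["TO_DAT"]):
            continue
        users.setdefault(a["UNAME"], set()).update(role_hits[a["AGR_NAME"]])
    return {user: sorted(tcodes) for user, tcodes in users.items()}


if __name__ == "__main__":
    roles = exposed_roles(AGR_1251)
    for role, tcodes in sorted(roles.items()):
        print(f"role {role}: {', '.join(tcodes)}")
    for user, tcodes in sorted(exposed_users(roles, AGR_USERS, "20240615").items()):
        print(f"user {user}: {', '.join(tcodes)}")
```

Roles are only one path: manually assigned profiles and composite roles (AGR_AGRS) are not resolved here and need the same check.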
R/3 Security Tables
SU21 or SU03: list of authorization objects; activities are stored in the TACT table.
SU02: list of the profiles that exist in your system. SU22: maintain assignment of
authorization objects.

Security Tables
Table | Description
USR02 | Logon data
USR04 | User master authorization (one row per user)
UST04 | User profiles (multiple rows per user)
USR10 | Authorisation profiles (i.e. &_SAP_ALL)
UST10C | Composite profiles (i.e. profile has sub profile)
USR11 | Text for authorisation profiles
USR12 | Authorisation values
USR13 | Short text for authorisation
USR40 | Table for illegal passwords
USGRP | User groups
USGRPT | Text table for USGRP
USH02 | Change history for logon data
USR01 | User Master (runtime data)
UST10S | All single profiles with their authorization registered
USER_ADDR | Address data for users
AGR_1016 | Roles together with their profiles are stored
AGR_1016B | Name of the activity group profile
AGR_1250 | List of authorization objects for individual role
AGR_1251 | Authorization data corresponding field values
AGR_1252 | Organizational values for individual roles
AGR_AGRS | Overview of composite roles and their assigned roles
AGR_DEFINE | All roles
AGR_HIER2 | Menu structure information - Customer vers
AGR_HIERT | Role menu texts
AGR_OBJ | Assignment of Menu Nodes to Role
AGR_PROF | Profile name for role
AGR_TCDTXT | Assignment of roles to Tcodes
AGR_TEXTS | Text information stored in the table
AGR_TIME | Time stamp information for profiles, menu, authorization
AGR_USERS | Assignment of roles to users
USOBT | Relation between transaction to authorization object (SAP)
USOBT_C | Relation Transaction to Auth. Object (Customer)
USOBX | Check table for table USOBT
USOBXFLAGS | Temporary table for storing USOBX/T* chang
USOBX_C | Check Table for Table USOBT_C
USORG | Organization values are listed in the table
AGR_HIER | Menu information
AGR_TCODES | Overview of role with transaction codes
AGR_PROF | Has all roles with their profiles and profile names
AGR_NUM_2 | Internal counter for profiles in roles is stored
AGR_TIMEB | Time stamp for profile generation
AGR_TIMEC | Time stamp for user assignments
AGR_TIMED | Time stamp for profile comparison
AGR_USERS | Overview of roles and user assignments
sapmenu | Is stored in the table SMENSAPNEW; text is stored in SMENSAPT
USGRP_USER | General user groups stored in this table
USREFUS | Assignment of ref users to users (RSUVMO13)
TUTYP | User measurement data serve as basis for calculation of license fees
TOBJ_OFF | To disable authorization objects

SAP Security Reports

SAP Security Report Name | Description
RSUSR_SYSINFO_ROLE (you need to log on to the central system for this) | Report cross-system information/role. STANDARD SELECTION: User name, Receiving system; SELECT ROLE: Role
RSUSR_SYSINFO_PROFILE (you need to log on to the central system for this) | Report cross-system information/profile. STANDARD CRITERIA: User Name, Receiving system, Profile
RSUSRSUIM | Same as SUIM User Information System
RHAUTUPD_NEW | Mass comparison
RSUSR402 | Download user data for CA manager from Secude
RSUSR300 | Set External Security Name for all Users
RSUSR200 | List of Users According to Logon Date and Password Change
RSUSR102 | Change Documents for Authorizations
RSUSR000 | Currently Active Users. Tcodes SU04 and AL08
RSUSR002 | (It's a core tool for user authorization evaluation.) Users by Complex Selection Criteria (search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode; SELECTION BY FIELD NAME: Field Name; SELECTION BY AUTHORIZATIONS: Authorization Object, Authorization; SELECTION BY VALUES: Authorization Object 1 AND Authorization Object 2 AND Authorization Object 3; ADDITIONAL SELECTION CRITERIA: Account number, Start Menu, Output Device, Valid Until, Locked Users Only, Unlocked Users Only, CATT Check ID)
RSUSR002_ADDRESS | Select User According to Address. NAMES: First Name, Last Name, User; COMMUNICATION PATHS: Company, City, Buildings, Room, Extension; OTHER DATA: Department, Cost Center
RSUSR003 | Check the Passwords of Users SAP* and DDIC in All Clients (SAP* DDIC SAPCPIC)
RSUSR004 | Restrict User Values to the following Simple Profiles and Auth Objs. SELECTION CRITERIA: Single Profiles, Authorization Objs
RSUSR005 | List of Users with Critical Authorizations (same as RSUSR009, but the difference is that here you can't choose)
RSUSR006 | List of Users According to Logon Date and Password Change
RSUSR007 | List Users Whose Address Data is Incomplete (here give the Required Address Data)
RSUSR008 | Critical Combinations of Authorizations at Transaction Start (can view either Critical Combinations or Users)
RSUSR009 | List of Users with Critical Authorizations. Same as RSUSR005, but here you can choose (check using either customer data or check using SAP data)
RSUSR010 | Transaction for User with Profile or Authorization (transaction executable either by User, with Role, Profile, Authorization). It provides a list of transactions that are assigned in the context of the selected category
RSUSR011 | Lists of transactions after selection by User, profile or obj. SELECTION FOR User
RSUSR012 | Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)
RSUSR020 | Profiles by Complex Criteria. SELECTION CRITERIA: Profile, Profile text; ADDITIONAL CRITERIA FOR PROFILES: Composite Profile, Single Profile, Generated Profiles; SELECTION BY CONTAINED PROFILES: Profile; SELECTION BY AUTHORIZATIONS: Authorization Object, Authorization; SELECTION BY VALUES: Auth obj, auth obj2, auth obj3; SELECTION BY ROLE (this report allows searching for profiles that correspond with the entered selection criteria)
RSUSR030 | We can evaluate Authorizations by Complex Selection Criteria. SELECTION CRITERIA: Auth Object, Authorization; BY VALUES
RSUSR040 | Authorization Objects by Complex Criteria. STANDARD SELECTIONS: Authorization object; ADDITIONAL CRITERIA: Object class, Obj class text, Field (it helps to search authorization objects)
RSUSR050 | COMPARISONS: Compare Users (USER A, USER B), ROLES, PROFILES, AUTHORIZATIONS, Across Systems (it's a good tool to check and validate role changes in the development phase or user setups across the system)
RSUSR070 | Roles by Complex Selection Criteria. STANDARD SELECTION: Role, Description; SELECTION BY USER: Assignments (excellent tool for role research)
RSUSR100 | Change Documents for Users (change history for user authorizations)
RSUSR101 | Change Document for Profiles
PFCG_ORGFIELD_CREATE, PFCG_ORGFIELD_UPDATE | Organizational fields can be maintained in Profile Generator
PFCG_ORGFIELD_FIELD |
RSUVMOO2 | System measurement calculation of license fees
RSUVMOO5 | To review which user is which user type
RSDELSAP | Deletes the user SAP* in 066 client
RSABAPSC | To check source code of program
RSUSR060OBJ | Authorization object in transactions and programs
RSSCD100_PFCG | Display change docs for role administration
RSTBHIST | Evaluation of log history
RSCSAUTH | Assignment of reports to authorization group
RSANAL00 | Analyze ABAP programs
RSABAPSC | Source code analysis
RPR_ABAP_SOURCE_SCAN | Scan ABAP report sources
RSABABSC | Statistical prog analysis to find ABAP lang commands
RSTMS_SYSTEM_OVERVIEW | Setting can be reviewed
RSSCD100 | Overview of change docs
RSSCD110 | Cross client evaluation of change docs
RSSCD150 | Detail view of change docs
RSTXPDFT4 | PDF creation

Single Sign On

If you are one of those admins who face any of the issues listed below, then SSO is for
you.

- Users access multiple systems, including SAP and non-SAP systems. Some
  systems reside in a dedicated network zone in the intranet, but many systems
  reside on different networks or on the Internet.
- Users need to have different IDs and passwords to access these systems.
- Each of these systems also maintains its own password policy. For example, in the
  SAP HR system, the user has to change his or her password every 30 days. In the
  next system, the user has to change the password every 90 days. In another
  system, the user does not need to regularly change his or her password at all.

What does this lead to? Users forget their passwords. The administrator is constantly
resetting passwords. Keep in mind that this makes social engineering much easier.
The solution is Single Sign-On. With SSO, users access multiple systems based on a
single authentication.

Implementing SSO in NetWeaver 2004s

Verify that the following profile parameters are set correctly in the backend using RZ11:
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
Make sure that in the portal the connector to the back end is defined with the following
settings and that the permission is set correctly:
Authentication Ticket Type - SAP Logon Ticket
Logon Method - SAPLOGONTICKET
User Mapping Type - useradmin,user
Fix certificate

Log in to Visual Administrator.

1. Select the Key Storage Service.
2. Select the TicketKeystore view.
3. Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.
4. Under Entry, choose Create. The Key and Certificate Generation dialog appears.
5. Enter the Subject Properties in the corresponding fields.
The entries in these fields build a Distinguished Name in the form:
CN= , OU= , O=, L=, ST= , C=
Use capital letters for the Country Name.
6. Enter SAPLogonTicketKeypair as the Entry Name.
Do not enter a different name. The J2EE Engine uses the entry with this name to sign
logon tickets.
7. Select the Store certificate option and choose DSA as the algorithm to use.
8. Choose Generate.
Now download the J2EE ticket via the Visual Admin Tool:
Log in to the Visual Admin Tool.
Open the tree "Server # > Services > Key Storage".
Within "Key Storage", choose the view "Ticket Keystore" and the entry
"SAPLogonTicketKeypair-cert".
Click "Export" and save the ticket to a proper location.
Finally, upload the new ticket to STRUST.
Implementing SSO (R/3 / Enterprise portal)
Implementing Single Sign-On for Enterprise Portal and R/3 Backend
Procedure
Download public-key certificate of Portal Server
Use the Keystore Administration tool to download the verify.der file from the
portal.
Set profile parameters

On all of the component system's application servers:

1. Set the profile parameters login/accept_sso2_ticket = 1 and
login/create_sso2_ticket = 0 in every instance profile.
Import public-key certificate of Portal Server to component system's
certificate list and add Portal Server to ACL of component system
Both of these steps can be performed with transaction STRUSTSSO2, which is an
extended version of transaction STRUST. For detailed documentation on
transaction STRUST, see the Web Application Server documentation under
Security > Trust Manager.
In the SAP System, start transaction STRUSTSSO2.
A screen with the following layout appears:

- The PSE status frame on the left displays the PSEs that are defined for the
  system.
- The PSE maintenance section on the top right displays the PSE information for
  the PSE selected in the PSE status frame.
- Below that, the certificate section displays certificate information for a
  certificate that you have selected or imported.
- The Single Sign-On ACL section on the bottom right displays the entries in the
  ACL of the system.
Note that the layout of the transaction will vary slightly, depending on the
release of the SAP System.

2. In the PSE status frame on the left, choose the system PSE.
3. In the certificate section, choose Import Certificate.
The Import Certificate screen appears.
4. Choose the File tab.
5. In the File path field, enter the path of the portal's verify.der file.
6. Set the file format to DER coded and confirm.
7. In the Trust Manager, choose Add to PSE.
8. Choose Add to ACL, to add the Portal Server to the ACL list.
9. In the dialog box that appears, enter the portal's system ID and client. By
default, the portal's system ID is the common name (CN) of the
Distinguished Name entered during installation of the portal. The default
client is 000.

If necessary, you can change these default values by changing the properties
login.ticket_issuer and login.ticket_client respectively in user
management properties.
The other values are taken from the certificate.
10. Save your entry.
11. Do not forget to set profile parameters and ITS service parameters as
described in Configuring SAP Systems to Accept and Verify SAP Logon
Tickets.
Result
The SAP component systems are able to accept SAP logon tickets and verify the
Portal Server's digital signature when they receive a logon ticket from a user.
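
A check for the two ticket parameters named in both SSO procedures above, as an added example that is not part of the original page. The profile names and contents are constructed, and the parser assumes the plain `name = value` profile format with `#` comments, where a later line overrides an earlier one.

```python
"""Check instance profiles for the SSO ticket parameters named above."""

# Values the page asks for on every component-system instance.
EXPECTED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "0",
}

# Constructed profile texts keyed by hypothetical instance profile names.
PROFILES = {
    "PRD_DVEBMGS00_app1": (
        "# instance profile (constructed sample)\n"
        "SAPSYSTEMNAME = PRD\n"
        "login/accept_sso2_ticket = 1\n"
        "login/create_sso2_ticket = 0\n"
    ),
    "PRD_D01_app2": (
        "SAPSYSTEMNAME = PRD\n"
        "login/accept_sso2_ticket = 0\n"
        "login/accept_sso2_ticket = 1\n"      # duplicate: later line wins
        "login/create_sso2_ticket = 2\n"      # instance still issues tickets
    ),
    "PRD_D02_app3": (
        "SAPSYSTEMNAME = PRD\n"
        "#login/accept_sso2_ticket = 1\n"     # commented out, so not set
        "login/create_sso2_ticket=0\n"
    ),
}


def parse_profile(text):
    """Return {parameter: value} from profile text, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_profiles(profiles, expected=EXPECTED):
    """Return (profile, parameter, status, found_value) for each deviation.

    status is 'missing' when the profile does not set the parameter and
    'mismatch' when it sets a different value.
    """
    findings = []
    for name in sorted(profiles):
        params = parse_profile(profiles[name])
        for param, want in expected.items():
            got = params.get(param)
            if got is None:
                findings.append((name, param, "missing", None))
            elif got != want:
                findings.append((name, param, "mismatch", got))
    return findings


if __name__ == "__main__":
    for profile, param, status, got in check_profiles(PROFILES):
        print(f"{profile}: {param} {status} (found {got!r})")
```

A parameter reported as missing from an instance profile may still be set elsewhere, so confirm the active value in RZ11.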
Importing Portal Certificate into SAP System
Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse
file). Use the Keystore Administration tool for this.
Procedure
1. In the component system, start transaction STRUST.
The following screen appears.

This screen displays a list of the certificates contained in the PSE of the
component system.
2. In the certificate group box, choose Import Certificate.
The Import Certificate screen appears.
3. Choose the File tab.
4. In the File path field, enter the path of the portal's verify.der file.
5. Set the file format to DER coded and confirm.
6. In the Trust Manager, choose Add to PSE.
7. Save the new certificate list.

The new certificate list is automatically replicated to all application servers in the
system. You do not have to import the portal certificate onto each application
server separately.

Creating a New User (SU01)

1. Log on to the SAP system.
2. In the command field, enter t-code SU01 and press Enter, or from the user menu
choose Tools > Administration > User Maintenance > Users.

3. Choose
and fill in all the required fields
4. Fill in all the tabs. Password and last name are mandatory.

5. In the Logon tab, make sure you choose the right user type. For end users you
should choose Dialog user.

6. Don't forget to add roles to the user in the Roles tab. If this is a test box and you
want to give all authorizations, add the SAP_ALL and SAP_NEW profiles in the Profiles tab.
SAP Security Interview Questions
Q. SAP Security T-codes
A. Frequently used security T-codes
SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
Q. List a few security tables
Q. How to create users?

Execute transaction SU01 and fill in all the fields. When creating a new user, you
must enter an initial password for that user on the Logon data tab. All other data
is optional.
Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed
within a transaction and which are not (despite the AUTHORITY-CHECK command
being programmed). This table also determines which authorization checks are
maintained in the Profile Generator.
The table USOBT_C defines, for each transaction and for each authorization
object, which default values an authorization created from the authorization
object should have in the Profile Generator.
Solution Manager
In a distributed environment with systems and dependencies of business
processes beyond single system boundaries, there is a need for a new and
efficient support infrastructure. Integrating technical as well as business
(application) environments is more crucial than ever and must be mastered
perfectly.
The SAP Solution Manager, which runs centrally in a customer's solution
landscape as an integrated platform, ensures that distributed systems can be
supported technically.
The SAP Solution Manager introduces a new era of solution management
covering all aspects relevant for technical implementation, operations, and
continuous improvement.
SAP Solution Manager 4.0 offers functional areas to support the management of
the entire customer solution:
- Implementation: Groups Tools, Content, and Methodologies to Efficiently
  Implement SAP Solutions
- Solution Monitoring: Ranges from System Monitoring to Business Process
  Monitoring
- Operations: Offers Services to Manage Your SAP Solution
- Support Area: To Support Every Step on the Way
- Upgrade: Supporting the Upgrade of SAP Components
As of April 2, 2007, SAP Solution Manager will be the only source from which
customers receive maintenance updates for applications based on SAP
NetWeaver 2004s, such as mySAP Business Suite 2005 applications and higher.
It will also serve as the source of maintenance updates for earlier releases of SAP
applications.

Release 4.0 of SAP Solution Manager will offer significant enhancements
for maintenance processes and activities, such as:
- End-to-end and fully pre-configured maintenance management process
- Planning and deployment dashboard for all maintenance-related
  activities
- Source for all Support Packages provided by SAP as part of customers'
  maintenance agreements

Solution Manager training courses offered by SAP:

SMO010 - Solution Manager Concept & Strategy
SMO100 - System Administration with SAP Solution Manager
SMO610 - Business Process Management and Monitoring
SMO150 - Service Desk
SMO155 - Change Request Management
SMI210 - Implementation Methodology Overview
SMI310 - Implementation Tools in Detail
Creating installation key
First you have to create the system. This can be done using tcode SMSY >
Landscape component > Systems.
Scroll down to choose your system. In this case we will choose SAP ERP.
Right-click and choose Create New System with Assistant. Follow the instructions
and create the system:
System : <SID>
Short Description :
SAP Product : SAP ERP
Product Version : SAP ERP 2005
Installation Number : Your Installation number
Choose Next and check Relevant in front of SAP ECC Server, then enter the system
number in the next screen and complete this following the instructions.
Now go back to tcode SMSY and select System > Other object...
Select the radio button for System, enter the SID you created above, choose Generate
Installation/Upgrade Key (Ctrl+Shift+F10) and click Generate Key.
Shortcut for creating installation key:
If you don't want to create a system, you can still choose the Solution Manager system
from the drop-down and hit Generate Key. Once you get to the screen 'Generate
Installation / Upgrade Key', you can enter any system you want. System ID will be
the SID of the new installation. It also requires the system number and the message
server. Click Generate Key.

Solution Manager - Installation on Windows / Oracle

Binary Download Preparation: Download the binaries from here:
Download >> Installations and Upgrades >> My Company's Application
Components >> SAP Solution Manager >> SAP Solution Manager 4.0 >>
Installation and Upgrade >> Windows Server >> Oracle >> Downloads tab
Once the download is done, unzip all the necessary files. I generally make a folder
with a sensible name rather than using the default 510...
Hardware and Software Requirements: Make sure you install Windows 2003
Server Edition, as it is a requirement for NetWeaver 2004s.
Follow SAP's guidelines for file system layout. Since my install is a sandbox
environment, I made two additional file systems other than the C: drive. One drive
will be used to put the Oracle mirror log files; otherwise, if you choose the default
install, SAP puts the mirror logs on the C: drive. I made the data drive 70 GB.
Make sure you patch the OS and apply the latest support packs.
Install Java SDK: Download the Java SDK and cryptographic file from here.
Once you install the Java SDK, make sure that the path variable is set correctly. This
should include %JAVA_HOME%\bin; at the beginning of the PATH string. You
can verify this by typing the command java -version. This should show the version
you have installed.
Installation of SAP
Start the install as a root directory: Log on to the host as user administrator.
Go to the Installation_Master DVD and run sapinst.
Select central instance. Complete the installation.
Applying JAVA Patch and Kernel Patch
Maintain company address.
Profile Parameter setup
Setting up Transport (STMS)
Client Copy
Set Up Time Zone
Set Up LOCL Printer
Activate Solution Manager.
Configure SLD
Changing the saplogon image
