End User
Transaction Code
Menu Path
Purpose
SU3
SU53    System --> Utilities --> Display Authorization Check    Display last authority check that failed
SU56
SCDO (TCODE): CHANGE DOC OBJECTS STORED IN THE TABLE TCDOB
CDHDR
Role Administration
Transaction Code
Menu Path
Purpose
PFCG
PFUD
<none>
SUPC
Purpose
SU01
Maintain Users
SU01D
SU10
SU02
SU03
Purpose
RZ10
SU25
IMG Activity:
Enterprise IMG --> Basis
Components --> System
Administration --> Users and
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
SU24
Transport
Transaction Code
Menu Path
Purpose
SCCL
SCC9
SCC8
<none>
<none>
SU25
Point 3.
STMS
Menu Path
Purpose
System configuration
Transaction Code
RZ10
RZ11
SM01
Authorization Object
Transaction Code
Menu Path
Purpose
SU20
SU21
Audit
Transaction Code
Menu Path
SE84
Purpose
Tools --> Administration --> User Information System for SAP R/3
Maintenance --> Information
Authorizations
System
SECR*
<none>
Menu Path
Purpose
Table maintenance
Transaction Code
SM30
(Tables
V_BRG,
V_DDAT)
Table Group
Transaction Code
SE43
Menu Path
Purpose
SE15
Utilities for
SSM0 Menu
Dictionary Tables
Maintenance
and Test
ABAP/4
Repository Info
System
System Trace
SE38
ABAP/4 Editor
ST02
Setup/Tune
Buffers
SE54
Generate Table
ST03
Performance
Workload
View
SAP statistics,
Workload
AL06 Performance:
SE61
Upload/Download
R/3
Documentation
ST04
Select Database
Activities
ABAP/4
Development
Workbench
ST05
SQL Trace
Maintain
Messages
ST06
Operating
System Monitor
Application
Monitor
AL11 Directories
SE93
Maintain
ST08
Transaction Codes
Network
Monitor
SH01
Online Help: F1
Help Server
ST09
Network Alert
Monitor
SH03
Call Extended
Help
ST10
Table Call
Statistics
AL15 Customize
SAPOSCOL
destination
SICK
Display
Developer
Traces
Application
Monitor
Application
Analysis
SLW4 Translation:
Application
Hierarchy
ST14
ABAP/4
Runtime Error
Analysis
Local
Transaction
Statistics
STDR TADIR
Consistency
Check
STUN Performance
Monitor Menu
Maintain User
Records
DB12 Overview of
Backup Logs
SU02
Maintain
Authorization
Profiles
DB13 Database
Administration
Calendar
SM31 Table
Maintenance
SU03
Maintain
Authorizations
SU10
Mass Changes
to User Master
Records
SU12
Mass Changes
to User Master
Records
SU20
Maintain
Authorization
Fields
SU21
Maintain
Authorization
Objects
RZ03 Presentation,
Control SAP
Instances
SU22
Auth Objects
Usage in
Transactions
SM50 Workprocess
Overview
SU24
Maintain Profile
Generator
Tables
SU25
Copy SAP to
Customer Prof
Gen Tables
Overall
Authorization
Checks
RZ10 Maintenance of
SM64 Release of an
Profile Parameters
Event
SU50
Maintain User
Defaults
SU51
Maintain User
Address
SAR
SU52
Maintain User
Parameters
Maintain
SM66 System-wide
Transaction Codes
Work Process
Overview
SARA Archive
Management
SU53
Analyze
Authorization
Error
SM68 Job
Administration
SU56
Display list of
User
Authorizations
SMX
(test)
Menu
On/Off
SE02 Environment
Analyzer
SP01
TemSe
Administration
SE09 Workbench
Organizer
SPIT
SE10 Customizer
Organizer
SPAD Spool
Administration
SE11 ABAP/4
Dictionary
Maintenance
SE12 ABAP/4
SPAT
Dictionary Display
SWUF Workflow
Monitor
Spool
TU01
Administration test
Call Statistics
Active Instance
Profile
parameters
QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a
whole range of options for defining reports. SAP Query also supports different
kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer
(SQVI), on the other hand, is a tool that allows even relatively inexperienced
users to create basic lists. I have created a tutorial for SQVI.
User assignment
Never insert generated profiles directly into the user master record (Transaction
SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose
the User tab in role maintenance (PFCG) and enter the user to whom you want to
assign the role or profile. If you then compare the user master records, the system
inserts the generated profile in the user master record.
Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important you do not
assign any authorizations for those modules you have not yet installed. This
ensures that you cannot accidentally change data in your production system you
may need at a later stage. Leave the corresponding authorizations or
organizational levels open.
Creating SPRO Display only.
You might be asked to give SPRO display while implementing your SAP.
I generally give these authorizations to make it display only. Please test it.
Object        Field         Value
S_PROJECT     PROJECT_ID    *
S_PROJECT     PROJ_CONF     *
S_RFC         ACTVT         03
S_RFC         RFC_NAME      *
S_RFC         RFC_TYPE      *
S_TABU_CLI    CLIIDMAINT    '
S_TABU_DIS    ACTVT         03
S_TABU_DIS    DICBERCLS     *
S_TRANSPRT    TTYPE         Deactivate or remove PIEC and TASK
S_CODE                      REMOVE SPRO
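A check of a role against the display-only list above, as an added example that is not part of the original page. It assumes the role's authorization values were exported as rows shaped like table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the role names and sample rows are constructed, and requiring ACTVT to be exactly 03 on every listed object generalizes the list.

```python
from fnmatch import fnmatchcase

# Objects from the list above; any ACTVT on them must be 03 (display) only.
CHECKED_OBJECTS = {"S_PROJECT", "S_RFC", "S_TABU_CLI", "S_TABU_DIS"}
# Request types the list says to deactivate or remove from S_TRANSPRT / TTYPE.
BLOCKED_TTYPES = ("PIEC", "TASK")


def covers(low, high, value):
    """True if an authorization value includes `value`.

    Handles a single value, a pattern containing '*', or a LOW-HIGH range.
    """
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def audit_display_role(rows):
    """rows: iterable of (role, object, field, low, high). Returns findings."""
    findings = []
    for role, obj, field, low, high in rows:
        if obj in CHECKED_OBJECTS and field == "ACTVT":
            # A wildcard or a range such as 01-03 grants more than display.
            if not (low == "03" and high in ("", "03")):
                findings.append((role, obj, field, "activity beyond 03 (display)"))
        elif obj == "S_TRANSPRT" and field == "TTYPE":
            hit = [t for t in BLOCKED_TTYPES if covers(low, high, t)]
            if hit:
                findings.append((role, obj, field, "allows " + "/".join(hit)))
    return findings


# Constructed sample rows; Z_SPRO_DISPLAY and Z_SPRO_BROKEN are hypothetical roles.
ROWS = [
    ("Z_SPRO_DISPLAY", "S_PROJECT", "PROJECT_ID", "*", ""),
    ("Z_SPRO_DISPLAY", "S_RFC", "ACTVT", "03", ""),
    ("Z_SPRO_DISPLAY", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_SPRO_DISPLAY", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_SPRO_DISPLAY", "S_TRANSPRT", "TTYPE", "CUST", ""),
    ("Z_SPRO_BROKEN", "S_TABU_DIS", "ACTVT", "02", ""),
    ("Z_SPRO_BROKEN", "S_RFC", "ACTVT", "01", "03"),
    ("Z_SPRO_BROKEN", "S_TRANSPRT", "TTYPE", "*", ""),
]

if __name__ == "__main__":
    for finding in audit_display_role(ROWS):
        print(*finding, sep=" | ")
```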
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested
during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench -->
Development --> Other Tools --> Authorization Objects --> Fields.
To create an authorization field, proceed as follows:
Security Tables
Table         Description
USR02         Logon data
USR04         User master authorization (one row per user)
UST04         User profiles (multiple rows per user)
USR10         Authorisation profiles (i.e. &_SAP_ALL)
UST10C        Composite profiles (i.e. profile has sub profile)
USR11         Text for authorisation profiles
USR12         Authorisation values
USR13         Short text for authorisation
USR40         Table for illegal passwords
USGRP         User groups
USGRPT        Text table for USGRP
USH02         Change history for logon data
USR01         User Master (runtime data)
UST10S        All single profiles with their authorization registered
USER_ADDR     Address data for users
AGR_1016      Roles together with their profiles are stored
AGR_1016B     Name of the activity group profile
AGR_1250      List of authorization objects for individual role
AGR_1251      Authorization data corresponding field values
AGR_1252      Organizational values for individual roles
AGR_AGRS      Overview of composite roles and their assigned roles
AGR_DEFINE    All roles
USOBX_C
USORG
Agr_hier
Agr_tcodes
Agr_prof
Agr_num_2
Agr_timeb
Agr_timec
Agr_timed
Agr_users
sapmenu
Usgrp_user
usrefus
Tutyp
Tobj_off
RSUSR_SYSINFO_PROFILE
(YOU NEED TO LOG ON TO
THE CENTRAL SYSTEM FOR
THIS)
RSUSRSUIM
RHAUTUPD_NEW
RSUSR402
RSUSR300
Description
Report cross-system
information/role
STANDARD SELECTION,
User name, Receiving
system, SELECT ROLE
Role
Report cross-system
information/profile
STANDARD CRITERIA
User Name, Receiving
system, Profile
Same as SUIM User
Information System
MASS COMPARISON
Download user data for CA
manager from Secude
Set External Security Name
RSUSR102
RSUSR000
RSUSR002
RSUSR002_ADDRESS
RSUSR004
RSUSR005
RSUSR006
RSUSR007
RSUSR008
RSUSR009
RSUSR010
RSUSR011
RSUSR012
Search authorizations,
profiles and users with
specified object value
(DISPLAY authorization
objects, DISPLAY
authorizations, DISPLAY
profiles, DISPLAY users)
RSUSR020
Profiles by Complex
Criteria SELECTION
CRITERIA Profile, Profile
test, ADDITIONAL
CRITERIA FOR
PROFILES, Composite
Profile, Single Profile,
Generated Profiles,
SELECTION BY
CONTAINED PROFILES
Profile, SELECTION BY
AUTHORIZATIONS,
Authorization Object,
Authorization, SELECTION
BY VALUES, Auth obj,
auth obj2, auth obj3,
SELECTION BY
ROLE(this report allows
searching for profiles that
correspond with the entered
selection criteria)
We can evaluate
Authorizations by Complex
RSUSR030
RSUSR040
RSUSR050
RSUSR070
Selection Criteria
SELECTION CRITERIA,
Auth Object, Authorization,
BY VALUES
Authorization Objects by
Complex Criteria,
STANDARD
SELECTIONS,
Authorization object,
ADDITIONAL CRITERIA
Object class, Obj class text,
Field(it helps to search
authorization objects)
COMPARISONS, Compare
Users, USER A -----USER B--------, ROLES,
PROFILES,
AUTHORIZATIONS,
Across Systems (it's a good
tool to check and validate
role changes in development
phase or user setups across
the system)
Roles by Complex Selection
Criteria STANDARD
SELECTION Role,
Description, SELECTION
BY USER
Assignments(excellent tool
for role research)
RSUSR100
RSUSR101
PFCG_ORGFIELD_CREATE
PFCG_ORGFIELD_UPDATE
ORGANIZATIONAL
FIELDS CAN BE
MAINTAINED IN
PROFILE GENERATOR
PFCG_ORGFIELD_FIELD
Report                    Description
RSUVMOO2                  System measurement calculation of license fees
RSUVMOO5                  To review which user is which user type
RSDELSAP                  Deletes the user sap* in 066 client
RSABAPSC                  To check source code of program
RSUSR060OBJ               Authorization object in transactions and programs
RSSCD100_PFCG             Display change docs for role administration
RSTBHIST                  Evaluation of log history
RSCSAUTH                  Assignment of reports to authorization group
RSANAL00                  Analyze abap programs
RSABAPSC                  Source code analysis
RPR_ABAP_SOURCE_SCAN      Scan abap report sources
RSABABSC                  Statistical prog analysis to find abap lang commands
RSTMS_SYSTEM_OVERVIEW     SETTING CAN BE REVIEWED
RSSCD100                  Overview of change docs
RSSCD110                  Cross client evaluation of change docs
RSSCD150                  Detail view of change docs
RSTXPDFT4                 PDF CREATION
Single Sign On
If you are one of those admins who face any of the issues listed below, then SSO is for
you.
Users access multiple systems, including SAP and non-SAP Systems. Some
systems reside in a dedicated network zone in the intranet but many systems
reside on different networks or on the Internet.
Users need to have different IDs and passwords to access these systems.
Each of these systems also maintains its own password policy. For example, in the
SAP HR system, the user has to change his or her password every 30 days. In the
next system, the user has to change the password every 90 days. In another
system, the user does not need to regularly change his or her password at all.
What does this lead to? Users forget their passwords. The administrator is constantly
resetting passwords. Keep in mind that this makes social engineering much easier.
The solution is Single Sign-On. With SSO, users access multiple systems based on a single
authentication.
Verify that the following profile parameters are set correctly in the backend using RZ11:
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
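The same check run offline against a profile file, as an added example that is not part of the original page. It assumes the profile is plain `name = value` text with `#` comment lines; the sample profile is constructed, and a parameter missing from the file still has to be confirmed in RZ11.

```python
import re

# Values this page says the backend must have (checked there with RZ11).
EXPECTED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "0",
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: [values in file order]}; '#' comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params.setdefault(m.group(1), []).append(m.group(2))
    return params


def audit_sso(text, expected=EXPECTED):
    """Return a sorted list of (parameter, finding) for every deviation."""
    params = parse_profile(text)
    findings = []
    for name, want in expected.items():
        values = params.get(name)
        if not values:
            findings.append((name, "not set in profile, confirm effective value in RZ11"))
        elif len(set(values)) > 1:
            # The same parameter defined twice with different values is ambiguous.
            findings.append((name, "conflicting values %s" % values))
        elif values[0] != want:
            findings.append((name, "is %s, expected %s" % (values[0], want)))
    return sorted(findings)


# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 0
"""

if __name__ == "__main__":
    for name, finding in audit_sso(SAMPLE_PROFILE):
        print(name, "->", finding)
```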
Make sure that in the portal the connector to the back end is defined with the following
settings and that the permission is set correctly:
Authentication Ticket Type - SAP Logon Ticket
Logon Method - SAPLOGONTICKET
User Mapping Type - useradmin,user
Fix certificate
The PSE status frame on the left displays the PSEs that are defined for the system.
The PSE maintenance section on the top right displays the PSE information for the
PSE selected in the PSE status frame.
Below that, the certificate section displays certificate information for a
certificate that you have selected or imported.
The Single Sign-On ACL section on the bottom right displays the entries in the
ACL of the system.
Note that the layout of the transaction will vary slightly, depending on the
release of the SAP System.
2. In the PSE status frame on the left, choose the system PSE.
3. In the certificate section, choose Import Certificate.
The Import Certificate screen appears.
4.
5.
6.
7.
8.
9.
If necessary, you can change these default values by changing the properties
login.ticket_issuer and login.ticket_client respectively in user
management properties.
The other values are taken from the certificate.
10. Save your entry.
11. Do not forget to set profile parameters and ITS service parameters as
described in Configuring SAP Systems to Accept and Verify SAP Logon
Tickets.
Result
The SAP component systems are able to accept SAP logon tickets and verify the
Portal Server's digital signature when they receive a logon ticket from a user.
Importing Portal Certificate into SAP System
Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse
file). Use the Keystore Administration tool for this.
Procedure
1. In the component system, start transaction STRUST.
The following screen appears.
This screen displays a list of the certificates contained in the PSE of the
component system.
2. In the certificate group box, choose Import Certificate.
The Import Certificate screen appears.
3.
4.
5.
6.
7.
The new certificate list is automatically replicated to all application servers in the
system. You do not have to import the portal certificate onto each application
server separately.
3. Choose
and fill in all the required fields
4. Fill in all the tabs; password and last name are mandatory.
5. In the logon tab make sure you choose the right user type. For end users you
should choose Dialog user
6. Don't forget to add roles to the user in the role tab. If this is a test box and you want to give
all authorizations, add the sap_all and sap_new profiles in the profile tab.
SAP Security Interview Questions
Q. SAP Security T-codes
A. Frequently used security T-codes
SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
Q. List a few security tables
See the security tables listed above.
Q. How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new user, you
must enter an initial password for that user on the Logon data tab. All other data
is optional.
Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed
within a transaction and which are not (despite a programmed authority-check
command). This table also determines which authorization checks are
maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization
object which default values an authorization created from the authorization
object should have in the Profile Generator.
Solution Manager
In a distributed environment with systems and dependencies of business
processes beyond single system boundaries, there is a need for a new and
efficient support infrastructure. Integrating technical as well as business
(application) environments is more crucial than ever and must be mastered
perfectly.
The SAP Solution Manager, which runs centrally in a customer's solution
landscape as an integrated platform, ensures that distributed systems can be
supported technically.
The SAP Solution Manager introduces a new era of solution management
covering all aspects relevant for technical implementation, operations, and
continuous improvement.
SAP Solution Manager 4.0 offers functional areas to support the management of
the entire customer solution:
Implementation: Groups Tools, Content, and Methodologies to Efficiently
Implement SAP Solutions
Solution Monitoring: Ranges from System Monitoring to Business Process
Monitoring
Operations: Offers Services to Manage Your SAP Solution
Support Area: To Support Every Step on the Way
Upgrade: Supporting the Upgrade of SAP Components
As of April 2, 2007, SAP Solution Manager will be the only source from which
customers receive maintenance updates for applications based on SAP
NetWeaver 2004s, such as mySAP Business Suite 2005 applications and higher.
It will also serve as the source of maintenance updates for earlier releases of SAP
applications.