Vous êtes sur la page 1sur 76

Brief Description About SAP Basis Implementation

Please give a brief description about implementation process carried out.


There is no standard Implementation process, it purely depends on which methodology
person have adopted for implementation. I will give you broad view of implementation
project... I am just starting from sizing of the servers ...
1. Identify the no of users and type of users
2. Design the technical system landscape of servers
3. Do the sizing based on users, documents created.
4. Convert your sizing requirement in to Hardware requiremnet
5. Consider the backup procedure also
6. Then start with the setup of development landscape
7. Define client strategy, transport strategy, User management.
8. Fix the support package levels.
9. Tune the system for performence
10. set up the QA systems
11. Define client copy strategy
12. Setup the PROD systems
13. Apply for Pre Golive report
14. Monitor system of db load
15. Apply post golive report

*-- Bajrang

SAP Administrator Daily Activities


SAP DAILY ACTIVITIES
1] Check that all the application servers are up:
sm51
SAP Servers
sm04/al08 Logon Users
2] Check that daily backup are executed without errors
db12 Backup logs: overview

3] SAP standard background jobs are running successfully. Review for cancelled and critical
jobs.
sm37 Background jobs--- Check for successful completion of jobs. Enter * in user-id field
and verify that all critical successful jobs and review any cancelled jobs.
4] Operating system Monitoring
st06
5] Extents monitoring
db02 Database monitoring--Check for max-extents reached
6] Check work-processes(started from sm51)
sm50 Process overview-- All work processes with a running or waiting status.
7] Check system log
sm21 System log-- Set date and time to before the last log review. Check for errors
,warning, security, message-bends, database events.
8] Review workload statistics
st03 Workload analysis of <sid>
sto2 tune summary instance
9] Look for any failed updates
sm13 update records
10] check for old locks
sm12 lock entry list
11] Check for spool problems
sp01 spool request screen-- check for spool that are in request for over an hour.
12] Review and resolve dumps
st22 ABAP Dump analysis
13] Checking .trc file in SAP trace directory for block corruption on daily basis.
C:\ORacle\sid\saptrace
14] Archive backup
brarchive -f force -cds -c
Insert the archive backup tape
15] Review NT system logs for problem
-> NT system log- look 4 errors or failures
-> NT security log- failed logon 2 sap servers
-> NT Application log -look 4 errors or failures

*-- Vijay Mehta

SAP BASIS INTERVIEW QUESTIONS & ANSWERS 5

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1.Can you kill a Job?
Yes - SM37 - select - kill
2.If you have a long running Job, how do you analyse?
Use transaction SE30.
3.What is private mode? When does user switch to private mode?
Private mode is a mode where the heap data is getting exclusively allocated by the user and is
no more shared across the system. This happens when your extended memory is exhausted.
4.How to uncar car/sar files in a single shot?
on Unix: $ for i in *.SAR; do SAPCAR -xvf $i; done
5.Which table contains the details related to Q defined in SPAM? Is there a way to
revert back the Q defined? If yes, How?
There is a "delete" button when you define the queue. If you already started the import it's no
more possible since the system will become inconsistent.
6.What is mysap?
It's a term for all the systems that in a contract (e. g. a MySAP business suite consist of
ERP2005, CRM2005, SRM2005).
7.What is ASAP?
It's an old term for an implementation strategy. Blueprint -> prototype -> goLive (if you want
to say it in one sentence).
8.Describe how SAP handles Memory Management?
ST02 / ST03 In general via table buffers, you could go into the whole Work Process, roll in,
roll out, heap (private) memory, etc. however just as a Unix or DBA admin would know, is
you look this up when needed for the exact specifics.
9.Using Tcode SGEN I have generated 74% job and later I have terminated the job. I
wish to start generating from where it stopped I have refreshed but to no chance
nothing was done. How should I further proceed so as to complete the remaining job ?
Start SGEN again and select the same you have selected before. It will popup and ask if you
want to start from scratch or generate the just the remaining.
10.When we should use Transactional RFC ?
A "transactional RFC" means, that either both parties agree that the data was correctly
transfered - or not. There is no "half data transfer".
11.What is osp$ mean? What if user is given with this authorisation?
OPS$ is the mechanism the <SID>adm users uses to connect to the database.
12.What is a developer key? and how to generate a developer key?
The developer key is a combination of you installation number, your license key (that you get

from http://service.sap.com/licensekey) and the user name. You need this for each person that
will make changes (Dictionary or programs) in the system.
13.How to see when were the optimizer stats last time run? We are using win2k, oracle
9, sapr/3 46c.
Assumed DB=Oracle
Select any table lets take MARA here but you should do the same for MSEG and few others
to see whether the dates match or not.Run the following command on the command prompt :
select last_analyzed from dba_tables where table_name like '%MARA%';
This gives you a straight answer .Else you can always fish around in DB14 for seeing when
the optimzer stats were updated.
14.I would like to know the version or name of SAP that is implemented in real time?
This is a very generic question and really depends on what you are implementing (modules).
The history of the "R/3" is
3.0D Basis 300
3.0E Basis 300
3.0F Basis 300
3.1H Basis 310
3.1I Basis 310
4.0B Basis 400
4.5B Basis 450
4.6C Basis 460
4.71 Basis 6.20
4.72 Basis 6.20
5.00 Basis 6.40 (ECC 5.0 - Enterprise Core components)
6.00 Basis 7.00 (ECC 6.0) - actually in RampUp
All of those have increased business functionality and interfaces to other systems (CRM, BW
etc.)
15.How should I set priority for Printing say like user, team lead, project manager?
There's nothing like "priority" settings for spool processes. Just define more (profile
parameter rdisp/wp_no_spool) processes so people don't need to wait.
16.What is the use of Trusted system. I know that there is no need of UID and PWD to
communicate with partner system. In what situation it is good to go for Trusted
system ?
E. g. if you have an R/3 system and a BW system and don't want to maintain passwords.
Same goes for CRM and a lot of other systems/applications.
17.Why do you use DDIC user not SAP* for Support Packs and SPAM?
Do _NOT_ use neither DDIC nor SAP* for applying support packages. Copy DDIC to a
separate user and use that user to apply them
18.What is the systems configuration required to implement SAP.. i.e for
production,development and QAS servers the hard disk space, RAM, Processor
This also depends on what your are implementing, how many users will work on the system,
how many records in what area are created etc.
We need a BIG database system and an even bigger application servers.

19.Let me know if my understanding below is correct:


1) By default the RFC destination is synchronous
2) Asynchronous RFC is used incase if the system initiated the RFC call no need to wait
for the response before it proceeds to something else.
Yes - that's right.
But keep in mind, that it's not only a technical issue whether to switch to asynchronous. The
application must also be able to handle that correctly.
20.What is the use of profile paramater ztta/roll_area?
The value specifies the size of the roll area in bytes. The roll area is one of several memory
areas, which satisfies the user requests of user programs. For technical reasons, however, the
first 250 KB or so of a user context are always stored in the roll area, further data
- up to the roll area limit ztta/roll_first,
- in the extended memory, up to the limit ztta/roll_extension or if extended memory is
exhausted, then
- again in the roll area, until the roll area is full, then
- in the local process area, up to the limit abap/heap_area_dia or abap/heap_area_total or until
the address space or the swap space is exhausted.
Followed by termination with errors like STORAGE_PARAMETERS_WRONG_SET an
error code, that points to memory bottleneck Minimum data transfer with context change;
however, the increase helps to avoid problems (address space, swap space, operating system
paging).

SAP BASIS NOTES -1

SAP R/3
SAP (Systems Application and Programs, Real time)
SAP is 3 Tier Architecture
SAP Standard version starts with 3.0, 4.6B, 4.7EE, NW.04 (came in 2004), NW.04S,
ECC5, ECC6
OTHER VERSIONS
SAP Industries (Business Related Industry)
SAP Applications (Collaborative for Cross Application)
MySap Business Suit OR MySAP.com: has been introduced for small and medium industries
SAP Netweaver Using Internet
SAP Netweaver is a combination of My SAP Business Suit and Sap Applications
MySapBS+SAP application
Steps to Install SAP
Operating System (OS)
Database (DB)
SAP

First we have to install OS , DB then SAP.


Java introduced in 4.7EE Versions. Real Java came in NW04 Version
SAP DATABASE using
SAO ORACLE SAP
SQL SERVER
DB2
ABAP Programming language designed by SAP
(ABAP+J2EE) - included in NW04
Components - NW.04
WAS-Web Application Server(ABAP+J2EE)
EP- Enterprise Portal
XI-exchange Infrastructure
MDM
Acrobat Reader
ECC5 and ECC6+Solution Manager
ECC5 ECC6 CRM SRM NW (are Web Application Server)
XI- Exchange Rate
MDM - Master Data Management (Manages Data)
SAP will consist:
Developers (ABAP) + Functional Consultants + Basis
BASIS is a Mediator for Database Administrator + Security
SAP Software Life Cycle
Ramp-up Phase (SERVICE.SAP.COM)
- What is Total Life Cycle
- What are the new Sap Products in the market
- PAM (Product Availability Matrix)
Software Maintenance two keys
- List of SAP packages
- Software Release New SAP S/W release
SAP Maintenance Strategy & Planning
5-1-2(Formula) (Total 8 Years)
5 years of standard maintenance
1 year of extended maintenance + with a free of 2% of standard maintenance
2 years of extended maintenance + 4% Standard maintenance
Navagation
3 types of GUI in SAP
Default
Windows Based GUI - SAP GUI for Windows
HTML Based GUI - SAP GUI for HTML
JAVA Based GUI - SAP GUI for JAVA

SAP Login
- Client:
- User Name:
- Password:
Two Types of Menus in SAP
1. Standard Menu(SAP Menu)
2. Roll Based Menu
Each User will get roll based menu
USER_SSM: is a table where all the menus related information is stored. (whether it is roll
based or standard based)
SMEM_BUFFC is a table where favorite information is stored
SMEN_BUFFI is a table where favorite information is stored
Downloading from SAP to desktop as well as Uploading desktop to SAP stepes are:
->System
->List
->Save
->Local file
Shortcut Commands
/n Takes to new session in session
/o New window in new session
/nend Logging of current session
/nex To close entire system (without saving)
/I unsaved session logout
Help SAP
In SAP there are two types of helps
F1 Technical Help
F4 It provides possible entries for a particular field. (Maximum 500 entries are allowed in
F4)
Filtering Data in SAP
SE16 Is the Transaction Code to view the contents of the particular table.
GUI - SAP
Two Types of GUI in SAP
- SAPgui.exe
- SAPlogin.exe
Button on GUI
- Group
- Server
- New item
- Delete
- Change
- Login
- Validation
- Change item
SAP log: Start SAP logon file.

Every System will have a port number 32 with (00-99)


3298 nipping
3299 SAP router
SAP Architecture:
Three types of Architecture
- Single Tier -> Presentation Layer
- Two Tier -> Application Layer
- Three Tier -> DB Layer
If P, A, and DB are in one box, it is called Single Tier architecture.
If P and A are in one box and DB in other box, it is called Two Tier architecture.
If P in one box and A in another box and DB in another box is called Three Tier architecture.
Presentation Layer:- Front End
Application Layer:- Real calculations and Computing
Database:- Database been stored

SAP BASIS NOTES -2

SAP Landscape (3 system landscape)


How SAP systems are arranged

Basis guy can accesses Development, Quality and Production boxes.


- Each box will have a system ID i.e. (SID NO)
- In Production box we have only one client (No changes are allowed in production box)
- In Development box we have three clients
- In Quality we have two clients
- All the changes are done in only in Development box
- Only testing is done in Quality box
- Changes done in Development box should be moved to quality box and get tested and
finally it is transformed to production box.

- End user have accesses to only production box and very few end users will have accesses
to separate training box.

- SAND box is used only for R&D purpose. Whatever changes you do in SAND box will
not be
transported out of the box i.e. the changes are stored under $TEMP (local server
only).
- Training box is used by end users for training purpose.
- Both SAND and Training box will have the exactly the data as production box.
Development Box
- MAST
- CUST
- SAND
MAST
000 001 066 Clients
000 to 999 client number names
Type of Changes in Development box
In SAP there are only two types of changes.
Workbench change: T.C. is SE09
Customizing Change: T.C. is SE10
Workbench Change: changes made to the default values provided by the SAP in the tables
is called workbench change.
Customizing Change: is a change which a totally new change in a system.ex. creating a new
program or modifying structure of a program.
Transaction code SE01 = SE09 + SE10
- What ever workbench changes are transported using the transport layer SAP
- Customizing transport layer Z<SID>
- Anything starting with Z in SAP its a customizing change.
- In SAP there will be always one export and N number of inputs.
Ratio of export to imports is E:I; 1:N
- In three system landscape one export and two imports.
- Data moved out of development box is called as export
- Data pulled into quality and production box is called as import.

- The process is called as transportation

CTD: is a physical location which has to be configured at the time of installation.


- CTD in most cases is configured in development box.
- Client number and user name will be same in all boxes
MAST Client

000
Master Client
Client
000
001
066

001
Backup Client
User ID
sap*
ddic
early watch

066
Early watch
Password
06071992
19920706
surpass/support

These all are SAP client user ID, Client and Password.
-

6th July 1992 when SAP moved from two Tier architecture to three Tier architecture.
R/2 is Mainframe
R/3 SAP

- Basis guys will have accesses to DDIC only.


- Initally all newly created client use dummy i.e. it will not have any data.
- We have to do a client copy in order to populate the data in the newly created client. This
process is called as client copy.
- In order to login into a newly created client should use user ID sap* password is pass.
- ddic is also called as god like user.
- Early watch is a user ID is used by SAP AG people for trouble shoots (ISDN line and router
configuration is require for early watch).
3 Tier + 3 system landscape (SAP-model)

Multi System Landscape

SAP BASIS INTERVIEW QUESTIONS :-

1) Which directory do we have the exe files?


2) Which directory do we have errors or logs or traces recorded?
3) What is the profile parameter for increasing the number of background work
process?
4) Difference between Central Instance and Application Server Instance?
5) How many Application server instances are there in your company?
6) How many modules did you support?

7) What is the version of OS, DB and R/3?


8) What is the patch level of R/3 used in your project?
9) What are the IP addresses of your R/3 systems?
10) If the dispatcher work process fails can I login to SAP system?
11) How to check the status of dispatcher from OS level?
12) What are the start/stop commands for SAP system from IS level?
13) If dialog work process fails where can I check the logs related to the dialog
Work Process?
14) What are the three types of profile parameters and what is their naming
convention?
15) What is the technology used by SAP systems to process user requests?
16) What is the transaction code to check whether all my instances are active or
not?
17) What is the transaction code for finding out number of work process present
in a particular instance?
18) How do I do manual switching of operation mode?
19) How many work processes are required in order to login to SAP system?
What are the types?
20) In what sequence does the system read system parameters?
21) What is the transaction code to check the consistency of individual profiles?
22) In which sequence we perform the setting up of operation modes?
23) Which SAP processes are started when the SAP system or an instance is
started?
24) How do I find out which are dynamically switched or static parameters?
25) How do I display current values of system parameters? What are the ways of
displaying current values of system parameters?
26) If I make any change to the startup profile do I need to restart SAP system?

Posted by Kumar SAP at 12/13/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis questions, sap interview questions, SAP INTERVIEW
QUESTIONS AND ANSWERS, sap questions
SAP DATABASE INTERVIEW QUESTIONS & ANSWERS -2

SAP DATABASE INTERVIEW QUESTIONS &


ANSWERS -2

(Q) Can RMAN recover the Database automatically without Recovery


catalog ?
(A) NO
(Q) Is whole Backup can be consider as level 0 Backup ?
(A) Whole backup is not level 0 Backup and cant be used as basis for
Incremental Backup.
(Q) Why do we need to perform a preparatory run ?
(A) If Backup with RMAN is supposed to form sets then we need to run
Preparatory run.
Preparatory run can be run from DB13 prepare for RMAN Backup.
No Backup is created during preparation run, only estimates Compression rate
of BRTOOLS to compress the files and to determine compressed and
decompressed file sizes.
It is recommended to perform preparatory run per one Backup cycle.
(Q) What are the contents of tape lable after a tape is Initialized ?
(A) (i) Tape Name
(ii) Name of the Database
(iii) Time stamp of last backup recorded on the tape
(iv) Number of Backups performed with the tape
(Q) Before writing data to tape if the lable is Red to check the following
(A)(i) Tape Name
(ii) Tape Locked or Expired(Expire_period)
(iii) No. of times the tape already been read(Tape_use_count)

If Expiration_period = 0 days, the Volume is not locked at all and can be over
written
If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check
tape locks ?
(A) There are 2 types of locks
(i) Physical lock check: Physical lock check is done by checking tape label
parameter Expir_period. If the number of days passed since the tape was last
used is less than value of parameter Expir_period, then the tape is physically
locked.
(ii) Logical lock check: This value is derived from the time stamp written to
tables SDBAH, SDBAD
(Q) What are the various tape selection processes ?
(A) (i) Auto tape selection BRBACKUP and BRARCH
(ii) Manual selection by the Operator
(iii)By external tool
(Q) What is the option to select the tapes automatically by BRBACKUP
and BRARCH ?
(A) Set the parameter Volume_Backup and Volume_archive to TAPE
(Q) What is the command to check which tape will be automatically
selected ?
(A) BR Backup | BRARCHIVE Q | Query { check }
(Q) How do we switch off automatic tape Management ?
(A) By setting up the parameter(Volume Backup and Volume Archive) to the
value SCRATCH
(Q) How do I turnoff the tape management performed by SAP tools ?
(A) Configure the parameter Backup_dev_type= UTIL_FILE
OR
UTIL_FILE_ONLINE and also configure BACKINT interface in init<SID>.sap
NOTE: BackINT Interface program is only supported for external Backup.
(Q) How do we verify Backups ?
(A) Verification of backups is of 2 types
(i) Tape Verification: The files are restored file by file and compared with
original files to verify if the backup is redable.
(ii) DB Block consistency: This checks the Database block by block using
Oracle tool DBVERIFY to identify and restore from bad blocks.
PATH: BRTOOLSBackup & DBcopyVerification of DB Backup, Verification of
Archive log Backup
The option USE_DBV(DBVERIFY=NO), only tape is verified (If yes Tape
verification + DB Block Consistancy Check)

(Q) If SAP started and I am trying to switch to non-archive mode what


will happen.
(A) It will show an error showing that SAP instance is running. Please showdown
first or use force option.
(Q) If SAP is running and I try to shutdown the DB using BR tools what
will happen.
(A) It through an error saying that SAP is running please shutdown the SAP first
or force option and then continue.
(Q) If table space is full then what are the possibility to extend the
table spaces ?
(A) Option 1: Add another data file to table space
2: Existing data file can be manually resized
3: Properties of existing data file can be changed to auto extendable
(Q) What id the formula to increase the data files size ?
(A) Data file size = Expected DB/100
(Q) How many number of data files will be there by default ?
(A) Default there are 100 data files
(Q) What is the error related with table flow ?
(A) For table ORA1653, ORA1654 for indexes.
(Q) Create server parameter file from init<sid>.ora
(A) Login to oracle user (ora<sid>)

Posted by Kumar SAP at 12/13/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, DATABASE INTERVIEW QUESTIONS AND ANSWERS,
oracle, sap database, SAP DATABASE INTERVIEW QUESTIONS AND ANSWERS, SAP
INTERVIEW QUESTIONS AND ANSWERS, sap oracle, sap questions
SAP DATABASE INTERVIEW QUESTIONS & ANSWERS -1

SAP DATABASE INTERVIEW QUESTIONS &


ANSWERS -1
(Q) what is the size of oracle data block ?

(A) 8 KB (fixed size)


(Q) What are the situations in which DBWO writes dirty blocks to disks ?
(A) If the number of scanned buffers reaches a certain thresh hold.
At a specific time that is when check point occurs.
(Q) What are the conditions in which log writer writes redo log buffer
data to online redo log files ?
(A) There 4 conditions:
When transaction is committed.
For every three seconds.
When redo log is 1/3rd of full.
When DBWR is about to write modified buffers to disk and some of the
corresponding redo records have not at been written to online redo log i.e. write
ahead logging.
(Q)What are the entries in co files ?
(A) Physical structure of database
State of database
Table space information
Names and location of data files and redo log files.
Current log sequence number
(Q) Why do I need SPFILE<SID>.ora even though I have
init<SID>.ora ?
(A) From Oracle 9.i init<SID>.ora is replaced by SPfile<SID>.ora or SPfile.ora.
(Q) If a file is missing from the chain of offline Redo log files, then what
well do ?
(A) We have to perform a restore and recovery of Database. Recovery is
performed using the method Point In Time by which all the Offline Redo log
files older than the last one is used for recovery.
(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
(ii) Manually dropping Database Objects.
(iii) Manually dropping Application Objects.
(Q) Is Point in Time Recovery a standard Solution for logical errors in
production system ?
(A) NO
(Q) Where do we use the Point IN Time Recovery ?
(A) Point in Time is very critical in a system landscape with Data Dependencies
between Systems.
(Q) How do we verify Consistency of Oracle Database ?

(A) By performing by a logical data check.


(Q) Why do we need to perform a logical check ?
(A) In order to verify corrupted Data blocks (Ora 1578)
(Q) Why do we need to perform a physical Data check ?
(A) To verify the tapes used for Database backup.
(Q) How often we perform Online Backup and Offline Backups ?
(A) Online Backup = Daily
Offline Backup = Once in a Week
(Q) How do we perform Backup of Offline Redo log files ?
(A) (i) Backup of every Offline Redo log files is taken TWICE on separate tapes
before the files are deleted from Archive Directory.
(ii) Perform additional Backups after each system upgrade and also if
Database structure is Modified.
(Q) What are the tools used by Oracle Admin in an SAP System for
Backups ?
(A) Database Backups = BRBACKUP
Offline Redo log files = BRARCHIVE
(Q) What are the occasions in which changes to Tile Structure of
Database is made ?
(A) 1) When a Data file is added
2) When a Data file is moved to a Different Location.
3) When a Table Space and its Data files are reorganized.
(Q) What are the various Backup types ?
(A) There are 5 Backup types
1) Online Backup
2) Offline Backup
3) Complete Backup
4) Incremental Backup
5) Partial Backup
(Q) If the Corresponding Full Backup is already overwritten and can I
use Incremental Backup ?
(A) NO, Incremental Backup is useless.
(Q) Can I perform a Backup of Individual data files using Incremental
Backups ?
(A) NO
(Q) What are the various Backup strategies used in SAP ?
(A) There are 3 Backup strategies in SAP

i) Complete Backup:- Restore missing Database files from complete Backup,


Restore Offline Redo Log files writte during and after this Backup.
ii) Incremental Backup:- Restore missing Data files from last Full Backup,
update them with restore from last Incremental Backup.
iii)Partial Backup:- Replace complete backup with partial Backups , we need a
longer time to perform a recovery from media crash.

Posted by Kumar SAP at 12/13/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, DATABASE INTERVIEW QUESTIONS AND ANSWERS,
oracle, sap database, SAP DATABASE INTERVIEW QUESTIONS AND ANSWERS, SAP
INTERVIEW QUESTIONS AND ANSWERS, sap oracle, sap questions
SAP SECURITY INTERVIEW QUESTIONS & ANSWERS -3

SAP SECURITY INTERVIEW QUESTIONS &


ANSWERS
Q) Where do all possible activities are stored?
A) In the table TACT
Q) Where do valid activities for each authorization Objects are stored?
A) In the table TACTZ
Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix SAP_. These roles are used as
templates for creating customized roles.
Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a role to a user. If at all you want to, then first make a copy
of pre-defined role and then add the user to the role.
Q) Is a role without Auth-profile considered as complete or not?
A) No
Q) What are the types of roles?
A) Roles are 2 types 1) Parental Role 2) Derived / Base Role
Q) What is the relationship between parent and derived roles?

A) In Parent role we maintain the list of Transaction Codes whereas in derived


role we assign the parent role name so that an inheritance hierarchy is being
maintained and hence the transactions are automatically pulled into derived
roles.
Q) What are the total numbers of activities?
A) As per 4.7 total number of activities=168
01 99 = Activities
A1 VF = 69
Q) What is the default authorization object which is used to check for
any role?
A) S_TCODE
Note:
1) We cannot edit S_TCODE object in a Role. The only way to add a transaction
code is in parent role.
2) First time while creation of a new role, if any functional related Transactions
are added in a role, and then we have to maintain organization level in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.
Q) Why should we not add organizational values directly in a role
without using org levels button?
A) Value maintenance using directly no longer changes values i.e. whenever we
try to add a new value and generate, an empty field appears i.e. when adjusting
derived roles authorization value is overwritten.
Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to
production. If I delete a role in dev box, the same role has to be deleted in prod
because these roles are finally used by the users in prod box only. Hence the
deleted role needs to be transported.
Go to PFCG select the role to be deleted. Keep the role in a transport by
selecting transport role button.
Q) Unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Log on data and check the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute
Q) Where do the default value in a Role comes from i.e. activities under
auth object?
A) Tables USOBX_C and USOBT_C are the tables, that control the behavior of
profile generator after the trans has been selected.
Q) How do I deactivate authorization object globally?
A) Go to SU25 select step 5 deactivate authorization globally.

Q) What is single sign-on?


1) Single sign-on, through which we create credential. Third party tool Eg: Keon,
later on logon to SAP without entering any credentials.
2) We can even logon through internet using SSO.
3) SSO is represented in form of SNC (Secured Network Connection) string for
the SNC String to be activated we need to configure certain DLL files at OS files.
4) Once we confirm DLL files then we need to go to SAPGUI, select one server,
go to properties network and check the secure network settings and enter the
SNC string.
Q) What are the Steps to Configure CUA?
CUA works with RFCs steps to config CUA.
1) Create logical systems to all the clients (using BD54/SALE)
2) Attach logical system to clients using SCC4
3) Create user CUA_SID in central system with 3 roles and create user
CUA_SID_CLIENT <number>/name in child system with 2 roles.
4) Create RFCS to child systems from central and central to child using SM59
5) Log on to central system using SCUA to config CUA (Central User Admin)
6) Enter the model view and enter all child system RFCs
Q) If all the users are locked mistakenly, how do we connect to SAP
system?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting
to Oracle DB
Select * from <Application Server name>.USR02 where bname=SAP*;
Delete from <Application Server name>.USR02 where bname=SAP*;
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.

Posted by Kumar SAP at 12/13/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: sa basis, sap, SAP INTERVIEW QUESTIONS AND ANSWERS, sap questions,
SAP security, SAP SECURITY INTERVIEW QUESTIONS, SAP SECURITY INTERVIEW
QUESTIONS AND ANSWERS, SECURITY INTERVIEW QUESTIONS AND ANSWERS
SAP BASIS INTERVIEW QUESTIONS & ANSWERS 6

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :Support :Q) What are the steps involved in stopping SAP system?

A) Before stopping SAP system we need to check the status of the following
Check if there are any logged on users. Use Transaction Code SM04
Check if there are any Background process is to define SM36
Check if there are any Background processing is going on. Use TC SM37
Check if there is any Batch input session. Use TC SM35
Check if there are any update processes running. Use TC SM13

Client Copy :Q) Why do we need to perform a test run?


A) Test run determines which tables are to be changed.
Q) What is the amount of storage space a client will occupy?
A) client without application data needs approximately 150-200 MB of storage
space in a DB
Q) Why do we need to do client copy?
A) To create new clients.
Q) Do we need to transport clients between systems (or) what is the
procedure for copying clients between systems?
A) We no longer require to transport clients instead we make a remote client
copy.
Q) Why should we not transport the client data?
A) this is explained with the help of a scenario. In target system, we have set up
clients whose data must not be affected. The cross client data must not be
imported into the system from outside, since the cross client data overwrites
existing data so that customizing data of other clients in the target system no
longer effects.
Q) what default user has all the authorizations?
A) SAP*. This is the reason for locking this user in different environments.

Spool :Q) How to identify how many spool work process are setup in a
particular application server?
A) Trans-Code SM51 and select the application server.
Go to SM50 and count the number of work process with SPO
Q) How many spool processes are configured in out entire SAP system?
A) SM66 and check for SPO work process. In select process by choosing Type =
Spool and Status = Wait
Q) Can we change number of spool work process by operation mode

switching?
A) No. Only background and dialog work process can be modified.
Q) How to identify how many spool servers are available in your SAP
system?
A) SM51 or SM66 and check for application server with at least one spool
workprocess.
Q) How to make setting for an individual SAP user so that an output
request is not created immediately for a spool request?
A) SU3 go to Default tab and ensure that output immediately option is not
checked.
Q) How to find which printer is defined at OS level of your server?
A) Go to start -> Settings -> Printers (Revisit)

Transport :Q) What is a transport group?


A) SAP systems that share a common transport directory tree form a transport
group.
Q) What is transport domain controller?
A) R/3 system with the reference configuration is called as the transaction
domain controller.
Q) What is transport domain?
A) All R/3 systems that are planned to manage centrally using TMS form a
transport domain.
Q) What are the two editor modes in which we can configure the
transport routes?
A)
1. Graphical Editor
2. Hierarchical Editor
Q) What are the various configuration methods available in STMS?
A)
1. Single system configuration
2. Development and Production systems
3. Three systems in a group
Q) What is a standard transport layer?
A) This describes the transport route that the data from the development
systems follows.
Q) What is SAP transport layer?
A) It is a predefined transport layer for DEV classes of SAP standard objects

Q) What are the three approval steps you need to follow as a part of
approval procedure in QAS?
A)
1. To be approved by system administrator
2. To be approved by department
3. To be approved by request owner
Q) What are the various qualifier option or what are the various import
options?
A) There are six import options
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations

Posted by Kumar SAP at 12/13/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, interview, interview questions, netweaver, sap,
sap ag, sap basis, sap interview, sap interview questions, sap netweaver

December 12, 2013


Sap Database Notes -4

Sap Database Notes 4:BR Tools:


1. Login to ORA<SID> using putty
2. Type BRTOOLS
3. There are totally 9 option in BR tools
a. Select Instant management, it is option 1
b. In Database instance management select option 2 to shutdown the database.
c. Type C and click enter to continue
d. In Database instance shutdown main menu select option 1 shutdown DB.
e. Under options for shutting down the DB instance we have to choose option 1,
that is close mode(Default mode is immediate)
f. Select option 1 and enter string value for mode (Immediate|normal|
transcations|abort).
Note: if the users are logged in to the SAP system then I cannot use immediate,
normal, transactional modes, using abort mode will forcefully shutdown and will
result to data loss hence never use this option so to be on the safest side always
shutdown using normal mode.

Alter DB Instance (Switching off archive mode):


1. Shut down SAP -> Stop SAP [SID<adm>]
2. Log on to ORA<SID> user and start BR tools
3. In BR tools -> Select option 1 (Instance Management)
4. Start up database -> Select option 1
5. Alter DB instance -> Option 3
6. Enter c to continue
7. Enter c to continue
8. Select option 4 for set non archive mode
9. Enter c to continue and select option 5 to show instance status
Note: while switching to archive mode and non-archive mode, it will shutdown
the DB instance first and then starts the DB instance. In each of these cases the
time stamp is recorded that is data and time. Once the DB is up and running
always check the status before performing any action.
(Q) If SAP started and I am trying to switch to non-archive mode what will
happen.
(A) It will show an error showing that SAP instance is running. Please showdown
first or use force option.
(Q) If SAP is running and I try to shutdown the DB using BR tools what will
happen.
(A) It through an error saying that SAP is running please shutdown the SAP first
or force option and then continue.
Table space administration:
1. Oracle stores data in table spaces, each table space consists of one or more
data files.
2. Data files are plain files stored on local system
3. Oracle has 4 segment types
a. Data -> This segment contains table data in rows
b. Index -> Each table has one primary index and n number of secondary
indexes (optional). This index is used for faster access to table data and to
enforce unique constrains.
c. Temp Segment -> This segment is used for sorts and to create indexes.
d. Roll back/undo segment -> this segment is used to provide read consistency
that is ability to roll back changed to tables for recovery.
4. To meet the demand of large DB, DB designers creates partition tables and
indexes.
5. An index segment in oracle DB used in SAP holds either all data for take that is
not partitioned or all data for a partition of partitioned table.
Common table spaces:
1. System -> Oracle data dictionary
2. PSAP ROLL -> Roll back segment
Note: From WAS 6.1 version we have SAP undo as roll back segment.

3. PSAP TEMP -> Temporary segment.


(Q) If table space is full then what are the possibility to extend the table spaces ?
(A) Option 1: Add another data file to table space
2: Existing data file can be manually resized
3: Properties of existing data file can be changed to auto extendable
(Q) What id the formula to increase the data files size ?
(A) Data file size = Expected DB/100
(Q) How many number of data files will be there by default ?
(A) Default there are 100 data files
(Q) Expected DB size and Data file size
Expected DB Size
Data File Size
Up to 200Gb
2Gb
200 to 400Gb
4Gb
400 to 800Gb
8Gb
Greater than 800Gb 60Gb
(Q) What is the error related with table flow ?
(A) For table ORA1653, ORA1654 for indexes.
(Q) What will happen if max extents are reached ?
(A) ORA1533 is the error forms extent reached. If max extent is reaching it limits,
then increase next extent. When extents are dripped they are marked as free
and their blocks can be used by new extents, but adjacent blocks are not
combined. The DBA must use COALEXE free extent into one large extent. There
are two options for COALEXE extent.
1. BRCONNECT f check -> COALEXE free extent automatically
2. BRSPACE f check -> COALEXE free extent use locally managed table
spaces.
To solve above problem with extent we must use locally managed table spaces.
Segment Sizes
Next segment Size Max.no.of Extent
Less than 1Mb
Less than 64Mb
16
1 to 64Mb
1Mb
63
64Mb to 1Gb
8Mb
126
Greater than 1Gb
64Mb
Unlimited
Advantage of LMTS (locally managed table spaces) is ORA1533 error eill no
longer occur. The only disadvantage of LMTS is, always it checks for used and
free space.
Increase the Table space:
1. Log on to ORA<SID> and enter into BR tools.
2. Space management (option 2)

3. Extent table space (option 1)


4. Enter c to continue
5. Enter c to continue
It will give Table space extension main menu
Note: First use option 2 to show the table spaces and percentage full and make
a note of a table space which is 80% and above fill and then add a data file as
per the specification using the option 1 that is extent table space.
6. Extend table space (option 1)
7. This will list all table spaces and percentage used
Example Table: PSAPR3700
8. Select the table space that is pos position
9. Enter 2 to select above example table
Note: options for extension of table space
a. Last added file name
b. Last added file size in MB
c. New file to be added
d. Raw disk/link target
e. Size of the new file in MB
f. File auto extend mode = YES
g. Max file size in MB = [10000]
h. File increment size in MB = [20]
i. SQL Command = [alter table space name]
Note: the last added data file name and new file to be added will show the exact
location where the data file is residing that is Oracle/<sid>/sapdata 1 to n/
10. Enter c to continue
11. Enter option 5 to change the size of new file in MB
12. Press c to continue
13. Select NO to continue with the current data file addition.
14. Select YES to add a new data file to the current table or add new data file to
a new table.
Note: this action will update the time stamp in co-file that is, it created a copy of
co-file in the location /oracle/<SID>/SAPREORA|[CNTRL<SID>.old]
Once co-file is created, extending of table space is done, one successfully
completed it switches to next online redo log file for database instance and
finally creates a copy of co-file with new time stamp that is CMTRL<SID>.news
Top 10 Oracle errors:
1. ORA1631 and ORA1632 -> Max extent full
2. ORA1653 -> Table space full
3. ORA1654 -> Index full
4. ORA1113 -> When backup is aborted
5. ORA1144 -> When back is shutdown immediately
6. ORA1578 -> Data block corrupted
7. ORA0255 -> Database struck

8. ORA1555 -> Buffer mode is OFF


9. ORA272 and ORA255 -> Archive struck
10. ORA600 -> Hardware Failure
Note: option 4 and 5 are also called as missing end backup.
Changing Oracle Parameters
Q) Create server parameter file from init<sid>.ora
A) -> Login to oracle user (ora<sid>)

Posted by Kumar SAP at 12/12/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, db01, db02, db12, db13, dbacockpit, oracle, pmon, sap,
sap basis, sap basis class notes, SAP BASIS NOTES, sap database, sap database
notes, sap notes, smon, sys dba
Sap Database Notes -3

Sap Database Notes 3:TAPE MANAGEMENT:(1) Each and every tape used for Backup, i.e. BRBACKUP and BRARCHIVE needs
to be initialized.
(2) During tape Initializing SAP specific label is written on label as First file
(Tape.hdro) containing the tape name.
(3) BRTOOLS-> Backup-> Dbcopy-> Additional Functions-> Init of BRBACKUP
tape Volume or Init of BRARCHIVE tape volumes.
The command to start the initialization is BRBACKUP or BRARCHIVE or I/Initialize.
(Q) What are the contents of tape label after a tape is Initialized ?
(A) (i) Tape Name
(ii) Name of the Database
(iii) Time stamp of last backup recorded on the tape
(iv) Number of Backups performed with the tape
Before writing data to tape if the label is Red to check the following
(i) Tape Name
(ii) Tape Locked or Expired(Expire_period)
(iii) No. of times the tape already been read(Tape_use_count)
If Expiration_period = 0 days, the Volume is not locked at all and can be over

written
If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape
locks?
(A) There are 2 types of locks
(i) Physical lock check: Physical lock check is done by checking tape label
parameter Expir_period. If the number of days passed since the tape was last
used is less than value of parameter Expir_period, then the tape is physically
locked.
(ii) Logical lock check: This value is derived from the time stamp written to
tables SDBAH, SDBAD
(Q) What are the various tape selection processes?
(A) (i) Auto tape selection BRBACKUP and BRARCH
(ii) Manual selection by the Operator
(iii)By external tool
(Q) What is the option to select the tapes automatically by BRBACKUP and
BRARCH?
(A) Set the parameter Volume_Backup and Volume_archive to TAPE
(Q) What is the command to check which tape will be automatically selected?
(A) BR Backup | BRARCHIVE Q | Query { check }
(Q) How do we switch off automatic tape Management?
(A) By setting up the parameter(Volume Backup and Volume Archive) to the
value SCRATCH
(Q) How do I turnoff the tape management performed by SAP tools?
(A) Configure the parameter Backup_dev_type= UTIL_FILE
OR
UTIL_FILE_ONLINE and also configure BACKINT interface in init<SID>.sap
NOTE: BackINT Interface program is only supported for external Backup.
(Q) How do we verify Backups?
(A) Verification of backups is of 2 types
(i) Tape Verification: The files are restored file by file and compared with
original files to verify if the backup is redable.
(ii) DB Block consistency: This checks the Database block by block using
Oracle tool DBVERIFY to identify and restore from bad blocks.
PATH: BRTOOLSBackup & DBcopyVerification of DB Backup, Verification of
Archive log Backup
The option USE_DBV(DBVERIFY=NO), only tape is verified (If yes Tape verification
+ DB Block Consistancy Check)
STATUS OF OFFLINE REDO LOG FILES:

(1) During Backup to tape= ARCHIVE


(2) First Status= SAVED
SECOND STATUS=COPIED
AFTER DELETION = DELETED
During BACKUP TO Disk = DISK
NOTE: All the above status are recorded in ARCH<SID>.log
ANALYZING Database PROBLEMS:
(1) Check Database alert log and trace files belonging to Bgprocess (SAP
Trace/Background)
(i) Check for status of Database = Available or NOT Available
(ii) Check for Error = Media or User error
(iii) Check for corrupted files and file types = Data, Cofile, Online Redo log Files
(iv) Check if Software or Hardware Mirroring = Available or Not
(2) Safest method is to perform a complete Offline Backup before the files are
copied back in restore place using BR Backup or any Backup Tools.
(3) The above step is Very Important for Point In Time Recovery or for Database
rest because these stratagies always involve Data loss.
(4) Save Offline Redo Log Files in ORARCH Directory using BRArchive only.
(5) To check the reliability of Backup strategy , run regularly restoration report in
SAP using DB12
(6) The above report is used to find out which backup to use for recovery as well
as it displays information about last successful Backup.
(7) If the list of RedoLog files after the last Database Backup is too long, then
perform a complete Database Backup.

Will update soon... Check next post...

Posted by Kumar SAP at 12/12/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, db01, db02, db12, db13, dbacockpit, oracle, pmon, sap,
sap basis, sap basis class notes, SAP BASIS NOTES, sap database, sap database
notes, sap notes, smon, sys dba
Sap Database Notes -2

Sap Database Notes 2:BR Tools (Used for entire backup administration)
BR tools is a package name which contain various tools.
These tools are divided into various ways based on their performance.
Note: If you get an error message while calling BR tools then your version might
be older. (Less than 4.7).

These are two modes while calling the various options in BR Tools.
-Main Menu Mode
-Quick Mode
BRConnect: is must, be called in main menu mode.
BRSPACE and BRRECOVER always make a CONNECT/AS SYS DBA, because
their actions require SYSDBA privilege.
Once you connect a SYSDBA, if you do not want to enter a user name,
password, while calling SQL* PLUS call the interactive program using the
command SQLPLUS/NO LOG
SQLSTARPLUS by default connects to the db defined in enhancement oracle
database.
Changing the password for SAP user is done using BR CONNECT
Note: Passwords for DB user SAP SCHEMA ID or SAPR3 should not be changed
using oracle methods.
Database Transaction Codes:
1. DB13: Schedule backups and other administrative jobs.
Note: DB13C : This is used to schedule backups and admin activities centrally
for all SAP systems and database.
2. DB14: To check the status and logs of all database operations.
3. DB16: Overview of database system checks.
4. Db17: View and maintain check conditions for database system check.
5. DB20: Maintain Statistics.
6. DB21: Configuration of Statistics
7. DB26: Database parameter overview with history.
8. DB02: Table and index monitor
9. ST04: Database performance monitor
10. RZ20 DB Alert Monitor (Optional)
11. DB13 is used as an interface to schedule back ground jobs starting with
DBA*. These background jobs look into table SDBAC
12. SPfile.ora is server side initialization parameter file (oracle database server)
Do not make parameter changes on oracle level, because if only changes
parameter values in SPfile, hence always use BR* tools, because it monitors
consistency by copying the contents in both files.
The transaction code DB02 and ST04 still use init<SID>.ora
SAP installation tool do not create SPfile. SPfile is created using SQL*plus
CREATE SPFILE.
SPfile is stored in oracle_home directory same as init<SID>_ora.
RZ20: Database alert monitor.
Start and Stop Commands
BRSPACE_C FORCE_F dbstand_S <State>
BRSPACE_C FORCE_F dbstand_S <State>
Starting of Database
1. No mount = reads parameter files, database instance started and allocated

memory buffers.
2. Mount face: opens cofiles.
3. Open: opens all data files and online redo log files.
Mount face is used for database recovery, for changing archive log mode, for
removing and moving data file and also for adding, dropping, renaming online
redo log files.
Do not use BRCONNECT to start and shutdown database, instead use
BRSPACE because it tried logfile actions.
No mount space is used for creation of database and for recreation of lost
cofiles.
Stopping of Database
1. Normal: Oracle waits till all users are disconnected from the database. All files
are closed and database is dis mounted and instance is shutdown.
2. Transactional: Oracle waits till all open transactional to finish and then it
disconnects users and shutdown database.
3. Immedaite: No new connections and transaction are allowed. PMON ends all
user sessions and performance roll back of any open transactions then only
shutdown database.
4. Abort: no new connection and transactional allowed. No roll back of open
transactions. Users are disconnected and oracle processes are stopped.
Note: With all the above first three methods, database is shutdown in a
consistent state and does not need recovery at next restart.
Default mode for oracle shutdown is normal
Oracle commands shutdown immediate and shutdown abort stage oracle
instance even if work process still has connections of database.
Oracle info messages, warnings and errors are logged in oracle dump files i.e.
background, user trace which is located in SAPDATA_NAME directory.
Background directory store alert log file. Alert_<SID>.log. Whereas user
directory store trace files written on behalf of shadow process.
(Q) Why do I need SPFILE<SID>.ora even though I have init<SID>.ora ?
(A) From Oracle 9.i init<SID>.ora is replaced by SPfile<SID>.ora or SPfile.ora.
(Q) If a file is missing from the chain of offline Redo log files, then what well do ?
(A) We have to perform a restore and recovery of Database. Recovery is
performed using the method Point In Time by which all the Offline Redo log
files older than the last one is used for recovery.
(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
(ii) Manually dropping Database Objects.
(iii) Manually dropping Application Objects.
(Q) Is Point in Time Recovery a standard Solution for logical errors in production
system ?
(A) NO

(Q) Where do we use the Point IN Time Recovery ?


(A) Point in Time is very critical in a system landscape with Data Dependencies
between Systems.
(Q) How do we verify Consistency of Oracle Database ?
(A) By performing by a logical data check.
(Q) Why do we need to perform a logical check ?
(A) In order to verify corrupted Data blocks (Ora 1578)
(Q) Why do we need to perform a physical Data check ?
(A) To verify the tapes used for Database backup.
(Q) How often we perform Online Backup and Offline Backups ?
(A) Online Backup = Daily
Offline Backup = Once in a Week
(Q) How do we perform Backup of Offline Redo log files ?
(A) (i) Backup of every Offline Redo log files is taken TWICE on separate tapes
before the files are deleted from Archive Directory.
(ii) Perform additional Backups after each system upgrade and also if Database
structure is Modified.
(Q) What are the tools used by Oracle Admin in an SAP System for Backups ?
(A) Database Backups = BRBACKUP
Offline Redo log files = BRARCHIVE
(Q) What are the occasions in which changes to Tile Structure of Database is
made ?
(A) 1) When a Data file is added
2) When a Data file is moved to a Different Location.
3) When a Table Space and its Data files are reorganized.
(Q) What are the various Backup types?
(A) There are 5 Backup types
1) Online Backup
2) Offline Backup
3) Complete Backup
4) Incremental Backup
5) Partial Backup
Complete Backup:
All the Data in the Database is backed up. Complete Backup is again divided into
2 Types
1) Full Backup:- After data backup an additional information , i.e. Catalog is
Written into Cofile by Recovery Manager.

2) Whole Backup:- It creates a Backup of all the data without the Catalog.
Incremental Backup:
i) This Backup Is used for taking needed Data blocks that have changed since the
time of Full Backup.
ii) During Incremental Backup the amount of data to be backed up to get shorten
and not for The Backup time.
iii) During Incremental Backup is only based on previous Full Backup.
(Q) If the Corresponding Full Backup is already overwritten and can I use
Incremental Backup ?
(A) NO, Incremental Backup is useless.
(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO
Partial Backup:
The backup of Database in smaller parts is called as Partial Backup.
NOTE:- Sum of individual partial Backups form an Entire Complete Backup.
NOTE:- Recovery Backup using partial Backup data is very much time
consuming, because it needs all oldest Backup Offline and Online recovery
Processes.
(Q) What are the various Backup strategies used in SAP ?
(A) There are 3 Backup strategies in SAP
i) Complete Backup:- Restore missing Database files from complete Backup,
Restore Offline Redo Log files writte during and after this Backup.
ii) Incremental Backup:- Restore missing Data files from last Full Backup,
update them with restore from last Incremental Backup.
iii)Partial Backup:- Replace complete backup with partial Backups , we need a
longer time to perform a recovery from media crash.
TOOLS:
(1) BRBACKUP: Backup of Oracle Data files , Cofiles, Db Redolog files, Oracle
Software Directories and SAP System directories.
(2) BRARCHIVE: Backup of Redo log files.
(3) BRRESTORE: Restore all Db files and Offline Redo log files
(4) BRRECOVER: Checks for Database for missing files , it calls BRRESTORE for
restoration of missing Data and Offline redo log files.
NOTE:
(1) Both BRBACKUP and BRARCHIVE records their actions in log files, BRRESTORE
uses above logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE supports Backup to Tapes, Disks as well as
Backups with Third party Tools.
Important Parameters for Configuration of BRBACKUP and
BRARCHIVE(Init<SID>.SAP)

(A) Backup_mode = All(Whole)


Full(full backup)
Incremental Backup
Partial(Table space name, Dir path, File id.s)
(B) Backup_type = Online and Offline Backup
(C) Backup_dev_type = Tape or Disk or External Interface
(D) Util_file = BACKINT(External Backup program through Interface BACKINT)
(E) TAPE_COPY_CMD = CPIO or DD or RMAN(Copying files from Disk to Tapes)
NOTE:
DD = Raw devices are copied with this option
CPIO = Directories are copied with this option
The Profiles init<SID>.ora and init<SID..sap and Summary and detail logs are
copied with this CPIO.
(F) DISK_COPY_CMD = cp, copy (Copying files to disks)
Cp is used in UNIX
Copy is used in WINDOWS
(G) Expire_period = (1)We have to specify the expiry period of a tape
(2)Tape_use_count = Max number of times, volumes can be written to
tapes.
(H) Volume_Backup: Names of volumes used for backups(BRBACKUP)
Volume_Archive: Names of volume used for backups of Offline redo log
files(BRARCHIVE)
(I)Tape_Address = Identifies device address of tapes.
(J) DD_Flags and DD_IN_FLAGS= Specify block ( Size of at least 64kb)
Integration of Oracle Recovery Manager (RMAN) into SAP Tools:
(1) RMAN is Default Oracle Backup and Restore Program
(2) RMAN executables run in Client process and connection to Database
(3) Backup with RMAN is done in 2 ways
(i) RMAN classifies complete backup level 0 Backup
(ii) Level 0 serves as basis for Level 1 (Incremental)
(4) Backups performed without RMAN call CPIO or DD to save Database files to
tape
NOTE: RMAN always writes the information in a separate file recovery catalog
(Q) Can RMAN recover the Database automatically without Recovery catalog ?
(A) NO
(5) RMAN performs Backups directly to Disks and not to Tapes
(6) RMAN uses Oracle shadow process to check for data block corruptions and
filters those blocks and then writes used blocks to backup media.
(7) The Parameter to set the controls of copying data to Backup media to RMAN
is TAPE_COPY_CMD or DISK_COPY_CMD= RMAN_DISK (RMAN Value)
(8) Advantages of using RMAN:
I) All blocks are checked for block corruption to ensure the consistency state.
II) Only used blocks are copied to Backup media
III) Empty blocks used before are always backed up

(Q) Is whole Backup can be consider as level 0 Backup ?


(A) Whole backup is not level 0 Backup and cant be used as basis for
Incremental Backup.
(9) RMAN writes Header, tailer and blocks of atleast one Database or one raw
disk file to a file called SAVESETS
(10) Using SAVESETS speeds up Backup Process.
PREPARATORY RUN:
Preparatory run is used to determine the optimal SAVESET distribution of data
files we want to backup.
(Q) Why do we need to perform a preparatory run ?
(A) If Backup with RMAN is supposed to form sets then we need to run
Preparatory run.
Preparatory run can be run from DB13 prepare for RMAN Backup.
No Backup is created during preparation run, only estimates Compression rate
of BRTOOLS to compress the files and to determine compressed and
decompressed file sizes.
It is recommended to perform preparatory run per one Backup cycle.

Will update soon... Check next post...


Posted by Kumar SAP at 12/12/2013
Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, db01, db02, db12, db13, dbacockpit, oracle, pmon, sap,
sap basis, sap basis class notes, SAP BASIS NOTES, sap database, sap database
notes, sap notes, smon, sys dba
Sap Database Notes -1

Sap Database Notes 1:Database :Oracle database: is a collection of data stored in one or more data files on disks.
Oracle manages database data in logical units called table spaces.

Table space: One or more data files.


Instance: Set of oracle background process and memory buffers form an
instance.
Q) What happen when oracle instance is stored ?
Shared global are allocated (SAG is allocated)
Oracle background processes are started.
* In unix we can identify oracle process as individual system process
* In windows these processes run as threads with one common oracle OS process
i.e. Oracle.exe.
* When an oracle instance starts a special process called listener, process opens
and establish communication between net weaver and oracle.
* Listener process is not part of oracle instance; it is rather part of network
process that works with oracle.
* In SAP dedicated server configuration is used. i.e. for each work process we
have dedicated server processor called as shadow processes.
* The ratio of work process to shadow process is 1:1
* To handle database request for SAP uses a work process communicate with its
core shadow process.
* Database data is permanently stored in datafiles or disks.
* To accelerate read and write access data it is cached in database buffer cache
in SGA
* Shared pool divided into executable SQL statements which are stored in shared
SQL area of the shadow pool.
* Oracle data dictionary is stored in row cache of shared pool.
* Data processing never takes place directly on disk, it is first copied by
associated shadow process from disk to the database buffer cache in SGA.
* Oracle keeps most recently used data blocks in the database buffer cache.
* Sometimes oracle writes the least recently used data blocks in buffer cache.
* Modified data blocks are call as Dirty blocks.

* Shadow process never copies modified data into disk.


* Coping data into disk is done by a special background process called as DBWO
(DW writer).
Q) What are the situations in which DBWO writes dirty blocks to disks ?
if the number of scanned buffers reaches a certain thresh hold.
At a specific time that is when check point occurs.
* Scanning of the buffers is done by shadow process.
* Changes are done in two ways:
Roll forward changes.
Roll backward changes.
* Redo events are stored in redo.log files and performs roll forward recovery.
* Undo entries stored in undo table space performs rollback.
* Redo changes = committed changes = new value = after images.
* Undo changes = un committed changes = old value = before image.
* Oracle shadow process records redo changes and stores in redo log buffer of
SGA temporarily.
* Oracle background process log writer LGWR writes data in redo log buffer to
online redo log files which are stored physically on disk.
* Redo log buffers is also called as circular buffer.
* Circular buffers records all committed and un-committed changes made to the
database.
Q: What are the conditions in which log writer writes redo log buffer data to
online redo log files ?
Ans: There 4 conditions:
When transaction is committed.
For every three seconds.
When redo log is 1/3rd of full.
When DBWR is about to write modified buffers to disk and some of the
corresponding redo records have not at been written to online redo log i.e. write
ahead logging.
* Each committed transaction will have a system change number (SCN) stored in
redo log file.
* Size of Oracle redo log file is 40MB (fixed number). These are four predefined
collections of online redo log files.
* At every log switch oracle will increase the log sequence number.
* Current online redo log file, LGWR is writing into is call active online redo logo
file.
Control files
This file is used to start and operate database.
Q) What are the entries in co files ?.
Physical structure of database
State of database
Table space information

Names and location of data files and redo log files.


Current log sequence number
* if physical structure of database is occurred then co.files get updated
automatically.
* SAP stores co.files in three locations during installation of SAP. It is
recommended to store the files in three physically separated hard disk.
* If database = open then co.file available for writing.
* Normally caches are small and dont grow.
* RMAN for backups, cofiles may grow by factor 10, because they contain
information about RMAN backup.
Check point Functions:
* Checkpoint wakes up the database writer to copy all buffers that are dirty to
the disk.
* It also updates header of all data files to record details of the check point.
* If writers information about the check point position in online redo log files into
the cofile. This information is used during database recovery.
* Less frequently the checkpoint occurs the longer is the time the instance need
for recovery.
* Checkpoints occurs at log switch.
Database Recovery:
* Online redo log files used for database recovery (instance recovery). After
restart, the system performs automatic recovery.
* If online redo log files are lost during a crash, a complete recovery is not
possible. Hence online redo log files must be mirrored i.e. two or more copies
needs to be maintained.
* Oracle it self mirrors online redo log files by default.
* Online redo log fines are limited in size, and cannot grow automatically.
* Automatic instance recovery of online redo log files is possible.
* To manually restore and recover data files which are missing, we need both a
database backup and all redo log information written after the backup.
* Archiving must be exclusively activated by tuning on archived log mode i.e.
LOG_ARCHIVE_START is true.
* Archiving is take care by an oracle background process called as ARCO
(archive)
* Oracle cannot mirror offline redo log files, hence we must use RAID.
* Offline redo log files and data files should be on different disk.
SMON (System Monitor)
* SMON performs recovery at instance startup
* It writers alert log information if any instance process fails.
* If cleans up temporary segments that are no longer in use.
PMON (Process Monitoring)
* This monitors shadow process.
* PMON roll backs, its uncommitted data, stops shadow process and frees

resources incase of a client process crash.


Oracle Directory Structure in SAP
In Unix all directories are present under one single tree, where as in windows all
directories are present under separate drive letters. They have 3 files inside the
directories
/database (Windows) init<SID>.ora
/database (Unix)
init<SID>.sap
Spfile<SID>.ora (only from oracle 9i)
Online redo log file = original log and mirror log.
Define redo log files: original arch, SAP arch.
Note: All previous versions till oracle 8i has saparch directory.
SAP trace = Alert <SID> log = SAP trace/background/user trace
Data files = SAP data1
...
...
...
SAP data <n>
There are 3 environment variables on database server
1. Oracle_SID = system ID for DB instance
2. Oracle_HOME = the directory for BR* tools.
3. SAP DATA_HOME = the data file directory.
The home directory for oracle is ORACLE_HOME
The location for cofiles and offline redo logs is configured in the oracle profile
init<SID>.ora.
The location for data files and online redolog files is stored in database.
The oracle tool to ping is TNSPING
Oracle System Privileges
SYS DBA and SYSOPR are oracle system privileges.
Control at this privileges is outside the database.
The privileges allow accesses to database instance even when database is not
open.
Operating System Users and Groups (Start->programs->Admin tools->
Configure Management -> users, groups)
Users:
<SAP SID> Admin and ORAdb<SID> are the two users which are created in unix
system,
where as <SAPSID> admin, <SAP service.SAP<SID> created in windows system.
Groups:
1. ora_dba = Member of this groups can connect to oracle database as dba
without a password.
2. ora_<SID>_dba = admin group

3. ora_<SID>_OPER = db operate group


Extra Groups:
SAP_<SID>_Global Admin = SAP Global Admin Group.
SAP_<SID>_Local Admin = SAP Local Admin Group
SAP_Local Admin = SAP local Admin Group
Operating System group DBA will have administrative privileges, where as OS
group OPER will have restricted privileges.
Note: Always assign database rates to users.
Data base rolls have privileges.
Rolls:
DBA, SAPDBA are the two rolls.
DBA rolls is created by oracle
SAP DBA rolls is created by SAP.
The Roll DBA has all admin privileges except the SYS DBA and SYS OPER
system privileges
Note: The privileges SAPDAB provides accesses for administrating certain
tables.
SYSOPER has all SYSDBA privileges except create DB and without ability to look
at user data.
Database Users:
1. SYS and SYSTEM are created by oracle.
2. SAP <SID> are SAP <SCHEMA_id> is created by SAP.
3. Default user used by SAP to connect to database is system.
4. During installation oracle database, you will be promoted to enter the
password for the user SYS, System, and SAP <SCHEMA_ID>
Note: OPS$ is an user which is created by SAP and doesnot need a password.
SAP workprocess at OS level connect oracle with the user name
SAP<SCHEMA_ID>.
The password for this user is stored in oracle system table SAPUSER
Workprocess first connect to OPS$ user and get the password for SAP
SCHEMA_ID from the table SAP USER.
Never change the password for SAP SCHEMA_ID, always use BR* tools, ie.
BRCONNECT to change the password.
OS files stored in ORACLE_HOME directory.
Listener_ora = contains all oracle system ID and protocol address.
TNSNAME.ORA = Contains all the list of server names for all the databases
that can be accessed in the network.
SQL NET.ORA = Contains client side information.
Oracle has one listener i.e. LSNRCTL
Options:
OS level : lnsnrctl_help
OS level : lnsnrctl_status = oracle.
Location of parameters and listener log files.

Note: Listener_Ora = Listener tracing files.


Options:
1. Off = Offered
2. User = Limited Trace
3. Admin = Detail Trace

Will update soon... Check next post...

Posted by Kumar SAP at 12/12/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, database, db01, db02, db12, db13, dbacockpit, oracle, pmon, sap,
sap basis, sap basis class notes, SAP BASIS NOTES, sap database, sap database
notes, sap notes, smon, sys dba

December 11, 2013


SAP BASIS NOTES -15

Security (Part-4) :Single Sign-On (SSO)


SAP GUI
3rd Party Tool (Keon)
HR Secure
UID
HR Unsecure
PIN
FI Secure
PWD
FI Unsecure
SU01 (SNC) -> tab
What is single sign-on ?
1) Single sign-on, through which we create credential. Third party tool Eg: Keon,
later on logon to SAP without entering any credentials.
2) We can even logon through internet using SSO.
3) SSO is represented in form of SNC (Secured Network Connection) string for
the SNC String to be activated we need to configure certain DLL files at OS files.
4) Once we confirm DLL files then we need to go to SAPGUI, select one server,
go to properties network and check the secure network settings and enter the
SNC string.
We need to go to SU01 and check allow access for the string.

Steps to configure SSO


1) Go to OS services, select service NTLM security provider, change the start up
type of the service from manual to automatic NT LM support provides.
2) Copy the GSSNTLM.DDL file to the dir on our central instance, i.e.
/usr/SAP/SID/SYS/exe/run
3) Set the environment variable snc_lib to the location of the library.
4) Edit the central instance profile and set the toll parameters
/SNC/Data_protection/max = 1
/SNC/Data_protection/min = 1
/SNC/Data_protection/use = 1
/SNC/enable = 1
/SNC/GSSapp_lib=C:\usr\SAP\SID\SYS\EXE\run\GSSNTLM
/SNC/Identity/as = P:/SID/sap service <SID>
/SNC/Accept_Insecure_CPIC=1
/SNC/Accept_Insecure_GUI=1
/SNC/Accept_Insecure_RFC=1
/SNC/Permit_Insecure_start=1
/SNC/Permit_Insecure_comm=1
Preparing SAP GUI for single Sign on
In SAP logon window choose edit -> advance/network Advance secure network
communication
P:\<Domain Name>\sap service <SID>
Mapping sap system users to windows users for single sign-on
Go to SU01, choose SNC user uppercase to enter the name of windows user i.e.
to assign to sap system user
P:\<Domain Name>\<User Name> and select insecure communication permitted
and save our entries.

Central User Administration


Administering users centrally from one central system
CUA works with RFCs.
Steps to Configure CUA
CUA works with RFCs steps to config CUA.
1) Create logical systems to all the clients (using BD54/SALE)
2) Attach logical system to clients using SCC4
3) Create user CUA_SID in central system with 3 roles and create user
CUA_SID_CLIENT <number>/name in child system with 2 roles.
4) Create RFCS to child systems from central and central to child using SM59
5) Log on to central system using SCUA to config CUA (Central User Admin)
6) Enter the model view and enter all child system RFCs
Note: RFC naming convention must be same as central sys naming convention

of logical system.
7) Save the entries
8) Once we expand test for individual systems we normally see the message for
each system. ALE distribution was saved, central user admin activated and then
comparison was started and should be in green.
Note: If any problem messages refer to sap note 333441 in market place.
9) User transaction SCUG in central system to perform the synchronization
activities between the central and child system.
10) Use transaction SUCOMP to administer company address data.

Q) If all the users are locked mistakenly, how do we connect to SAP system ?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting to
Oracle DB
Select * from <Application Server name>.USR02 where bname=SAP*;
Delete from <Application Server name>.USR02 where bname=SAP*;
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.
Note:
USR02 is a table in which all user master records are stored.
Killing SAP* will automatically recreate a user master record in USR02 table.
Portal Security
All security related activities like Creation of User accounts and Creation of roles
which are normally performed using SU01 and PFCG can be done using portal.
In Portal administration there are two ways of maintaining users and roles
information.
1) Accessing portal using an URL
2) Accessing portal using Active Directory Service
Note:
1) Any portal URL, the ports will be in the 50000 series.
2) For portal we need J2EE engine to be installed and no need of ABAP engine to
run.
3) All roles are configured in active directory service which are related with only
portal i.e. users need to enter travel expenses and file their timesheets using
portal, then separate roles are provided which are related with portal. These
roles provide access to users to display the screens as well as store the
information in DB.
4) Some portal screens will be integrated with SAP system i.e. PROS. Instead of
logging into SAP system we use the portal screens from which the user provide
the inputs and gets automatically saved in SAP DB.
Problems in Portal
Problem 1) Global page missing

Solution:
Check in Active Directory whether the user is been correctly added under the
role which is considered as global
Note:
In active directory services we have 2 types of roles
1) Global roles -> Provide access for an user to login to portal i.e. for the initial
screen to appear. They are classified based on region the user belongs to. For
example: Africa, Europe etc.
2) Local Roles -> Provide access for certain T Codes or activities which the user
needs to perform. Eg: Time sheet filling, travel expenses. Local roles are
categorized based on the location the user is situated. Eg: Country Wise IN, USA,
AF
3) Every user who access portal must have one global role and n of local roles.
Problem 2) User reports Not able to access ESS
Solution:
Check the global role
Check the exact local role, assigned to a user
Problem 3) User reports He us able to access other global screens instead of
his own screen
Solution:
Find which global screens user is able to access.
Go to AD service and then to particular global role.
Edit the role and check if the user ID is been added to that particular role.
If it is added then remove the user ID and add the user ID to the correct global
role and inform the user to restart his system in order to access new changes.
Note:
1) Assigning users using AD service is considered as a direct assignment where
as assigning users using portal is considered as indirect assignment. This is
similar to assigning users in SAP using PFCG (Direct assignment) and SU01
(Indirect Assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages
are embedded in the software. Non-unicode is language specific.
3) The upgrade of SAP system from non-unicode to Unicode is possible whereas
the other way is not. To achieve the transition from non-unicode to Unicode we
need to have Non-Unicode export kernel CD and Unicode import kernel CD.
4) SU3 is the transaction code for maintaining user own data.
5) SCAT, T-code is used for running CATT scripts.
6) ACTVT field indicates the type of activity i.e. creates, change, generate and
delete.
7) In PFCG transaction code, a profile indicates a unique identifier generated by
system to identify a role.
8) Notation for parent role is Z> and for Child / Derived Role it is Z:
9) Any role starting with SAP_ or SAP defined roles, they should not be generated
instead they are used as Templates, hence if we want to use any SAP role first
copy a role to a customized role and generate it.
10) SAP_ roles are used mainly during implementation.

11) All roles are of type Basic maintenance only whereas HR related roles and
work flow related roles are of type complete view. By default the roles are of type
basic maintenance.
12) Before we delete a role, it has to be added to a transport because these
actions are performed in DEV system.
13) Profile names come by default if it has to be changed then it has to start with
Z.
14) Color indications in authorizations
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.
Role Distribution
Distribution of a role can be done using
-> Go to transaction code PFCG -> Menu tab -> Distribute button
-> Enter the target system i.e. an RFC connection needs to be created between
source and target system.
-> This procedure is distributing the roles between source and target using RFC
connections
-> If a role is being distributed to a target system only the structure is being
copied and not authorizations. Hence we need to maintain the authorization for a
role in the target system.

Posted by Kumar SAP at 12/11/2013


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, sap, sap basis, sap basis class notes, SAP BASIS NOTES, SAP BASIS
NOTES -15, sap notes, sap stms, stms
SAP BASIS NOTES -14

Security (Part-3) :As part of our daily activities we might receive the tasks as follows
1) Changes in form of tickets. (Various 3rd party tools are available)
2) Changes in form of CR
Each ticket has its own priority i.e. SLA. Based on the priority there will be
response time and resolution time for each request.
SLA(Service Level Aggrement)

Priority
1
2
3
4

Type
Very Critical
High
Medium
Low

Response Time
10 min
30 min
60 min
4 hrs

Resolution Time
30 min
1 day
4 days
----

Note:
Response time is time in which we acknowledge the user request, i.e. once a
ticket comes into our queue the first major priority is to accept the ticket on our
name, once this is done we have to send an acknowledgement to the user
informing that someone is working on this issue via email, chatting tool or phone.
Resolution Time: This is the time in which we have to solve the issue.
Note: By default the status of any ticket is in Open status
Stages of ticket:
1) Open
2) Working / In-progress + Assigned to our Name + Inform the user + Copy
the comments in the tool under notes column.
3) Closed + Issue Resolved + Inform the user + communicate + Copy the
comments in the tool under notes column.
4) Waiting + Needed some inputs from the user to solve the issue + inform the
user + Copy the comments in the tool under notes column.
5) Hold + Waiting due to user unavailability i.e. user has gone for vacation +
Copy the auto response regarding user unavailability and paste the notes
6) Cancelled: If there are duplications or same request being raised then we can
cancel one of the requests by mentioning the previous request no under the
notes column. (Or) If the user wishes to cancel his /her request then copy the
confirmation under the notes and select cancel button.
Types of CR ( Change Requests)
Work bench / Customizing
1) New functionality CR: This CR carries new functionality changes which are
done for the first time i.e. creation of totally new roles.
2) Operational CR: This CR carries the changes which are done on a day to day
basis i.e. modification of roles and deletion of roles.
3) Defect CR: This comes in form of ticketing request i.e. based on the ticketing
request raised by the user using the ticketing tool we decide whether we need to
create a defect CR.
Eg: Some access is already there for a user, but it was lost due to some reason
and we investigate and find out that these changes have to be there for users. In
this scenario we raise a defect CR.

To rectify a defect CR
CR forms are created based on the quarterly release i.e. we have 4 quarterly
releases in a year. During this release different people i.e. technical + functional
consultants + security administrators get involve and analyze various roles
based on the inputs provided by the auditors
This is where SOX policies come into play. In order to indentify the various
defects and conflicts in roles and between transactions we use various SOD
(Segregation of duty) tools like VIRSA, BIZRights. The process of identifying the
defects or conflicts among the existing transactions and rectifying them as
mitigation.
Ex: MM01 x MM02
1) Create X Change
2) Change X Delete
3) Create X Delete
Note: Default access is Display
HR Security Activities
There are two types of HR security Activity
1) Delegation of Authority
2) Structural Authorizations
Delegation of Authority:- Is a process by which a delegate delegates/assigns
his/her access to a delegator for certain period of time i.e. during this period all
the POS (Purchase Orders) or any items coming into owners inbox will go to the
delegators inbox.
Note: The delegator can delegate the access only to a person to a same
hierarchy or higher hierarchy.
The only issues which we get here is the problem with workflow. i.e.
Items not appearing in the inbox
An item appearing in inbox even after the period is expired
Dont have access to approve the POS appearing in the inbox.
The first two problems are rectified by workflow administrator. The last issue is
related with the approve access. Before we provide the approval access we have
to identify that particular person having an access or not.
If hes having an access then keep on email notifying him that as per the security
policy any user can have either create/approve access and not both.
Steps related with delegation of Authority
1) Log into HR box, go to PA20, i.e. display HR master data
Enter the personal details
Select the organization assignment and period today
Output will be position number or personal number
Copy Position No, Go to PO13 (Maintain Position)

Paste under position number


Under Infotype (Select Name and Relationships)
Under Time period select All and Press Overview button
Select the Row where the object type=P and End date = 31-12-9999 and Press
Copy button
Under related object change the type of related Object from person to user
Under ID of related Object, enter the delegates
User ID and Press Enter
Make changes in dates
Valid From to Valid To
Select Save Button
Structural Authorization: Is a concept under HR security using which we
assign roles to user based on this organization object.
Structure of organization management:
1) Organization Unit
2) Position
3) Job
4) Task = Description of an activity i.e. performed within organization units. Here
we assign any roles to positions and not to user.
The users are called as Holders; holders are assigned to position and not to jobs
Whenever we create an organization unit structure we have to create first the
root, i.e. organization unit and then only create additional lower level
organization units.
Steps Related with Assignment of HR Roles i.e. Structural Assign
1) Go to PFCG select over all under view.
2) Select inheritance hierarchy.
Go to PFCG, enter New Role Name, in maintenance
Go to -> settings -> Complete View (Org management and Workflow)
Create role
Authorization
Go to User Tab -> Select org.mgt. Button
Choose create assignment button
Select the job [Object Type]
After completion select user comparison.
Special PFCG Roles:
1) Customizing roles: We can assign projects/views of the implementation guide
(IM) to this role.
2) Composition Roles
Steps:Go to PFCG -> Menu -> Go to Utilities, select Cust_Authorization -> Select Add

Tab -> Img Project / Img Project view


Select the customized object based on our requirement Continue.
If a project/Project view has been assigned to view, we are no longer possible
manually assign transaction to roles
This means that the role can only be used for generating and assigning
customized authorizations.
Note:Any role to which transactions have been manually assigned. These roles are
used only during implementation period, we should maintain end date for the
role. When it is assigned to the user, once implementation is completed normally
we delete this.
Installation and Upgrade
The basic profile parameter Auth_no_check_in_some_cases=Y has to be set if we
want to user profile generator (PFCG).
Q) Where do the default value in a Role comes from i.e. activities under auth
object?
A) Tables USOBX_C and USOBT_C are the tables, that control the behavior of
profile generator after the trans has been selected.
SAP delivers tables USOBX_C and USOBT_C. These tables are filled with default
values and used for Initial fill of custom tables.
After the initial we can modify the custom tables.
Table USOBX_C table defines which auth are to be performed in a transaction and
which should not be.
Table USOBT_C defines for each transaction and each authorization object, which
default values and authorization created from the auth. Object should have in
the profile generator.
During implementation we use transaction SU25 for security related settings
besides this we also use SU24.
Note: Any workbench changes in security are done in SU24. Modifying values in
SU24. Go to SU24, enter the transaction code and select execute.
Select the particular authorization object, which we want to modify.
Select the object and click on change button.
Go to proposal column and select YES.
Select the object again and change field values.
Note:Under check indicator column if no check is there, then select the auth object
and check indicator.
After changes in particular field select save. It will automatically prompt us to

place a request under a transport.


Go to own request select the transport of type work bench.
Note:- If the transaction request number is created by another team member
then go to Other requests button and enter the user ID
Output = All the requests created using the user id will be displayed.
Select the Workbench request based.
Select the button change owner and go to SC01 to release the request.
SU25:- Profile generator for upgrade and first installation.
This transaction code is used only during implementation and during an upgrade.
The main purpose of this transaction code is to move the default changes which
are maintained in the current version to new version.
Versions are 2 types
1) Version in which no PFCG tool
2) Version in which PFCG tool. (4.6 B)
Upgrade Scenario 1: Release without PFCG tool:
Always use step 6 in SU25 to convert manually created profiles and
authorizations into roles
Scenario 2: Versions with PFCG
1) Execute the profile generator with comparison with SAP values i.e. comparing
by tables USOBX_C, USOBT_C tables.
2) Add affected transactions
3) Update the existing roles with new authorization values
4) Display all values for where changed transaction codes
Note: Do not execute step 1 (Initially customer table)
Step 3: Once the above steps are done transport these changes using step 3.
Q) How do I deactivate authorization object globally?
A) Go to SU25 select step 5 deactivate authorization globally.

Will update soon... Check next post...


Posted by Kumar SAP at 12/11/2013
Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, sap, sap basis, sap basis class notes, SAP BASIS NOTES, SAP BASIS
NOTES -14, sap notes, sap stms, stms

December 5, 2013
SAP BASIS NOTES -13

Security (Part-2) :STEPS to CREATE a ROLE (PFCG)


Creation of parental Role: Any customized role should start with Z or Y.
Enter the role name and select role name button.
Enter a valid description.
Go to Menu tab to add the transactions
Click on Save
Select add transaction
Note: Default transaction to be added for every user of SAP SU53
Assign Transaction and Save the Role
Creation of Child / Derived Role:
Select the derived role name and
Under Transaction Inheritance in Derive from Role and Click on Yes
Note:
1) In derive role we cant make any changes under menu tab. Eg: Adding
transaction, report, Deletion
2) Relationship between Parent and Derived role is 1:n
3) First time creation of role, always go to export mode.
Go to Authorization tab to generate the derived role.
List of Tabs:Manually: Adding authorization objects manually to a role.
Open: To view all open fields, i.e. the fields in which the values are not
maintained (Represented by color yellow)
Changed: To view the changed authorization objects.
Maintained: It will show the fields of the authorization objects for which the
missing values are maintained.
Organization Levels: This field is used to maintain organizational hierarchy
like Plant, warehouse, comp code and call center.
Note:
1) Always maintain a value in the open field
2) If any standard value is changed, then automatically the status is changed
from standard to changed.
3) By default all the auth objects the type will be standard.
4) Always maintain the organization values using organizational levels button
only.

Hierarchy in a Role:Role Name: Blue


Class = Orange
Auth Object = Green
Authorization = Yellow
Fields = White
Q) What is the default authorization object which is used to check for any role ?
A) S_TCODE
Note:
1) We cannot edit S_TCODE object in a Role. The only way to add a transaction
code is in parent role.
2) First time while creation of a new role, if any functional related Transactions
are added in a role, and then we have to maintain organization level in a popup.
3) Red color indicates missing organizational values
4) Yellow indicates missing field values and not organizational values.
Note:
All roles will be created in development system. Any modifications will be done in
Dev system only. The developed changes are then transported to quality and get
tested and approved in Quality and then only moved to production.
Q) Why should we not add organizational values directly in a role without using
org levels button?
A) Value maintenance using directly no longer changes values i.e. whenever we
try to add a new value and generate, an empty field appears i.e. when adjusting
derived roles authorization value is overwritten.
Rules to be followed in editing the standard Objects:
1) Copy the standard object
2) Inactivate the standard, i.e. the first one.
3) Make the changes only in the copied one.
Note:
1) Once we make changes in the copied one, the status changed to maintained.
2) If we do not follow the above steps, then during the regeneration of a role next
time, a new open field appears. Hence, in order to avoid the duplication of fields
we need to follow the above rule/procedure.
3) If we make any changes to a parent role like add, delete or Transaction Code,
we have to generate all the child roles under the parent role.
4) Whenever we generate a derived role, always choose maintenance as read old
status and merge with the new data.
5) If we choose edit old status then it will not reflect in any open fields even
though they are present.
6) Never try to select delete and recreate profile.

7) Once the role is generated then we have to assign the role to a user using
SU01 (or) Add a user to a role using PFCG -> User tab
8) Always assign only derived roles to a user whenever add a user in a Role
always compare with user compare.
9) In order to refresh user buffer with new values we have to always go for user
compare.
Compare User Master Record:
Comparing user master record can be done in 2 ways
1) A default background job i.e. Report called pfcg_time_dependency is
executed before start of the business day, but after mid night, meaning that the
authorization profile the user master record always have the most up to date in
the morning.
2) Using transaction pfud (User master record reconciliation). As an admin, we
should regularly execute this transaction, in this way we can manually process
errors that have occurred.
Authorization Troubleshooting for a User
Whenever a user tries to execute a Transaction which is not assigned or tries to
perform an activity which is not defined for existing Transaction, then the user
gets Not Authorized To error.
In such a case ask the user for SU53 screenshot for any authorization issues.
SU53 Analysis
SU53 has 2 parts
1) Authorization check failed: It captures actual cause of the error.
2) Users authorization data: It captures the existing access to the users
Note: In order to check SU53 analyses of other users go to SU53, click on display
for different users authorization object.
Analysis using SUIM
Scenario 1: User is having access to plant 1000 in MM01, now he is trying to
create for plant 0001 and he got the error no authorization to the plant 0001.
Solution: Request for SU53 screenshot. Once you receive the screenshot
Go to SUIM
In SUIM check the roles which are having access to plant 0001.
SUIM -> Go to Roles -> Roles by complex selection criteria and deselect the user.
Go to Authorization Object 1 from SU53 screenshot and select entry values
button
Enter the values as per SU53 under the authorization Object and select Execute
button.
Double click on the role on which we want to assign.
It will automatically take us to PFCG transaction.
Go to Authorization tab -> Select Display authorization data.
Go to Find Button (Cntrl +F)
Enter the authorization object in authorization field and clicks enter on Find

Object.
Go to Utilities and select Technical names on
Second Method of Role Maintenance
1) Create a parent role and Add Transaction codes in menu tabs and generate
the role.
2) Create child roles and assign the parent and generate the child nodes.
Note: The generation of child roles/derived is always done from the parent role.
Process:
Go to Authorization
Edit Read old/merge with data.
Make changes in parent role
Generate Parent
Finally generate derived roles button (or) select Auth -> Just Derived -> Generate
derived roles
This will generate automatically all the derived roles from the parent role.
Note: In this method org values cannot be maintained using parent role, we
have to individually maintain org values in the derived roles.
Mass Generation of Derived Roles:
Copy all the derived roles into a notepad
Goto PFCG -> Go to utilities -> Select mass generation -> In mass generation
screen
Select all roles under presentation
Select Display data when created and changed
Click on Role -> Multiple Selection
Note:
Go to notepad, select all and copy
Come back to multiple role selection and select upload from click board button
Select check entries button
And select copy button & select execute button.
Deletion of a Role:Before deletion of any role first add to a role to transport and proceed with
deletion.
Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to
production. If I delete a role in dev box, the same role has to be deleted in prod
because these roles are finally used by the users in prod box only. Hence the
deleted role needs to be transported.
Go to PFCG select the role to be deleted. Keep the role in a transport by selecting
transport role button.

Note:
1) In choose objects options never check user assignment. Assignments of users
to a role are done only in production box.
2) Changes done using SU24 is of type work bench
3) Changes using PFCG is type customizing.
SUIM change documents:For users:1) In order to find when the user is created, deleted as well as password reset
and user lock/unlock information. Besides this we can track info regarding the
roles like when the roles are added and deleted and who has performed this
action/date of action.
Scenario 1:
Q) Unlock a user or track why the user is being locked ?
A) Go to SU01 -> Enter the user ID -> Log on data and check the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute
Note: Locks are of 2 types
1) Locked due to incorrect log on
2) Locked by admin
If the lock is of type Admin lock, then we need to contact the admin for the
reason for locking hence never unlock directly.
If lock is due to incorrect logon then go to SU01. Select the user and press unlock
button.
Scenario 2: Mass user locking during upgrade:
1) Go to SU01, select * under user column
2) This will give entire list of user in my system
3) Copy the usernames in a notepad
4) Got to SU10, copy/paste the users and select the lock
Note: In SU10 we cannot set the password for all the users
Reference User is for internet purpose.
Note: Assignment of reference user
Go to SU01 -> Under roles tab -> ref user for additional rights where we enter ref
username.
Process steps followed in security - Requests coming in form of CR / Templates
1) Request comes in form of Approved CR form (Unique ID = CR Name)
2) Login to DEV and perform the action as per CR form requirement
3) Put the completed task in DEV under a TP ( CUST/WORKBENCH)
4) Transport / Move the TP to QAS for testing
5) Create a test id in QAS with the above changes and send the test id details to
the CR Owner.

6) Once testing is completed in QAS the CR Owner will send an approval


regarding the test results
a) If test results are positive then move to PR13 else rectify the changes needed.
b) Rectification of changes is done again in development.
c) The rectified change has to be kept in a new TP with description of above CR
Name and moved to QAS.
7) Based on approval, we move the changes to production.
8) Once changes are in production, the CR owner or the end user tests and
confirms the final status.
9) Once we get the final confirmation i.e 2nd approval in PRD then we can close
the CR.
SAP BASIS INTERVIEW QUESTIONS & ANSWERS 4

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) How do I assign roles to a specific group, not to a specific user, and
apply the roles to all users in that group? This particular group has four
users?
Go to suim,enter the user group name in user by complex selection criteria,
execute user's list,execute su10 enter list of user's and assign role to them
2) What is fire fighter? When we are using fire fighter?
Fire Fighter is used if you have implemented Virsa/GRC
Fire Fighter is Virsa tool, this used to execute critical tcode when doing
configuration
Fire fighter is also a normal user ID but having some specific access [Say Su01 or
SAP_ALL] as per the needs. User type is kept as "service user'
When it is used: Say, in your project you are security administrator who
Does not have access to direct SU01 but you needs the access urgently.
Then FFID owner/administrator assigns you a FFID for limited period so that you
can perform the task from your login ID and pwd, using tcode /n/virsa/vfat and
login with that FFID.
While logging you will be prompted to give business reason for access.
Everything you perform in that period [Using FFID]gets recorded for auditing.
3) I need to give authorization to a user to su01 tcode but the delete
options should not work..i.e. the user should be able to Create, disp,
change etc but not delete on su01. How cam i do this?
delete the 06 activity from s_user_grp,
4) What are the components in VIRSA tool and GRC?
In GRC we have these tools:
Access Enforcer

Complaince Caliber
Role expert
Fire Fighter
In VERAS Tool we have: VRAT and VFAT
5) How to create new authorization object?
Using SU21 we can create the New Authorization Object
6) Can anyone tell me what the use of SU24 and SU25 transaction code
is exactly?
SU25: A transaction that copies SAP defaults from USBOT & USOBX to USOBT_C
and USOBX_C.
USOBT is a table that consists of transactions and authorization objects. It stores
default values of authorization from authorization objects.
USOBX is a table that defines the necessary authorization checks that needs to
be performed within a transaction.
Initially both tables USOBT and USOBX consist of default values. These two
tables are then used for fill up of the customer tables USBOT_C and USOBT_X
through the transaction SU25.
SU24: A transaction that maintains the assignment of authorization objects in the
customer tables USOBT_C and USOBX_C.
7) What is the difference b/w Copy Roles and Derived Roles?
In derived role, all the transactions of parent role r copied but not the org
structure and auth. and we cant add more transactions in derived role.
In copy roles all the transactions with auth are copied
8) What is temp role and copy role?
Temp role: - it is the sap standard role, which is defined by sap.
Copy role: - copy from an existing role is copy role.
9) How to transport roles?
1. Create a transport request in SE10.
2. PFCG - please specify the role name - press the transport button(truck icon).
*** In case of multiple roles, go to utilities-mass transport**
3. There will be three info screens. Give tick mark.
4. Give the transport request number, which you created in SE10.
5. Press ok.
6. To confirm the changes, go to se10 and see your request number, right click
and verify the roles are attached.
10) What are various user types?
Dialog (A)
System (B)
Communication (C)
Service (S)
Reference (L)

Dialog users are used for individual user. Check for expired/initial
passwords.Possible to change your own password. Check for multiple dialog
logon
A Service user - Only user administrators can change the password.No check for
expired/initial passwords. Multiple logon permitted
System users are not capable of interaction and are used to perform certain
system activities, such as background processing, ALE, Workflow, and so on.
A Reference user is, like a System user, a general, non-personally related, user.
Additional authorizations can be assigned within the system using a reference
user. A reference user for additional rights can be assigned for every user in the
Roles tab.

Posted by Kumar SAP at 11/22/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, interview, interview questions, netweaver, sap,
sap ag, sap basis, sap interview, sap interview questions, sap netweaver
SAP BASIS INTERVIEW QUESTIONS & ANSWERS 3

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) Under description; in creating a role what should be written over
there ....what does your company follows ?
Description of role defines the role related activity in short. Just seeing the
description of the role, one can easily know the role details, like
Role belongs to which SAP module (MM/PP/FICO)
The Company code/Org level values
Restricted values can also be mentioned there
Activity performed after assigning that particular role.
2) What is the correct procedure for Mass Generation of Roles ?
1)Tcode SPUC is for mass generation of roles. Or you can use scripts
2)Program SAPPROFC_NEW inserted roles to be generated and execute.
3)PFCG > Utilities > Mass Generation
3) Can we assign generated profiles to users directly ?
No, we can't assign a generated profile to user directly; we have to as the role

associated with that particular profile


The best practice is not to assign profile to a user master record. But then we can
assign...
Check it for example, assign sap_all to a user master record and can actually
work.
So, yes a profile can be assigned to user and can work.
4) How many maximum profiles we can assign to one user ?
apprx 312
5) In which way we can assign single role to many users (more than
5000 users) ?
Go to Su10
Click on authorization data
Click on multiple selection button beside user input field a pop up will appear->click on green import from text file
Give the destination of the excel sheet where you have already kept 5000 users
Execute-->execute-->select all -->transfer this will bring all 5000 users in su10
Now change--> role tab--> assign the single role-->save
6) I want to see list of roles assigned to 10 different users. How do you
do it ?
1.Go to SE16 Transaction
2.Type agr_users and go to next screen
3.in the users field I have the list of user ids
4.Result
(OR)
GO to suim -->ROLES-->By user assignment
Click multiple selection
Select users ans execute
Now you get a list roles assign to selected users
7) What is the advantage of CUA from a layman/manager point of view ?
CUA - Central User Administration
Advantage of CUA is to lessen the time by creating users in one single system,
and distribute it to the respective systems (where the user id is requested)Helps
in avoiding logging to each individual systems. Layman point of view we dont
have any advantage, But SAP security admin point it takes lesser time for user
Admin.
8) how do we create firefigter Id in VIRSAs VRAT ?
First create service user and mapp this user in /n/virsa/vFat
9) What is the procedure to delete a role ?
First add the role that need to be deleted in a Transport.
Then delete it. If there is no transport already, then create one for it and then
add the role marked for deletion to it and then only we have to delete the role.

If the role is deleted without adding it to a transport then we will not be able to
delete the same role in other systems like Acceptance / Quality / Production in
CUA Environment.
10) What is the main difference between role and profile ?
Roles are the set of authorizations.
Profiles are sub component of roles.
We can assign role to user but not profile.
Roles are collection of different transactions, reports/web links where its profile is
nothing but set of authorizations which defines the behavior of transactions
listed in Role Menu. And another difference could be we canassign roles to user
using PFCG but we cannot assign manually created or generated profile directly
to users using PFCG.

Posted by Kumar SAP at 11/22/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, interview questions, netweaver, sap, sap ag, sap
basis, sap interview, sap interview questions, sap netweaver
SAP BASIS INTERVIEW QUESTIONS & ANSWERS 2

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) A user is asking for a t-code to assign? How do you assign the t-code?
First we have to check if user has access to particular tcode. If not then run suim with roles by complex
selection criteria -->put object1 as S_tcode as the required tcode and hit execute button. The query will
fetch you a result of roles. Select a role that has minimum authorization and satisfy the user requirement.
And assign the role to user.

2) A user is not able to execute a t-code; how do you solve that? What are
the different reasons that might be existing?
Reason:
1. Tcode does not exist
2. User context missing auth for that tcode
3. User comparison is not current
How to solve:
1.check if the user is having the tcode or not.

by SUIM--> role by complex selection criteria [s_bce_68001425]


2. if the tcode is not assigned to user -->assign suiatablle role after taking approval. Make sure to user
compare to update the user master record
3.if the tcode is available for the user and user still cant access--> ask for result of SU53 screen shot,
there might be some other authorization which is missing for the user
4.we can also trace the user's auth check by use of st01 fine searching user's missing access by analyzing
st01 report and rc.

3) What is difference between se16 and sm31?


SE16: table display
SM31: table, view modification

4) What are the authorization objects which are always present in user
master record?
For user master record as u must be knowing that different tabs of UMR..So as per my understanding As
UMR stores information of users...Like his name, roles assigned to him, License data.
Objects which are always present for UMR are:
S_USER_AGR, S_USER_GRP,S_USER_AUT,S_USER_PRO and each of this object has its own importance...
bcoz S_USER_AGR helps to maintain roles assigned, S_USER_GRP helps to maintain Auth. group
in Logon Data and S_USER_AUT AND S_USER_PRO helps to maintain set of Auth. profiles and different
Authorizations included in each profile.

5) What is use of System Task Tab on menu bar in PFCG?


Role creation, change and delete.
6) How can we Lock transaction? What happens exactly?
In SM01 transaction we can lock the transactions; we can lock one or many at a time in the system.
After locking transactions, it wont allow any body to use the transaction.
(OR)
SM01 transaction can use to lock the transactions; we can lock one or many at a time in the system.
When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and
whether the system administrator has locked the transaction.
7) What is Use of SM35P and SM35 is there any difference between these two?
Tcode SM35P use to display/monitor sessions. Using Tcode SM35 you the run/process the sessions in
background
or foreground.

8) Is there any transaction to see Transport Log.? Means, Which data or


roles have been transported from which system at what time?
SE01 transaction is use to see Transport Log.
By clicking tab "DISPLAY" you can able to see the logs.
You can also see the roles or data has been transported from which system at what time.
9) Which role is commonly used?
Composite and single role commonly used.

10) How to find the already locked users list before a particular date?
Example: list of users already locked before 01/01/2010
Goto SUIM - USERS - USERS BY COMPLEX SELECTION CRITERIA,scroll down to the bottom,
goto ADDTIONAL SELECTION CRITERIA, then give the validity date and check the check box of the option
LOCKED USERS ONLY, then execute, u will get the list of the locked users.

Posted by Kumar SAP at 11/22/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, interview, interview questions, netweaver, sap,
sap ag, sap basis, sap interview, sap interview questions, sap netweaver
SAP BASIS INTERVIEW QUESTIONS & ANSWERS 1

SAP BASIS INTERVIEW QUESTIONS & ANSWERS :1) What is difference between 4.7, ECC 5 and ECC6 from SAP Security
point of view?
SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE.
SAP 4.7 is an ABAP based system, here we can see only about R/3 security.
SAP ECC5.0 and SAP ECC6.0 included both ABAP + JAVA stacks, means enterprise portal also
included here we can have both R/3 security for ABAP stack and JAVA stack security which includes in
portal concept(Enterprise Portal Security).
SAP GRC which is a security tool can be implemented only to ECC 5.0 and ECC 6.0 but not to the 4.7EE.
2) What do you mean by profile and object?
Well, profile is a authorization profile and where as object can be an authorization class or authorization
object or field and value. So, to make up a profile it requires several objects.....
More precisely profile is set of different authorizations for different objects. It means when you create role
and go for generating profile whatever the list of transactions you have added in role menu its corresponding
objects automatically fetch up by profile generator. For which transaction which objects get fetch up this you
can check using SU24 tcode only objects with check/maintain status get fetch up by profile generator during
profile generation. And for better understanding you just keep in mind for every tcode there are certain set of
objects. And Each objects has different fields and its value is called its value i.e. 01, 02, 03 create, change,
display respectively.

3) What is the profile?


Profile is what a user can do within that role that is assigned to the user.
When a role is created; a profile is created based on the authorization data i.e. object class, authorization
object, filed and values.
The word "profile" is used in 2 different concepts.
1) Authorization Profiles
2) System Profiles
Authorization Profile:This profile is the one created when a role is created and is called as
authorization profile.
System Profile: This profile exists to change the parameters for the instances...

4) I want a list of users along with roles for a client? How to do it?
We can use tcode se16 in it AGR_USERS uname: enter the user ids and AGRname: role name
Youcan get in SUIM also.
5) In an environment of derived roles; a user is asking for a t-code; which is not found in suim
in search of roles? What will u do?
1. Check if the tcode exists or not.
2. Try to search the role with S_tcode and then putting the tcode in "roles by complex selection criteria"
3. You should at least get SAP standard role which should not be assigned.
So after doing all these you are not able to find any end user role available in system.
Next step is the proposal of adding the tcode to a suitable role.
as it's a derived role envi---> need to add the tcode in template / parent role
Take approval from BPR/role owner for role modification. They will decide which parent role to change.
Change role [by adding the tcode] in Dev and transport to rest of the sys in landscape
6) Can u secure profiles? If so , how to do it ?
Yes you can. Secure Profile S_User_PRF

7) I want to lock all the users except sap* and DDIC of a particular client ?
SU10
F4 on user id field
Change the hit list restriction according to users present
Enter
It will bring all available users
Remove SAP* and DDIC from list
Select all and enter
It will bring u back to SU10
With all users except SAP* and DDIC
Select all
Lock
it will lock your user also
(OR)
We can do it by ewz5

8) I want to delete 1000 users of a particular client, how can I do it?

You can create a SECATT script to delete the users which is easy to create and easy to execute.
You can also delete users of a particular client by using t-code su10.

9) Can u tell me some of the password related parameters ?


Password related parameters are:
login/min_password_lng (Defines minimum length for password)
login/min_password_digits
login/password_expiration_time
These are the main parameters - which can be maintained via RZ10
(OR)
You can go to t-code se16
Write login/* and enter ... then u will get all login parameters
Here there is no need of remembering
10) How can I assign a same role to 200 users?
You can do using PFCG- > enter the role -> change -> go to users tab -> paste the users -> click on user
comparison-> complete comparison -> Save the role - it's done
(OR)
One can also use "Authorization Data" functionality in transaction SU10 to complete this task.

Posted by Kumar SAP at 11/22/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, interview, interview questions, netweaver, sap,
sap ag, sap basis, sap interview, sap netweaver

November 16, 2012


Update your SAP Kernel in a SAP ECC system

Update your SAP Kernel in a SAP ECC system :1. First of all, go to the SAP Service Marketplace (service.sap.com), and download your
desired kernel version:
Downloads --> SAP Support Packages --> Entry by Application Group --> SAP NetWeaver
--> SAP Netweaver --> SAP Netweaver <version> --> Entry by Component --> <select
component> --> <select your system version> --> #Database independent (this is the part I.
In the same step, select your database to download the part II of the package).

2. After you have the two parts downloaded, log into the OS level and uncar the 2 parts in
separate directories. Copy the part I in a new folder, and copy the part II into the same folder
(there are cases that files may need to be replaced. replace them, don't worry).

3. Stop the database, SAP and the services related to them (SAPSID##, SAPOSCOL).

4. Backup the old kernel. Usually it is located in: </usr/sap/SID/SYS/exe/<uc or


nuc>/<system>.

5. Delete the old backed up kernel, and copy the new kernel there.

6. Start the services related, database and SAP.

Now

just

confirm

the

new

kernel

version

Posted by Kumar SAP at 11/16/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: kernel, sap, sap kernel, saposcol, sapsid

November 11, 2012


ST03N: Workload Monitor [Monitoring]

ST03N: Workload Monitor


[Monitoring]

in

SAP.

ST03N is used to analyze statistical data for the ABAP kernel and monitor
the performance of a system. You can display the total values for all instances,
and compare the performance of particular instances over a period of time.
The workload overview provides system administrators with various detailed
information about the most important workload data, such as the CPU time, the
number of database changes, the response times, and so on. You can
display the workload overview for all task types (Dialog, Background, RFC,
ALE, and Update), or only for one particular task type.

Workload Overview :-

Processing time This is equivalent to response time minus the sum of wait
time, database request time, load time, roll time, and enqueue time
Hint: > 2x of CPU time
Probs: Hardware

CPU time A work process uses the CPU.


Hint: 40% of response time]
Probs: CPU bottleneck
Solution:
In ST06,
Go to Detail Analysis Menu -> Top CPU , check existence of Non-SAP
(external) programs by sorting by CPU time. Try to run these external programs
in offline hours.
In ST02,
Check for any swapping happening in all the buffers. If there is high swapping for
any buffer, increase the size of the buffer.

Response time The time when a dialog process sends a request to a


dispatcher work process, and the dialog is complete and the data is transferred
to the presentation layer. The response time does not include the time for
transferring the data from the SAP front end to the application server.
Hint: 1 second (dialog), <1 second (update)
Wait time The time when a user request sits in the dispatcher queue. It starts

when user request is entered in the dispatcher queue; and ends when the
request starts being processed.
Hint: < 10% of response time
Probs: long running tasks, locked tasks, not enough work process
Solution:
In SM50,
Look for all the configured work processes are in Waiting or Running state. If all
the wotk processes are running state, then increase the number of Dialog work
processes.
In SM66,
This monitor will help to analyse the total work processes configured in all the
servers and instances.

DB calls Number of parsed accesses to the database.


Hint: DB calls/requests good ratio is 1:10 = efficiency table buffering

DB requests/DB Time The time when a database request is put through to


the database interface & when the database interface has delivered the result.
Hint: 40% of response time
Probs: CPU/memory bottleneck on DB server, expensive SQL statement, missing
indexes, small buffer, missing statistics
Solution:
In ST04,
- Database buffer quality (> 95%), if <, increase database buffer cache size.
- Reads/User Calls (< 30), if >, the expensive SQL statements need to be tune.
Some of expensive SQLs statement problems:
i) incorrect index access (Solution = create new index or reorganize the index)
ii) high table size (Solution = archive the old entries)

Average load & generation The time needed to load and generate objects.
Hint: < 10% of response time, < 50ms
Probs: Program buffer, CUA buffer, screen buffer too small

GUI time Response time between the dispatcher and the GUI during the
roundtrips (roundtrips are communication steps between the SAP system and the
front end during a transaction step).
Hint: < 200ms
Probs: network between GUI & SAP]
Solution:
In ST06,
Go to Detail Analysis Menu -> LAN Check by PING. If there is high Avg. time
or Loss time for any presentation servers, means there are some settings need to

be change for the presentation server.


In SE38,
Execute PROFGEN_CORR_REPORT_5 report. From the output check if any user
assigned with > 1000 user menu nodes.

Roll in time - The time needed to roll user context information into the work
process.
Hint: < 20ms
Probs: SAP memory configuration (extended memory, roll buffer)

Roll wait time Queue time in the roll area.


Hint: < 200ms
Probs: network between GUI & SAP

Posted by Kumar SAP at 11/11/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, netviewer, sap, sap ag, sap basis, sap netviewer,
sap workload, st03, st03n, st06, st22, work process, workload
Post Installation Steps

Post Installation Steps :After Installing R/3 into a new system, Basis has to perform some post
Installation steps before handing over to end users for operation. Post Installation
steps make sure that System is ready, properly configured, Tuned and take load
of user requests.

Below are some standard steps which has to perform immediately after the
installation is finished.

PART 1:-

1. Login to SAP system using DDIC/000

2. Execute SE06 , Select Standard Installation and click on execute Perform


Post Installation Steps. Click yes on each next screen.

3. Execute STMS , to configure TMS configuration system. If there is no


Domain controller in organization then configure this new system as DC.

4. Execute SICK to check for any Installation error , If anything is reported


then trouble shoot those errors.

5. Execute sapdba or brtools to check/increase tablespace size if any is >90%

6. IF sapdba then check the tablespace utilization by selecting c.


Tablespace Adminitration - c. Free space fragmentation of Tablespaces

7. List out all the tablespaces filled above 90%

8. Add datafiles to corresponding tablespaces to increase the tablespace size


and bring the utilization of tablespaces below 80%

9. Login as SAP*/000

10. Execute SCC4 -> Click on change button -> Confirm the warning and click
on new entries to create a new client.

11. Execute RZ10 -> Utilities -> Import profiles -> Of Active Servers

12. check the system log in SM21

13. Check any dumps in ST22

14. Login at command prompt using ora<sid> or <SID>adm

PART 2:-

1. login to new client to perform a client copy using SAP*/<new client


number>/PASS

2. Perform local client copy procedure to copy new client from 000 client.

3. Once client copy is over , login to new client using SAP* and password of
SAP* which was
used in client 000

4. Execute RZ10 -> Select Instance Profile -> check Extended maint -> click
on change.

5. Add parameter login/system_client parameter to make new <client_number>


as default client to login.

6. Make changes to dialog process and background if you need to change


than default one.

7. Save the profile and activate it.

8. Create one or two super users using SU01 with profiles SAP_ALL and SAP_NEW

9. Create some developer users if you can, else leave it.

10. Stop and Start SAP R/3 for profile parameter to be in effect.

11. Upgrade the kernel to the latest level

12. Upgrade the SPAM version to latest level

13. Apply latest support pack to components SAP_BASIS, SAP_ABAP,


SAP_APPL and some other components if it is required.

14. Follow the kernel, SPAM and support pack application methods

15. Now system is ready to login and work for developers and administrator

16. Keep on changing the parameters , system configuration as per requirement


later.

17. Run SGEN to regenerate the objects . In this process SAP keeps all the
required objects access in SAP buffer. So that transaction accessing becomes
faster.

Posted by Kumar SAP at 11/11/2012


Email ThisBlogThis!Share to TwitterShare to Facebook
Labels: basis, basis materials, kernel, netviewer, POST INSTALLATION ACTIVITIES,
rz10, sap, sap ag, sap basis, sap netviewer, sap post installation activities, se03,
se06, sgen, sick, sm28, spam, st22, stms
Support Pack Upgrade Process

Support Pack Upgrade Process :Support Pack Application:1. Check the current patch in your system.

a. Check SPAM Version


b. Check SAP_BASIS patch level
c. check SAP_ABAP patch level
d. Check SAP_APPL Patch level.

To get all the above information follows the following steps:-

Execute SPAM - Check the SPAM level at the top.


Click on Package Level to display all the patches in the system

Note down SAP_BASIS, SAP_ABAP, SAP_APPL patch level in the display.

2. Find out what is the latest patch level available for above components.

Download -> Support Packages and Patches -> Entry by Application Group-> Application
Components ->SAP R/3 Enterprise -> SAP R/3 Enterprise 47 X 110 -Entry by component
-> SAP R/3 Enterprise Server-> SAP_BASIS620 ->

3. From the list select which component you want and click on it.

E.g.click on SAP BASIS 6.20 and select the patch level 25 you want comparing your
current patchlevel. Select all the patches you are behind to current and add to download
basket.

All the patches are in .CAR format.

Repeat the same step for all components you want to apply for your system.

4. Download all the patches you added to download basket by using SAP Download
Manager.

5. Save all the .CAR files to your local hard drive say C:\supportpacks

6. now transfer all these .CAR files to Your Unix Server where your SAP is running using
ftp.

ftp steps
go to command prompt
cd c:\supportpacks
c:\supportpacks\> ftp solsrv (solsrv is the unix servername)
username : SIDADM
password : (Password of SIDADM)
ftp> cd /downloads/supp_pack
ftp> bin
ftp> mput *.CAR (press y for all the confirmations)
ftp> bye

7. Now extract the .CAR files by using executable CAR.EXE

#cd /download/supp_pack
# CAR -xvf <Filename1>.CAR (files are extracted to .../EPS/in folder)
Repeat extraction for all .CAR files
You will get the files with extension .ATT and .PAT

8. Now go to /usr/sap/trans/EPS/in directory and remove the existing files out there.

login as <SID>adm and pasword


# cd /usr/sap/trans/EPS/in
# rm -rf *

9. Now Copy all .ATT and .PAT files to /usr/sap/trans/EPS/in directory

# cp /download/supp_pack/* /usr/sap/trans/EPS/in
# ls l

10. Login to SAP using a superuser other than SAP* and DDIC to 000 client.

11. Execute SPAM in SAP command line

12. Click on Support Package -> Load Packages -> From Application Server.

Here all the .ATT and .PAT files are converted into proper Patch format and available on
SAP level to apply suuport packs as per the requirement.
Click on Back button

13. Now Click on Display/define

14. Ask all the users to logoff from the system OR lock all the users in all business clients
using customizing program or SAP tool.

15. Make sure you have full backup of system before applying the patch
and enough downtime to apply the patch

SPAM Update

16. Select support package ->Import SPAM update to update the SPAM version.

Applying Patch

Before Applying the Patch to system, we have to check if there are any objects under
modification or any Transport Request in modification condition. IF any then we may have
to adjust those prior to applying
the SAP Patch.

Execute SPAU and see if any objects are there to adjust


Execute SPDD to see if any dictionary objects are there to adjust.
Execute SPAM
Click on display/Define
Select the component (e.g. SAP_BASIS)
Select the Patch number (e.g. SAPKB62012)
Click on confirm Queue (\/)
Select Import queue by selecting truck button
Confirm it by clicking on (\/) mark
Patch application is started.
If you encounter error during patch application, start applying again.
Confirm the message
SPAM status is in yellow
Click "confirm queue button to confirm the queue.
Check the spam status. It should be green.
Support pack application is successful
Click on Package level to see the change.

Basis Information
A set of middle ware programs and tools that provide the underlying base that enable
applications to be inter-operable across operating systems. SAP Basis includes a RDBMS,
GUI, and client server architecture. It's a piece of middle ware which links the application
with the database and the operating system. Basis is most commonly associated with the GUI
interface to the SAP.

Vous aimerez peut-être aussi