*-- Bajrang
3] SAP standard background jobs are running successfully. Review for cancelled and critical
jobs.
sm37 Background jobs--- Check for successful completion of jobs. Enter * in the user-id field
and verify that all critical jobs completed successfully, and review any cancelled jobs.
4] Operating system Monitoring
st06
5] Extents monitoring
db02 Database monitoring--Check for max-extents reached
6] Check work-processes(started from sm51)
sm50 Process overview-- All work processes with a running or waiting status.
7] Check system log
sm21 System log-- Set date and time to before the last log review. Check for errors,
warnings, security messages, abends and database events.
8] Review workload statistics
st03 Workload analysis of <sid>
st02 Tune summary of the instance
9] Look for any failed updates
sm13 update records
10] check for old locks
sm12 lock entry list
11] Check for spool problems
sp01 spool request screen-- check for spool requests that have been in process for over an hour.
12] Review and resolve dumps
st22 ABAP Dump analysis
13] Check the .trc files in the SAP trace directory for block corruption on a daily basis.
C:\ORacle\sid\saptrace
14] Archive backup
brarchive -f force -cds -c
Insert the archive backup tape
15] Review NT system logs for problems
-> NT system log - look for errors or failures
-> NT security log - failed logons to SAP servers
-> NT application log - look for errors or failures
SAP BASIS INTERVIEW QUESTIONS & ANSWERS:
1.Can you kill a Job?
Yes - SM37 - select - kill
2.If you have a long running Job, how do you analyse?
Use transaction SE30.
3.What is private mode? When does user switch to private mode?
Private mode is a mode where the heap data is exclusively allocated by the user and is
no longer shared across the system. This happens when your extended memory is exhausted.
4.How to uncar car/sar files in a single shot?
on Unix: $ for i in *.SAR; do SAPCAR -xvf "$i"; done
5.Which table contains the details related to the queue defined in SPAM? Is there a way to
revert the queue defined? If yes, how?
There is a "delete" button when you define the queue. If you have already started the import it is no
longer possible, since the system would become inconsistent.
6.What is mysap?
It's a term for all the systems that are in a contract (e.g. a MySAP Business Suite consists of
ERP2005, CRM2005, SRM2005).
7.What is ASAP?
It's an old term for an implementation strategy. Blueprint -> prototype -> goLive (if you want
to say it in one sentence).
8.Describe how SAP handles Memory Management?
ST02 / ST03. In general via table buffers; you could go into the whole work process, roll in,
roll out, heap (private) memory, etc. However, just as a Unix or DBA admin would know,
you look this up when needed for the exact specifics.
9.Using Tcode SGEN I have generated 74% of the job and later terminated it. I
wish to resume generating from where it stopped. I have refreshed, but
nothing was done. How should I proceed so as to complete the remaining job?
Start SGEN again and select the same options you selected before. It will pop up and ask if you
want to start from scratch or generate just the remaining.
10.When we should use Transactional RFC ?
A "transactional RFC" means, that either both parties agree that the data was correctly
transferred - or not. There is no "half data transfer".
11.What does OPS$ mean? What if a user is given this authorisation?
OPS$ is the mechanism the <SID>adm user uses to connect to the database.
12.What is a developer key, and how to generate a developer key?
The developer key is a combination of your installation number, your license key (that you get
from http://service.sap.com/licensekey) and the user name. You need this for each person that
will make changes (Dictionary or programs) in the system.
13.How to see when the optimizer stats were last run? We are using Win2k, Oracle
9, SAP R/3 4.6C.
Assumed DB=Oracle
Select any table, let's take MARA here, but you should do the same for MSEG and a few others
to see whether the dates match or not. Run the following command on the command prompt:
select last_analyzed from dba_tables where table_name like '%MARA%';
This gives you a straight answer. Otherwise you can always look in DB14 to see when
the optimizer stats were updated.
14.I would like to know the version or name of SAP that is implemented in real time?
This is a very generic question and really depends on what you are implementing (modules).
The history of the "R/3" is
3.0D Basis 300
3.0E Basis 300
3.0F Basis 300
3.1H Basis 310
3.1I Basis 310
4.0B Basis 400
4.5B Basis 450
4.6C Basis 460
4.71 Basis 6.20
4.72 Basis 6.20
5.00 Basis 6.40 (ECC 5.0 - Enterprise Core components)
6.00 Basis 7.00 (ECC 6.0) - actually in RampUp
All of those have increased business functionality and interfaces to other systems (CRM, BW
etc.)
15.How should I set priority for Printing say like user, team lead, project manager?
There's nothing like "priority" settings for spool processes. Just define more (profile
parameter rdisp/wp_no_spool) processes so people don't need to wait.
16.What is the use of Trusted system. I know that there is no need of UID and PWD to
communicate with partner system. In what situation it is good to go for Trusted
system ?
E. g. if you have an R/3 system and a BW system and don't want to maintain passwords.
Same goes for CRM and a lot of other systems/applications.
17.Why do you use DDIC user not SAP* for Support Packs and SPAM?
Do _NOT_ use either DDIC or SAP* for applying support packages. Copy DDIC to a
separate user and use that user to apply them.
18.What is the systems configuration required to implement SAP.. i.e for
production,development and QAS servers the hard disk space, RAM, Processor
This also depends on what you are implementing, how many users will work on the system,
how many records in what area are created etc.
We need a BIG database system and an even bigger application servers.
SAP R/3
SAP (Systems Application and Programs, Real time)
SAP is 3 Tier Architecture
SAP Standard version starts with 3.0, 4.6B, 4.7EE, NW.04 (came in 2004), NW.04S,
ECC5, ECC6
OTHER VERSIONS
SAP Industries (Business Related Industry)
SAP Applications (Collaborative for Cross Application)
MySAP Business Suite OR MySAP.com: has been introduced for small and medium industries
SAP Netweaver Using Internet
SAP Netweaver is a combination of MySAP Business Suite and SAP Applications
MySapBS+SAP application
Steps to Install SAP
Operating System (OS)
Database (DB)
SAP
SAP Login
- Client:
- User Name:
- Password:
Two Types of Menus in SAP
1. Standard Menu(SAP Menu)
2. Role Based Menu
Each user will get a role based menu
USER_SSM: is a table where all the menu related information is stored (whether it is role
based or standard).
SMEN_BUFFC is a table where favorite information is stored
SMEN_BUFFI is a table where favorite information is stored
Downloading from SAP to desktop as well as uploading from desktop to SAP, the steps are:
->System
->List
->Save
->Local file
Shortcut Commands
/n Takes to new session in session
/o New window in new session
/nend Logging off current session
/nex To close entire system (without saving)
/I unsaved session logout
Help SAP
In SAP there are two types of helps
F1 Technical Help
F4 It provides possible entries for a particular field. (Maximum 500 entries are allowed in
F4)
Filtering Data in SAP
SE16 Is the Transaction Code to view the contents of the particular table.
GUI - SAP
Two Types of GUI in SAP
- SAPgui.exe
- SAPlogon.exe
Button on GUI
- Group
- Server
- New item
- Delete
- Change
- Login
- Validation
- Change item
SAP log: Start SAP logon file.
- End users have access only to the production box, and very few end users will have access
to a separate training box.
- SAND box is used only for R&D purposes. Whatever changes you make in the SAND box will
not be transported out of the box, i.e. the changes are stored under $TEMP (local server
only).
- Training box is used by end users for training purposes.
- Both SAND and Training box will have exactly the same data as the production box.
Development Box
- MAST
- CUST
- SAND
MAST
000 001 066 Clients
000 to 999 client number names
Type of Changes in Development box
In SAP there are only two types of changes.
Workbench change: T.C. is SE09
Customizing Change: T.C. is SE10
Workbench Change: a change made to the default values provided by SAP in the tables
is called a workbench change.
Customizing Change: is a change which is totally new in a system, e.g. creating a new
program or modifying the structure of a program.
Transaction code SE01 = SE09 + SE10
- Workbench changes are transported using the transport layer SAP
- Customizing transport layer Z<SID>
- Anything starting with Z in SAP is a customizing change.
- In SAP there will be always one export and N number of inputs.
Ratio of export to imports is E:I; 1:N
- In three system landscape one export and two imports.
- Data moved out of development box is called as export
- Data pulled into quality and production box is called as import.
Client   Description
000      Master Client
001      Backup Client
066      Early watch

Client   User ID       Password
000      sap*          06071992
001      ddic          19920706
066      early watch   surpass/support

These are the SAP clients and user IDs with their default passwords.
6th July 1992 is when SAP moved from two-tier architecture to three-tier architecture.
R/2 is Mainframe
R/3 SAP
SAP BASIS INTERVIEW QUESTIONS & ANSWERS:
Support:
Q) What are the steps involved in stopping SAP system?
A) Before stopping the SAP system we need to check the status of the following:
Check if there are any logged on users. Use Transaction Code SM04
Check if there are any background jobs defined. Use TC SM36
Check if there is any background processing going on. Use TC SM37
Check if there is any batch input session. Use TC SM35
Check if there are any update processes running. Use TC SM13
Spool:
Q) How to identify how many spool work processes are set up in a
particular application server?
A) Trans-Code SM51 and select the application server.
Go to SM50 and count the number of work process with SPO
Q) How many spool processes are configured in our entire SAP system?
A) SM66 and check for SPO work processes. In Select process, choose Type =
Spool and Status = Wait
Q) Can we change number of spool work process by operation mode
switching?
A) No. Only background and dialog work process can be modified.
Q) How to identify how many spool servers are available in your SAP
system?
A) SM51 or SM66 and check for application server with at least one spool
workprocess.
Q) How to make setting for an individual SAP user so that an output
request is not created immediately for a spool request?
A) SU3 go to Default tab and ensure that output immediately option is not
checked.
Q) How to find which printer is defined at OS level of your server?
A) Go to start -> Settings -> Printers (Revisit)
Q) What are the three approval steps you need to follow as a part of
approval procedure in QAS?
A)
1. To be approved by system administrator
2. To be approved by department
3. To be approved by request owner
Q) What are the various qualifier option or what are the various import
options?
A) There are six import options
1. Leave transport request in queue for later import
2. Import transport request again
3. Overwrite originals
4. Overwrite objects in unconfirmed repairs
5. Ignore unpermitted transport type
6. Ignore predecessor relations
Sap Database Notes 3:
TAPE MANAGEMENT:
(1) Each and every tape used for backup, i.e. by BRBACKUP and BRARCHIVE, needs
to be initialized.
(2) During tape initialization an SAP-specific label is written to the tape as the first file
(.tape.hdr0) containing the tape name.
(3) BRTOOLS-> Backup-> Dbcopy-> Additional Functions-> Init of BRBACKUP
tape Volume or Init of BRARCHIVE tape volumes.
The command to start the initialization is brbackup | brarchive -i|-initialize.
(Q) What are the contents of tape label after a tape is Initialized ?
(A) (i) Tape Name
(ii) Name of the Database
(iii) Time stamp of last backup recorded on the tape
(iv) Number of Backups performed with the tape
Before writing data to tape, the label is read to check the following
(i) Tape Name
(ii) Tape locked or expired (expir_period)
(iii) No. of times the tape has already been read (tape_use_count)
If expir_period = 0 days, the volume is not locked at all and can be
overwritten.
If a lock occurs on a tape, it automatically expires at midnight.
(Q) What are the methods used by BRBACKUP and BRARCHIVE to check tape
locks?
(A) There are 2 types of locks
(i) Physical lock check: Physical lock check is done by checking tape label
parameter Expir_period. If the number of days passed since the tape was last
used is less than value of parameter Expir_period, then the tape is physically
locked.
(ii) Logical lock check: This value is derived from the time stamp written to
tables SDBAH, SDBAD
(Q) What are the various tape selection processes?
(A) (i) Auto tape selection by BRBACKUP and BRARCHIVE
(ii) Manual selection by the operator
(iii) By external tool
(Q) What is the option to select the tapes automatically by BRBACKUP and
BRARCHIVE?
(A) Set the parameters volume_backup and volume_archive to TAPE
(Q) What is the command to check which tape will be automatically selected?
(A) brbackup | brarchive -q|-query [check]
(Q) How do we switch off automatic tape management?
(A) By setting the parameters (volume_backup and volume_archive) to the
value SCRATCH
(Q) How do I turn off the tape management performed by SAP tools?
(A) Configure the parameter backup_dev_type = UTIL_FILE or
UTIL_FILE_ONLINE and also configure the BACKINT interface in init<SID>.sap
NOTE: The BACKINT interface program is only supported for external backup.
(Q) How do we verify Backups?
(A) Verification of backups is of 2 types
(i) Tape Verification: The files are restored file by file and compared with
original files to verify if the backup is readable.
(ii) DB Block consistency: This checks the database block by block using
Oracle tool DBVERIFY to identify and restore from bad blocks.
PATH: BRTOOLS-> Backup & DB copy-> Verification of DB Backup, Verification of
Archive log Backup
With the option USE_DBV (DBVERIFY) = NO, only the tape is verified (if YES, tape verification
+ DB block consistency check).
STATUS OF OFFLINE REDO LOG FILES:
Sap Database Notes 2:
BR Tools (used for entire backup administration)
BR Tools is a package name which contains various tools.
These tools are divided into various ways based on their performance.
Note: If you get an error message while calling BR Tools then your version might
be older (less than 4.7).
There are two modes for calling the various options in BR Tools:
-Main Menu Mode
-Quick Mode
BRCONNECT must be called in main menu mode.
BRSPACE and BRRECOVER always make a CONNECT / AS SYSDBA, because
their actions require the SYSDBA privilege.
Once you connect as SYSDBA, if you do not want to enter a user name and
password while calling SQL*Plus, call the interactive program using the
command sqlplus /nolog
SQL*Plus by default connects to the database defined in the environment variable
ORACLE_SID.
Changing the password for the SAP user is done using BRCONNECT.
Note: Passwords for DB user SAP<SCHEMA ID> or SAPR3 should not be changed
using Oracle methods.
Database Transaction Codes:
1. DB13: Schedule backups and other administrative jobs.
Note: DB13C : This is used to schedule backups and admin activities centrally
for all SAP systems and database.
2. DB14: To check the status and logs of all database operations.
3. DB16: Overview of database system checks.
4. DB17: View and maintain check conditions for database system check.
5. DB20: Maintain Statistics.
6. DB21: Configuration of Statistics
7. DB26: Database parameter overview with history.
8. DB02: Table and index monitor
9. ST04: Database performance monitor
10. RZ20 DB Alert Monitor (Optional)
11. DB13 is used as an interface to schedule background jobs starting with
DBA*. These background jobs look into table SDBAC
12. SPfile.ora is the server side initialization parameter file (Oracle database server)
Do not make parameter changes at Oracle level, because that only changes
parameter values in the SPfile; always use BR* tools, because they maintain
consistency by copying the contents to both files.
The transaction codes DB02 and ST04 still use init<SID>.ora
The SAP installation tool does not create the SPfile. The SPfile is created using SQL*Plus
CREATE SPFILE.
The SPfile is stored in the oracle_home directory, the same as init<SID>.ora.
RZ20: Database alert monitor.
Start and Stop Commands
brspace -c force -f dbstart -s <state>
Starting of Database
1. No mount = reads parameter files, database instance started and memory buffers
allocated.
2. Mount phase: opens control files.
3. Open: opens all data files and online redo log files.
Mount phase is used for database recovery, for changing archive log mode, for
removing and moving data files and also for adding, dropping, renaming online
redo log files.
Do not use BRCONNECT to start and shut down the database; instead use
BRSPACE because it records these actions in log files.
No mount phase is used for creation of the database and for recreation of lost
control files.
Stopping of Database
1. Normal: Oracle waits till all users are disconnected from the database. All files
are closed, the database is dismounted and the instance is shut down.
2. Transactional: Oracle waits for all open transactions to finish and then
disconnects users and shuts down the database.
3. Immediate: No new connections and transactions are allowed. PMON ends all
user sessions and performs a rollback of any open transactions, and only then
shuts down the database.
4. Abort: No new connections and transactions are allowed. No rollback of open
transactions. Users are disconnected and Oracle processes are stopped.
Note: With the first three methods above, the database is shut down in a
consistent state and does not need recovery at next restart.
Default mode for Oracle shutdown is normal
The Oracle commands shutdown immediate and shutdown abort stop the Oracle
instance even if work processes still have connections to the database.
Oracle info messages, warnings and errors are logged in Oracle dump files, i.e.
background and user trace files, which are located in the SAPDATA_HOME directory.
The background directory stores the alert log file, alert_<SID>.log, whereas the user
directory stores trace files written on behalf of shadow processes.
(Q) Why do I need SPFILE<SID>.ora even though I have init<SID>.ora ?
(A) From Oracle 9i init<SID>.ora is replaced by SPfile<SID>.ora or SPfile.ora.
(Q) If a file is missing from the chain of offline redo log files, then what will we do?
(A) We have to perform a restore and recovery of the database. Recovery is
performed using the point-in-time method, by which all the offline redo log
files older than the last one are used for recovery.
(Q) What are the causes for logical errors related to Database ?
(A) (i) Manually deleting parts of Database objects such as Rows in a table.
(ii) Manually dropping Database Objects.
(iii) Manually dropping Application Objects.
(Q) Is Point in Time Recovery a standard Solution for logical errors in production
system ?
(A) NO
2) Whole Backup:- It creates a Backup of all the data without the Catalog.
Incremental Backup:
i) This backup is used for saving the data blocks that have changed since the
time of the full backup.
ii) An incremental backup shortens the amount of data to be backed up,
but not the backup time.
iii) An incremental backup is based only on the previous full backup.
(Q) If the Corresponding Full Backup is already overwritten and can I use
Incremental Backup ?
(A) NO, Incremental Backup is useless.
(Q) Can I perform a Backup of Individual data files using Incremental Backups ?
(A) NO
Partial Backup:
The backup of Database in smaller parts is called as Partial Backup.
NOTE:- Sum of individual partial Backups form an Entire Complete Backup.
NOTE:- Recovery using partial backup data is very time
consuming, because it needs all the oldest Backup Offline and Online recovery
Processes.
(Q) What are the various Backup strategies used in SAP ?
(A) There are 3 Backup strategies in SAP
i) Complete Backup:- Restore missing database files from the complete backup,
restore offline redo log files written during and after this backup.
ii) Incremental Backup:- Restore missing data files from the last full backup,
update them with a restore from the last incremental backup.
iii) Partial Backup:- If we replace complete backups with partial backups, we need a
longer time to perform a recovery from a media crash.
TOOLS:
(1) BRBACKUP: Backup of Oracle data files, control files, DB redo log files, Oracle
software directories and SAP system directories.
(2) BRARCHIVE: Backup of redo log files.
(3) BRRESTORE: Restores all DB files and offline redo log files
(4) BRRECOVER: Checks the database for missing files; it calls BRRESTORE for
restoration of missing data and offline redo log files.
NOTE:
(1) Both BRBACKUP and BRARCHIVE records their actions in log files, BRRESTORE
uses above logs for restoration of missing files.
(2) Both BRBACKUP and BRARCHIVE supports Backup to Tapes, Disks as well as
Backups with Third party Tools.
Important Parameters for Configuration of BRBACKUP and
BRARCHIVE(Init<SID>.SAP)
Sap Database Notes 1:
Database:
Oracle database: is a collection of data stored in one or more data files on disks.
Oracle manages database data in logical units called table spaces.
of logical system.
7) Save the entries
8) Once we expand test for individual systems we normally see the message for
each system. ALE distribution was saved, central user admin activated and then
comparison was started and should be in green.
Note: If any problem messages refer to sap note 333441 in market place.
9) Use transaction SCUG in the central system to perform the synchronization
activities between the central and child system.
10) Use transaction SUCOMP to administer company address data.
Q) If all the users are locked mistakenly, how do we connect to SAP system ?
A) Follow the steps
Step 1) Go to OS level and execute the following SQL scripts after connecting to
Oracle DB
Select * from <Application Server name>.USR02 where bname='SAP*';
Delete from <Application Server name>.USR02 where bname='SAP*';
Step 2) Then Login using SAP* user
Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.
Note:
USR02 is a table in which all user master records are stored.
Killing SAP* will automatically recreate a user master record in USR02 table.
Portal Security
All security related activities like Creation of User accounts and Creation of roles
which are normally performed using SU01 and PFCG can be done using portal.
In Portal administration there are two ways of maintaining users and roles
information.
1) Accessing portal using an URL
2) Accessing portal using Active Directory Service
Note:
1) Any portal URL, the ports will be in the 50000 series.
2) For portal we need J2EE engine to be installed and no need of ABAP engine to
run.
3) All roles are configured in active directory service which are related with only
portal i.e. users need to enter travel expenses and file their timesheets using
portal, then separate roles are provided which are related with portal. These
roles provide access to users to display the screens as well as store the
information in DB.
4) Some portal screens will be integrated with SAP system i.e. PROS. Instead of
logging into SAP system we use the portal screens from which the user provide
the inputs and gets automatically saved in SAP DB.
Problems in Portal
Problem 1) Global page missing
Solution:
Check in Active Directory whether the user has been correctly added under the
role which is considered as global
Note:
In active directory services we have 2 types of roles
1) Global roles -> Provide access for an user to login to portal i.e. for the initial
screen to appear. They are classified based on region the user belongs to. For
example: Africa, Europe etc.
2) Local Roles -> Provide access for certain T Codes or activities which the user
needs to perform. Eg: Time sheet filling, travel expenses. Local roles are
categorized based on the location the user is situated. Eg: Country Wise IN, USA,
AF
3) Every user who access portal must have one global role and n of local roles.
Problem 2) User reports Not able to access ESS
Solution:
Check the global role
Check the exact local role, assigned to a user
Problem 3) User reports he is able to access other global screens instead of
his own screen
Solution:
Find which global screens user is able to access.
Go to AD service and then to particular global role.
Edit the role and check if the user ID has been added to that particular role.
If it is added then remove the user ID and add the user ID to the correct global
role and inform the user to restart his system in order to access new changes.
Note:
1) Assigning users using AD service is considered a direct assignment, whereas
assigning users using portal is considered an indirect assignment. This is
similar to assigning users in SAP using PFCG (Direct assignment) and SU01
(Indirect Assignment).
2) Unicode in SAP supports 13 languages. All character sets of these languages
are embedded in the software. Non-unicode is language specific.
3) The upgrade of SAP system from non-unicode to Unicode is possible whereas
the other way is not. To achieve the transition from non-unicode to Unicode we
need to have Non-Unicode export kernel CD and Unicode import kernel CD.
4) SU3 is the transaction code for maintaining user own data.
5) SCAT, T-code is used for running CATT scripts.
6) ACTVT field indicates the type of activity, i.e. create, change, generate and
delete.
7) In PFCG transaction code, a profile indicates a unique identifier generated by
system to identify a role.
8) Notation for parent role is Z> and for Child / Derived Role it is Z:
9) Roles starting with SAP_ (SAP defined roles) should not be generated;
instead they are used as templates. Hence if we want to use any SAP role, first
copy the role to a customized role and generate it.
10) SAP_ roles are used mainly during implementation.
11) All roles are of type Basic maintenance only whereas HR related roles and
work flow related roles are of type complete view. By default the roles are of type
basic maintenance.
12) Before we delete a role, it has to be added to a transport because these
actions are performed in DEV system.
13) Profile names come by default if it has to be changed then it has to start with
Z.
14) Color indications in authorizations
a. Red -> No organization values
b. Green -> All fields have values
c. Yellow -> Some field values are missing.
Role Distribution
Distribution of a role can be done using
-> Go to transaction code PFCG -> Menu tab -> Distribute button
-> Enter the target system i.e. an RFC connection needs to be created between
source and target system.
-> This procedure is distributing the roles between source and target using RFC
connections
-> If a role is being distributed to a target system only the structure is being
copied and not authorizations. Hence we need to maintain the authorization for a
role in the target system.
Security (Part-3):
As part of our daily activities we might receive the tasks as follows
1) Changes in form of tickets. (Various 3rd party tools are available)
2) Changes in form of CR
Each ticket has its own priority i.e. SLA. Based on the priority there will be
response time and resolution time for each request.
SLA (Service Level Agreement)
Priority   Type            Response Time   Resolution Time
1          Very Critical   10 min          30 min
2          High            30 min          1 day
3          Medium          60 min          4 days
4          Low             4 hrs           ----
Note:
Response time is time in which we acknowledge the user request, i.e. once a
ticket comes into our queue the first major priority is to accept the ticket on our
name, once this is done we have to send an acknowledgement to the user
informing that someone is working on this issue via email, chatting tool or phone.
Resolution Time: This is the time in which we have to solve the issue.
Note: By default the status of any ticket is in Open status
Stages of ticket:
1) Open
2) Working / In-progress + Assigned to our Name + Inform the user + Copy
the comments in the tool under notes column.
3) Closed + Issue Resolved + Inform the user + communicate + Copy the
comments in the tool under notes column.
4) Waiting + Needed some inputs from the user to solve the issue + inform the
user + Copy the comments in the tool under notes column.
5) Hold + Waiting due to user unavailability i.e. user has gone for vacation +
Copy the auto response regarding user unavailability and paste the notes
6) Cancelled: If there are duplications or same request being raised then we can
cancel one of the requests by mentioning the previous request no under the
notes column. (Or) If the user wishes to cancel his /her request then copy the
confirmation under the notes and select cancel button.
Types of CR ( Change Requests)
Work bench / Customizing
1) New functionality CR: This CR carries new functionality changes which are
done for the first time i.e. creation of totally new roles.
2) Operational CR: This CR carries the changes which are done on a day to day
basis i.e. modification of roles and deletion of roles.
3) Defect CR: This comes in form of ticketing request i.e. based on the ticketing
request raised by the user using the ticketing tool we decide whether we need to
create a defect CR.
Eg: Some access is already there for a user, but it was lost due to some reason
and we investigate and find out that these changes have to be there for users. In
this scenario we raise a defect CR.
To rectify a defect CR
CR forms are created based on the quarterly release i.e. we have 4 quarterly
releases in a year. During this release different people i.e. technical + functional
consultants + security administrators get involve and analyze various roles
based on the inputs provided by the auditors
This is where SOX policies come into play. In order to identify the various
defects and conflicts in roles and between transactions we use various SOD
(Segregation of duty) tools like VIRSA, BIZRights. The process of identifying the
defects or conflicts among the existing transactions and rectifying them is known as
mitigation.
Ex: MM01 x MM02
1) Create X Change
2) Change X Delete
3) Create X Delete
Note: Default access is Display
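The conflict pairs above can be checked mechanically against role assignments. The following Python code is an added example, not part of the original notes or of any SOD tool: the role names, user names and the MATERIAL area are constructed, and the activity codes follow these notes (01 create, 02 change, 03 display, 06 delete).

```python
from collections import defaultdict

# Activity codes as used in these notes.
ACTIVITY = {"01": "Create", "02": "Change", "03": "Display", "06": "Delete"}

# The three conflicting pairs listed above. Display (03) appears in no rule,
# so holding it never produces a conflict.
SOD_RULES = [("01", "02"), ("02", "06"), ("01", "06")]

# Constructed sample data (hypothetical names): role -> {(area, activity)}.
ROLES = {
    "Z_MAT_CREATE":  {("MATERIAL", "01"), ("MATERIAL", "03")},
    "Z_MAT_CHANGE":  {("MATERIAL", "02"), ("MATERIAL", "03")},
    "Z_MAT_DISPLAY": {("MATERIAL", "03")},
    "Z_MAT_ADMIN":   {("MATERIAL", "02"), ("MATERIAL", "06")},
}
USERS = {
    "ALICE": ["Z_MAT_CREATE", "Z_MAT_DISPLAY"],
    "BOB":   ["Z_MAT_CREATE", "Z_MAT_CHANGE"],
    "CAROL": ["Z_MAT_ADMIN"],
    "DAVE":  ["Z_MAT_DISPLAY", "Z_UNKNOWN"],   # Z_UNKNOWN is not defined
}


def role_conflicts(role_name, roles=ROLES, rules=SOD_RULES):
    """Conflicts contained inside a single role (a defect in the role itself)."""
    by_area = defaultdict(set)
    for area, actvt in roles.get(role_name, ()):
        by_area[area].add(actvt)
    return sorted((area, a, b) for area, held in by_area.items()
                  for a, b in rules if a in held and b in held)


def user_conflicts(user, users=USERS, roles=ROLES, rules=SOD_RULES):
    """Conflicts a user holds across all assigned roles.

    Returns (area, actvt_a, actvt_b, roles_a, roles_b, level) tuples. level is
    "role" when one role carries both sides (the role must be changed) and
    "user" when the conflict only arises from combining roles.
    """
    granted_by = defaultdict(set)            # (area, activity) -> roles
    for role in users.get(user, ()):
        for grant in roles.get(role, ()):    # unknown roles grant nothing
            granted_by[grant].add(role)
    findings = []
    for area in sorted({area for area, _ in granted_by}):
        for a, b in rules:
            roles_a = granted_by.get((area, a))
            roles_b = granted_by.get((area, b))
            if roles_a and roles_b:
                level = "role" if roles_a & roles_b else "user"
                findings.append((area, a, b, sorted(roles_a),
                                 sorted(roles_b), level))
    return findings


def report(users=USERS):
    """One readable line per conflict, users in alphabetical order."""
    lines = []
    for user in sorted(users):
        for area, a, b, ra, rb, level in user_conflicts(user, users):
            lines.append(f"{user}: {area} {ACTIVITY[a]} x {ACTIVITY[b]} "
                         f"({level}-level; {', '.join(ra)} vs {', '.join(rb)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no conflicts")
```

A role-level finding cannot be cleared by changing the user's assignments; the role itself has to be split, which is the kind of change a defect CR carries.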
HR Security Activities
There are two types of HR security activity:
1) Delegation of Authority
2) Structural Authorizations
Delegation of Authority: a process by which a delegate delegates/assigns his/her access to a delegator for a certain period of time, i.e. during this period all the POs (Purchase Orders) or any items coming into the owner's inbox will go to the delegator's inbox.
Note: The delegator can delegate the access only to a person in the same hierarchy or a higher hierarchy.
The only issues which we get here are problems with workflow, i.e.:
Items not appearing in the inbox
An item appearing in the inbox even after the period has expired
No access to approve the POs appearing in the inbox.
The first two problems are rectified by the workflow administrator. The last issue is related to the approve access. Before we provide the approval access, we have to identify whether that particular person already has an access or not.
If he already has an access, notify him by email that, as per the security policy, any user can have either create or approve access and not both.
Steps related with delegation of Authority
1) Log into the HR box and go to PA20, i.e. display HR master data
Enter the personal details
Select the organization assignment and the period "today"
The output will be the position number or personnel number
Copy the position number and go to PO13 (Maintain Position)
December 5, 2013
SAP BASIS NOTES -13
7) Once the role is generated, assign the role to a user using SU01, (or) add the user to the role using PFCG -> User tab.
8) Always assign only derived roles to a user. Whenever you add a user to a role, always run user compare.
9) To refresh the user buffer with new values, we always have to run user compare.
Compare User Master Record:
Comparing the user master record can be done in 2 ways:
1) A default background job, i.e. the report PFCG_TIME_DEPENDENCY, is executed before the start of the business day but after midnight, meaning that the authorization profiles in the user master record are always up to date in the morning.
2) Using transaction PFUD (user master record reconciliation). As admins, we should execute this transaction regularly; in this way we can manually process errors that have occurred.
Authorization Troubleshooting for a User
Whenever a user tries to execute a transaction which is not assigned, or tries to perform an activity which is not defined for an existing transaction, the user gets a "Not authorized to ..." error.
In such a case, ask the user for an SU53 screenshot.
SU53 Analysis
SU53 has 2 parts:
1) Authorization check failed: It captures the actual cause of the error.
2) User's authorization data: It captures the existing access of the user.
Note: To check the SU53 analysis of other users, go to SU53 and click on Display for different user/authorization object.
Analysis using SUIM
Scenario 1: A user has access to plant 1000 in MM01. He now tries to create for plant 0001 and gets the error "no authorization to the plant 0001".
Solution: Request an SU53 screenshot. Once you receive the screenshot:
Go to SUIM.
In SUIM, check the roles which have access to plant 0001.
SUIM -> Go to Roles -> Roles by complex selection criteria and deselect the user.
Go to Authorization Object 1, enter the object from the SU53 screenshot and select the entry values button.
Enter the values as per SU53 under the authorization object and select the Execute button.
Double-click on the role which we want to assign.
It will automatically take us to the PFCG transaction.
Go to the Authorization tab -> Select Display authorization data.
Go to the Find button (Ctrl+F).
Enter the authorization object in the authorization field and press Enter on Find Object.
Go to Utilities and select Technical names on
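The SU53/SUIM procedure above amounts to replaying the failed authorization check against the authorizations in each role. The following Python code is an added example, not SAP's implementation and not part of the original notes; it assumes the failed object is M_MATE_WRK (fields ACTVT and WERKS), and the role and user names are hypothetical. It goes beyond the single case in the text by handling value ranges and patterns and by ranking the matching roles narrowest first.

```python
def value_matches(granted, required):
    """True if one granted value covers the required value.

    granted is "*" (anything), a prefix pattern such as "10*", an inclusive
    (low, high) range compared as character strings, or a single value.
    """
    if isinstance(granted, tuple):
        low, high = granted
        return low <= required <= high
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def authorization_passes(auth, check):
    """All checked fields must be covered by this ONE authorization."""
    if auth["object"] != check["object"]:
        return False
    return all(
        any(value_matches(g, required) for g in auth["fields"].get(field, ()))
        for field, required in check["fields"].items()
    )


def mm_auth(actvt, werks):
    # Helper for the constructed data below (object name is an assumption).
    return {"object": "M_MATE_WRK", "fields": {"ACTVT": actvt, "WERKS": werks}}


# Constructed sample roles (hypothetical names).
ROLES = {
    "Z_MM_PLANT_1000": [mm_auth(["01", "02", "03"], ["1000"])],
    "Z_MM_PLANT_0001": [mm_auth(["01", "02", "03"], ["0001"])],
    "Z_MM_ALL_PLANTS": [mm_auth(["*"], ["*"])],
    # Create in plant 1000 and display in plants 0001-0099 are two separate
    # authorizations, so together they still do not allow create in 0001.
    "Z_MM_MIXED": [mm_auth(["01"], ["1000"]),
                   mm_auth(["03"], [("0001", "0099")])],
}
USER_ROLES = {"JSMITH": ["Z_MM_PLANT_1000"]}

# "Authorization check failed" part of SU53: create (01) in plant 0001.
SU53_FAILED_CHECK = {"object": "M_MATE_WRK",
                     "fields": {"ACTVT": "01", "WERKS": "0001"}}


def role_passes(role, check, roles=ROLES):
    return any(authorization_passes(a, check) for a in roles.get(role, ()))


def user_passes(user, check, user_roles=USER_ROLES, roles=ROLES):
    return any(role_passes(r, check, roles) for r in user_roles.get(user, ()))


def breadth(role, check, roles=ROLES):
    """Rough width of a role for the checked object: (wildcard or range
    values, total values). A simplification used only for ranking."""
    wide = total = 0
    for auth in roles[role]:
        if auth["object"] != check["object"]:
            continue
        for specs in auth["fields"].values():
            for spec in specs:
                total += 1
                wide += isinstance(spec, tuple) or spec.endswith("*")
    return (wide, total)


def candidate_roles(check, roles=ROLES):
    """Roles that would satisfy the failed check, narrowest first."""
    passing = [r for r in roles if role_passes(r, check, roles)]
    return sorted(passing, key=lambda r: (breadth(r, check, roles), r))


if __name__ == "__main__":
    print("user passes:", user_passes("JSMITH", SU53_FAILED_CHECK))
    print("candidates :", candidate_roles(SU53_FAILED_CHECK))
```

Z_MM_MIXED holds activity 01 and plant 0001 but in different authorizations, so it does not appear among the candidates; the all-plants role does, and is ranked last.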
Second Method of Role Maintenance
1) Create a parent role and Add Transaction codes in menu tabs and generate
the role.
2) Create child roles and assign the parent and generate the child nodes.
Note: The generation of child roles/derived is always done from the parent role.
Process:
Go to Authorization
Edit Read old/merge with data.
Make changes in parent role
Generate Parent
Finally generate derived roles button (or) select Auth -> Just Derived -> Generate
derived roles
This will generate automatically all the derived roles from the parent role.
Note: In this method org values cannot be maintained using parent role, we
have to individually maintain org values in the derived roles.
Mass Generation of Derived Roles:
Copy all the derived roles into a notepad
Go to PFCG -> Go to Utilities -> Select mass generation -> In the mass generation screen:
Select all roles under presentation
Select Display data when created and changed
Click on Role -> Multiple Selection
Note:
Go to the notepad, select all and copy
Come back to the multiple role selection and select the upload from clipboard button
Select the check entries button
Then select the copy button and the execute button.
Deletion of a Role:
Before deleting any role, first add the role to a transport and then proceed with the deletion.
Q) Why do I need to add a role to transport?
A) All the changes to the roles are done in development box and move to
production. If I delete a role in dev box, the same role has to be deleted in prod
because these roles are finally used by the users in prod box only. Hence the
deleted role needs to be transported.
Go to PFCG select the role to be deleted. Keep the role in a transport by selecting
transport role button.
Note:
1) In the choose objects options, never check user assignment. Assignments of users to a role are done only in the production box.
2) Changes done using SU24 are of type workbench.
3) Changes done using PFCG are of type customizing.
SUIM change documents:
For users:
1) Used to find when a user was created or deleted, as well as password reset and user lock/unlock information. Besides this, we can track information about roles, such as when roles were added and deleted, who performed the action, and the date of the action.
Scenario 1:
Q) Unlock a user or track why the user is being locked?
A) Go to SU01 -> Enter the user ID -> Logon data and check whether the user is locked.
Go to SUIM -> Change docs for user -> Enter the user name and execute.
Note: Locks are of 2 types:
1) Locked due to incorrect logon
2) Locked by admin
If the lock is of type admin lock, we need to contact the admin for the reason for locking; hence never unlock directly.
If the lock is due to incorrect logon, go to SU01, select the user and press the unlock button.
Scenario 2: Mass user locking during upgrade:
1) Go to SU01, select * under the user column
2) This will give the entire list of users in the system
3) Copy the usernames into a notepad
4) Go to SU10, copy/paste the users and select lock
Note: In SU10 we cannot set the password for all the users.
Reference User is for internet purpose.
Note: Assignment of reference user
Go to SU01 -> Under the Roles tab -> Reference user for additional rights, where we enter the reference username.
Process steps followed in security - Requests coming in form of CR / Templates
1) Request comes in form of Approved CR form (Unique ID = CR Name)
2) Login to DEV and perform the action as per CR form requirement
3) Put the completed task in DEV under a TP ( CUST/WORKBENCH)
4) Transport / Move the TP to QAS for testing
5) Create a test id in QAS with the above changes and send the test id details to
the CR Owner.
SAP BASIS INTERVIEW QUESTIONS & ANSWERS :
1) How do I assign roles to a specific group, not to a specific user, and apply the roles to all users in that group? This particular group has four users.
Go to SUIM, enter the user group name in Users by Complex Selection Criteria and execute to get the user list. Then execute SU10, enter the list of users and assign the role to them.
2) What is fire fighter? When do we use fire fighter?
Fire Fighter is used if you have implemented Virsa/GRC.
Fire Fighter is a Virsa tool; it is used to execute critical tcodes when doing configuration.
A Fire Fighter ID is also a normal user ID, but it has some specific access [say SU01 or SAP_ALL] as per the needs. The user type is kept as "service user".
When it is used: Say, in your project you are a security administrator who does not have direct access to SU01 but needs the access urgently.
Then the FFID owner/administrator assigns you an FFID for a limited period, so that you can perform the task from your own login ID and password, using tcode /n/virsa/vfat and logging in with that FFID.
While logging in you will be prompted to give a business reason for the access.
Everything you perform in that period [using the FFID] gets recorded for auditing.
3) I need to give authorization to a user for the SU01 tcode, but the delete option should not work, i.e. the user should be able to create, display, change etc. but not delete in SU01. How can I do this?
Delete activity 06 from S_USER_GRP.
4) What are the components in VIRSA tool and GRC?
In GRC we have these tools:
Access Enforcer
Compliance Calibrator
Role Expert
Fire Fighter
In the VIRSA tool we have: VRAT and VFAT
5) How to create a new authorization object?
Using SU21 we can create a new authorization object.
6) Can anyone tell me what exactly the use of the SU24 and SU25 transaction codes is?
SU25: A transaction that copies SAP defaults from USOBT & USOBX to USOBT_C and USOBX_C.
USOBT is a table that consists of transactions and authorization objects. It stores default values of authorization from authorization objects.
USOBX is a table that defines the necessary authorization checks that need to be performed within a transaction.
Initially both tables USOBT and USOBX consist of default values. These two tables are then used to fill the customer tables USOBT_C and USOBX_C through the transaction SU25.
SU24: A transaction that maintains the assignment of authorization objects in the customer tables USOBT_C and USOBX_C.
7) What is the difference between copy roles and derived roles?
In a derived role, all the transactions of the parent role are copied, but not the org structure and authorizations, and we can't add more transactions in the derived role.
In copy roles, all the transactions with authorizations are copied.
8) What is temp role and copy role?
Temp role: the SAP standard role, which is defined by SAP.
Copy role: a copy of an existing role.
9) How to transport roles?
1. Create a transport request in SE10.
2. PFCG - please specify the role name - press the transport button(truck icon).
*** In case of multiple roles, go to utilities-mass transport**
3. There will be three info screens. Give tick mark.
4. Give the transport request number, which you created in SE10.
5. Press ok.
6. To confirm the changes, go to se10 and see your request number, right click
and verify the roles are attached.
10) What are various user types?
Dialog (A)
System (B)
Communication (C)
Service (S)
Reference (L)
Dialog users are used for individual users. Expired/initial passwords are checked. It is possible to change your own password. Multiple dialog logons are checked.
A Service user: only user administrators can change the password. No check for expired/initial passwords. Multiple logons are permitted.
System users are not capable of interaction and are used to perform certain
system activities, such as background processing, ALE, Workflow, and so on.
A Reference user is, like a System user, a general, non-personally related, user.
Additional authorizations can be assigned within the system using a reference
user. A reference user for additional rights can be assigned for every user in the
Roles tab.
SAP BASIS INTERVIEW QUESTIONS & ANSWERS :
1) Under description, when creating a role, what should be written there? What does your company follow?
The description of a role defines the role-related activity in short. Just by seeing the description of the role, one can easily know the role details, like:
Which SAP module the role belongs to (MM/PP/FICO)
The company code/org level values
Restricted values can also be mentioned there
The activity performed after assigning that particular role.
2) What is the correct procedure for mass generation of roles?
1) Tcode SUPC is for mass generation of roles. Or you can use scripts.
2) Program SAPPROFC_NEW: insert the roles to be generated and execute.
3) PFCG > Utilities > Mass Generation
3) Can we assign generated profiles to users directly ?
No, we can't assign a generated profile to user directly; we have to as the role
If the role is deleted without adding it to a transport then we will not be able to
delete the same role in other systems like Acceptance / Quality / Production in
CUA Environment.
10) What is the main difference between role and profile?
Roles are the set of authorizations.
Profiles are sub components of roles.
We can assign a role to a user but not a profile.
Roles are collections of different transactions, reports and web links, whereas a profile is nothing but a set of authorizations which defines the behavior of the transactions listed in the role menu. Another difference is that we can assign roles to users using PFCG, but we cannot assign manually created or generated profiles directly to users using PFCG.
SAP BASIS INTERVIEW QUESTIONS & ANSWERS :
1) A user is asking for a t-code to be assigned. How do you assign the t-code?
First we have to check whether the user already has access to the particular tcode. If not, run SUIM with roles by complex selection criteria --> put object 1 as S_TCODE with the required tcode as its value and hit the execute button. The query will fetch a list of roles. Select a role that has minimum authorization and satisfies the user requirement, and assign the role to the user.
2) A user is not able to execute a t-code; how do you solve that? What are the different reasons that might exist?
Reason:
1. Tcode does not exist
2. User context missing authorization for that tcode
3. User comparison is not current
How to solve:
1. Check if the user has the tcode or not.
4) What are the authorization objects which are always present in the user master record?
For the user master record, as you must know, there are different tabs of the UMR. So as per my understanding, the UMR stores information about users, like name, roles assigned, license data.
Objects which are always present for the UMR are:
S_USER_AGR, S_USER_GRP, S_USER_AUT, S_USER_PRO, and each of these objects has its own importance, because S_USER_AGR helps to maintain roles assigned, S_USER_GRP helps to maintain the authorization group in Logon Data, and S_USER_AUT and S_USER_PRO help to maintain the set of authorization profiles and the different authorizations included in each profile.
10) How to find the list of users already locked before a particular date?
Example: list of users already locked before 01/01/2010
Go to SUIM - USERS - USERS BY COMPLEX SELECTION CRITERIA, scroll down to the bottom, go to ADDITIONAL SELECTION CRITERIA, then give the validity date and check the check box of the option LOCKED USERS ONLY, then execute; you will get the list of the locked users.
SAP BASIS INTERVIEW QUESTIONS & ANSWERS :
1) What is the difference between 4.7, ECC 5 and ECC 6 from an SAP Security point of view?
SAP GRC, which is a security tool, can be implemented only on ECC 5.0 and ECC 6.0 but not on 4.7EE.
SAP 4.7 is an ABAP-based system; here we see only R/3 security.
SAP ECC 5.0 and SAP ECC 6.0 include both ABAP and JAVA stacks, which means the enterprise portal is also included. Here we can have both R/3 security for the ABAP stack and JAVA stack security, which is part of the portal concept (Enterprise Portal Security).
2) What do you mean by profile and object?
A profile is an authorization profile, whereas an object can be an authorization class, an authorization object, or a field and value. So, to make up a profile it requires several objects.
More precisely, a profile is a set of different authorizations for different objects. When you create a role and generate its profile, the objects corresponding to the transactions you have added in the role menu are automatically fetched by the profile generator. Which objects get fetched for which transaction can be checked using tcode SU24; only objects with check/maintain status are fetched by the profile generator during profile generation. For better understanding, keep in mind that for every tcode there is a certain set of objects. Each object has different fields, and each field has values, e.g. 01, 02, 03 for create, change, display respectively.
4) I want a list of users along with roles for a client. How to do it?
We can use tcode SE16 with table AGR_USERS; in UNAME enter the user IDs and in AGR_NAME the role name.
You can get it in SUIM also.
5) In an environment of derived roles, a user is asking for a t-code which is not found in SUIM when searching roles. What will you do?
1. Check if the tcode exists or not.
2. Try to search for the role with S_TCODE, putting the tcode in "roles by complex selection criteria".
3. You should at least get an SAP standard role, which should not be assigned.
If after doing all this you are not able to find any end user role available in the system, the next step is to propose adding the tcode to a suitable role.
As it's a derived role environment, the tcode needs to be added in the template / parent role.
Take approval from the BPR/role owner for the role modification. They will decide which parent role to change.
Change the role [by adding the tcode] in Dev and transport it to the rest of the systems in the landscape.
6) Can you secure profiles? If so, how to do it?
Yes you can. Secure Profile S_User_PRF
7) I want to lock all the users except SAP* and DDIC of a particular client?
SU10
F4 on the user ID field
Change the hit list restriction according to the users present
Enter
It will bring all available users
Remove SAP* and DDIC from the list
Select all and enter
It will bring you back to SU10
With all users except SAP* and DDIC
Select all
Lock
It will lock your user also
(OR)
We can do it by EWZ5
You can create a SECATT script to delete the users, which is easy to create and easy to execute.
You can also delete users of a particular client by using t-code SU10.
Update your SAP Kernel in a SAP ECC system :
1. First of all, go to the SAP Service Marketplace (service.sap.com), and download your desired kernel version:
Downloads --> SAP Support Packages --> Entry by Application Group --> SAP NetWeaver --> SAP Netweaver --> SAP Netweaver <version> --> Entry by Component --> <select component> --> <select your system version> --> #Database independent (this is part I. In the same step, select your database to download part II of the package).
2. After you have the two parts downloaded, log in at OS level and uncar the 2 parts in separate directories. Copy part I into a new folder, and copy part II into the same folder (in some cases files may need to be replaced; replace them, don't worry).
3. Stop the database, SAP and the services related to them (SAPSID##, SAPOSCOL).
5. Delete the old backed up kernel, and copy the new kernel there.
Now just confirm the new kernel version in SAP.
ST03N is used to analyze statistical data for the ABAP kernel and monitor
the performance of a system. You can display the total values for all instances,
and compare the performance of particular instances over a period of time.
The workload overview provides system administrators with various detailed
information about the most important workload data, such as the CPU time, the
number of database changes, the response times, and so on. You can
display the workload overview for all task types (Dialog, Background, RFC,
ALE, and Update), or only for one particular task type.
Workload Overview :-
Processing time: This is equivalent to response time minus the sum of wait time, database request time, load time, roll time, and enqueue time.
Hint: > 2x of CPU time
Probs: Hardware
when user request is entered in the dispatcher queue; and ends when the
request starts being processed.
Hint: < 10% of response time
Probs: long running tasks, locked tasks, not enough work process
Solution:
In SM50,
Check whether all the configured work processes are in Waiting or Running state. If all the work processes are in Running state, then increase the number of Dialog work processes.
In SM66,
This monitor will help to analyse the total work processes configured in all the
servers and instances.
Average load & generation: The time needed to load and generate objects.
Hint: < 10% of response time, < 50ms
Probs: Program buffer, CUA buffer, screen buffer too small
GUI time: Response time between the dispatcher and the GUI during the roundtrips (roundtrips are communication steps between the SAP system and the front end during a transaction step).
Hint: < 200ms
Probs: network between GUI & SAP
Solution:
In ST06,
Go to Detail Analysis Menu -> LAN Check by PING. If there is high Avg. time
or Loss time for any presentation servers, means there are some settings need to
Roll in time - The time needed to roll user context information into the work
process.
Hint: < 20ms
Probs: SAP memory configuration (extended memory, roll buffer)
Post Installation Steps :
After installing R/3 on a new system, Basis has to perform some post-installation steps before handing over to end users for operation. Post-installation steps make sure that the system is ready, properly configured, tuned and able to take the load of user requests.
Below are some standard steps which have to be performed immediately after the installation is finished.
PART 1:-
9. Login as SAP*/000
10. Execute SCC4 -> Click on change button -> Confirm the warning and click
on new entries to create a new client.
11. Execute RZ10 -> Utilities -> Import profiles -> Of Active Servers
PART 2:-
2. Perform local client copy procedure to copy new client from 000 client.
3. Once the client copy is over, log in to the new client using SAP* and the password of SAP* which was used in client 000
4. Execute RZ10 -> Select Instance Profile -> check Extended maint -> click
on change.
8. Create one or two super users using SU01 with profiles SAP_ALL and SAP_NEW
10. Stop and Start SAP R/3 for profile parameter to be in effect.
14. Follow the kernel, SPAM and support pack application methods
15. Now system is ready to login and work for developers and administrator
17. Run SGEN to regenerate the objects. In this process SAP keeps all the required objects accessible in the SAP buffer, so that accessing transactions becomes faster.
Support Pack Upgrade Process :
Support Pack Application:
1. Check the current patch in your system.
2. Find out what is the latest patch level available for above components.
Download -> Support Packages and Patches -> Entry by Application Group-> Application
Components ->SAP R/3 Enterprise -> SAP R/3 Enterprise 47 X 110 -Entry by component
-> SAP R/3 Enterprise Server-> SAP_BASIS620 ->
3. From the list select which component you want and click on it.
E.g. click on SAP BASIS 6.20 and select the patch level you want (e.g. 25), comparing it with your current patch level. Select all the patches by which you are behind the current level and add them to the download basket.
Repeat the same step for all components you want to apply for your system.
4. Download all the patches you added to download basket by using SAP Download
Manager.
5. Save all the .CAR files to your local hard drive say C:\supportpacks
6. Now transfer all these .CAR files to your Unix server where SAP is running, using ftp.
ftp steps
go to command prompt
cd c:\supportpacks
c:\supportpacks\> ftp solsrv (solsrv is the unix servername)
username : SIDADM
password : (Password of SIDADM)
ftp> cd /download/supp_pack
ftp> bin
ftp> mput *.CAR (press y for all the confirmations)
ftp> bye
# cd /download/supp_pack
# CAR -xvf <Filename1>.CAR (files are extracted to .../EPS/in folder)
Repeat extraction for all .CAR files
You will get the files with extension .ATT and .PAT
8. Now go to /usr/sap/trans/EPS/in directory and remove the existing files out there.
# cp /download/supp_pack/* /usr/sap/trans/EPS/in
# ls -l
10. Login to SAP using a superuser other than SAP* and DDIC to 000 client.
12. Click on Support Package -> Load Packages -> From Application Server.
Here all the .ATT and .PAT files are converted into the proper patch format and become available at SAP level, so that support packs can be applied as per the requirement.
Click on Back button
14. Ask all the users to logoff from the system OR lock all the users in all business clients
using customizing program or SAP tool.
15. Make sure you have full backup of system before applying the patch
and enough downtime to apply the patch
SPAM Update
16. Select support package ->Import SPAM update to update the SPAM version.
Applying Patch
Before applying the patch to the system, we have to check if there are any objects under modification or any transport request in modification condition. If there are any, we may have to adjust those prior to applying the SAP patch.
Basis Information
A set of middleware programs and tools that provide the underlying base that enables applications to be interoperable across operating systems. SAP Basis includes an RDBMS, GUI, and client-server architecture. It's a piece of middleware which links the application with the database and the operating system. Basis is most commonly associated with the GUI interface to SAP.