SAP: SID, Client, Instance
SID: System Identifier
3 characters (uppercase letters and digits); the first character must be a letter, and SAP reserved words (e.g. SAP, SID, ALL) are not allowed.
AAA -- HPE, HDE, HQE
AAN -- HP1, HQ1, HD1
ANA -- H1D, H1Q, H1P
NNA (11D, 11Q, 11P) is not a valid pattern: a SID cannot start with a digit.
Landscape: DEV -> QAS -> PRD
DEV: IT users
QAS: IT users + business/end users
PRD: IT users + business/end users
FUT: Functional unit/user testing (developers/functional team)
QAT: Quality acceptance testing (functional people from business)
UAT: User acceptance testing (business/end users)
ECC – DEV, QAS, PRD
HR – DE1, QE1, PE1
GRC- GD1, GQ1, GP1
Client: 000, 001, 066 are delivered by SAP; 030, 060 are examples of customer clients.
000 – Master/Golden client: SAP standard data and client-independent customizing; the source client for client copies. Never used for business data.
001 – Copy of the golden client, delivered by SAP.
066 – EarlyWatch client (used by SAP remote services; no longer needed in current releases and should be deleted).
030 – Customer client: standard data + customer customizing and business data.
ECC 6.0 EHP 8 is the last ECC enhancement package; SAP mainstream maintenance for ECC 6.0 (EHP 6-8) runs to end of 2027, with optional extended maintenance to end of 2030.
Other SAP systems found in a landscape:
GRC
BI
S4 HANA (S4 HANA 2.0)
SOLMAN
HANA STUDIO (administration client for the HANA database)
HR
CRM, SRM, IBP, IDM….
ECC: versions of SAP
4.6 C
4.7 EE (Enterprise Edition)
ECC 5.0 - Enterprise Core/Central Component
ECC 6.0 EHP 1, 2, 3, 4, 5, 6, 7, 8 (EHP 8 is the last one)
Flavours in SAP:
IDES -- Training/demo system (Internet Demonstration and Evaluation System); typical clients 000, 001, 066, 800
Non-IDES -- Real (customer) system; typical clients 000, 001, 066, 100
Projects:
Implementation
Support
Upgrade
Roll out
Migration
Default users in SAP (standard users in SAP):
SAP*
DDIC
EARLYWATCH
USER        000  001  066
SAP*        YES  YES  YES
DDIC        YES  YES  NO
EARLYWATCH  NO   NO   YES
Delivered default passwords (publicly known; change them right after installation and verify with report RSUSR003):
SAP* ---- 06071992
DDIC ---- 19920706
EARLYWATCH --- support
SAP* ----- PASS in any client other than the three default clients (000, 001, 066) that has no SAP* user master record: this is the hard-coded kernel user with all authorizations. Disable it with profile parameter login/no_automatic_user_sapstar = 1 and keep a real, locked SAP* user master record in every client.
Powerful Profiles (never assigned to normal users in PRD; at most for emergency/firefighter use):
SAP_ALL
SAP_NEW
S_A.DEVELOP
S_A.CUSTOMIZ
S_A.SYSTEM
SAP ECC 6.0 EHP 7 -> EHP 8 (typical upgrade step; EHP 8 is the last ECC enhancement package)
Instance: instance number 00 to 99 (two digits; must be unique on a host)
Example: SID HPE, client 030 running on three instances: HPE/030/00 + HPE/030/01 + HPE/030/02
T-code: a transaction code starts a program/screen; the user needs it in S_TCODE (plus whatever objects the program checks) to perform that activity in the SAP system.
T-codes can be up to 20 characters long (field TSTC-TCODE); most standard ones are 4 characters (SU01, PFCG, SE16).
Three things security works with:
T-codes
Tables
Reports
SU01: User Administration
USER CREATION
USER CHANGE
USER DELETION
LOCK/UNLOCK
PASSWORD RESET
COPY USER
User Types:
Dialog (A): all human users are dialog users.
Password policy & license applicable.
GUI login possible.
Multiple logins possible (logged; can be restricted with profile parameter login/disable_multi_gui_login).
Service (S): shared/anonymous users; FFIDs (firefighter IDs) are commonly created as service users.
Password validity and initial-password checks are not applied (only an administrator changes the password); license not applicable.
GUI login possible. Multiple logins are permitted, so a service user should carry only limited authorizations.
System (B): for background jobs, internal RFC connections and system workflows.
Excluded from the password validity period; license not applicable.
GUI login not possible. Communication between SAP systems (SAP to SAP).
Communication (C): for external RFC connections (dialog-free communication between systems).
Password validity rules do apply even though the password can only be changed by an administrator (an expired password breaks the RFC destination, which is why SAP recommends type System for RFC users); license not applicable.
GUI login not possible. SAP to SAP and SAP to non-SAP.
Reference (L): used only to give additional authorizations to other users (entered on the Roles tab in SU01), e.g. when a user would exceed the 312-profile limit of the user master record.
Password policy & license not applicable.
No login possible.
RFC: Remote Function Call
SAP system ---RFC---> SAP system (communication/system user) ---RFC---> non-SAP system (e.g. Java)
S4HCLNT800 --------- ABCCLNT800 -------- JAVCLNT123
SNC: Secure Network Communications; encrypts GUI/RFC traffic and is the basis for SSO.
SSO: Single Sign-On
Security roles & Responsibilities:
User Administration
Role Administration
Troubleshooting authorization issues
Reports extraction based on the client requirement
Audit support
Day to Day tickets support
/n<tcode>: ends the current transaction and starts the new one in the same session (unsaved data is lost)
/o<tcode>: opens the new transaction in a new session without closing the current one
/nex: logs off from SAP immediately without a confirmation prompt
SU01: User Administration
SU01D: Display user
SU0, SU1, SU2, SU3…: end-user t-codes (maintain own user defaults/parameters)
SUGR: To create user groups in SAP
SU10: Mass User Administration
SUIM: User Information System (reports on users, roles, profiles, authorizations and change documents)
SE16: Table browser / Data browser
SU53: Display the last failed authorization check
TABLES: Data Browser in SAP – SE16/SE16N
User Admin Tables:
USR02: Logon data (user type USTYP, lock status UFLAG, last logon date TRDAT, password hashes)
USR03: User address data (older table; current address data is in USR21/ADRP)
USR04: User profile assignments
USR05: User parameters
USGRP: List of user groups in the system
USGRP_USER: Users vs user groups
USR06: User license data
USR21 & ADR6: User e-mail address
TSTC: List of all t-codes in the system
TACT: List of all activities (ACTVT values) in the system
UFLAG (lock status) in USR02 is a bitmask:
0: User not locked
32: Locked by CUA central administrator
64: Admin lock (locked in SU01)
128: Incorrect logons lock (too many failed password attempts)
192: Incorrect logons + admin lock (64 + 128)
USR40: Illegal (prohibited) password patterns, with * and ? as wildcards
SM30: Table/view maintenance (needs a maintenance dialog and S_TABU_DIS/S_TABU_NAM authorization)
SM04: List of active users on the current server/instance
AL08: List of active users on all servers/instances
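The user-admin tables above are what an auditor queries. The following is an added example, not part of the course notes: it decodes the USR02-UFLAG bitmask and runs the checks normally done with RSUSR003 (unlocked standard users) and RSUSR200 (idle or never-logged-on dialog users) over a few constructed USR02 rows. The column names BNAME, MANDT, USTYP, UFLAG and TRDAT are the real ones; the row values and the 90-day idle threshold are made up for the example.

```python
"""Added example (not from the course notes): decode USR02-UFLAG and audit
standard/idle users over constructed USR02 rows."""
from datetime import date

# UFLAG is a bitmask, so 192 = 64 + 128 (admin lock + failed-logon lock).
UFLAG_BITS = {
    32: "locked by CUA central administrator",
    64: "locked by administrator",
    128: "locked after too many failed logons",
}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH"}

# Constructed USR02 rows. TRDAT is the last logon date as DATS (YYYYMMDD);
# '00000000' is the initial value, i.e. the user has never logged on.
USR02 = [
    {"MANDT": "100", "BNAME": "SAP*",    "USTYP": "A", "UFLAG": 0,   "TRDAT": "20240301"},
    {"MANDT": "100", "BNAME": "DDIC",    "USTYP": "A", "UFLAG": 64,  "TRDAT": "20230115"},
    {"MANDT": "100", "BNAME": "JSMITH",  "USTYP": "A", "UFLAG": 192, "TRDAT": "20240420"},
    {"MANDT": "100", "BNAME": "OLDUSER", "USTYP": "A", "UFLAG": 0,   "TRDAT": "20230601"},
    {"MANDT": "100", "BNAME": "RFC_BW",  "USTYP": "B", "UFLAG": 0,   "TRDAT": "00000000"},
    {"MANDT": "100", "BNAME": "NEWHIRE", "USTYP": "A", "UFLAG": 0,   "TRDAT": "00000000"},
]


def decode_uflag(uflag):
    """Return the lock reasons encoded in a UFLAG value; [] means not locked."""
    return [reason for bit, reason in UFLAG_BITS.items() if uflag & bit]


def parse_dats(dats):
    """ABAP DATS string -> date; the initial value '00000000' -> None."""
    if not dats or dats == "00000000":
        return None
    return date(int(dats[:4]), int(dats[4:6]), int(dats[6:8]))


def audit_users(rows, today, max_idle_days=90):
    """Return {BNAME: [findings]} for:
    - any locked user, with the decoded lock reason(s)
    - a standard user (SAP*, DDIC, EARLYWATCH) that is not locked
    - a dialog user (USTYP A) idle for more than max_idle_days
    - a dialog user that never logged on (initial password still usable)
    System/communication users are not subject to the idle rule.
    `today` may be a date or a DATS string."""
    if isinstance(today, str):
        today = parse_dats(today)
    findings = {}
    for r in rows:
        notes = []
        reasons = decode_uflag(r["UFLAG"])
        if reasons:
            notes.append("locked: " + ", ".join(reasons))
        elif r["BNAME"] in STANDARD_USERS:
            notes.append("standard user not locked (verify password with RSUSR003, then lock)")
        if r["USTYP"] == "A":
            last = parse_dats(r["TRDAT"])
            if last is None:
                notes.append("dialog user never logged on")
            elif (today - last).days > max_idle_days:
                notes.append(f"dialog user idle {(today - last).days} days")
        if notes:
            findings[r["BNAME"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_users(USR02, "20240501").items():
        print(f"{user:10} {'; '.join(notes)}")
```

In a real system the rows come from SE16 on USR02 (or the SUIM reports); the standard-user check only tells you the user is unlocked, so RSUSR003 is still needed to confirm whether the delivered password is in use.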
Role Administration: PFCG
Role Creation
Role modification
Role Deletion
Role Types:
Single Role: custom roles start with Y or Z, e.g. prefix ZS_
Composite Role: prefix ZC_, contains single roles
Master/Derived Role: prefixes ZM_ / ZD_
Authentication: Gives permissions to Login.
Authorization: Gives Permission to perform an activity.
Single Role: Contains T-codes, authorization Objects, fields &
Values.
Composite Role:
Contains single roles (including derived roles, which are technically single roles).
Has no authorizations or profile of its own; the user receives the profiles of the contained roles.
A composite role cannot contain another composite role.
A master role should not be added to a composite role (master roles are templates).
Master/Derived: a master role is used for the same job function across different job locations/org units.
A master role should not be assigned to users.
Only the derived roles are assigned to users.
Single role concept (one role per location, org value maintained separately in each role):
ZS_LEN_MGR_HYD – VA01, GS01, HYD
ZS_LEN_MGR_BAN – VA01, GS01, BAN
ZS_LEN_MGR_KOL – VA01, GS01, KOL
ZS_LEN_MGR_MUM – VA01, GS01, MUM
ZS_LEN_MGR_CHN – VA01, GS01, CHN
Master role: T-codes, authorization objects, fields & values; org levels left open.
Derived role: inherits T-codes, authorization objects, fields & values from the master; only the org values are maintained in the derived role.
ZM_LEN_MGR_ALL – VA01, GS01, GST1
ZD_LEN_MGR_HYD01 – VA01, GS01, GST1, org value 01
ZD_LEN_MGR_HYD02 – VA01, GS01, GST1, org value 02
ZD_LEN_MGR_BAN – VA01, GS01, GST1, org value 03
ZD_LEN_MGR_KOL – VA01, GS01, GST1
ZD_LEN_MGR_MUM – VA01, GS01, GST1
ZD_LEN_MGR_CHN – VA01, GS01, GST1
Business case: Lenovo stores, one Manager and one Assistant Manager per store.
SAP authorization hierarchy:
System
Client
User
Role
Profile
Object Class
Authorization Object
Fields
Values
SU24 and the role menu:
When a t-code is added to the role menu, the system reads SU24 for the objects assigned to that t-code and pulls into the Authorizations tab only the objects whose check proposal is YES.
Example: add t-code SE16 to the role menu:
S_TABU_DIS - YES (pulled into the role)
S_TABU_NAM - YES (pulled into the role)
S_TABU_LIN - NO (not pulled)
SU56: Display and reset the user buffer.
User buffer vs database: at logon the user's authorizations are loaded into the user buffer. Changes made afterwards with PFCG, SU01, SU10 or SUGR are written to the database, but the buffer still holds the old state, so the user has to log off and on again (or the buffer is reset via SU56 / report RSUSR405) before the change takes effect.
Authorization concept:
Authorization Object: controls user activities; it has up to 10 fields whose values are checked by the AUTHORITY-CHECK statement in the program.
Activities (ACTVT field, defined in table TACT):
01 - Create
02 - Change
03 - Display
04 - Print
05 - Lock/Unlock
06 - Delete
16 - Execute
22 - Enter, Include, Assign
78 - Assign
S_USER_GRP: user master maintenance (by user group)
S_USER_AGR: role maintenance
S_USER_PRO: profile-related tasks
Role change: S_USER_AGR ACTVT 02
Profile assignment: S_USER_PRO ACTVT 22, 78
User deletion: S_USER_GRP ACTVT 06
Role assignment to a user: S_USER_AGR ACTVT 22 (plus S_USER_GRP ACTVT 22 for the user's group)
Exercise: create a user admin role Z_USER_ADMIN_RES with only lock/unlock and password reset: S_TCODE with SU01, S_USER_GRP with ACTVT 03 (display) and 05 (lock/unlock and reset password) for the permitted user groups, and no 01/02/06/22.
Traffic Signals in PFCG:
MENU Tab:
GREEN: T-codes are added
RED: T-codes not added
Authorizations Tab:
GREEN: Authorizations maintained and profile generated
YELLOW: Authorization data changed but profile not (re)generated
RED: Profile not generated
USER Tab:
GREEN: Users assigned and user comparison done
YELLOW: Users assigned, user comparison required
RED: Users not assigned
Inside the Authorizations Tab:
GREEN: All field values maintained
YELLOW: Some field values not maintained (open fields)
RED: Org levels not maintained
Authorization Status:
Standard
Maintained
Changed
Manually
Standard: Fields & values proposed by SAP (SU24) and left unchanged
Maintained: Fields proposed by SAP, empty values filled in by the administrator
Changed: Fields & values proposed by SAP, values changed by the administrator
Manually: Object, fields & values added manually by the administrator (not from SU24)
Tables related to Role Admin:
AGR_USERS: Role vs users (with validity dates)
AGR_TCODES: Role vs t-codes
AGR_AGRS: Composite role vs its single roles
AGR_DEFINE: Role header; field PARENT_AGR links a derived role to its master role
AGR_1251: Role vs authorization objects, fields & values
AGR_1252: Role vs org-level values
AGR_PROF: Role vs profiles
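A practical use of these tables, and of the master/derived concept described earlier, is checking that derived roles have not drifted from their master. The following is an added example, not part of the course notes: it reads constructed AGR_DEFINE and AGR_1251 rows (real column names, made-up values), uses AGR_DEFINE-PARENT_AGR to find each derived role's master, and compares everything except the org-level fields. ORG_FIELDS is an assumption standing in for the org-level definitions held in table USORG; the role names follow the ZM_/ZD_ convention of the notes.

```python
"""Added example (not from the course notes): detect derived roles whose
non-org authorizations no longer match their master role."""

# Constructed AGR_DEFINE rows: PARENT_AGR is empty for single and master roles.
AGR_DEFINE = [
    {"AGR_NAME": "ZM_LEN_MGR_ALL",   "PARENT_AGR": ""},
    {"AGR_NAME": "ZD_LEN_MGR_HYD01", "PARENT_AGR": "ZM_LEN_MGR_ALL"},
    {"AGR_NAME": "ZD_LEN_MGR_BAN",   "PARENT_AGR": "ZM_LEN_MGR_ALL"},
]
# Constructed AGR_1251 rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH).
# In the master the org level is left open ($VKORG); the derived roles fill it.
AGR_1251 = [
    ("ZM_LEN_MGR_ALL",   "S_TCODE",    "T-0001", "TCD",       "VA01",   ""),
    ("ZM_LEN_MGR_ALL",   "V_VBAK_VKO", "T-0002", "ACTVT",     "01",     ""),
    ("ZM_LEN_MGR_ALL",   "V_VBAK_VKO", "T-0002", "VKORG",     "$VKORG", ""),
    ("ZD_LEN_MGR_HYD01", "S_TCODE",    "T-0003", "TCD",       "VA01",   ""),
    ("ZD_LEN_MGR_HYD01", "V_VBAK_VKO", "T-0004", "ACTVT",     "01",     ""),
    ("ZD_LEN_MGR_HYD01", "V_VBAK_VKO", "T-0004", "VKORG",     "0001",   ""),
    ("ZD_LEN_MGR_BAN",   "S_TCODE",    "T-0005", "TCD",       "VA01",   ""),
    ("ZD_LEN_MGR_BAN",   "V_VBAK_VKO", "T-0006", "ACTVT",     "*",      ""),  # widened by hand
    ("ZD_LEN_MGR_BAN",   "V_VBAK_VKO", "T-0006", "VKORG",     "0003",   ""),
    ("ZD_LEN_MGR_BAN",   "S_TABU_DIS", "T-0007", "ACTVT",     "03",     ""),  # added by hand
    ("ZD_LEN_MGR_BAN",   "S_TABU_DIS", "T-0007", "DICBERCLS", "SC",     ""),
]
ORG_FIELDS = {"VKORG", "VTWEG", "SPART", "BUKRS", "WERKS"}  # assumption, see lead-in


def role_auths(agr_name, rows=AGR_1251):
    """Non-org authorization values of a role as a set of (OBJECT, FIELD, LOW, HIGH).
    A set drops row order and the generated authorization names (AUTH), which
    differ between master and derived role even when the content is identical."""
    return {(obj, field, low, high)
            for name, obj, _auth, field, low, high in rows
            if name == agr_name and field not in ORG_FIELDS}


def org_values(agr_name, rows=AGR_1251):
    """Org-level values of a role as a set of (FIELD, LOW, HIGH)."""
    return {(field, low, high)
            for name, _obj, _auth, field, low, high in rows
            if name == agr_name and field in ORG_FIELDS}


def derived_role_drift(define=AGR_DEFINE, rows=AGR_1251):
    """Return {derived_role: {"missing": [...], "extra": [...]}} for every
    derived role whose non-org authorizations differ from its master's.
    A clean derived role is absent from the result: it differs from the
    master only in org_values()."""
    drift = {}
    for d in define:
        master = d["PARENT_AGR"]
        if not master:
            continue  # single or master role: nothing to compare against
        want, have = role_auths(master, rows), role_auths(d["AGR_NAME"], rows)
        if want != have:
            drift[d["AGR_NAME"]] = {"missing": sorted(want - have),
                                    "extra": sorted(have - want)}
    return drift


if __name__ == "__main__":
    for role, diff in derived_role_drift().items():
        print(role, "missing:", diff["missing"], "extra:", diff["extra"])
```

Drift of this kind usually comes from someone editing the derived role directly in PFCG instead of changing the master and regenerating; the fix is to re-adjust the derived roles from the master, not to patch them one by one.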
Reports: SA38: To execute reports
SE38: To view & edit the report source (needs S_DEVELOP).
RSUSR200: users by last logon date and password change (inactive users, initial passwords)
RSUSR003: checks the passwords of the standard users (SAP*, DDIC, ...) in all clients
RSUSR405: resets the user buffers of all users
RSAUDITC: lists locked transactions (SM01_DEV/SM01_CUS)
SU22, SU24, SU25: authorization default values (see below)
Topics detailed below: troubleshooting authorization issues (SU53, ST01, STAUTHTRACE), table security, transport concept, and the real-time process for user admin & role admin.
TOBJ: table of authorization objects.
TOBC: table of object classes.
SU21: To display/maintain authorization objects and object classes.
Imp authorization objects:
S_TCODE: start a transaction (field TCD)
S_USER_AUT: maintain authorizations
S_USER_GRP: maintain users (by user group)
S_USER_AGR: maintain roles
S_USER_SYS: assign users to systems (CUA)
S_USER_PRO: maintain profiles
S_GUI: download (ACTVT 61) & upload (ACTVT 60) via the SAP GUI
S_RFC: authorization to call function modules via RFC
S_DEVELOP: ABAP Workbench (development objects)
S_PROGRAM: execute/schedule programs by program authorization group
ABAP team needs developer key access (registered per user via SSCR in the SAP Support Portal).
Code build: developer key access.
Changing a standard SAP object: object key access (modification).
DEVACCESS: stores all developer keys
ADIRACCESS: stores all object keys
SU25: copies/compares SU22 data into SU24 (initial fill and the upgrade steps)
SU22: SAP standard authorization default data
USOBX: T-codes vs authorization objects (check indicators)
USOBT: T-codes vs authorization objects, fields & values (proposals)
SU24: standard + customer authorization default data
SU22 ---SU25---> SU24
USOBX ---------> USOBX_C
USOBT ---------> USOBT_C
USOBX_C: T-codes vs authorization objects (customer check indicators)
USOBT_C: T-codes vs authorization objects, fields & values (customer proposals)
Check Indicators:
Check
Do not check
Check Proposals:
Yes
Yes without values
No
New/unmaintained
Expert Mode:
Delete & recreate profile & authorization.
Edit old status
Read old status & merge with new data
PFCGMASVAL: Mass role changes
SUPC: Mass role generation
PFUD: Mass user Comparison & delete invalid assignments
EWZ5: Mass lock/unlock users.
Troubleshooting Authorization Issues: SU53, ST01, STAUTHTRACE
SU53: displays the last failed authorization check of a user (the user runs it right after the error; an admin can display it for another user)
ST01: system trace on the current instance; the authorization trace records failed and successful checks
STAUTHTRACE: authorization trace across all instances of the system (failed & successful)
RC values in the trace:
RC=0: authorization check successful
RC=4: object is in the user buffer but no authorization matches the checked values
RC=12: object not in the user buffer at all (no authorization for the object)
Table Security: TDDAT (table -> authorization group), DD02L (table definitions), SE54 (assign a table to an authorization group)
S_TABU_DIS: restricts table access at authorization group level (field DICBERCLS).
S_TABU_NAM: restricts table access at table name level; checked only when the S_TABU_DIS check fails.
S_TABU_LIN: restricts table access at line level (org criteria).
S_TABU_CLI: required for maintaining cross-client tables.
Example: USR01, USR02, TSTC and RSECVAL sit in the broad SAP groups (SC, SA, ...); with SE54 they can be moved into a custom group Z_TABLE (USR02, AGR_AGRS, TSTC, RSECVAL) or into one-table groups such as ZUSR01 and ZTSTC, so that S_TABU_DIS grants access to exactly those tables.
&NC&: the group assumed for tables that are not assigned to any authorization group
Background Jobs:
SM36: To schedule Background Job
SM37: To monitor Background Job
PFCG_TIME_DEPENDENCY (report, scheduled daily as a background job):
Mass user comparison (same as PFUD)
Removes the profiles of expired role assignments from the user master records
PRGN_COMPRESS_TIMES:
Deletes expired role assignments from the user master record
Merges/compresses overlapping validity periods of the remaining assignments
Work process types of an instance:
Dialog (D)
Background (B)
Enqueue (E)
Spool (S)
Update (U)
Example instance: D D D D D D B B B U S E (six dialog, three background, one update, one spool, one enqueue)
Transport: to move changes from one system to another (DEV -> QAS -> PRD).
SE01, SE09, SE10: transport organizer.
Workbench request: client-independent repository changes. Example: SU24 changes, table modifications.
Customizing request: client-dependent customizing data. Example: roles.
Example: role Z_SEC_01 (with SU01) is maintained in DEV and transported unchanged to QAS and PRD; composite role ZC_SEC_01 is deleted in DEV and the deletion is transported to QAS and PRD.
Both travel in the same transport request GRCK900102 (<SID>K9nnnnn), imported into each system in turn: DEVCLNT100 ------ QASCLNT100
Role Deletion Process:
Add role ZC_SEC_01 to a transport request (PFCG role transport)
Delete the role in DEV
Release the TR
Move the TR to QAS and then to PRD; the import deletes the role there as well
SM01_DEV/SM01_CUS: lock/unlock t-codes (SM01_DEV cross-client and transportable, SM01_CUS per client; both replace SM01).
SM59: create RFC connections; the called system checks S_RFC and, for trusted RFC, S_RFCACL.
RFC destination naming: <SID>CLNT<client number>
GRCCLNT400
What happens when a user executes a T-code?
Is the t-code in TSTC (does it exist)?
Is the t-code locked (SM01_DEV/SM01_CUS)?
Does the user have the t-code in S_TCODE?
Authorization object assigned to the t-code in SE93 (table TSTCA), if any.
AUTHORITY-CHECK statements inside the program (sy-subrc 0 = ok; otherwise the error is shown and recorded for SU53).
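The check sequence above, together with the table-access rule from the table security section (S_TABU_DIS on the TDDAT group first, then S_TABU_NAM on the table name, &NC& for ungrouped tables), can be modelled in a few lines. The following is an added example, not part of the course notes and not SAP code: a Python model of AUTHORITY-CHECK that returns the RC values from the notes (0, 4, 12) and uses it for the t-code start and the table-display decision. The user buffer, TSTC, TSTCA and TDDAT rows are constructed sample data with the real field names; the SE93 check assumed for SU01 and the auth-group assignments are illustrative assumptions, and value ranges (BT) are not modelled.

```python
"""Added example (not from the course notes): model of AUTHORITY-CHECK, the
t-code start sequence and the S_TABU_DIS / S_TABU_NAM table-access decision."""
from fnmatch import fnmatchcase

# Constructed user buffer (what SU56 shows after logon). One tuple = one
# authorization: object name plus the full set of its field values.
# '*' is the only wildcard modelled; SAP value ranges (BT) are left out.
USER_BUFFER = {
    "ALICE": [
        ("S_TCODE",    {"TCD": "SU01"}),
        ("S_TCODE",    {"TCD": "SE16"}),
        ("S_USER_GRP", {"CLASS": "FIN*", "ACTVT": "03"}),
        ("S_USER_GRP", {"CLASS": "FIN*", "ACTVT": "05"}),
        ("S_TABU_DIS", {"DICBERCLS": "Z_TABLE", "ACTVT": "03"}),
        ("S_TABU_NAM", {"TABLE": "USR21", "ACTVT": "03"}),
    ],
}
TSTC = {"SU01", "SE16", "PFCG", "SM30"}            # transactions that exist
LOCKED = {"SM30"}                                  # locked via SM01_DEV/SM01_CUS
TSTCA = {"SU01": ("S_USER_GRP", {"ACTVT": "03"})}  # assumed SE93 check (constructed)
# Constructed TDDAT: table -> authorization group; unlisted tables fall into &NC&.
TDDAT = {"USR02": "Z_TABLE", "AGR_AGRS": "Z_TABLE", "TSTC": "Z_TABLE",
         "USR21": "SC", "USR40": "SC"}


def authority_check(user, obj, **fields):
    """Model of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ... ; returns the RC
    from the notes: 0 = one authorization for obj matches every checked field,
    4 = obj is in the buffer but no authorization matches the values,
    12 = obj is not in the buffer at all. Fields that are not passed are not
    checked (like ID ... DUMMY)."""
    auths = [vals for o, vals in USER_BUFFER.get(user, []) if o == obj]
    if not auths:
        return 12
    for vals in auths:
        # the stored value is the pattern (e.g. FIN*), the checked value is literal
        if all(fnmatchcase(v, vals.get(f, "")) for f, v in fields.items()):
            return 0
    return 4


def start_transaction(user, tcode):
    """Checks in the order the notes give: TSTC, SM01 lock, S_TCODE, TSTCA."""
    if tcode not in TSTC:
        return False, "t-code not in TSTC"
    if tcode in LOCKED:
        return False, "t-code locked (SM01_DEV/SM01_CUS)"
    rc = authority_check(user, "S_TCODE", TCD=tcode)
    if rc:
        return False, f"S_TCODE failed RC={rc} (what SU53 would show)"
    if tcode in TSTCA:
        obj, vals = TSTCA[tcode]
        rc = authority_check(user, obj, **vals)
        if rc:
            return False, f"{obj} (SE93 check) failed RC={rc}"
    return True, "started; AUTHORITY-CHECKs inside the program come next"


def can_display_table(user, table):
    """Table-access decision: S_TABU_DIS on the TDDAT group first; only if that
    fails, S_TABU_NAM on the table name. Returns (allowed, reason)."""
    group = TDDAT.get(table, "&NC&")
    if authority_check(user, "S_TABU_DIS", DICBERCLS=group, ACTVT="03") == 0:
        return True, f"S_TABU_DIS group {group}"
    rc = authority_check(user, "S_TABU_NAM", TABLE=table, ACTVT="03")
    if rc == 0:
        return True, "S_TABU_NAM table name"
    return False, f"S_TABU_DIS and S_TABU_NAM failed (last RC={rc})"


if __name__ == "__main__":
    for t in ("SU01", "PFCG", "SM30", "ZZZZ"):
        print(t, start_transaction("ALICE", t))
    for tab in ("USR02", "USR21", "USR40", "ZCUSTOM"):
        print(tab, can_display_table("ALICE", tab))
```

The RC=4 vs RC=12 distinction is the one to read off a trace: RC=12 means the role is missing the object entirely (usually a missing SU24 proposal or a wrong t-code in the menu), RC=4 means the object is there but a field value such as the user group or org level is wrong.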
What happens when we add a t-code to a role?
The system reads the SU24 entries for that t-code (t-code vs objects, fields & values).
Example SU01:
S_USER_GRP, S_USER_PRO, S_USER_AUT, S_USER_AGR, S_USER_SYS, S_USER_SAS
All objects with check proposal YES are pulled into the role's Authorizations tab.
User Creation Process (ServiceNow (SNOW) or Remedy):
User raises the ticket in SNOW
Ticket goes to the manager for approval
Once the manager has approved, the ticket comes to the security queue
Security team verifies the user details & requested roles
Security team looks up the role owner for each role in the role matrix
Security team mails the role owner for approval
Based on the role owner's approval, the access is given to the user in SU01
Credentials are shared with the user separately (initial password, changed at first logon)
Role Creation or Change Process (ServiceNow (SNOW) or Remedy):
Requestor raises the ticket in SNOW
Ticket goes to the manager for approval
Once the manager has approved, the ticket comes to the security queue
Security team verifies the role change details & roles
Security team looks up the role owner for the role in the role matrix
Security team mails the role owner for approval
Based on the role owner's approval, the security changes start in the development system
Check the role dependencies (composite roles, derived roles, assigned users)
Make the changes in the DEV system
Create the transport request (TR) and release it
Contact Basis to move the TR from DEV to QAS
Ask the user to perform UAT (user acceptance test) in QAS and to provide the UAT sign-off
Contact Basis to move the TR from QAS to PRD
Inform the requestor and close the ticket