Sap-Basis & Sap-Security Tips n Tricks & info

Use Of SM35P and SM35

2010-05-17T01:40:00.000-07:00

Tcode SM35P use to display/monitor sessions. Using Tcode 
SM35 you the run/process the sessions in background or 
foreground.

Difference between Start Profile, Default Profile and Instance Profile

2010-05-17T01:38:00.001-07:00

default profile means all users data.
start profile means all servies of sap.
instatnce means all hostename of servers

Difference between se16 and sm31

2010-05-17T01:21:00.001-07:00

se16: table display
sm31: table ,view modification

Password related parameters

2010-05-17T01:18:00.000-07:00

login/min_password_lng (Defines minimum lengh for pwd)
login/min_password_digits
login/password_expiration_time

MAINTAINED via rz10

Delete 1000 users of a particular client

2010-05-17T01:17:00.000-07:00

Answer

You can create a SECATT script to delete the users which is 
easy to create and easy to execute or by using t-code su10.

How to assign same role to 200 users

2010-05-17T01:08:00.001-07:00

You can do using PFCG- >  enter the role -> change -> go to 
users tab -> paste the users -> click on user comparsion->  
complete comparsion -> Save the role

or

One can also use "Authorization Data" functionality in 
transaction SU10

Lock all the users except sap* and DDIC of a particular client

2010-05-17T01:07:00.000-07:00

we can do it by ewz5

Maximum no of profiles that can be assigned to one user

2010-05-17T01:04:00.000-07:00

WE CAN ASSIGN 312 PROFILE TO USER. The table USR04 contains the

User master authorizations.In this table the field XUPROFS contains

the profiles whose size is 3750 characters.
it also hold the change status of the user with 4 characters.

Each profile conains 12 characters
so number of profiles = 3750-4/1 nearly 312

Procedure to delete a role

2010-05-17T00:59:00.001-07:00

1.enter t.code pfcg in command window 
2.enter the role name
3.press shift+f2 or use the delete role button (trash bin)

How I can reset the DDIC user's password

2010-05-17T00:57:00.002-07:00

SU01, put DDIC in the User field. Change the 
password by clicking on the Change Password (Shift+F8)

SNC tab in SU01

2010-05-17T00:57:00.000-07:00

Secure Network Connection.

SNC tab is used to 
configure SNC name for an User.If you are not using SNC or 
have not enabled the SNC then it should not appear.The 
profile parameter is Change/Add SNC/enable.

Licence Data tab in SU01

2010-05-17T00:55:00.000-07:00

It is used for incurring costs for using SAP licensing. Different categories are used for internal purpose within a 
company for identification and like for developer the license cost will be high and for end user it might be low

and for basis admins it will be high. CAT(related)  - that type is used for the users who 
are just the timesheet entry or expense users. others belong to the developer, professional who much much 
other activities.

What is SAP Solution Mananger

2010-05-17T00:52:00.000-07:00

Purpose

The SAP Solution Manager supports you throughout the entire lifecycle of your solutions, from the Business Blueprint thru configuration to production operation. It provides central access to tools methods and preconfigured content, that you can use during the evaluation, implementation, and productive operation of your systems.
Features
Implementation of the mySAP Business Suite

· All phases of the implementation project (Business Blueprint, Configuration) are performed centrally in the Solution-Manager system.

· Central project documentation repository in the Solution Manager

· Integrated Project Administration allows you to manage planning schedules, human resources and other project data.
Customizing Synchronization

· The Customizing Scout, with which you can compare customizing in various SAP components, e.g. an ERP system with SAP MDM

· The Customizing Distribution, with which you can synchronize customizing in various SAP components.
Test

· You can use the Test Workbench to organize and perform tests at the end of a project phase.

· Reuse of the project structure for process-oriented tests
Global rollout

Integrated authoring environment, with which customers and partners can create their own templates, which they can reuse in subsidiaries, e.g. in a global rollout
E-Learning management

Creation of training material and learning maps (computer-supported self-tuition courses) to train end users after the implementation of new functions
Solution Monitoring

· Central system administration

· Analyze your system landscape with Service Level Reporting

· System monitoring in real time

· Business Process Monitoring
Services

Access to programs and Services, which help you to monitor and optimize the performance and availability of your system landscapes, and minimize your operational system risks
Service Desk

Solution support with workflow to create and handle problem messages
Change Management

Management of change requests, with workflow for the monitoring and audit of changes and transports in your system landscape, with the Change Request Management.

Sap Security General Jobs, Guideines & Info

2010-05-17T00:49:00.000-07:00

SAP Security

1. Security Administration

* Determine how security administration is organized

2. Help Desk

* Determine if the help desk is effective

+
Records incidents reports

3. Determine if proper system monitoring is performed

4. Determine if training is properly administrated

5. Determine if key system interfaces are properly controlled.

6. Obtain a list of all system users

7. Obtain a list of custom transactions

* List off all transactions within the TSTC table beginning with the letters Y or Z

o Tables>Data Display>Y*, and then Z*

8. Obtain a listing of all Clients

* List table T001

9. Obtain a listing of all group companies

* List table T042G

10. Obtain a listing of all business areas

* List table TGSB and TGSBT

11. Obtain a listing of all credit control areas

* List table T014 and T014T

12. Obtain a list of all charts of accounts

* List table T004 and T004T

13. Obtain a listing of all plants

* List tables T001W and TVKWZ

14. Obtain a listing of storage locations

* List table T001L

15. Obtain a listing of all purchasing organizations

* List table T024W

16. Obtain a listing of all purchasing groups

* List table T024

17. Obtain a listing of all sales organizations

* List table TVKO and TVKOT

18. Obtain a listing of distribution channels

* List table TVTW, TVTWT, and TVKOV

19. Obtain a listing of all divisions

* List tables TSPA, TSPAT, and TVKOS

20. Obtain a listing of sales areas

* List table TVTA

21. Obtain a listing of sales offices

* List tables TVBUR, TVKBT, and TVKBZ

22. Obtain a listing of sales groups

* List tables TVKGR, TVBVK, and TVGRT

23. ABAP programs

Review ABAP programs to ensure that all system function calls are authorized. System function calls allow are Unix commands that are passed to the operating system to perform a task at the operating system level such as using Oracle SQL commands to query the database during the execution of an ABAP program.

24. Review all SAP userids at the Unix operating system level. (etc/passwd and etc/group files)

SIDADM system administration

ORASID Oracle administration

PCTEMU Terminal administration

25. Review all relevant SAP change control directories under Unix

/usr/sap/trans

26. Ensure that all default passwords have been changed.

27. Determine that only authorized users have direct access to the Oracle database management system. And determine that all default system passwords have been changed.

28. Correction and Transport (CTS)

Control types

Default Changes are allowed in corrections. Changes to SAP-provided objects require a repair correction

No Change Changes are not allowed

Repairs Repairs are allowed but all must have corrections and all corrections are flagged as repairs. Other types of changes are allowed with or without corrections.

Unlimited Any changes are allowed with or without corrections. No corrections are flagged as repairs

CTS Type CTS Changes

Development Default

Integration No Change

Consolidation No Change

Recipient No Change

Determine if change control procedures are formally documented.

Determine if separate instances have been defined for development and testing

Determine who is responsible for transport administration

Ensure that control tables are properly established

TSYST defines all systems to be used in CTS

TASYS defines all recipient systems

TDEVC defines all development classes

Use transaction code SE06 for CTS verification

Use Transaction code SE38 to review the placement of programs in authorization groups

o SE38 select attributes and select display

29. Determine who has the capability to add user master records.

S_USER_GRP and S_USER_ALL

30. Determine who can maintain profiles.

S_USER_PRO

31. Determine who can maintain autorizations.

S_USER_AUT

32. List all SAP supplied profiles and authorizations that have been modified and review for completeness.

33. List off the system parameter file (RSPARAM) and review the authentication controls

o login/min_password_lng
o login/password_expiration_time
o login/fails_to_session_end
o login/fails_to_user_lock

34. Determine how the profile SAP_NEW is being used.

35. Review SAP for any new objects/values that have been defined

Review changes to table AUTH for new fields and table TOBJ for new objects

36. Determine if all users have been assigned to a group. (Table USR02)

37. Determine that the SAP* profile has a user master record and that SAP* has had its password changed and added to the SUPER group. Also determine if the password has been stored in a secured location in case of an emergency.

38. Determine who are the members of the SUPER group and ensure that their membership is required.

39. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:

SAP_ALL All R/3 privileges

S_A.SYSTEM All SAP system functions

S_A.ADMIN System administration

S_A.CUSTOMIZ SAP customizing system

S_A.DEVELOP SAP development environment

S_ABAP_ALL All authorizations for ABAPs

TOOLS>ADMINISTRATION>USER MAINTENANCE>USERS>MAINTAIN USERS>INFORMATION>OVERVIEW>USERS> profile name >LIST>PRINT

40. List all users with special SAP system administration

S_ADMI_FCD Access to ABAP/4 Data Dictionary

S_BDC_ALL Batch Input

S_DDIC_ALL DYNPRO and ABAP/4

S_EDI_BUK Creating and modifying ABAP/4 programs and use of screen painter

S_EDITOR Ability to edit and modify ABAP’s programs

S_PROG_ADM Running ABAP/4 programs and submitting background processing

S_PROGRAM Ability to run ABAPs

S_TABU_ADM System Table – table maintenance

S_BTCH_ADMS_ENQ_ALL Background Processing

S_TSKH_ADMS_ENQ_ALL Transactions – lock management for processing

41. Determine who has access to the ABAP/4 Data Dictionary

S_ADMI_FCD For this object list users that have the following values:

REPL, SE01 (CTS requests) and/or DDIC in the System Administration Function field

SM21 in the Field Administration Function field (allows access to the system log)

TCOD which allows the user to change additional authorization checks

Versions for a particular object are maintained as: Utilities>Version Management Menu.

Temp

Historical

Active

Revised

Use Transactions:

SE16 Data Browser

SE12 Dictionary Display

SE80 Object Browser

SCU3 Table history transaction

42. Determine who has batch access

S_BDC_MONI

S_BDC_ALL

S_BTCH_ADM

S_BTCH_ALL

S_BTCH_USR

Batch log files (bdc/logfile) should be reviewed and any deletions, modifications, or abended sessions subject to investigation and should be secured through the correct use of the operating system security.

43. List users with authorization for SM04, SM50 (S_TSKH_ADM) which grants access to the transaction locking function. Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools>Administration>Tcode Administration). Ensure that at a minimum the following transactions are locked:

SE01 Correction and transports

SE38 Ability to execute ABAP programs

SE11 Maintain data dictionary objects

44. Determine if the parameters for the trace and log files are adequate

With the RSPARAM report, review the rstr/* and rslg/* parameters

If a transaction cannot finish correctly, the system rolls it back. The dialog program first generates a log record in the VBLOG table.

Transaction SM21 or Tools>Administration>Monitoring>System Log

Selection Criteria:

Date/Time – To – Date/Time

By User, Trans Code, SAP Process, Problem Classes (Messages)

45. Determine if Spool access is properly restricted.

Verify who has the authorization object S_ADMI_FCD, S_SPO_ACT, and S_SPO_DEV

46. Determine if backup procedures are appropriate for data and programs

On-line and off-line backups of all the file servers can be controlled through the CCMS. Access to these transactions should be restricted, because these transactions can causes all file servers to shut down.

Is access to the SAP archiving function restricted. (Verify which profiles have access to transaction F040).

47. Determine who has access to the SAP customizing system (IMG, menu customizing)

S_A.CUSTOMIZ The profile gives all authorizations required for the Basis activities in the customizing menu. (Table USR10 gives an overview of all authorization objects in a profile.)

Overview of Sap basis and Security

2009-07-23T13:30:00.001-07:00

This is a nice pdf giving overview of sap security..
http://www.acc.ncku.edu.tw/chinese/faculty/shulc/courses/cas/SAP_BASIS_and_Security_Administration.pdf

How to know or get the Kernel Version of SAP system

2009-01-11T13:21:00.000-08:00

There are many ways through which you can get the Version Number of SAP Kernel.
One of the method is from any window in the top menu go to
system--> status and click on the other kernel info button which is between the navigate and cancel buttons.

Another method is to login as administrator and enter the following disp+work -v. in command field on left top corner. This will show you the kernel version of SAP.

You can also check the log or trace files at os level /usr/sap/work/dev_disp.

You can also get this kernel information from sm51 screen. Go to transaction sm51 then click on database server (single click only. Not double click) and then click on release notes. Then you will see the kernel information and patch level.

If you guys are interested checkout out our new php tutorials website
Php Tutorials

How to restrict Multiple Logins of Users in SAP

2009-01-11T13:04:00.000-08:00

This is a critical and security feature. You can know whether some one is logon using your user id from any other computer. Multiple logons of users must be set to 1 in sap production systems. This can be allowed in DEV systems. But in production it must be restricted.
Go to rz10 and change the paramenter
login/multi_login_users. By default the value is 0 which is inactive. If you want to activate mupltiple logons for some users in sap like service users you have to change the parameter
login/disable_multi_gui_login = you have to enter the user names in the values seperated by semi colon ; and dont leave spaces between the userids. Now you have to restart the instance.

How to Delete a Scheduled Background Job in SAP

2009-01-11T12:34:00.000-08:00

To deleted scheduled jobs in SAP you need to go to Tcode SM37. Now you select the jobs that you want to delete. Click on the check button left side of each job name and now in the menu go to job->delete.

Precaution must be taken when dealing with dependent jobs. If the completion of job1 starts the job2 and if you delete job1 then job2 will not start.
When deleting the jobs the system will inform you of any such dependent jobs and you need to reschedule them to start again

Maximum Number of Session Per User in SAP

2009-01-11T12:24:00.000-08:00

What are the maximum no of sessions per user in SAP?
This is the maximum no of windows which you can open in SAP for that system.
By default the value is 6. So a user can open 6 sessions in 4.7x.
You set this values in rdisp/max_alt_modes parameter.
You can change this parameter using RZ10 in instance profile and use extended maintenance for changing this.
Mos of the companies restrict this no of sessions since they can cause unecessary load..

Most Important Tables to Remember in SAP Security

2009-01-11T00:08:00.000-08:00

These are the most importatn tables you need to remember. The last one is a file. These tables comes in handy when you need to extract data. There are instances in which data taken from suim is inaccurate. Using this tables and sqvi you can extract any data you need.

AGR_AGRS - Shows simple roles within composite roles
AGR_USERS - Shows user information for roles
AGR_TCODES - Shows transactions assigned to roles "through the menu"
AGR_1251 - Shows authorizations for roles; if you restrict it to authobj
S_TCODE, you can see more than table AGR_TCODES shows you

Difference Between SAP_ALL and SAP_NEW

2008-09-15T11:51:00.000-07:00

What is the difference between SAP_ALL and SAP_NEW

Definition of SAP_NEW:-
SAP_NEW is a SAP standard Profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users is not hindered, during the Upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities is completed, and replaced with the now modified Roles as it has extensive authorizations than required.

Definition of SAP_ALL:-
SAP_ALL is a SAP standard profile, which is used on need basis, to resolve particular issues which may arise during the usage of SAP. It is used by Administrators/Developers only and is applied on a need to use basis, then withdrawn. It contains all SAP system objects and Transactions. SAP_ALL is very critical and only SAP* contains SAP_ALL attached to it in the production system. No other dialog users have SAP_ALL attached to them.

SAP_NEW is used in the Production environment during a version upgrade whereas SAP_ALL shouldn't be or not allowed be used in Production (for audit purposes obviously), except where necessary, in a controlled manner with all proper approvals from the customer.

SAPOSCOL - SAP Operating System Collector

2008-07-25T04:55:00.002-07:00

what is saposcol?
A)SAPOSCOL is SAP Operating System Collector
is a standalone program that runs in background at OS level. It
collects information about operatin system resource usage like

CPU Utilization
Main Memory and Virtual Memory utilization.
Physical Disk and File System utilization.
Resource usage by running processes.

How many instances of SAPOSCOL to be run?
A)Only
one instance of SAPOSCOL needed to be run per hardware. Even if there
are multiple instances running on a single hardware only one SAPOSCOL
process is needed.

What is the frequency of data collection by SAPOSCOL?
A) Data is collected every ten seconds.

Where is the data collected by SAPOSCOL stored?
A)The data is stored in shared memory and for long & future usage data is stored in tables MONI & OSMON.
Tha data collected by SAPOSCOL copied to tables MONI & OSMON by background job COLLECTOR_FOR_PERFMONITOR

What are the SAP level tcodes to view this data?
A) At SAP level you can view the information collected by SAPOSCOL using tcodes/transactions ST06, OS06 & OS07.

What is Heap Memory?

2008-07-25T04:55:00.001-07:00

Heap Memory stores User Context when Extended Memory allocated to a work process gets exhausted and the work process requires more space to continue. Heap Memory stores contains same type of Data as Extended Memory. Heap Memory is allocated dynamically according to requirement and not during system startup. When the workprocess starts using heap area it enters in to PRIV mode.

Important categories of Profile Parameters in SAP

2008-07-25T04:54:00.001-07:00

These are important categories of system parameters. You can access and change them using RZ11.
to
display you can use report RSPFPAR which can be run thorough SA38. Not
all parameters can be changed.Using RZ10 (profile maintainance)
you can change parameters that are dynamically switchable and they are
activated immediately.

ES/* : Related to extended memory settings
INSTANCE* : Identify an instance or server
ABAP/* : Related to program execution, including heap settings
AUTH/* : Related to authorization
DBS/<DB Type/* : Database specific parameters
EM/* : General system related settings
ENQUE/* : Settings for the enqueue WP (or standalone ENQ server)
GW/* : SAP Gateway related settings
ICF/* & ICM/* : Settings for the Internet control framework and ICM
LOGIN/* : Controls the logon environment (such a multiple sessions etc)
MS/* : Message server related settings
RDISP/* : Controls the dispatcher & dispatcher controlled processes
STAT/* : Statistics collector related parameters
SCSA/* : Shared common system area parameters
ZTTA/* : Extended memory related parameters

Tcode SM50

2008-07-25T04:52:00.002-07:00

Tcode SM50.
Sm50
tcode is used to see the workprocess overview in application
server you are logged in.
There are several fields diplayed in the work
process overview screen.
Each of the field value is described in below
table.

Menu path for this tcode is
Tools --> Administration--> Monitor -->System monitoring --> Process --> overview

No	This is the work process number and is unique to each work process.
Type	This denotes the type of work process. These are the possible values for type field DIA: Dialog UPD: Update BGD: Background ENQ: Enqueue SPO: Spool
PID	Process ID which is a unique no to identify the process at os level.
Status	This shows the status of work process like PRIV mode etc..
Ended	Work process has been terminated because of some error in SAP kernel. Running – work process is busy processing user request. Waiting – work process is ready to accept user request. PRIV – Work process running with heap memory (noramally basis admins terminate the dia wp if it enters priv mode).
Completed	The work process has been terminated and they can not be restarted.
Reason	If a work process status is stopped, this field gives the reason why it is stopped.
Start	This field tells if the dispatcher can restart the work process if it gets terminated.
Err	Err field gives the no of times the work process .
Sem	Number of semaphore. With Green background =>Process is holding the semaphore. With Red background => Process is waiting for the semaphore.
CPU	The CPU Time utilization by each work process format minutes:seconds
Time	The time that has been consumed processing the current request (in seconds).
Report	The name of report which is being executed
Clie	Client No.
User	Name of user whose request is currently being executed.
Action	For the work process with status “running”, this displays the current action.
Table	The DB tables that is accessed previously by work process.