Mostrando las entradas con la etiqueta BASIS. Mostrar todas las entradas
// //

Sap_All vs. Sap_New

Most of the times you might have question in your mind that why you give sap_all and sap_new everytime we create admin user (Altough some people used to give sap_all to every one). So here i am sharing my knowledge about differnce between these 2 :

SAP_NEW:-
SAP_NEW is a SAP standard Profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users is not hindered, during the Upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities is completed, and replaced with the now modified Roles as it has extensive authorizations than required.

SAP_ALL:-
SAP_ALL is a SAP standard profile, which is used on need basis, to resolve particular issues which may arise during the usage of SAP. It is used by Administrators/Developers only and is applied on a need to use basis, then withdrawn. It contains all SAP system objects and Transactions. SAP_ALL is very critical and only SAP* contains SAP_ALL attached to it in the production system. No other dialog users have SAP_ALL attached to them.
SAP_NEW is used in the Production environment during a version upgrade whereas SAP_ALL shouldn’t be or not allowed be used in Production except where necessary, in a controlled manner with all proper approvals from the customer.

Reblogg from: SapTechies
Leer más ...
// //

Agregar texto en el logon de SAP

Me pareció interesantísimo el artículo para la consultoría SAP en general, saber como modificar el log-on de SAP. Creo que es importante para dejarle información de contacto (tal como voy a pasar a explicar) en la pantalla de acceso de todos los usuarios finales de SAP en la empresa.

Yo recomiendo que lean atentamente nuestro tutorial, y después accedan al sistema (recomiendo en ingles), para hacer los cambios.

Paso por paso tenemos que hacer lo siguiente:

1. Entrar a SAP.
2. Ejecutar la transacción SE61.

Cambiar la siguiente configuración:
  • En “Document Class” ponemos “Generat Text”
  • El “Language” lo podemos cambiar, o no. Yo dejo English.
  • En “Name” ponemos ZLOGIN_SCREEN_INFO
Después de eso, hacemos clic en el botón “CHANGE”.

3. Aquí tenemos que agregar la información que queremos que aparezca:

4. Hacemos “CTRL+S” y Activamos con “CTRL+F12” cuando hayamos terminado.
5. Salimos de SAP (cerramos todo, podemos usar “/nex” y darle enter)
Cuando volvamos a querer loguearnos en SAP, veremos la información que pusimos así:

Y eso es todo.
Espero que sepan aprovecharlo.
Saludos, ^Osw.


Imágenes y fuente de: FreeSapTutorial
Leer más ...
// //

SE16N: The security implications

Why you should not do this in any productive system, or any system that you don't wish to restore because you've messed up referential integrity....

  • Reason 1: If you are ISO certified, then you will be going against their instructions
  • Reason 2: If you are bound by SOX compliance then you will not be adhering to it
  • Reason 3: You can cause data inconsistencies between tables that have relationships with each other. It will not maintain referential integrity between the tables.
  • Reason 4: SAP will not support any inconsistencies brought about by this method

Leer más ...
// //

Transaction SE16N vulnerability

Este artículo se publicó a fines informativos en el año 2010, se mantiene únicamente por dicho motivo.

En aquel entonces nuestra web poseía artículos en inglés. Luego dejamos de publicar artículo en ese idioma.



Please restrict access to SE16N in your production systems.  If you're sufficiently paranoid, you may want to remove the transaction it completely

I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings. It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way. More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL role.

Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.

In the example below, I've changed the User Group to SUPER.

Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.

The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:


SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data

This means, in theory, that you can can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place. However, there's a bigger issue.....

When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.

1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.

2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.

Martin English - I am a Netweaver Technical Consultant for CSC Australia, supporting the complete SAP lifecycle from pre-sales planning through to decommissioning. The opinions expressed here very rarely coincide with those of my employer, customers, or indeed any one else. This is written by me, not them.

Leer más ...
// //

Changing time zones in SAP ECC 6.0

Our security team wants to implement the GRC package into our SAP system and the pre-requisite for this is to change the system time to UTC. We are running SAP ECC 6.0, and our current system time is based on EDT. We would like tounderstand the negative impacts this implementation may have - other than the obvious need to reschedule batch jobs. Forexample, what will happen to the date and time stamps of old documents?

Time stamps for documents can be stored in two different formats:
  • Using standard ABAP date and time fields (YYYYMMDD and HHMMSS). Here the time stamp corresponds to the system time, i.e. the time on the database server as returned by the ABAP system variable SY-DATUM and SY-UZEIT. Using the system time is necessary to avoid situations where, for instance, a financial document created by a user in Berlin (CET) would be modified a few minutes later by a user in New York (EDT). If the user’s time zone were stored in the document data, then it would seem as if the document had been changed before it was created. However, many applications will take the time zone into account when processing these documents. How this is done depends on the time zone-related information that is available for the document. The details are explained in the SAP online help (help.sap.com) in the guide “Time Zones” (CA-GTF-TIM). This same guide also describes various application-specific scenarios.
  • Another format that is frequently used is the ABAP time stamp format (handled in ABAP with the “GET TIME STAMP” and “CONVERT TIME STAMP” statements). A time stamp field is always in UTC and the application will automatically convert it to/from the user’s time zone.



Reblogged from SearchSap.
Leer más ...
// //

Custom transaction for Report Painter

In many organizations, the usage of transaction GR55 has been removed from end users and the usage of custom transaction for Report Painter report is preferred.

These transactions need to be added to roles & also transported via the SAP Transport system and go through change control.

One mistake is to create Variant Transactions that add another layer of objects to maintain and transactions that are not easily accepted by the end user community:

image003

The user will then have to navigate past the selection screen where the report group is selected.

image004

Another common mistake is that users create the transaction code with the SAP-generated program name of the Report Painter report.

image005

The users usually runs the report and via the menu path system status identifies the SAP generated report name, such as GP4D9W908VD93NG59JGEC5C4HE3200 in the development system or in the productive system as GP4D9W908VD93NG59JGEC5C4HE3400. Both program names look identical except for the last 3 digits, which represent the client in which the report was generated.

Because you don’t have control over the SAP-generated program name, you run into problems when the user tries to execute the program and a short dump may occur or the system may tell the user that the program doesn’t exist.

The right approach is to create a Parameter Transaction, map this transaction to the necessary objects in SU24 so that you can make sure that you won’t run into any authorization issues when the user runs the reports.

To create a custom transaction, you need to use transaction SE93 in the development client where your program development & configuration takes place.

Enter a transaction with the naming convention that your organization has issued and select the ‘create’ button:

image006

Enter a short description (according to naming standards of your organization) and select the option ‘Transaction with parameters’:

image007

Enter transaction ‘START_REPORT’ as shown below (1) and select the ‘Skip Initial Screen) (2):

image008

In the lower section, enter Screen Field D_SREPOVARI-REPORTTYPE with the value RW for Report Writer and D_SREPOVARI-REPORT for your report name. If you should have extended a extended report name, you also can add this screen field with the appropriate value D_SREPOVARI-EXTDREPORT to the list of screen fields.

image009

After saving the transaction, the system asks you for a package & transport request. Follow the development standards & instructions from your organization.

Once you have created the transaction, you need to make sure that it will be fully functional from a SAP Security standpoint. Use transaction SU24 to map the object S_Program to the transaction you have just created. The authorization group is the name of the Library with the prefix of RW_. You can find out the library via the report group or by running a trace. (This is helpful if you did not create the report and don’t know what library the developer was using).

image010

If you want to run the authorization analysis via ST01, you can find out easily what the values for S_Program should be:

image011

Once you have identified the objects & values, you can then map the object to the transaction with transaction SU24:

image012

Add all objects needed to run this report (you can find out the objects via your trace analysis):

image013

Switch the indicator to check/maintain:

image014

Enter the values according to your findings

image015

Don’t forget to double-check the values. You may want to make selections regarding on how the user can run the report according to your company guidelines and development standards:

image016

When the SAP Security Administrator maps the newly created transaction to a role, the objects needed for this transaction will be automatically pulled into the role:

image017

Depending on your SAP Security setup, the values of the individual authorizations for Report Writer may be more granular or with access to a broader area.


Reblogged from home4sap.com

Leer más ...
// //

Client Copy

Client copy showing the status as "Post Processing Required".

Nearly 250 tables were not copied.
Giving Warning in FIN-BN component.

In SM37 the client copy job is Successfully Completed.

I am not sure whether the client copy is completed successfully or not..

Leer más ...
// // 1 comentario

Client Copy: Derivation rule tables

Client copy is completed with status "Post-Processing Required". There is an error in log for object FINB-TR-DERIVATION:
DA300 "No active nametab exists for *some db table*"

Name of db table is usually with naming convention:
xxyyyysssmmmnnnn (xx - application class, yyyy - strategy ID, sss - system indicator, mmm - client, nnnn - sequence number)

These db tables are part of some instance of derivation tool in your system and are used to store Derivation Rule Values.
Other terms

ABADR, FINB_TR_CC_EXIT, FINB_TR_CC_EXIT_TARGET, DA 300, DA300, CC, SCC9, SCCL, SCC3

Reason and Prerequisites

During processing CC there was huge workload into your system. CC processcreates new tables to store copied derivation rules. This is done in parallel asynchronous process. But due to workload into system, these tables weren't created as fast as needed by CC process.
CC process cannot access these tables to save derivation rules in target client, as mentioned also in log.
Solution


HOW TO FIX CURRENT CLIENT COPY
(All steps to be performed in target logical system)

      1. Decrease workload as much as possible

      2. Execute report ABADRCHECK with selected 'DELSTEPS'
      (see note 653314 for more details)

      3. Execute TCode FINB_TR_EXEC_AI (Postprocessing of Client Copy)   (Please note that any changes done between Client Copy and          executing TCode FINB_TR_EXEC_AI will be overwritten!)

      4. Result of FINB_TR_EXEC_AI execution

            a) Executed with same error DA 300
            The workload is still to high, make sure that workload is decreased and repeat steps 1. - 3.

            b) Executed without any errors
            Consider FINB-TR-DERIVATION part of Client Copy as completed successfully. Note, that status of Client Copy in TCode SCC3 "Post-Processing Required" is final and it's not updated based on successful execution of FINB_TR_EXEC_AI.

            Information about final Client Copy status need to be evaluated and kept outside of SAP system. Or optionally, the client can be protected against any further manually triggered post processing procedure (e.g. using TCodes FINB_TR_EXEC_AI, FINB_TR_DISPLAY etc.) using the IMG activity "Complete Postprocessing". It's suggested to do so, when Client Copy is successfully repaired by repetitive execution of post processing procedure.


WHAT TO DO BEFORE NEXT CLIENT COPY
Make sure that there will be no performance issues during Client Copy processing in target logical system.
Leer más ...
// //

FAQ: Upgrade PREPARE

1. When should I start the PREPARE?

Start the PREPARE as early as possible before the upgrade so that you can set up or carry out the necessary preparations in good time.

2. Can I repeat the PREPARE?

You can repeat most of the PREPARE modules as often as you like without resetting the entire PREPARE. You must reset PREPARE only when you make bigger changes to the source release, for example, if you import software such as SAP Support Packages, languages or add-ons (including add-on updates) after the PREPARE is started. In general, however, you should ensure that the relevant modules are completely executed before resetting the PREPARE as described in the upgrade guide. Keep in mind that resetting only changes the status for the upgrade and does not undo any PREPARE database operations.

3. Must I include Support Packages in the upgrade?

We generally recommended that you include Support Packages; otherwise, depending on the Support Package level of the source release, the system carries out a downgrading of objects. This may cause data losses and/or problems in some upgrade phases. For more information, see Notes 73510 and 119738. Furthermore, this is often the quickest method of importing Support Packages.

Leer más ...
// //

ST03N y STAD

Esto lo tengo que comprobar, pero existen dos transacciones en SAP que loguean -segun explican- las veces que se usan, en un periodo de tiempo determinado, las transacciones en el sistema..


En Vistas de Análisis --> Perfil Transacción.
(...)
...las transacciones que se utilizan son ST03N y STAD...Aunque dudo mucho que guarden un control de un período tan largo como una año...


Leer más ...
// //

FAQ: Client copy

Symptom

1. Which authorizations are required to execute a client copy?
2. Which data is actually copied with a client copy?
3. Can I only copy the Customizing and therefore receive the application data in the target client?
4. Can I copy between systems with different R/3 releases/add-ons?
5. Can I create client copies in a heterogeneous system landscape?
6. How can I improve the performance of a client copy?
7. Which is better or faster, a client transport or a remote copy?
8. How much space does the new client require?
9. Can I exclude certain tables from a client copy?
10. Where do I find the cause of an error or a copy termination?
11. How does a client copy behave during a termination or database error? When does the system offer a restart?
12. How do I create a new client? Which copy profile and which source client should I use?
13. Why does a remote copy terminate, referring to DDIC differences?
14. Why there are still differences between the systems, for instance with the programs, even after I copy with the copy profile SAP_ALL?
15. What is client 001 used for?
16. Can I delete client 001?
17. Can I use client 001 in production?
18. Can I use more than one client for production in a system?
19. After a client copy, there are problems with number ranges in the target client. Why is this?

Other terms

FAQ, Q+A, CC-INFO, CC_ADMIN, SCCL, SCC5, SCC7, SCC8, SCC9

Leer más ...
// //

Role Comparing in SAP

For role comparison both the roles must be in the same system, in same client.
   
Transaction code SUIM -> Comparison-> Roles
   
If the roles are in different system, then transport the role into one of the system and do comparison.  If no transport connection defined then, you can use the upload and download option in the PFCG.

Steps for Role Comparing:

1. Run the t-code SUIM
   
2. Go To Comparison and select the option of roles
   
3. Click on Across systems option it will give option to select the sys name under Remote Comparison there enter the SYS ID between which system you want to do comparison and put the role name in compare role section then execute it will give you the result.
   
4. If there are any difference between then the  t-codes it will be in red color otherwise in yellow?
<source>

Leer más ...
// //

Data Archiving

Data archiving removes bulk data which is no longer required in the System, but which must be retained accessibly, from the database. Data in the R/3 database can only be archived via archiving objects, which describe the data structure. Financial accounting documents, for example are archived via the archiving object FI_DOCUMNT, which comprises the document header, company-code-dependent postings, change documents, SAPscript texts and other elements. The application archiving objects are pre-defined in the system. The archiving programs are scheduled as background jobs, but can run during on-line processing. The system need not be shutdown.
Leer más ...