SAP Upgrade Guide

Upgrade Master Guide for SAP ERP

I found a manual on the web for carrying out an SAP upgrade.
As it is official documentation, it is a PDF and in English.

I will tell you, in broad strokes, how to use this document and what it covers, so that you can get an idea of its scope before downloading it.

It is a central guide for performing a technical upgrade to SAP ERP version 6.0. It contains all the activities for carrying out the upgrade, and the configuration required for SAP ERP 6.0 and for the components required by other applications, such as SAP NetWeaver 7.0 and SAP Business Suite. Depending on the size of the company that wants to upgrade SAP ERP, you will need to consider how many key users will be contacted for the upgrade, both of the ERP and of other components such as SAP HR. The guide is divided into sections, which make it easier to understand the steps to follow and to assess the risks during the upgrade process. Without a doubt, it is a guide that every SAP consultant should keep in their pocket, which is why I am sharing it with you.

Useful SAP BASIS transactions

I downloaded the most common Basis administration transactions from the official SAP Wiki, and thought it better to look up the Spanish equivalent; in other words, I took on the small job of translating what each transaction was. :)

IMPORTANT: if you have problems administering your SAP system, we are answering all SAP BASIS questions through our community. You can read (answered) SAP questions here, or read the discussions on SAP system administration in our forum.

For the cases where SAP ECC 6.0 shows no description, I kept the English description given on this page: Useful SAP System Administration Transactions
  • AL01: SAP Alert Monitor
  • AL02: Database alert monitor
  • AL03: Operating system alert monitor
  • AL04: Monitor call distribution
  • AL05: Monitor current workload

Tables: SAP keys

Some of the tables where SAP keys are stored are:

  • DEVACCESS: Stores all developer keys
  • ADIRACCESS: Stores all keys for modified objects
  • TDEVC and view V_TDEVC: Stores all development classes or packages


Source consulted: Sap-adm.blogspot.com

Security tables

Table: description (report, where one is listed)

  • USR02: Users Data (logon data). Report: RSUSR020
  • USR04: User master authorization (one row per user)
  • UST04: User profiles (multiple rows per user)
  • USR10: Authorisation profiles (i.e. &_SAP_ALL)
  • UST10C: Composite profiles (i.e. profile has sub profile)
  • USR11: Text for authorisation profiles
  • USR12: Authorisation values. Report: RSUSR030
  • USR13: Short text for authorisation
  • USR40: Table for illegal passwords
  • USGRP: User groups
  • USGRPT: Text table for USGRP
  • USH02: Change history for logon data
  • USR01: User Master (runtime data)
  • USER_ADDR: Address Data for users
  • AGR_1016: Role and Profile. Report: RSUSR020
  • AGR_1016B: Role and Profile
  • AGR_1250: Role and Authorization data
  • AGR_1251: Role Object, Authorization, Field and Value. Report: RSUSR040
  • AGR_1252: Organizational elements for authorizations
  • AGR_AGRS: Roles in Composite Roles
  • AGR_DEFINE: To See All Roles (Role definition). Report: RSUSR070
  • AGR_HIER2: Menu structure information - Customer vers
  • AGR_HIERT: Role menu texts
  • AGR_OBJ: Assignment of Menu Nodes to Role
  • AGR_PROF: Profile name for role
  • AGR_TCDTXT: Assignment of roles to Tcodes
  • AGR_TEXTS: File Structure for Hierarchical Menu – Cus
  • AGR_TIME: Time Stamp for Role: Including profile
  • AGR_USERS: Assignment of roles to users
  • USOBT: Relation transaction to authorization object (SAP)
  • USOBT_C: Relation Transaction to Auth. Object (Customer)
  • USOBX: Check table for table USOBT
  • USOBXFLAGS: Temporary table for storing USOBX/T* chang
  • USOBX_C: Check Table for Table USOBT_C
  • TSTCA: Transaction Code, Object, Field and Value

More User/Security tables

  • DEVACCESS: Table of development users including dev access key
  • USR02: Logon data
  • USR04: User master authorization (one row per user)
  • UST04: User profiles (multiple rows per user)
  • USR10: Authorisation profiles (i.e. &_SAP_ALL)
  • UST10C: Composite profiles (i.e. profile has sub profile)
  • USR11: Text for authorisation profiles
  • USR12: Authorisation values
  • USR13: Short text for authorisation
  • USR40: Table for illegal passwords
  • OBJT: Authorisation object table

TH_POPUP function: messages

With transaction SM02 we can post a message in the system to warn of possible restarts, possible interventions, or other incidents that may affect the normal service of the server.

But how do we notify one specific user about something in particular? Very easily: we have a function that we can run from SM37, TH_POPUP, which gives us this option.

More information on using the function is available in our Spanish-language SAP help forums.

HR Authorization Management

Managing authorizations through the organizational structure in SAP HR

This authorization limits the branch of the organizational structure that users can access.

It is a standard SAP authorization that by default assigns all users the main branch of the active organizational structure.

To refine these authorizations, two steps must be followed:

1.- Define structural profiles (branches of the organizational structure and object types)

2.- Assign structural profiles to users.

These activities can be carried out in SPRO under the branch “Personnel Management – Personnel Management – Tools – Authorization Management – Structural Authorizations for Organizational Management”. How this works in detail is explained in the SAP manual HR940 – Authorizations in HR – Unit 7.

Define structural profiles

This activity corresponds to transaction OOSP.

A profile is understood as a group of branches of the organizational structure that can later be assigned to users.

By default there is a profile “ALL”, which refers to the main branch of the organizational structure and is the one assigned to users by default. That is, by default, users have access to the main branch of the organizational structure.

If we want to filter the branches that users can access, we have to create our own profiles defining the branches they can access.

Assign structural authorizations

This activity corresponds to transaction OOSB.

In this activity, users are assigned to the profiles that have been created.

There is a standard entry SAP* to which the profile ALL is applied. This entry is what causes a user with no specific profile assigned to receive this one and have full visibility of the organizational structure.

In this table you have to specify:

- User

- Associated profile

- Start date for applying the profile

- End date for applying the profile

- Exclusion (to create inverse authorizations)

There is also a “Display objects” button with which we can validate the level of visibility of a user with an assigned profile.

SAPehpi for support pack upgrade

Since the end of October 2010, a new version of the SAP enhancement package installer has been generally available to customers via SAP Service Marketplace. You can use the new SAPehpi for a pure support pack upgrade:
We used SAPehpi to upgrade the support pack in Solution Manager, ECC6.0 EHP4 dual stack, SRM, SUS and NetWeaver components like BI and cFolders.
The following are the lessons learned during the support pack upgrade:
  • SAPOSCOL will not be copied by SAPehpi. Make sure that after the upgrade you manually copy SAPOSCOL to the exe directory.
  • Keep only relevant profiles in the profile directory.
  • Before starting the downtime phase, the system prompts for an offline backup; if you have a dual stack (ABAP+Java), it does not come after backup because the ABAP stack is locked for upgrade.
  • Don’t click the back button after queue calculation. SAPehpi will not refresh the queue, and it will create inconsistency and prompt errors.
  • During the upgrade the SAP kernel is overwritten. Make sure you have created a copy of the existing kernel before the upgrade for any third-party executables.
  • Refer to Note “1399846 - Deploy_online_Depl fails:No Qeueue with sapjup-queue id” before the upgrade.
  • Keep the latest kernel in the download directory; SAPehpi will automatically implement it.
  • Before starting the upgrade, create a user with development access in client ‘000’.
  • Make sure you have sufficient disk space in /usr/sap and the download directory.
  • Make sure <sid>adm has the required permissions in the download directory.
  • Don’t stop or start the shadow instance manually. During the upgrade SAPehpi will automatically shut down or restart the instance if required.
Sanjay Hanspal - Specialist Master in Deloitte Consulting.
Reblogged from SDN SAP Blogs.

Sap_All vs. Sap_New

Most of the time you might have a question in your mind about why we give sap_all and sap_new every time we create an admin user (although some people used to give sap_all to everyone). So here I am sharing my knowledge about the difference between these two:

SAP_NEW:
SAP_NEW is a SAP standard profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users are not hindered during the upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed, and replaced with the now modified roles, as it has more extensive authorizations than required.

SAP_ALL:
SAP_ALL is a SAP standard profile which is used on a need basis to resolve particular issues that may arise during the usage of SAP. It is used by administrators/developers only and is applied on a need-to-use basis, then withdrawn. It contains all SAP system objects and transactions. SAP_ALL is very critical, and only SAP* has SAP_ALL attached to it in the production system. No other dialog users have SAP_ALL attached to them.
SAP_NEW is used in the production environment during a version upgrade, whereas SAP_ALL should not be, or is not allowed to be, used in production except where necessary, in a controlled manner with all proper approvals from the customer.

Reblogged from: SapTechies
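
The rule stated in this post (SAP_ALL held only by SAP* in production, SAP_NEW withdrawn after the upgrade) can be checked offline against exports of USR02, UST04 and UST10C, including SAP_ALL hidden inside a composite profile. This is an added example, not code from the original post or from SAP; the CSV data is constructed, and the column names (BNAME, USTYP, PROFILE, PROFN, SUBPROF) and the allow-list are assumptions to adjust to your system.

```python
import csv
import io

# Constructed sample exports (for example SE16 downloads); not real system data.
# Column names are assumptions of this example; check them against your release.
USR02_CSV = """BNAME,USTYP
SAP*,A
JDOE,A
BATCH01,B
MSMITH,A
ADMIN2,A
"""
UST04_CSV = """BNAME,PROFILE
SAP*,SAP_ALL
JDOE,Z_FI_CLERK
BATCH01,SAP_ALL
MSMITH,Z_BASIS_COMP
ADMIN2,SAP_NEW
"""
# Composite profiles: Z_BASIS_COMP contains Z_EMERGENCY, which contains SAP_ALL.
# The last row is a deliberate cycle to show that expansion terminates.
UST10C_CSV = """PROFN,SUBPROF
Z_BASIS_COMP,Z_BASIS_CORE
Z_BASIS_COMP,Z_EMERGENCY
Z_EMERGENCY,SAP_ALL
Z_EMERGENCY,Z_BASIS_COMP
"""

CRITICAL = {"SAP_ALL", "SAP_NEW"}
# Assumed policy, taken from the text above: only SAP* may hold SAP_ALL.
ALLOWED = {("SAP*", "SAP_ALL")}
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication",
              "S": "service", "L": "reference"}


def read_rows(text):
    """Parse one CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def build_children(ust10c_rows):
    """Map each composite profile to the sub-profiles it directly contains."""
    children = {}
    for row in ust10c_rows:
        children.setdefault(row["PROFN"], []).append(row["SUBPROF"])
    return children


def expand(profile, children, seen=None):
    """Return the profile plus every sub-profile reachable from it."""
    seen = set() if seen is None else seen
    if profile in seen:          # already visited: stops cycles
        return seen
    seen.add(profile)
    for sub in children.get(profile, ()):
        expand(sub, children, seen)
    return seen


def audit(usr02_rows, ust04_rows, ust10c_rows):
    """List users who hold a critical profile directly or via a composite."""
    user_type = {r["BNAME"]: r["USTYP"] for r in usr02_rows}
    children = build_children(ust10c_rows)
    findings = []
    for row in ust04_rows:
        user, assigned = row["BNAME"], row["PROFILE"]
        for crit in sorted(expand(assigned, children) & CRITICAL):
            if (user, crit) in ALLOWED:
                continue
            findings.append({
                "user": user,
                "profile": crit,
                "via": assigned,  # the profile actually assigned in UST04
                "user_type": USER_TYPES.get(user_type.get(user), "unknown"),
            })
    return sorted(findings, key=lambda f: (f["user"], f["profile"]))


if __name__ == "__main__":
    rows = audit(read_rows(USR02_CSV), read_rows(UST04_CSV),
                 read_rows(UST10C_CSV))
    for f in rows:
        print(f'{f["user"]:<8} {f["user_type"]:<8} {f["profile"]} '
              f'(assigned profile: {f["via"]})')
```

The `via` column matters for remediation: MSMITH never appears with SAP_ALL in UST04, so a plain filter on that table would miss the assignment.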

Adding text to the SAP logon screen

I found this article extremely interesting for SAP consulting in general: knowing how to modify the SAP logon screen. I think it is important for leaving contact information (as I am about to explain) on the logon screen seen by all SAP end users in the company.

I recommend reading our tutorial carefully, and then logging on to the system (I recommend in English) to make the changes.

Step by step, we have to do the following:

1. Log on to SAP.
2. Run transaction SE61.

Change the following settings:
  • In “Document Class” enter “General Text”
  • The “Language” can be changed or not. I leave it as English.
  • In “Name” enter ZLOGIN_SCREEN_INFO
After that, click the “CHANGE” button.

3. Here we have to add the information we want to appear:

4. Press “CTRL+S” and activate with “CTRL+F12” when finished.
5. Exit SAP (close everything; we can use “/nex” and press Enter).
The next time we log on to SAP, we will see the information we entered, like this:

And that is all.
I hope you can make good use of it.
Regards, ^Osw.


Images and source: FreeSapTutorial

SE16N: The security implications

Why you should not do this in any productive system, or any system that you don't wish to restore because you've messed up referential integrity....

  • Reason 1: If you are ISO certified, then you will be going against their instructions
  • Reason 2: If you are bound by SOX compliance then you will not be adhering to it
  • Reason 3: You can cause data inconsistencies between tables that have relationships with each other. It will not maintain referential integrity between the tables.
  • Reason 4: SAP will not support any inconsistencies brought about by this method

Transaction SE16N vulnerability

This article was published for informational purposes in 2010 and is kept only for that reason.

At that time our site carried articles in English. We later stopped publishing articles in that language.



Please restrict access to SE16N in your production systems. If you're sufficiently paranoid, you may want to remove the transaction completely.

I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings. It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way. More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL role.

Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.

In the example below, I've changed the User Group to SUPER.

Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.

The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:


SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data

This means, in theory, that you can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place. However, there's a bigger issue.....

When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.

1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.

2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.

Martin English - I am a Netweaver Technical Consultant for CSC Australia, supporting the complete SAP lifecycle from pre-sales planning through to decommissioning. The opinions expressed here very rarely coincide with those of my employer, customers, or indeed any one else. This is written by me, not them.

Changing time zones in SAP ECC 6.0

Our security team wants to implement the GRC package into our SAP system and the pre-requisite for this is to change the system time to UTC. We are running SAP ECC 6.0, and our current system time is based on EDT. We would like to understand the negative impacts this implementation may have - other than the obvious need to reschedule batch jobs. For example, what will happen to the date and time stamps of old documents?

Time stamps for documents can be stored in two different formats:
  • Using standard ABAP date and time fields (YYYYMMDD and HHMMSS). Here the time stamp corresponds to the system time, i.e. the time on the database server as returned by the ABAP system variable SY-DATUM and SY-UZEIT. Using the system time is necessary to avoid situations where, for instance, a financial document created by a user in Berlin (CET) would be modified a few minutes later by a user in New York (EDT). If the user’s time zone were stored in the document data, then it would seem as if the document had been changed before it was created. However, many applications will take the time zone into account when processing these documents. How this is done depends on the time zone-related information that is available for the document. The details are explained in the SAP online help (help.sap.com) in the guide “Time Zones” (CA-GTF-TIM). This same guide also describes various application-specific scenarios.
  • Another format that is frequently used is the ABAP time stamp format (handled in ABAP with the “GET TIME STAMP” and “CONVERT TIME STAMP” statements). A time stamp field is always in UTC and the application will automatically convert it to/from the user’s time zone.



Reblogged from SearchSap.

Custom transaction for Report Painter

In many organizations, access to transaction GR55 has been removed from end users and custom transactions for Report Painter reports are preferred.

These transactions need to be added to roles & also transported via the SAP Transport system and go through change control.

One mistake is to create Variant Transactions that add another layer of objects to maintain and transactions that are not easily accepted by the end user community:

The user will then have to navigate past the selection screen where the report group is selected.

Another common mistake is that users create the transaction code with the SAP-generated program name of the Report Painter report.

The user usually runs the report and, via the menu path System → Status, identifies the SAP-generated report name, such as GP4D9W908VD93NG59JGEC5C4HE3200 in the development system or GP4D9W908VD93NG59JGEC5C4HE3400 in the productive system. Both program names look identical except for the last 3 digits, which represent the client in which the report was generated.

Because you don’t have control over the SAP-generated program name, you run into problems when the user tries to execute the program and a short dump may occur or the system may tell the user that the program doesn’t exist.

The right approach is to create a Parameter Transaction, map this transaction to the necessary objects in SU24 so that you can make sure that you won’t run into any authorization issues when the user runs the reports.

To create a custom transaction, you need to use transaction SE93 in the development client where your program development & configuration takes place.

Enter a transaction with the naming convention that your organization has issued and select the ‘create’ button:

Enter a short description (according to naming standards of your organization) and select the option ‘Transaction with parameters’:

Enter transaction ‘START_REPORT’ as shown below (1) and select ‘Skip Initial Screen’ (2):

In the lower section, enter Screen Field D_SREPOVARI-REPORTTYPE with the value RW for Report Writer and D_SREPOVARI-REPORT for your report name. If you have an extended report name, you can also add the screen field D_SREPOVARI-EXTDREPORT with the appropriate value to the list of screen fields.

After saving the transaction, the system asks you for a package & transport request. Follow the development standards & instructions from your organization.

Once you have created the transaction, you need to make sure that it will be fully functional from a SAP Security standpoint. Use transaction SU24 to map the object S_Program to the transaction you have just created. The authorization group is the name of the Library with the prefix of RW_. You can find out the library via the report group or by running a trace. (This is helpful if you did not create the report and don’t know what library the developer was using).

If you want to run the authorization analysis via ST01, you can find out easily what the values for S_Program should be:

Once you have identified the objects & values, you can then map the object to the transaction with transaction SU24:

Add all objects needed to run this report (you can find out the objects via your trace analysis):

Switch the indicator to check/maintain:

Enter the values according to your findings

Don’t forget to double-check the values. You may want to make selections regarding how the user can run the report according to your company guidelines and development standards:

When the SAP Security Administrator maps the newly created transaction to a role, the objects needed for this transaction will be automatically pulled into the role:

Depending on your SAP Security setup, the values of the individual authorizations for Report Writer may be more granular or with access to a broader area.


Reblogged from home4sap.com

Client Copy

Client copy showing the status as "Post Processing Required".

Nearly 250 tables were not copied.
Giving Warning in FIN-BN component.

In SM37 the client copy job is Successfully Completed.

I am not sure whether the client copy is completed successfully or not..

Client Copy: Derivation rule tables

Client copy is completed with status "Post-Processing Required". There is an error in log for object FINB-TR-DERIVATION:
DA300 "No active nametab exists for *some db table*"

Name of db table is usually with naming convention:
xxyyyysssmmmnnnn (xx - application class, yyyy - strategy ID, sss - system indicator, mmm - client, nnnn - sequence number)

These db tables are part of some instance of derivation tool in your system and are used to store Derivation Rule Values.

Other terms

ABADR, FINB_TR_CC_EXIT, FINB_TR_CC_EXIT_TARGET, DA 300, DA300, CC, SCC9, SCCL, SCC3

Reason and Prerequisites

During Client Copy processing there was a huge workload in your system. The CC process creates new tables to store copied derivation rules. This is done in a parallel asynchronous process. But due to the workload in the system, these tables weren't created as fast as needed by the CC process.
The CC process cannot access these tables to save derivation rules in the target client, as also mentioned in the log.

Solution


HOW TO FIX CURRENT CLIENT COPY
(All steps to be performed in target logical system)

      1. Decrease workload as much as possible

      2. Execute report ABADRCHECK with selected 'DELSTEPS'
      (see note 653314 for more details)

      3. Execute TCode FINB_TR_EXEC_AI (Postprocessing of Client Copy)
      (Please note that any changes done between Client Copy and executing TCode FINB_TR_EXEC_AI will be overwritten!)

      4. Result of FINB_TR_EXEC_AI execution

            a) Executed with same error DA 300
            The workload is still too high; make sure that the workload is decreased and repeat steps 1. - 3.

            b) Executed without any errors
            Consider FINB-TR-DERIVATION part of Client Copy as completed successfully. Note, that status of Client Copy in TCode SCC3 "Post-Processing Required" is final and it's not updated based on successful execution of FINB_TR_EXEC_AI.

            Information about final Client Copy status need to be evaluated and kept outside of SAP system. Or optionally, the client can be protected against any further manually triggered post processing procedure (e.g. using TCodes FINB_TR_EXEC_AI, FINB_TR_DISPLAY etc.) using the IMG activity "Complete Postprocessing". It's suggested to do so, when Client Copy is successfully repaired by repetitive execution of post processing procedure.


WHAT TO DO BEFORE NEXT CLIENT COPY
Make sure that there will be no performance issues during Client Copy processing in target logical system.

FAQ: Upgrade PREPARE

1. When should I start the PREPARE?

Start the PREPARE as early as possible before the upgrade so that you can set up or carry out the necessary preparations in good time.

2. Can I repeat the PREPARE?

You can repeat most of the PREPARE modules as often as you like without resetting the entire PREPARE. You must reset PREPARE only when you make bigger changes to the source release, for example, if you import software such as SAP Support Packages, languages or add-ons (including add-on updates) after the PREPARE is started. In general, however, you should ensure that the relevant modules are completely executed before resetting the PREPARE as described in the upgrade guide. Keep in mind that resetting only changes the status for the upgrade and does not undo any PREPARE database operations.

3. Must I include Support Packages in the upgrade?

We generally recommend that you include Support Packages; otherwise, depending on the Support Package level of the source release, the system carries out a downgrading of objects. This may cause data losses and/or problems in some upgrade phases. For more information, see Notes 73510 and 119738. Furthermore, this is often the quickest method of importing Support Packages.

ST03N and STAD

I still need to verify this, but there are two transactions in SAP that log, as I have seen explained, how many times transactions are used in the system over a given period of time.


Under Analysis Views --> Transaction Profile.
(...)
...the transactions used are ST03N and STAD... Although I very much doubt they keep records for a period as long as a year...


FAQ: Client copy

Symptom

1. Which authorizations are required to execute a client copy?
2. Which data is actually copied with a client copy?
3. Can I only copy the Customizing and therefore receive the application data in the target client?
4. Can I copy between systems with different R/3 releases/add-ons?
5. Can I create client copies in a heterogeneous system landscape?
6. How can I improve the performance of a client copy?
7. Which is better or faster, a client transport or a remote copy?
8. How much space does the new client require?
9. Can I exclude certain tables from a client copy?
10. Where do I find the cause of an error or a copy termination?
11. How does a client copy behave during a termination or database error? When does the system offer a restart?
12. How do I create a new client? Which copy profile and which source client should I use?
13. Why does a remote copy terminate, referring to DDIC differences?
14. Why are there still differences between the systems, for instance with the programs, even after I copy with the copy profile SAP_ALL?
15. What is client 001 used for?
16. Can I delete client 001?
17. Can I use client 001 in production?
18. Can I use more than one client for production in a system?
19. After a client copy, there are problems with number ranges in the target client. Why is this?

Other terms

FAQ, Q+A, CC-INFO, CC_ADMIN, SCCL, SCC5, SCC7, SCC8, SCC9

Role Comparing in SAP

For role comparison, both roles must be in the same system and in the same client.

Transaction code SUIM -> Comparison -> Roles

If the roles are in different systems, transport the role into one of the systems and do the comparison there. If no transport connection is defined, you can use the upload and download option in PFCG.

Steps for Role Comparing:

1. Run the t-code SUIM.

2. Go to Comparison and select the Roles option.

3. Click on the Across systems option. Under Remote Comparison it lets you select the system name: enter the SYS ID of the system you want to compare against, put the role name in the compare role section, then execute; it will give you the result.

4. If there are any differences between the t-codes, they will be shown in red; otherwise in yellow.

Data Archiving

Data archiving removes bulk data which is no longer required in the System, but which must be retained accessibly, from the database. Data in the R/3 database can only be archived via archiving objects, which describe the data structure. Financial accounting documents, for example are archived via the archiving object FI_DOCUMNT, which comprises the document header, company-code-dependent postings, change documents, SAPscript texts and other elements. The application archiving objects are pre-defined in the system. The archiving programs are scheduled as background jobs, but can run during on-line processing. The system need not be shutdown.