SAP ABAP, Basis, WAS and Netweaver
According to this user, it is fairer to compare Basis with WAS (which is simply Web Application Server). BASIS work is more of an administration job; it acts as middleware, just as WAS does. The difference lies in the web and other new components that came into use, which BASIS did not fully support before.
SAP Basis manual: TADM10, TADM12 and TADM51
- TADM10 (part 1)
- TADM10 (part 2)
- TADM12 (part 1)
- TADM12 (part 2)
- TADM51
SAP Basis
Basis or Netweaver
TADM10 #1: SAP Netweaver AS Implementation & Operation I
TADM10 #2: SAP Netweaver AS Implementation & Operation I
TADM12 #1: SAP Netweaver AS Implementation & Operation II
TADM12 #2: SAP Netweaver AS Implementation & Operation II
TADM51: Database Administration Oracle
More SAP information
SAP performance problems
SAP authorization trace
This tool has characteristics that make it one of the most important for auditing and obtaining evidence of user access in the SAP system:
- The tool is easy to use, though mastering the authorization concept is recommended in order to use it and interpret its results properly (layers 1, 2 and 3 of authorization security)
- The tool does not degrade the performance of the environment in which it is active (it is not invasive). Performance is the typical reason auditors are denied access to it, which loses the opportunity to obtain very good quality evidence for the audit. If the trace is active only for authorization checks, there is no performance loss. There could eventually be an impact to the extent that all trace options (RFC, tables, etc.) are activated.
Why Back Up the Database
Split-Mirror Backup
Why back up the SAP database? For large global organizations with operations in many countries, a robust Information Technology infrastructure available 24x7, 365 days a year has become absolutely necessary. Non-availability of information systems, for however short a time, would cause these organizations losses in the millions. The loss of data due to system failures could even result in the closure of these organizations. In such a scenario it has become absolutely necessary not only to have a mechanism to take backups of the systems efficiently, but also to be able to do so without any downtime or performance degradation.
The Split-Mirror technology helps achieve high availability of the database by letting a system take a backup quickly, typically in seconds. It also eliminates the use of the database server's system resources for backing up the database, thus avoiding the system degradation often experienced while backups are running.
Authorization Objects for ALE EDI
Object ALE/EDI: Maintaining logical systems
Authorization B_ALE_LS_ALL
---------------------------------
| Field                | Values |
---------------------------------
| Logical system       | *      |
---------------------------------
Object ALE/EDI: Distributing master data
Authorization B_ALE_MA_ALL
---------------------------------
| Field                | Values |
---------------------------------
| Logical message type | *      |
---------------------------------
SAP PM: authorisation objects
How to get the authorisation objects for SAP PM?
Check this for the common PM authorisation objects:
- I_ILOA - Change location and accounting data in the order
- I_CCM_ACT - Configuration Control authorization object
- I_ALM_ME - Mobile Asset Management
- I_VORG_MEL - PM/QM: Business Operation for Notifications
- I_QMEL - PM/QM: Notification Types
- I_BEGRP - PM: Authorization Group
SAP upgrade guide
Upgrade Master Guide for SAP ERP
I found on the web a manual for performing an SAP upgrade. Being official documentation, it is in PDF and in English.
I will tell you, in broad strokes, how to use this document and what it covers, so that you can get an idea of its scope before downloading it.
Useful SAP BASIS transactions
For the cases where SAP ECC 6.0 shows no description, I left the English description given on this page: Useful SAP System Administration Transactions
- AL01: SAP Alert Monitor
- AL02: Database alert monitor
- AL03: Operating system alert monitor
- AL04: Monitor call distribution
- AL05: Monitor current workload
Tables: SAP keys
Some of the tables where SAP keys are stored are:
- DEVACCESS: Records all developer keys
- ADIRACCESS: Records all keys of modified objects
- TDEVC and view V_TDEVC: Records all development classes or packages
Source consulted: Sap-adm.blogspot.com
Security tables
Table, description, and report (where one is listed):
- USR02: Users Data (logon data). Report: RSUSR020
- USR04: User master authorization (one row per user)
- UST04: User profiles (multiple rows per user)
- USR10: Authorisation profiles (i.e. &_SAP_ALL)
- UST10C: Composite profiles (i.e. profile has sub profile)
- USR11: Text for authorisation profiles
- USR12: Authorisation values. Report: RSUSR030
- USR13: Short text for authorisation
- USR40: Table for illegal passwords
- USGRP: User groups
- USGRPT: Text table for USGRP
- USH02: Change history for logon data
- USR01: User Master (runtime data)
- USER_ADDR: Address Data for users
- AGR_1016: Role and Profile. Report: RSUSR020
- AGR_1016B: Role and Profile
- AGR_1250: Role and Authorization data
- AGR_1251: Role Object, Authorization, Field and Value. Report: RSUSR040
- AGR_1252: Organizational elements for authorizations
- AGR_AGRS: Roles in Composite Roles
- AGR_DEFINE: To See All Roles (Role definition). Report: RSUSR070
- AGR_HIER2: Menu structure information - Customer vers
- AGR_HIERT: Role menu texts
- AGR_OBJ: Assignment of Menu Nodes to Role
- AGR_PROF: Profile name for role
- AGR_TCDTXT: Assignment of roles to Tcodes
- AGR_TEXTS: File Structure for Hierarchical Menu – Cus
- AGR_TIME: Time Stamp for Role: Including profile
- AGR_USERS: Assignment of roles to users
- USOBT: Relation transaction to authorization object (SAP)
- USOBT_C: Relation Transaction to Auth. Object (Customer)
- USOBX: Check table for table USOBT
- USOBXFLAGS: Temporary table for storing USOBX/T* chang
- USOBX_C: Check Table for Table USOBT_C
- TSTCA: Transaction Code, Object, Field and Value
More User/Security tables
- DEVACCESS: Table of development users including dev access key
- USR02: Logon data
- USR04: User master authorization (one row per user)
- UST04: User profiles (multiple rows per user)
- USR10: Authorisation profiles (i.e. &_SAP_ALL)
- UST10C: Composite profiles (i.e. profile has sub profile)
- USR11: Text for authorisation profiles
- USR12: Authorisation values
- USR13: Short text for authorisation
- USR40: Table for illegal passwords
- OBJT: Authorisation object table
TH_POPUP function: messages
But how do you notify a specific user about something in particular? Very easy: there is a function we can run from SM37, TH_POPUP, which gives us this option.
More information on using the function is available in our SAP help forums in Spanish.
HR authorization management
Authorization management through the organizational structure in SAP HR
This authorization limits the branch of the organizational structure that users can access.
It is a standard SAP authorization that by default assigns all users the main branch of the active organizational structure.
To refine these authorizations, two steps are needed:
1.- Define structural profiles (branches of the organizational structure and object types)
2.- Assign structural profiles to users.
These activities can be carried out in SPRO under the branch “Personnel Management – Personnel Management – Tools – Authorization Management – Structural Authorizations for Organizational Management”. How this works in detail is explained in the SAP manual HR940 – Authorizations in HR – Unit 7.
Define structural profiles
This activity corresponds to transaction OOSP.
A profile is a group of branches of the organizational structure that can later be assigned to users.
By default there is an “ALL” profile that refers to the main branch of the organizational structure and is the one assigned to users by default. That is, by default, users have access to the main branch of the organizational structure.
To filter the branches that users can access, we have to create our own profiles defining the branches they can access.
Assign structural authorizations
This activity corresponds to transaction OOSB.
In this activity, users are assigned to the profiles that have been created.
There is a standard entry SAP* to which the ALL profile is applied. This entry is what causes a user with no specific profile associated to receive this one and have full visibility of the organizational structure.
In this table you have to specify:
- User
- Associated profile
- Start date for applying the profile
- End date for applying the profile
- Exclusion (to build inverse authorizations)
There is also a “Display objects” button with which we can validate the level of visibility of a user with an associated profile.
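The fallback described above is the part worth auditing: a user without a valid entry of their own inherits the SAP* entry and with it the ALL profile. The following added example (not from the original article) resolves the effective profiles for a list of users from constructed assignment rows; the row layout is hypothetical and mirrors the columns listed above, and it assumes that an expired entry counts as no entry.

```python
from datetime import date

# Constructed rows mirroring the OOSB columns listed above:
# (user, profile, valid_from, valid_to, exclusion). The layout is hypothetical.
ASSIGNMENTS = [
    ("SAP*",   "ALL",        date(1900, 1, 1), date(9999, 12, 31), False),
    ("HRMGR1", "Z_SALES_EU", date(2024, 1, 1), date(9999, 12, 31), False),
    ("HRMGR2", "Z_PLANT_MX", date(2023, 1, 1), date(2023, 12, 31), False),  # expired
    ("HRMGR3", "ALL",        date(2024, 1, 1), date(9999, 12, 31), False),
    ("HRMGR3", "Z_BOARD",    date(2024, 1, 1), date(9999, 12, 31), True),   # exclusion
]

DEFAULT_USER = "SAP*"  # standard entry that carries the ALL profile


def effective_profiles(user, rows, on):
    """Return ([(profile, exclusion)], inherited) for `user` on date `on`."""
    def valid(for_user):
        return [(profile, excl) for u, profile, start, end, excl in rows
                if u == for_user and start <= on <= end]

    own = valid(user)
    if own:
        return own, False
    # Assumption: no valid entry of their own means the SAP* entry applies.
    return valid(DEFAULT_USER), True


def full_visibility_report(users, rows, on):
    """Map each user who effectively holds ALL to how they obtained it."""
    report = {}
    for user in users:
        profiles, inherited = effective_profiles(user, rows, on)
        if any(profile == "ALL" and not excl for profile, excl in profiles):
            report[user] = "inherited from SAP*" if inherited else "explicit"
    return report


if __name__ == "__main__":
    check = ["HRMGR1", "HRMGR2", "HRMGR3", "NEWHIRE"]
    for user, how in full_visibility_report(check, ASSIGNMENTS, date(2024, 6, 1)).items():
        print(f"{user}: full visibility ({how})")
```

Users reported as inherited are the ones that need their own structural profile before the SAP* default can be narrowed.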
SAPehpi for support pack upgrade
Since the end of October 2010, a new version of the SAP enhancement package installer has been generally available for customers via SAP Service Marketplace. You can use the new SAPehpi for a pure support pack upgrade:
We used SAPehpi to upgrade support packs in Solution Manager, ECC6.0 EHP4 dual stack, SRM, SUS and NetWeaver components like BI and cFolders.
Following are the lessons learned during the support pack upgrade:
- SAPOSCOL will not be copied by SAPehpi. Make sure after the upgrade you manually copy SAPOSCOL to the exe directory.
- Keep only relevant profiles in the profile directory.
- Before starting the downtime phase the system prompts for an offline backup; if you have dual stack (ABAP+Java), it does not come after backup because the ABAP stack is locked for upgrade
- Don’t click the back button after queue calculation. SAPehpi will not refresh the queue, and it will create inconsistency and prompt errors.
- During the upgrade the SAP Kernel is overwritten. Make sure you have created a copy of the existing kernel before the upgrade for any third party executables.
- Refer to Note “1399846 - Deploy_online_Depl fails:No Qeueue with sapjup-queue id” before the upgrade.
- Keep the latest kernel in the download directory; SAPehpi will automatically implement it.
- Create a user in client ‘000’ with development access before starting the upgrade.
- Make sure you have sufficient disk space in /usr/sap and the download directory
- <sid>adm has the required permissions in the download directory
- Don’t stop or start the shadow instance manually. During the upgrade SAPehpi will automatically shut down or restart the instance if required.
Sanjay Hanspal - Specialist Master in Deloitte Consulting.
Sap_All vs. Sap_New
SAP_NEW:-
SAP_NEW is a SAP standard profile which is usually assigned to system users temporarily during an upgrade, to ensure that the activities and operations of SAP users are not hindered during the upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed, and replaced with the now modified roles, as it has more extensive authorizations than required.
SAP_ALL:-
SAP_ALL is a SAP standard profile which is used on a need basis to resolve particular issues that may arise during the usage of SAP. It is used by administrators/developers only and is applied on a need-to-use basis, then withdrawn. It contains all SAP system objects and transactions. SAP_ALL is very critical and only SAP* has SAP_ALL attached to it in the production system. No other dialog users have SAP_ALL attached to them.
SAP_NEW is used in the production environment during a version upgrade, whereas SAP_ALL should not be, or is not allowed to be, used in production except where necessary, in a controlled manner and with all proper approvals from the customer.
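A check for the rule above, as an added example that is not part of the original article: it reads constructed CSV exports of UST04 (user profiles) and USR02 (logon data) and flags dialog users other than SAP* that hold SAP_ALL, plus any user that still holds SAP_NEW. The export layout with columns MANDT, BNAME, PROFILE and USTYP, and the user-type code A for dialog users, are assumptions about how the tables were exported.

```python
import csv
import io

# Constructed sample exports (for instance saved as CSV from a table browser).
UST04_CSV = """MANDT,BNAME,PROFILE
100,SAP*,SAP_ALL
100,JDOE,SAP_ALL
100,BATCH01,SAP_ALL
100,MSMITH,SAP_NEW
100,MSMITH,Z_FI_CLERK
100,FIREFIGHT1,SAP_ALL
"""

USR02_CSV = """MANDT,BNAME,USTYP
100,SAP*,A
100,JDOE,A
100,BATCH01,B
100,MSMITH,A
100,FIREFIGHT1,S
"""

DIALOG = "A"                 # assumed user-type code for dialog users
ALLOWED_SAP_ALL = {"SAP*"}   # per the text, only SAP* keeps SAP_ALL in production


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_profiles(ust04_rows, usr02_rows):
    """Return sorted findings as (client, user, profile, severity) tuples."""
    user_type = {(r["MANDT"], r["BNAME"]): r["USTYP"] for r in usr02_rows}
    findings = []
    for row in ust04_rows:
        key = (row["MANDT"], row["BNAME"])
        profile = row["PROFILE"].strip().upper()
        if profile == "SAP_ALL" and row["BNAME"] not in ALLOWED_SAP_ALL:
            # Dialog users are the case the text rules out; other user types
            # (or users missing from USR02) are listed for manual review.
            severity = "HIGH" if user_type.get(key) == DIALOG else "REVIEW"
            findings.append((*key, profile, severity))
        elif profile == "SAP_NEW":
            # SAP_NEW is meant to be withdrawn once the upgrade is finished.
            findings.append((*key, profile, "CLEANUP"))
    return sorted(findings)


if __name__ == "__main__":
    for client, user, profile, severity in audit_profiles(load(UST04_CSV), load(USR02_CSV)):
        print(f"[{severity}] client {client}: {user} holds {profile}")
```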
Adding text to the SAP logon screen
I recommend that you read our tutorial carefully and then log in to the system (I recommend in English) to make the changes.
Step by step, we have to do the following:
1. Log in to SAP.
2. Run transaction SE61.
Change the following settings:
- In “Document Class” enter “General Text”
- The “Language” can be changed or not. I leave English.
- In “Name” enter ZLOGIN_SCREEN_INFO
3. Here we add the information we want to appear:
4. Press “CTRL+S” and activate with “CTRL+F12” when finished.
5. Exit SAP (close everything; we can use “/nex” and press Enter)
When we log in to SAP again, we will see the information we entered, like this:
And that is all.
I hope you make good use of it.
Regards, ^Osw.
SE16N: The security implications
- Reason 1: If you are ISO certified, then you will be going against their instructions
- Reason 2: If you are bound by SOX compliance then you will not be adhering to it
- Reason 3: You can cause data inconsistencies between tables that have relationships with each other. It will not maintain referential integrity between the tables.
- Reason 4: SAP will not support any inconsistencies brought about by this method
Transaction SE16N vulnerability
Back then our website had articles in English. We later stopped publishing articles in that language.
Please restrict access to SE16N in your production systems. If you're sufficiently paranoid, you may want to remove the transaction completely
I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings. It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way. More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL role.
Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.
In the example below, I've changed the User Group to SUPER.
Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.
The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:
SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data
This means, in theory, that you can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place. However, there's a bigger issue.....
When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.
1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.
2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.
Martin English - I am a Netweaver Technical Consultant for CSC Australia, supporting the complete SAP lifecycle from pre-sales planning through to decommissioning. The opinions expressed here very rarely coincide with those of my employer, customers, or indeed any one else. This is written by me, not them.
Changing time zones in SAP ECC 6.0
Time stamps for documents can be stored in two different formats:
- Using standard ABAP date and time fields (YYYYMMDD and HHMMSS). Here the time stamp corresponds to the system time, i.e. the time on the database server as returned by the ABAP system variable SY-DATUM and SY-UZEIT. Using the system time is necessary to avoid situations where, for instance, a financial document created by a user in Berlin (CET) would be modified a few minutes later by a user in New York (EDT). If the user’s time zone were stored in the document data, then it would seem as if the document had been changed before it was created. However, many applications will take the time zone into account when processing these documents. How this is done depends on the time zone-related information that is available for the document. The details are explained in the SAP online help (help.sap.com) in the guide “Time Zones” (CA-GTF-TIM). This same guide also describes various application-specific scenarios.
- Another format that is frequently used is the ABAP time stamp format (handled in ABAP with the “GET TIME STAMP” and “CONVERT TIME STAMP” statements). A time stamp field is always in UTC and the application will automatically convert it to/from the user’s time zone.
Custom transaction for Report Painter
In many organizations, the usage of transaction GR55 has been removed from end users and the usage of custom transaction for Report Painter report is preferred.
These transactions need to be added to roles & also transported via the SAP Transport system and go through change control.
One mistake is to create Variant Transactions that add another layer of objects to maintain and transactions that are not easily accepted by the end user community:
The user will then have to navigate past the selection screen where the report group is selected.
Another common mistake is that users create the transaction code with the SAP-generated program name of the Report Painter report.
The user usually runs the report and, via the menu path System > Status, identifies the SAP-generated report name, such as GP4D9W908VD93NG59JGEC5C4HE3200 in the development system or GP4D9W908VD93NG59JGEC5C4HE3400 in the productive system. Both program names look identical except for the last 3 digits, which represent the client in which the report was generated.
Because you don’t have control over the SAP-generated program name, you run into problems when the user tries to execute the program and a short dump may occur or the system may tell the user that the program doesn’t exist.
The right approach is to create a Parameter Transaction, map this transaction to the necessary objects in SU24 so that you can make sure that you won’t run into any authorization issues when the user runs the reports.
To create a custom transaction, you need to use transaction SE93 in the development client where your program development & configuration takes place.
Enter a transaction with the naming convention that your organization has issued and select the ‘create’ button:
Enter a short description (according to naming standards of your organization) and select the option ‘Transaction with parameters’:
Enter transaction ‘START_REPORT’ as shown below (1) and select ‘Skip Initial Screen’ (2):
In the lower section, enter Screen Field D_SREPOVARI-REPORTTYPE with the value RW for Report Writer and D_SREPOVARI-REPORT for your report name. If you have an extended report name, you can also add the screen field D_SREPOVARI-EXTDREPORT with the appropriate value to the list of screen fields.
After saving the transaction, the system asks you for a package & transport request. Follow the development standards & instructions from your organization.
Once you have created the transaction, you need to make sure that it will be fully functional from a SAP Security standpoint. Use transaction SU24 to map the object S_Program to the transaction you have just created. The authorization group is the name of the Library with the prefix of RW_. You can find out the library via the report group or by running a trace. (This is helpful if you did not create the report and don’t know what library the developer was using).
If you want to run the authorization analysis via ST01, you can find out easily what the values for S_Program should be:
Once you have identified the objects & values, you can then map the object to the transaction with transaction SU24:
Add all objects needed to run this report (you can find out the objects via your trace analysis):
Switch the indicator to check/maintain:
Enter the values according to your findings
Don’t forget to double-check the values. You may want to make selections regarding on how the user can run the report according to your company guidelines and development standards:
When the SAP Security Administrator maps the newly created transaction to a role, the objects needed for this transaction will be automatically pulled into the role:
Depending on your SAP Security setup, the values of the individual authorizations for Report Writer may be more granular or with access to a broader area.
Reblogged from home4sap.com