Role Maintenance

We can use role maintenance to manage roles and authorization data. The tool for role maintenance, the Profile Generator, automatically creates authorization data based on selected menu functions. These are then presented for fine-tuning.

The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to centrally maintain the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.

With the roles, you assign to your users the user menu that is displayed after they log on to the SAP System. Roles also contain the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu.

Single Role Creation:-

Role maintenance covers the following tasks:

  • Changing and Assigning Roles
  • Creating Roles
  • Creating Composite Roles
  • Transporting and Distributing Roles

1) Changing and Assigning Roles

1.    Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access.
2.    Enter the name of the delivered standard role in the Role field.
3.    Copy the standard role by choosing Copy role and enter a name from the customer namespace.
Do not change the delivered standard roles (SAP_); change only the copies of these roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by newly delivered standard roles during a later upgrade or release change.

4.    Choose Change (the new name is in the Role field).
5.    You can change the user menu on the Menu tab page. You can reduce, extend or restructure it.
6.    On the Authorizations tab choose Change authorization data.
7.    Maintain the authorization field values as required. To adjust the authorizations for the menu changes, choose the Profile generation expert mode pushbutton on the Authorizations tab and then Read old version and adjust to new data.
8.    Generate the profile for the role.
9.    Assign users on the User tab page and compare users if necessary. The users must already exist in the system before you can assign them.




2) Creating Roles
1.    To start role maintenance, either choose Create Role in the SAP Easy Access transaction or choose Tools -> Administration -> User Maintenance -> Role Administration -> Roles (transaction PFCG).
2.    Enter the name of the role. Roles delivered by SAP start with the prefix “SAP_”. For your own user roles, instead of using the SAP namespace, use the customer namespace. This means that the prefix is “Y_” or “Z_”. You cannot tell from the names of the delivered roles whether they are single or composite roles. You should therefore create a naming convention for your roles so that you can differentiate between single and composite roles.
3.    Choose Create.
4.    You can assign transactions, reports, and Web addresses to the role on the Menu tab page.
5.    To generate the profile for the role, choose Change Authorization Data on the Authorizations tab page.
An input window may appear, depending on which activities you selected. You are prompted to enter the organizational levels. Organizational levels are authorization fields that occur in many authorizations (an organizational level is, for example, a company code). If you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically. The authorizations that are proposed automatically for the selected activities of the role are displayed on the following screen. Some authorizations have default values.
Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking on the white fields to the right of the authorization field name.
When you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign the complete authorization (star) for the hierarchy level for all non-maintained fields by clicking on the traffic lights.

Wherever there are red traffic lights, there are organizational levels with no values. You can enter and change organizational levels with Org. levels.
If you want other functions in the tree display, such as copying or collecting authorizations, you can show them with Utilities -> Settings.
a.    Generate an authorization profile for the authorizations. To do this, choose Generate. You are prompted for an authorization profile name. A valid name in the customer namespace is proposed.
b.    Leave the tree display after the profile generation.
If you change the menu and then call the tree display for the authorizations again, the authorizations of the new activities are mixed with those for the existing authorizations. There may then be a few yellow traffic lights, because there are authorizations in the tree that are incompletely defined. You must either manually assign values to these, or if you do not want to do this, delete them. To delete an authorization, deactivate it first and then delete it.
6.    You can also assign users to the role immediately.

7.    Save your entries.

User Groups

Transaction code SUGR is used to create and maintain user groups in the SAP system. User groups are commonly used to categorize users by a common denominator, sort users into logical groups and allow segregation of user maintenance; this is especially useful in a large organization. User groups can be categorized into two types:
• Authorization user group: Used in conjunction with the S_USER_GROUP authorization object. It allows security management authorizations to be created by user group; e.g. you can have a local security administrator who is only able to manage users in his groups, or a Help-Desk that can reset passwords for all users except users in some group.
• General user group: Used in conjunction with SUIM and SU10 to select all the users in a specific group. A user can be a member of only one authorization user group but of several general user groups.

Enter the name of the new user group in SUGR and click Create.

Then enter the user IDs of the people you want to add to the group.


Definition of SAP_NEW:-
SAP_NEW is an SAP standard profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users are not hindered during the upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed, and replaced with the now modified roles, because it contains more extensive authorizations than required.

Definition of SAP_ALL:-

SAP_ALL is an SAP standard profile which is used on a need basis to resolve particular issues which may arise during the usage of SAP. It is used by Administrators/Developers only and is applied on a need-to-use basis, then withdrawn. It contains all SAP system objects and transactions. SAP_ALL is very critical, and only SAP* has SAP_ALL attached to it in the production system. No other dialog users have SAP_ALL attached to them.

SAP_NEW is used in the Production environment during a version upgrade, whereas SAP_ALL should not be, or is not allowed to be, used in Production (for audit purposes, obviously), except where necessary, in a controlled manner with all proper approvals from the customer.
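
As an added example (not part of the original article), the following Python script checks the two rules stated above against exported user data: no dialog user other than SAP* holds SAP_ALL without approval, and SAP_NEW does not stay assigned. The CSV content, user names and the approved list are constructed; the column names assume exports of tables USR02 (BNAME, USTYP) and UST04 (BNAME, PROFILE).

```python
import csv
import io

# Constructed sample exports. Column names follow the SAP tables USR02
# (BNAME = user, USTYP = user type) and UST04 (BNAME, PROFILE).
USERS_CSV = """BNAME,USTYP
SAP*,A
JSMITH,A
DEV_MEIER,A
FF_BASIS,A
RFC_ALE,B
"""

PROFILES_CSV = """BNAME,PROFILE
SAP*,SAP_ALL
JSMITH,T-C1230001
JSMITH,SAP_NEW
DEV_MEIER,SAP_ALL
FF_BASIS,SAP_ALL
RFC_ALE,SAP_ALL
"""

DIALOG = "A"  # user type code for dialog users


def read_rows(text):
    """Parse a CSV export into dicts with stripped, upper-cased values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: v.strip().upper() for k, v in row.items()} for row in reader]


def audit_profiles(users_csv, profiles_csv, approved=frozenset()):
    """Return sorted (user, profile, reason) findings for SAP_ALL / SAP_NEW.

    approved: users with a documented approval for SAP_ALL (hypothetical
    allowlist for this example; SAP_NEW is never exempted).
    """
    user_type = {r["BNAME"]: r["USTYP"] for r in read_rows(users_csv)}
    findings = []
    for row in read_rows(profiles_csv):
        user, profile = row["BNAME"], row["PROFILE"]
        if profile == "SAP_NEW":
            findings.append((user, profile, "withdraw after upgrade"))
        elif profile == "SAP_ALL":
            if user not in user_type:
                findings.append((user, profile, "no user master record in export"))
            elif (user_type[user] == DIALOG and user != "SAP*"
                  and user not in approved):
                findings.append((user, profile, "dialog user with SAP_ALL"))
    return sorted(findings)


if __name__ == "__main__":
    for user, profile, reason in audit_profiles(USERS_CSV, PROFILES_CSV,
                                                approved={"FF_BASIS"}):
        print(f"{user:<12} {profile:<8} {reason}")
```
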

Maintain User

How to Change/ Delete/ Lock/ Unlock/ Copy SAP Account & How to Change Password Of SAP Account

Deleting SAP Account (SU01)
Locking/Unlocking SAP Account (SU01)
• Enter an existing user name and choose Lock/Unlock to grant or deny a user access to a system. Locking or unlocking a user master record takes effect the next time a user attempts to log on. Users who are logged on at the time that changes are made are not affected.
• The system automatically locks users if twelve successive unsuccessful attempts are made to log on. The lock is recorded in the system log, along with the terminal ID of the machine where the logon attempt took place.
• You can set the number of permissible unsuccessful logon attempts in a system profile parameter.
• This automatic lock is released by the system at midnight. You can also remove the lock manually before this time. Locks that you specifically set yourself apply indefinitely until you release them.
Changing Password of SAP Account
• Enter the user name and choose Change password.
• This new password must fulfill the standard conditions regarding permissible passwords.
• The new password is effective immediately. If users forget their password, they can use the new one as soon as it has been set.
• Users may change their passwords no more than once a day. System administrators, on the other hand, may change user passwords as often as necessary.
Copying an existing user (SU01)
• Choose Copy. Enter the name of a reference user and the new user name.
You can specify whether you want to copy only some of the user data or all of it. On the following screen you can edit the new user master record as required.
• You can also rename user master records if you simply want to replace one record with an identical one of a different name.

Creation of new user

SAP users can be created using transaction code SU01. While creating SAP users there are only 2 mandatory fields: User name on the Address tab and Initial Password on the Logon Data tab page. The main tasks that can be performed using transaction code SU01 are:-

  • Creating a User –

 Enter a user name and choose Create

  • Modifying Existing user –

 Enter an existing user name or an alias and choose Change.

  • Copy an Existing user to a new user –
    • Enter the name of the user to be copied and choose Copy. The system displays the Copy User dialog box.
    • In the From field, enter the user to be copied, and in the To field, enter the new user. In the Choose parts group box, you can specify the user data to be copied using the checkboxes. Logon data (password, SNC) is, of course, not copied. User maintenance appears, and you can edit the new user.
  • Deleting a User –

 Enter a user name or an alias and choose Delete.

  • Lock/Unlock a User –

    Enter an existing user name and choose Lock/Unlock to grant or deny a user access to a system. Locking or unlocking a user master record takes effect the next time a user attempts to log on. Users who are logged on at the time that changes are made are not affected.

    The system automatically locks users if twelve successive unsuccessful attempts are made to log on. The lock is recorded in the system log, along with the terminal ID of the machine where the logon attempt took place.

    You can set the number of permissible unsuccessful logon attempts in a system profile parameter.

    This automatic lock is released by the system at midnight. You can also remove the lock manually before this time. Locks that you specifically set yourself apply indefinitely until you release them.

  • Modifying a User’s Password –

    Enter the user name and choose Change password.

    This new password must fulfill the standard conditions regarding permissible passwords.

    The new password takes effect immediately, meaning that the user can use the new password immediately after the change.

    Users can change their own passwords no more than once a day. System administrators, on the other hand, may change user passwords as often as necessary.

  • Add a Role to a User

 

SAP Users

There are five types of users in SAP:

Dialog users (A)

A normal dialog user is used for all logon types by exactly one person. This type is used to log on using SAP GUI. During a dialog logon, the system checks for expired/initial passwords. The user can change his or her own password. Multiple dialog logons are checked and, if appropriate, logged. These users are used for carrying out normal transactions. This is an interactive type of logon. The initial multiple logons are 6. They are set according to company policy.

System Users (B)

These are non-interactive users. They are used for background processing and internal communication in the system (such as RFC users for ALE, Workflow, TMS, and CUA). Their passwords cannot be changed by the end users. Only the user administrator can change their passwords. Multiple logons are permitted for this type of user. Dialog logon is not possible for this type of user.

Communication Users (C)

Used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. Their passwords are valid for a certain period of time, so they expire. The users have the option to change their own passwords.

Service User (S)

Dialog user available to a larger, anonymous group of users. The system does not check for expired/initial passwords during logon. Only the user administrator can change the passwords. Generally, highly restricted authorizations are given to this type of user.

Reference User (L)

A reference user is, like the service user, a general non-person-related user. Dialog logon is not possible with this kind of user. A reference user is used only to assign additional authorizations. To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page.

Checking the size of the client

How to check the size of the client in SAP

1. Execute report RSSPACECHECK in transaction code SE38.
Enter the client number and execute.


It can take 2-3 hours to calculate the size.

Result will be,

SAP Clients
Client 000 – Client 000 is a special client in SAP since it has client independent settings. Client 000 in SAP R/3 comes with a simple organizational structure. It is a sort of test company. Client 000 contains all standard configurations, parameters, standard transactions, etc that are normally used in the SAP R/3 business environment.
Client 001 – Client 001 is a copy of client 000. Client 001 also includes a test company. Client 001 can be customized to prepare it to move it into the production environment. However, once client 001 is customized, it does not behave like client 000.
Client 066 – Client 066 is used to perform “Early Watch” service for customer systems. One important thing to remember is that during SAP R/3 implementation, once SAP is installed, the first thing to be done is copy a standard client included in SAP R/3 package. With the help of this, SAP users can start using SAP for creating tests, training, or even start using it for customization. 

Within one SAP instance, a number of clients can be created. There is no need to install separate software for each and every customer. It provides isolation: one client cannot see the data of another client.

Client Deletion

Deleting a Client  

• From the SAP login screen, log in as any super user in the existing client that you want to delete.
• Access the menu path Tools -> Administration -> Client admin. -> Special functions -> Delete client. Alternatively, run transaction SCC5.
• In the resulting screen, select the option ‘Delete from T000’ and click on the ‘Online’ pushbutton in order to run the client delete in the foreground. Alternatively, the administrator can run this in the background by clicking the pushbutton ‘Background’.

You can set the default client for SAP logon via the parameter “login/system_client”. This means that every time you log in to SAP, you will find 100 preset as the client.
This can be done using transaction code RZ10. As an example, you can set the parameter to client 100 in transaction code RZ10. A restart is needed to activate the change.

Client Copy Procedures

We can generate a blank client with SCC4. But how do we fill the client with data? The answer is the client copy.
Client copy means “transferring client-specific data” within the same instance (SID) or between different instances (SID).
A client copy can be performed with three different methods:

  1. Local client copy.
  2. Remote client copy.
  3. Client Import/Export.

Brief details about the client copy methods are given below.

Local Client Copy:- This method is used to copy a client within the same instance (SID). It is done with T-code SCCL.

Remote Client Copy:- This method is used to copy a client between different instances (SID). It is performed with T-code SCC9.

Client Import/Export:- This method is used to copy a client between different instances (SID). It is performed with T-code SCC8.

Client Copy Pre-steps

To avoid data inconsistencies, there are a few pre-steps to be performed before starting a client copy:-
1) Disconnect and lock business users (SU10). You can end the sessions of active users in the system through SM04. Once all users are logged out, check that no cancelled or pending update requests exist in the system.

2) Suspend all background jobs

  • Execute SE38.
  • Enter “BTCTRNS1” as the program name.
  • Press Execute.

3) For a local copy, the system must have enough space in the database or tablespace.
For a remote copy, the target system must have enough space in the database or tablespace. Check space using transaction DB02.

4) To avoid inconsistencies during the client copy, users should not be allowed to work in the source client.
5) The rdisp/max_wprun_time parameter should be changed to 2000 seconds, as SAP recommends. Even though you use parallel processes and schedule the job in the background, dialog processes will be used.

Local Client Copy

Local client copy is performed using Tcode SCCL.

Scenario:-

  • Source Instance & client := DKM-000
  • Target Instance & client := DKM-202

Step 1) Create an entry for your new target client using SCC4. In our scenario, we will create client 202 in the DKM system. Log on to this newly created target client (DKM-202) with user SAP* and default password pass.
Step 2) Execute T-code SCCL.

Step 3)

  • Select your desired profile
  • Enter Source client.
  • Enter Description

Step 4) By default, the client copy is executed as a single process. A single process will take a lot of time. We will distribute the workload of the single process to parallel (multiple) processes, which will reduce the time taken to copy a client. Select Goto from the menu bar.

  1. Select Parallel Process. Parallel processes are used to exploit the capacity of the database better.

Step 5) Always execute long-running processes in background mode rather than foreground/dialog mode. In fact, some processes run more quickly in the background.

Step 6) The client copy logs are available in SCC3 . Status – “Successfully Completed” means client copy is completed.

 

Remote Client Copy:-

This technique uses Remote Function Call (RFC). You can view the RFC in SM59. This technique depends on the network, so network connectivity must be strong enough.
Scenario:-
Source Instance & client := BD1-101
Target Instance & client := DKM-202
Step 1) Log on to the target system. Here we will log on to the DKM system. Create a new target client entry (202) using SCC4. Log on to this new target client with user SAP* and default password “pass”. Here we will log on to the DKM-200 system.
Step 2) Execute transaction code SCC9.


Step 3) Fill the basic details as per your requirement.

Step 4) Select Parallel Process. Parallel processes are used to exploit the capacity of the database better.

Step 5) Schedule the client copy in the background.

Step 6) The client copy logs are available in SCC3.

Creation of new client

SAP uses the logical system concept in the ALE (Application Link Enabling), workflow and EDI areas. The logical system must be unique throughout the company, and no other ALE system group can use it. We must be careful when changing the logical system entry. SAP treats a logical system as a client. We can use transaction BD54 to create a logical system and then enter that entry in the logical system box while creating a client.

Under “Changes and transports for client-dependent objects” there are four options to protect our system. The “No transport” option is used when we do not want any user to create a transport from this client. The “Client-independent object changes” category determines whether client-independent data maintenance is allowed in this new client. We get the following four options in this category:

  • Changes to Repository and customizing allowed
  • No changes to client-independent customizing objects
  • No changes to Repository objects

Changes to Repository and client-independent customizing allowed: Both client-independent customizing objects and SAP repository objects can be maintained. Usually this option is selected in a master-customizing client.

No changes to client-independent customizing objects: No change is allowed for client independent customizing objects but changes to repository objects are allowed. This option can be used for a sand box client.

No changes to Repository objects: If we select this option, then no changes are allowed to the Repository objects but the client independent customizing is allowed. When we want to protect the repository objects in a client, this is the right option to use.

The T-code used to create a new client is SCC4. The newly created client contains the initial user ID SAP* with the password PASS, which you can use to copy a client. The user SAP* is inactive by default in a new client. To activate the user SAP*, set the profile parameter login/no_automatic_user_sapstar to 0, and restart the application server. After copying a client we can also export it. In the first step we export the quality, development and production configuration in a request, then import it to any client, whereas in copying a client only tables are copied into the new client. We can export only after copying the client because the SAP* user does not have authority to import. We created client 009.
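
Two of the profile parameters on this page, rdisp/max_wprun_time and login/no_automatic_user_sapstar, are changed for a client copy and are easy to leave behind. The following Python check is an added example, not part of the original article: it merges a default profile with an instance profile and reports the values to review. The profile excerpts are constructed, and login/fails_to_user_lock (the failed-logon lock parameter, which the page does not name), the 600-second baseline and the thresholds are assumptions.

```python
# Constructed profile excerpts in the "name = value" format of SAP profile files.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
login/system_client = 100
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 12
"""

INSTANCE_PFL = """\
# Instance profile (constructed), edited for a client copy
login/no_automatic_user_sapstar = 0
rdisp/max_wprun_time = 2000
"""

SAPSTAR = "login/no_automatic_user_sapstar"
FAILS = "login/fails_to_user_lock"   # failed-logon lock threshold; not named on the page
WPRUN = "rdisp/max_wprun_time"


def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def effective(default_pfl, instance_pfl):
    """Merge both profiles; instance profile values override the default profile."""
    merged = parse_profile(default_pfl)
    merged.update(parse_profile(instance_pfl))
    return merged


def audit_parameters(default_pfl, instance_pfl, max_fails=12, wprun_baseline=600):
    """Return (parameter, value, message) findings; thresholds are assumed policy."""
    p = effective(default_pfl, instance_pfl)
    findings = []
    if SAPSTAR not in p:
        findings.append((SAPSTAR, None, "not set in profiles; check the active value"))
    elif p[SAPSTAR] == "0":
        findings.append((SAPSTAR, "0", "automatic SAP* user is enabled; "
                         "set to 1 after the client copy"))
    if FAILS in p and int(p[FAILS]) > max_fails:
        findings.append((FAILS, p[FAILS], f"more than {max_fails} failed logons allowed"))
    if WPRUN in p and int(p[WPRUN]) > wprun_baseline:
        findings.append((WPRUN, p[WPRUN], "raised for a client copy; restore afterwards"))
    return findings


if __name__ == "__main__":
    for name, value, message in audit_parameters(DEFAULT_PFL, INSTANCE_PFL):
        print(f"{name} = {value}: {message}")
```
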

Client Administration

There are three standard clients:-

  • Client 000 – master client

Client 000 is considered to be an SAP reference client, and it should not be changed or deleted from the system at any time. After an SAP system is installed, we can create other clients from 000 by using the client copy procedure. For some important configuration we have to log on to client 000. For example, if we want to configure our CTS system, then this client must be used. Client 000 also plays a very important role in the upgrade process.

Tasks and responsibilities:-

  1. STMS configuration
  2. Client creation
  3. Patch implementation
  4. Add-on modules
  5. Upgrade

  • Client 001

The customer uses client 001 as an SAP sample client. After a new installation both the 000 and 001 clients are identical, but after an upgrade 000 will have additional customizing data. Many customer sites do not use client 001 at all.

Responsibilities:-

It includes solution management, if any problem arises we can connect remotely to the German consultancy.

  • Client 066

Client 066 is there for the SAP Early Watch service. This client enables SAP to remotely access the customer system. SAP provides this service to the customer to improve system performance. After the Early Watch group goes through the checking methodology, a system performance summary and a report with recommendations to improve performance are provided to the customer.

Responsibilities:-

It is used for performance analysis.