
What are the user groups and how can we use them?

Have a look at transaction SUGR. A typical purpose is to give certain system administrators the right to
unlock users or change passwords only for a given user group. You assign a user group to a user ID via SU01.
User groups can be used for different reasons and in different ways.
In the latest versions of SAP, two types of user group actually exist: the authorization user group and the
general user group.
Naturally, the main purpose of user groups is to categorize users under a common denominator.
The authorization user group is used in conjunction with the S_USER_GROUP authorization object. It allows
you to create security management authorizations by user group, e.g. you can have a local security
administrator who is only able to manage users in his groups, a Help Desk that can reset passwords for all
users except users in group SUPER, etc.
The general user group can be used in conjunction with SUIM and SU10 to select all the users in a
specific group. A user can be a member of only one authorization user group but of several general user groups.
One of the primary uses of user groups is to sort users into logical groups.
This allows users to be categorised in a way that is not dependent on
roles/AGs/responsibilities/profiles etc.
User Groups also allow segregation of user maintenance, this is especially useful in a large organisation
as you can control who your user admin team can maintain - an example would be giving a team leader
the authority to change passwords for users in their team.
The most important factor identified is that the lack of user groups is an indication that there may be
problems with the user build process. This is very "fuzzy" but is a bit of a warning flag.
The auditor's job is to provide assurance that SAP is set up and administered in a way that minimises
risks to the financial data produced. If the only thing they have picked up on is the lack of user groups then
you will be fine.

If you are in any doubt whatsoever ASK THE AUDITOR. They would have produced a report listing why
they feel there is a risk by not having User Groups implemented. If you feel that the risk is mitigated by
other measures then let them know. It works best as a two-way process and both parties can learn
something.

Transport tables between clients

Use report RSCLCCOP to transport user master records, profiles and authorizations between clients in an
R/3 system.
Start RSCLCCOP from the target client into which the users and authorizations should be copied.
Do not use this report if the target client contains some users and authorizations you want to preserve.

Copying table entries from client 000


I need to copy table entries from client 000.
I have identified which entries I need to copy through running RPULCP00 but I don't know how to
move the entries.
The simplest way is to go into the table through SM31.
Then, in the top row of buttons, there should be one called 'Utilities'; from there select 'Adjust'.
Then select the client that you want to compare/copy from (you need to have an RFC destination set up).
This will then show you the contents of the table in both clients and identify the status of each record.
The records fall into the following categories:
ML Differences, logon client entry
MR Differences, comparison client entry
L Entry only exists in logon client
R Entry only exists in comparison client
Identical entries
(M) Differences only in hidden fields
You should be able to scroll down the table, select the entries that you want to import, then hit the 'adjust'
button, then hit the 'copy all' button, then back out with the green arrow, and save your table.

Mass Maintenance of user profiles


Go to transaction code SU10.
Select your SAP users by address data or authorization data.
With the users you want to change selected, click: User -> Change -> Profiles
Fill in the profiles and click Save.

How can I create multiple User IDs at Random

We usually create IDs through SU01, but only one by one.
Can I create multiple user IDs having the same profile at once?
Yes you can, use tcode SCAT. First, make sure your client setting (SCC4) is enabled with 'X eCATT and
CATT allowed', just in case your Production has this disabled.
- Then you need to create a simulation (test case) of creating a new user ID, which will call tcode
SU01 later.
- The test case name must start with Z, for example ZCREATE_NEW_USER. Create this case, enter a title and
choose the component BC (Basis components).
- Save and choose Local if you don't want to transport it, or choose a dev. class (example ZDEV)
if you want to transport it later.
- Go back and click the Change button. Then key in the Object, for example SU01, and choose the Record
button on top. When it prompts for the transaction code, key in SU01 (for roles,
key in PFCG) and begin recording. As usual in SU01, create 1 user ID: dept field, password,
roles, group and so on.
- Make sure you press Enter on each field because we want to capture the value/object, and
SCAT is a bit stupid, as you will find when you become familiar with it later... but still useful, indeed.
- You will see a clock at the bottom, which means the recording process is ongoing.
Once done, click the Back button and press the End button to end the recording.
Note - I noticed you said the profiles are all the same. Then this is much easier: no need to enter the
roles/profiles, just duplicate this ID and change the name, dept and password only.
Okay, the first stage has finished. Then double-click the Object to begin inserting parameters. You will
see an object for each field that you ran through in SU01. Choose the right field, for example user ID (BNAME),
and choose the button 'Insert Import Parameter (F6)'. You may click Next Screen to 'watch' what has
been recorded and proceed to choose several other objects like the password fields (PASSWORD1,
PASSWORD2), roles field (AGR_NAME), group field etc. If you happen to choose the wrong object,
you can reset it (Edit -> Reset Parameterization). You may see many junk fields captured; this
is because SCAT records every step/dialog.
Once done, choose Back and save this case. Then you need to click 'Goto -> Variant -> Export' and save
it. After that, use MS Excel to open it and begin inserting all the other user IDs. Save and close. Remember to
close this file because SCAT will use it.
Then the last step: go back to SCAT and click the Execute button, choose processing mode Background, choose
the external file (the one you created with Excel) and execute. At this moment don't use tcode SU01 because you
may interrupt the simulation. Wait for the logs. If you see red entries, an error has occurred.
Hoping this will help you. I have done this (SAP 4.6C) to create thousands of user IDs and also thousands
of roles/profiles (PFCG). I heard that with SAP 4.7, SCAT has many extra features...

Changing the default password for SAP*

You are trying to change the password for the SAP* user; however, when you go into SU01 and enter SAP* as
the user name, the following message is displayed: user SAP* does not exist.
You can delete the SAP* user using ABAP code:
Delete from usr02 where bname = 'SAP*' and mandt = '***';
where '***' is your client number.
Then log in to your client using user SAP* and password PASS.
However, if you delete it, it will automatically be created once again with password PASS.
The userid, SAP*, is delivered with SAP and is available in clients 000 and 001 after the initial installation.
In these 2 clients, the default password is 07061992 (which is, by the way, the initial date when R/3 came
into being...). It is given the SAP_ALL user profile and is assigned to the Super user group. When I say it
is "delivered" with SAP, I mean that the userid resides in the SAP database; there are actually rows in the
user tables used to define userids.
If you delete the userid, SAP*, from the database, SAP has this userid defined in its kernel (the SAP
executable code that sits at the operating system level, i.e., disp+work). When this situation exists, the
password defined in the SAP code for SAP* is PASS. This is necessary when you are performing client
copies for example, as the user information is copied at the end of the process. You can sign into the
client you are creating while a client copy is processing using SAP* with password PASS (but you should
have a good reason to do this - don't change anything while it's running).
Anyway, if the SAP* userid is missing, you can sign in to the client you want and simply define it using
transaction SU01 and, as I stated above, assign it to the SUPER user group and give it the SAP_ALL
profile. You define its initial password at this point. If you've forgotten its password and don't have a userid
with sufficient authorization to create/change/delete userids, then you can use the SQL statement to delete
it from the database, and then you can use SAP* with PASS to sign back into the client you want to define it
in and recreate it.

There is also a profile parameter which can override the use of SAP* with PASS to close this security hole
in SAP (login/no_automatic_user_sapstar). When this parameter is defined either in your DEFAULT.PFL
profile or the instance-specific profile and is set to a value of '1', then the automatic use of SAP* is
deactivated. The only way to reactivate the kernel-defined SAP* userid at this point would be to stop SAP,
change this parameter to a value of 0 (zero), and then restart SAP.
The default password for SAP* is 06071992. (DDIC has 19920706)
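
The parameter check described above, as an added example (not SAP tooling and not part of the original page): it reads DEFAULT.PFL and instance profile text, lets the instance profile override DEFAULT.PFL, and flags instances where the kernel-defined SAP* with PASS is still usable. The profile contents, instance names and the map of clients with a SAP* row in USR02 are constructed sample data, and reporting an unset parameter as REVIEW is an assumption.

```python
PARAM = "login/no_automatic_user_sapstar"

def parse_profile(text):
    """Return {parameter: value} from SAP profile text ('name = value', '#' comments)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def effective(default_pfl, instance_pfl):
    """Value and source of PARAM; the instance profile overrides DEFAULT.PFL."""
    for source, text in (("instance profile", instance_pfl),
                         ("DEFAULT.PFL", default_pfl)):
        params = parse_profile(text)
        if PARAM in params:
            return params[PARAM], source
    return None, "no profile"

def audit(default_pfl, instances, sapstar_row):
    """instances: {instance name: profile text}.
    sapstar_row: {client: True if USR02 holds a SAP* row for that client}.
    Returns (instance, status, detail) tuples sorted by instance name."""
    no_row = sorted(c for c, present in sapstar_row.items() if not present)
    findings = []
    for name in sorted(instances):
        value, source = effective(default_pfl, instances[name])
        if value == "1":
            detail = f"kernel SAP* deactivated in {source}"
            findings.append((name, "OK", detail))
        elif value is None:
            # Assumption: without an explicit setting the kernel default applies,
            # so the finding asks for a manual check instead of guessing it.
            findings.append((name, "REVIEW", "not set in any profile"))
        elif no_row:
            detail = f"SAP*/PASS usable in clients {', '.join(no_row)}"
            findings.append((name, "EXPOSED", detail))
        else:
            detail = f"set to {value} in {source}; deleting a SAP* row re-enables PASS"
            findings.append((name, "WEAK", detail))
    return findings

# Constructed sample data, not taken from a real system.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = PRD
login/system_client = 300
login/no_automatic_user_sapstar = 1
"""
INSTANCES = {
    "PRD_D00_host1": "SAPSYSTEM = 00\n",
    "PRD_D01_host2": "SAPSYSTEM = 01\nlogin/no_automatic_user_sapstar = 0\n",
}
SAPSTAR_ROW = {"000": True, "001": True, "300": False}

if __name__ == "__main__":
    for finding in audit(DEFAULT_PFL, INSTANCES, SAPSTAR_ROW):
        print(*finding, sep=" | ")
```
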

Finding the current patch level


You can use either of these two methods:
1: Follow the path
System --> Status --> Component Information (the magnifying glass button in the SAP System Data
section)
2: Use transaction code SPAM
SPAM (Support Package Manager) --> Package level

Steps to Start Your Database After Kernel Upgrade

Do these steps to start your database:
1. Open a command prompt.
2. Give the command: sqlplus "/ as sysdba"
If it gives the message "Connected to an idle instance", then proceed:
3. Give the command: startup open
If it gives an error that the database is already open, shut it down first. But first check which database
processes are up and running.
4. Try stopping the database: shutdown immediate
5. Follow step 3 again after shutting down the database.
6. Exit from SQLPLUS.
7. Run this command at the command prompt: R3trans -d
Check whether it still gives an error or completes with return code 000; if it completes, try starting SAP.
Follow the above steps.

How to lock and unlock the clients


To lock or unlock a client in an R/3 system, run the following function modules in
transaction SE37:
1. SSCR_LOCK_CLIENT (to lock the client)
2. SSCR_UNLOCK_CLIENT (to unlock the client)
Run these functions with the client that is to be locked/unlocked as input. The function sets the flag "Client is
locked temporarily for client copy" in the client maintenance menu. The client will remain available for users DDIC
and SAP*. If any other user tries to log in, the system gives the message 'Client locked temporarily'.
To unlock the client:
1. Run transaction SE37.
2. Enter the function module SSCR_UNLOCK_CLIENT.
3. Press F8 or test run (single run).
4. Specify the client and execute (F8).
Follow a similar procedure for locking the client.

Central user administration


Here is the procedure for configuring Central User Administration in a landscape:
1) Create logical systems for all clients in the landscape using BD54 or SALE, as comfortable.
2) Attach the logical systems to the clients using the same.
3) Create an RFC connection to each relevant system with the same name as the logical system name.
If your logical system name is SIDCLNT100 for DEV, then create the RFC connection to DEV with the same name,
SIDCLNT100.
4) Let us suppose your central system is DEVCLNT100 and your child system is QUACLNT200.
5) Create user CUA_DEV_100 in the DEVCLNT100 system.
Create user CUA_QUA_200 in the QUACLNT200 system.
Create RFCs to child systems from central and central to child.
6) Now log on to the central system and execute tcode SCUA to configure CUA.
Enter the name of the distribution model: CUA
Press Create.
Enter ALL child system RFCs.
Save your entries; the result screen will now appear.
If you expand the nodes for the individual systems, you normally see the following messages for
each system: "ALE distribution model was saved", "Central User Administration activated" and
"Text comparison was started". If problem messages are displayed here, follow the procedure in SAP
Note 333441.
7) Setting the parameters for field distribution: enter tcode SCUM in the central system and the following
screen will appear. Now maintain your field distribution and save it. You can use transaction SUCOMP to
administer company address data. You can use transaction SCUG in the central system to perform the
synchronization activities between the central system and the child systems by selecting your child system
on the initial screen of transaction SCUG and then choosing Synchronize Company Addresses in the Central System.
After you have synchronized the company addresses, you can transfer the users from the newly connected
child systems to central administration.
This is done, as with the synchronization of the company addresses, using
transaction SCUG in the central system. To do this, on the initial screen of
transaction SCUG, select your child system and choose the Copy Users to
the Central System button.
Use
You can use the report RSCCUSND from the central system of Central User Administration (CUA) to
synchronize the master data of selected users with a child system of the CUA. The report sends the master
data (including role and profile assignments) to a child system of the CUA.
If master data exists in the child system for the user sent, it is overwritten.
Procedure...
1. Start report RSCCUSND (for example, using transaction SA38).
2. In the Receiving System field, specify the child system to which you want to send the user data.
3. You can use the fields User and User Group to restrict the number of users.
4. Specify the data that you want to distribute under Distribution Options.
5. Choose Execute.

Run OS commands in GUI


What an interesting piece of information: you can now run OS commands from SAP GUI.
Just run report RSBDCOS0 in SA38 and enjoy.

How to List All the T-codes For a Role in SAP ?


Here I am sharing the procedure, or rather a trick, to get all the t-codes from a role.
To find all the tcodes for a role, along with the tcodes that are present in the TCD field:
go to SE16, enter AGR_1251 and click the data browser button, enter the role name in the AGR_NAME field and
enter TCD in the FIELD field.
Then click the Execute button or press F8 to execute, and you will see the list of tcodes for that role.

SAP T-Codes

Here I am sharing a list of T-codes that can help you a lot in case you are facing some problems.
1) SWU3: RFC destination warning in workflow customizing; check Automatic Workflow Customizing
2) SUCOMP: User Company Address Maintain
3) STZAC: Customizing Time Zones
4) SWF_XI_CUSTOMIZING: Automatic Workflow Customizing for XI
5) SXMB_ADM: Integration Engine Administration
6) SOST: SAPconnect Transmission Request Overview with Log
7) SMSY: In Solution Manager, to define a system
8) DSWP: In Solution Manager, to check EWA / MOPZ

Solution Manager Key Generation


Hi All,
To generate the Solution Manager key, execute T-code SMSY in the Solution Manager system. You need to do the
following steps:
1) Create a system by right-clicking on the System entry and selecting Create new system.
2) Enter the System Name, i.e. the SID (3 chars).
3) Product = SAP ECC (select from the list)
4) Product Version = ECC 5.0 (select from the list)
5) Save the entries.
6) Select the menu item "System ---> Other Configuration" and enter the SID which you created earlier.
7) Enter the Server Name (hostname).
8) Finally, click on the Generate "Installation/Upgrade Key" button. The system generates a key; copy that key
and paste it into the SAPINST screen when it prompts for the Solution Manager key.

How do you add your company logo in sap screen


Steps to add the company's logo:
Transaction code SMW0
Select Binary data for WebRFC application
Press Enter
Click Execute
Click Settings -> Maintain MIME types
Click the Create button
Fill in: TYPE: image/gif, EXTENSION: .GIF
Click Save
Click Back to the Binary data for WebRFC
Click Create
Fill in: Obj. name: zlogo.gif
Description: Company Logo
Click Import and specify the filename where your GIF file is located. The file type is BIN. To finish, press the
Transfer button.
If successful, your logo will be shown in the Binary data for WebRFC.
Now run transaction code SM30 with Table/View SSM_CUST
Click Maintain
Click New Entries
Name            Value to be set
START_IMAGE     zlogo.gif
RESIZE_IMAGE    NO
Log off and log in again.
Now you can see the logo.

BW Client Activation

Steps for activating a newly created client in BI 7.0:
Step 1: execute function module RS_MANDT_UNIQUE_SET (transaction SE37). Enter the new client
(300) as the value for parameter i_mandt.
Step 2: enter the default client (300) in the field BWMANDT of the table RSADMINA (transaction SE16).
Step 3: change the profile parameter login/system_client to 300 (transaction RZ10 > Default profile).

How to change the title of transaction code


Sometimes you may need to change the title of an SAP transaction code to a more meaningful
one.

The steps are as follows:

Go to tcode SE63. On the top left menu of the screen, click Translation > Short texts >
Transactions.
For example, assume you want to change the title of t-code SU10 from "User Maintenance:
Mass Changes Initial Screen" to "Mass User changes". On the first screen, fill in the following
information:
Transaction code: SU10
Source Language: English
Target Language: English
To change the title, click the Edit button. On the second line (the one in dark yellow), type in the
title you want for the transaction code (e.g. Mass User changes). Click the Save button.
Now call up the transaction code /nSU10 again and you should be able to view the new title.

How to Reset Buffers in Sap ?


Hi Friends,
Sometimes it is necessary to reset some buffers in SAP for performance issues, so here I am sharing
the different buffer cleanup T-codes.
But keep in mind that resetting the buffers could change the performance of the entire system.
/$DYNP resets the screen buffer of the application server
/$SYNC resets the buffers of the application server
/$CUA resets the CUA buffer of the application server
/$TAB resets the TABLE buffers of the application server
/$NAM resets the nametab buffer of the application server

Installing two Oracle databases on a host

Hi Team,
Here I am sharing the experience of installing two Oracle databases on the same host.
After installing the new database, my first database won't come up. There are some problems with
listener.ora and tnsnames.ora, so you have to follow this approach:
dbsid1: existing database
dbsid2: new database
Changes in listener.ora
################
# Filename: listener.ora for more than one database
# Created.: created by SAP AG, R/3 Rel. >= 4.0A
# Name.:
# Date.:
################
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS=
      (PROTOCOL=IPC)
      (KEY= dbsid1.WORLD)
    )
    (ADDRESS=
      (PROTOCOL=IPC)
      (KEY= dbsid1)
    )
    (ADDRESS=
      (PROTOCOL=IPC)
      (KEY= dbsid2.WORLD)
    )
    (ADDRESS=
      (PROTOCOL=IPC)
      (KEY= dbsid2)
    )
    (ADDRESS =
      (COMMUNITY = SAP.WORLD)
      (PROTOCOL = TCP)
      (HOST = DBHOSTNAME)
      (PORT = 1527)
    )
  )
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SDU = 32768)
      (SID_NAME = dbsid1)
      (ORACLE_HOME = ORACLE_HOME_dbsid1)
      (PRESPAWN_MAX = 10)
    )
    (SID_DESC =
      (SDU = 32768)
      (SID_NAME = dbsid2)
      (ORACLE_HOME = ORACLE_HOME_dbsid2)
      (PRESPAWN_MAX = 10)
    )
  )
and tnsnames.ora should be like this:
################
# Filename: tnsnames.ora
# Name.: LOCAL_REGION.world
# Date.:
################
dbsid1.world =
  (DESCRIPTION =
    (SDU = 4096)
    (ADDRESS_LIST =
      (ADDRESS =
        (COMMUNITY = sap.world)
        (PROTOCOL = TCP)
        (HOST = DBHOSTNAME)
        (PORT = 1527)
      )
    )
    (CONNECT_DATA =
      (SID = dbsid1)
      (GLOBAL_NAME = dbsid1.world)
    )
  )
dbsid2.world =
  (DESCRIPTION =
    (SDU = 4096)
    (ADDRESS_LIST =
      (ADDRESS =
        (COMMUNITY = sap.world)
        (PROTOCOL = TCP)
        (HOST = DBHOSTNAME)
        (PORT = 1527)
      )
    )
    (CONNECT_DATA =
      (SID = dbsid2)
      (GLOBAL_NAME = dbsid2.world)
    )
  )
I think it will help you.
For more clarity follow SAP Note 98252
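
A consistency check for the two files above, as an added example (not from the original post or the SAP Note): it parses the nested parenthesised format and reports every tnsnames.ora alias whose SID or TCP endpoint the listener does not serve, which is the situation where one of the two databases cannot be reached. The function names are hypothetical and the sample files are constructed in the same layout as shown above.

```python
import re

def parse_ora(text):
    """Parse listener.ora / tnsnames.ora text into {NAME: value}; a value is a
    string or a nested list of (KEY, value) pairs. Expects balanced parentheses."""
    tokens = re.findall(r"[()=]|[^\s()=]+", re.sub(r"#.*", "", text))
    pos = 0

    def value():
        nonlocal pos
        if tokens[pos] != "(":                 # scalar such as OFF or 1527
            pos += 1
            return tokens[pos - 1]
        items = []
        while pos < len(tokens) and tokens[pos] == "(":
            key = tokens[pos + 1].upper()
            pos += 3                           # skip "(", key and "="
            items.append((key, value()))
            pos += 1                           # skip ")"
        return items

    entries = {}
    while pos < len(tokens):
        name = tokens[pos].upper()
        pos += 2                               # skip name and "="
        entries[name] = value()
    return entries

def find_all(node, key):
    """Yield every value stored under key anywhere below node."""
    if isinstance(node, list):
        for k, v in node:
            if k == key:
                yield v
            yield from find_all(v, key)

def check(listener_text, tns_text, name="LISTENER"):
    """Return a sorted list of mismatches between listener.ora and tnsnames.ora."""
    lsn, tns = parse_ora(listener_text), parse_ora(tns_text)
    sids = {s.upper() for s in find_all(lsn.get("SID_LIST_" + name, []), "SID_NAME")}
    tcp, ipc = set(), set()
    for addr in find_all(lsn.get(name, []), "ADDRESS"):
        a = dict(addr)
        if a.get("PROTOCOL", "").upper() == "TCP":
            tcp.add((a.get("HOST", "").upper(), a.get("PORT")))
        else:
            ipc.add(a.get("KEY", "").upper())
    problems = [f"{s}: no IPC address with KEY = {s}" for s in sids - ipc]
    for alias, desc in tns.items():
        for sid in find_all(desc, "SID"):
            if sid.upper() not in sids:
                problems.append(f"{alias}: SID {sid} missing from SID_LIST_{name}")
        for addr in find_all(desc, "ADDRESS"):
            a = dict(addr)
            endpoint = (a.get("HOST", "").upper(), a.get("PORT"))
            if a.get("PROTOCOL", "").upper() == "TCP" and endpoint not in tcp:
                problems.append(f"{alias}: no listener on {a.get('HOST')}:{a.get('PORT')}")
    return sorted(problems)

def sample_listener(sids):
    """Constructed listener.ora text for the given SIDs (layout as above)."""
    ipc = "".join(f"(ADDRESS=(PROTOCOL=IPC)(KEY= {s}.WORLD))"
                  f"(ADDRESS=(PROTOCOL=IPC)(KEY= {s}))" for s in sids)
    descs = "".join(f"(SID_DESC=(SDU = 32768)(SID_NAME = {s})"
                    f"(ORACLE_HOME = ORACLE_HOME_{s}))" for s in sids)
    return (f"# constructed sample\nLISTENER = (ADDRESS_LIST = {ipc}"
            "(ADDRESS=(COMMUNITY = SAP.WORLD)(PROTOCOL = TCP)"
            "(HOST = DBHOSTNAME)(PORT = 1527)))\n"
            "TRACE_LEVEL_LISTENER = OFF\n"
            f"SID_LIST_LISTENER = (SID_LIST = {descs})\n")

def sample_tns(sids):
    """Constructed tnsnames.ora text for the given SIDs (layout as above)."""
    return "".join(f"{s}.world = (DESCRIPTION = (SDU = 4096)(ADDRESS_LIST = "
                   "(ADDRESS = (COMMUNITY = sap.world)(PROTOCOL = TCP)"
                   "(HOST = DBHOSTNAME)(PORT = 1527)))"
                   f"(CONNECT_DATA = (SID = {s})(GLOBAL_NAME = {s}.world)))\n"
                   for s in sids)

if __name__ == "__main__":
    # Listener rewritten for the new database only: dbsid1 is no longer served.
    print(check(sample_listener(["dbsid2"]), sample_tns(["dbsid1", "dbsid2"])))
```
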

Activating Industry Specific Solutions and Short Text Conversion


A. Activating Industry Specific Solutions (like IS OIL, IS RETAIL, IS MILL, IS MEDIA):
1) Go to T-code SPRO.
2) Click on the SAP Reference IMG button.
3) Check for Activate SAP ECC Extension.
4) Select the Business Function Set as SAP Oil and Gas.
5) Change the status of all the business functions to ON.
6) Accept the prompt for the license. So the add-on has been activated... (running in background)
B. Short Text Conversion:
While SAP ECC or SAP R/3 uses terms that are linked to its industry sectors (material and plant in
production, article and site in SAP Retail), in other components you will find the more universally
employed terms product and location.
1) Log on to your SAP system, client 000, as user SAP*.
2) Start report RSBRAN03 and fill the selection fields as follows:
BRANCHE: ISR
LANG:
All other fields remain default.
3) Run the report in background (F9).
4) After the job has finished, reset the text buffers by entering /$SYNC in the command line.
Please note: Resetting buffers can significantly change the performance of the entire system. Nevertheless
the reset of the buffers is necessary.
5) Please note that the report must be executed in every system separately.

Do not check CL_FORCE and UP_FORCE because they are reserved for SAP internal services.

LOG IN TO BR*TOOL STUDIO


Hi All,
Here I am sharing the procedure to run and use BRTOOL STUDIO.
1) To run Studio, go to the Studio home and run server.cmd
2) To access it, go to the URL:
https://hostname:port/studio
3) A pop-up window will come up.
Provide username: Administrator (exactly as shown, capital A and all other letters small)
Password: the one you provided at the time of installation
4) Click on Instances and then Create.
5) Provide the info, such as the password for Administrator and the database user (please note that the
password of the DB user should not contain @ in the password string).
6) Give the path for the brtool profile parameter:
Oraclehome/database/init.sap
7) Finally, click on Go (left side).
Now you will be logged off; log in to your instance using
Administrator as the username and the password you provided at the time of installation.
9) Now you can create more users for brtool with different user roles.
You can use it to view space, check status, control files, backup, restore and, you know, more
things.

SAP Load Balancing and Work Processes


Troubleshoot
The benefit of segregating user groups by line-of-business (using logon groups) is related to the
point that groups of users (like SD users or HR users, for example) tend to use the same sets of
data. They (generally) work with the same groups of tables and hit the same indexes using the
same programs (transactions).
So, if you can group all of the users hitting the same tables, onto (or one set of) App server(s), then you can tune the App server
buffers to a much greater extent. If the FI users (generally) never hit against the HR tables then the App servers in the FI group
don't (generally) have to buffer any HR data. That leaves you free to make memory and buffer adjustments to a more drastic
extent, because you don't have to worry (as much) about screwing the HR users (as an example), when you're adjusting the FI
server group.
So, (in my opinion only) you should start with a buffer hit ratio analysis / DB table & index access analysis (by user group) to see
where you would get the best benefit from this kind of setup. If you don't have this kind of info, then creating logon groups by
line-of-business may have no benefit (or worst case, may make performance degrade for the group with the highest load %). You
need some historical information to base your decision on, for how to best split the users up.
You may find that 50% of the load is from the SD users and so you may need one group for them (with 3 App servers in it) and
one other group for everyone else (with the other 3).
The logon group(s) will have to be referenced by SAP GUI, so SAP GUI (or saplogon.ini + maybe the services file, only) will
have to change to accommodate any new groups you create in SMLG. Also consider that there are variables for time-of-day (load
varies by time-of-day) and op-mode switches (resources vary by op-mode).

All work processes are running? What will be our action?

Are all the work processes (dia,btc,enq,upd,up2,spo) running or just all the dialog work processes?

If all the work processes are running, then you may want to look at SM12 (or is SM13?) and see if updates are disabled. If they
are, look at the alert log (if it's an Oracle database) and see if you have any space related errors (e.g. ORA-01653 or
ORA-01654). If you do, add a datafile or raw device file to the applicable tablespace and then re-enable updates in SM12.
If only all the dialog work processes are running, there are several possible causes. First, look to see if there's a number in the
Semaphore column in SM50 or dpmon. If there is, click once on one of the numbers in the Semaphore column to select it and
then, press F1 (help) to get a list of Semaphores. Then, search OSS notes and, hopefully, you'll find a note that will tell you how
to fix the problem.
If it's not a semaphore (or sometimes if it is), use vmstat on UNIX or task manager on Windows to see if the operating system is
running short on memory which would cause it to swap. In vmstat, the free column (which is in 4k pages on most UNIX
derivatives) will be consistently 5MB or so and the pi and/or po columns will have a non- zero value. The %idle column in the
cpu or proc section will be 0 or a very low single digit while the sys column will be a very high double-digit number because the
operating system is having to swap programs out to disk and in from disk before it can execute them.
In task manager, look at free memory in the physical memory section under the performance tab. If it's 10MB or 15MB (I think),
then the operating system will be swapping.
Usually, when all the dialog work processes are running, you won't be able to log in via SAPgui and will need to execute the
dpmon utility at the commandline level. The procedure is basically the same on UNIX and Windows.
On UNIX:
telnet to server and login as sidadm user.
cd to /sapmnt/SID/profile directory
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_hercules_DVEGMS00) select option "m" and then, option "l"
On Windows:
Click on START, then RUN
Type "cmd" and press enter
change to drive where profile directory resides (e.g. f:)
cd to \sapmnt\SID\profile
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_zeus_DVEGMS00) select option "m" and then, option "l"
On both operating systems, you'll see a screen that looks like what you see in SM50. Depending on what you see here, will
depend on what you do next, but checking the developer trace files (e.g. dev_disp) in the work directory (e.g.
/usr/sap/SID/DVEGMS00/work) is never a bad idea.
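
The vmstat reading described above, turned into a check as an added example (not part of the original post): it parses vmstat output by its header row and flags samples where free memory is around 5 MB, pi/po are non-zero, idle is a single digit and sys is high. The sample output is constructed, and the exact thresholds and the 4 KB page size are assumptions that stand in for the post's "5MB or so", "low single digit" and "very high double-digit".

```python
def parse_vmstat(text):
    """Return one {column: int} dict per sample line, keyed by the header row."""
    rows, header = [], None
    for line in text.splitlines():
        fields = line.split()
        if "free" in fields and "id" in fields:
            header = fields                    # the row that names the columns
        elif header and len(fields) == len(header) and all(f.isdigit() for f in fields):
            # The header names "sy" twice (system calls, then CPU sys time);
            # dict() keeps the last one, which is the CPU column wanted here.
            rows.append(dict(zip(header, map(int, fields))))
    return rows

def swapping_rows(rows, page_kb=4, free_mb_max=5.0, idle_max=9, sys_min=50):
    """Indexes of samples that match the swapping pattern (thresholds assumed)."""
    hits = []
    for i, r in enumerate(rows):
        free_mb = r["free"] * page_kb / 1024   # free column is counted in pages
        paging = r.get("pi", 0) > 0 or r.get("po", 0) > 0
        if (free_mb <= free_mb_max and paging
                and r["id"] <= idle_max and r["sy"] >= sys_min):
            hits.append(i)
    return hits

def is_swapping(rows, share=0.8):
    """True when the pattern holds consistently: in at least `share` of samples."""
    return bool(rows) and len(swapping_rows(rows)) >= share * len(rows)

# Constructed vmstat output in a UNIX layout with pi/po columns.
HEADER = (
    "         procs           memory                   page"
    "                              faults       cpu\n"
    "    r     b     w      avm    free   re   at    pi   po    fr   de"
    "    sr     in     sy    cs  us sy id\n"
)
SWAPPING = HEADER + (
    "    9     4     0   912345    1210    0    0   312  540     0    0"
    "  2211   1403  20111  3120   8 91  1\n"
    "    8     5     0   913002    1188    0    0   298  512     0    0"
    "  2304   1388  19870  3055   7 90  3\n"
    "   11     3     0   912877    1250    0    0   340  601     0    0"
    "  2190   1422  20544  3201   9 89  2\n"
)
HEALTHY = HEADER + (
    "    1     0     0   412345  150000    0    0     0    0     0    0"
    "     0    803   9111  1120  20  5 75\n"
    "    2     0     0   413002  149100    0    0     0    0     0    0"
    "     0    811   9370  1155  22  6 72\n"
)

if __name__ == "__main__":
    for label, sample in (("swapping", SWAPPING), ("healthy", HEALTHY)):
        rows = parse_vmstat(sample)
        print(label, swapping_rows(rows), is_swapping(rows))
```
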
