Professional Documents
Culture Documents
What Are The User Groups and How Can We Use Them?
What Are The User Groups and How Can We Use Them?
Transaction SUGR - have a look. Purpose for example is to give certain system admin rights to unlock /
change password only to a given user group. You assign user group to an user id via SU01.
User group can be used for different reasons and in different way.
In the latest versions of SAP, actually two types of usergroup exist, the authorization user group and the
general user groups.
Naturally the main reason of user groups is to categorize user into a common denominator.
The authorization user group is used in conjunction with S_USER_GROUPauthorization object. It allows
to create security management authorization by user group. e.g. you can have a local security
administrator only able to manage users in his groups, Help-Desk to reset password for all users except
users in group SUPER, etc...
The general user group can be used in conjunction with SUIM and SU10, to select all the users in a
specific group. User can only be member of one authorization user group but several general user group.
One of the Primary uses of user groups is to sort users into logical groups.
This allows users to be categorised in a method that is not dependent on
roles/AG's/Responsibilities/Profiles etc.
User Groups also allow segregation of user maintenance, this is especially useful in a large organisation
as you can control who your user admin team can maintain - an example would be giving a team leader
the authority to change passwords for users in their team.
The most important factor identified is that the lack of user groups is an indication that there may be
problems with the user build process. This is very "fuzzy" but is a bit of a warning flag.
The Auditors job is to provide assurance that SAP is set up and administered in a way that minimises
risks to the financial data produced. If the only thing they have picked up on is the lack of usergroups then
you will be fine.
If you are in any doubt whatsoever ASK THE AUDITOR. They would have produced a report listing why
they feel there is a risk by not having User Groups implemented. If you feel that the risk is mitigated by
other measures then let them know. It works best as a 2 way process and both parties can learn
something.
Use report RSCLCCOP to transport user master records, profiles and authorizatons between clients in an
R/3 system.
Start RSCLCCOP from the target client which the users and authorizations should be copied.
Do not use this report if the target client contains some users and authorizations you want to preserve.
may interrupt the simulation. Wait for the logs. If you see reds then error was
happening.
Hoping this will help you. I have done (Sap 4.6C) this to create thousands of user ids and also thousands
of roles/profiles (pfcg). I heard with Sap 4.7, the SCAT has so many extra features...
You are trying to change the password for sap* user, however when you go into su01 and enter sap* as
the user name, the following message is displayed, user sap* does not exist.
You can delete the SAP* user using ABAP code :Delete from usr02 where bname = 'SAP*' and mandt = '***';
Where '***' means your client no.
Then login to your client using password SAP* and password PASS
However, if you delete it, then it will automatically created once again with password PASS
The userid, SAP*, is delivered with SAP and is available in clients 000 and 001 after the initial installation.
In these 2 clients, the default password is 07061992 (which is, by the way, the initial date when R/3 came
into being...). It is given the SAP_ALL user profile and is assigned to the Super user group. When I say it
is "delivered" with SAP, I mean that the userid resides in the SAP database; there are actually rows in the
user tables used to define userids.
If you delete the userid, SAP*, from the database, SAP has this userid defined in its kernel (the SAP
executable code that sits at the operating system level, i.e., disp+work). When this situation exists, the
password defined in the SAP code for SAP* is PASS. This is necessary when you are performing client
copies for example, as the user information is copied at the end of the process. You can sign into the
client you are creating while a client copy is processing using SAP* with password PASS (but you should
have a good reason to do this - don't change anything while it's running).
Anyway, if the SAP* userid is missing, you can sign in to the client you want and simply define it using
transaction SU01 and, as I stated above, assign it to the SUPER user group and give it the SAP_ALL
profile. You define its initial password at this point. If you've forgotten its password and don't have a userid
with sufficient authorization to create/change/delete userid,
then you can use the SQL statements to delete it from the database and then you can use SAP* with
PASS to sign back into the client you want to define it in and recreate it.
There is also a profile parameter which can override the use of SAP* with PASS to close this security hole
in SAP (login/no_automatic_user_sapstar). When this parameter is defined either in your DEFAULT.PFL
profile or the instance-specific profile and is set to a value of '1', then the automatic use of SAP* is
deactivated. The only way to reactivate the kernel-defined SAP* userid at this point would be to stop SAP,
change this parameter to a value of 0 (zero), and then
restart SAP.
The default password for SAP* is 06071992. (DDIC has 19920706)
Click Save
Click Back to the Binary data for WebRFC
Click Create
Fill in :- Obj. name : zlogo.gif
Description : Company Logo
Click Import and specify the filename where your
GIF file is located.File type is BIN. Finish press the
Transfer button.
If successful, your logo will be shown in the Binary data for WebRFC.
Now run Transaction code SM30 Table/View SSM_CUST
Click Maintain
Click New Entries
Name Value to be set
START_IMAGE zlogo.gif
RESIZE_IMAGE NO
Logoff and Login again
Now you can see the Logo
BW Client Activation
teps for activating newly created client in BI 7.0:
Step 1, execute function module RS_MANDT_UNIQUE_SET / (Transaction SE37).Enter the new client
(300) as value for parameter i_mandt.
Step 2, enter default client (300) in the field BWMANDT of the tableRSADMINA (Transaction SE16).
Step 3, change the profile parameter login/system_client to 300(Transaction RZ10 > Default profile).
Hi Team,
Here i am sharing the experience of installing two oracle database on same host.
After installing new database my first database wont come up.there are some problems with
listener.ora and tnsnames.ora so you have to follow this approach
dbsid1 existing Database
dbsid2 New Database
Changes in listener.ora
################
# Filename: listener.ora for more than one database
# Created.: created by SAP AG, R/3 Rel. >= 4.0A
# Name.:
# Date.:
################
LISTENER =
(ADDRESS_LIST =
(ADDRESS=
(PROTOCOL=IPC)
(KEY= dbsid1.WORLD)
)
(ADDRESS=
(PROTOCOL=IPC)
(KEY= dbsid1)
)
(ADDRESS=
(PROTOCOL=IPC)
(KEY= dbsid2.WORLD)
)
(ADDRESS=
(PROTOCOL=IPC)
(KEY= dbsid2)
)
(ADDRESS =
(COMMUNITY = SAP.WORLD)
(PROTOCOL = TCP)
(HOST = DBHOSTNAME)
(PORT = 1527)
)
)
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SDU = 32768)
(SID_NAME = dbsid1)
(ORACLE_HOME = ORACLE_HOME_dbsid1)
(PRESPAWN_MAX = 10)
)
(SID_DESC =
(SDU = 32768)
(SID_NAME = dbsid2)
(ORACLE_HOME = ORACLE_HOME_dbsid2)
(PRESPAWN_MAX = 10)
)
)
and tnsnames.ora should be like this:
################
# Filename: tnsnames.ora
# Name.: LOCAL_REGION.world
# Date.:
################
dbsid1.world =
(DESCRIPTION =
(SDU = 4096)
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = sap.world)
(PROTOCOL = TCP)
(HOST = DBHOSTNAME)
(PORT = 1527)
)
)
(CONNECT_DATA =
(SID = dbsid1)
(GLOBAL_NAME = dbsid1.world)
)
)
dbsid2.world =
(DESCRIPTION =
(SDU = 4096)
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = sap.world)
(PROTOCOL = TCP)
(HOST = DBHOSTNAME)
(PORT = 1527)
)
)
(CONNECT_DATA =
(SID = dbsid2)
(GLOBAL_NAME = dbsid2.world)
)
)
I think it will help you.
For more clarity follow SAP Note 98252
Do not check CL_FORCE and UP_FORCE because they are reserved for SAP internal services.
If all the work processes are running, then you may want to look at SM12 (or is SM13?) and see if updates are disabled. If they
are, look at the alert log (if it's an Oracle database) and see if you have any space related errors (e.g. ORA-01653 or ORA01654). If you do, add a datafile or raw device file to the applicable tablespace and then, re-enable updates in SM12.
If only all the dialog work processes are running, there are several possible causes. First, look to see if there's a number in the
Semaphore column in SM50 or dpmon. If there is, click once on one of the numbers in the Semaphore column to select it and
then, press F1 (help) to get a list of Semaphores. Then, search OSS notes and, hopefully, you'll find a note that will tell you how
to fix the problem.
If it's not a semaphore (or sometimes if it is), use vmstat on UNIX or task manager on Windows to see if the operating system is
running short on memory which would cause it to swap. In vmstat, the free column (which is in 4k pages on most UNIX
derivatives) will be consistently 5MB or so and the pi and/or po columns will have a non- zero value. The %idle column in the
cpu or proc section will be 0 or a very low single digit while the sys column will be a very high double-digit number because the
operating system is having to swap programs out to disk and in from disk before it can execute them.
In task manager, look at free memory in the physical memory section under the performance tab. If it's 10MB or 15MB (I think),
then the operating system will be swapping.
Usually, when all the dialog work processes are running, you won't be able to log in via SAPgui and will need to execute the
dpmon utility at the commandline level. The procedure is basically the same on UNIX and Windows.
On UNIX:
telnet to server and login as sidadm user.
cd to /sapmnt/SID/profile directory
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_hercules_DVEGMS00) select option "m" and then, option "l"
On Windows:
Click on START, then RUN
Type "cmd" and press enter
change to drive where profile directory resides (e.g. f:)
cd to \sapmnt\SID\profile
execute "dpmon pf=SID_hostname_SYSNR" (e.g. PRD_zeus_DVEGMS00) select option "m" and then, option "l"
On both operating systems, you'll see a screen that looks like what you see in SM50. Depending on what you see here, will
depend on what you do next, but checking the developer trace files (e.g. dev_disp) in the work directory (e.g.
/usr/sap/SID/DVEGMS00/work) is never a bad idea.