
SAP: SID, Client, Instance

SID: System Identifier

3 letters; common naming patterns (A = letter, N = digit):

AAA -- HPE, HDE, HQE
AAN -- HP1, HQ1, HD1
NNA -- 11D, 11Q, 11P
ANA -- H1D, H1Q, H1P

System    Users
DEV       IT users
QAS       IT users, Business/End users
PRD       IT users, Business/End users

FUT: Functional unit/user testing (Developers/functional team)

QAT: Quality acceptance testing (Functional people from Business)

UAT: User acceptance testing (Business/End users)

ECC – DEV, QAS, PRD

HR – DE1, QE1, PE1

GRC – GD1, GQ1, GP1

Client: 000, 001, 066, 030, 060

000 – Standard/Golden Client – SAP standard data.

001 – Copy of the Golden Client

066 – EarlyWatch client

030 – Standard data + customized data


ECC 6.0 EHP 4-- current ECC version 2030

GRC
BI
S4 HANA (S4 HANA 2.0)
SOLMAN
HANA STUDIO
HR
CRM, SRM, IBP, IDM…

ECC:
Versions of SAP
- 4.6 C
- 4.7 EE
- ECC 5.0 - Enterprise core/central component.
- ECC 6.0 EHP 1, EHP 2,3,4,5,6,7,8…

Flavours in SAP:
- IDES -- Training system (clients 000, 001, 066, 800)
- Non IDES -- Real time system (clients 000, 001, 066, 100)

Projects:
- Implementation
- Support
- Upgrade
- Roll out
- Migration

Default users in SAP (Standard users in SAP)

- SAP*
- DDIC
- EARLYWATCH

USER         000    001    066
SAP*         YES    YES    YES
DDIC         YES    YES    NO
EARLYWATCH   NO     NO     YES

Default passwords:
- SAP* ---- 06071992
- DDIC ---- 19920706
- EARLYWATCH --- support
- SAP* ----- pass (in clients other than the 3 default clients 000, 001, 066)

Powerful Profiles:
- SAP_ALL
- SAP_NEW
- S_A.DEVELOP
- S_A.CUSTOMIZ
- S_A.SYSTEM

SAP ECC 6.0 EHP7 -- EHP 8

Instance: 00 to 99 (one SID/client can run several instances)

HPE 030 00 + HPE 030 01 + HPE 030 02

T-code: gives permission to perform an activity in the SAP system.

T-codes are minimum 4 characters, maximum 10, mostly 4 characters.

- T-codes
- Tables
- Reports

SU01: User Administration

- User creation
- User change
- User deletion
- Lock/unlock
- Password reset
- Copy user
User Types:
- Dialog: all human users are Dialog users.
  Password policy & license applicable.
  GUI login possible.
  Multiple logins possible.
- Service: FFIDs (firefighter IDs) are Service users.
  Password policy & license not applicable.
  GUI login possible. Multiple logins not possible.
- System: for RFC connections, background jobs and system workflows.
  Password policy & license not applicable.
  GUI login not possible. Communication between SAP and SAP.
- Communication: for RFC connections, background jobs and system workflows.
  Password policy & license not applicable.
  GUI login not possible. Communication between SAP and SAP, and SAP and non-SAP.
- Reference: to provide additional access to a user whose profile limit is exceeded.
  Password policy & license not applicable.
  GUI login not possible.
RFC: Remote Function Call

SAP system --RFC--> SAP (communication) --RFC--> non-SAP (Java)
S4HCLNT800 --------- ABCCLNT800 -------- JAVCLNT123

SNC (Secure Network Communications): enables SSO for the user.

SSO: Single Sign On

Security roles & responsibilities:

- User administration
- Role administration
- Troubleshooting authorization issues
- Report extraction based on the client requirement
- Audit support
- Day-to-day ticket support

/n   opens a new session, closing the existing screen
/o   opens a new session without closing the current session
/nex exits from SAP

SU01: User Administration
SU01D: Display user
SU0, SU1, SU2, SU3…: End user t-codes
SUGR: To create user groups in SAP
SU10: Mass User Administration
SUIM: System Information
SE16: Table browser / Data browser
SU53: Last missing authorization check

TABLES: Data Browser in SAP – SE16/SE16N


User Admin Tables:
USR02: User Last logon data info
USR03: User address data info
USR04: User Profile info
USR05: User parameter info
USGRP: list of user groups in system
USGRP_USER: Users vs user groups
USR06: User license data
USR21 & ADR6: user mail address
TSTC: List of all the t-codes in the system
TACT: List of all the activities in the system.

UFLAG (Lock Status) values in SAP (the values are bit flags, so they add up):

0: User not locked
64: Admin lock
128: Incorrect logons lock
192: Incorrect logons + admin lock (64 + 128)

USR40: Illegal Passwords


SM30: To modify the table.
SM04: List of all the active users in the current server/instance.
AL08: List of all the active users in all the servers/instances.

Role Administration: PFCG

- Role creation
- Role modification
- Role deletion

Role Types:
- Single Role --> custom roles start with Y or Z --> ZS:
- Composite Role ZC: contains single roles.
- Master/Derived Role ZM/ZD:

Authentication: gives permission to log in.
Authorization: gives permission to perform an activity.

Single Role: contains T-codes, authorization objects, fields & values.

Composite Role:
- Contains single & derived roles.
- Doesn't have any authorizations & profiles of its own.
- We can't add a composite role to a composite role.
- We should not add a master role to a composite role.

Master/Derived: we use a master role for the same job function at different job locations.
- We should not assign the master role to a user.
- We should only assign derived roles to users.

Single Role concept (one role per location, org value maintained directly):
ZS_LEN_MGR_HYD – VA01, GS01, HYD
ZS_LEN_MGR_BAN – VA01, GS01, BAN
ZS_LEN_MGR_KOL – VA01, GS01, KOL
ZS_LEN_MGR_MUM – VA01, GS01, MUM
ZS_LEN_MGR_CHN – VA01, GS01, CHN

Master role: T-codes, authorization objects, fields & values.
Derived role: T-codes, authorization objects, fields & values inherited from the master, and we maintain the org values.
ZM_LEN_MGR_ALL – VA01, GS01, GST1
ZD_LEN_MGR_HYD01 – VA01, GS01, GST1, 01
ZD_LEN_MGR_HYD02 – VA01, GS01, GST1, 02
ZD_LEN_MGR_BAN – VA01, GS01, GST1, 03
ZD_LEN_MGR_KOL – VA01, GS01, GST1
ZD_LEN_MGR_MUM – VA01, GS01, GST1
ZD_LEN_MGR_CHN – VA01, GS01, GST1
Lenovo store: Manager, Assistant manager
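The master/derived relationship above can be modelled in a few lines. The following Python is an added example, not SAP code and not part of these notes: it keeps the master role ZM_LEN_MGR_ALL as a template, derives per-location roles that inherit the T-codes and non-org values but set only their own org-level value, and refuses to treat a master role (or a derived role whose org values are still empty, the PFCG "RED: Org values not maintained" case) as assignable. "GST1" is the page's placeholder org field; "Z_STORE" is a hypothetical authorization object used only here.

```python
"""Master/derived role model, added here as an illustration (not SAP code).

A master role (ZM_*) holds T-codes, authorization objects, fields and values.
A derived role (ZD_*) inherits all of that and only maintains its own
org-level values; it is the derived role, never the master, that is assigned
to a user. "GST1" is the page's placeholder org field, and "Z_STORE" is a
hypothetical authorization object used only for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Org-level fields: the only fields a derived role maintains on its own.
ORG_FIELDS = {"GST1"}


@dataclass
class Role:
    name: str
    tcodes: Set[str]
    # object -> field -> set of values; org fields stay empty in the master
    auths: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    derived_from: Optional[str] = None


MASTER = Role(
    name="ZM_LEN_MGR_ALL",
    tcodes={"VA01", "GS01"},
    auths={
        "S_TCODE": {"TCD": {"VA01", "GS01"}},
        # hypothetical object: ACTVT is a normal field, GST1 the org level
        "Z_STORE": {"ACTVT": {"01", "02", "03"}, "GST1": set()},
    },
)


def derive(master: Role, name: str, org_values: Dict[str, Set[str]]) -> Role:
    """Build a derived role: copy T-codes and non-org values, set org values."""
    if master.derived_from is not None:
        raise ValueError("a derived role cannot serve as a master")
    if set(org_values) - ORG_FIELDS:
        raise ValueError("a derived role may only maintain org-level fields")
    auths: Dict[str, Dict[str, Set[str]]] = {}
    for obj, fields in master.auths.items():
        auths[obj] = {}
        for fld, values in fields.items():
            if fld in ORG_FIELDS:
                auths[obj][fld] = set(org_values.get(fld, set()))
            else:
                auths[obj][fld] = set(values)  # inherited from the master
    return Role(name=name, tcodes=set(master.tcodes), auths=auths,
                derived_from=master.name)


def org_values_maintained(role: Role) -> bool:
    """False when any org field is empty (PFCG: 'RED: Org values not maintained')."""
    return all(values for fields in role.auths.values()
               for fld, values in fields.items() if fld in ORG_FIELDS)


def assignable(role: Role) -> bool:
    """Only a derived role with maintained org values may be assigned to a user."""
    return role.derived_from is not None and org_values_maintained(role)


def push_master_change(master: Role, derived: List[Role], obj: str,
                       fld: str, values: Set[str]) -> None:
    """Change a non-org value in the master and adjust every derived role;
    the org values of the derived roles are left untouched."""
    if fld in ORG_FIELDS:
        raise ValueError("org-level values are maintained per derived role")
    master.auths.setdefault(obj, {}).setdefault(fld, set()).update(values)
    for role in derived:
        if role.derived_from == master.name:
            role.auths.setdefault(obj, {}).setdefault(fld, set()).update(values)


if __name__ == "__main__":
    hyd01 = derive(MASTER, "ZD_LEN_MGR_HYD01", {"GST1": {"01"}})
    kol = derive(MASTER, "ZD_LEN_MGR_KOL", {})   # org values not yet maintained
    push_master_change(MASTER, [hyd01, kol], "Z_STORE", "ACTVT", {"06"})
    print(hyd01.name, assignable(hyd01), hyd01.auths["Z_STORE"])
    print(kol.name, assignable(kol), kol.auths["Z_STORE"])
```

`push_master_change` plays the role of adjusting derived roles after a master change: the new ACTVT value reaches every derived role while each one keeps its own GST1 value, which is exactly why the master itself is never assigned.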

SAP Hierarchy (authorization hierarchy):
System
Client
User
Role
Profile
Object Class
Authorization Object
Fields
Values

SU24:
Role MENU: the system checks the objects assigned to the t-code.
Example: add t-code SE16 to the role menu. The Authorization tab of the role then pulls the objects from SU24 which are maintained as YES:
S_TABU_DIS - YES
S_TABU_NAM - YES
S_TABU_LIN - NO
SU56: Reset user buffer

(Diagram: SU01 -> user buffer -> database; changes come from PFCG, SU01, SU10, SUGR.)

Authorization concept:
Authorization objects control user activities.

Activities (ACTVT):
01 - Create
02 - Change
03 - Display
04 - Print
05 - Lock/Unlock
06 - Delete
16 - Execute
22 - Enter, Include, Assign
78 - Assign

Object       Used for
S_USER_GRP   User creation
S_USER_AGR   Role creation
S_USER_PRO   Profile related tasks

Role change: S_USER_AGR ACTVT: 02
Profile assign: S_USER_PRO ACTVT: 22, 78
User delete: S_USER_GRP ACTVT: 06
User role assign: S_USER_AGR ACTVT: 22

Create a user admin role with only lock/unlock and password reset: Z_USER_ADMIN_RES (t-code SU01).
Traffic Signals in PFCG:
MENU Tab:
GREEN: T-codes are added
RED : T-codes not added

Authorizations Tab:
GREEN: Profiles generated
YELLOW: Profiles partially maintained
RED: Profiles not generated

USER Tab:
GREEN: Users assigned to role
YELLOW: User comparison required
RED: Users not assigned

Inside the Authorization Tab:


GREEN: Values are maintained
YELLOW: Values not maintained
RED: Org values not maintained
Authorization Status:
- Standard
- Maintained
- Changed
- Manually

Standard: fields & values are proposed by SAP.
Maintained: fields proposed by SAP, values maintained by the user.
Changed: fields & values proposed by SAP, values changed by the user.
Manually: fields & values are proposed by the user.

Tables related to Role Admin:

AGR_USERS: Role vs users
AGR_TCODES: Role vs t-codes
AGR_AGRS: Single role vs composite role
AGR_DEFINE: Master role vs derived role
AGR_1251: Role vs authorization objects & values
AGR_1252: Role vs org values
AGR_PROF: Role vs profiles

Reports: SA38: To execute reports
SE38: To view & edit the report.
- RSUSR200
- RSUSR003
- RSUSR405
- RSAUDITC

Topics covered below:
SU22, SU24, SU25
Troubleshooting Authorization Issues: SU53, ST01, STAUTHTRACE
Table Security
Transport concept
Real time process for user admin & role admin

TOBJ: stores authorization objects. (Table)
TOBC: stores object classes. (Table)
SU21: To see all the authorization objects.

Important authorization objects:

S_TCODE
S_USER_AUT
S_USER_GRP
S_USER_AGR
S_USER_SYS
S_USER_PRO
S_GUI: gives download & upload access in SAP
S_RFC: RFC authorizations
S_DEVELOP
S_PROGRAM

The ABAP team needs developer key access.
Code build: developer key access.
Standard object change: object key access.
DEVACCESS: stores all developer keys.
ADIRACCESS: stores all object keys.

SU25: To copy SU22 data to SU24 & upgrade activities

SU22: Standard authorization data
USOBX: T-codes, authorization objects.
USOBT: T-codes, authorization objects, fields & values.
SU24: Standard authorization + custom authorization data.

SU22 (USOBX, USOBT) --SU25--> SU24 (USOBX_C, USOBT_C)

USOBX_C: T-codes, authorization objects.
USOBT_C: T-codes, authorization objects, fields & values.

Check Indicators:
- Check
- Do not check

Check Proposals:
- Yes
- Yes without values
- No
- New/unmaintained

Expert Mode:
- Delete & recreate profile & authorization.
- Edit old status.
- Read old status & merge with new data.

PFCGMASVAL: Mass role changes
SUPC: Mass role generation
PFUD: Mass user comparison & delete invalid assignments
EWZ5: Mass lock/unlock users

Troubleshooting Authorization Issues: SU53, ST01, STAUTHTRACE

SU53: Last missing authorization check
ST01: authorization trace for users (missing & successful)
STAUTHTRACE: system-wide trace for a user (missing & successful)

RC values in the trace:
- RC=0: Authorization successful
- RC=4: Object available with different values
- RC=12: Object itself is missing

Table Security: TDDAT, DD02L, SE54

- S_TABU_DIS: restricts table access for a user at authorization group level.
- S_TABU_NAM: restricts table access for a user at table level.
- S_TABU_LIN: restricts table access at line level.
- S_TABU_CLI: restricts table access at client level.

Authorization group example (diagram residue): Z_TABLE -- auth group containing USR02, AGR_AGRS, TSTC, RSECVAL; groups SC, SA, Z_TABLE; USR01, TSTC -> ZUSR01; USR02 -> ZTSTC.

&NC&: the authorization group under which tables that are not part of any authorization group fall.
Background Jobs:
SM36: To schedule a background job
SM37: To monitor background jobs

PFCG_TIME_DEPENDENCY:
- Mass user comparison
- Removes invalid role assignments

PRGN_COMPRESS_TIMES:
- Removes all expired roles
- Compresses the role validity periods

Work process types:
Dialog
Background
Enqueue
Spool
Update

Example distribution: DD D DD D B B B U S E (D = dialog, B = background, U = update, S = spool, E = enqueue)

Transport: To move changes from one system to another system.
SE01, SE09, SE10.
Workbench request: standard SAP data changes. Example: SU24 changes, table modifications.
Customizing request: stores customizing data. Example: roles.

DEV                  QAS                  PRD
Z_SEC_01   SU01      Z_SEC_01   SU01      Z_SEC_01   SU01
ZC_SEC_01  delete    delete               delete
GRCK900102 -------> GRCK900102 -------> GRCK900102

DEVCLNT100 ------ QASCLNT100

Role Deletion Process:
- Add role ZC_SEC_01 into the TR
- Delete the role
- Release the TR
- Move the TR -> QAS -> PRD

SM01_DEV/SM01_CUS: To lock/unlock a T-code.
SM59: To create an RFC connection. Objects: S_RFC, S_RFCACL
RFC destination naming: SIDCLNT<client number>, e.g. GRCCLNT400

What happens when a user executes a T-code?

- Is the T-code available in TSTC or not?
- Is the T-code locked or not (SM01_DEV/SM01_CUS)?
- Is the T-code available in the user's S_TCODE or not?
- Authorization objects related to the T-code
- Authority check inside the t-code.
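The T-code start sequence above, the RC values seen in ST01/STAUTHTRACE, and the S_TABU_DIS/S_TABU_NAM table checks can be modelled together. The following Python is an added example, not SAP code and not part of these notes: `authority_check` returns RC=0, 4 or 12 the way the trace reports them, `start_tcode` replays the five checks in order, and `table_access` looks up the authorization group in TDDAT (falling back to &NC& for an unassigned table), tries S_TABU_DIS first and S_TABU_NAM second. The user SECADMIN, the TSTC/SM01/SU24/TDDAT contents and all values are constructed sample data.

```python
"""Toy model of SAP authorization checks, added as an illustration (not SAP code).

It replays three things from the notes with constructed sample data:
  * AUTHORITY-CHECK return codes as seen in ST01/STAUTHTRACE: RC=0 success,
    RC=4 object held but with different values, RC=12 object missing;
  * the sequence run when a user starts a T-code: TSTC entry, SM01 lock,
    S_TCODE, then the SU24 objects flagged "Check" for that T-code;
  * table access: S_TABU_DIS with the auth group from TDDAT (&NC& when the
    table has none), then S_TABU_NAM on the table name if that fails.
The user SECADMIN, the TSTC/TDDAT/SU24 contents and all values are made up.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# User buffer: object -> list of authorizations (field -> set of values, '*' allowed)
USER_BUFFER: Dict[str, Dict[str, List[Dict[str, Set[str]]]]] = {
    "SECADMIN": {
        "S_TCODE": [{"TCD": {"SU01", "SE16"}}],
        "S_USER_GRP": [{"CLASS": {"*"}, "ACTVT": {"03", "05"}}],   # display, lock/unlock only
        "S_TABU_DIS": [{"DICBERCLS": {"SC"}, "ACTVT": {"03"}}],     # display tables in group SC
        "S_TABU_NAM": [{"TABLE": {"AGR_USERS"}, "ACTVT": {"03"}}],   # plus one table by name
    },
}

TSTC: Set[str] = {"SU01", "SE16", "SM30"}          # transactions that exist
SM01_LOCKED: Set[str] = {"SM30"}                    # locked via SM01_DEV/SM01_CUS
SU24_CHECK: Dict[str, List[str]] = {                # objects with check indicator "Check"
    "SU01": ["S_USER_GRP"],
    "SE16": ["S_TABU_DIS"],
}
TDDAT: Dict[str, str] = {"USR02": "SC", "TSTC": "SS"}   # table -> auth group


def authority_check(user: str, obj: str, **fields: str) -> int:
    """Return 0 (success), 4 (object held, values differ) or 12 (object missing)."""
    auths = USER_BUFFER.get(user, {}).get(obj)
    if not auths:
        return 12
    for auth in auths:
        # every checked field must match one of the authorization's values
        if all(any(fnmatchcase(value, pattern) for pattern in auth.get(fld, set()))
               for fld, value in fields.items()):
            return 0
    return 4


def start_tcode(user: str, tcode: str) -> Tuple[bool, str]:
    """Checks performed when a user starts a T-code, in the order the notes list them."""
    if tcode not in TSTC:
        return False, "T-code not in TSTC"
    if tcode in SM01_LOCKED:
        return False, "T-code locked (SM01)"
    rc = authority_check(user, "S_TCODE", TCD=tcode)
    if rc != 0:
        return False, f"S_TCODE RC={rc}"
    for obj in SU24_CHECK.get(tcode, []):          # objects the transaction will check
        if obj not in USER_BUFFER.get(user, {}):
            return False, f"{obj} RC=12"
    return True, "ok"


def table_access(user: str, table: str, actvt: str) -> Tuple[bool, str]:
    """S_TABU_DIS on the TDDAT group (default &NC&); S_TABU_NAM on the name if that fails."""
    group = TDDAT.get(table, "&NC&")
    rc_dis = authority_check(user, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt)
    if rc_dis == 0:
        return True, f"S_TABU_DIS group {group}"
    rc_nam = authority_check(user, "S_TABU_NAM", TABLE=table, ACTVT=actvt)
    if rc_nam == 0:
        return True, "S_TABU_NAM"
    return False, f"S_TABU_DIS RC={rc_dis}, S_TABU_NAM RC={rc_nam}"


if __name__ == "__main__":
    for tc in ("SU01", "SE16", "SM30", "SU10"):
        print(tc, start_tcode("SECADMIN", tc))
    for tbl, act in (("USR02", "03"), ("USR02", "02"), ("AGR_USERS", "03"), ("TSTC", "03")):
        print(tbl, act, table_access("SECADMIN", tbl, act))
```

The AGR_USERS case is the one worth studying: the table has no TDDAT entry, so S_TABU_DIS is checked against &NC& and fails with RC=4 (SECADMIN holds the object, only for group SC), and access is granted only through the table-level S_TABU_NAM authorization. Without that second object the trace would show the RC=4 entry, which is what SU53 or ST01 would point at.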
What happens when we add a t-code to a role?
- The system checks the SU24 data for that particular T-code vs objects.
  Example for SU01: S_USER_GRP, S_USER_PRO, S_USER_AUT, S_USER_AGR, S_USER_SYS, S_USER_SAS.
- It pulls all those authorization objects into the role.

User Creation Process: (ServiceNow (SNOW) or Remedy)

- The user raises the ticket in SNOW.
- The ticket goes to the manager for approval.
- The ticket comes to the security queue once the manager has approved it.
- The security team verifies the user details & roles.
- The security team verifies the role owner for the roles in the role matrix.
- The security team sends a mail to the role owner.
- Based on the role owner's approval we provide access to the user in SU01.
- Credentials are shared with the user separately.

Role Creation or Change process: (ServiceNow (SNOW) or Remedy)

- The requestor raises the ticket in SNOW.
- The ticket goes to the manager for approval.
- The ticket comes to the security queue once the manager has approved it.
- The security team verifies the role change details & roles.
- The security team verifies the role owner for the role in the role matrix.
- The security team sends a mail to the role owner.
- Based on the role owner's approval we start the security changes in the development system.
- We need to check the role dependencies.
- Start the changes in the DEV system.
- Create the TR request and release the TR.
- Contact Basis to move the TR from DEV to QAS.
- Ask the user to perform UAT (User acceptance test) in the QAS system and to provide the UAT sign-off.
- Contact Basis to move the TR from QAS to PRD.
- Inform the requestor and close the ticket.
