Basis

1 of 20

SAP BC (Basis Components) Hints and Tips

The SAP BC (Basis Components) is the root of the SAP Applications ERP software. It provides the runtime environment for the rest of the R/3 Applications. It ensures that applications are optimally integrated in the system environment. The SAP Basis Components contains powerful tools such as CCMS (Computing Center Management System) for easy system administration. It is also provides the interfaces to the distribute system components and third-pary vendors (EDI, RFC etc.). SAP Basis Links: Menu / Jobs / Spools / User Defaults / Transports / Statistics SAP Database Table Hints and Tips

Table of Contents
Interview questions Basis interview questions SAP Security Interview Questions Frequently Asked Basis Questions Authorization Authorization, Profiles, Address Transaction RZ10 - EditProfiles Users authorizations/profiles - for management reporting Authorization to only display customizing (SPRO) SAP Client Copy Client Copy with only user master and roles Client Copy from Production to Quality Server Client Copy By Using SCC8 and SCC7 Copy table contents Locking Lock Entries - (Mass Users Lock in 4.6x) Users Last Login Locked All the Users in One Client and Log-Off Unix Command Run UNIX script from SAP ABAP Unix Network Printer Unix Print Spooler Unix command to start/stopSAP Unix command to start saprouter Unix SAP Internet Mail Gateway Search for a file in Unix Unix Oracle unlock/lock all users Unix auto batch file ABAP Basis Control Limits the number of login sessions per user Easy Mass Maintain of display, locking and deleting users

Basis Password Changing personal Password on multiple SAP Sessions Forgot Password for user id SAP* in client 000 Restrict Role to unlock/lock Change Password

2 of 20

Forgot Password for user id SAP* in client 000

Happened to forgot your SAP* pasword in client 000 and you don't know what to do now. You need to log in to client 000 to apply support packages Options 1: Create the Program in any other Client and run it with SAP* User. It will set the SAP* Password same as in your current client. REPORT Z_SAP_USER_PASSWORD_SET. * * Run this progam as sap* in cient xxx. The user you specify * as a parameter, will have the same, client xxx password set in every * client * where it exists. * TABLES: USR02, T000. DATA: PASSWD LIKE USR02-BCODE. PARAMETERS: USER LIKE USR02-BNAME. SELECT SINGLE * FROM USR02 WHERE BNAME = USER. IF SY-UNAME <> 'SAP*'. WRITE: / 'Only SAP* is allowed to run this program'. EXIT. ENDIF. IF SY-SUBRC <> 0. WRITE: / USER, 'user does not exist!'. EXIT. "No template user ENDIF. PASSWD = USR02-BCODE. CLEAR USR02. WRITE: / 'The password of', USER, 'updated in client:'. SELECT * FROM T000 WHERE MANDT <> '066' AND MANDT <> SYMANDT. SELECT * FROM USR02 CLIENT SPECIFIED WHERE MANDT = T000MANDT AND BNAME = USER. WRITE: / USR02-MANDT. USR02-BCODE = PASSWD. USR02-LTIME = SY-UZEIT. USR02-BCDA1 = USR02-BCDA2 = USR02-BCDA3 = SY-DATUM. USR02-BCDA4 = USR02-BCDA5 = SY-DATUM. UPDATE USR02 CLIENT SPECIFIED. ENDSELECT. ENDSELECT.

Basis Options 2: You can logon as DDIC and change the SAP* password Options 3:

3 of 20

You can also delete SAP* user in client 000. It will default its password to PASS. In SQL SELECT * FROM USR02 WHERE BNAME='SAP*' AND MANDT='000' Run query to check return. Change Select to Delete and run again. Options 4: Aren't you supposed to use DDIC to install hotpacks? However, some prefer to use other users besides ddic.

How to reset ddic & sap* passowrds on client 000

I install sapr3 4.7 and on WIN 2003& orale Db and after installation I set the the passwords for SAP* & DDIC on client 000 then I forget it. Pls help me how to reset them to login to the system by client 000& i in form u i can login with 001 & 066 ===== ## Rest the password of 'sap*' in client 000 ## Log on to oracle database using sqlplus. sqlplus / nolog SQL>connect /as sysdba SQL>update <SchemaOwner>.USR01 set bname='SAP*1' where bname='SAP*' and MANDT=000; ## [ e.g.: update SAPR3.USR01 set bname='SAP*1' where bname='SAP*' and MANDT=000; ] ## [e.g. : update SAP<SID>.USR01 set bname='SAP*1' where bname='SAP*' and MANDT=000;] SQL>commit; SQL>exit ## This will reset the user SAP* in client 000 . After loggin in client with user SAP* change the passwords for other users. ## You can user client number of your respective client. ## Please note do not reset any other user than SAP* with this method. Sachin

Basis

4 of 20

Changing personal Password on multiple SAP Sessions

I'm wondering if there is a way to logon to sap either via web or command prompt, script etc. in order to create a batch file to reset my own passwords on multiple SAP Boxes and Clients. I currently have over 100 ID's and passwords and it's starting to get time consuming having to reset them every month. There are 3 options I am aware of: 1) CUA is not recommended. 2) Writing a program is not recommended and should not be possible. 3) Set up a system in the network to which ONLY you have access to (should there be such a thing). No other users in any client except DDIC and SAP* which must be you. You will also need to consider several other levels of access to this system. Then maintain SM59 with connections to all the systems and their clients for the 100 user accounts which you have. Advantage: You have a sort of manual "SSO". Debatable topic: As the session generated is not recognized by the system as a dialog session (even although it looks and works like one), you can skip the 30 days policy... (As it is possible to crack SAP passwords like swatting flies, the 30 days only helps against auditors) Debatable topic: You can now set up up very complex passwords which are all different because you dont need to remember them- This is a very little bit more protected against dictionary attacks than what poor passwords are with SAPs neandertholic password regime. Disadvantage: When you do change the password(s), you have to change them twice... i.e. 1 time more than before... Major disadvantage: Anyone who gets into your central system, gets to go everywhere!!!!! Note: The backend of SM59 is client independent, so DO NOT think that you are alone in a client!

Basis

5 of 20

Restrict Role to unlock/lock Change Password

How to create role (contain tcode SU01) and restrict this role to only allow 'unlock/lock users' and 'change password'. I want to assign this role to admin operator. Try to create a role (PFCG) with the authorization object called S_USER_GRP, and assign Lock only in the activity field. I don't have any clue about restricting the Initialization of the Password, If anyone has, pls. share. I am did the same using Authorizations. I did as following: I created a Profile(Tcode: su02) called "Z:Helpdesk" containing the following: Y:HLPDSKTCOD : containing the Tcodes: SU01 (Class: Non-application-specific Authorization objects Object: Authorization check for transaction start) Y:HLPDSKACT : containing the Activities 03,05 User group in user master maintenance "*" (Class: Basis: Administration Object: User Master Maintenance: User Groups) If you assign this profile to a user he will be able to reset passwords and also lock/unlock users. Also assign "su53" Tcode to the user , this will always help. Whenever a user has some authorization issues, tell him to send a screenshot of "su53". In that screenshot SAP will clearly mention what all authorizations are required. To assign "su53" tcode dd the following to "Y:HLPDSKTCOD" Y:HLPDSKTCOD : Tcodes: SU01, SU53 Sameer I wanted to create a new role with su01 access only. it works fine through adding it thru the menu tab. However, I dont want this role to allow 1) removing of users 2) changing of user password other than himself I checked through the authorization tab after entering su01 in the menu tab but did not find what I want. SU01 user access is controlled via the object S_USER_GRP . Deleting users is activity 06. Changing of password is 05 (also lock / unlock id). The object works in conjunction with the user group that a user is assigned to. This is always possible for all users at the login screen by hitting the "new password" button after entering the correct password, but before hitting enter. The security is controlled by the login program. No authorizations required.

Basis

6 of 20

User
Decimals Format Time Zone Definition Problems Five Different "User Type"

Five Different "User Type"

In "USER MAINTENANCE- SU01" --> in the "logon tab" there are 5 different "user type" 1. dialog 2. system 3. communication 4. service 5. reference Kindly mention the function and role of all the above mentioned user types specifically and how is one user type different from another.

::Dialog (A)::
User type for exactly one interactive user (all logon types including Internet users): During a dialog log on, the system checks whether the password has expired or is initial. The user can change his or her password himself or herself. Multiple dialog logons are checked and, where appropriate, logged.

::System (B)::
User type for background processing and communication within a system (internal RFC calls). A dialog logon is not possible. The system does not check whether the password has expired or is initial. Due to a lack of interaction, no request for a change of password occurs. (Only the user administrator can change the password.) Multiple logons are permissible.

::Communication (C)::
User type for dialog-free communication between systems (such as RFC users for ALE, Workflow, TMS, and CUA): A dialog logon is not possible. Whether the system checks for expired or initial passwords depends on the logon method (interactive or not interactive). Due to a lack of interaction, no request for a change of password occurs.

::Service (S)::
User type that is a dialog user available to a larger, anonymous group of users. Assign only very restricted authorizations for this user type:

Basis

7 of 20

During a log on, the system does not check whether the password has expired or is initial. Only the user administrator can change the password (transaction SU01, Goto Change Password). Multiple logons are permissible. Service users are used, for example, for anonymous system accesses through an ITS service. After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.

::Reference (L)::
User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transactions SU01. You cannot log on to the system with a reference user. To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored. You should be very cautious when creating reference users. If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067. We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained. We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.

Setting the User Decimals Format

Your screen and layout sets decimals are affected by :OY01 - Country Global Parameters -> Double click on the country code SU01 - Maintain users -> Click Defaultsbutton In the Decimal format section. How to solve the Time Zone Definition Problems? The Time zone is defined in table TTZCU(refer to note: 91667) for System wide and Client wide. If you want it for individual user, go to SU01 under the default Personal Time zone sections. Settings for individual users is done when you have global users in different time zone. For Local users only, go to SM30 and change the table TTZCU. e.g. UTC+8 This is done when your Spool time is incorrect.

Basis ABAP Basis Control Limits the number of login sessions per user Easy Mass Maintain of display, locking and deleting users

8 of 20

Limits the number of login sessions per user with User Exits
4.6x
* * * * * * * * * * Transaction CMOD -> Utiliteis -> SAP Enhancements Exit Name SUSR0001 Double click EXIT_SAPLSUSF_001 Double click ZXUSRU01 Insert -> include zsesschk. zsesschk limits the number of login sessions per user in a certain client It runs from user exit SUSR0001 after the SAP Login n-1 is the number of concurrent sessions allowed

TABLES: UINFO. DATA: N TYPE I VALUE 2. "Upper limit of login sessions DATA: OPCODE TYPE X VALUE 2, I TYPE I, A(60). DATA: BEGIN OF BDC_TAB1 OCCURS 5. INCLUDE STRUCTURE BDCDATA. DATA: END OF BDC_TAB1. DATA: BEGIN OF USR_TABL OCCURS 10. INCLUDE STRUCTURE UINFO. DATA: END OF USR_TABL. * Exclude Limit login by Users IF SY-UNAME <> 'XXX' AND SY-UNAME <> 'XXX'. CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE ID 'TAB' FIELD USR_TABL-*SYS*. LOOP AT USR_TABL. IF SY-UNAME = USR_TABL-BNAME AND SY-MANDT = USR_TABL-MANDT. I = I + 1. ENDIF. ENDLOOP. IF I >= N. A = 'You have already '. A+17(2) = I - 1. A+19(25) = 'login sessions in client '. A+44(4) = SY-MANDT. CALL FUNCTION 'POPUP_TO_INFORM' EXPORTING TITEL = 'UNSUCCESSFUL LOGIN' TXT1 = A TXT2 = 'You are not allowed to log in'. MOVE: 'SAPMSSY0' TO BDC_TAB1-PROGRAM, '120' TO BDC_TAB1-DYNPRO, 'X' TO BDC_TAB1-DYNBEGIN. APPEND BDC_TAB1.CLEAR BDC_TAB1. MOVE: 'BDC_OKCODE' TO BDC_TAB1-FNAM, '/nex' TO BDC_TAB1-FVAL. APPEND BDC_TAB1.CLEAR BDC_TAB1. CALL TRANSACTION 'SM04' USING BDC_TAB1 MODE 'N'.

Basis
ENDIF. ENDIF.

9 of 20

Easy Mass Maintain of display, locking and deleting users

REPORT ZSU01 NO STANDARD PAGE HEADING. SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN BEGIN OF BLOCK B1 WITH FRAME. BEGIN OF LINE. COMMENT (20) COMMENT0. POSITION 56.

PARAMETERS: DISP RADIOBUTTON GROUP R1. SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN END OF LINE. BEGIN OF LINE. COMMENT (20) COMMENT1. POSITION 56.

PARAMETERS: LOCK RADIOBUTTON GROUP R1. SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN END OF LINE. BEGIN OF LINE. COMMENT (20) COMMENT2. POSITION 56.

PARAMETERS: DELETE RADIOBUTTON GROUP R1. SELECTION-SCREEN END OF LINE. SELECTION-SCREEN END OF BLOCK B1. * User type input SELECTION-SCREEN BEGIN OF BLOCK B2 WITH FRAME. SELECTION-SCREEN BEGIN OF LINE. SELECTION-SCREEN COMMENT (35) COMMENT3. SELECTION-SCREEN POSITION 56. PARAMETERS: INAC RADIOBUTTON GROUP R2. SELECTION-SCREEN END OF LINE. SELECTION-SCREEN BEGIN OF LINE. SELECTION-SCREEN COMMENT (35) COMMENT4. SELECTION-SCREEN POSITION 56. PARAMETERS: NOLOG RADIOBUTTON GROUP R2. SELECTION-SCREEN END OF LINE. SELECTION-SCREEN END OF BLOCK B2. * Choose SAP Version SELECTION-SCREEN BEGIN OF BLOCK B2A WITH FRAME. SELECTION-SCREEN BEGIN OF LINE. SELECTION-SCREEN COMMENT (35) COMMENT7. SELECTION-SCREEN POSITION 56. PARAMETERS: IVER1 RADIOBUTTON GROUP R2A. SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN SELECTION-SCREEN END OF LINE. BEGIN OF LINE. COMMENT (35) COMMENT8. POSITION 56.

PARAMETERS: IVER2 RADIOBUTTON GROUP R2A. SELECTION-SCREEN END OF LINE.

Basis
SELECTION-SCREEN END OF BLOCK B2A. *--- Period input SELECTION-SCREEN BEGIN OF BLOCK B3 WITH FRAME. SELECTION-SCREEN BEGIN OF LINE. SELECTION-SCREEN COMMENT (12) COMMENT5. SELECTION-SCREEN POSITION 16. PARAMETERS: DAYS(3) TYPE N OBLIGATORY DEFAULT '60'. SELECTION-SCREEN COMMENT 21(20) COMMENT6. SELECTION-SCREEN END OF LINE. SELECTION-SCREEN END OF BLOCK B3. *--- Initialize the selection screen INITIALIZATION. COMMENT0 = 'DISPLAY USERS WHO'. COMMENT1 = 'LOCK USERS WHO'. COMMENT2 = 'DELETE USERS WHO'. COMMENT3 = 'LAST LOGGED IN'. COMMENT4 = 'NEVER LOGGED IN AND WERE CREATED'. COMMENT5 = 'AT LEAST'. COMMENT6 = 'DAYS AGO'. COMMENT7 = '4.6x (Tested)'. COMMENT8 = '3.x (not tested)'. START-OF-SELECTION. *--- Data declaration TABLES: USR02. DATA: LAST_DATE TYPE D. DATA: BEGIN OF USERS OCCURS 50, BNAME LIKE USR02-BNAME, TRDAT LIKE USR02-TRDAT, ERDAT LIKE USR02-ERDAT, UFLAG LIKE USR02-UFLAG, END OF USERS. data: begin of bdc_tab occurs 100. include structure bdcdata. data: end of bdc_tab.

10 of 20

*--- Add Selection Option for User Name! SELECT-OPTIONS USERNAME FOR USR02-BNAME OBLIGATORY DEFAULT 'xxName?xx'. *--- Calculate the date LAST_DATE = SY-DATUM. LAST_DATE = LAST_DATE - DAYS. *--- Find the users that fulfill the criterias SELECT * FROM USR02 WHERE USTYP = 'A' AND BNAME IN USERNAME. IF USR02-TRDAT <= LAST_DATE. IF USR02-TRDAT = '00000000' AND NOLOG = 'X'. IF USR02-ERDAT <= LAST_DATE. MOVE-CORRESPONDING USR02 TO USERS. APPEND USERS. ENDIF. ELSEIF USR02-TRDAT <> '00000000' AND INAC = 'X'. MOVE-CORRESPONDING USR02 TO USERS. APPEND USERS. ENDIF. ENDIF.

Basis
ENDSELECT.

11 of 20

*--- Depending on the action: display, lock or delete IF DISP = 'X'. WRITE: / ' USER LAST LOGIN CREATED UFLAG (128=LOCKED)'. SKIP. LOOP AT USERS. WRITE: / USERS-BNAME, USERS-TRDAT, USERS-ERDAT, USERS-UFLAG. ENDLOOP. ELSEIF LOCK = 'X'. WRITE: / 'LOCKED:'. WRITE: / ' USER LAST LOGIN CREATED'. SKIP. LOOP AT USERS. WRITE: / USERS-BNAME, USERS-TRDAT, USERS-ERDAT. SELECT SINGLE * FROM USR02 WHERE BNAME = USERS-BNAME. USR02-UFLAG = '128'. MODIFY USR02. ENDLOOP. ELSE. WRITE: / 'DELETED:'. WRITE: / ' USER LAST LOGIN CREATED'. SKIP. LOOP AT USERS. WRITE: / USERS-BNAME, USERS-TRDAT, USERS-ERDAT. PERFORM USER_DELETE. ENDLOOP. ENDIF. *---------------------------------------------------------------------* * FORM USER_DELETE * *---------------------------------------------------------------------* FORM USER_DELETE. PERFORM BDC_FILL USING 'X' 'SAPMS01J' '0200'. PERFORM BDC_FILL USING ' ' 'BDC_OKCODE' 'DELU'. PERFORM BDC_FILL USING ' ' 'BDC_CURSOR' 'XU200-XUSER'. PERFORM BDC_FILL USING ' ' 'XU200-XUSER' USERS-BNAME. PERFORM BDC_FILL USING 'X' 'SAPLSPO1' '0400'. PERFORM BDC_FILL USING ' ' 'BDC_OKCODE' 'YES'. PERFORM BDC_FILL USING 'X' 'SAPLSPO1' '0100'. PERFORM BDC_FILL USING ' ' 'BDC_OKCODE' 'YES'.

Basis
PERFORM BDC_FILL USING 'X' 'SAPMS01J' '0200'. PERFORM BDC_FILL USING ' ' 'BDC_OKCODE' 'BACK'. PERFORM BDC_FILL USING ' ' 'BDC_CURSOR' 'XU200-XUSER'. PERFORM BDC_FILL USING ' ' 'XU200-XUSER' USERS-BNAME. IF IVER1 = 'X'. call transaction 'OPF0' using bdc_tab mode 'N'. ELSE. call transaction 'SU01' using bdc_tab mode 'N'. ENDIF. ENDFORM. "4.6x "3.x

12 of 20

*---------------------------------------------------------------------* * FORM BDC_FILL * *---------------------------------------------------------------------* FORM BDC_FILL USING P1 P2 P3. clear bdc_tab. if p1 = 'X'. bdc_tab-dynbegin = p1. bdc_tab-program = p2. bdc_tab-dynpro = p3. else. bdc_tab-dynbegin = p1. bdc_tab-fnam = p2. bdc_tab-fval = p3. endif. append bdc_tab. ENDFORM. *--- End of ABAP Program

Basis

13 of 20

Authorization
Authorization, Profiles, Address Transaction RZ10 - EditProfiles Users authorizations/profiles - for management reporting Authorization to only display customizing (SPRO) SAP Authorization, Profiles, Address The R/3 authorization concepts permits the assignment of general or finely detailed user authorizations. These assignments can reach down to the transaction, field and field value level. These authorizations are centrally administered in user master records and most allow the handling of certain R/3 components applicable to specific operations. Actions by a user may required several authorizations. For example, to change a material master record, authorizations are required for the : Transaction change Specific material General authorization to work within the company code RSUSR010 - Transaction Lists According to Selection With User, Profile or Object. List of Transaction codes of the user. RSUSR007 - List Users Whose Address Data is Incomplete The program check for space in the address data field. To print the whole list, tick a field which is always space. (e.g. Room No.) Version 4.6x RSUSR002_ADDRESS - Users by address data In 4.6x you used Role for each users and SAP will generate the necessary profiles and authorizations. PFCG - Basic Maintenance Type in a meaningful ZXXX role name and click Create Menu -> Transaction (insert all the transaction code for this role) Authorization -> Change authorization data -> Generate What is Transaction RZ10- Edit Profiles? If you want to change things like the default Client 000 to 999, rdisp/max_wprun_time (dialog abap program runtime - standard = 300 seconds). choose the instance profile click Extended maintenance click the display or change button look for this parameter name login/system_client Work Processor : rdisp/wp_no_dia rdisp/wp_no_vb rdisp/wp_no_vb2 rdisp/wp_no_enq rdisp/wp_no_btc rdisp/wp_no_spo DialogProcessor UpdateProcessor Update 2 Processor Enquiry Processor BackgroundProcessor Spool Processor

Basis

14 of 20

Users authorizations/profiles - for management reporting

What exactly information does the management want? There are a few approaches you can take. SAP Job Description: For each job (highest level role. composite, etc) we have a description that describes in Business Speak what that job allows a user to do. It avoids as much SAP jargon as possible. Any person from the business could look at the description and get a picture of what that person should be doing on SAP. This is what gets signed off at the highest level and it is the security, functional and internal audit guys that are responsible to ensure that the role meets this spec. Transaction Breakdown: For Internal Audit Management the job is broken down into it's constituent transactions and Internal Audit (and usually Functional Team) will look at this at a high level to ascertain that the required functionality is being met by transactional access. Where sensitive transactions are identified the granular breakdown is used. Granular Breakdown: This is the level at which restrictions are reported. It is here that object level restrictions are documented. Any transactions that are deemed sensitive will have information pertaining to the restrictions included here. In Practice this is all contained within one document, any changes to the roles are contained within this document. A point to make is that by listing transactions to your management team, you will not give them an accurate indication of users access by giving them a list of transactions! If you want to get lists of transactions you can use the following tables. AGR_USERS AGR_TCODES AGR_1252 (Lists Org Levels) AGR_1251 ------------------------------------------------------Comments on Authorisation concept Above all KEEP IT SIMPLE!!!!!! Composites are NOT simple. they require a lot more time to discren what is wrong and which piece must be fixed. and then you have to test EVERY role the component is used in not just the set tied to the user. Base you role on "everything the user must have to do their job", Granted some user have more that one job, but a "Vendor Invoice processor" should be the same all over a centralized company. Further, composites cause the user to load several redundant authorizatons which slows logon time, require you to have a bigger machine than needed, and the list goes on. It would be best you could go one step further and avoid the use of composites.

Basis

15 of 20

1) they lead to users having far more than they need 2) they are not suited to different sites which have big differences in the number of employees but still need to do the same roles - eg in a larger company users' roles are much smaller and vice-versa 3) they are a pain to maintain 4) they do not bring great enough benefits You will realized these things after using and maintaining composites for some period of time. If you have used composites, get rid it. You'll never missed them!

Authorization to only display customizing (SPRO)

Anyone can advise on what profile or role I should assign to my consultants, for them to display the customizing in production? 1. There are no SAP-roles for customizing (update or display). 2. You can create a customizing role in PFCG: in the menu tab utilities/customizing auth; you can use a project IMG (maintainable in SPRO) to restrict the authorizations for example to FI or CO. As the roles can get pretty big it is quite a lot of work to check the authorizations and to limit them if necessary (e.g. only display) and authorizations which certain users (e.g. consultants) do not need. This is important if they have other roles which in combination may allow "unwanted certain things. generated to delete especially access" to

What is basically necessary for customizing display is SM30, S_TABU_DIS for the relevant authorization groups (activity 03) plus if you want to read the tables out of the IMG the relevant S_TCODE-authorizations. Additionally many transactions require various other authorization objects (which are generated out of SU24 - which is not "100% accurate" as SAP states). === We use version 3.1. but there is no posting in any web site suitable for creating IMG All display only profile for Ver 3.1 Can any one please share there knowledge. === The 3.1 version I beleive is a different structure than the higher versions so I am not sure the CUST_ACTOBJ table exists. You will have to debut the IMG to find the source where the tcodes are housed. There are MANY transactions associated with the IMG and S_TABU_DIS is only a part. Version 3.i is VERY difficult to use to get SU24 to load the role so you can make a display IMG. It would be simplet to copy SAP_ALL and change the activities to '03'. === But even in SAP_ALL the customizing for IMG (S_IMG_ACTV) object value is only having Change or nothing..!! There is no option to display... their are few more objects like this. If I dont have any value selected, the profile is not be effective. Nothing can be done. Any more suggestions..

Basis

16 of 20

=== And S_IMG_ACTV means very little. You can configure with or without it and since configuration is tcode driven and accessable anywhere in the system. You have to give S_IMG_ACTV '02', it means little === I beleive you need S_IMG_GENE to actually change the config. We have two roles (4.6C) ... one for display only and one for changing. === Create f.ex a role "CUSTOMIZING" and run the following ABAP. It will bring to your role all SPRO tarnsactions. Then go through the auth objects and change them display only. This way you'll have a display only role. REPORT ZTCODES . tables: cus_actobj, agr_tcodes. data: ica like cus_actobj occurs 1000 with header line, iagrtc like agr_tcodes occurs 4000 with header line. select * from cus_actobj into table ica. sort ica by tcode. delete adjacent duplicates from ica comparing tcode. iagrtc-agr_name = 'CUSTOMIZING'. iagrtc-TYPE = 'TR'. iagrtc-direct = 'X'. loop at ica. iagrtc-tcode = ica-tcode. append iagrtc. endloop. modify agr_tcodes from table iagrtc. Note, there is another table cus_acth as well that you load into your internal table and you need to add a sort tcodes and delete adjacent duplicated. then load to your role.

Locking
Lock Entries - (Mass Users Lock in 4.6x) Users Last Login Locked All the Users in One Client and Log-Off SAP Lock Entries If there is a sudden power failures, some of the users update entries might still be locked. You can check or release the locked entries using transaction SM12. You can check the lock entries of individual users or key an * at the user name to check all the users lock entries. The lock entry list shows you the users who is locking the entry, the time when the lock was initiated, the table that was locked as well as the locked records. If possible, asked the user to logoff first before deleting the locked.entries. For locking individual transactions code,used SM01. Putting a tick at the Locked columns will prevent allusers from using the transactions code.

Basis To lock individual user goto transaction SU01. Click the Lock/Unlock button.

17 of 20

To lock multiple users (ver 4.6x) SU10 - User Maintenance Mass Changes click Address Execute Select all -> untick users you are not changing click Transfer Select users click Lock/Unlock - depending whether you want to Lock or Unlock (Pleasebe careful because once you lock all the users including yourself, youwill not be able to Unlock it.) RSUSR006 - List of UsersMaster Records Locked Due to Incorrect Logon List of all Users Locked SE16 - Data Browser Table -> USR02 Field -> UFLAG <> 0 In 4.6x, you can used the SAP standard lock/unlockprogram EWULKUSR ortransaction EWZ5. For 3.0x, you have to write your own ABAP program.

A sampleABAP program to Mass Lock/Unlock SAP 3.0x users.

Example ABAP Source Code to Mass Lock/Unlock SAP users REPORT ZUSR02 NO STANDARD PAGE HEADING LINE-SIZE 120 LINE-COUNT 90(3). TABLES: USR02, USR03. * XCLASS - User Class * S_CLASS * XBNAME - User Name * S_BNAME * XLOCK - Lock User * XNLOCK - Unlock User * Put an unknown default in case you press the execute button too fast
SELECT-OPTIONS: XCLASS FOR USR02-CLASS DEFAULT 'XXX'. SELECT-OPTIONS: XBNAME FOR USR02-BNAME. SELECTION-SCREEN SKIP. PARAMETERS: XLOCK RADIOBUTTON GROUP X1, XNLOCK RADIOBUTTON GROUP X1 DEFAULT 'X'. SELECTION-SCREEN SKIP. PARAMETERS: S_CLASS RADIOBUTTON GROUP R1, S_BNAME RADIOBUTTON GROUP R1. DATA: WCLASS LIKE USR02-CLASS, WLOCK(6).

Basis
IF XNLOCK = UPDATE USR02 WHERE ELSEIF XLOCK = UPDATE USR02 WHERE AND AND ENDIF. IF S_BNAME = 'X'. PERFORM BNAMERTN. ELSE. PERFORM CLASSRTN. ENDIF. 'X'. SET UFLAG BNAME 'X'. SET UFLAG BNAME = '' IN XBNAME. = ' 64' IN XBNAME

18 of 20

* User not lock (include yours, just in case)

BNAME <> 'SAP*' BNAME <> 'DDIC'.

*---------------------------------------------------------------------* * FORM BNAMERTN * *---------------------------------------------------------------------*

FORM BNAMERTN. SELECT * FROM USR02 WHERE CLASS IN XCLASS ORDER BY BNAME. IF XLOCK = 'X'. CHECK USR02-UFLAG = ' 64'. ENDIF. IF XNLOCK = 'X'. CHECK USR02-UFLAG = ''. ENDIF. IF USR02-UFLAG = '64'. WLOCK = 'Lock'. ELSE. WLOCK = 'Unlock'. ENDIF. SELECT SINGLE * FROM USR03 WHERE BNAME = USR02-BNAME. IF SY-SUBRC EQ 0. WRITE:/001 USR02-CLASS, 016 USR02-BNAME, 031 USR03-NAME1, 064 WLOCK, 071(4) USR03-KOSTL, 078 USR03-ABTLG, 093 USR03-ORT01. ELSE. WRITE:/001 USR02-CLASS, 016 USR02-BNAME, 064 WLOCK. ENDIF. ENDSELECT. ENDFORM.

*---------------------------------------------------------------------* * FORM CLASSRTN * *---------------------------------------------------------------------*

FORM CLASSRTN. SELECT * FROM USR02 WHERE CLASS IN XCLASS ORDER BY CLASS BNAME. IF XLOCK = 'X'. CHECK USR02-UFLAG = ' 64'. ENDIF.

Basis
IF XNLOCK = 'X'. CHECK USR02-UFLAG = ''. ENDIF. IF USR02-UFLAG = '64'. WLOCK = 'Lock'. ELSE. WLOCK = 'Unlock'. ENDIF. SELECT SINGLE * FROM USR03 WHERE BNAME = USR02-BNAME. IF SY-SUBRC EQ 0. WRITE:/001 USR02-CLASS, 016 USR02-BNAME, 031 USR03-NAME1, 064 WLOCK, 071(4) USR03-KOSTL, 078 USR03-ABTLG, 093 USR03-ORT01. ELSE. WRITE:/001 USR02-CLASS, 016 USR02-BNAME, 064 WLOCK. ENDIF. ENDSELECT. ENDFORM. TOP-OF-PAGE. WRITE:/ SY-DATUM,SY-UZEIT, 50 'XXX PTE LTD', 105 'Page', SY-PAGNO. WRITE: / SY-REPID, 'SAP User-IDs'. SKIP. ULINE. WRITE: /001 'User Group', 016 'User-ID', 031 'Name', 064 'Sts', 071 'SBU', 078 'Dept', 093 'Location'. ULINE.

19 of 20

Which table can you find the Users Last Login? At some point of time, you may want to find out whether an user id have been inactive or not. You can reference to their last login date with the table USR02 4.6x You can check the users last logon to SAP from :SE16N - Table USR02 Last login is TRDAT - Last logon date LTIME - Last logon time

Basis

20 of 20

Locked All the Users in One Client and Log-Off

Tips by: Arif Ahmed I locked all the users in one client and log-off from sap. Now, how can I connect to sap? I never face the same situation but following may be a soluton: If the system has been locked using TP.exe then open it with following steps . 1. login as <SID>adm os user 2. open a command prompt 3.run following command -> tp.exe unlocksys <SAPSID> pf=<transport profile> else You can connect using sap* user. First Check that following parameter values shold be 1. login/no_automatic_user_sapstar should be 0. 2. Login/failed_user_auto_unlock should be 1. You can check/add both parameters at OS level checking profiles files. Restart the system if you made any changes . Then login into SAP System as <SID>adm user and open a SQL prompt . Execute following sql update command: alter table sap<SID>.usr02 set bname='sap**' where bname='sap*' and MANDT='<CLIENT>' ; commit; then you can login as <client> ,sap*,pass into your system and unlocked all user PS: As far as I know both command will not harm system if execuated in a proper way.