Basis Note Basis Note

8/20/2019 Basis Note Basis Note

1/54

User AdministrationCreating a SAP Account / User Creation in SAP (SU01)

Step 1

To create an SAP user you should run transaction SU01 or Tools-> Administration->Maintain

Users-> Users. Then enter a user name for the user you want to create.When creating a user remem!er that that user only e"ists in that client. #f you want a user toha$e access to another client you must create the user in that client.When you create a new user that user has $arious ty%es of information associated with it.

Step 2

&ntering a %assword.The first field that you edit in a new User Master 'ecord is the %assword field. (ou must add a %assword for a new user. To %rotect against ty%ing errors you must enter the %assword twice.SAP user %asswords ha$e $arious %ro%erties.SAP %asswords )

are case-sensiti$emust !e at least three characters long. ha$e a ma"imum length of eight charactersmay contain any characters which can !e in%ut from the *ey!oard. This includes digits s%acesand %unctuation mar*scannot !egin with a +uestion mar* or e"clamation mar*may not contain s%aces within the minimum length. This is normally the first three charactersmay not !egin with three identical charactersmay not !e PASS or SAP,may not !e used if its use has !een for!iddenmay not start with a se+uence of three characters which a%%ears in the user name

When the user logs on for the first time he or she must enter a new %assword.When a user changes his or her %assword the new %assword must !e different to each of thatusers last fi$e %asswords.

Step 3 (Optional)

User Group

A user grou% is the name of the grou% User Master 'ecords to which this user is assigned.#f you %lan to di$ide maintenance of User Master 'ecords among user administrators then youmust assign the user to a user grou%. #f a user is assigned to a user grou% then only anadministrator who is authoried for the user grou% can maintain the user.A User Master 'ecord that is not assigned to a user grou% can !e altered !y any user

administrator.


2/54

Step 4 (Optional )

Account alidit! and Account "um#erThe account $alid dates are the dates during which this account is $alid. #f you do not enter anyinformation in these fields your account will !e $alid immediately and ne$er e"%ire.

Account num!er) &nter a freely-selecta!le account name or num!er. The user/s system usage isassigned to this account if you are using the SAP accounting system. The account name ornum!er may !e uni+ue to each user or can !e shared among grou%s of users.

SAP recommends entering a user/s cost center or com%any code as the account num!er.#f you are using the accounting system then you should always enter an account name ornum!er. therwise the user/s usage will !e assigned to a collecti$e 2o account category !y

the accounting system.

http://1.bp.blogspot.com/-B89KvHWyrKs/UcwTmDj7o1I/AAAAAAAAAV0/6oe3lxl7qIo/s1600/3.JPGhttp://1.bp.blogspot.com/-B89KvHWyrKs/UcwTmDj7o1I/AAAAAAAAAV0/6oe3lxl7qIo/s1600/3.JPG


3/54

Step $ (Optional)

User t!pe

%ialogA normal dialog user is used !y e"actly one %erson for all logon ty%es.3ialog logons are chec*ed for o!solete4initial %asswords which must !e changed.Multi%le dialog logons are chec*ed and logged.

S!stem

Use the user ty%e System for dialog-free communication within one system. 5for '67 or 7P#7ser$ice users8 or for !ac*ground %rocessing in one system.3ialog logon is not %ossi!le.A user of this ty%e is e"cluded from the standard settings for %assword $alidity %eriod. The %assword can only !e changed !y user administrators or in transaction Su01 5Goto -> Change

Password 8Communication Use the user ty%e Communication for dialog-free communication !etween systems 5for '67 or7P#7 ser$ice users of different a%%lications for e"am%le A9& Wor*flow TMS :;


4/54

A user of ty%e Service is a dialog user a$aila!le to a large anonymous set of users. #t usually hasclosely-restricted authoriations.Ser$ice users are e.g. used for anonymous system access $ia an #TS ser$ice. (ou can change asession which !egan as an anonymous session with a ser$ice user into a %ersonal session under adialog user with an indi$idual authentication.

There is no chec* for o!solete4initial %asswords at logon. nly the user administrator can changethe %assword.Multi%le logon is allowed.

'eerence

A Reference user is a general im%ersonal user li*e the Ser$ice user. (ou cannot logon with a'eference user. The 'eference user is to gi$e #nternet users identical authoriations.(ou can s%ecify a 'eference user for additional dialog user authoriations in the 'oles ta!. Thea%%lication generally controls the assignment of 'eference users. The name of the 'eferenceuser can !e assigned in $aria!les which should !egin with =. The assignment $aria!le-'eference user is made in the transaction SU'&6US&'


5/54

Step , (Optional )

A field can !e filled with %ro%osed $alues from SAP memory using a %arameter #3.&"am%le

A user only has authoriation for com%any code 001. This com%any code is stored in memory atthe !eginning of a transaction under the corres%onding %arameter #3. 6ields that refer to the dataelement are automatically filled with the $alue 001 in all su!se+uent screen tem%lates.3e%endenciesA field in the screen tem%late is only filled automatically with the $alue stored under the %arameter #3 of the data element if this was e"%licitly %ermitted in the Screen Painter.

http://4.bp.blogspot.com/-IEq4fiDsJv4/UcwTnyxpZLI/AAAAAAAAAWU/nQFArfLyHOY/s1600/7.JPGhttp://4.bp.blogspot.com/-IEq4fiDsJv4/UcwTnyxpZLI/AAAAAAAAAWU/nQFArfLyHOY/s1600/7.JPG


6/54

Step -The SAP standard contains more than 1?00 %redefined single roles from all a%%lication areas.#f you assign a %redefined role to a user he or she is automatically gi$en the user menu re+uiredfor his or her daily wor* and the authoriations re+uired for it when he or she logs on to the SAPSystem.@e or she can also define his or her %ersonal 6a$orites from the functions assigned to him or her.The user calls transactions %rograms or internet4intranet a%%lications from the 6a$orites or the o! structure tree.;efore you start to create your own roles for your staff chec* whether the roles deli$ered !ySAP can !e used for the o! descri%tions in your com%any.

Step 10

http://3.bp.blogspot.com/-H2J8F1Ok1lc/UcwToe36O9I/AAAAAAAAAWc/07Xt9OZlnzA/s1600/8.JPGhttp://3.bp.blogspot.com/-H2J8F1Ok1lc/UcwToe36O9I/AAAAAAAAAWc/07Xt9OZlnzA/s1600/8.JPG


7/54

User Proiles

The !ottom row of the Maintain User screen contains fields for entering the names of %rofileswhich can !e associated with the user. We will discuss how to add user %rofiles in a latercha%ter.

The SAP System contains %redefined %rofiles)SAPA99) assign the %rofile SAPA99 to users who are to ha$e all '4B authoriationsincluding su%er user authoriation.SAP2&W) assign this %rofile to users who are to ha$e access to all not yet %rotectedcom%onents.

Ste% 11 5%tional8

A User grou% is a logical grou%ing of usersThe %ur%ose of a user grou%s is to )a.Pro$ide administrati$e grou%s for users so they can !e managed in these grou%s. !.A%%ly SecurityCc.7reate the grou% DTrminE for terminated users. 9oc* all users in this grou%.

http://4.bp.blogspot.com/-ltGJwJrSq9M/UcwTk0YwP-I/AAAAAAAAAVk/PPNsSlZZTE4/s1600/10.JPG


8/54

User 7reation 7om%lete

@ow to 7hange4 3elete4 9oc*4 Unloc*4 7o%y SAP Account F @ow to 7hange Password f SAPAccount

C.anging SAP Account (SU01)

3eleting SAP Account 5SU018

9oc*ing4Unloc*ing SAP Account 5SU018

&nter an e"isting user name and choose oc!"Unloc! to grant or deny a user access to a system.9oc*ing or unloc*ing a user master record ta*es effect the ne"t time a user attem%ts to log on.Users who are logged on at the time that changes are made are not affected.The system automatically loc*s users if twel$e successi$e unsuccessful attem%ts are made to log

on. The loc* is recorded in the system log along with the terminal #3 of the machine where thelogon attem%t too* %lace.(ou can set the num!er of %ermissi!le unsuccessful logon attem%ts in a system %rofile %arameter.This automatic loc* is released !y the system at midnight. (ou can also remo$e the loc*manually !efore this time. 9oc*s that you s%ecifically set yourself a%%ly indefinitely until yourelease them.

http://www.blogger.com/blogger.g?blogID=6368647001073762328#editor/target=post;postID=9207410106485534534;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=postnamehttp://2.bp.blogspot.com/-MHUIhCL7bB0/UcwTkVlr9YI/AAAAAAAAAVc/ZVfuKdJdxPo/s1600/11.JPGhttp://www.blogger.com/blogger.g?blogID=6368647001073762328#editor/target=post;postID=9207410106485534534;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=postnamehttp://www.blogger.com/blogger.g?blogID=6368647001073762328#editor/target=post;postID=9207410106485534534;onPublishedMenu=allposts;onClosedMenu=allposts;postNum=0;src=postname


9/54

7hanging Password of SAP Account

&nter the user name and choose Change password .This new %assword must fulfill the standard conditions regarding %ermissi!le %asswords.The new %assword is effecti$e immediately. #f users forget their %assword they can use the new

one as soon as it has !een set.Users may change their %asswords no more than once a day. System administrators on the otherhand may change user %asswords as often as necessary. 7o%ying an e"isting user 5SU018

7hoose Copy. &nter the name of a reference user and the new user name.(ou can s%ecify whether you want to co%y only some of the user data or all of it. n thefollowing screen you can edit the new user master record as re+uired.(ou can also rename user master records if you sim%ly want to re%lace one record with anidentical one of a different name.

@ow to creat User Grou% #2 SAP 5 SUG' 8

Transaction code SUG' is used to create and maintain user grou%s in SAP system. The usergrou%s commonly used to to categorie user into a common denominator sort users into logicalgrou%s and allow segregation of user maintenance this is es%ecially useful in a largeorganiation. User grou%s can categoried as two ty%esH Authoriation user grou% ) #n conunction with SUS&'G'UP authoriation o!ect. #tallows to create security management authoriation !y user grou%. e.g. you can ha$e a localsecurity administrator only a!le to manage users in his grou%s @el%-3es* to reset %assword for

all users e"ce%t users in some grou%.H General user grou% ) #n conunction with SU#M and SU10 to select all the users in a s%ecificgrou%. User can only !e mem!er of one authoriation user grou% !ut se$eral general user grou%.

enter the name of 2ew User Grou% in SUG' and clic* on create

then enter to user id of %eo%le which you want to add in grou%

Single 'ole Creation n SAP (PCG)

'O role means set of transactions

1. Go to Tcode P67G?. &nter 2ew 'ole 2ame you want to createB. 7lic* 'ole !utton


10/54

I. 3escri!e the 'ole in 3escri%tion field

J. 7lic* Menu ta!

K. 7lic* Transaction !utton to add Tcode

L. 7lic*. 7lic* Authoriations ta!

http://3.bp.blogspot.com/__YcYcKOWRr8/R1KTRjAg3wI/AAAAAAAABng/yYBiiP7hqXM/s1600-R/assign+tcode.jpghttp://1.bp.blogspot.com/__YcYcKOWRr8/R1KPcDAg3rI/AAAAAAAABm4/H1K10sHr0G4/s1600-R/role6.jpghttp://4.bp.blogspot.com/__YcYcKOWRr8/R1KPUzAg3qI/AAAAAAAABmw/s6dimlIEFRI/s1600-R/role5.jpghttp://1.bp.blogspot.com/__YcYcKOWRr8/R1KSVDAg3vI/AAAAAAAABnY/7TKh5PnP6Sc/s1600-R/4+role.jpghttp://3.bp.blogspot.com/__YcYcKOWRr8/R1KPijAg3sI/AAAAAAAABnA/b_3WnE5rKNU/s1600-R/role2.jpg


11/54

N. 7lic* %encil !utton to change authoriation

10. Put rg element $alue11. Sa$e

1?. 6ill in the missing authoriation

http://2.bp.blogspot.com/__YcYcKOWRr8/R1KXhTAg3xI/AAAAAAAABno/e3sD4sVBB0U/s1600-R/full+role.JPGhttp://4.bp.blogspot.com/__YcYcKOWRr8/R1KaBzAg3zI/AAAAAAAABn4/Y-obVXLWoyE/s1600-R/blank+role.jpghttp://2.bp.blogspot.com/__YcYcKOWRr8/R1KO7TAg3mI/AAAAAAAABmQ/eqPxWubfQck/s1600-R/role7.jpghttp://2.bp.blogspot.com/__YcYcKOWRr8/R1KPOTAg3pI/AAAAAAAABmo/4zX3pXMcSKk/s1600-R/role5c.JPG


12/54

1B. #f We wish to gi$e full authoriation to this role @it the chec* !utton

This is the current ;7A !ect class

And this is the whole roles list

1I. Sa$e the role.1J &nter %rofile name.

#we can get auto generated profile name from system if we leave it blan!$%

http://3.bp.blogspot.com/__YcYcKOWRr8/R1Kc6jAg31I/AAAAAAAABoI/5C4UeqL-VN0/s1600-R/role11.jpghttp://1.bp.blogspot.com/__YcYcKOWRr8/R1KOpDAg3kI/AAAAAAAABmA/AGfAdKBSssg/s1600-R/role10.jpghttp://4.bp.blogspot.com/__YcYcKOWRr8/R1KO0zAg3lI/AAAAAAAABmI/DPEztEMR7fY/s1600-R/role9.jpghttp://4.bp.blogspot.com/__YcYcKOWRr8/R1KZGzAg3yI/AAAAAAAABnw/Lr9odtDOKsg/s1600-R/role8a.jpg


13/54

1K. Generate for authoriation1L. 7lic* user ta! to assign role to rele$ant users

1. 7lic* to ma*e com%arison of users

Composite role creation in SAP (PCG)

Composite role) A grou% of one or more roles for administrati$e %ur%ose is refereed ascom%osite role.

http://1.bp.blogspot.com/__YcYcKOWRr8/R1KP8DAg3uI/AAAAAAAABnQ/_Capmz1Tqxw/s1600-R/rolecpmapre.jpghttp://2.bp.blogspot.com/__YcYcKOWRr8/R1KPITAg3oI/AAAAAAAABmg/5KX5A76rTqo/s1600-R/role5d.jpghttp://2.bp.blogspot.com/__YcYcKOWRr8/R1Kd2TAg32I/AAAAAAAABoQ/7bpmGOHYu9w/s1600-R/role13.jpg


14/54

Ste% 1- go to P67G

Ste% ?

enter com%osite role name and then clic* on com% role

http://1.bp.blogspot.com/-1bBGg9_tOKc/T3w9NLyjzOI/AAAAAAAAABY/CEGnkWUcT1M/s1600/comp1.png


15/54

Ste% B

S%ecify the descri%tion

#n com%osite role it doesn/t contain authoriations ta!.it is nothing !ut grou% of one or moreroles.

http://1.bp.blogspot.com/-AK5datlCHUg/T3w9apyHEqI/AAAAAAAAABg/_Li6zve2IVE/s1600/comp2.png


16/54

http://2.bp.blogspot.com/-PUJjJzt2n2c/T3w9dwyt8jI/AAAAAAAAABo/xJH27Lv_O_k/s1600/comp3.png


17/54

Ste%IS%ecify the roles


18/54

http://2.bp.blogspot.com/-vXlDOwrtPNE/T3w9hmDaUUI/AAAAAAAAABw/FPbsFslTu_A/s1600/comp4.png


19/54

Ste% J7lic* on 'ead menu ta!.when you clic* on this read menu ta! then it will fetch authoriationsfrom the single roles.


20/54

http://1.bp.blogspot.com/-hLHWlDNozKo/T3w-nH3OuUI/AAAAAAAAACQ/3vpqkidUJI4/s1600/comp6.png


21/54

Ste% K

2ow in user ta! enter user id of %eo%le which want this newly created com%osite role

then clic* on User 7om%arison

then sa$e your com%osite role

com%osite role is created

http://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.pnghttp://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.png


22/54

@ow to 3ownload4U%load 'oles from P67G in SAP

http://4.bp.blogspot.com/-mSTkixamhZs/T3w-gVGKXRI/AAAAAAAAACI/mX63hYwwHGg/s1600/comp5.png


23/54

3ownload 'ole Authoriation from P67G

1.Goto P67G?.&nter role name5 which you want to download8B.7lic* on 'ole F 7lic* on 3ownload

@ow to 7lose 4 Terminate a user session in SAP 5SM0I8#n most im%lementations a client can close his own sessions. This is es%ecially hel%ful whendealing with %ro!lematic transactions or '67s that hang and do not release the session.

G to SM0I then user list will a%%ear 3ou!le-clic*ing on the User will !ring u% the sessions hehas o%en. To close a session select it and then clic* the &nd Session !utton.

http://2.bp.blogspot.com/_kjSn7oWph-M/TCwa80SUjmI/AAAAAAAABIs/bQzUXYrBb0o/s1600/Untitled.jpg


24/54

or

Sometimes there will !e a re+uirement to terminate a user session.6or e"am%le) An user has run a re%ort or %rogram with ina%%ro%riate selection criteria which

leads wor* %rocess going to P'#< mode occu%ying so much memory im%acting %erformance ofthe system. #n those cases you will ha$e to chec* with the user and terminate his session orlogoff user system wide if he is no longer wor*ing.


25/54

http://lh3.ggpht.com/_kjSn7oWph-M/TCwZMINGKiI/AAAAAAAABH8/qyI0RQsMC2I/s1600-h/clip_image004%5B4%5D.jpg


26/54

U%load 'ole Authoriation from P67G

1.Goto P67G?.&nter role name5 which you want to u%load8B.7lic* on 'ole F 7lic* on U%load

http://lh3.ggpht.com/_kjSn7oWph-M/TCwZWJki7ZI/AAAAAAAABIE/R6xdxAn5Tw0/s1600-h/clip_image006%5B4%5D.jpg


27/54

http://lh6.ggpht.com/_kjSn7oWph-M/TCwZrrOX5aI/AAAAAAAABIU/gBNr1Moftug/s1600-h/clip_image010%5B4%5D.jpghttp://lh6.ggpht.com/_kjSn7oWph-M/TCwZhTgQvAI/AAAAAAAABIM/BnzGFjbUu_c/s1600-h/clip_image008%5B4%5D.jpg


28/54

http://lh4.ggpht.com/_kjSn7oWph-M/TCwZ1rMtKBI/AAAAAAAABIc/ABzn0nRYiXA/s1600-h/clip_image012%5B4%5D.jpg


29/54

2e"t acti$ity for generate role and assign to user or role

@ow to send %o%u% 4 indi$idual message to a s%ecific user in SAP 5 S&BL 8There is a $ery interesting function module with the hel% of which you can send the %o% u%messages to the users4friends who are logged into the SAP system.The interesting function module name is [email protected] this you and your friend should !e logged on into the SAP system and you must *now theSAP user id of your friend to whom you are going to send the message.

ST&PS )

1. Go to transaction S&BL and enter the function module name T@PPUP.

?. Pass the client user name and the message which you want to send and e"ecute the functionmodule.

http://lh4.ggpht.com/_kjSn7oWph-M/TCwZ_-cALuI/AAAAAAAABIk/PpYY8woRNj4/s1600-h/clip_image014%5B4%5D.jpg


30/54

ut%ut )The %o% u% will a%%ear to the user4friends SAP system

2ote - if user has logged on multi%le systems then the message will !e sent to multi%le systems.

@ow to %ost system message in SAP 5 SM0? 8

@ow to 7lose 4 Terminate a user session in SAP 5SM0I8#n most im%lementations a client can close his own sessions. This is es%ecially hel%ful whendealing with %ro!lematic transactions or '67s that hang and do not release the session.

G to SM0I then user list will a%%ear 3ou!le-clic*ing on the User will !ring u% the sessions hehas o%en. To close a session select it and then clic* the &nd Session !utton.

http://sapbasiskapilpatil.blogspot.in/2013/06/how-to-post-system-message-in-sap.htmlhttp://www.blogger.com/nullhttp://sapbasiskapilpatil.blogspot.in/2013/06/how-to-post-system-message-in-sap.html


31/54

or

Sometimes there will !e a re+uirement to terminate a user session.6or e"am%le) An user has run a re%ort or %rogram with ina%%ro%riate selection criteria which

leads wor* %rocess going to P'#< mode occu%ying so much memory im%acting %erformance ofthe system. #n those cases you will ha$e to chec* with the user and terminate his session orlogoff user system wide if he is no longer wor*ing.

@ow To Protect S%ecial Users #n SAP3efault Passwords for S%ecial UsersUser 3escri%tion 7lient 3efault Password

SAP, SAP 2et Wea$er AS system su%er user 000 001 all newclients@ard-coded %assword isPASS.

33#7 A;AP dictionary and software

logistics su%er user

000 001 Master %assword set during

installation.&A'9(WAT7@ 3ialog user for the &arly Watchser$ice in client 0KK 0KK

Master %assword set duringinstallation.

SAP7P#7 User for remote connections to legacySAP systems 5I.J8000 001 all newclients A3M#2

TMSA3M User for trans%ort management system5TMS8 000Master %assword set duringinstallation.


32/54

Since a!o$e users ha$e standard names and %asswords you must secure them againstunauthoried use !y outsiders who *now of their e"istence.

@ow to %rotect SAP,#t is not %ossi!le to delete the SAP, user. The suggested measure is to create a new su%er-useraccount with a com%le" %assword and deacti$atethe SAP, default account.This can !e done !y acti$ating the %rofile %arameter login"no&automatic&user&sap' orlogin"no&automatic&user&sapstar .&$en though the SAP, account is !eing deacti$ated the default %assword for this account must !e changed.

@ow to %rotect 33#7As for the 33#7 user this account cannot !e deleted or deacti$ated either. And therefore the !est %rotection is to change its default %assword.

@ow to %rotect &A'9(WAT7@The &A'9(WAT7@ account is used s%ecifically for the &arly Watch ser$ice and its %asswordmust !e changed and the account loc*ed out. #t should !e unloc*ed when re+uired and re-loc*ed after use.

@ow to %rotect SAP7P#7The SAP7P#7 user can !e either disa!le or its default %assword can !e changed. &ither method

in$ol$es disa!ling certain functionality. Therefore this is an organiation-s%ecific issue wherethe functionality re+uired will decide which method is !est.

Profile Parameters for 9ogon and Password 59ogin Parameters8Parameter &"%lanationlogin4min%asswordlng 3efines the minimum length of the

%assword.3efault $alue) B %ermissi!le $alues) B Q

login4min%assworddigits 3efines the minimum num!er of digits 50-N8 in %asswords.

3efault $alue) 0 %ermissi!le $alues) 0 Q A$aila!le as of SAP We! AS K.10login4min%asswordletters 3efines the minimum num!er of letters 5A-

:8 in %asswords.3efault $alue) 0 %ermissi!le $alues) 0 Q A$aila!le as of SAP We! AS K.10

login4min%asswords%ecials 3efines the minimum num!er of s%ecialcharacters in the %assword Permissi!le


33/54

s%ecial characters are =RF458/,VX-.)YZ[\]^>_ and s%ace3efault $alue) 0 %ermissi!le $alues) 0 Q A$aila!le as of SAP We! AS K.10

login4%asswordcharset This %arameter defines the characters of

which a %assword can consist.Permissi!le $alues)C 0 5restricti$e8) The %assword can onlyconsist of digits letters and the following5AS7##8 s%ecial characters )` =RF458/,VX-.)YZ[\]̂ >b and s%aceC 1 5!ac*ward com%ati!le default$alue8) The %assword can consist of anycharacters including national s%ecialcharacters 5such as from #S 9atin-1 JN-18. @owe$er all characters that are

not contained in the set a!o$e 5for $alue 08 are ma%%ed to the same s%ecialcharacter and the system therefore does notdifferentiate !etween them.C ? 5not !ac*ward com%ati!le8) The %assword can consist of any characters. #t iscon$erted internally into the Unicodeformat UT6-. #f your system does notsu%%ort Unicode you may not !e a!le toenter all characters on the logon screen.This restriction is limited !y the code %age

s%ecified !y the system language.

With login4%asswordcharset ? %asswords are stored in a format thatsystems with older *ernels cannot inter%ret.(ou must therefore only set the %rofile %arameter to the $alue ? after you ha$eensured that all systems in$ol$ed su%%ortthe new %assword coding.A$aila!le in the standard system as of SAPWe! AS K.I0.

login4min%assworddiff 3efines the minimum num!er of charactersthat must !e different in the new %asswordcom%ared to the old %assword.3efault $alue) 1 %ermissi!le $alues) 1 Q A$aila!le as of SAP We! AS K.10

login4%assworde"%irationtime 3efines the $alidity %eriod of %asswords indays.3efault $alue) 0 %ermissi!le $alues) any


34/54

numerical $aluelogin4%asswordchangeforSS #f the user logs on with Single Sign-n

chec*s whether the user must change his or her %assword.A$aila!le as of SAP We! AS K.10 as of

SAP ;asis I.K !y Su%%ort Pac*agelogin4disa!le%asswordlogon 7ontrols the deacti$ation of %assword- !ased logonThis means that the user can no longer logon using a %assword !ut only with SingleSign-n $ariants 5.J0N certificate logontic*et8. More information) 9ogon 3ata Ta!PageA$aila!le as of SAP We! AS K.10 as ofSAP ;asis I.K !y Su%%ort Pac*age

login4%asswordlogonusergrou% 7ontrols the deacti$ation of %assword-

!ased logon for user grou%sA$aila!le as of SAP We! AS K.10 as ofSAP ;asis I.K !y Su%%ort Pac*age

Multi%le 9ogonParameter &"%lanationlogin4disa!lemultiguilogin 7ontrols the deacti$ation of multi%le dialog

logonsA$aila!le as of SAP ;asis I.K

login4multiloginusers 9ist of e"ce%ted users that is the users thatare %ermitted to log on to the system morethan once.

A$aila!le as of SAP ;asis I.K#ncorrect 9ogonParameter &"%lanationlogin4failstosessionend 3efines the num!er of unsuccessful logon

attem%ts !efore the system does not allowany more logon attem%ts. The %arameter isto !e set to a $alue lower than the $alue of %arameter login4failstouserloc*.3efault $alue) B %ermissi!le $alues) 1 -NN

login4failstouserloc* 3efines the num!er of unsuccessful logonattem%ts !efore the system loc*s the user.

;y default the loc* a%%lies until midnight.3efault $alue) 1? %ermissi!le $alues) 1 -NNlogin4faileduserautounloc* 3efines whether user loc*s due to

unsuccessful logon attem%ts should !eautomatically remo$ed at midnight.3efault $alue) 1 59oc* a%%lies only onsame day8 %ermissi!le $alues) 0 1

#nitial Password) 9imited


35/54

Parameter &"%lanationlogin4%asswordma"new$alid 3efines the $alidity %eriod of %asswords

for newly created users.A$aila!le as of SAP We! AS K.10 as ofSAP ;asis I.K !y Su%%ort Pac*age

login4%asswordma"reset$alid 3efines the $alidity %eriod of reset %asswords.A$aila!le as of SAP We! AS K.10 as ofSAP ;asis I.K !y Su%%ort Pac*age

SS 9ogon Tic*etParameter &"%lanationlogin4acce%tsso?tic*et Allows or loc*s the logon using SS tic*et.

A$aila!le as of SAP ;asis I.K3 as of SAP;asis I.0 !y Su%%ort Pac*age

login4createsso?tic*et Allows the creation of SS tic*ets.A$aila!le as of SAP ;asis I.K3

login4tic*ete"%irationtime 3efines the $alidity %eriod of an SStic*et.A$aila!le as of SAP ;asis I.K3

login4tic*etonly!yhtt%s The logon tic*et is only transferred [email protected]$aila!le as of SAP ;asis I.K3

login4tic*etonlytohost When logging on o$er @TTP5S8 sends thetic*et only to the ser$er that created thetic*et.A$aila!le as of SAP ;asis I.K3

ther 9ogin Parameters

Parameter &"%lanationlogin4disa!lec%ic 'efuse in!ound connections of ty%e 7P#7login4noautomaticusersa%star 7ontrols the emergency user SAP, 5SAP

2otes ?BB and K0I8login4systemclient S%ecifies the default client. This client is

automatically filled in on the system logonscreen. Users can ty%e in a different client.

login4u%datelogontimestam% S%ecifies the e"actness of the logontimestam%.A$aila!le as of SAP ;asis I.K

ther User Parameters

Parameter &"%lanationrdis%4guiautologout 3efines the ma"imum idle time for a user

in seconds 5a%%lies only for SAP GU#connections8.3efault $alue) 0 5no restriction8 %ermissi!le $alues) any numerical $alue


36/54

@W T 3#SA;9& P67G T'A2SP'T ;UTT2 #2 SAP 5 S@30 8

Tcode S@30&nter the follow

B. ;utton is in$isi!le due to this $ariant. 3eacti$ated this $ariant and trans%ort !utton will $isi!leagain

http://4.bp.blogspot.com/-Wq0Gu_LkNa0/UgneyuMeNhI/AAAAAAAAAXI/7_0eCD4CQaw/s1600/Capture1.PNG


37/54

%ierence et5een SAP6A and SAP6"7

What is the difference !etween SAPA99 and SAP2&W

3efinition of SAP2&W)-SAP2&W is a SAP standard Profile which is usually assigned to system users tem%orarilyduring an u%grade to ensure that the acti$ities and o%erations of SAP users is not hinderedduring the U%grade. #t contains all the necessary o!ects and transactions for the users tocontinue their wor* during the u%grade. #t should !e withdrawn once all u%grade acti$ities iscom%leted and re%laced with the now modified 'oles as it has e"tensi$e authoriations thanre+uired.

3efinition of SAPA99)-SAPA99 is a SAP standard %rofile which is used on need !asis to resol$e %articular issueswhich may arise during the usage of SAP. #t is used !y Administrators43e$elo%ers only and is

a%%lied on a need to use !asis then withdrawn. #t contains all SAP system o!ects andTransactions. SAPA99 is $ery critical and only SAP, contains SAPA99 attached to it in the %roduction system. 2o other dialog users ha$e SAPA99 attached to them.

SAP2&W is used in the Production en$ironment during a $ersion u%grade whereas SAPA99shouldn/t !e or not allowed !e used in Production 5for audit %ur%oses o!$iously8 e"ce%t wherenecessary in a controlled manner with all %ro%er a%%ro$als from the customer.

http://4.bp.blogspot.com/-nfNY_vnTIgI/Ugne55e8E4I/AAAAAAAAAXQ/8nhIrCAWqlw/s1600/Capture2.PNG


38/54

8o5 to conigure ogon groups in SAP ( S9G )

9ogon Grou%s)

9ogon grou%s 5or wor* grou%s8 are configured to dynamically distri!ute the load !eing

%rocessed !y the dialog wor* %rocesses.#n many cases SAP systems will ha$e ? or more sa% a!a% instances. #n these cases logon grou%scan !e configured to achie$e dynamic distri!ution of dialog users on the A;AP instances.

A re%ort runs in SAP e$ery Jminutes which determines the load across each ser$er and u%datesin the memory area of the message ser$er.

ther criteria)

9ogon grou%s according to SAP a%%lication 4 module) Se%arate logon grou%s can !e setu% fora%%lications4modules such as @' 6#47 S3 MM etc. #t means @' module users will !erestricted to logon to identified instances similarly other module users are allowed to login totheir res%ecti$e identified instances. The ad$antages of this method is only the %rograms of theres%ecti$e module are loaded into the %rogram !uffer of the %articular instances of that logongrou%. 3ue to this %rogram !uffer re+uires less memory and this hel%s to a$oid !ufferdis%lacements thus im%ro$ing system %erformance.

9ogon grou%s according to language country or com%any di$ision)

#f your SAP system is o%erating across multi%le countries or languages in that case it is good

idea to create logon grou%s s%ecific to a country or language. ;y this way the data and te"trelated to s%ecific country or language will !e loaded into the !uffers of the res%ecti$e instances.

This minimies !uffer dis%lacements and im%ro$es system %erformance. Also less memory isre+uired for the ta!le !uffer.

9ogon grou%s for certain user grou%s)

i8 We can setu% se%arate logon grou%s for some de%artment li*e sales whose wor* is %erformance critical. 6or that logon grou%s we assign instances which o%erates with high le$elof %erformance 5e.g) high s%eed %rocessors less users %er ser$er no !ac*ground or u%date

wor*%rocesses configured or a dedicated networ* etc8ii8 Some de%artment users may ta*e time-consuming re%orts in dialog mode. 6or thesety%e of users you may ha$e to create se%arate logon grou% and assign an sa% instance where %rofile %arameter rdis%4ma"w%runtime is set to $ery high#n this way we can se%arate %erformance critical4resource intensi$e a%%lications from others.

9ogon grou%s for the SAP We! 3is%atcher)


39/54

6or direct A;AP we! ser$ice re+uests we can setu% logon grou%s that the SAP We! 3is%atchercan use. #f logon grou%s are not configured for we! dis%atcher the load is distri!uted to allA;AP instances on which #7M is configured. Also !ased on U'9s we can distri!ute certaingrou% of re+uests to dedicated logon grou%s.

9ogon grou%s for A9&4'67)

Asynchronous '67s are used to %rocess in %arallel. @owe$er if the %arallel %rocesses are notlimited %ro%erly they can occu%y all the a$aila!le %rocesses which im%acts dialog users and can !ring down the a%%lication. So it is good idea to create se%arate logon grou%s for incoming '67calls so that '67s are *e%t se%arate from wor*%rocesses of online users and thus a$oids im%actto dialog users.

Guide lines)

After assigning instances to logon grou%si8 We need to $erify whether the instances of logon grou%s are e$enly distri!uted or not.

ii8 #f an instance hangs or tem%orarily got disconnected you should !e a!le to redistri!utethe usersSo you need to setu% at least ? sa% instances for each logon grou%.

iii8 Setting u% logon grou%s in$ol$es e"tra administration and monitoring. Sounnecessarily large num!er of logon grou%s shouldnt !e setu%

@ow to setu% logon grou%s

SM9G transaction code is used for creating logon grou%s.

9ogon to SAP system and goto SM9G transaction as shown !elow)

http://1.bp.blogspot.com/-sKSgJJc_bGU/UlwKvEQTW2I/AAAAAAAAAqc/JTIbosGDR9I/s1600/capture1.PNG


40/54

#n the a!o$e e"am%le there are ? instances 500 and 0N8 in this SAP system. These are not yetassigned to any logon grou%.

We can create a new logon grou% !y clic*ing on highlighted create icon on the a!o$e screen. #tresults in !elow screen.

http://2.bp.blogspot.com/-rW4XdWNx0H8/UlwKxlWNp8I/AAAAAAAAAqk/Z3GPG6OO9ag/s1600/Capture2.PNG


41/54

#n the a!o$e screen either select logon grou% from dro%down or %ro$ide its name if you arenewly creating. After that assign instance for that logon grou% and clic* on co%y to sa$e theassignment.

#n this e"am%le iam creating two logon grou%s hr and fico and assigning instances 00 and 0Nres%ecti$ely. Please find !elow screenshots which e"%lains the same.


42/54

http://4.bp.blogspot.com/-0O5J3AqoV3M/UlwK0PHiKbI/AAAAAAAAAqs/ZUz_oZyfi5w/s1600/Capture3.PNG


43/54

http://2.bp.blogspot.com/-muGrE345Zf4/UlwK2QJhrcI/AAAAAAAAAq0/UQgRCyAajck/s1600/Capture4.PNG


44/54

'e%eat the same ste% and create logon grou% fico and assign instance 0N for it as shown a!o$e.

After doing this you can see following logon grou%s in SM9G

nce you are done with logon grou% setu% %lease log off from SAP system and goto SAPGU# of the res%ecti$e SAP system.

http://4.bp.blogspot.com/-5mzXPj0seIk/UlwK4vSSyRI/AAAAAAAAAq8/Kn9HCrNFb5M/s1600/Capture5.PNG


45/54

7lic* on %ro%erties of the res%ecti$e GU# entry and goto to connection ta! as shown !elow.

http://1.bp.blogspot.com/-Wcsrw4eiOF8/UlwK7DPthKI/AAAAAAAAArE/CAAZRMQtHe0/s1600/Capture6.PNG


46/54

http://2.bp.blogspot.com/-oIasAvqYQag/UlwK_cU1kaI/AAAAAAAAArM/h7Y80oQZa6k/s1600/Capture7.PNG


47/54

Please select Grou%4Ser$er selection o%tion from the dro% down of 7onnection Ty%e as showna!o$e and maintain descri%tion and system id of the instance as shown a!o$e.

2ow you should !e a!le to $iew the newly created logon grou%s as shown in !elow figure)


48/54

http://1.bp.blogspot.com/-yRKeMPjsjfY/UlwLBr9nkvI/AAAAAAAAArU/z95fJ31SxU4/s1600/Capture8.PNG


49/54

Also %lease note you are a!le to $iew logon grou% SPA7& also which gets created !y default

2ow you can configure any desired logon grou% to the users as shown !elow)


50/54

http://1.bp.blogspot.com/-Z8KmcixfrNQ/UlwLEVdflNI/AAAAAAAAArc/Kb9sxsw2eyo/s1600/Capture9.PNG


51/54

6or e"am%le in the a!o$e screen fico grou% is assigned to the end users in his GU# so that nowonwards he will login into instance num!er 0N only.

@ow to delete logon grou% or assignment

#f you no longer re+uire any logon grou% you can delete !y %roceeding as shown !elow)

i8Goto SM9G transaction

ii8 Select the res%ecti$e row and clic* on delete assignment which deletes the assignment of aninstance to a logon grou% 5highlighted in green color in !elow screen8

http://1.bp.blogspot.com/-kD4sWPuO0uM/UlwLHeodrSI/AAAAAAAAArk/BUuymr6h0qA/s1600/Capture10.PNG


52/54

http://4.bp.blogspot.com/-efLZGTWdNKc/UlwLkC_PAWI/AAAAAAAAArs/I-sL3Dt1LX8/s1600/Capture11.PNG


53/54

7lic* on delete icon a!o$e which confirms deletion of assignment

iii8#f you wish to delete logon grou% itself then select the res%ecti$e logon grou% and clic* onDdelete grou%E in the a!o$e screen highlighted in red color 5%lease refer screen 1 of %oint iia!o$e8. This deletes the logon grou% itself and remo$es all assignments related to this grou%.

@ow to chec* logon load distri!ution in SAP

Goto transaction code SM9G as shown !elow and clic* on highlighted icon !elow to $iew theload distri!ution across instances

http://1.bp.blogspot.com/-gfKoF8AtLew/UlwLmsxCKeI/AAAAAAAAAr0/D5ELDTcaqDE/s1600/Capture12.PNG


54/54

Alternati$ely you can $iew this !y na$igating to Goto -> 9oad 3istri!ution or !y %ressing 6J*ey in the a!o$e screen

Basis Note Basis Note

Documents

Transcript of Basis Note Basis Note