14

Click here to load reader

SAP Security Interview Questions1

Embed Size (px)

Citation preview

Page 1: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 1/14

SAP Security Interview Questions 

Q. SAP Security T-codes 

A. Frequently used security T-codes

SU01 Create/ Change User SU01 Create/ Change User

PFCG Maintain Roles

SU10 Mass ChangesSU01D Display User

SUIM Reports

ST01 Trace

SU53 Authorization analysis

Q How to create users? 

Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial password for

that user on the Logon data tab. All other data is optional. Click here for turotial on creating sap user id

Q What is the difference between USOBX_C and USOBT_C? 

The table USOBX_C defines which authorization checks are to be performed within a transaction and which not

(despite authority-check command programmed ). This table also determines which authorization checks are

maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which default values an

authorization created from the authorization object should have in the Profile Generator.

Q What authorization are required to create and maintain user master records? 

The following authorization objects are required to create and maintain user master records:

• S_USER_GRP: User Master Maintenance: Assign user groups

• S_USER_PRO: User Master Maintenance: Assign authorization profile

• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q List R/3 User Types 

1. Dialog users are used for individual user. Check for expired/initial passwords Possible to change your own

password. Check for multiple dialog logon

2. A Service user - Only user administrators can change the password. No check for expired/initial passwords.Multiple logon permitted

3. System users are not capable of interaction and are used to perform certain system activities, such as background

processing, ALE, Workflow, and so on.

4. A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be

assigned within the system using a reference user. A reference user for additional rights can be assigned for every

user in the Roles tab.

Q What is a derived role? 

• Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions

included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and

functions if no transaction codes have been assigned to it before.

• The higher-level role passes on its authorizations to the derived role as default values which can be changed

afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role.User assignments are not passed on either.

• Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and

identical transactions) but have different characteristics with regard to the organizational level. Follow this link for

more info

Q What is a composite role? 

• A composite role is a container which can collect several different roles. For reasons of clarity, it does not make

sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.

• Composite roles do not contain authorization data. If you want to change the authorizations (that are represented

Page 2: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 2/14

by a composite role), you must maintain the data for each role of the composite role.

• Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of 

adding each user separately to each role required, you can set up a composite role and assign the users to that group.

• The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during

comparison. Follow the link to learn more

Q What does user compare do? 

If you are also using the role to generate authorization profiles, then you should note that the generated profile is not

entered in the user master record until the user master records have been compared. You can automate this by

scheduling report FCG_TIME_DEPENDENCY on a daily.

Q. Can we convert Authorization field to Org, field 

A. Authorization field can be changed to Organization field using PFCG_ORGFIELD_CREATE or

ZPFCG_ORGFIELD_CREATE

Use SE38 or SA38 to run the above report.

• Organizational level fields should only be created before you start setting up your system. If you create

organizational level fields later, you might have to do an impact analysis. The authentication data may have to be

postprocessed in roles.

• The fields "Activity", "ACTVT" and "Transaction code", "TCD" cannot be converted into an organizational level

field.

In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorizationfield which is now to become the organizational level field are removed and entered into the organizational level

data of the role.

Note: Table for Org Element- USORG

Refer to Note 323817 for more detail.

Q. How many profiles can be assigned to any user master record.

A. Maximum Profiles that can be assigned to any user is ~ 312. Table USR04 (Profile assignments for users). This

table contains both information on the change status of a user and also the list of the profile names that were

assigned to the user.

The field PROFS is used for saving the change flag (C = user was created, M = user was changed), and the name of 

the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters

are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the

maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.

Q. Can you add a composite role to another composite role? A. No Q. How to reset SAP* password from oracle database.

A. Logon to your database with orasid as user id and run this sql

delete from sapSID.usr02 where bname='SAP*' and mandt='XXX';

commit;

Where mandt is the client.

Now you can login to the client using sap* and password pass

Q. What is difference between role and profile. 

A. A role act as container that collect transaction and generates the associated profile. The profile generator (PFCG)

in SAP System automatically generates the corresponding authorization profile. Developer used to perform this stepmanually before PFCG was introduced bySAP. Any maintenance of the generated profile should be done using

PFCG.

Q. What is user buffer? 

A. When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each

user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains

all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.

A user would fail an authorization check if:

• The authorization object does not exist in the user buffer

Page 3: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 3/14

• The values checked by the application are not assigned to the authorization object in the user buffer

• The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be

controlled using the system profile parameter auth/number_in_userbuffer.

Q. How to find out all roles with T-code SU01? 

A. You can use SUIM > Roles by complex criteria or RSUSR070 to find out this.

Go to the Selection by Authorization Value.

In Object 1 put S_TCODE and hit enter.

And put SU01 in Transaction code and hit execute (clock with check) button.

I use authorization object, as you can use this to test any object.

You can also get this information directly from table, if you have access to SE16 or SE16N. Execute SE16N

Table AGR_1251

Object S_TCODE

VALUE (low) SU01

Q. How to find out all the users who got SU01 ? 

A. You can use SUIM >User by complex criteria or (RSUSR002) to find this out.

Go to the Selection by Authorization Value.

In Object 1 put S_TCODE and hit enter.

And put SU01 in Transaction code and hit execute (clock with check) button.I use authorization object, as you can use this to test any object.

Q. How to find out all the roles for one composite role or a selection of composite roles? 

A. Execute SE16N

Table AGR_AGRS

Composite roles You can put multiple composite roles using the more button

Q. How to find out all the derived roles for one or more Master (Parent) roles? 

A. Execute SE16N

Table AGR_DEFINE

Use either agr_name field or Parent_agr field.

Q. How can I check all the Organization value for any role? 

A. Execute SE16N

Table AGR_1252

Role Type in the role here and hit execute.

You can always download all the information to spreadsheet also using .

Q. How do I restrict access to files through AL11? 

A. First create an alias. Go to t-code AL11 > configure > create alias. Let say we are trying to restrict alias

DIR_TEMP which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as

mentioned below

Activity 33

Physical file name /tmp/*Program Name with Search Help *

Q. How can I add one role to many users? 

A. SU10. If you have less than 16 users then you can paste the userids.

If you have more than 16 users – Click on Authorization data and click on next to users and upload from clipboard .

Hit the change button and go to the role tab and add the roles to be assigned and hit save.

Q. What are the Best practices for locking expired users? 

A. Lock the user. Remove all the roles and profiles assigned to the user. Move them to TERM User group.

Page 4: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 4/14

Q. How can be the password rules enforced ? 

A. Password rules can be enforced using profile parameter. Follow the link to learn more about the profile

parameter.

Q. How to remove duplicate roles with different start and end date from user master? 

A. You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 365841 for more info.

Q. How come the users have authorization in PFCG, but user still complains with no authorization? 

A. Make sure the user master is compared. May be the there is a user buffer overflow

Also check the profile- Follow the instruction below.

SUIM > User by complex criteria.

Put the userid of user who is having issue.

Execute

Double click on the user id and expand the tree. Select the profile in question and see if the authorization is correct

or not. If not do the role reorg in PFCG and see if that helps.

Q. How can I have a display all roles.

A. Copy sap_all and open the role and change the activity to 03 and 08

Q. How can I find out all actvt in sap? 

A. All possible activities (ACTVT) are stored in table TACT (transaction SM30), and also the valid activities foreach authorization object can be found in table TACTZ (transaction SE16).

Posted by MSGoud at 1:18 PM 1 comment:

Step-by-Step Guide for Using LSMW 

Step-by-Step Guide for Using LSMW to Update Customer Master Records

Business Case:

As a part of reorganization and to better serve the customer needs, you are regrouping many of the customers. In

SAP terms, you are changing the Sales Office, Sales Group and Customer Groups for specific Customer Master

Records. Typically, you would maintain customer records with transaction XD02 to update ‘Sales View’. You

would enter Customer Key (Customer No, Sales Organization, Distribution Channel, and Division) and update

relevant fields on Sales View screen.

This document contains Step-by-step instructions to use LSMW to update Customer Master Records. It has two

demonstration examples - one using Batch Recording and another using standard SAP Object.

Note! The screen prints in this article are from IDES Release 4.6. They may differ slightly in other versions.

Demo Example 1 

LSMW to Update Customer Master Records with Transaction Recording

Call Legacy System Migration Workbench by entering transaction code LSMW. Every conversion task is grouped

together as Project / Subproject / Object structure. Create a Project called LSMW_DEMO and a Subproject as

CUSTOMERS and Object as CUST_REC as shown in Figure 1.

Figure 1 Conversion Task with Project, Subproject and Object

The main screen of LSMW provides wizard-like step-by-step tasks, as shown in Figure 2. To complete your data

conversion, you need to execute these steps in sequence. Once a step is executed, the cursor is automatically

positioned to the next step.

Note that these steps may look different depending upon your Personal menu settings. You could make step

numbers visible by ‘Numbers on’ icon or hidden by ‘Numbers off’ icon. You can execute a step by double-clicking

on the row. Toggle icon ‘Doubleclick=Display’ or ‘Doubleclick=Edit’, makes the step in ‘display’ mode or ‘change’

mode.

Page 5: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 5/14

Figure 2 LSMW Wizard – initial screen

Step 1: Maintain Object attributes

In this example, you will be updating the customer master records with the help of recording a transaction (XD02).

Choose radio button Batch Input Recording and click on the recording overview icon to record the R/3 transaction.

Enter the Recording name as XD02_REC, the description as Customer Master Updates Recording, and the

transaction code as XD02.

Figure 3 Object type ‘Transaction Recording’

The system calls the transaction code XD02 and prompts you to complete the Change

Customer transaction, as shown in Figure 4. Enter the key customer information (I entered customer number 1000,

sales organization 1000, distribution channel 01, and division 00) and choose ‘Sales’ view within ‘Sales area data’.

Make changes to these three fields (I entered, sales office 1010, sales group 110, and customer group 01) and save

the transaction.

Figure 4 Transaction recording for Transaction Code ‘XD02’

Once the transaction is completed, R/3 records the flow of screens and fields and saves the information, as shown in

Figure 5.

Figure 5 Transaction recording overview

Note that the fields are populated with default values. The values you entered when you recorded the transaction are

set by default.

Note that if you have more fields in the recording than needed, you can remove them by clicking ‘Remove Screen

field’ icon.

Observe that the transaction-recording process stores field names in a technical format. By pressing the F1 key on

individual screen fields and then pressing the F9 key, the system displays technical names. You then can replace the

technical names with descriptive names. Double-click on the field RF02D-KUNNR and enter the name as KUNNR

and the description as Customer Account Number and remove the default value. (See Figure 6.)

Figure 6 Field attributes

Similarly, double-click on all other fields with default values and make appropriate changes. Once you have made

changes, the recording overview screen looks like what you see in Figure 7.

Figure 7 Transaction Recording Overview – with screen field attributes

Save your changes. When you go back to the initial screen, you will see that the initial screen steps have changed.

Since you want to import data via the BDC method, the Direct Input and IDoc-related steps are hidden, as they are

not relevant.

Step 2. Maintain Source Structures

Give a name and a description to the source structure (Figure 8).

Figure 8 Source Structure

Page 6: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 6/14

Step 3. Maintain Source Fields

In this step, you need to list what fields are present in the source structure. The easiest way is to click on ‘Table

Maintenance’ icon to enter Fieldname, Type and Length for each field as shown in Figure 9.

Figure 9 Source fields of source Structure

Note that your input file will have four fields as key fields and you need to update three fields in the system.

Step 4: Maintain Structure Relations

Execute a step to ‘Maintain Structure Relations’. (See Figure 10.) Since, there is only one Source and Target

Structure, the relationship is defaulted automatically.

Figure 10 Structure Relation

Step 5: Maintain field mapping and conversion rules

Field RF02D-D0310 represents that you chose ‘Sales view’ for the customer Master screen accordingly its value

should be set to X. Keep your cursor on field RF02D-D0310 and click on Constant rule icon to choose the constant

value of ‘X’.

If your source file already has the field value, you choose rule ‘Source Field’.

Keep cursor on field ‘KUNNR’ and click on ‘Assign Source field’ icon to choose source field CUSTOMER from

structure XD02S as shown in Figure 11.

Figure 11 Assign source fields

Similarly, assign ‘Source Field’ rules to the remaining fields.

Once all the fields are mapped, you should have an overview screen as shown in Figure 12.

Figure 12 Field mapping and Conversion rules overview

Step 6: Maintain fixed values, translations, user-defined routines

You can also maintain re-usable translations and user-defined routines, which can be used across conversion tasks.

In this case, that step is not required.

Step 7: Specify files

In this step, we define how the layout of the input file is. The input file is a [Tab] delimited with the first row as field

names. It is present on my PC (local drive) as C:\XD02.txt. (See Figure 13.)

Figure 13 File attributes

Create an Excel file (Figure 14) with your data and save it as a Tab-delimited text file on your local drive (C:\) and

name it XD02.txt.

Figure 14 Source data in Excel file (saved as Tab delimited file)

Step 8: Assign files

Execute step ‘Assign Files’ (Figure 15) and the system automatically defaults the filename to the source structure.

Page 7: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 7/14

Figure 15 Assign file to Source Structure

Step 9: Read data

In this step, LSMW reads the data (Figure 16) from the source file (from your PC’s local drive). You have the option

to read only selected rows and convert data values to Internal format.

Figure 16 Read Data

Step 10: Display read data

This step (Figure 17) is optional. If required, you can review the field contents for the rows of data read.

Figure 17 Display Read Data

Step 11: Convert data

This is the step that actually converts the source data (in source format) to a target format. Based on the conversion

rules defined, source fields are mapped to target fields.

Step 12: Display Converted data

Again this is an optional step to view how the source data is converted to internal SAP format (Figure 18).

Figure 18 Display Converted DataStep 13: Create batch input session

Once the source data is converted in an internal format, you can create a batch session to process updates (Figure

19).

Figure 19 Create Batch Input Session

Step 14: Run Batch Input Session

You can execute the BDC session by Run Batch input session. Executing a batch input session is a standard SM35

transaction for managing BDC sessions. Once you have successfully executed the batch input session, the customer

master records are updated in the system. You can confirm this by viewing the customer master records (XD03).

Note! Browsing thru these 14 steps, you may get a feeling that this is a very lengthy and time-consuming activity.

However, for the purposes of demonstration, I have made it detailed. Although it looks lengthy, actually it takeshardly few hours from start-to-finish! After playing around with few simple LSMW scripts, you will find it so easy

to change and create more complex ones.

Demo Example 2

LSMW to Update Customer Master Records with Standard Object

As an alternative to using ‘Transaction Recording’, you could also use a standard SAP object to update Customer

Master Records. Business Object ‘0050’ is already pre-defined in the system with standard Batch Input Interface

Program ‘RFBIDE00’.

Create an Object CUST_OBJ within Project as LSMW_DEMO and Subproject as CUSTOMERS as shown in

Figure 20.

Figure 20 LSMW Object with Standard SAP Object

Note! For the Demo example 2, I will list only those steps that are different from the first demo example.

Step 1: Maintain Object attributes

You will be updating the customer master records with the help of Standard Batch Input; therefore, choose radio-

button Standard Batch/Direct Input as shown in Figure 21. Enter Object ‘0050’ for Customer Master records and

default method ‘0000’ and click on Save.

Page 8: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 8/14

 

Figure 21 Standard Batch/Direct Input Object Attributes

Step 4: Maintain Structure Relations

Sales view of Customer Master is stored in table KNVV. Accordingly, you need to update structure BKNVV.

However, in addition, the Standard Object ‘0050’ also requires updates to BGR00, BKN00 and BKNA1 structures.

(If you do not maintain Structure relations for mandatory entries, you might get a message such as ‘Target structure

BKNA1 needs a relation to a source structure’.)

Even though you don’t want to update any fields in these structures, you need to create a relationship with source

structures. In all, you need to create relationship for four target structures.

Create relationship between source structures XD02S with these target structures with icon ‘Create Relationship’ .

Keep Cursor on these four target structures and click on icon ‘Create Relation’ and structure relations are maintained

as shown in Figure 22.

Figure 22 Structure Relation

Step 5: Maintain field mapping and conversion rules

-- Keep your cursor on ‘TCODE’ field and click on ‘Insert Rule’ icon

Figure 23 LSMW Conversion Rules

Choose radio button ‘Constant’ (Figure 23) to enter value ‘XD02’ transaction code.

-- Keep your cursor on field ‘KUNNR’ and click on ‘Assign source field’ icon

Choose source field ‘Customer’ from source structure ‘XD02S’. (See Figure 24.)

Figure 24 Assign Source fields

-- Similarly, choose source fields for Sales Organization, Distribution Channel, and Division. (See Figure 25.)

Figure 25 Field Mapping and Conversion Rules

-- Scroll down to structure BKNVV fields and assign source fields to three fields Sales Office, Sales Group, and

Customer Group (Figure 26).

Figure 26 Field Mapping and Conversion Rules

Save and go back to main screen.

Page 9: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 9/14

Step 12: Display Converted data

When you convert data, LSMW automatically converts into the appropriate structure layouts, as required by

Standard program (RFBIDE00). (See Figure 27).

Figure 27 Converted data into multiple structures

Note that if you had only one record in source file, the converted file has four records.

Earlier, creating this input file, so that the standard interface program can read it, was a big nightmare, the primary

reason being that it could have multiple record layouts. Even for a simple conversion with one input record, you

would have to create this complex file with many record layouts. The advantage of LSMW is that it prepares these

multi-layout files automatically.

Step 13: Create batch input session

Once source data is converted in internal format, you can create a BDC session to process the updates (Figures 28

and 29).

Figure 28 Create BDC Session

Figure 29 BDC Session ‘CUST_OBJ’ created

Summary

Once BDC session is processed successfully, SAP updates the customer master records with relevant changes.Review these specific customers (transaction code XD03) and confirm that the changes are correctly reflected in the

master records.

Mitresh Kundalia heads SAP practice division at Quality Systems & Software (www.QSandS.com). QS&S helps

companies achieve world-class performance by realizing their latent business and technological potential with

emphasis on SAP systems. QS&S uses Industry-wide best-practices and proven implementation tools to integrate

complex business processes with the SAP system. With an MBA degree in finance, Mitresh implements Financial

and Logistics applications with specialization in Management reporting, Profitability Analysis, Information systems

and Business Information Warehouse. He can be reached by e-mail at [email protected].

Posted by MSGoud at 12:50 PM No comments:

XI Interview questions 

Q1: What is SAP XI?

A1: SAP XI is a component of SAP NetWeaver and it runs on SAP Web Application Server (SAP Web AS). SAP

XI enables ISVs to implement collaborative processes (A2A or B2B) using standards-based XML messaging.

Q2: What are the XI interface certifications that SAP offers?

A2: SAP offers XI Adapter (NW-XI-AF), XI Content (NW-XI-CNT), and XI Content based on Industry Standards

Page 10: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 10/14

(NW-XI-CNT-IS) certification for ISVs.

Q3: When should ISVs build an XI adapter?

A3: XI adapters provide an additional, specific technical protocol to facilitate communication with XI. SAP already

provides many adapters such as SOAP, HTTP, RFC, Idoc, etc. Typically XI adapters are provided by EAI vendors

for support of additional protocols. XI adapters must be implemented as resource adapters of the Java Connector

Architecture 1.0 (JCA).

Q4: What do I need to build and test my XI adapter?

A4: You must have the SAP Partner Connectivity Kit (SAP PCK) to develop and test your XI adapter. Once you

apply for XI Adapter certification, an ICC representative will put you in contact with the relevant group in SAP so

that you can purchase the PCK license.

Q5: What is the SAP PCK?

A5: The SAP PCK provides a platform to development and test your own JCA resource adapter. The SAP PCK

includes JCA sample adapter with source code, XML file for sample adapter metadata, and Java docs for adapter

development.

Q6: What is XI content package?

A6: XI content facilitates integration scenario of a particular business process (A2A or B2B) via XI. The XI content

package includes integration scenario, message definitions, interface definitions, and mapppings using XIintegration builder tools. ISVs who plan on integrating their business application with SAP business applications via

XI typically would go for XI content certification.

Q7: What is XI content package based on Industry Standards?

A7: SAP supports many industry standards such as RosettaNet (for High Tech), CIDX (for Chemical), ISA-S96 (for

Manufacturing), STAR (for Automotive), etc. ISVs can select business processes defined by industry standards to

build a content package via XI. ISVs who want to utilize industry standard on their integration scenario should go

for XI content based on Industry Standards.

Q8: Where do I find more information about XI integration scenarios?

A8: Please go to XI interface page to learn more on XI Adapter certification.

Please go to XI Content interface page to learn more on XI Content certification.

Please go to XI Content based on Industry Standards interface page to learn more on XI Content based on IndustryStandards certification.

Q9: Where can I get XI test system to build XI content package?

A9: ICC is hosted many SAP application systems including XI for ISVs remotely access to develop and test their XI

content scenario. For more information on this service, please refer to Developer Package.

Q10: Can I become PBNW after the completion of XI certifications?

A10: It depends. If you complete the XI adapter certification successfully, you qualify for PBNW.

If you complete either XI content or XI content based on Industry Standards certification, you also need to complete

the EP-BP certification to obtain PBNW.

Posted by MSGoud at 12:40 PM No comments:

ASAP Methodology 

SAP Stands for System Application Product in Data Processing

In 1972, five systems analysts began working nights and weekends to create standard software with real-time data

processing. Twenty-five years later their vision is a reality: SAP is the world’s market and technology leader in

business application software.

On April 1, 1972 five former IBM employees founded SAP as System analyse und Programmentwicklung

Page 11: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 11/14

Page 12: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 12/14

The purpose of this phase is to complete the final preparation of the R/3 System for going live. This includes testing,

user training, system management and cutover activities, to finalize your readiness to go live. This Final Preparation

phase also serves to resolve all crucial open issues. On successful completion of this phase, you are ready to run

your business in your productive R/3 System.

IIn Phase 4, your end users go through comprehensive training. The last step will be to migrate data to your new

system. In particular a going-live check is carried out and an R/3 Help Desk set up.

Phase 5: Go Live and SupportNow you are ready to go live with your productive system! Afterwards, the project

team focuses on supporting the end users, for which training may not be completed. It is also necessary to establish

procedures and measurements to review the benefits of your investment in R/3 on an ongoing basis. Key SAP

Services to support you in this phase include

Posted by MSGoud at 12:38 PM No comments:

Thursday, November 29, 2007

CUA-Central User Administration 

W hat i s t he easy and s im p le w ay o f ac t i va t i ng Cen t r a l User Adm in i s t r a t i on

( CUA) v ia SCUA?

Customers that have implemented the Central User Administration in lower releases have

had to read and skim through cookbooks and adhere to the different set-up procedures of the ALE landscape used to propagate the user data and input methods like UserClone in

transaction WE20 (managing partner profiles), bearing in mind upper and lower cases for

the different methods. There is good news for you.

The setup of CUA is now extremely simple and easy. All you have to do to activate the CUA,regardless of whether you want to set up a complete new CUA just add a new client to the

CUA, is activate the CUA via transaction SCUA. So, no more fumbling in ALE configurationsand partner profile management is needed! The process, in short, is as follows:

1. Log on to the new child system and create a communication user for the CUA. Assign this

user a customer copy of the following two roles: SAP_BC_USR_CUA_CLIENT,

SAP_BC_USR_CUA_SETUP_CLIENT. The latter can be removed from the communicationuser after CUA activation.

2. Create the RFC connection(s) between central system and client. 

3. Create a new logical system for the CUA client.

4. Assign the logical system to a client . 

5. Go into transaction SCUA, enter the logical system and save. This will generate the ALEdistribution model including partner profiles. 

Page 13: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 13/14

6. If you configure a CUA newly from scratch you have to customize the field distribution in

transaction SCUM. 

7. Migrate new users into your CUA central using transaction SCUG. Let's look at the details

and do it.

The CUA landscape we start with is as follows: We have a central system in client 100 on aWeb Application Server stand-alone called TT1. 

We have two child systems in client 200 and 300. Now, we want to add client 400. So, how

do we start? Create the communication user on client 400.

So, we log on to client 400 and create the communication user via transaction SU01. This

user has also been assigned the roles Z_SAP_BC_USR_CUA_CLIENT and

Z_SAP_BC_USR_CUA_SETUP_CLIENT, which are custom copies of the pre-delivered SAP

roles. 

Now we have to create the RFC connection. To do this, we log onto the central system client

100 in system TT1 and go into transaction SM59. We maintain the technical settings for theRFC connection.

And we maintain the communication user in this RFC connection. What is the next step? To

create a logical system for the new client 400. This is done in transaction SALE on the

central system. Navigate to the menu path for logical systems and click on Define LogicalSystem. 

On the next screen enter a new value for TT1CLNT400 and save. Then, go back with thegreen arrow and double-click on Assign Logical System to Client. On the next screen

double-click on client 400. Assign the logical system TT1CLNT400 to client 400.

Please note that the setup of the CUA landscape in our example spares us the burden of creating an RFC connection from the new daughter system client 400 back to the CUA

central client 100, because we are in ONE system only, namely the TT1.

W hat i s l e f t t o do? 

Well, all you have to do now is go into transaction SCUA, add the new child systemTT1CLNT400 there, and click on save. Let us do it. After you have saved your entries, you

will see the following logs. So, activities you formerly had to do yourself like creation andgeneration of the ALE partner model and input of methods in the ALE model are now done

AUTOMATICALLY for you.

If you have not configured it yet, you can now maintain the field distribution in transactionSCUM. This transaction allows you to configure on a field level where you want to allow

Page 14: SAP Security Interview Questions1

7/31/2019 SAP Security Interview Questions1

http://slidepdf.com/reader/full/sap-security-interview-questions1 14/14

fields of the user master record to be maintained. Optionally you can just take the SAP

defaults. So there is nothing to configure in transaction SCUM. The defaults will be

distributed when you activate the CUA with transaction SCUA.

Then, you can migrate the users from child system 400 into the central system 100 using

transaction SCUG. For more information on CUA and how to implement

it please take a look here: SAP Security Homepage" -> Security in Detail -> IdentityManagement -> Centralized Administration -> Cookbook: Central User Administration (Web

AS ABAP 6.20 or higher release)

Hopefully, this weblog has shown how easy it has become to implement CUA. The crucialtransaction SCUA has been powerfully enhanced, so that you are spared the burden of a lot

of manual configuration. I hope you enjoy implementing CUA.