SAP Architecture
SAP Landscape
Client Administration
Tcodes related to Client Administration
User Administration
Authorization
Role Administration- Profile
Role Administration- Roles
SU 01 Tabs:-
User Types
Change Docs and
Change of User lock
Standard Users/ Default Users
And Some Facts
SAP Architecture
SAP was started in 1972 at Walldorf, Germany.
They started with R1 Architecture
R stands for Real Time (online)
1 stands for 1 Tier or 1 Layer
1972 - R2 Architecture
1st Layer - Presentation Layer - User Interface software - SAP GUI - used to log in to the SAP system.
2nd Layer - Database Layer
1992 - R3 Architecture was launched
1st Layer - Presentation Layer
2nd Layer - Application Layer
3rd Layer - Database Layer

Application Layer
It consists of
• Processes
• Services
Processes:
Dialog - All the interactions between user and system, 600 milliseconds
Background - Long duration activities and recurring activities
Spool - Printer related activities
Update - Updating the database - create, modify or delete data
Enqueue - Following Q while updating DB
Services:
Message - Load balancing among application servers
Gateway - Communication channel between 2 SAP systems or 1 SAP and 1 non-SAP system
SAP Landscape: Non Technical questions
Client: BMW
IT Company: Accenture
Total systems and applications used in the BMW project:
SAP Finance
SAP HR
SAP SD
SAP MMS
SAP CRM
BASIS, Security and ABAP are technical and admin teams.
Total no of users
Security team size
Total Teams
Manager Name
TL Name
Client Head Quarters
Client CEO
IT Company CEO

Systems:
ECC: ED1, EQ1, EP1
FI: FD1, FQ1, FP1
Sales: SD1, SQ1, SP1
HR: HD1, HQ1, HP1
CRM: CD1, CQ1, CP1
Environments:
• Sandbox
• Development
• Test
• Quality
• Production
Client Administration
Client:
Independent space within the SAP system
It is represented by a 3 digit number 000-999
Max no of clients that can be created within an SAP system = 1000
000, 001 & 006 are default clients in Non IDES system (Business)
000, 001, 066, 800, 810, 811, 812 are the default clients in IDES system
IDES - International Demonstration and Education System (Training)
Client Data:
o Client Independent Data (Standard Data)
Ex: Tcodes, ABAP Code
o Client Dependent Data (Customized Data)
Ex: Users, Transactional Data, Business Data
Some Tcodes related to this concept: (SCC*)
SCC4- Client creation
SCC5- Client Deletion
SCCL- Local Client Copy
SCC9- Remote Client Copy
Client Creation in Detail
User Administration
It is all related to User Maintenance
User creation
User Modification
User Deletion
User Lock and Unlock
User Copy
User Password reset
SU01 --> Tcode for User Administration
Process involved in the user Administration
Don’t enter any details. By default data is filled.
SU 01 Tabs:-
Options: Create, Change, Display, Delete, Lock/Unlock, Copy, Change Password
When we click Create, we get the below tabs:
• Last name - Mandatory
• User type, Initial password, User group, Validity period
• When SNC is activated we don’t need to enter the password. It is mostly enabled for SECURITY and BASIS users.
• Date, Decimal Notations, Time format, Time Zone, Printer details - Common to all users except printer
• Enter only when requested by user
• Assign extra Authorization through Roles
• Profiles are interlinked with roles & they get assigned automatically once roles are assigned. Max profiles a user can have is 312.
• Assign users to groups if he belongs to them
User Types:
Dialog - Default user type, interactive user, password parameters are applied, GUI login is allowed.
Ex, All employees of the organization
Service - Used for multiple dialog logons, password parameters are not applied, GUI login allowed.
Ex, FFID in GRC, TEST Ids
System - Used for internal communication, password parameters not applied, GUI login not allowed.
Ex, Background jobs are scheduled using these system ids, Internal RFC
Communication - Used for external communication, password parameters are not applied, GUI login not allowed.
Ex, RFC (Remote Function Call)
Reference - Used for providing extra access to DIALOG IDs when its access limit (312 profiles) is reached, no password required, cannot login through GUI.

Change Docs
To see changes done to a user in a time interval
Path SU 01:- Information - Change document for user

Different types of User Locks
0 - Not Locked
32 - Global Lock (CUA)
64 - Administrator lock {If it is locked by Security Admin}
128 - Incorrect Logons Lock {When user enters wrong password a number of times}
Standard Users / Default Users in Detail
User IDs which exist in the SAP system by default after installation.
Initial login to the system would be with these IDs.

User ID      Password        Client
SAP*         Pass/06071992   All
DDIC         19920607        000, 001
SAPCPIC      admin           000, 001
EARLYWATCH   support         066
Some facts:
• User ID max length: 12 Chars
• User ID naming convention: differs from org to org. Combination of first name and last name
Ex, BALATHARAN MURALI - BALAMU
• Max number of profiles assigned to one user: 312
• Mandatory fields while creating user: Last Name and Password
User related tables:
All the tables related to user data will start with USR*
Ex: USR02 - User Logon Data
USR40 - Illegal Passwords
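
The lock values and standard users listed above can be checked against an export of USR02, as in this added example (not part of the original notes). MANDT, BNAME, USTYP and UFLAG are USR02 columns; the sample rows are constructed, and the decoder goes beyond the four listed values by treating UFLAG as a bit field, so combined locks such as 192 (64 + 128) are reported too.

```python
import csv
import io

# Lock values from the list above; USR02-UFLAG is a bit field, so they can combine.
LOCK_BITS = {32: "Global lock (CUA)", 64: "Administrator lock",
             128: "Incorrect logons lock"}
# USR02-USTYP codes for the five user types described above.
USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication",
              "S": "Service", "L": "Reference"}
STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}

# Constructed sample export (not real data): client, user, type, lock flag.
SAMPLE_USR02 = """MANDT,BNAME,USTYP,UFLAG
000,SAP*,A,64
000,DDIC,A,0
001,SAPCPIC,C,0
066,EARLYWATCH,A,192
100,BALAMU,A,128
100,FFID_01,S,0
100,BATCH_FI,B,0
"""


def decode_lock(uflag):
    """Return the lock reasons encoded in a UFLAG value."""
    reasons = [name for bit, name in sorted(LOCK_BITS.items()) if uflag & bit]
    unknown = uflag & ~sum(LOCK_BITS)
    if unknown:
        reasons.append(f"Unknown bits ({unknown})")
    return reasons or ["Not locked"]


def audit(csv_text):
    """Return (client, user, type, finding) for unlocked accounts needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, flag = row["BNAME"], int(row["UFLAG"])
        utype = USER_TYPES.get(row["USTYP"], "Unknown")
        if flag != 0:
            continue  # any lock bit set: the account cannot log on
        if user in STANDARD_USERS:
            findings.append((row["MANDT"], user, utype,
                             "unlocked standard user: confirm default password was changed"))
        elif utype == "Service":
            findings.append((row["MANDT"], user, utype,
                             "unlocked service user: GUI logon without password rules"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USR02):
        print(*finding, sep=" | ")
```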
Authorization Concepts
Authorization -- Permissions
Authentication - Identity check [UserId/Password]
• Authorization is identified by Auth Fields and Auth Objects
• An Auth Object is a group of 10 Auth fields max
We use SU21 Tcode to check the Auth Objects in the SAP system
SU24 Tcode to find the Auth Objects related to any Tcode in SAP
This is how we create a Role on the basis of a request from USER
Objects related to SU01 Tcode
Tcode :- Stands for transaction code / acts as shortcut to the program.
Tcode is create the Tcode.
Security team gives access to the Tcode.
o SE93 :- Tcode Maintenance
o SA38 :- To execute program
o SE38 :- To maintain program
Role Administration
Profile:-
Current Version of SAP is
ECC 6.0 + EHP 1,2,3,….8;
ECC - ERP Central Component
ERP - Enterprise Resource Planning
EHP - Enhancement Package
o In 4.7 major changes occurred in the security area.
o The Roles concept was introduced from 4.7 onwards.
o Before that the Profile concept was there.
Profile is of 2 types
1. Standard [come along with installation]
2. Generated [through Roles]
SAP recommends NEVER ASSIGN STANDARD PROFILE TO USER, as they give extra access.
Hence we have to assign Roles to users, which in turn assign profiles to users internally.
Roles:- It is the group of Tcodes and its related Auth
Create the necessary roles for each and every team in the project.
Following are the teams:-
Finance
BASIS
Security
HR
ABAP
Sales
BW
CRM
Roles are categorized as 2
Technical/Support Roles - Support Users
Functional/Business Roles - End user / Business user
Role Matrix:- Gathered info from all technical teams regarding roles and the types of roles and access they needed.
Role Creation/Modification process:-
Change Request [CR] form has to be filled by the respective technical team; that has to be approved by CAB - Change Advisory Board
Once approved the request comes to security and we create the roles.
This process can be of two ways
1. Manual
2. Automate [ChARM] [Change Access Req Management]

Role Naming Convention:
Types of Roles: 1) Single (X) 2) Composite (Y) 3) Derived (Z)
Role Length: 30 Chars max
Role name should contain following data
Role Type
Business Process or Functional Module - FI, HR, SD....
Sub Process - HR (PA, PD, Payroll), FI (AP, GL, FA)
Extra Information - Client, project or branch or Business name
Ex: X:HR:PERSONNEL ADMIN:BMW -> PA20, PA30, PA40
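
A role matrix can be linted against the role naming convention described above before the roles are created; this is an added example, not part of the original notes. The four-segment ':' layout is taken from the X:HR:PERSONNEL ADMIN:BMW example, while KNOWN_MODULES and the sample role names are assumptions that a project would replace with its own lists.

```python
ROLE_TYPES = {"X": "Single", "Y": "Composite", "Z": "Derived"}
MAX_ROLE_LENGTH = 30
SEGMENTS = ("type", "module", "sub_process", "extra")
# Assumption: module codes this project accepts; the notes name FI, HR, SD.
KNOWN_MODULES = {"FI", "HR", "SD"}

# Constructed role matrix entries (hypothetical names, not real roles).
SAMPLE_ROLE_MATRIX = [
    "X:HR:PERSONNEL ADMIN:BMW",
    "Y:FI:ACCOUNTS PAYABLE PROCESSING:BMW",
    "Q:HR:PAYROLL:BMW",
    "X:HR::BMW",
]


def check_role_name(name, modules=KNOWN_MODULES):
    """Parse a role name and return (fields, problems)."""
    problems = []
    if len(name) > MAX_ROLE_LENGTH:
        problems.append(f"length {len(name)} exceeds {MAX_ROLE_LENGTH}")
    parts = name.split(":")
    if len(parts) != len(SEGMENTS):
        problems.append(
            f"expected {len(SEGMENTS)} ':'-separated segments, got {len(parts)}")
        return {}, problems
    fields = dict(zip(SEGMENTS, (p.strip() for p in parts)))
    for key, value in fields.items():
        if not value:
            problems.append(f"segment '{key}' is empty")
    if fields["type"] and fields["type"] not in ROLE_TYPES:
        problems.append(f"unknown role type '{fields['type']}'")
    if fields["module"] and fields["module"] not in modules:
        problems.append(f"unknown module '{fields['module']}'")
    fields["type_name"] = ROLE_TYPES.get(fields["type"])
    return fields, problems


def lint_role_matrix(names):
    """Return {role name: problems} for every name that breaks the convention."""
    report = {}
    for name in names:
        _, problems = check_role_name(name)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for role, problems in lint_role_matrix(SAMPLE_ROLE_MATRIX).items():
        print(role, "->", "; ".join(problems))
```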
PFCG - PROFILE GENERATOR [TABS] {TCODE}
• Write role name as per Role Naming Convention
• Click Single role if the Role doesn’t exist
• Authorization is all about generating Profiles. It consists of Auth Obj related to Tcodes provided in Menu
• Click Transactions and enter Tcodes
• List of Tcodes to be assigned for user should be entered in Menu
• Click on this icon. S/M will GEN profile
• The GEN Profile will be reflected in Authorization Tab
We found the below tabs when we click Single Role:
• Because of CR we are creating Role. Under Description fill Long Text
• Write small details about the Role we are creating
• When and who created
• Indicates the USERS assigned to this Role
• Don’t touch
Authorization Tab in PFCG
Auth Objects
Status of Auth Objects:-
• Standard - Represents SAP default standard values pulled from SU24 for the Tcode added in the Menu
• Maintained - Represents blank fields have been maintained with values
• Changed - Represents SAP default values have been modified
• Manually - Represents Auth Object has been inserted directly into the Role (not pulled from SU24)
It tells from which Tcode these Auth Obj came from
Organizational Fields
Auth Fields are of two types
• Normal Field:- Which doesn’t represent Organization. Ex:- Activity, Role
o Normal field value is universal.
o Can be maintained directly
• Org Field:- The field which represents Organization. Ex:- Plant, Cost Centre.
o Org value varies from Org to Org.
Org field values are maintained in the Organizational Level icon in Authorization Tab