Saturday, 30 April 2016

How to Limit Logon Attempts in SAP

Before we learn to limit logon attempts we need to know parameter 

What is a parameter?

Parameter is the set of keys and values to manage the SAP system.There are two types of parameters -
  1. Static:- It needs restart. It doesn't effect to the system immediately once you set the value for it.
  2. Dynamic:- It does not need restart .It effects to the system immediately once you set the value for it.

How to view a parameter?

Step 1) Execute T-code RZ11

Step 2)
  1. Put parameter name "login/fails_to_session_end" in text-field.You can put any Parameter name.
  2. Click Display

Step 3) The screen below shows the current value set for the parameter by the admin
In order to change a parameter, click the pencil icon and make desired changes

Important Parameters to limit login attempts

  • login/fails_to_session_end: This parameter specifies the number of times that a user can enter an incorrect password before the system ends the logon attempt. The parameter is to be set to a value lower than the value of parameter
  • login/fails_to_user_lock: This parameter specifies the number of times that a user can enter an incorrect password before the system locks the user against further logon attempts. Default value is 12. You can set it to any value between 1 and 99 inclusive.

Thursday, 28 April 2016

How to Lock/Unlock a User in SAP

Locking a user

Purpose of locking user is to temporarily deactivate the users so that they cannot longer access the system.

Users can be locked in 2 ways:-
  • Automatically
  • Explicitly/Forcefully

Automatically:- There are two possibilities when users get lock automatically
  • Maximum number of failed attempts:- controlled via the parameter login/fails_to_user_lock .If value is set to 3 it means after 3 failed attempts user will be locked.
  • Auto unlock time:- "login/failed_user_auto_unlock" defines whether user locked due to unsuccessful logon attempts should be automatically removed at midnight.

Explicitly/Forcefully: We can lock and unlock users in 2 ways-
  1. Lock single user (SU01)
  2. Lock multiple user (SU10)

Procedure to lock a single user

Step 1) Execute T-code SU01
Step 2) Enter username in User field.
Step 3) Press Lock/Unlock button
Step 4) In the next screen, Press Lock button again to lock the user.

Procedure to lock multiple users

Step 1) Execute T-code SU10
Step 2) Enter users' username in User field.
Step 3) Press Lock/Unlock button
All the users listed will be locked

Procedure to unlock a user

Step 1) Execute T-code su01
Step 2) Enter username in User field.
Step 3) Press Lock/Unlock button
Step 4) Press Unlock button

Procedure to unlock multiple users

Step 1) Execute T-code SU10
Step 2) Enter users' username in User field.
Step 3) Press Unlock button
Users will be unlocked

Wednesday, 27 April 2016


Many of the Functional Consultants face issues in understanding what are the Roles and what are Authorizations in SAP. This is a document which would help people who are curious to know what is exactly the concept behind this and how does it work.

Functional Consultants have a lot of questions in mind regarding this concept and one of the main questions here is why should Functional Consultants worry about Roles and Authorization when it is a job of BASIS team.
Well, to answer this, it is not solely a job of BASIS team rather it is also like other activities, it an integrated activity which should be performed by both BASIS team and Functional team.

BASIS team have a know how about the User Management, Roles Creation, Profile Creation, Roles and Profile assignment, Authorization assignments etc. but main concern in most of the cases arises when the below questions are unanswered by BASIS team:

  1. Whom to Assign the Roles or transactions
  2. What to Restrict in a transaction and for whom
  3. How to authorize Custom transactions
and many more such questions cannot be answered by BASIS team. Hence, it becomes the role of a Functional Consultant to guide them with the exact process flow and exact organizational chart.
Explaining with a small example here, suppose we have a maintenance team as below:

  1. Supervisor – He is responsible for notifying the breakdown or Corrective Maintenance requirements
  2. Maintenance In-charge – He is responsible for assigning the above tasks to Engineers
  3. Head of the department – He is responsible for approving the Maintenance tasks.

Now, Functional Consultant is very well aware that for Supervisor would require only the transactions related to Notifications (say IW21, IW22, IW28, IW29 etc), Maintenance In-charge would require some of the notification related transactions (say IW22, IW28, IW29) and also order related transactions (IW31, IW32, IW38, IW39 etc) and the Head of the department would require notifications and order transactions (say IW28, IW29, IW38, IW39) and also along with this he require special permissions like releasing orders, approving permits, technical completions etc.
Looking from BASIS team’s perspective they are not clear with these requirements and they thus cannot take the decision for this and should be provided by Functional Consultants.
But, the main issue in most of the cases arises when Functional Consultants are not aware about the concept of Roles and Authorizations.
Hereby, this document will explain the basic concept of Roles and Authorizations:


Roles and Authorizations allow the users to access SAP Standard as well as custom Transactions in a secure way.
SAP provides certain set of generic Standard roles for different modules and different scenarios.
We can also define user defined roles based on the Project scenario keeping below concept in mind:

There are basically two types of Roles:
  1. Master Roles – With Transactions, Authorization Objects and with all organizational level management.
  2. Derived Roles –With organizational level management and Transactions and Authorization Object copied from Master Role.

The reason behind this concept is to simplify the management of Roles.


A Master Role or a Derived Role is having below components inside it:
  1. Transaction Codes
  2. Profile
  3. Authorization Objects
  4. Organization level

Transaction Codes: SAP Transaction codes (Standard or custom)

Profile: Profiles are the objects that actually store the authorization data and Roles are the Container that contains the profile authorization data.

Authorization Objects: Objects that define the relation between different fields and also helps in restricting/ allowing the values of that particular field (For ex: Authorization object I_VORG_ORD: PM: Business Operation for Orders, contains relation between fields: AUFART = Order Type and BETRVORG Business Transaction).
Authorization objects are actually defined in programs that are executed for any particular transactions. We can also create custom authorization objects for any particular transaction (generally custom transaction).

Organization level: This defines actually the organizational elements in SAP for ex: Company Code, Plant, Planning Plant, Purchase organization, Sales organization, Work Centers, etc.

Suppose we take an example of creating a role for Maintenance In-charges in a particular industry who are responsible for different maintenance plants. Consider the Scenario as under:

Company = C1, Maintenance Plants = M1, M2, M3 and M4 (Hence assuming 4 Shift In-charges).

As mentioned before, Maintenance In-charge will have rights to following transactions – IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39 but he will not have rights to release the Maintenance order.


Hence, considering the above situation, we will create a common Master role for all 4 Maintenance In-charges say ZMPM_MAIN_IN_CHARGE_ROLE (Here the role name starts with ZMPM to make us understand that it is a Z Master Role for Plant Maintenance ) with transaction mentioned above with all rights (with value “*”) inside the transactions but only restricting release of Maintenance order with the help of authorization objectI_VORG_ORD and removing value: BFRE and field: BETRVORG but with all any organizational level (sayplant) assignment.

Now based on this Master Role we have to create derived Roles for all 4 Maintenance In-charges individually say for first Maintenance In-Charge we create a derived role ZDPM_MAIN_IN_CHARGE_ROLE_MI1referring the above Master Role ZMPM_MAIN_IN_CHARGE_ROLE. This will copy all the transactions and authorization objects from Master Role but will not copy the organizational level assignments which we have assigned in Master Role. Hence, we need to maintain the organizational level for the derived role (say PlantP1).

Here once we save (& Generate) the Master as well as Derived Role we can assign this role to the User ID for the particular Maintenance In-charge.

Creating a User

Step 1) Execute T-code SU01
Step 2)
  1. Enter Username which you want to create.
  2. Click the create button

Step 3) In the next screen
  1. Click the Address tab.
  2. Enter Detials

Step 4) Choose the user type in Logon Data tab.

There are 5 types of users in sap:-
  1. Dialog user:- Normally it is used for interactive system access from GUI (used for human users)
  2. System user:- Normally it is used for Background processing, communication within a system.
  3. Communication user:- It is used for external RFC calls.
  4. Service user:- Dialog user available to a larger, anonymous group of users.
  5. Reference user:- General, non-person related users that allows the assignment of additional authorizations. Example, Internet users created with transaction SU01. No logon is possible.

Step 5) Type the initial password for 2 times.

On first logon of the new user , system will ask to re-set the password.

Step 6)
  1. Select the roles tab
  2. Assign roles as per requirements

Step 7)
  1. Select the profiles tab
  2. Assign profiles as per requirements

You can assign SAP_ALL and SAP_New profile to user for full authorization.
  • SAP_ALL:You assign this profile to users who are to have all R/3 authorizations, including super-user authorization.
  • SAP_NEW:You assign this profile to users who have access to all currently unprotected components. The SAP_NEW profile grants unrestricted access to all existing functions for which additional authorization checks have been introduced. Users can therefore continue to work uninterrupted with functions which are subject to new authorization checks which were not previously executed.

Step 8)
  1. Press save
  2. Then the back button(F3) button

User will be created!

Monday, 25 April 2016

Dropping a Client

Step 1) T-code which is used for client deletion is SCC5.
Step 2)  Click on "delete in background" to run client deletion as background job.You can also check option "Delete entry from T000" table.
Table "T000"  contains clients' entry which we have created in SCC4.
Step 3) Check status of  client deletion process using  SM50.
Workprocess overview will open. "BGD" denotes background workprocess.
Once complete. Client will be deleted

Sunday, 24 April 2016

Client Copy

We can generate a blank client with SCC4.But how to fill the data in the client ?"Answer is the client copy."

Client copy means "transferring client specific data" within same instance(SID) or between different instances(SID).

Client copy can be performed with three different methods -
  1. Local client copy.
  2. Remote client copy.
  3. Client Import/Export.
Below brief details are given about client copy methods.

Local Client Copy :- This method is used to copy client within the same instance (SID).It is done by T-code SCCL.
Remote Client Copy-This method is used to copy client between different instances(SID).It is performed by T-code SCC9.
Client Import/Export:- This method is used to copy client between different instances(SID).It is performed by T-code SCC8

Client Copy Pre-steps

To avoid data inconsistencies there are few pre-steps to be performed before starting client copy:-

1) Disconnect and lock business users(SU10).You can end the session of active users in the system through SM04. Once all users are logged out , check that no cancelled or pending update requests exists in the system.

 2) Suspend all background jobs
  • Execute SE38 as given below.

  • Fill program name with "BTCTRNS1" as above figure.
  •  Press Execute.

3)  For a local copy , system must have enough space in the database or tablespace .
For remote copy, target system must have enough space in the database or tablespace. Check space using Tx DB02.
4) To avoid inconsistencies during client copy users should not be allowed to work in source client.

5) rdisp/max_wprun_time parameter should be changed to 2000 second as a SAP recommendation . Although you use parallel processes and schedule job in background , dialog processes will be used.

Local Client Copy

Local client copy is performed using Tcode SCCL. 
  • Source Instance & client := DKM-000
  • Target Instance & client := DKM-202

Step 1) Create an entry for your new target client using SCC4 . In our scenario, we will create client 202 in DKM system.Log on to this newly created target client (DKM-202) with user SAP* and default password pass.

Step 2) Excute T-code SCCL.
Step 3)
  • Select your desired profile
  • Enter Source client.
  • Enter Description

Step 4) By default Client Copy is executed as a single process. Single process will take a lot of time.We will distribute workload of single process to parallel(multiple) processes which will reduce time in copying a client.
  1. Select Goto from menubar.
  2. Select Parallel Process.Parallel processes are used to exploit the capacity of database better

Step 5) Always execute long running processes in background mode rather than foreground/dialog mode. Infact, some  processes run more quickly in background.
Step 6) The client copy logs are available in SCC3 . Status - "Successfully Completed" means client copy is completed.

Remote Client Copy:-

This technique uses Remote function call. You can view RFC from SM59. This technique depends on the network ,so network connectivity must be strong enough.

Source Instance & client := BD1-101
Target Instance & client := DKM-202
Step 1) Log on to the target system. Here we will log on to DKM system. Create a new target client entry(202) using SCC4. Log on to this new target client with user SAP* and default password "pass".Here we will log on to DKM-200 system.

Step 2) Execute Transaction Code SCC9.

Step 3) Fill the basic details as per your requirement.
Step 4) Select Parallel Process.Parallel processes are used to exploit the capacity of database better.
Step 5) Schedule the client copy in background
Step 6) The client copy logs are available in SCC3 as given below.

Client Import/Export

For large database it is recommended to use client import/export instead of remote client copy.
Source Instance & client := PKT-300
Target Instance & client := DKM-202
This technique always starts with client export step.

Note:- You must have enough space in the /usr/sap/trans_SID file system to perform the client export.

How to export client?

Step 1) Log on to the target system(DKM). Create an entry for your new target client using SCC4 .Log on to the source system / source client(PKT).

Step 2)Before you import a Client you need to export.Export is nothing but transferring data files and co-files from source system's database to target system's import buffer.Execute T-code SCC8.
 Step 3) 
  • Select profile
  • Choose target system.

Step 4) Schedule the export in background
Step 5) Once the job is executed  data files and co-files of profiles from PKT system's database are transferred to DKM system's import buffer.Once we will import request in DKM only then it will be reflected in database of DKM system.

Depending on the chosen export profile there can be up to 3 transport requests created :
  • Request PKTKO00151 will hold the cross client data,
  • Request  PKTKT00151 will hold the client dependent data,
  • Request  PKTKX00151 will also hold some client dependent data.

How to import the client? 

Step 1) Log on to the newly created target client(DKM-202) using SAP* and password pass.

Step 2) Start the STMS_IMPORT transaction
As shown below , import queue will open
Step 2) Select the transport requests generated by client export .Import theses transport requests on the target client.

The transport requests should be imported in the following sequence :
  1. Request PKTKO00151
  2. Request  PKTKT00151
  3. Request  PKTKX00151
The system automatically detects these are client export transport requests and automatically performs the import of the 3 requests.
The import logs can be seen in STMS_IMPORT.
Step 3) Post import phase:- 
Once the import is done, execute SCC7  to perform the post client import actions,
Schedule the post import job in background.
Step 4) Import log will be available in SCC3. Client is successfully  imported.