Thursday, September 25, 2008

FREE DOWNLOAD Business Task Management in Netweaver

http://rapidshare.com/files/60028653/Business_Task_Management_in_SAP_NetWeaver.rar

Business Process Monitoring Session in Solution Manager

Use

You want to:

· activate the Business Process SETUP session settings for a business process.

Prerequisites

You have set up business process monitoring in the Business Process SETUP Session.

Activities


1. Start the transaction SOLUTION_MANAGER.

2. Choose Solution Monitoring -> Business Process Monitoring, in the Operations area.

3. Choose the Business Process Monitoring link to the desired business process.

You go to Change Mode: Business Process Monitoring.

4. Perform the following checks in change mode:

· Basic Settings

· Activation

· Business Process

  · Step

The system generates the check with its process step subchecks when you have activated the monitoring for the business process. Check the activation log.

Session Change Modes Netweaver

Definition

In the change mode:

· of the business process monitoring maintenance session, you specify the business processes and business process steps which you have created.

· of the business process monitoring Setup session, you specify the business processes and their alerts which you want to monitor.

· of the business process monitoring Monitoring session, you monitor the business processes and process the alert messages.

Structure

The screen is divided into three areas:

Left-hand column

Displays all the checks which you must perform to set-up the business process monitoring of your solution.

Business Process Maintenance session

· Business Processes - Overview

· Interface Overview

· Contact Data

Business Process SETUP session

· Solution Support Organization

· Business Processes

  · BPMon:

    · Notifications

    · Steps (according to process steps set up)

      · Monitoring Types (according to the number of monitoring types selected)

      · Monitoring Transactions

      · Monitoring Activities

      · Notifications

    · Generate Monitoring Customizing

  · Interface Monitoring

    · Analyses and Monitoring tools

    · Monitoring activities

    · Notifications

· Data Collector Frequencies

· Local RFC Destination for Data Collection

· Monitoring Check Lists

· Cover Page

Business Processes MONITORING session

· Basic Settings

· Activation

· Business process



Any subitems of checks only appear when you have performed and saved the check. The subitems are partially preconfigured if the system has the necessary information.


Top right screen area:

Explains the use, background and procedure of the check.


To hide the documentation, move the frame.

Bottom right screen area:

The tables to be maintained by the check.


You can call the online documentation in the logon language, for the checks, with HELP (see SAP note: 789703).

Business Framework Architecture-BFA Netweaver

Business Framework Architecture (BFA) provides a structure for SAP systems to connect to their partners and customers through a specific standard.


The basic components of the Business Framework are:

  • Business components (Processes)
  • Business objects (Entity/Data)
  • BAPI (Business Application Programming Interfaces)
    BAPIs are interfaces for business objects. Together with the business objects, BAPIs define and document the business interface standard.
  • Application Link Enabling (ALE)
    This involves distributing business objects across SAP and non-SAP systems.


  • Communication Services
    These are the communication technologies, for example, Distributed Component Object Model (DCOM) and Remote Function Call (RFC), which the Business Framework uses to access BAPIs.

BRTOOLS Netweaver

The following tools are available for managing an Oracle database:

  • BRBACKUP
  • BRARCHIVE
  • BRRESTORE
  • BRRECOVER

BRBACKUP and BRARCHIVE are command-line programs, so they can easily be scheduled from your UNIX command line. The backups are based on the following programs:

  • cpio, dd in a UNIX environment
  • MKS-cpio, MKS-dd in a Microsoft environment
  • External backup program that can be accessed using BACKINT interface program (Networker, TSM etc.)
  • Oracle Recovery Manager (RMAN) on both UNIX & Microsoft platform



All actions are logged in the file system (sapbackup and saparch folders) and in some related tables. Backup logs and profiles are always included in backups performed by BRBACKUP and BRARCHIVE.

BRBACKUP and BRARCHIVE allow extensive volume management. To use the functions provided, the volumes need to be initialized with BRBACKUP and BRARCHIVE to ensure that they include an SAP-specific label. Volumes that have not been released for use cannot be overwritten, if the retention period has not expired.

FYI, BRTOOLS are not limited to SAP. You can also use these tools to manage any other Oracle database that is not connected to SAP.

BRBACKUP Netweaver

The BRBACKUP tool allows an online or offline backup of the control file, of data files in individual or all tablespaces and, if necessary, of the online redo log files, as shown in the graphic. BRBACKUP also saves the profiles and logs relevant for the backup.


In addition to the actual backup, BRBACKUP also:

  • Changes the state of the database automatically, depending on the type of backup wanted (that is, online or offline)
  • Checks the status of files
  • Optimizes the data distribution on the backup media. The algorithm for distribution is specially adapted to the requirements of a database backup, that is, to backing up a small number of large files. The distribution of data depends on whether you carry out a serial or parallel backup
  • Performs software compression, if the option is selected
  • Saves to hardware compressing tape stations, taking previously determined compression rates into account

The BRCONNECT program makes sure that the database status required for the online or offline backup remains unchanged during the backup. The saving rates largely depend on the number of tape stations in use and the CPU load (particularly when software compression is used).

You can also back up any files or directories you want. However, the backup of a directory is restricted to the files it contains. This enables backups of all SAP objects that do not belong to the database (for example, programs, SAP start profiles, selected logs, and so on).

You can also perform database backups on several disks or remotely connected tape stations.

BRBACKUP also supports Oracle databases on raw devices and Oracle Real Application Cluster (RAC) configurations.

BRARCHIVE Netweaver

You can use the BRARCHIVE tool to archive the offline redo log files, that is, the online redo log files saved to the archiving directory by Oracle. For more information, see the graphic. BRARCHIVE also saves all the logs and profiles of the archiving process.

Reasons for archiving offline redo log files include the following:

  • In the event of a failure, a consistent database status can only be recovered if all relevant redo log files are available.

  • The database system of a production SAP System has to be operated in the ARCHIVELOG mode to prevent overwriting of unsaved online redo log files. To protect the archive directory against overflowing, it has to be emptied regularly.

  • An online backup of data files is useless if the related redo log files are missing. Therefore, you must archive the offline redo log files generated during the online backup immediately after running BRBACKUP.

For security reasons, BRARCHIVE offers duplicate archiving of offline redo log files (redundant serial or parallel archiving is possible). On the basis of the logs, BRARCHIVE can make sure that redo log files are not deleted before they have been archived and that the same files are archived once or twice.

BRARCHIVE allows the database administrator to continually archive offline redo log files. This means that the archiving directory, where Oracle places the offline redo log files, can be kept free by continually archiving and then deleting saved redo log files.

You can save offline redo log files on local or remote tape or on local or remote disk. Backup on disk is used particularly in the standby database environment.

BI Workload Stats in Netweaver 7.0 Netweaver

Recently installed or upgraded to BI 7.0? You will find that when you use transaction ST03N to view BI workload statistics (for OLAP, data load stats, etc.), it is empty.
This is because ST03N does not read directly from the RSDDSTAT tables anymore.
Using the delivered technical content, you need to load the data from RSDDSTAT into technical InfoProviders, which are then read by ST03N.

See SAP Note 964418 and 934848 for more information on this new feature.

Automatically Generated Information in BW Netweaver

Definition

Automatically generated information in the SAP Business Information Warehouse (SAP BW) consists of technical information that is generated by the system as well as manually created documentation. Both are displayed together in the browser. This concerns information about BW objects, such as InfoSources, InfoCubes, or queries. Within this information, you can navigate to help or further documentation by using additional objects, such as necessary objects or those that have been used.

Prerequisites

You need access to an SAP BW system in order to be able to display automatically generated information. Otherwise, you can also export HTML pages: Metadata Exchange in XML Format by CWM.

Procedure

You can call up the automatically generated information from the following places:

  • Administrator Workbench (AWB)
  • Administration
  • Business Explorer Analyzer (BEx) / Query Designer

Different procedures are required at the individual places for displaying automatically generated information:

Administrator Workbench (AWB)

  1. AWB -> Modeling
    1. Select the respective object and choose F1.
  2. AWB -> Modeling -> Object Maintenance -> MultiProvider
    1. Select the respective MultiProvider.
    2. Choose Documentation.
  3. AWB -> Modeling -> Object Maintenance -> InfoSet, InfoCube, or InfoObjects
    1. Select the respective object.
    2. Choose Documents.
    3. Choose Display Documentation.
  4. AWB -> Modeling -> Object Maintenance -> ODS Object
    1. Select the respective ODS object.
    2. Choose Display.
    3. Choose Documents.
  5. AWB -> Transport Connection
    1. Select the respective object and choose F1.
  6. AWB -> Documents
    1. Select Metadata.
    2. Select the Object Type you want.
    3. Select the Object Name you want.
    4. Double-click on Show Me the Documents from...
    5. Choose Display Documentation.
  7. AWB -> Metadata Repository
    1. Select the respective object type first, such as a query.
    2. Double-click on the respective object.

The information is then displayed in the browser.


If you display automatically generated information for an InfoSource, you can use Communication Structure to see the InfoSource fields.

Administration

Administration -> Process Chains

    1. Select the respective process chain by double-clicking on it.
    2. Choose Documents.
    3. Choose Display Documentation.

Business Explorer or Query Designer

    1. Go to the change mode for the query.
    2. Choose Change Query (Global Definition).
    3. Choose Query Properties.
    4. Choose Documents.
    5. Choose Display Documentation.

Exchanging Metadata in XMI Format Netweaver

Use

You can use the XMI format in the Administrator Workbench functional area Transport Connection to exchange metadata (BW objects) between different systems. A model derived along the lines of the CWM (Common Warehouse Metamodel) is used here.

Note

You can find additional information about the CWM standard on the OMG (Object Management Group) homepage: www.omg.org.

You can find additional information about the Administrator Workbench function area Transport Connection under Transport Systems.

Integration

You can export or import the XML files (Download or Upload to/from PC) in the Administrator Workbench.

An HTTP service is also available under SAP/BW/XML/CWM. You can use this HTTP service to request this metadata in the way in which you are familiar from using the Web server. In order to request metadata for an object, use the following URL:

http://:Port/SAP/BW/XML/CWM?/CLASSID=&ID=&DETAIL=X&OBJECTVERSION=A

You need to replace the following terms:

Term

Information

:

Specify the name of the server and the port for the required BW system.

Example

http://LS0027.WDF.SAP-AG.DE:1080/SAP/BW/XML/CWM?...


Specify the name of the class for the required BW object.

Example

As an example for the class InfoCube: CLASSID=COM.SAP.BW.CWM.OLAP.INFOCUBE

Note

You get the BW model in XML format from the following URL:

http://:Port/SAP/BW/XML/CWM?CLASSID=METAMODEL


Specify the technical name for the required BW object.

Recommendation

You get an Overview of All Objects from:

http://:Port/SAP/BW/XML/CWM?CLASSID=LIST&ID=&DETAIL=&OBJECTVERSION=A

You get an Overview of All Business Content Objects by using the parameter &OBJECTVERSION=D, namely

http://:Port/SAP/BW/XML/CWM?CLASSID=LIST&ID=&DETAIL=&OBJECTVERSION=D

You get an Overview of All Objects of a Specific Type by using the ID specification in the URL.

Example

For example, you specify the following for InfoCubes:

http://:Port/SAP/BW/XML/CWM?CLASSID=LIST&ID=COM.SAP.BW.CWM.OLAP.INFOCUBE&DETAIL=&OBJECTVERSION=A

Functions

The exchange of metadata involves:

· Importing from another system

· Exporting into another system

Recommendation

Only objects for which there are BAPIs (Business Application Programming Interfaces) are supported with details. You can only import these objects after you have changed them. You are still not able to import non-BW objects.

You can export the current BW model according to the XMI (XML Metadata Interchange) standard. This is made possible with the SAP report RSO_REPOSITORY_EXCHANGE_XML.

Note

You can find additional information about the XMI standard on the OMG homepage: www.omg.org.

The following graphic illustrates the functions EXPORT and IMPORT.


Searching for Metadata Netweaver

Prerequisites

For you to be able to fully search in metadata, the search engine must be fully installed.

If the search engine has not been fully installed, the system generates an appropriate message after you enter a search term. You can either complete the installation of the search engine, or you can search for metadata using F4 help. However, this search process is limited to finding technical names and short and long texts for the objects.

Procedure


In the navigation area of the metadata repository, choose Search in Metadata Repository.

If you are using the search function in a BW system with release 2.0/2.1C for the first time, you have to create the search index first. To do so, choose Extras -> Metadata Search -> Create Search Index. The search index is created in the background.

Enter the term in the Search term entry field.

You can search by description (title) or by the object’s technical name. The system makes a full text search of all the objects in the search index.

If you want to restrict the search, you can choose one of the following object types:

InfoObjects

InfoCubes

ODS Object

Queries

Choose Start Search.

Result

You receive a list sorted according to object type /symbol, number, and technical name for activated objects and Business Content objects.

Defining Source System in BI 7.0 Netweaver

In BI 7.0, the source system definition for a source system with a Basis release lower than 640 is quite different.

As of release 640, you can use upper- and lowercase characters in user passwords. Previous releases support only uppercase characters; remember that passwords are automatically converted to uppercase in those releases.

As the BI system is based on Basis 700, upper- and lowercase characters in passwords matter.

Otherwise, defining the source system is almost the same as an ordinary BW source system definition.

One more important thing is that you have to take the EDI ports into account. Your system definition may be cancelled if these settings are not correct. The settings must be checked on both the BI system and the source system.

Here are the steps to configure a source system with a Basis release lower than 640 in BI 7.0:

1. Take a look at table EDIPORT of your BW system and note the next free number for the field "Port". This is the adjacent number of the highest entry like 'A0000000123' for example. In this case e.g. take '124'.

2. Choose transaction "snum" and object "ediport".

Select "number ranges" from the menu "Goto" and here the button "status".

Change the CURRENT NUMBER of the ranges to the next free number you noted from table EDIPORT.

If the number range of your BW system is correct please check the same in your OLTP system.

3. Call TCODE RSA1 on BI System in BI Client.

4. Select Source Systems on Left Menu

5. Left Click SAP System and Choose Create

6. The important thing is that, as the source system has a Basis release lower than 640, you have to give all passwords (for the BI ALEREMOTE user and for the source system ALEREMOTE user) in UPPERCASE.

My Favourite is giving RFCCPIC for ALEREMOTE Passwords.

7. It Must Be OK.

Setting BW Production Client Netweaver

To set up a production client in a BW system in order to use BW functions (e.g. RSA1), take the following steps.

1. create new client via SCC4

2. copy client from 000

3. adapt the instance or default profile parameter login/system_client so that the system opens with the production client

4. Edit the customizing in table RSADMINA and change the value of field BWMANDT to your new client.

5. Test with running RSA1.

References: OSS Note 122679 and 116432


BSP call : type of termination: RABAX_STATE

If you are getting the following error when calling Web Interface Applications created with TCODE BPS_WB in an SEM system:


500 SAP Internal Server Error
Error message: An exception that could not be caught occurred.
( type of termination: RABAX_STATE )


Then you have a configuration problem that is easy to solve.


When you check the ST22 ABAP dump logs, you should find the following dump:


Runtime Errors UNCAUGHT_EXCEPTION
Exception CX_BSP_HOST_NOT_QUALIFIED
Occurred on 09.12.2004 at 16:27:41


An exception that could not be caught occurred.


What happened?


The exception 'CX_BSP_HOST_NOT_QUALIFIED' was raised but was not caught at any stage in the call hierarchy.

Since exceptions represent error situations, and since the system could
not react adequately to this error, the current program, 'CL_BSP_RUNTIME================CP ', had to be terminated.


In this case you have to check your ICM Server setting icm/host_name_full. This parameter must show the fully qualified domain name of your machine.


like: .


You can change this parameter by adding it into Instance Profile of your SAP System (__) via RZ10 TCODE.


If your system is not connected via Domain or not within a domain, you must do the following TRICK.


1. Open your server's hosts file (UNIX: /etc/hosts, Windows: C:\WINNT\system32\drivers\etc\hosts).


2. Add the following line.


.


e.g.


10.0.0.1 saptest1


10.0.0.1 saptest1.domain


3. Change the icm/host_name_full profile value within Instance profile


4. Restart your SAP R/3 server (only R3 with stopsap__ r3)


5. Try your BSP Application.


6. It works ha?



The following article was published on SDN by Brian McKellar on Sep. 25, 2003 04:11 PM:

In synchronized translation: “BSP Exception: The URL does not contain a full domain specification (ls0028 instead of ls0028.wdf.sap-ag.de).”

Lovingly, this is referred to as the “Fully Qualified Domain Name” problem. FQDN requires that the hostname must be specified with a complete domain name when addressing the server.

For example:


Usually only the host name in the URL is required for the browser to determine the IP address to use. In the above example, ls0028 can easily be resolved to the correct IP address without the requirement of a domain name. See:


In the first instance, the hostname part of the URL is only for the browser to find a route to the Web server. Once on the Web server, the rest of the path starting at / is used to resolve the specific page to view.

So why would BSP require an FQDN and other services would not?

Motivation for FQDN

The first interesting aspect to understand is that the host name in the URL is effectively a routing string, which tells the browser how to reach the target. A typical situation is that a host might have an intranet name (example ls0028.wdf.sap-ag.de) that is totally different from the Internet name (example bsp.sap.corp - name changed to protect the innocent:). The name entered in the URL is important for the SAP Web AS, as this tells us the route that was followed to the server.

This host name is always placed into the HTTP header (header field “Host:”). The information is available on the server as to what the browser thinks the correct name is.

There are three big reasons why the browser must access the Web AS with FQDN.

  • Use of HTTPS protocol. The SSL protocol requires that the server and browser names match the names in the certificates (if used).
  • When setting cookies for a specific domain, it’s important to know the domain the browser requires for the cookie, so that the cookie will always be returned to the server. A typical example is the SSO2 cookie used for Single Sign-On over multiple servers.
  • For Java Script calls to work over different frames (from different hosts in the same domain), each frame must relax its document domain. Typically the hostname is stripped, and the domain is set to the FQDN. For this to work, the browser must already know the FQDN for the document that it’s retrieving. This information cannot be set from the server and must be correct from the beginning of the request.

Especially for the domain relaxation aspect, the BSP runtime cannot know beforehand if this will be used for the application. If FQDN is not enforced, it just opens the potential for many other types of more difficult-to-diagnose problems.
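The check described above, as an added example that is not part of the original article and is not SAP code: it parses the "Host:" header, decides whether the name is fully qualified, and derives the domain left after stripping the host label (the scope a domain cookie or a relaxed document domain would use). The function names, the sample path and the rule that at least two labels must remain for a relaxed domain are assumptions of this sketch.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class HostCheck(NamedTuple):
    host: str                      # host part of the Host header, lower-cased
    port: Optional[int]            # port from the header, if one was given
    qualified: bool                # True when the name carries a domain part
    relaxed_domain: Optional[str]  # what is left after stripping the host label


def split_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split 'name[:port]' or '[ipv6][:port]' into (host, port)."""
    value = value.strip()
    if value.startswith("["):                      # bracketed IPv6 literal
        host, sep, rest = value[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 literal in Host header")
        port_text = rest[1:]
    else:
        host, _, port_text = value.partition(":")
    if not host:
        raise ValueError("empty host in Host header")
    if not port_text:
        return host, None
    if not (port_text.isascii() and port_text.isdigit()) \
            or not 0 < int(port_text) < 65536:
        raise ValueError("invalid port in Host header")
    return host, int(port_text)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_host_header(value: str) -> HostCheck:
    """Classify a Host header value as fully qualified or not."""
    host, port = split_host_header(value)
    host = host.rstrip(".").lower()                # tolerate a trailing root dot
    if _is_ip_literal(host):
        # An address names no domain, so there is nothing to scope a cookie to.
        return HostCheck(host, port, False, None)
    labels = host.split(".")
    if not all(labels):
        raise ValueError("empty label in host name")
    qualified = len(labels) >= 2
    # Assumption of this sketch: report a relaxed domain only when at least
    # two labels remain, so the scope never widens to a single bare label.
    relaxed = ".".join(labels[1:]) if len(labels) >= 3 else None
    return HostCheck(host, port, qualified, relaxed)


def qualified_url_for(value: str, path: str, host_name_full: str,
                      scheme: str = "http") -> Optional[str]:
    """Return a corrected URL for an unqualified request, else None.

    The host name is taken from configuration (the value one would set in
    icm/host_name_full), never from the client-supplied header; only the
    already validated port is reused.
    """
    check = check_host_header(value)
    if check.qualified:
        return None
    port = f":{check.port}" if check.port is not None else ""
    return f"{scheme}://{host_name_full.lower()}{port}{path}"


if __name__ == "__main__":
    # Constructed sample headers; the host names are the ones used in the text.
    for header in ("ls0028:8080", "ls0028.wdf.sap-ag.de", "10.0.0.1", "[::1]:8080"):
        print(header, "->", check_host_header(header))
    print(qualified_url_for("ls0028:8080", "/demo/default.htm",
                            "ls0028.wdf.sap-ag.de"))
```
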

ICM Configuration

Usually, FQDN and its use are a browser-related problem. The URL is entered at the browser and should be correct.

However, there are many cases where a URL is created at the server. One typical example is when a BSP application is tested in the SE80. A browser window is opened with the URL to test. In this case of course, the URL must also be a FQDN!

Usually the ICM picks up the correct domain for the server from a Domain Name Server (DNS). However, there are many cases where this does not work accurately. For them, ICM supports a profile parameter icm/host_name_full. We recommend you configure this parameter at all times. This is the hostname that will be used to build fully qualified URLs.

References

ICM Configuration. Specifically icm/host_name_full.

For domain settings see OSS/CSN Note 434918.

Setting Up BEx Web in BI 7.0 Netweaver

Did you recently upgrade to or install BI 7.0 and want to make use of the new functionalities of BI and Java?
Look at Note 917950 - SAP NetWeaver 2004s: Setting Up BEx Web.
It contains a few attachments which are very handy in setting this up.

Friday, September 12, 2008

FREE DOWNLOAD Beginners SAP XI

http://rapidshare.com/files/60027978/Beginners_guide_for_SAP_XI_Part1.rar

http://rapidshare.com/files/60027989/Beginners_guide_for_SAP_XI_Part_2.rar

Business Partner Integration Using Industry Standards

With this variant, SAP NetWeaver uses industry-specific business packages to support the integration of both new and existing industry standards. The business packages contain the collaboration knowledge defined by the respective industry standards, and the technical adapters required for the transport, routing, and packaging of industry-specific messages.

The technical adapters provided are:

The RNIF adapter for the RosettaNet industry standard for the high tech industry

The CIDX adapter for the chemical industry

Both adapters run in the central or non-central Adapter Engine.

The Adapter Engine connects senders and receivers that do not speak the XI message protocol by handing over messages to the Integration Engine and the other way round.

In addition to the central Adapter Engine, non-central Adapter Engines can be installed on an SAP NetWeaver AS Java without Integration Engines. There may be any number of non-central Adapter Engines, each associated with exactly one Integration Server with which the Adapter Engine communicates using the XI protocol.

The following security aspects apply:

Propagating user identities

User identity propagation should not be used for B2B communication, because external users cannot be distinguished from internal users.

See also: Service Users for Message Exchange

User authorization

Access control lists (ACLs) can be defined in the Integration Directory for the RNIF and CIDX adapters.

See also: Service Users for Message Exchange

Message-level security

Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.

However, message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which means the following communication paths when the RNIF or CIDX adapter is involved:

RNIF and CIDX protocol

RNIF or CIDX sender to Adapter Engine

Adapter Engine to RNIF or CIDX receiver

The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust model.

See also:

Message-Level Security

Security Configuration at Message Level

Network and communication security

Depending on the protocol used, all data (including passwords) is usually transmitted through the network (intranet or Internet) in plain text. To maintain the confidentiality of this data, you should apply transport-layer encryption for both internal communication and message exchange.

For an overview of supported security mechanisms on transport level, see Network and Communication Security.

Communication ports

For the configuration of a process integration landscape, it is necessary to know the network addresses, the ports, and further information such as Internet addresses, to be able to define rules for the security components of the network (such as firewalls and proxies).

For messaging components, you have to distinguish between push mode and pull mode. For push mode protocols and adapters, like the RNIF and CIDX adapters, certain ports and addresses are used for incoming messages.

See the table in Communication Ports.

Network zones

Depending on the usage scenario, the risk assessment of the network infrastructure, and a company’s security policy, appropriate security measures should be taken.

The most critical case is where PI is used for B2B messaging and the business partner sends HTTP messages over Internet connections that are not secure. In this case, we strongly recommend that you use secure messaging connections and security components such as firewalls and application gateways to prevent attackers from eavesdropping or modifying messages.

Depending on the security requirements, a dedicated Integration Server for B2B messaging can be added in a separate network zone. This provides enhanced security because it impedes direct access from the Internet to the more critical A2A Integration Server and A2A Adapter Engines.

See also: Network Zones

Adapter-specific security configuration

Each adapter is configured by an adapter-specific configuration for both the inbound (sender) side and the outbound (receiver) side. You make these configuration settings in a sender agreement for the inbound side and a receiver agreement for the outbound side, together with adapter-specific channels referenced in the agreements.

See RosettaNet RNIF Adapters for special considerations concerning the RNIF adapters.

See CIDX Adapter for special considerations concerning the CIDX adapter.

Adding an ABAP System to ...

When you add an SAP NetWeaver Application Server (AS) ABAP system to your system landscape, you must decide whether you want to do the following:

● Add the system to Central User Administration (CUA)

● Use Lightweight Directory Access Protocol (LDAP) synchronization

You can do both. The following figure shows a number of ABAP systems in a CUA where the CUA central system is synchronized with an LDAP directory.


ABAP Systems in a CUA Landscape and Synchronized with an LDAP Directory

Central User Administration

With CUA, you maintain user master records centrally in one system. Changes to user information are then automatically distributed to the child systems. The CUA provides you with an overview of all user data in the entire ABAP system landscape.

For more information, see Central User Administration.

The use of CUA is not a requirement, but it is designed to make the management of multiple ABAP systems easier. If a new ABAP system is not a child system of CUA, then you must manage the new system independently.

For more information, see User Maintenance.

LDAP Synchronization

You can make use of or provide information to an LDAP directory in your system landscape. The direction of the synchronization depends on whether the LDAP directory or the ABAP system is the leading system for user data.

Note

The user password is not transferred from the AS ABAP to the LDAP directory when the user data is synchronized. You must maintain the user password, both in the ABAP (or CUA) system and in the directory service.

Using Single Sign-On (SSO) with an AS Java, you can avoid duplicate password maintenance altogether. Configure the user management engine (UME) of the AS Java to use the LDAP directory as its data source. All systems must be configured to accept logon tickets. Users can now log on using the UME, are authenticated with the directory service, receive a logon ticket, and can then access all systems with SSO.

For more information, see Adding an AS Java System to Your System Landscape.

Recommendation

If you want to integrate a large number of ABAP systems, we recommend that you use CUA and synchronize the CUA central system with the LDAP directory. This way it is not necessary to synchronize each ABAP system separately. You can then distribute the synchronized data from the central system to the child systems and use the central system to manage the system-specific ABAP authorization role assignments.

For more information about LDAP synchronization, see Synchronization of SAP User Administration with an LDAP-Compatible Directory Service.

Inconsistency in SAP NetWeaver BI in Just 5 Steps

Consider an organization with multiple source systems feeding master and transactional data to an enterprise data warehouse based on SAP NetWeaver BI. During these data update stages, all the data targets that the system retrieves for consolidation, cleansing, and enrichment need the most current data. This is particularly critical in a single-source data warehouse. When you consolidate or enrich information, you must confirm that all the dependent loads succeeded.

If your enterprise has a single master data chain, the transactional loads can still progress even though the master data chain has failed for some of the master data. This allows inconsistent data to infiltrate your system. To avoid this, you need to set up dependencies in the data load process chain.

However, SAP NetWeaver BI 7.0 and earlier releases lack the infrastructure capabilities to set up these dependencies. We developed a five-step process that allows you to set up and track dependencies for critical loads:

Step 1. Become familiar with using the ABAP program process type in transaction RSPC

Step 2. Create a custom table in transaction SE11 to map and store the dependencies

Step 3. Create a custom program to get the dependencies for the data load

Step 4. Create a variant for each dependency you need

Step 5. Run the process chain with the variant you created in step 4

When implemented, the process automatically synchronizes the data loads — using dependencies that you maintain in a custom table — and checks for successful completion of these dependencies in the process chain execution. If a dependent process does not complete successfully, the process blocks the next data load and raises an error.

Assigning Authorizations Netweaver

Use

A single administrator (superuser) or a group of administrators assign authorizations, depending on the size and organization of your company. By assigning authorizations, the administrator determines (within the range of possibilities defined by the programmer) which functions a user may execute or which objects he or she may access.

Process Flow

As an administrator, you perform the following steps to assign authorizations:

· Maintaining authorizations for each authorization object

An authorization is the combination of permissible values in each authorization field of an authorization object.

· Generating Authorization Profiles

Authorizations are grouped in authorization profiles in such a way that the profiles describe work centers, for example, flight reservation clerk.

We recommend that your system administrator automatically sets up authorization profiles using the Profile Generator (see Role Maintenance). If necessary, the administrator can also set up an authorization profile manually by choosing Tools → Administration, User maintenance → Profiles (see Creating and Maintaining Authorizations and Profiles Manually).

· Assigning authorization profiles to a user master record

By assigning the roles, you assign the corresponding authorization profiles (work centers) to a user master record.

Result

When an authorization check takes place, the system compares the values entered by the administrator in the authorization profile with those required by the program for the user to execute a certain activity.

Authorization Netweaver

Authority to execute a particular action in the SAP system. Each authorization references an authorization object. It defines one or more values for each authorization field contained in the authorization object. Authorizations are combined in profiles, which are entered in a user’s master record.

The user can work in the SAP System after a successful authorization check.

Editing Predefined Authorizations Netweaver

Once you have a role, you can generate authorizations automatically. The values of these authorizations are predominantly supplied with SAP default values. However, you can add missing values, change default values and also add additional authorizations from SAP templates or profiles.

Generating Authorizations


1. In role maintenance (transaction PFCG), choose the Authorizations tab page.

In addition to creation and change information, there is also information about the authorization profile there: the profile name, profile text, and status.

The status display on the Authorizations tab page displays whether or not the corresponding authorization profile is current. The profile is not current if the display is red or yellow. In this case, the status text on the tab page shows the reason for this.

2. To change the predefined and open authorizations of the transactions assigned to the role, choose Change Authorization Data or Expert Mode for Profile Generation.

You can explicitly select the maintenance options for the authorization values in expert mode. This option is automatically set correctly in normal mode.

3. Maintain the predefined and open authorization fields for the transactions.

4. To generate an authorization profile based on this data with the Profile Generator, choose Generate.

The authorization profile generated in this way is added to the master records of the users of the role after the user master records are compared.

Changing authorizations


1. Choose Change Authorization Data.

2. You can maintain organizational levels by choosing Org. levels.

Note

If the selected authorization data contains organizational levels, the dialog window appears.

Organization levels can be plants, company codes and business areas, for example. Specify a global value for this role for each organizational level; that is, for each field.

Note

You can display and maintain existing organizational levels with the transaction SUPO.

3. Save your entries.

4. Check or change the default authorizations in the hierarchy view displayed. See SAP authorization concept and Authorization maintenance symbols and status texts.

Authorization Checks Netweaver

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:

· Starting SAP transactions (authorization object S_TCODE)

· Starting reports (authorization object S_PROGRAM)

· Calling RFC function modules (authorization object S_RFC)

· Table maintenance with generic tools (authorization object S_TABU_DIS)

Checking at Program Level with AUTHORITY-CHECK

Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.

AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.

Starting SAP Transactions

When a user starts a transaction, the system performs the following checks:

· The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

· The system then checks whether the user has authorization to start the transaction.

The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.

¡ The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

¡ If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).

Note

If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).

· The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.

The check is not performed in the following cases:

¡ You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.

This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

¡ You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.

¡ For the entries that you have made with transactions SU24 and SU25 to take effect, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
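The matching rule of AUTHORITY-CHECK and the transaction-start sequence described above, modelled offline in Python as an added example (not SAP code and not from the original page). Value matching is simplified to exact values and trailing-* patterns; the object Z_PAYRUN, the transactions ZPAY and ZOLD, and the sample authorizations are constructed, and ACTVT is the activity field of S_TABU_DIS.

```python
from dataclasses import dataclass
from typing import Optional

def value_matches(granted, required):
    # Simplified: exact value, "*", or a trailing-"*" pattern such as "SE1*".
    return granted == required or (
        granted.endswith("*") and required.startswith(granted[:-1]))

def authority_check(user_auths, obj, **required):
    """Succeed only if ONE authorization for obj covers every required
    field; values from two different authorizations are never combined."""
    return any(
        auth_obj == obj and all(
            any(value_matches(g, want) for g in fields.get(name, ()))
            for name, want in required.items())
        for auth_obj, fields in user_auths)

@dataclass
class Transaction:
    locked: bool = False
    extra_check: Optional[tuple] = None  # (object, {field: value}) set in SE93

def can_start(tcode, tstc, user_auths, su24_off=frozenset(), no_check_param="N"):
    """Return (allowed, reason), checking in the order the text describes."""
    tx = tstc.get(tcode)
    if tx is None:
        return False, "not in TSTC"
    if tx.locked:
        return False, "locked"
    if not authority_check(user_auths, "S_TCODE", TCD=tcode):
        return False, "S_TCODE"
    if tx.extra_check:
        obj, fields = tx.extra_check
        # SU24/SU25 deactivations count only if AUTH/NO_CHECK_IN_SOME_CASES = "Y"
        skipped = no_check_param == "Y" and (tcode, obj) in su24_off
        if not skipped and not authority_check(user_auths, obj, **fields):
            return False, obj
    return True, "ok"

# Constructed sample data; Z_PAYRUN, ZPAY and ZOLD are hypothetical names.
TSTC = {"SE16": Transaction(),
        "ZOLD": Transaction(locked=True),
        "ZPAY": Transaction(extra_check=("Z_PAYRUN", {"ACTVT": "01"}))}
USER = [("S_TCODE", {"TCD": ["ZPAY", "SE1*"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["Z000"], "ACTVT": ["03"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["Z001"], "ACTVT": ["02"]})]

if __name__ == "__main__":
    for code in ("SE16", "ZOLD", "ZPAY", "NOPE"):
        print(code, can_start(code, TSTC, USER))
```

The two S_TABU_DIS authorizations in USER show why a role review has to evaluate each authorization on its own: display (03) for Z000 together with change (02) for Z001 does not grant change on Z000.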

Starting Report Classes

You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.

We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.

Note

You must consider the following:

· After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).

· There are certain system reports that you cannot assign to any authorization class. These include:

· RSRZLLG0

· STARTMEN (as of SAP R/3 4.0)

· Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).

· Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.

Calling RFC Function Modules

When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.

Checking Assignment of Authorization Groups to Tables

You can also assign authorization groups to tables to prevent users from accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

Example

You can assign a table to authorization group Z000 (use transaction SM30 for table TDDAT). A user who wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).

See also:

· SAP Notes 7642, 20534, 23342, 33154, and 67766

· Documentation for RSCSAUTH
