Analysis and reflection of the existing system configuration
Analysis
All roles that contain the string "ADM" are considered critical, as they usually refer to administrative roles. When identifying critical SAP permissions, profiles and roles, note that SAP does propose a naming concept, but applications and custom developments do not always follow it.
Many companies are struggling with the introduction and use of secinfo and reginfo files to secure SAP RFC gateways. We have developed a generator that supports the creation of the files. This blog post lists two SAP best practices for creating the secinfo and reginfo files to enhance the security of your SAP gateway, and explains how the generator helps you do this.

Option 1: Restrictive procedure
In the restrictive approach, only in-system programmes are allowed, so external programmes cannot be used. However, since external programmes are in fact wanted, the access control lists must be gradually expanded to include each programme required. Although this procedure is very restrictive, which speaks for safety, it has the very great disadvantage that, in the creation phase, connections that are actually wanted keep being blocked. In addition, the permanent manual activation of individual connections represents a continuous effort. For large system landscapes, this procedure is very complex.

Option 2: Logging-based approach
An alternative to the restrictive procedure is the logging-based approach. To do this, all connections are allowed first: the secinfo file contains USER=* HOST=* TP=* and the reginfo file contains TP=*. While all connections are allowed, the gateway logging records all external programme calls and system registrations. The generated log files can then be evaluated and the access control lists created from them. However, there is also a great deal of work involved here. Especially in large system landscapes, many external programmes are registered and executed, which can result in very large log files. Revising them and creating access control lists can be an unmanageable task. On the other hand, this process does not block any intended connections during the compilation phase, so the system keeps running without disruption.
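The evaluation step of the logging-based approach, as an added example (not the generator mentioned in this post): recorded events are deduplicated into explicit permit entries, and any wildcard entry is rejected so that the learning-phase "allow all" rule never reaches the final files. The input record layout is constructed for this example and is not the real gateway log format; the `#VERSION=2` header and `P` prefix are assumed ACL syntax, since the post only shows the USER, HOST and TP keys.

```python
import re

# Constructed sample records in a simplified, pre-extracted layout.
# This is NOT the real SAP gateway log format.
SAMPLE_LOG = """\
START user=BATCH01 host=app01.example.internal tp=/usr/local/bin/convert
START user=BATCH01 host=app01.example.internal tp=/usr/local/bin/convert
START user=* host=* tp=*
REGISTER host=tax01.example.internal tp=TAXCALC
REGISTER host=tax01.example.internal tp=TAXCALC
START user=JOBUSER host=app02.example.internal tp=/usr/local/bin/archive
garbage line
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def build_acls(log_text):
    """Return (secinfo_lines, reginfo_lines, rejected_lines)."""
    sec, reg, rejected = set(), set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.partition(" ")
        fields = dict(FIELD.findall(rest))
        if any("*" in value for value in fields.values()):
            # A wildcard would carry "allow all" into the final ACL.
            rejected.append(line)
        elif kind == "START" and {"user", "host", "tp"} <= fields.keys():
            sec.add((fields["tp"], fields["user"], fields["host"]))
        elif kind == "REGISTER" and {"host", "tp"} <= fields.keys():
            reg.add((fields["tp"], fields["host"]))
        else:
            # Unparseable or incomplete records go to manual review.
            rejected.append(line)
    # Sets remove duplicates; sorting keeps the files stable between runs.
    secinfo = ["#VERSION=2"] + [
        f"P TP={tp} USER={user} HOST={host}" for tp, user, host in sorted(sec)
    ]
    reginfo = ["#VERSION=2"] + [f"P TP={tp} HOST={host}" for tp, host in sorted(reg)]
    return secinfo, reginfo, rejected


if __name__ == "__main__":
    secinfo, reginfo, rejected = build_acls(SAMPLE_LOG)
    print("\n".join(secinfo), "\n".join(reginfo), sep="\n\n")
    print("\nNeeds manual review:", rejected)
```

Rejected lines are returned rather than dropped, so each one can be checked by hand before the permit-all files are replaced.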
OAC2 Change document types
Transporting transport orders from one system line to another, or importing third-party transport orders into the SAP system, is also an occasional task for an SAP basis administrator. As in my last blog post on system modifiability, I would like to offer you a quick way through this topic. Below you will find a step-by-step guide that you can follow if you have already understood the content of the topic and only need the steps to be taken.

What are the requirements?
Transport orders include two files, titled "data" and "cofiles". The file names consist of a six-character alphanumeric combination and a file extension, which often represents the system from which the files were exported. The first character is always a K (the cofiles file) or an R (the data file). For our example we call the files K12345_DEV and R12345_DEV. These files are of course needed for an import into your own SAP system. Furthermore, you need access to the file system or the SAP directories, as you have to insert the above files there manually. In addition, the transaction STMS is required in the SAP system because it attaches the transport orders to the import queue. Once you have all of this available, we can start with the import.

What is the procedure?
Operating System Level Preparation
The first step is to copy the files to the transport directory of the SAP system. This is usually below /usr/sap/trans, but can be changed individually depending on the system. If you want to make sure that you are working in the correct directory, you can look in the transaction AL11 to see which directory is specified under "DIR_TRANS". This is the right directory to work in. The existing files are copied into it, namely the cofiles file (K12345_DEV) into the cofiles folder (/usr/sap/trans/cofiles) and the data file (R12345_DEV) into the data folder (/usr/sap/trans/data).
Note: In this case, especially for companies with multiple systems on multiple servers, the access permissions and the file owner need to be changed so that the import in the target system does not cause problems.
The queue determines which support packages are inserted into your system, and in which order, by the SAP Patch Manager. If the queue is not yet fully defined, you must define the queue from the available support packages. If the queue is already fully defined, it is only displayed; you no longer have the ability to change the selection. However, you can delete the queue completely with Queue [page 37]. Note that your system is inconsistent when you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step and following). The deletion in these SPAM steps should only be used for troubleshooting, and you should repeat the insertion of the support packages as soon as possible.

The SPAM transaction ensures that only support packages that match your system are displayed in the queue. Support packages intended for another release or an uninstalled add-on will not appear in the queue, even if they are loaded into your SAP system. For more information, see Rules for the Queue [page 19]. You must define the queue before you insert support packages.

Prerequisites
You have loaded the appropriate support packages into your SAP system with SPAM [page 15].

Procedure
To define a queue, select View/Define on the entry screen of the SPAM transaction. The Select Component dialogue box appears. You will see the list of installed software components (e.g. SAP_BASIS, SAP_HR, SAP_BW, Add-On). Select the desired component. You see the available queue. This queue contains the support packages available for the selected component in your system, any required Conflict Resolution Transports (CRT), and associated Add-On Support Packages. You can: If the queue you see matches your wishes, you can accept the queue with Queue confirm and leave this selection window.
The "Shortcut for SAP Systems" tool is ideal for doing many tasks in the SAP basis more easily and quickly.
For this, the following values must be set in the customizing table PRGN_CUST: NO = The alternative spaces are still allowed in the user name.
It is important that the associated approval processes can also be mapped and easily tracked.