SAP User Types

This article answers the following queries:

• What are the different user types in SAP?
• Which user type(s) is /are used for dialog free communication in SAP?
• Validity period of a password is not applicable to which user type(s) in SAP?
• What are the specific uses of system user type in SAP?
• Which user type(s) cannot be used for direct logon to the SAP system?
• Which user type in SAP does not have a check on validity of password expiry or initial password?
• Which user type in SAP can be used to assign additional identical authorizations to other users?

1. What are the different user types in SAP?

    These are the 5 user types that are present in SAP

• Dialog
• Communication
• System
• Service
• Reference

Dialog: This is the most commonly used type. This user type is primarily for individuals to gain interactive system access. A user of this type can perform dialog processing in interactive mode, background processing, batch input processing and CPI-C services provided there are no explicit restrictions via assignment of specific authorizations.

SAP licensing can prohibit multiple concurrent use of the same user id in production SAP systems.

Communication: This user type is used for dialog-free communication between systems such as RFC (Remote Function call) communication. This user is not allowed to logon to the R/3 system or start dialog processing

System: This is the user type which can be used for dialog-free communication within a system (such as for RFC users for ALE, TMS, workflow and CUA) and for background processing.

A specific use of the system user type is validity period of a password won’t apply for this type. So, this can be used to run background jobs and in between RFCs so that jobs or RFC communications won’t fail due to expiry of the password.

Please note that logon in dialog is not possible used System user type.

Service: This user type is a dialog user which is available to a large, anonymous group of users. For example, to access via ITS (Internet Transaction Server)

There won’t be any check on initial password or expired passwords for this user type. Also, multiple logons are explicitly permitted for this user type.

However this user type should be assigned with great caution and with limited authorizations for security reasons.

Reference: This user type is in general, non-person related user.  This user type cannot be used for logon. Instead this user type will serve as a reference for assigning additional identical authorizations to other users.

For example: In case you have to assign some identical authorizations to all internet users, you can create a reference user with those authorizations and use this reference user to assign identical authorizations to all other users.

Installing and Upgrading Add-Ons

Add-On Installation Tool can process two different types of add-on delivery packages: add-on installations and add-on upgrades.

NOTE:

Only import packages when the system load is low, since users must not be logged onto the system and there should be no background jobs running.

Otherwise, problems can arise, such as terminated transactions or problems with synchronization.

Since the add-on installation procedure is identical to the add-on upgrade procedure, the installation is used as an example here.

Prerequisites

• You must have distributed maintenance certificates in your system if you want to import SAP add-on packages. For more information, see the SAP Support Portal under http://service.sap.com/maintenancecertificate and SAP Note 1240265.
• You are logged on in client 000.
• You have loaded the relevant installation packages into your system.
• You have called Add-On Installation Tool with transaction SAINT.
  The add-ons that have already been installed are listed on the initial screen.
• You have selected the required installation mode in the Add-On Installation Tool settings.

Procedure

Before installing add-ons you first have to make a series of definitions: The Add-On Installation Tool guides you through these. Use the Continue button to move to the next step. Choose Back to return to the previous step.

1. Define the installation queue
   Since it is often not only one add-on that is installed but several add-ons at the same time you first have to select the add-on packages that are to be installed. From the add-on packages that are selected, the system calculates the installation queue in the right order, that is, all packages that the installation consists of.
   Depending on whether your system is configured in the Solution Manager or not, you can define the installation queue using a stack configuration (Solution Manager) or manually.
   For more information, see Defining the Installation Queue.
2. Optional: Extend the installation queue with Support Packages.
   If you also want to include Support Packages with the add-ons to be installed in the installation queue, you can choose Support Packages that are to be imported with the queue for each software component on the Support Package Selection tab.
   For more information, see Extending the Installation Queue with Support Packages.
3. Optional: Include modification adjustment transports into the installation queue.
   If you have already executed a modification adjustment (for example, in the development system) and have created an adjustment transport from it, then you can include it in the follow-on systems in the installation queue.
   For more information, see http://rajsapbasis.blogspot.in/.
4. Define the start options or check those selected.
   You can define start options for the individual modules according to your system requirements. If you confirm the dialog field without changing any settings, the import tool assumes the default start options, according to the selected import mode. If you change any settings, you can save them as a template for future import activities.
   For more information, see Defining Start Options.
5. Install the queue.
   The selected start options define when the queue is installed. For example, if you have selected the option Immediate Start for the preparation module, then the installation starts straight after you have confirmed the start options.
   Depending on the selected import mode, the Add-On Installation Tool executes the installation.

Logon group configuration in SAP

Logon group configuration in SAP

This article answers following questions:

• How to configure/setup logon groups in SAP?
• What are logon groups in SAP?
• What transaction code is used for logon group configuration?
• How to perform work load distribution in SAP system?
• Explain the benefits of logon groups in SAP?
• What are the advantages of creating logon groups?
• What are the guidelines for creating logon groups in SAP?
• What is the default logon group in SAP?
• How to delete logon group in SAP?
• How to check logon load distribution in SAP?

Logon Groups:

Logon groups (or work groups) are configured to dynamically distribute the load being processed by the dialog work processes.

In many cases, SAP systems will have 2 or more sap abap instances. In these cases, logon groups can be configured to achieve dynamic distribution of dialog users on the ABAP instances.

Setting up logon groups helps in uniform distribution of the work load across the available instances. While logging on using a logon group, the ABAP message server is contacted to identify the instance with best performance statistics within the selected logon group. A report runs in SAP every 5 minutes which determines the load across each server and updates in the memory area of the message server. This information will be used by SAP GUI to determine the best instance to distribute the next user.

SPACE is the default logon group. By default, every instance of an SAP system (including central instance) is assigned to the logon group SPACE. This performs uniform distribution of the dialog workload.

However, if you want to distribute users on some other criteria as following, you can create additional logon groups using SMLG transaction code.

Other criteria:

Logon groups according to SAP application / module: Separate logon groups can be setup for applications/modules such as HR, FI/CO, SD, MM etc. It means HR module users will be restricted to logon to identified instances, similarly other module users are allowed to login to their respective identified instances. The advantages of this method, is only the programs of the respective module are loaded into the program buffer of the particular instances of that logon group. Due to this, program buffer requires less memory and this helps to avoid buffer displacements thus improving system performance.

Logon groups according to language, country or company division:

If your SAP system is operating across multiple countries or languages, in that case it is good idea to create logon groups specific to a country or language. By this way the data and text related to specific country or language will be loaded into the buffers of the respective instances.

This minimizes buffer displacements and improves system performance. Also less memory is required for the table buffer.

Logon groups for certain user groups:

1. We can setup separate logon groups for some department like sales whose work is performance critical. For that logon groups we assign instances which operates with high level of performance (e.g: high speed processors, less users per server, no background or update work processes configured or a dedicated network etc)
2. Some department users may take time-consuming reports in dialog mode. For these type of users, you may have to create separate logon group and assign an sap instance where profile parameter rdisp/max_wprun_time is set to very high

In this way we can separate performance critical/resource intensive applications from others.

Logon groups for the SAP Web Dispatcher:

For direct ABAP web service requests, we can setup logon groups that the SAP Web Dispatcher can use. If logon groups are not configured for web dispatcher, the load is distributed to all ABAP instances on which ICM is configured. Also, based on URLs we can distribute certain group of requests to dedicated logon groups.

Logon groups for ALE/RFC:

Asynchronous RFCs are used to process in parallel. However if the parallel processes are not limited properly, they can occupy all the available processes which impacts dialog users and can bring down the application. So, it is good idea to create separate logon groups for incoming RFC calls so that RFCs are kept separate from work processes of online users and thus avoids impact to dialog users.

Guide lines:

After assigning instances to logon groups

1. We need to verify whether the instances of logon groups are evenly distributed or not.
2. If an instance hangs or temporarily got disconnected, you should be able to redistribute the users So, you need to setup at least 2 sap instances for each logon group.
3. Setting up logon groups involves extra administration and monitoring. So, unnecessarily large number of logon groups shouldn't be setup.

How to setup logon groups?

SMLG transaction code is used for creating logon groups.

Logon to SAP system and goto SMLG transaction as shown below:

In the above example there are 2 instances (00 and 50) in this SAP system. These are not yet assigned to any logon group.

We can create a new logon group by clicking on highlighted create icon on the above screen. It results in below screen.

In the above screen, either select logon group from drop down or provide its name if you are newly creating. After that assign instance for that logon group and click on copy to save the assignment.

In this example, i am creating one logon groups HR and assigning instances 00. Please find below screenshots which explains the same.

Once you are done with logon group setup, please log off from SAP system and goto SAPGUI of the respective SAP system.

Click on properties of the respective GUI entry and goto to connection tab as shown below.

Please select Group/Server selection option from the drop down of Connection Type as shown above and maintain description and system id of the instance as shown above.

Now, you should be able to view the newly created logon groups as shown in below figure:

Also, please note you are able to view logon group SPACE also which gets created by default

Now, you can configure any desired logon group to the users as shown below:

For example in the above screen fico group is assigned to the end users in his GUI so that now onward, he will login into instance number 50 only.

SAPGUI logged out automatically after certain time, Auto log-out (maximum user idle time exceeded)

Hi ,

Normally the purpose of this parameter is suppose if a user is logged in to the system and is inactive from the time specified in the parameter then it will automatically log that user out from the system to save the resources which cab be utilized by other active users. But, here you are saying that while executing the payroll stimulation this is happening. How it can happen when the user is running some thing and active. Kindly check whether the user is really running the report or not. If you do not want to set this parameter then you can put the value as 0.

Method 1:

Login into SAP System

Goto --> RZ11

Enter the Parameter : rdisp/gui_auto_logout

Click on --> Display 

Click on -->Change Value

 Enter the New Value : 3600

Click on--> Save.

Click on Continue.

Note: This will change the value and it will be effective with new value only until next restart of the instance. Once the instance is restarted it will revert back to old value and this is called dynamically changing parameter. Also, check the parameter rdisp/max_wprun_time if report is running for long time than value specified and throwing time out. Check in ST22 for any Time out dumps.

Parameter

Method 2:

Also, you can change the parameter temporarily or permanently like if you want to change the value permanently then change the value in instance profile and restart the instance to take effect. 

Check and Set the INSTANCE profile parameter as below:

rdisp/gui_auto_logout = <Auto_logout_time>

You can also delete or set as below to disable the auto logout time.

rdisp/gui_auto_logout = 0

You will need to restart the SAP after changing profile parameter.

1. Goto your Instance profile Parameter

Renewing SAP Router License

Hi All, 
Here are the Steps of renewing the SAP Router License. 

Step1: Login as sncadm user. Take a Backup of folder where SAP Router is installed. 
Ex: D:\usr\sap\saprouter to D:\usr\sap\saprouter_backup. 

Step2: Execute the below command

sapgenpse get_pse -v -r certreq1 -p local.pse

It will ask for PIN, so enter any 4 digit number and remember this, as you may need it in at other places during renewal. Easy to remember code is 1234.

Also enter the distinguish name.(You can find the distinguish name athttps://websmp203.sap-ag.de/saprouter-sncadd )

Now copy the content of “certreq“ .(Either to the clipboard or to the notepad)

Step3: At Service Market Place logon to https://websmp203.sap-ag.de/saprouter-sncadd -----> SAPRouter Certificates -----> Apply Now.

On the next page Click on "Continue"

After that Paste the Contect into the Edit Box(Paste the content from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- ).

Now Click on "Request Certificate".

Copy the entire content of the Certificate from Begining to End to a text file named “srcert.txt“ and copy this file to the same location where it was present. Rename it to "srcert".

Ex: D:\usr\sap\saprouter
Step4: Install the certificate in our saprouter by running
:\usr\sap\saprouter>sapgenpse.exe import_own_cert -c srcert -p local.pse

Profile Management in SAP

What is Profile ?

• Profile's are useful to run and control SAP system.
• Profile contain parameters.
• This parameters having Values, this values control our SAP system.

The profile files are automatically created during installation. After installation complete,the profile are stored at operating system level in the Directory:
\usr\sap\<SID>\SYS\profile


This directory can be read by all instances of an SAP system using the share or mount technique.
The configuration of the individual instances and therefore of the Sap system is performed using system parameters.The Default values for these parameters are defined in the program code of the Kernel.Instance is managed by using profiles.


Profile Types:
There are 3 types of profiles.
1. Start Profile :
Start up profile consists of start up parameters like

• Starting database
  
• Starting Message Server
  
• Dispatcher+work
  
• Workprocess
  

Start up profiles are used for when Sap system is going to start, it will follow the start up profile values and order.Do nor modify these parameter under any circumstances on Os level . It is instance-specific
START_<instance><Instance number>_<hostname>
In this we can specifies which processes are to be started for each instance there are for example ,the message server and the dispatcher.
Start up profile are one or more available based on instances. Number of instance is equal to start up profiles


2.Default profile :
It is used to provide global parameters for all the instances. For example:

• Buffer parameters
  
• Message server host
  
• Enqueue host
  
• Security parameters(password,user restrictions)
  

There is only one default profile for each SAP system and it is read by all instances.It contains system-wide settings such as the system name, the name of the database server, the name of the enqueue server or also the Default logon client.


3.Instance profile:
The instance profile is therefore instance-specific. This is used to set the instance specific parameters.
The instance profile (<SID>_<instance><instance number>_<host name>) defines parameters that apply for one instance, such as the number and type of work processes, or the definition of the size and allocation of the main memory area used by the Sap system.




Number of instance is equal to instance profiles


Sequence to start up the SAP system:

1. Start porfile
   
2. Default profile
   
3. Instance profiles
   

If we need to change any profile values there is two ways :

1. OS level:
   

In OS level go to \usr\sap\<SID>\SYS\profile path and find the all profiles in this path. Now is we want change any profile open with note pad and change value if require and save. Before change values take backup of profile.

2. SAP level:
   

In sap level we have two T-codes for changing values there are RZ10 and RZ11.
Before going to do this we need to know about parameters.


Parameter are two types :

1. Static Parameters: When ever we can change a static parameter value we need restart the SAP system. It is perment change in Sap and it will be done using RZ10 only.
   

2. Dynamic Parameters: When ever we can change dynamic parameter values we don't need restart the sap system,when we restart goes back to privious values . It will be change in RZ11 and RZ10 also.