Documentation and training
SM19 Security Audit
A first important step was the introduction of playbooks to professionalize our work. Back then, SAP installation manuals were real tomes with hundreds of pages that often went around in circles and were anything but easy to understand....
You can reduce the Queue selection. To do this, select the Support Package that should be the last in the queue. After that, the queue is recalculated. You can also start the recalculation explicitly with Queue. Note that you can only select Support Packages that are part of the software component you have selected (the mouse cursor will change its appearance accordingly).
The Support Packages associated with the calculated queue are green. The highest Support Package of the previously selected software component is additionally marked with a green tick. The Support Packages that are no longer part of the queue are still visible in the list and can be selected again. If you want to set the queue for another software component, select New Component.
Result
You have defined a queue. Now insert the Support Packages in the queue.
Rules for the Queue
The following rules apply to creating a Queue:
If it is an FCS system, the first step is an FCS Support Package. If it is missing from the queue, the queue cannot be defined. Instead, you will receive an error message telling you the name of the missing FCS Support Package.
You cannot insert an FCS Support Package in a non-FCS system (official state of delivery).
Support Packages for a selected component are queued in order.
If Support Packages in the queue have connections to Support Packages of another component (further predecessor relationship, required CRT), the queue will be extended by additional Support Packages until all predecessor relationships are fulfilled.
Note that the SAP Patch Manager takes into account the configuration of your SAP system and only adds Support Packages to the queue that can be inserted into your system.
Web Services (SOAP)
If your system is already above SAP NetWeaver Release 7.0, then you must import either SAP Note 1731549 or a corresponding Support Package. Afterwards, when creating new users, it is no longer possible to assign user names that consist only of variants of spaces or other invisible special characters. Important: Changing existing users with such names, and the option to delete them, are not affected by this!
The SAP Note also adds the customizing switch BNAME_RESTRICT, with which you can control whether alternative spaces are allowed to appear in certain places in the user name. For this, the following values must be set in the customizing table PRGN_CUST:
NO = The alternative spaces are still allowed in the user name.
ALL = The character set is reduced to a defined range, excluding certain special characters because they have specific meanings in certain operating systems or databases. This predefined character set is: ABCDEFGHIJKLNMOPQRSTUVWXYZ_0123456789,;-§&()={[]}+#.
FME = The letters F, M and E stand for Front, Middle and End. With an 'X' in this three-character switch value you can explicitly specify at which position in the user name no wide spaces and control characters may occur. All combinations are possible, e.g.:
XME = None of these special characters may occur at the BEGINNING of the user name.
XMX = In the user name none of these special characters may occur at the BEGINNING and at the END.
FME = One of these special characters may occur at any position in the user name (this corresponds to the default setting, i.e. as if no entry was maintained in PRGN_CUST for the switch).
SAP recommends the use of the value ALL.
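
Because existing users are not touched by the note, names created before it was imported still have to be found by review. The following added example (not from SAP or the original page) checks a list of exported user names against each BNAME_RESTRICT value described above; the Unicode categories used to define "invisible" characters, the handling of one-character names and the sample names are assumptions.

```python
import unicodedata

# Character set the page quotes for BNAME_RESTRICT = ALL (the full stop that
# follows it on the page is read as sentence punctuation: assumption).
ALL_CHARSET = set("ABCDEFGHIJKLNMOPQRSTUVWXYZ_0123456789,;-§&()={[]}+#")

def is_invisible(ch):
    # Assumed definition of "alternative space / control character":
    # Unicode separators other than U+0020, plus control and format characters.
    return ch != " " and unicodedata.category(ch) in {"Zs", "Zl", "Zp", "Cc", "Cf"}

def violations(name, switch):
    """Return [(index, code point)] that the given switch value would reject."""
    switch = switch.upper()
    if switch in ("NO", "FME"):          # both values allow the characters anywhere
        return []
    if switch == "ALL":
        return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name)
                if c not in ALL_CHARSET]
    if len(switch) != 3 or any(s not in (p, "X") for s, p in zip(switch, "FME")):
        raise ValueError(f"not a BNAME_RESTRICT value from the page: {switch!r}")
    front, middle, end = (s == "X" for s in switch)
    last = len(name) - 1
    hits = []
    for i, c in enumerate(name):
        if not is_invisible(c):
            continue
        # A one-character name counts as both beginning and end (assumption).
        if (front and i == 0) or (end and i == last) or (middle and 0 < i < last):
            hits.append((i, f"U+{ord(c):04X}"))
    return hits

def audit(names, switch):
    """Map each name the switch value would reject to its offending positions."""
    report = {}
    for name in names:
        hits = violations(name, switch)
        if hits:
            report[name] = hits
    return report

# Constructed sample of existing user names (not taken from any real system).
SAMPLE = ["JSMITH", "\u00a0ADMIN", "DDIC\u200b", "BATCH\u2003USER", "\u3000"]

if __name__ == "__main__":
    for value in ("XME", "XMX", "ALL"):
        for name, hits in audit(SAMPLE, value).items():
            print(value, ascii(name), hits)
```
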
Only one transaction code can be entered here; otherwise the search would always look for a single role that contains all of the transactions entered and is assigned to the respective user. However, since the transactions can also be assigned to the user via different roles, this would not be useful. If you use the input variants above, only transactions that have been maintained in the role menu are considered. If it is not certain whether the transaction was entered in the menu or in the S_TCODE authorization object of the role, up to four transactions can also be checked by searching through the S_TCODE authorization object. It is important to pay attention to the AND/OR relationship and to use it appropriately.
After the query is executed, the roles that contain the requested transaction and are associated with the user are displayed. If you use the search through the S_TCODE authorization object, the following result page appears. When looking at the result, in addition to the limit on the number of transactions that can be entered, another drawback of this variant becomes apparent: although both associated roles are displayed, at first glance it is not possible to see which transaction is contained in which role. To do this, the roles would have to be considered individually. If more transactions with user assignment are to be identified at the same time and the role assignment is to be seen directly, the use of the transaction SE16N is recommended.
Basically, an SAP Basis administrator is responsible for installing, configuring, managing, maintaining and servicing all technical components of an SAP system landscape.
This happens, for example, through cooperation with companies, suppliers or even customers.