SCCL Client copy - local
Use of the Security Audit Log
At best, for the time in which an emergency user is in service, a separate log of the activities undertaken is written, which can then be evaluated. In the following chapter I would like to explain our best practice approach to implementing an emergency user concept. Our approach to using an emergency user concept We have had good experience with the use of the Xiting Authorizations Management Suite (XAMS) in this area. This suite consists of various modules for creating role concepts, managing permissions including a permission concept, and also enables the implementation of an emergency user concept. XAMS works here with a limited time assignment of reference users with extended privileges to enable the emergency user concept. A self-service application may be made with a justification and a period for allocating special rights. The application window is illustrated in an example in the following screenshot: Evaluation of the use of the Emergency User Concept Once this request has been initiated, a new mode will be opened for the user, in which he can work with the extended rights. In addition, depending on the configuration, a stored workflow can be initiated as an approval process, or pre-defined controllers will be notified by email to verify activities. Once the session has ended with the emergency user, the responsible persons will receive another email with the logged activity of the user with the extended permissions. One of these logs is shown in the next screenshot: These logs can also be viewed in the system. Here you will get an overview of all the sessions that have been run. In addition, it is possible to approve activities with special rights after an evaluation. This allows the controller to get an overview of the activities undertaken with the emergency user. If you are using this Emergency User Concept and following these steps, you can ensure: Each user on the production system retains his or her original necessary rights.
The Queue determines which support packages are inserted into your system in which order by the SAP Patch Manager. If the queue is not yet fully defined, you must define the queue from the available support packages. If the Queue is already fully defined, it is only displayed; they no longer have the ability to change the selection. However, you can delete the queue completely with Queue [page 37]. Note that your system is inconsistent when you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step and following). The deletion in these SPAM steps should only be used for troubleshooting and you should repeat the insertion of the support packages as soon as possible. The SPAM transaction ensures that only support packages that match your system are displayed in the queue. Support packages intended for another release or an uninstalled add-on will not appear in the queue, even if they are loaded into your SAP system. For more information, see Rules for the Queue [page 19]. You must define the queue before you insert support packages. Prerequisites You have loaded the appropriate support packages with the SPAM into your SAP system [page 15]. Procedure To define a queue, select View/Define SPAM on the entry screen of the transaction. The Select Component dialogue box appears. You will see the list of installed software components (e.g. SAP_BASIS, SAP_HR, SAP_BW, Add-On). Select the desired component. You see the available queue. This queue contains the support packages available for the selected component in your system, and any required Conflict Resolution Transports (CRT), as well as associated Add-On Support Packages. You can: If the queue you see matches your wishes, you can accept the queue with Queue confirm and leave this selection window.
Site Reliability Engineering
There are the following reasons that may lead to the termination of this step: CANNOT_SKIP_ATTRIBUTE_RECORD: The attributes cannot be read in the OCS file. The file probably cannot be opened for reading because it has been deleted in the meantime, or the permissions at the operating system level are insufficient. CANNOT_DETERMINE_EPS_PARCEL: The OCS file does not exist in the EPS inbox; presumably it was deleted.
SAP Basis administrators still spend much of their time reviewing their systems or doing project work such as new installations. With the transition to more automated, container-based environments that span multiple clouds, the role of the administrator will also need to be redefined and root cause analysis will take on a much higher profile.
Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
Now you can repeat the steps for the frontend as explained above.
It is not for nothing that "SAP Basis Administrator" is a career field in its own right.