Query developement and se16 access on productive system

Similar Messages

• SM30/SM31 and SE16 access in Production systems - Confusion

  Hi Security Experts,
  Could any one give some information why SE16 or Sm30/SM31 access should not be granted directly in production systems even if its for a custom tables which are assigned to authorisation groups?
  I have been going through lot of forums where every one says access to tcodes should be restricted or access need to provided in alternate way but i could not see the clear information on why this is should not be granted?
  I can think of risk providing to standard table authorisation groups but i don't understand the reason why custom table access via SM30/Sm31/Se16 should be restricted?
  Could any one explain the implications of granting the access directly, if possible please provide information from audit point of view.
  In our company there are many users who have got access to SM30/Sm31 to maintain z* tables which are assigned to authorisation groups, is this  a security risk?
  Please shed some light on this. Your information is much helpful in clearing my doubts and is much appreciated.
  Thanks,
  Sandhya

  What you should also consider is that S_TABU_RFC lets you remotely turn the S_TABU_DIS checks off for specific tables if you create a view to them.
  It means that the calling application has taken care of the security before the call and the application user authorizations are correct and the view is correctly designed.
  Normally display activity in the debuger (s_develop actvt 03 object type DEBUG) is sufficient in the remote system to see everything in the target system - depending on the authorizations of the technical SYSTEM or COMMUNICATION user. These should ideally not access tables directly.
  For table / view comparisons you can use a "current user" destination (or use trusted RFC).
  It is unrealistic to restrict users to trouble shoot local problems, so you should ideally implement only the business scenarios for the RFC steps and those should be BAPI application type and not direct table access or generic interfaces to run programs, perform subroutines, install programs, etc.
  It is quite easy (with lots of time) to build a catalog of access from the (remote) application to datavia APIs, but you must first get away from the direct table access and control the client access to the generic functions and transactions.
  SE16 / Sm30 and many reports and function modules which can very easily be started by adventurous users which offer exactly that.
  If the users are doing axactly that then from a security administrator perspective you can only try to restrict it and process "tickets" all day long... 
  Cheers,
  Julius
  Edited by: Julius Bussche on Oct 2, 2011 9:12 PM

• Query developer and report developer

  Hi experts,
  Can anyone tell me what are the differences of query developer and report developer
  Thks
  Sujey

  Hi Su,
  With BI 7.0 you have the Query Designer and also the new Report Designer. You can check full details here:
  http://help.sap.com/saphelp_nw04s/helpdata/en/9d/76563cc368b60fe10000000a114084/content.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/4b/157e41ec0d020de10000000a1550b0/content.htm
  Hope this helps...

• Groups having which folders and universe access in a System

  Hi All,
  I have requirement as need to fetch data each group having access to which folders and which universe (if any).Can anyone assists me to write q query for the same.
  For Example :
  One group having access to which reporting folders and which universes.As our system has nearly 150 groups and more than 500 groups and many universe. Manually giving access of each group and checking the access from infoview is TDS Task.
  Thanks in advance,
  Sambasiva

  Although, I suppose it'd be better off to just get a 570 at that point. The price would be about the same and would perform up to par with the 6870, while having CUDA/Folding support. Still curious if it's possible.

• I changed an existing abap query ME80FN but not find in production system.

  Hi,
  I have changed an ABAP QUERY  ME80FN for user group SAPQUERY/ME in Dev system via transaction SQ01 & SQ02.
  But when I am searching for same query in Production via transaction SQ01 it is not existing.
  Please give me some inputs.
  Thanks,
  Jwala

  Hi Jwala
  1. Check if that ABAP query is transported to production or not.
  or
  check the versions of the ABAP Query in dev w.r.t Production so that you will know the status of the program in production.
  regards
  PBI

• Changing Solution manager landscape and having a Virtual production system

  We have a 2 line landscape like this
  Line1: DEV1 - QAS1 - PROD1
  Line2: DEV2 - QAS2 - VirtualPROD.  
  During our golive pahse the QAS1 in Line1 will be replaced by the QAS2 in Line2 and Lin 2 will be on hold for a while.
  My questions,
  1) does any one have any experience in topic?, on how to change the system landscape without closing any tasklist/maintenance cycle or project.
  2) We have some problems with logging on to QAS system from the change request when having a virtual production system, it works fine from the tasklist.
  Unfortunalty we can't see anything in the log.
  3)When having multiple QAS systems in one Line , how can the import the change to the second QAS system be handled when using urgent correction since only one QAS is in the task list the one which feeds the production system. (Urgent correction always uses the shortest path to production)
  Comments, references and all else is valuable.
  br
  patrik

  Question #2
  Apperently does the system check for a connection to the production system and since it's virtual there is no rfc , so would it be possible to create an rfc to a virtual system?

• IDX2 and Idoc metadata in production system

  As explained my Michal & SAP note - 767091, I ran program IDX_GET_CONFIG in production, pointed rfc dest to source where the config is located. It loaded the data but the metadata in the tables are pointing to the XI development (DEV) target system port and not production (PRD)landscape....meaning
  XI0 sending data to SAPDEV port
  XC0 sending data to SAPTST port
  XP0 sending Idoc data to SAPPRD port
  Now all my entries in xp0 is pointing to SAPDEV port
  How do I fix this. I don't want to create a SAPPRD port in XI0 and load metadata from SAPPRD into Xi0...its would not be SOX complaint.
  IDoc Adapter: Configuration Data Transfer
         17 Entries for table  IDXSLOAD
          0 Entries for table  IDXIDOCINB
          1 Entries for table  IDXNOALE
          0 Entries for table  IDXQUEUE
          9 Entries for table  IDXPORSM59
        492 Entries for table  IDXIDOCSYN
  Please Help!
       4470 Entries for table  IDXEDSAPPL
        636 Entries for table  IDXEDISDEF

  hi,
  just like I said you need to do it manually
  I gave you note 767091 just to consider
  (the note is for system copy not for DEV-PRD)
  also Naveen told you the same
  you only need to be <b>careful</b> and <b>read</b> what we write
  now just delete IDX1 entries in PRD and create new
  manually - just like we said
  Regards,
  michal

• Backup and Recovery procedures for production system

  I am trying to decide and test a best backup/recovery approach for our DBXML database in the production environment. Right now I am trying to go through the documentation.
  http://www.oracle.com/technology/documentation/berkeley-db/db/gsg_txn/CXX/filemanagement.html
  What is the best option among offline, hot and incremental backups?
  I am thinking of implementing incremental backups.
  What are the constraints in implementing incremental backups? Is there a detailed step by step example to do this?
  Can I test the backup and recovery procedures by copying the db files and log files from Linux (production) environment to my local machine (Windows XP)? I see only one log.00000000xx file in production and staging environments. It is of same size 52428800 in all our environments (both production and staging) at this point of time.
  What is __db.001 file? What is the significance of this file in backup and recovery procedures?
  A detailed input with example is greatly appreciated.
  Thanks in advancs

  Raghu,
  A couple of points, up front:
  1. the __db* files are the environment (cache, locks, various shared memory regions), and are not part of backup, other than the fact that you need to checkpoint or otherwise flush your cache to your database(s) for a full backup.
  2. log files are not architecture-neutral. That is you can't use a log file created on linux and just use it safely on another hardware platform. It's OK to copy them around, but they can only be used on the same architecture that created them. Database files (containers) are entirely portable among hardware and operating system platforms.
  I don't know of a step-by-step cookbook for backups. This is because of the variations among application needs. However, the procedures described on this page are pretty straightforward:
  http://www.oracle.com/technology/documentation/berkeley-db/db/gsg_txn/CXX/backuprestore.html
  I'm not sure what you mean by "constraints" on incremental backups. The only constraint is that you need to have a full backup first, or you won't be able to recover properly. Based on what I said above, the other constraint is that you'll only be able to recover on a machine of the same architecture as the one that created the log files.
  As for testing, you can certainly copy your database and log files to your Windows machine, treating Windows as an offline backup. If you want to test recovery, you need to copy the files back to Linux. You'll start seeing additional log files when your log data starts to exceed the configured log file size.
  Let me know if you need more clarification,
  Regards,
  George

• Development and consolidation same system

  Hello All,
  Can i declare both the development and consolidation as the same system without specifying test and production system in a track? If yes then is there any other factors to be considered?
  Also the SC state is in grey whereas if i click synchronize DC dependencies it turns green. Any suggestions on this?
  Regards,
  Anand

  HI,
  Can i declare both the development and consolidation as the same system without specifying test and production system in a track?
  you can declare development and consolidation as the same system. but then you wont be able to distnguish between the changes you made.
  keeping consolidation virtual is an good option than keeping development and consolidation as the same system.
  and without specifying test system is not a good option, test system should have to be there, as at that stage only you assemble and check you development as a complete application.

• Transporting role menu and workbook created diurectly in production system

  Hi gurus,
  We have several workbooks (and queries) that are created directly in production system. thoose workbooks are connected to a role that is created in development system and transported to production system.
  Now, we would like modify this role in development then tranport it on production system, but we are afraid that will be wiped out (overwrite) our production system workbooks (because the role not contains this workbook in development).
  Could you please explain to us what we have to do in order to not wiped out our production workbooks.
  Thank you in advance

  thank you, it's more clear for me...
  Exactly, to have all my requests and workbook in development, I tried to use "Transport order of copy (it means transport queries from Production system to development system)", then to connect them with the corresponding roles in development, but I have the think that BW considers them as new requests when I re-transport them again on the prod.)
  Could you say me if i can transport my production system queries on my development system, and manage them in this system (development) in the future.
  Thank you in advance

• Lock on Portion and MRU in Production System

  Can anyone explain why is there a lock on MRU and Portion in the production system but not in development? Can it be removed?

  Hi Kunal,
  The lock will appear in production system only as the standard logic checks for production client before showing up the lock.
  ============================
  CHECK g_clnt_prod = 'P'.
  ============================
  Lock Icon on Portion:
  Following two FMs are used to determine whether the locked icon is to be displayed or not
  ISU_DB_EVER_FIND_CONT_FOR_PORT,
  ISU_DB_TE422_FIND_MRU_FOR_PORT
  Simply put forward, if portion is being used  for an ISU contract(EVER) or is associated with any MRU(TE422) lock icon will be displayed.
  Lock Icon on MRU
  It check in table EANLH(Install.Time Slice) with the following condition bis >= sy-datum AND ableinh = te422-termschl.If record is found, then the lock icon is displayed.
  Simply put forward, if MRU is being used up in any ISU installation as on system date, the MRU lock will be displayed.
  About, removing the icons, it checks for business function  ISU_UTIL_1 to be active for the system. If not, the lock is not displayed in production environment .
  I hope, this clarifies you doubt.
  Thanks,
  Ritesh

• What is native for EP and what is needed to develop and how...

  Hi guys!
  I have to prepare a presentation of possibilities of the SAP's EP 6.0. I need to know, what is "native" - just plug n' play and how to develop other things... Can you help me please? Any links, documents .... are welcome!
  Another question: If I have an independent web application...  - how is it possible to develop it wthin the portal?
  Thanx 4 answer... Points are guaranteed!
  Peter

  Hi Peter,
  There is a wealth of information you can pull from SAP sites by looking at presentations and product info.  If you need a short cut, I have a simple presentation I put together with some talking points about the SAP Portal.  eMail me at [email protected] to get it.
  In a nut shell, the "native" things you can get from the SAP Portal is quick and easy access to SAP systems.  For example, you can create and display a page to users with a SAP R/3 transaction, an ITS screen, or a BW report in just a few minutes.  With some simple configuration work, users will not have to login to the separate systems.  One of the key advantages of the portal is that it creates an environment for administrators to create/modify views to information using configuration (templates) instead of having to do any coding.
  SAP Portal out-of-the-box also has some support for connecting to web services (SAP and non-SAP) and for displaying content from external/internal sites using an IFrame.
  If you are not familiar with Portals, I would read some of the product information on the SAP Portal.  There you will learn more about the use of Roles to secure and display information, delegated administration of content, end user features, etc.
  Another key concept is the use of Business Packages provided by SAP and other vendors.  Business Packages are pre-built content that you import into the portal.  These packages do require some configuration, however, they are really meant to be "plug and play."  Depending on your companies license agreements, a lot of these packages may be free.  Examples, include Employee Self Service and Manager Self Service business packages that interface with the HR Module in R/3 and BW.  You can get to a listing of the packages here: https://www.sdn.sap.com/irj/sdn/developerareas/contentportfolio   If you look at some of them, you will see documents and screen shot examples.
  If you are not using out-of-the-box functionality then you will create your own templates and applications.  Custom development is done based on JAVA or ABAP development stacks or by using visual toolsets.   JAVA development is done using SAP Netweaver Developer Studio which is based on the Eclipse IDE.  There are two main styles of JAVA development: JSPDynPage model or WebDynpro model.  The first is pure JAVA, the second is designed to speed up development with some JAVA and some Configuration/Visual development.  ABAP development can be done using SE80 and writing a BSP or I beleive you can run a JAVA and ABAP stack for your portal.  .NET development of iViews can be done using the SAP Netweaver Developer Studio for .NET.  Visual development can be accomplished using Visual Composer (I would stay away from this until 2.0 comes out).
  My company has been successful deploying Business Packages, configuring SSO to systems, custom iView creation to R/3, BW, and ITS, custom JAVA development, BSP development. 
  We have also experimented with deploying our own web applications on the WAS and may move all JAVA development onto the WAS for hosting. 
  To take an exisiting web app and truly make it a portal app you would have to rewrite quite a bit of the front end.  You could almost completely separate out the back end of the app from the front end.  You would have to rewrite the front end of the app and possibly redesign the app to take advantage of portal functionality (eventing, centally managed styles, etc).
  Another option besides a full rewrite of the app is just to create a url iView (basically an IFrame) to your existing application.  This way it is in portal and then you can take advantage of Roles and security.  With this option though, the portal doesn't control the display of the app (if your buttons and color are different they will remain different).  This is nice for working with a vendor app.
  Yet another option would be to integrate the app enough to take advantage of portal events.  To do this you would write a quick custom Portal application to accepts events and call your app with parameters.  With this option though the portal doesn't control the display of the app.
  Sorry for the book, but you asked a few open ended questions, which, there probably are books out there to cover.  I know I only touched on a few of the capabilities.

• How to Deploy OOB Webparts created in Sharepoint 2010 designer to production system

  Hi,
  Can anyone help me the process of deploying the OOB Webparts developed in Sharepoint 2010 designer to Production Server.
  Actually i developed some OOB Webparts and Workflow using Sharepoint 2010 designer.
  So, i want to move these OOB Webparts and Workflow to my Production System.
  Please assist me what is the process?
  Rama

  Hi,
  Thanks for posting your query, 
  There are a lot of mechanisms for doing this, but doing a simple export from your dev environment and then an import into your prod environment is probably a good place to start. You can move the whole site or just a list/library. You can do it via PowerShell
  or Central Admin:
  Export:
  http://technet.microsoft.com/en-us/library/ee428301.aspx
  Import:
  http://technet.microsoft.com/en-us/library/ee428322.aspx
  I hope this is helpful to you. Please mark it as
  Answered. If this works
  Regards,
  Dharmendra Singh (MCPD-EA | MCTS )
  Blog : http://sharepoint-community.net/profile/DharmendraSingh

• SAP Query Use and Transport Strategy

  Anyone wish to share their experience in the use of SAP Query?  We generally have an understanding that we don't want to be giving out this tool to end-users in Production.  We would like to create queries, and when we wish to give them out we'll attach t-codes to them and roll them out.
  However in practice, this is becoming difficult.  An example is where in our gold client we create queries and then we would typically transport to our unit test client.  But whenever we do an export, it generates a transport request.  Before we are done testing we may end up with 10's of transports for a single query?
  Anyone have some ideas on a transport strategy for SAP Query?  How about it's use in Production?  Our landscape for changes are typically DEV Gold -> DEV Test -> QAS -> PRD.  We would ideally like our transport strategy for queries to match what we do for everything else.

  HI,
  Query objects are transported in different ways according to the query area in which they were created.
  In order to know which transport options are available, you must first understand how query objects are created.
  <b>Standard Area</b>
  Query objects are stored in the client-specific table AQLDB. They are not connected to the Change and Transport Organizer.
  <b>Global Area</b>
  Query objects are stored in the cross-client table AQGDB. They are connected to the Change and Transport Organizer.
  http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb467f455611d189710000e8322d00/content.htm
  Global area objects can be transported into other systems. Standard area query objects can not only be transported to other clients within their own system, but into all clients of other systems as well. In addition, query objects can be transported from the global query area to the standard query area and back within the same system.Transports are normally performed by the system administrator, not by end-users. For this reason, you need the appropriate authorizations
  Check the below links for detailed explanation
  <b>Transporting Global Area Objects</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/ec/052786a30411d1950a0000e82de14a/content.htm
  <b>Transporting Standard Area Objects</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/ec/052789a30411d1950a0000e82de14a/content.htm
  <b>General Transport Description</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb4699455611d189710000e8322d00/content.htm
  <b>Generating Transporting Datasets</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46a6455611d189710000e8322d00/content.htm
  <b>Reading Transport Datasets</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46e7455611d189710000e8322d00/content.htm
  <b>Managing Transport Datasets</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/d2/cb46f4455611d189710000e8322d00/content.htm
  <b>Transporting Objects between Query Areas</b>
  http://help.sap.com/saphelp_47x200/helpdata/en/ec/05278ca30411d1950a0000e82de14a/content.htm
  I hope this solves your purpose.
  Regards,
  Vara
  Message was edited by:
          varaprasad bhagavatula

• Help needed on movement of transports between two production systems

  Hi All,    
  Our client is implementing SAP in US and Europe and it has separate production systems for both. It already went live in US and now started SAP implementation for Europe. They wanted to leverage the development & configuration done for US in Europe implementation and have taken the copy of US development box and started building on that. For Europe, they identified few changes to the existing custom objects from US,  few objects from US which are not required and also brand new objects. Going forward, they also decided to import all the defect fixes and changes from US into Europe system on a regular basis(monthly).
        If anybody has experience in an environment like above, please let us know the pros and cons with the approach highlighted above.

  Differentiate thru trasports requests and move the correspoding cofiles and Data files in required system and import as suggested earlier.
  Thanks