On The Spot: Joey Hirao on Basis/administration

This month Joey Hirao, author of SAP R/3 Administration for Dummies, answers all of your SAP security questions.

On The Spot features a new guest expert on a hot SAP topic every month. This is your chance to get your questions answered by some of the best and brightest in the business, but hurry up: Each guest expert makes one appearance only! This month's topic is SAP Basis/administration with Joey Hirao, the author of SAP R/3 Administration for Dummies.

Joey Hirao, the author of SAP R/3 Administration for Dummies, is a senior Basis consultant for Groupbasis (www.groupbasis.com), a firm specializing in SAP Basis solutions. He has over 10 years experience providing SAP Basis support and solutions for customers worldwide. Some of his technical achievements include SAP Basis certification, Oracle 8i 9i OCP and SUN Solaris certification. Joey has also presented at SAPAdmin and written many articles for SAPtips.com.



Many companies run batch jobs, either submitted manually or on a schedule. Depending on the IT environment, this task is delegated to a very reduced number of IT people, but also regular users are allowed to create/change/remove batch jobs. What is the best way to secure this area and monitor/audit the success/failures?

-- Elliott Bujan,
    Deerfield, Ill.


Depending on your organization's philosophy, size, industry and regulatory requirements the SAP batch management strategy will vary. I am not privy to the specifics of your organization, so I'll keep my answer focused on the technology.
  1. Make a list of all Batch functionality and group those tasks into a role. Some tasks include create, schedule, release, change, delete batch jobs. Separate the tasks as required by your organization.
  2. SAP Security Batch security starts with defining the batch user roles such as a) batch scheduler b) batch monitor. Test using both positive and negative methods to ensure roles secure as anticipated. Assign these roles to named individuals for the specific batch tasks.
  3. Third party products There are third party products that manage SAP Batch jobs. You can decide if those applications are worth purchasing.
  4. Create a User that the jobs will run as. If many functional areas are represented, you can even create Batch user identified by areas. An example is Basis Batch jobs: BTC-BASIS.


-- Joey Hirao


We are currently using SAP I.S. Retail version 4.6.C and are planning to upgrade to ECC 6.

We have two business divisions: Retail and Wholesale distribution in SAP configured as separate companies. The only relation is cross company transactions and sharing some mater files. Due to business reasons we want to separate these two divisions as separate instance with separate hardware.

What is the best method for this kind of separation?

-- Nair T.K.G.,
    Dubai, UAE


You have an interesting situation. You have 2 complex changes, upgrade and a company split. First, you should choose to combine or separate the 2 tasks. Compartmentalizing the changes would mitigate the competing changes and possibly the complexity of the 2 endeavors. I always try to manage change and least common denominator.

With the company split, you have roughly 2 options as well. Option 1: starts from a fresh base install and configure 2 systems separately while using the source systems as a reference. This is probably least favorable in many regards due to the time considerations. Option 2: the starting point for both new landscapes starts with a copy of the primary landscape.

Option 1 in the company split is straightforward. It essentially treats your current system as legacy. Option 2 has many twists and wrinkles. You can copy the entire landscape to the secondary landscape and make your changes in the new landscape or just copy the development system then promote all changes via transports. Whatever the approach, you should aim to have the same process used to create the test systems as you do to build the production systems. I have detailed some high level approaches to your situation. Before embarking on this project, please be certain to outline the exact process.

-- Joey Hirao


I used to work in SAP administration back in the early R/3 days. Then I spent several years as a security consultant in a non-SAP environment. Now I'm considering a move back into the SAP world, but there seems to be some changes regarding SAP administration in the NetWeaver world. Can you recommend resources for studying up on how to bridge the gap between the old and the new?

-- Ling Nguyen,
    Milpitas, Calif.


The basic security fundamentals have not changed in ABAP. Enhanced tools such as profile generator, security report available via SUIM and the features in Central User Administration have made the toolbox heavier but, nonetheless, the fundamentals are the same. New products such as the J2EE engine will require some home work since it's a completely new product. Items such as single sign on and certificates were around in R3 but the feature are more robust. Porting SAP with external applications such LDAP have also been introduced so more homework is necessary. In summary I would take start with the NetWeaver administration course then drill down into specific areas of your interest.

-- Joey Hirao


What are the similarities and the differences between the Authorization Concept in SAP R/3 4.6.c, and the Role Based Access Control (RBAC)?

-- Ignacio Gomez-Landero,
    Toledo, Spain


Here is what I know about RBAC, it is a feature on Solaris that enables Unix user to obtain privileges to execute task as other than themselves. It is also a bolt on product for SAP. Lastly, it is also a security approach to restricting system access to authorized users.

-- Joey Hirao


Is there a way to track the data source for specific tables after they've already been filled in? We have a case of bad data entering our system with no apparent cause and need to figure out how to pinpoint the problem.

-- Sid O'Leary,
    New York City, NY


On many tables, SAP tracks changes. For application data tables, mostly there is not a mechanism that tracks changes by default. You may want to rule out the obvious by analyzing the system log, application log, batch logs, developer trace files and short dumps, if any. Also, if you know the problem table, see about opening a trace on know jobs that update, change or insert records in that table. If it is a custom program is used, think about error handling and validation routines to track the changes within the code.

-- Joey Hirao


I am a newbie to SAP and presently studying BW/BI and SD. I plan on doing another SAP related technical module, and was divided between ABAP and NetWeaver. I have previously studied JAVA, SQL and MCSE and am 25 years old. My big question is, given the out-look of ABAP vs. JAVA, and the explosion of NetWeaver on the scene, is Basis recommended or NetWeaver instead?

-- Karan Kapila,
    Markham, Ontario, Canada


All tracks in SAP are very rewarding and challenging. Your experience seem to be both technical and functional. I recommend this, find what interests you the most then go down that track. When you decide, take the SAP academy track in the area of interest.

-- Joey Hirao


We have a HP-UX RISC 64 bit database and went through a botched update process. We recovered, but there's a stubborn update request that doesn't seem to go away. It's not showing up in Tools > Administration > Monitor > Update.

-- Jolene Taylor,
    Houston, Tex.


It is hard to tell by the data provided what the problem is. On update errors, start by looking at the basic areas for a clue: SAP system log, Unix system log, developer trace files, short dumps and short dumps. From there look further into details of the update request.

-- Joey Hirao


Where can we find detailed information about what the users did during the previous days, months?

It is clear that SAP stores something when a user calls a transaction, and it should also keep track of how much CPU time, and maybe also some data about the tables accessed, etc. Is there a way to find this information and to extract it (transaction, bapi, etc.) to a system table that we can query?

-- Bernard Haddad,
    Paris, France


You can implement AIS then establish your logging criteria. You can then see user activity via SM20. AIS can be as detailed as you setup your logging criteria. Performance data is kept in the moni tables. ST03 gives you data regarding performance as it relates to users.

-- Joey Hirao


I need to change the default SAP GUI client number. How can I do this?

-- George Green,
    Los Angeles, Calif.


The default client for a system set via the instance parameter via login/system_client = your_default_client

-- Joey Hirao


Is there a way to disable to automatic file compression that takes place when we run our weekly tape backup of our DEV environment?

-- Fritz Kickinger,
    Berlin, Germany


If you use brbackup, tape backups and a third party backup management system such as Netbackup or Omniback, compression is handled at the backup management system level. Most packages do not recommend or support the compression flag by brbackup.

-- Joey Hirao

Dig Deeper on SAP Basis

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.