Oracle DB Administration
SM14 Update administration
If we look at the question of standardisation, this concerns not only the administrative side of IT products, but also the standardisation and simplification of IT products offered by the SAP basis. For this purpose, tools such as ITIL for standardised tasks and the development of IT product and IT service catalogues have already established themselves to the greatest extent possible. These clearly describe the IT services provided. In addition to the definition of the service to be provided, the clear description shall include the identification of disclaimers and conditions that must exist. Also part of the service description is a price that can be composed of fixed and variable parts. This simplification and bundling of the product portfolios should also reduce the administrative burden when ordering, activating, changing, terminating and, of course, invoicing. The description of the IT services and the associated development of an IT product catalogue is the basis for standardisation, whether the recipient is an external or internal customer (e.g. a business unit). One difficulty is the definition of IT products, i.e. the pooling of IT services and resources. An orientation towards the idea of cloud computing can help. The characteristics of cloud computing are the provision of standardised services in terms of performance and type of performance, results-orientated services, provision of performance to a wide range of service customers, scalability, transaction-based billing and high risk of IT service failure.
A secure SAP system requires more than a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignments is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.
The need for recertification - scenarios
Example 1: The "apprentice problem"
Imagine the following scenario: A new employee (e.g. an apprentice or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP user equipped with appropriate roles will be made available to the employee right at the beginning. With each project and department, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.
Example 2: The change of department
The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his or her old permissions along, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.
Recertification as part of a revision
The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.
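The check behind both scenarios, as an added sketch that is not part of the original post and not EasyReCert code: it flags roles granted for a department the user no longer works in and role pairs that break an SoD rule. The user names, role names, departments and the single SoD rule are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (user, role, department the role was granted for).
ASSIGNMENTS = [
    ("TRAINEE01", "Z_AP_CLERK", "ACCOUNTS_PAYABLE"),
    ("TRAINEE01", "Z_AR_CLERK", "ACCOUNTS_RECEIVABLE"),
    ("TRAINEE01", "Z_HR_DISPLAY", "HR"),
    ("CLERK02", "Z_AP_CLERK", "ACCOUNTS_PAYABLE"),
]
# Constructed: the department each user works in today (e.g. from HR data).
CURRENT_DEPT = {"TRAINEE01": "ACCOUNTS_PAYABLE", "CLERK02": "ACCOUNTS_PAYABLE"}
# Hypothetical SoD rule set: role pairs one user must not hold together.
SOD_CONFLICTS = [frozenset({"Z_AP_CLERK", "Z_AR_CLERK"})]


def recertify(assignments, current_dept, sod_conflicts):
    """Return findings per user: leftover roles and SoD-conflicting pairs."""
    roles_by_user = defaultdict(dict)
    for user, role, dept in assignments:
        roles_by_user[user][role] = dept

    findings = {}
    for user, roles in sorted(roles_by_user.items()):
        # A user without a known department gets every role flagged for review.
        dept = current_dept.get(user)
        leftover = sorted(r for r, d in roles.items() if d != dept)
        conflicts = sorted(
            tuple(sorted(pair)) for pair in sod_conflicts if pair.issubset(roles)
        )
        if leftover or conflicts:
            findings[user] = {"leftover": leftover, "sod": conflicts}
    return findings


if __name__ == "__main__":
    for user, result in recertify(ASSIGNMENTS, CURRENT_DEPT, SOD_CONFLICTS).items():
        print(user, result)
```
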
Every SAP Basis consultant must know these 10 technology trends
The core of the three-layer model is the application layer. This consists of one or more application servers and a message server. Companies use the application server to provide services for the operation of applications in SAP. The message server serves as an "intermediary" between the applications and services, for example, by controlling communication between the individual application servers and determining the load on the application servers. Furthermore, the data is prepared for the user in the application view so that the user can call up the data visually in the presentation layer. At the same time, the user data is forwarded to the database.
The queue determines which support packages the SAP Patch Manager inserts into your system, and in which order. If the queue is not yet fully defined, you must define the queue from the available support packages. If the queue is already fully defined, it is only displayed; you no longer have the ability to change the selection. However, you can delete the queue completely with Queue. Note that your system is inconsistent when you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step and following). The deletion in these SPAM steps should only be used for troubleshooting and you should repeat the insertion of the support packages as soon as possible. The SPAM transaction ensures that only support packages that match your system are displayed in the queue. Support packages intended for another release or an uninstalled add-on will not appear in the queue, even if they are loaded into your SAP system. For more information, see Rules for the Queue. You must define the queue before you insert support packages.
Prerequisites
You have loaded the appropriate support packages with the SPAM into your SAP system.
Procedure
To define a queue, select View/Define SPAM on the entry screen of the transaction. The Select Component dialogue box appears. You will see the list of installed software components (e.g. SAP_BASIS, SAP_HR, SAP_BW, Add-On). Select the desired component. You see the available queue. This queue contains the support packages available for the selected component in your system, and any required Conflict Resolution Transports (CRT), as well as associated Add-On Support Packages. You can: If the queue you see matches your wishes, you can accept the queue with Queue confirm and leave this selection window.
Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.
This brings convenience, flexibility and a degree of freedom without neglecting operational security.
Nevertheless, the entries of the generated files should be checked by one person.