Q. SAP Security T-codes A.

Frequently used security T-codes SU01 Create/ Change User SU01 Create/ Change User PFCG Maintain Roles SU10 Mass Changes SU01D Display User SUIM Reports ST01 Trace SU53 Authorization analysis Q List few security Tables Click here for security tables Q How to create users? Execute transaction SU01 and fill in all the field. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Q What is the difference between USOBX_C and USOBT_C? The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authoritycheck command programmed ). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator. Q What authorization are required to create and maintain user master records?

The following authorization objects are required to create and maintain user master records: • S_USER_GRP: User Master Maintenance: Assign user groups • S_USER_PRO: User Master Maintenance: Assign authorization profile

S_USER_AUT: User Master Maintenance: Create and maintain authorizations Dialog users are used for individual user. Check for expired/initial passwords Possible to change your own password. Check for multiple dialog logon A Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on. A Reference user is, like a System user, a general, nonpersonally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

Q List R/3 User Types
1.

2.

3.

4.

Q What is a derived role? • Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included

(transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before. • The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either. • Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level. Q What is a composite role? • A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles. • Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. • Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison. Follow the link to learn more

Q. What does the different color light mean in profile generator?

A.

Q. What are the different tabs in PFCG?

A. Q What does user compare do? If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report FCG_TIME_DEPENDENCY on a daily. Q. Can we convert Authorization field to Org, field A. Authorization field can be changed to Organization field using PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE Use SE38 or SA38 to run the above report.

Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis. The authentication data may have to be postprocessed in roles.

• The fields "Activity", "ACTVT" and "Transaction code", "TCD" cannot be converted into an organizational level field. In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is

now to become the organizational level field are removed and entered into the organizational level data of the role. Note: Table for Org Element- USORG Refer to Note 323817 for more detail. Q. How many profiles can be assigned to any user master record. A. Maximum Profiles that can be assigned to any user is ~ 312. Table USR04 (Profile assignments for users). This table contains both information on the change status of a user and also the list of the profile names that were assigned to the user. The field PROFS is used for saving the change flag (C = user was created, M = user was changed), and the name of the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user. Q. Can you add a composite role to another composite role? A. No

Q. How to reset SAP* password from oracle database. A. Logon to your database with orasid as user id and run this sql delete from sapSID.usr02 where bname='SAP*' and mandt='XXX'; commit; Where mandt is the client. Now you can login to the client using sap* and password pass

What is user buffer? A. his user buffer contains all authorizations of role USER_SMITH_ROLE.Q. How to find out all roles with T-code SU01? A. as you can use this to test any object. I use authorization object. A role act as container that collect transaction and generates the associated profile. And put SU01 in Transaction code and hit execute (clock with check) button. What is difference between role and profile. a user buffer is built containing all authorizations for that user. Q. Any maintenance of the generated profile should be done using PFCG. When a user logs on to the SAP R/3 System. Developer used to perform this step manually before PFCG was introduced bySAP. The user buffer can be displayed in transaction SU56. Q. Go to the Selection by Authorization Value. In Object 1 put S_TCODE and hit enter. . A. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer. You can use SUIM > Roles by complex criteria or RSUSR070 to find out this. A user would fail an authorization check if: • The authorization object does not exist in the user buffer • The values checked by the application are not assigned to the authorization object in the user buffer • The user buffer contains too many entries and has overflowed. if user Smith logs on to the system. Each user has their own individual user buffer. For example. The profile generator (PFCG) in SAP System automatically generates the corresponding authorization profile.

Execute SE16N Table AGR_1251 Object S_TCODE VALUE (low) SU01 Q. if you have access to SE16 or SE16N. as you can use this to test any object.You can also get this information directly from table. Execute SE16N Table AGR_AGRS Composite roles You can put multiple composite roles using the more button Q. I use authorization object. How can I check all the Organization value for any role? A. And put SU01 in Transaction code and hit execute (clock with check) button. Q. How to find out all the roles for one composite role or a selection of composite roles? A. In Object 1 put S_TCODE and hit enter. How to find out all the derived roles for one or more Master (Parent) roles? A. Q. Go to the Selection by Authorization Value. You can use SUIM >User by complex criteria or (RSUSR002) to find this out. Execute SE16N Table AGR_1252 . Execute SE16N Table AGR_DEFINE Use either agr_name field or Parent_agr field. How to find out all the users who got SU01 ? A.

SU10. You can always download all the information to spreadsheet also using . Hit the change button and go to the role tab and add the roles to be assigned and hit save. What are the Best practices for locking expired users? A. If you have more than 16 users – Click on Authorization data and click on next to users and upload from clipboard . Password rules can be enforced using profile parameter. Let say we are trying to restrict alias DIR_TEMP which is /tmp. How come the users have authorization in PFCG. Go to t-code AL11 > configure > create alias. How to remove duplicate roles with different start and end date from user master? A. Remove all the roles and profiles assigned to the user. Q. Open PFCG and assign t-code AL11. Q. Follow the link to learn more about the profile parameter. but user still complains with no authorization? . Lock the user. Move them to TERM User group. If you have less than 16 users then you can paste the userids. Please refer to note 365841 for more info. You can use PRGN_COMPRESS_TIMES to do this. How do I restrict access to files through AL11? A. Q. Q. First create an alias. How can I add one role to many users? A. and change the authorization for S_DATASET as mentioned below Activity 33 Physical file name /tmp/* Program Name with Search Help * Q. How can be the password rules enforced ? A.Role Type in the role here and hit execute. Q.

InfoSources.A. key figures. How can I have a display all roles. What is SAP? A. Execute Double click on the user id and expand the tree. SUIM > User by complex criteria.Follow the instruction below. If not do the role reorg in PFCG and see if that helps. May be the there is a user buffer overflow Also check the profile. workbooks. Put the userid of user who is having issue. . update rules and extractors for SAP R/3. SAP is the name of the company founded in 1972 under the German name (Systems. Make sure the user master is compared. Q. A. Explain the concept of “Business Content” in SAP Business Information Warehouse? A. All possible activities (ACTVT) are stored in table TACT (transaction SM30). Applications. and also the valid activities for each authorization object can be found in table TACTZ (transaction SE16). Business Content is a pre-configured set of role and taskrelevant information models based on consistent Metadata in the SAP Business Information Warehouse. These information models essentially contain roles. Business Content provides selected roles within a company with the information they need to carry out their tasks. queries. Copy sap_all and open the role and change the activity to 03 and 08 Q. Q. and Products in Data Processing) is the leading ERP (Enterprise Resource Planning) software package. How can I find out all actvt in sap? A. Q. Select the profile in question and see if the authorization is correct or not. InfoCubes. characteristics.

Convert the legacy system data to a flat file and convert flat file into internal table.if success data will transfer). Q. and also with each other. This server is called database server. Transfer the flat file into sap system called “sap data transfer”. Performance — Heavy reporting along with regular OLTP . Q. application and database servers in SAP R/3? A. A sample application provided for faster learning and implementation. Q. the database. Takes care of any enterprise however diverse in operation. What are presentation. The application servers communicate with the presentation components. Call transaction(Write the program explicitly) or create sessions (sessions are created and processed . In R/3 system all the three servers like presentation. The application layer of an R/3 System is made up of the application servers and the message server. spread over the world. application server and database server are located at different system. All the data are stored in a centralized server. What is SAP R/3? A.mySAP. What should be the approach for writing a BDC program? A. What is IDES? A. What are the major benefits of reporting with BW over R/3? Q. Would it be sufficient just to Web-enable R/3 Reports? A.com Business Applications and other selected applications. using the message server. Q. Q. International Demonstration and Education System. A third generation set of highly integrated software modules that performs common business function based on multinational leading practice. Application programs in an R/3 System are run on application servers.

memory. composition facts and dimensions. or yearend — now imagine that occurring even more frequently. Master Data: Master data is data that remains unchanged over a long period of time. What is the difference between OLAP and Data Mining? A. OLAP . often algorithmic. which has reference to the characteristics in the dimension table(s). The Master Data related tables are kept in separate tables. With master data . quarter end. where R/3 was designed for transaction processing. Q. It contains information that is always needed in the same way. The Star Schema consists of the Dimension Tables and the Fact Table. Mining is to build the application to specifically look at detailed analyses. Characteristics can bear master data in BW. Master data and Transaction data A. even more often misappropriate called “reporting. Just take a look at the load put on your system during a month end. a user can run any number of canned or user-designed reports without having to know anything of SQL or the schema.transactions can produce a lot of load both on the R/3 and the database (cpu. What is “Extended Star Schema” and how did it emerge? A. Because of that prior configuration. With a lot of work you can get the same analysis out of R/3 but most likely would be easier from a BW. Data analysis — BW uses a Data Warehouse and OLAP concepts for storing and analyzing data. Define Meta data. the OLAP engine “builds” and executes the appropriate SQL. By simple point-n-clicking. disks.On line Analytical processing is a reporting tool configured to understand your database schema. Q. Meta Data: Data that describes the structure of data or MetaObjects is called Metadata. In other words data about data is known as Meta Data. etc). Q. These separate tables for master data is termed as the Extended Star Schema.

Q. This dataset can be analyzed with a BEx Query or InfoSet Query. Bex Map. Texts. What is AWB?. Variables are parameters of a query that are set in the parameter query definition and are not filled with values until the queries are inserted into workbooks. What is the significance of ODS in BIW? A. The data of an ODS Object can be updated with a delta update into InfoCubes and/or other ODS Objects in the same system or across systems. Formulas. the data in ODS Objects is stored in transparent. Processing types. Bex Web. There are different types of variables which are used in different application: Characteristics variables. Replacement Path. It describes a consolidated dataset from one or more InfoSources. What are variables? A. AWB stands for Administrator WorkBench. analyze information and can execute queries. . texts or hierarchies. monitoring and maintaining all the processes connected with data staging and processing in the business information warehousing.you are dealing with attributes. Bex stands for Business Explorer. flat database tables. An ODS Object serves to store consolidated and debugged transaction data on a document level (atomic level). Q. What is Bex? A. Q. Bex analyzer. Hierarchies and hierarchy node. The queries in workbook can be saved to there respective roles in the Bex browser. Bex has the following components: Bex Browser. Bex enables end user to locate reports. What is its purpose? A. In contrast to multi-dimensional data storage with InfoCubes. Q. Transaction data: Data relating to the day-to-day transactions is the Transaction data. AWB is a tool for controlling. view reports. User entry/Default type.

An authority check is carried out against this object. Q. What is the difference between C (Check) and U (Unmaintained)? A. Then you have to generate the role. Extractors is a data retrieval mechanisms in the SAP source system. The extractor may be able to supply data to more fields than exist in the extract structure. First copy the master role using PFCG to a role with new name you wish to have. · CM (Check/Maintain) . This will help you keep the same derived role name and also the same profile name. . It is a Check Table for Table USOBT_C. How do I change the name of master / parent role keeping the name of derived/child role same? I would like to keep the name of derived /child role same and also the profile associated with the child roles. Which can fill the extract structure of a data source with the data from the SAP source system datasets. The transport automatically includes the Parent roles. What is Extractor? A. the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. Once the new roles are done you can transport it. Background: When defining authorizations using Profile Generator. Now open each derived role and delete the menu.Q. You can put the name of the new master role you created. You determine the authorization checks that can be maintained in the PG using Check Indicators.The PG creates an authorization for this object and field values are displayed for changing. A. Once the menus are removed it will let you put new inheritance. In USOBX_C there are 4 Check Indicators. .

so field values are not displayed. ·U (Unmaintained) .An authority check is carried out against this object.Default values for this authorization can be maintained. . SAP Query also supports different kinds of reports such as basic lists.The PG does not create an authorization for this object. · N (No check) . and ranked lists.The PG does not create an authorization for this object.No default values can be maintained for this authorization. so field values are not displayed. · C (Check) . . is a tool that allows even relatively inexperienced users to create basic lists.The authority check against this object is disabled. SQVI ..The PG does not create an authorization for this object. .No default values can be maintained for this authorization.An authority check is always carried out against this object. statistics. I have created a tutorial for SQVI. so field values are not displayed. .No default values can be maintained for this authorization.No check indicator is set.. . QuickViewer (SQVI). R/3 Security Tips QucikViewer (SQVI) QuickViewer (SQVI) is a tool for generating reports. . . on the other hand. SAP Query offers the user a whole range of options for defining reports.

Do not assign any authorizations for modules you have not yet installed If you intend to gradually add modules to your system. the system inserts the generated profile in the user master record. Please test it. Object S_PROJECT S_PROJECT S_RFC S_RFC Field Value PROJEC * T_ID PROJ_C * ONF ACTVT 03 RFC_NA * ME . You might be asked to give SPRO display while implementing your SAP. This ensures that you cannot accidentally change data in your production system you may need at a later stage. If you then compare the user master records. Leave the corresponding authorizations or organizational levels open. Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile.Tutorial User assignment Never insert generated profiles directly into the user master record (Transaction SU01). Creating SPRO Display only. it is important you do not assign any authorizations for those modules you have not yet installed. Igenerally give these authoriztion to make it display only.

On the next screen. Assign a data element from the ABAP Dictionary to the field. For example. you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system. If you create a new authorization object. enter the name of the field. To create an authorization field.S_RFC S_TABU_CLI RFC_TY * PE CLIIDM ' AINT DICBER * CLS Deactivate or remove PIEC and TASK S_TABU_DIS ACTVT 03 S_TABU_DIS S_TRANSPR TTYPE T S_CODE REMOV SPRO E Creating Authorization Fields In authorization objects. you do not need to define your own fields. . authorization fields represent the values to be tested during authorization checks. You can often use the fields defined by SAP in your own authorization objects. Choose Create authorization field. 3. choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields. proceed as follows: 1. Field names must be unique and must begin with the letter Y or Z. 2. To create authorization fields.

Development --> Other tools --> Authorization objects --> Objects. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects. You can enter up to ten authorization fields in an object definition. To create authorization fields. Locking Security Holes through IMG transactions Even though you have restricted your users from SU01 or PFCG (to modifiy themselves or other people) they can get into these areas by the different IMG transaction codes. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object. choose Tools --> ABAP Workbench. If your core team or user community has access to: OY20 OY21 OY22 OY24 OY25 OY27 OY28 Authorizations User profiles Create subadministrator Client maintenance CS BC: Set up Client Create Super User Deactivate SAP* Security Tables Table USR02 Description Logon data . Enter a unique object name and the fields that belong to the object.Creating Authorization Objects An authorization object groups together up to ten authorization fields that are checked together in an authorization check.

e. profile has sub profile) Text for authorisation profiles Authorisation values Short text for authorisation Tabl for illegal passwords User groups Text table for USGRP Change history for logon data User Master (runtime data) Address Data for users Name of the activity group profile Name of the activity group profile .e.USR04 UST04 USR10 UST10C USR11 USR12 USR13 USR40 USGRP USGRPT USH02 USR01 USER_ADDR AGR_1016 AGR_1016B User master authorization (one row per user) User profiles (multiple rows per user) Authorisation profiles (i. &_SAP_ALL) Composit profiles (i.

Cus Time Stamp for Role: Including profile Assignment of roles to users Relation transaction to .Customer vers Role menu texts Assignment of Menu Nodes to Role Profile name for role Assignment of roles to Tcodes File Structure for Hierarchical Menu .AGR_1250 AGR_1251 AGR_1252 AGR_AGRS AGR_DEFINE AGR_HIER2 AGR_HIERT AGR_OBJ AGR_PROF AGR_TCDTXT AGR_TEXTS AGR_TIME AGR_USERS USOBT Authorization data for the activity group Authorization data for the activity group Organizational elements for authorizations Roles in Composite Roles Role definition Menu structure information .

authorization object (SAP) USOBT_C USOBX USOBXFLAGS USOBX_C Relation Transaction to Auth. Object (Customer) Check table for table USOBT Temporary table for storing USOBX/T* chang Check Table for Table USOBT_C R/3 Security Tcodes .

Audit Check a m ol s W -tr e cl la in a u -e s t T o ta m > a Cl ie ti s r P M t > a e rr bl A ie n o y > u e S h C s m a I k e d s t st C u A rn et y U o C fo > D S M b a > m B t c 1. n Fi a fu M U s io at m U D di of o P p a e cr h it u ti k m r u 2 I e _ t el p r ff b is ll n ai 0 e n o et > s is R a m r n d C e o t a o a P M al M B o e et tr U t > ct n 3 rs of O e pl V I li u p o a rt / s at P r h s n u e ly G n > rt r w a p h P io t R P rs w a _ nf 3 st t s fil g of D tr M e r o at s r n cr C O G a m t ti g / e Z s r S n y B A s h fr e C o ai c a of ri fa m p u e t ) s r c n 1 o of a U D ) R r b o M m h w n k u > z S il ai o P at > h M c y t n fil a 0 il Transport d 2 a c A G y ri m ai nl s ta I t U e n s a e B ai t > st di d _ n e 5 t e r . at z c o p M in n h G s ti 2 d ti te e t p a r n -T y ff M al c s P a V io bj at x P t k T d e o 4 n o h r si T ta m st > 2 ai s e u a _ io u S in P d rt < e ic ri r n a of n s in I > T a s) r C a. 5 > 8 h e s r k .A S Cl R L I M C T Li T B r y ie e n ai o st o T S A e s c st n m ol of ol a o y P at t ot al ta p s End User R/3 Security. o hi e in a di r e a 1 in A S cr Li -rt pl n al g o y e 1 o a U e t ai ff in m i ( n s r S U at c a y D ( bl u e st > s o M g ly t n A T c r 0 d Profile Generator Configuration 0 e h t V v s di . e C s d n p u a s 3 I ri M r A is U D S G u S i A C I M e m o P s d t nf z S > pl 5 Role Administration is U A t e n P rt o ni p S r i s a d e a o at -m U a 3 pl 5 c h is W ( p y ti r m n T e t M r m io > 2 M i ti c P M y a 6 ti h vi tr o b y ( al of -a is r ai e m L C 5 ai n li u e la ti P y vi ri c a r et ( w C il > st tr n a s at D o : n is ti r st F u o t < P z ti k w b it u C e a ta s/ > io bj c S ta n tr e p u a C s n y F > at s b e et hi st p o r ti M S in d U n k fi e in a s o P u G e User Administration : o U D io e w a n in C a U ef s S ct tr cr g T l r ti s a t a r E D -e o m r fi di n s P h o a e T S y s ip u r ol o e t h b c n P M e v > cl a g al s C e ul r d M st (I ti a c e n > h o r uf t u e > el T U h ie n r m o ti M S G c ts P 3 e ni o a n t: M s D ri a fe e r n o a cl s T et g. e o r M D S ct c r y di oi of n u m a z e B C n S il ol a E O r n D m e li P c t b C p e D y E cl fi m a p s c n R o S P pl t at r u h C c C e o x f t a s at s) n r k > o A st E el ti M et Z T t U ol n C a o io at ff e L e C s m si o h p a t e _i n M D U c R s d u 4 T R 8 0 1 s M 3 2 C t r n o e c 9 p g r o e at cl t n a is s al ol e 3 ) * 4 s) n 1 0 m S rs . > ai U e k o / r D S ai 0 m n ti s T C a u is ty r n r p u bl T ts ie y A e a U 0 n I p o is U ( fo al ct of r h n si > pl c U S p o P m e > r in n st d bl rs ti T s ta 1 e n a fil pl 0 ta T r io s o U u n M C h s U M S ri s a D di ts m .

A m a T M s c e n d r e ti o a h x ts m e n d ol o m a ts T s n e M to a S C _ e ta bl y o c There comes a time when you have to deal with auditors.com SAP R/3 user ID SAP* and other system user id has been _ e o adequately secured. SAP R/3 user ID SAP* and other system user id has been adequately secured. A n Access Restriction: SCC4 and SE06 T c S_DEVELOP is secured ) e Change management is secured and controlled Transport access to production is restricted Developer access in production Change critical number range is restricted Custom tables has authorization group Locking of sensitive systems transaction codes BDC user types should has only required access Run Program in the back ground Changes to critical SAP R/3 tables are logged Scheduling and Monitoring Batch jobs Access to run reports should be restricted. Performed the following steps to confirm that user ID SAP* has been adequately secured: . ( n m t If V t h you feel I should add more email me admin@sapecc. I have n bl e s > d a together a check list to go through. Critical and custom SAP R/3 tables are restricted. If this is a new put u M t A e s implementation you should go through this and may be you can s ai e u impress your boss. D n ri D a z The production system has been set to productive.

• • Who has sap_all andsap_new Execute transaction code SUIM Click on “User” Click on “List of users according to complex selection criteria”. The SAP_ALL profile should only be assigned to a minimal number of users on the system. The default SAP R/3 passwords for DDIC. . and run report RSUSR003. Reviewed RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value =0). Enter SAP_ALL in the Profile field and click Execution button Execute transaction code SUIM Click on “User” Click on “List of users according to complex selection criteria”.• Verified whether default password of SAP* was changed in all production clients: Execute transaction code SA38. Click on “By user profiles”. Click on “By user profiles”. Enter SAP_NEW in the Profile field and click on the Execution button Risk: The SAP_ALL profile grants a user full/complete access to all functions in the SAP system and has the potential to be misused.

the IDs could potentially be misused To review any passwords which are not allowed for users to use: Execute transaction code: SE16 Table name: USR40 Risk: Table USR40 is used to prevent users from using a list of commonly guessed passwords.SAPCPIC and EarlyWatch (in client 066) have been changed and access restricted to the super user.SUPPORT • Default passwords that should be changed: • SAP* • DDIC • SAPCPIC • EarlyWatch Risk: SAP comes supplied with a number of default user IDs.ADMIN .19920706 . SAPCPIC and EarlyWatch have been changed and access restricted to the super user ID: • • Execute transaction: SA38 Program: RSUSR003 . all of which have default passwords. If it is not used it increases the possibility that users could select trivial passwords or you can use profile parameter to do this The SAP R/3 system profile parameters have . Performed the following procedures to verify that the default SAP R/3 passwords for DDIC. The passwords to these IDs are well known.PASS . and therefore if they are not changed.

been set to appropriate values. Performed the following procedures to determine whether the SAP R/3 system profile parameters have been set to appropriate values: click here for more deail on profile parameter R/3 Security. There are various company codes that come as default within SAP. SOX team/ Security team should perform the following steps: Execute transaction code: OBR3 . This is to ensure that only the company codes that are being used should be checked and setup as productive.Audit Check The production system has been set to productive. To verify that the company codes utilized in the SAP R/3 systems are set to productive.

without going through the appropriate change management process.Review “Productive” column and ensure applicable global settings have not been checked off. Verify that changes to client dependent and client independent objects are not allowed and that the client is set to productive. If these transactions are not appropriately set there is a risk that unauthorized changes may be made directly in the production system. Performed the following steps to verify that production client settings have been flagged to not allow changes to programs and configuration: Execute transaction code SCC4 (all clients) and SE06 Double click on the applicable production client. R/3 Security. Performed the following steps to verify that the ability to make changes to client and system settings is restricted and access . The production client settings have been flagged to not allow changes to programs and configuration.Audit Check Access Restriction: SCC4 and SE06 Transaction codes SCC4 and SE06 are critical transactions which can be used to prevent direct changes being made to the production system.

privileges are appropriately assigned based on job responsibilities. Perform the following steps Query 1 Execute transaction code: SUIM Select User by complex criteria Authorization object: S_TCODE Transaction code value: SCC4 Authorization object: S_TABU_DIS Activity: 02 and 03 Authorization Group: SS Authorization object: S_TABU_CLI Indicator for cross client maintenance: X Query 2 Execute transaction code: SUIM Authorization object: S_TCODE Transaction code value: SCC4 Authorization object: S_ADMI_FCD System Administration Function: T000 Authorization object: S_CTS_ADMI Administration task: INIT Query 3 .

Execute transaction code: SUIM Authorization object: S_TCODE Transaction code value: SE06 Authorization Objects: s_transprt Activity Value: * Request Type: * Authorization Objects: s_cts_admi Administration Task: RELE S_DEVELOP is secured Only the SAP R/3 super user has S_DEVELOP authorization object with critical activity values in the production system. Performed the following procedures to verify that only super user has S_DEVELOP authorization object with critical activity values in the production system: Query Execute transaction code: SUIM S_TCODE: SE38 .

Authorization Object: S_DEVELOP All fields: “*” Risk: The risk here is that users who have this access. Change management is secured and controlled Performed the following procedures to ensure that SAP R/3 change management environment provides a secure and controlled structure for software changes. enter the table name and choose option Display. note various transport layers. Start the transaction SE16. TCEDELI Recipient systems . Such access should be restricted to developers in the development system only. have the ability to perform development related functions in the production system. TCETRAL Cross Transports Inspecte the table TCETRAL. Reviewed transport layers . TCESYST Environments Inspect the table TCESYST which details the various environments.

Transport access to production is restricted Performed the following procedures to verify that the ability to make transports to production is restricted and access privileges are appropriately assigned based on job responsibilities: Risk: The risk here is that users who have this access. have the ability to move code from the development environment to the production environment.Inspect the table TCEDELI which details with SAP systems receive released transports. Executed transaction: SUIM Authorization object: S_TCODE Transaction code value: SE11 Authorization Object: S_TRANSPRT Activity value: 01 OR 43 Request Type: DTRA OR CUST Developer access in production .

have the ability to maintain the SAP database (data dictionary). Identify users who can do development in Production Execute transaction code: SUIM S_TCODE: SE38 Authorization Object: S_DEVELOP Activity: 02 and 03 All fields: LEAVE BLANK All fields: “*” .The ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities. Performed the following procedures to verify that the ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities: Executed transaction: SUIM Authorization object: S_TCODE Transaction code value: SE11 Authorization object: S_DEVELOP Activity value: 01 or 02 Other fields: “*” Risk: The risk here is that users who have this access.

Such access should be restricted to developers in the development system only. have the ability to perform development related functions in the production system. Execute transaction code: SUIM S_TCODE: SE38 Authorization Object: S_DEVELOP Development Object ID: PROG Activity: 02 All fields: “*” AND LEAVE BLANK Risk: The risk here is that users who have this access. Change critical number range is restricted. (company code.Risk: The risk here is that users who have this access. charts of accounts etc.) Performed the following procedures to verify that the SAP system appropriately restricts the ability to change critical number . Such access should be restricted to developers in the development system only. Execute transaction code: SE16 Table Name: DEVACCESS Risk: Developer key is required along with the open system to make changes within production. have the ability to perform development related functions in the production system.

ranges (i.). Query .. Custom tables has auth group Performed the following procedures to verify that all customized SAP R/3 tables have been assigned to the appropriate authorization group: Executed transaction code: SE16 Table name: TDDAT Table name: Z*.e. Y* Risk: If tables are not assigned to authorization groups it is not possible to appropriately control direct access to tables. Execute transaction code SUIM Authorization object: S_TCODE Transaction code value: SNRO Authorization object: S_NUMBER Activity: 02 Number of number range: “*” Risk: The risk here is that users who have this access. have the ability to maintain critical number ranges. etc. chart of accounts. Locking of sensitive systems transaction codes in Production environment. company codes. accounting period data.

The risk therefore is that these transactions be accidentally run. or run with malicious intent. Query Generated a list of users who have access to lock/unlock transaction codes.The authorization to lock and unlock transaction codes should only granted to selected few users. This also applies to costumer developed tcodes provided they are entered in table TSTCA through transaction code SE93 Do check using the following report in production who has this access. Execute transaction: SM01 OR Execute transaction: SE16 Table Name: TSTC C info field: 20 to 20 Risk: SAP recommends that certain sensitive transactions be locked in the production system to prevent accidental or malicious use. Execute transaction code: SUIM S_TCODE: SM01 Authorization object: S_ADMI_FCD Field value: TLCK (lock/unlock transactions) .

Click on “By user ID”. Such IDs could potentially be misused. which is excessive based on the typical needs for these IDs. An overview of jobs scheduled in the SAP R/3 system is performed regularly. Click on “Other view” twice to display the user type for all listed user IDs. Then execute by clicking on the small green check mark. Risk: The risk here is that these IDs have been provided “super user” access rights. . performed the following steps: Execute transaction code SUIM Click on “User” Click on “List of users according to complex selection criteria”. Click on “Incorrect” Tab. Don't need sap_all To verify that BDC users are assigned only authorizations to perform the required task. Performed the following steps to produce a listing of batch input sessions: Execute transaction code SM35 Enter a * in the “Session name” field and “Created By” field. BDC user types should has only required access.Risk: These users have the ability to lock or unlock sensitive transactions which should not be run in the production system.

Risk: If batch sessions are not monitored on a regular basis. have the ability to run programs directly in the background. S_BTCH_NAM can be used to schedule jobs under a different user id. S_BTCH_ADM should be granted to batch administrator and not to all the users. The other authorization like delete change andmove should only be assigned to the batch adminstrator. Activity PROT is required to display log. To check who all have acces to this production follow the instruction below Execute transaction code SUIM S_tcode: SM36/SM37 Authorization Objects: S_BTCH_JOB.: “*” Risk: The risk here is that users who have this access. there is a risk that important batch sessions will contain errors or not be completely processed and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis Run Program in the back ground By default user is allowed to schedule reports for background processing. but cannot release. Authorization for to release jobs is controlled by S_BTCH_JOB. This is a critical authorization can release other users jobs. Controls access to jobs in all clients of a system. bypassing . Never give * as this would allow the user to start batch jobs under any user id. S_BTCH_NAM Job Operations: RELE: Summary of jobs for a group: “*” Background user ID. Activity RELE is needed to release jobs.

If you use name range then naming convetion should be used properly.transaction level security in SAP. table DD09L and noted that tables have been selected for logging. You can restrict the privileages tocertain sesssion byentering the respective session name or name range. Batch input . Execute transaction code SUIM S_tcode: SM35 Authorization Objects: S_BDC_MONI Batch Input monitoring activity: “*” Session Name: “*” Risk: The risk here is that users who have this access.SM35 Batch input transaction code SM35 needs authorizationforobject S_BDC_MONI. Run transaction SE16. have the ability to process batch transactions without being explicitly authorized to do so. and could potentially run programs /transactions they are not explicitly authorized to run. Query Execute transaction code: SUIM S_TCODE: SE01 Authorization object: S_TRANSPRT Activity: 02 . Changes to critical SAP R/3 tables are logged and management regularly reviews the logs.

Such access should be restricted to basis administrators only. Activity PROT is required to display log. Controls access to jobs in all clients of a system. To check who all have acces to this production follow the instruction below. This is a critical authorization can release other users jobs. S_BTCH_NAM can be used to schedule jobs under a different user id. Scheduling Batch jobs By default user is allowed to schedule reports for background processing. RSUSR002 S_tcode: SM36 (Schedule) Authorization Object: S_BTCH_JOB . S_BTCH_ADM should be granted to batch administrator and not to all the users. Activity RELE is needed to release jobs. The other authorization like delete change andmove should only be assigned to the batch adminstrator. Never give * as this would allow the user to start batch jobs under any user id.Field Object in Workbench Organizer: UPGR Risk: The risk here is that users who have this access. but cannot release. Authorization for to release jobs is controlled by S_BTCH_JOB. Performed the following steps to verify which users have the ability to change the SAP R/3 job schedule: Execute transaction code SA38. have the ability to transport matchcodes into the production system.

Risk: If jobs are not monitored on a regular basis. “*” Risk: The risk here is that users who have this access. Monitoring Batch jobs Run transaction SM37 to check if any of the jobs that had been during the last year are still active. have the ability to run programs directly. Execute transaction code SUIM S_tcode: SA38 Authorization Objects: S_PROGRAM User action ABAP program: SUBMIT ( foreground and background) Authorization Group: *. bypassing transaction level . there is a risk that jobs will not run to completion and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis Access to run reports should be restricted.Job Operations: RELE Summary of jobs for a group: “*”. * Risk: The potential risk here is that users who have this access. and could potentially run programs or transactions they are not explicitly authorized to run. bypassing transaction level security in SAP. have the ability to run programs directly in the background.

security in SAP. Critical and custom SAP R/3 tables are restricted. and could potentially run programs /transactions they are not explicitly authorized to run. Execute transaction SUIM Authorization Object: S_TCODE . This includes transactional. have the ability to maintain table data directly in the production system. masterfile. ABAP/4 utilities to copy and delete programs) Authorization Group: * Risk: The risk here is that users who have this access. Execute transaction code SUIM S_tcode: SA38 Authorization Objects: S_PROGRAM User action ABAP program: EDIT (maintain attributes. have the ability to maintain program attributes. Execute transaction SUIM Authorization Object: S_TCODE Transaction Code: SM31 (enhanced tables maintenance) Authorization object: S_TABU_DIS Activity: 02 AND 03 Risk: The risk here is that users who have this access. security and configuration data. text elements.

SAP BW enables analysis and interpretation as well as the distribution of this information. Since all transactions are secured by S_Tcode this control is still effective. Introduction SAP Business Information Warehouse (SAP BW) as a core component of SAP NetWeaver data warehousing functionality.Transaction Code: SM31 Authorization object: S_TABU_DIS Activity: 02 AND 03 Authorization Object: S_TABU_CLI Identify if custom transactions have references to authorization objects. provides both a business intelligence platform and a suite of business intelligence tools. With the tool set provided. sound decisions can be made and goal oriented activities can be initiated. With extensive predefined . relevant business information can be integrated into SAP BW and transformed and consolidated there. Based on this analysis. Verified in table TSTC that the majority were secured by Authorization objects. Execute transaction code: SE16 Table name: TSTCA / TSTC TCODE: Z* Check table TSTCA and verified that no Z transactions existed.

Technically they are treated in the same way. In your project you need expertise in the area of . 1. With these objects you can specify which part of the data within an InfoProvider a user is allowed to see. system administration tasks. Reporting authorization objects: For more granular authorization checks on an InfoProvider’s data you need another type of authorization objects defined by the customer. However.information models provided for the various roles in a company (BI Content). Standard authorization objects: This type of authorization objects is provided by SAP and covers all checks for e. SAP BW Authorization Specifics In an SAP BW system there are two different types of authorization objects. This is an additional step that needs to be treated with care because the structure of the authorization objects determines the possible use in regards to selections. the design of reporting authorizations is more complex because you need to design the reporting authorization objects first.g. SAP BW also increases the usability of these analyses and enables a quick. cleanup and storage of data. data modelling tasks. It also signifies the extraction of data for analysis and interpretation. data extraction and the management of the data warehouse management processes. 2. cost-effective implementation. Data warehousing in SAP BW represents the integration. Both types of authorization objects use the same authorization framework. combinations and granularity. consolidation. The data warehousing process includes data modeling. and for granting access to InfoProviders for reporting. For this type of authorizations the same concept and technique is used as in an SAP R/3 system. transformation.

More Setting up RFC to R3 system BW RFC / ALE Setup. create update rules for InfoCubes. Then. and set up source systems. explaining how to link a BW system to an EP system... . User Type in BW There are different types of users in SAP BW.. InfoAreas. you should create a system (not a dialog) user called BWALE. ." read more about how to secure administrator users click here Using Workbooks model Generally power user create query to suit their teams needs and save the results in a workbook. and InfoObjects. Some people may refer to them as "power users" or "data analysts. knowledge of the basis authorization framework is not sufficient. BWALE should have the authorization profile (not Role)S_BI-WHM_RFC…." To read more about how to secure reporting users click here There are also users who develop new queries. .. monitor performance. These people could be considered "reporting users" or "end users. They also schedule data loads." The users who develop queries may also create new workbooks and may be responsible for publishing that information to the right audience..More Linking BW to Enterprise Portal (EP) Step-by-step list. The users who do these tasks are normally referred to as "administration users.More Transaction Code in BW . They may want to save the workbooks to their Favorites folder for easy retrieval later.reporting authorizations.In SAP BW. there are users who create new objects like InfoCubes. or they may want to save the workbooks to a location where other users can execute the same workbook. Most of your users will be the users who execute queries and workbooks.

which is used by SAP BW administrator • Reporting User Security Authorization Objects Used Primarily by Reporting Users In order to execute any query. S_RS_COMP is a powerful object that enables you to make choices on how to secure. and set up source systems. you must have access to S_RS_ICUBE. plant. They also schedule data loads. The . or InfoCube. create update rules for InfoCubes. and another field that relates to the InfoCube. S_RS_COMP. There is one field in S_RS_COMP that relates to the query. which is used to create and execute queries RSA1: Launches the Administrator Workbench. monitor performance. InfoAreas.• RRMX: Launches the BEx Analyzer. This gives you the option to secure by query name. InfoArea. S_RS_COMP1 and S_RS_FOLD. Tips • InfoArea = group of InfoCubes • InfoCube = actual data • InfoObject=field (for example: company code. or cost center) Administrator There are users who create new objects like InfoCubes. and InfoObjects.

There are two fields in this object: Activity and Administrator Workbench Object. The primary objects used are: S_RS_ADMWB: Administrator Workbench .Objects Authorization object S_RS_ADMWB is the most critical authorization object in administration protection." Some of the common tasks performed by administration users are: • Set up and maintain different source systems and connections to SAP BW • Manage metadata and define new InfoObjects.users who do these tasks are normally referred to as "administration users. DataSources. maintaining InfoObjects . The possible values for the Administrator Workbench field are: • • SourceSys: Working with a source system InfoObject:Creating. When you do anything in transaction code RSA1. object S_RS_ADMWB is the first object checked. and InfoSources DesignInfoCubes • Create transfer rules and update rules • • Schedule and monitor data-loading processes Administration authorization objects are primarily used when doing anything in the Administrator Workbench (transaction codeRSA1). Each of the two fields can have a variety of values.

• Maintain . document . Administrator Workbench. InfoPackage. Reporting Agent settings. application component. master data. InfoObject. monitor. InfoPackage group. hierarchies. InfoArea.• Monitor: monitoring data brought over from the source systems • Workbench: Checked as you execute transaction code RSA1 • • InfoArea:Creating and maintaining InfoAreas ApplComp: Limiting which application components you can access InfoPackage: Creating and scheduling InfoPackages for data extraction • • Metadata: Replication and management of the metadata repository The following list shows possible values for the Activity field.23 • Update metadata . metadata.66 Other Authoization objects for Admin user Authorization object/ Technical name Administrator Workbench -Objects S_RS_ADMWB Description Authorizations for working with individual objects of the Administrator Workbench.03 • Execute-16 • Administer document storage . Reporting Agent package. transaction data). In detail. documents (for metadata. these are: source system. settings.

Support Package 1.0B. . Authorizations for working with InfoSources with flexible updating and their sub-objects Administrator Workbench InfoSource (flexible update) S_RS_ISOUR Administrator Workbench InfoSource (direct update) S_RS_ISRCM Administrator Workbench InfoCube S_RS_ICUBE Administrator Workbench MultiProvider Authorizations for working with InfoSources with direct updating and their sub-objects Authorizations for working with InfoCubes and their sub-objects Authorizations for working with MultiProviders and their sub-objects Until BW 3.0A. General authorization protection for InfoObjects still works as in the past.store administration. InfoSpoke. Administrator Workbench InfoObject S_RS_IOBJ Authorizations for working with individual InfoObjects and their sub-objects Until Release 3. only general authorization protection was possible with authorization object S_RS_ADMWB. Special protection with S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.

explaining how to link a BW system to an EP system. (Note: Those are the personal notes an EP novice.S_RS_MPRO authorizations for MultiProviders were checked by using the authorization object S_RS_ICUBE. Support Package 2. this can be maintained. As of BW 3. object S_RS_ODSO Administrator Authorizations for working with InfoSets Workbench .InfoSet S_RS_ISET Administrator Workbench hierarchy S_RS_HIER Authorizations for working with hierarchies Administrator Authorizations for processing master data Workbench – Master in the Administrator Workbench data maintenance S_RS_IOMAD Linking BW to Enterprise Portal (EP) Summary Step-by-step list.0B. they should not be used as a reference!) . choose in Customizing under Business Information Warehouse ® General BW Settings ® Settings for Authorizations. or you can change the check over to the authorization object S_RS_MPRO. Administrator Authorizations for working with ODS Workbench – ODS objects and their sub-objects. To do this.

5) to an Enterprise Portal (release BW6. Before diving into the subject matter. things depend partially on your local IT infrastructure. 2.0): In the following article. I want to share my experience in linking a BW System (release BW3. just a warning: The steps before worked for me. I admit. .Linking a BW System to the Enterprise Portal (EP6. After browsing through the documentation and some system settings. Given this. I want to note that I am fairly technically experienced in the BW system. For any serious activities. however so far only had very limited exposure to the EP. You will see a screen "System Landscape Editor". Also. lets give it a try". after about 2 hours I had successfully built (and tested) the connection (again. [Before I go into details. Right-Click on "Portal Content".] Those were the steps I had to take (btw. then "System". with NO prior experience in this area at all)! (Ok. you should make sure to either receive the proper training. On a second thought. I had super user rights on the EP): 1. first I was ready to hand over the task of linking the two systems to an experienced colleague. or to consult with an expert in the respective area. and on the left to it "Portal Content". however. some of my statements below *could* be incorrect. However results may vary.0SP2). choose "System Administration". I said to myself "heck. and choose New >> System". 5 minutes counseling by an EP expert probably had helped as well). or to J2EE platforms in general. Once logged into the EP. then "System Configuration".

Enter the following: System Name (here I choose the 3 digit system name from the logon.com") Logical System ID (you can get from table T000 in the BW system. like in my case). 4. you can get this e. BW) Then save as system. like "BW1") SAP System Number (you get this e.g. something like BW1?) System ID (here I choose the logical system ID.g. it?s the number which comes after the Application host.3. Choose "SAP_R3_LoadBalacing" (if your system is load balanced. from the query URL string mentioned above. and maintain the following fields: Application Host (the address of the host. something like ? usbw0101.xxx.g. from table T000 in the BW system) System ID Prefex (a prefix to find and group your settings.g. 1. Choose "Property Category = Connector". something like "BW1CLNT003") SAP Client (BW client name) SAP System Name (here I entered the 3 letter system name.g. ?8100?) System Template Name (here I used again the logical system ID . from the BW WAD from a web query URL string. it?s what comes after http:// and before ?:[port]". Click "next". e. like BW1CLNTT003.g. from the BW logon properties) Server Port (this again you get e. you can get this e. e. The System Wizard comes up. Click "next".

800}Client. something like "usbw0101. choose "System Aliases". then "Support". Choose "Property Category = WAS". "BW1") WAS host name (same as application host above. Create and save a new "System Alias". Still from the same screen.Language") User Mapping Type ("admin. Final Step: Now you are ready to test the system connection! For this purpose.xxx.com:8100") WAS path "/sap/bw/bex" WAS protocol ("http") 1.from above) System Type ("SAP_BW".e. I went to "User Administration". I picked the logical system ID "BW1CLNT003" as system alias. i. of course) 1. and saved this. user") Save all your settings. Choose "Property Category = User Management". and push ?Run?. Almost finished: As a next step. e. 2. I had to perform what?s called ?user mapping? (so the EP can talk to the BW on behalf of a specific user). I searched (in this case) for my user in "Users". and maintained the login settings. Basically. but together with port number from above. and maintain the following: Logon Method ("SAPLOGONTICKET"). and maintain the following fields: WAS description (same as System Name above. from here to "SAP Application". User mapping fields ("{003. Under "Tool" select "BWReport". Select your BW system. then (under "Logon Data for System") selected the BW system. 1.g. the "User Mapping". go to "System Administration". and a BEx Web .

g. and services needed to accomplish their daily tasks. Links to back-end and legacy applications. and you should see the query results right in your Portal! Enterprise Portal SAP Enterprise Portal offers users a single point of access to all applications. Have a proxy server installed and place it in DMZ.Application Query String (you can use the string from the WAD URL above. information. Portal Architecture overview The security features of SAP Enterprise Portal include: •Authentication – Confirms or denies user identity through user ID and password. Execute. selfservice applications. company intranet services. and Internet services are all readily available in the user’s portal. This can be done by using the existing LDAP Server •Authorization – Enforces role-based authorization for all content under the administrative control of the portal and prevents unauthorized access. Follow the link below at the bottom of this page for installing proxy server. e. like? cmd=ldoc&TEMPLATE_ID=LSTEMP?). The advantage is you don’t have your portal server facing the world. If you plan to have external users (internet users ) access your portal or backend system. and disadvantage is that you . basically the piece which starts with "cmd".

This means once you signon to your windows operating system. Then you have to enable SSO between Protal and R3 system so that you don’t have to sign on to R3 or any other SAP system if . an SSO mechanism maps portal authentication information to each application for which a user holds predefined access permissions.have additional hardware. In a portal environment. You can have SSO enable for Portal using third party tool like Siteminder from Netegrity. This reduces user frustration. I can hide the port number from users.you don’t have to sign on to portal again. Single Sign-On (SSO) Single Sign-On (SSO) provides secure access to multiple systems without requiring users to reenter ID and password information for each application. This will use Windows authentication. I prefer proxy server for internal users also. providing enhanced interaction with enterprise resources via the portal.

You can have additional layer of security by giving them secureid or digital certificate.. Some systems reside in a dedicated network zone in the intranet but many systems reside on different networks or on the Internet. in the SAP HR system. including SAP and non-SAP Systems.. • Users need to have different IDs and passwords to access these systems. Logon ticket.more If you are one of those admin who faces few of the issues listed below • Users access multiple systems. the user has to change his or her password every 30 days. This example is based on a Red Hat Linux installation and is transferable to all other operating systems. . the user has to change the password every 90 days. Apache Configuration for J2EE Web Applications This document explains and describes how to set up the Apache Web server for use with the SAP J2EE Engine. In the next system. verifies the digital signature. For example.. . If you plan to have external users access your portal / backend system. The administrator is constantly resetting passwords. and extracts the appropriate user ID. This can be done using SAP logon. What does this lead to? Users forget their passwords. the user does not need to regularly change his or her password at all. • Each of these systems also maintains its own password policy.0. Keep in mind that this makes social engineering much easier.you are accessing data from any of these systems. It will give you instructions how to configure the Apache with Proxy Mode The backend used in the tests was a SAP J2EE Server running Enterprise Portal 6. In another system.

SSO users access multiple systems based on single authentication. .Solution is Single Sing On.

Sign up to vote on this title
UsefulNot useful