Friday, September 12, 2008

G/L And Sub Ledger Reconciliation

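During engagements and client interviews,
I often hear clients say:
"Our SAP consultant told me that the sub-ledger and the general ledger are posted automatically and in real time, so there is no need to reconcile the sub-ledger to the general ledger…"

That sounds right,
but is it really?

For this claim to hold,
many prerequisites and parameters have to be configured,
for example the Reconciliation Account.
I will explain these another time when I get the chance.

But my experience tells me
that some clients do run into cases where the sub-ledger and the general ledger do not agree,
so I still recommend performing the reconciliation.

So how do you reconcile the sub-ledger to the general ledger?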

SAP R/3

Report RFDOPO00 (A/R open items) to reconcile the balance sheet A/R
Report RFKOPO00 (A/P open items) to reconcile the balance sheet A/P
FI Ledger Reconciliation Report (SAPF190)

SAP ECC

Report RFDOPO00 is obsolete, use RFDEPL00 instead
Report RFKOPO00 is obsolete, use RFKEPL00 instead
FI Ledger Reconciliation Report (SAPF190)
Report RABEST01 (Asset Balances) to reconcile the balance sheet Asset, or transaction code ABST, ABST2




Thursday, August 21, 2008

SOD - KAH1 and F.19?

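Yesterday I received a message from a Senior Manager in Shanghai
asking why we care about this segregation-of-duties conflict: KAH1 and F.19?

To be honest, this rule is odd and makes little sense.
KAH1 is Create Cost element group.
F.19 is Analyze GR/IR Clearing Accounts and Display Acquisition Tax.
What risk is there in giving both tasks to the same person?
The client's risk description is: manipulate cc report to hide journal entry...
But what is there to hide in a journal entry? And how would you hide it?

While I was at it, I looked at the Field Values for F.19.
Object: the default field value for both F_BKPF_KOA & F_SKA1_BUK is 03!
What can you do with display-only authorization?
If it really has to be classified, this should be a Confidential SOD.
I don't think it has any effect on the audit.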


Thursday, May 15, 2008

Audit of SAP multiple logons

SAP allows multiple logons. When a user attempts to log on again, SAP shows three options, and one of the messages reads:
If you continue with this logon without ending any existing logons to system, this will be logged in the system. SAP reserves the right to view this information.

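As stated above, SAP records multiple-logon information. Where is it recorded, and how can you view it?

Use T-code SE16 to view table USR41_MLD. The 'Counter' field tells you how many times the user has continued with a multiple logon.

But what is the use of looking at this? It probably has no effect on the FS....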

Disable SAP USERS to logon multiple times

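How do you configure the system to disable multiple logons?

Use T-code RZ10 to set the parameter login/disable_multi_gui_login:

  • 0 => not enabled; multiple logons are allowed
  • 1 => enabled; multiple logons are not allowed

What if only a few people should be allowed multiple logons and everyone else should not?

In addition to setting login/disable_multi_gui_login = 1 as above, set the parameter login/multi_login_users to the user accounts that are allowed multiple logons, separating the accounts with a comma "," and leaving no blanks, then restart R/3.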

Maximum No. of SAP Session Per User

SAP 4.6x allows each user to open 6 sessions by default. To change this, use T-code RZ10 to modify the parameter rdisp/max_alt_modes. For the change to take effect, R/3 must of course be restarted.
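
The three parameters above can be reviewed together when auditing an instance profile. The following is an added example, not part of the original post or of any SAP tool: it parses a constructed profile excerpt and flags the settings discussed here. The account names, the approved-exception list and the session baseline of 6 are assumptions.

```python
# Constructed instance profile excerpt, not taken from a real system.
SAMPLE_PROFILE = """\
# multiple-logon settings
login/disable_multi_gui_login = 1
login/multi_login_users = BASIS01, FIREFIGHT1,TESTUSER9
rdisp/max_alt_modes = 10
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_multi_logon(params, approved=frozenset(), session_baseline=6):
    """Return findings for the three parameters discussed in the post."""
    findings = []
    # Assumption of this example: an absent parameter is treated as 0.
    if params.get("login/disable_multi_gui_login", "0") != "1":
        findings.append("multiple logon is allowed for all users")
    raw = params.get("login/multi_login_users", "")
    # The list must be comma-separated with no blanks between accounts.
    if raw != raw.replace(" ", ""):
        findings.append("login/multi_login_users contains blanks")
    for user in filter(None, (u.strip() for u in raw.split(","))):
        if user not in approved:
            findings.append(f"unapproved multiple-logon exception: {user}")
    sessions = int(params.get("rdisp/max_alt_modes", session_baseline))
    if sessions > session_baseline:
        findings.append(
            f"rdisp/max_alt_modes = {sessions} exceeds baseline {session_baseline}")
    return findings

if __name__ == "__main__":
    for finding in audit_multi_logon(parse_profile(SAMPLE_PROFILE),
                                     approved={"BASIS01", "FIREFIGHT1"}):
        print(finding)
```
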


Thursday, May 8, 2008

General SAP BI Authorization Concept

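To understand access control in SAP BCS/BW, you first need a basic grasp of the SAP BI authorization concept. SAP BI is not used to create or update data; it turns data into useful information to support management decisions.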

1. SAP BI Authorization Concept

Security needs in SAP BI are not the same as security needs in R/3. SAP R/3 is an OLTP (On line transaction processing) system. This means that SAP R/3 focuses on getting the daily work of the business completed. People only need access to the specific functions they perform in their daily work. In general, R/3 security is focused on:
  • Transaction code
  • Specific field values
  • Which activities a user can perform

On the other hand, SAP BI is an OLAP system. This means that SAP BI focuses on what data a user can access. This may be controlled at the field level, or it may be controlled at the InfoProvider level. With SAP BI, authorizations can be defined and maintained by object (InfoObject, query, ODS object, InfoCube) and be applied to hierarchies. Authorizations can be added to roles that define what content is available to specific users or sets of users in the BI solution.

Specifics of SAP BI Security
 • Security is not focused on transactions.
 • Only two groups of Authorization Objects exist:
  o Business Explorer
  o Administrator Workbench
 • Easy to extend with authorization relevant InfoObjects

2. Reporting and Analysis Authorizations

In SAP NetWeaver 2004s, there are two authorization concepts: reporting authorizations and analysis authorizations.
  1. Traditional Reporting and Analysis Authorization concept
    Reporting authorizations control which data a user is authorized to display in a query. Prior to SAP NetWeaver 2004s, authorization objects first had to be created for this reporting authorization. An authorization object includes up to 10 authorization fields, which are used to determine whether a user is allowed to execute a specific action on a specific BW object. As soon as authorization objects are saved and assigned to a role, the authorization can be checked when a query is executed.
  2. New Reporting and Analysis Authorization concept
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. Users restrict values for these characteristics. The authorizations can include any authorization-relevant characteristics and treat single values, intervals and hierarchy authorizations the same. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can then be transferred into authorizations as characteristics.

3. Restrictions on BW components

To restrict access, SAP BW requires reporting-relevant authorization objects, which must be defined individually in the system because SAP cannot predefine them. These individually defined objects make up the majority of the authorization objects. Besides them, some standard objects must also be assigned; these grant the user the right to access certain InfoAreas and to start the reporting tools.

Possible restrictions on BW components:
  • Authorization on cube level
  • Authorization on Characteristic level
  • Authorization on Characteristic value level
  • Authorization on key figure level



Monday, April 7, 2008

SAP Security Audit: SM19

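Use SA38_RSPARAM or T-code RZ11 to check whether the Security Audit Log is enabled:
  • rsau/enable=1 enabled
  • rsau/enable=0 not enabled
However, even when it is not enabled (rsau/enable=0), the Audit Log still works if the client activates it with SM19; this is the dynamic configuration. rsau/enable needs to be set to 1 only for the static configuration.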

1. Static filters
If you use static filters, all of the application servers use identical filters for determining which events should be recorded in the audit log. You have to define filters only once for all application servers. You can also define several different profiles that you can alternatively activate.

Result
The filters you define are saved in the audit profile. If you activate the profile and restart the application server, actions that match any of the active filter events are then recorded in the security audit log. Before you can set Static Filters, you must first set the following profile parameters:
rsau/enable
rsau/local/file
rsau/max_diskspace/local
rsau/selection_slots

2. Dynamic filters
Dynamic filters enable you to respond to real-time events in your system environment, setting traps that can assist you in addressing a security problem. With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.

Result
The audit filters are dynamically created on all active application servers. If you activate the profile(s), any actions that match any of these filters are recorded in the security audit log. Changes to the filter definitions are effective immediately and exist until the application server is shut down. Before you can set dynamic filters, you must first set the following profile parameters:
rsau/local/file
rsau/max_diskspace/local
rsau/selection_slots
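
As an added example (not from the original post or from SAP), the prerequisites listed for static and dynamic filters can be turned into a per-application-server check of whether audit logging would survive a restart. The server names, parameter values and the two SM19 observation flags are constructed or hypothetical, and an empty value is treated as not set.

```python
STATIC_PREREQS = ("rsau/enable", "rsau/local/file",
                  "rsau/max_diskspace/local", "rsau/selection_slots")
DYNAMIC_PREREQS = STATIC_PREREQS[1:]  # the same list without rsau/enable

# Constructed per-instance values, e.g. noted down from RSPARAM on each server.
SAMPLE_SERVERS = {
    "app01": {"rsau/enable": "1", "rsau/local/file": "/constructed/audit_app01",
              "rsau/max_diskspace/local": "1000000", "rsau/selection_slots": "2"},
    "app02": {"rsau/enable": "0", "rsau/local/file": "/constructed/audit_app02",
              "rsau/max_diskspace/local": "1000000", "rsau/selection_slots": "2"},
    "app03": {"rsau/enable": "0", "rsau/local/file": "",
              "rsau/max_diskspace/local": "1000000", "rsau/selection_slots": "2"},
}

def assess_server(params, static_profile_active, dynamic_filter_active):
    """Classify one application server; returns (state, unset_parameters).

    The two flags record what the auditor saw in SM19 (hypothetical inputs).
    Assumes the server was restarted after the static profile was activated.
    """
    unset = [name for name in DYNAMIC_PREREQS if not params.get(name)]
    if unset:
        return "prerequisites-missing", unset
    if params.get("rsau/enable") == "1" and static_profile_active:
        return "persistent", []
    if dynamic_filter_active:
        # Dynamic filters exist only until the application server is shut down.
        return "until-shutdown", []
    return "inactive", []

def assess_landscape(servers, static_profile_active, dynamic_filter_active):
    """Return {server: (state, unset_parameters)} for every application server."""
    return {name: assess_server(p, static_profile_active, dynamic_filter_active)
            for name, p in servers.items()}

if __name__ == "__main__":
    for server, (state, unset) in assess_landscape(SAMPLE_SERVERS, True, True).items():
        print(server, state, ", ".join(unset))
```
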


Source (provided by Rita)
https://www.sdn.sap.com/irj/sdn/thread?threadID=328127
SM19 Dynamic Configuration.


Monday, March 31, 2008

Oracle DB connection

Oracle's password file

If the DBA wants to start up an Oracle instance, there must be a way for Oracle to authenticate this DBA, that is, to check whether (s)he is allowed to do so. Obviously, the DBA's password cannot be stored in the database, because Oracle cannot access the database before the instance is started up. Therefore, the authentication of the DBA must happen outside of the database. There are two distinct mechanisms to authenticate the DBA: using the password file or through the operating system. The init parameter remote_login_passwordfile specifies whether a password file is used to authenticate the DBA. If it is set to either shared or exclusive, a password file will be used.

The initialization parameters can be set in the init.ora file.

Default location and file name
The default location for the password file is:
$ORACLE_HOME/dbs/orapw$ORACLE_SID on Unix and
%ORACLE_HOME%\database\PWD%ORACLE_SID%.ora on Windows.
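
The parameter and the default locations above are enough to check which authentication path applies on a host. This is an added example, not from the original post or from Oracle: it reads remote_login_passwordfile from a constructed init.ora excerpt, builds the default path, and checks the Unix file's mode. The rule that users outside owner and group should have no access is this example's own policy assumption.

```python
import os
import re
import stat

# Constructed init.ora excerpt for illustration.
SAMPLE_INIT_ORA = """\
db_name = ORCL
# remote_login_passwordfile = NONE
remote_login_passwordfile = EXCLUSIVE
"""

def passwordfile_setting(init_ora_text):
    """Return the remote_login_passwordfile value in lower case, or None if unset."""
    match = re.search(r"^[ \t]*remote_login_passwordfile[ \t]*=[ \t]*['\"]?(\w+)",
                      init_ora_text, re.IGNORECASE | re.MULTILINE)
    return match.group(1).lower() if match else None

def default_password_file(oracle_home, sid, windows=False):
    """Build the default password file path described in the post."""
    if windows:
        return f"{oracle_home}\\database\\PWD{sid}.ora"
    return f"{oracle_home}/dbs/orapw{sid}"

def audit_password_file(init_ora_text, oracle_home, sid):
    """Report whether a password file is used and check the Unix default file."""
    setting = passwordfile_setting(init_ora_text)
    path = default_password_file(oracle_home, sid)
    uses_file = setting in ("shared", "exclusive")
    findings = []
    if uses_file and not os.path.exists(path):
        findings.append("password file not found at the default location")
    elif uses_file and stat.S_IMODE(os.stat(path).st_mode) & 0o007:
        # Example policy (assumption): no access for users outside owner and group.
        findings.append("password file is accessible to other users")
    elif setting == "none" and os.path.exists(path):
        findings.append("password file exists although the parameter is none")
    return {"setting": setting, "uses_password_file": uses_file,
            "path": path, "findings": findings}
```
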


Monday, March 24, 2008

SAP CO Month-End Closing and Variance Allocation

SAP Controlling month end and variance allocation

1. Cost Center month end

1.1 Collect indirect expense
Collect indirect expense

1.2 Collect manufacturing expense
Collect manufacturing expense

1.3 Actual Price calculation
Actual LAB FOH VOH rate calculation

1.4 Overhead per production order calculation (Indirect expense allocation)
Indirect expense allocation (Std)

1.5 Revaluation at Actual Price : Production Order (Manufacturing expense allocation)
Manufacturing expense allocation

2. Production Order Settlement

2.1 Calculate Work in Process (WIP)
Calculate WIP
Movement type relevant to Production Order

2.2 Variance Calculation (Quantity variance)
Quantity variance
Month end production orders settlement

2.3 Actual settlement (Allocate variance and Create accounting document)
The accountant uses CO88 to perform actual settlement. Variance was allocated and accounting documents were created by SAP.

3. Material Ledger Update

3.1 Price variance calculation and allocation
Price Variance

3.2 Manually allocate remaining expenses to COGS
The accountant checks all 4* and 5* accounts and posts a journal entry manually to allocate all remaining expenses to COGS.

4. Actual cost walkthrough test
ROH actual cost walkthrough
WIP actual cost walkthrough

5. Material records price control check
Material records price control