SAP Basis Administration — System Architecture, TMS, Users & Monitoring

SAP Basis is the technical foundation of every SAP system — it manages the underlying infrastructure, transport landscape, user access, and system health so that all SAP applications (FI, CO, SD, MM, HR) can run reliably.

What You’ll Learn

• The architecture of AS ABAP, AS Java, and dual-stack SAP systems
• Transport Management System (TMS) and change management across landscapes
• User administration with SU01 and role-based authorization with PFCG
• RFC/destination configuration with SM59
• System monitoring using ST03, ST22, and DBACOCKPIT
• Client copy operations via SCCL
• SAP GUI configuration and connection management

Why SAP Basis Matters

Without Basis, there is no SAP. Basis administrators are the backbone of every SAP implementation — they install the system, configure the transport landscape, manage user access, monitor performance, and troubleshoot issues that application teams cannot resolve. A good Basis admin prevents downtime, ensures audit compliance, and keeps the system running at peak performance.

Doda Browser applies Basis-style monitoring to track rendering performance and memory usage across browser sessions. DodaZIP uses transport-landscape-inspired staging for its compression algorithm rollouts — develop, test, then promote to production.

Learning Path

    flowchart LR
  A["SAP Overview"] --> B["SAP Modules"]
  B --> C["SAP BASIS Admin<br/>You are here"]
  C --> D["SAP HANA Database"]
  D --> E["Advanced Basis"]
  style C fill:#f90,color:#fff
  

SAP System Architecture

SAP systems run on one of three architecture stacks.

AS ABAP (Application Server ABAP)

The traditional SAP stack. It consists of:

• Central instance — dispatcher, work processes, gateway, message server
• Dialog work processes — handle user requests (max ~200 per instance)
• Update work processes — process database changes
• Background work processes — run scheduled jobs
• Spool work processes — manage print output

AS Java (Application Server Java)

The Java stack for SAP Enterprise Portal, SAP Process Integration (PI), and SAP Solution Manager. Uses J2EE engine with server nodes and dispatchers.

Dual-Stack

Systems that run both ABAP and Java on the same instance. This is being phased out — SAP recommends separate instances for new installations.

    flowchart TB
  subgraph "SAP System Landscape"
    direction LR
    DEV["Development<br/>Client 100, 200"] --> QAS["Quality<br/>Client 300"]
    QAS --> PRD["Production<br/>Client 400, 500"]
  end
  subgraph "AS ABAP"
    DWP["Dialog WP"]
    UWP["Update WP"]
    BWP["Background WP"]
    SPO["Spool WP"]
  end
  

Transport Management System (TMS)

TMS manages changes as they move from development to quality to production. Think of it like a staging pipeline for configuration and code changes.

Transport Request Types

T-Codes

STMS    - Transport Management System overview
SE01    - Transport organizer
SE10    - Create/modify transport request
SCC1    - Client copy with transport
TP      - Transport command line tool

Transport Process

1. Developer creates a transport request in SE10 when changing an object
2. Release the request — SAP locks the objects for export
3. Import to Quality — the Basis admin uses STMS to import
4. Test — functional team validates
5. Import to Production — promote after approval

Common TMS Error

Error: Transport request S4K9001234 not released
Solution: Use SE10 to release the request before import

User Administration (SU01)

Every person who accesses SAP needs a user ID. SU01 is the central transaction for user management.

User Types

Key User Administration T-Codes

SU01    - Create/change/display user
SU10    - Mass user maintenance
SUIM    - User information system (reports)
SU53    - Display authorization check trace

Creating a User

Path in SU01:
1. User → Address: Name, department, phone
2. Logon data: Initial password, password change required
3. Roles: Assign role(s) from PFCG
4. Profiles: View authorization profiles (read-only)
5. Defaults: Start transaction, output device
6. Parameters: User-specific SAP profile parameters

Roles and Authorizations (PFCG)

SAP authorizations control exactly what each user can see and do. PFCG is the role maintenance tool.

Role Structure

    flowchart LR
  A["Role<br/>FI Accountant"] --> B["Authorization Object<br/>F_BKPF_BUK"]
  B --> C["Activity: 01, 02, 03<br/>(Create, Change, Display)"]
  B --> D["Company Code: 1000"]
  B --> E["Account Type: D"]
  

Key T-Codes

PFCG    - Role maintenance
SUIM    - User information system
SWU3    - Check role assignment consistency

Real-World Example

Role: FI_ACCOUNTANT
- Menu: SAP Menu → Accounting → Financial Accounting → General Ledger
- Authorizations:
  - F_BKPF_BUK: Activity 01 (create), 02 (change), 03 (display)
  - F_BKPF_BES: All company codes in group ZFI
  - F_GL_CRE: G/L account posting
- User: Assigned to user via SU01

RFC and Destination Configuration (SM59)

RFC (Remote Function Call) connects SAP systems to each other and to external systems. SM59 is the transaction for managing RFC destinations.

RFC Connection Types

SM59 - Create RFC destination
Test → Connection test should return:
"RFC connection successful"

System Monitoring

Basis admins monitor the system constantly. These are the essential monitoring tools.

ST03 — Workload Analysis

Shows response times, CPU usage, database times per transaction. Key metrics:

- Avg dialog response time: target < 1 second
- CPU time: target < 40% of total response time
- Database time: target < 50% of total response time
- Wait time: target < 10% of total response time

ST22 — ABAP Runtime Errors

Dumps (runtime errors) point to program bugs, data issues, or configuration problems. Every dump has a unique ID and can be analyzed for root cause.

DBACOCKPIT — Database Administration

DBACOCKPIT → Performance → SQL Analysis → Top SQL by runtime

Optimize the most expensive SQL statements. Look for full table scans, missing indexes, or poorly written Open SQL.

Client Copy (SCCL/C)

Client copy creates or refreshes a client within a system. Used for creating test data from production.

Copy Types

WARNING: Client copy is a high-impact operation
- Production client copy locks tables
- Always run during maintenance windows
- Monitor with SM50 (process overview)

Common Errors

1. Transport import fails — “Object not released”

The transport request was not released in the source system. Go to SE10, select the request, and release it before importing.

2. User lock after failed logins

SAP locks users after 3 failed login attempts by default. Use SU01 → Unlock or run OSS note for batch unlock.

3. RFC connection test fails — “No RFC destination”

The destination in SM59 points to a system that is unreachable. Check network connectivity and SAP router (SAProuter) configuration.

4. Dialog work process shortage

All work processes are busy. Users see “No more dialog work processes available.” Increase rdisp/wp_no_dia in the instance profile and restart.

5. Update termination in SM13

Update requests can terminate due to data conflicts. Use SM13 to analyze and manually repeat terminated updates.

6. Profile parameter missing

An SAP feature requires a profile parameter that isn’t set. Use RZ11 to search for and maintain parameters. Activate with RZ10.

7. Client copy table lock

SCCL requires exclusive table locks. If another user is running a transport, client copy fails. Schedule during quiet hours.

Practice Questions

1. What is the purpose of TMS? To manage and transport configuration and development objects across system landscapes (DEV → QAS → PRD).

2. What transaction code creates RFC destinations? SM59. It manages connections to other SAP systems and external programs.

3. How do you monitor ABAP runtime errors? ST22 displays all ABAP dumps with error details, source code location, and recommended actions.

4. What is the difference between a role and a profile? A role (PFCG) is the modern authorization container that includes menu, authorizations, and user assignment. A profile is the legacy format that contains authorization objects. Roles generate profiles.

5. What transaction code creates a new user? SU01. It handles user master data, passwords, roles, and defaults.

Challenge: Design a three-system SAP landscape with two clients per system. Define the transport route strategy, create roles for an FI accountant (display-only vs. full access), and outline the monitoring dashboard with ST03 metrics thresholds.

FAQ

Try It Yourself

Set up a simple monitoring check using Python scripting:

import subprocess
import json

# Simulate SAP monitoring metrics
metrics = {
    "dialog_response_time_ms": 450,
    "cpu_time_ms": 180,
    "database_time_ms": 200,
    "wait_time_ms": 70,
    "work_processes_used": 142,
    "work_processes_total": 200,
    "failed_logins_today": 3,
    "transport_queue_count": 12
}

# Alert thresholds
alerts = []
if metrics["dialog_response_time_ms"] > 1000:
    alerts.append(f"CRITICAL: Response time {metrics['dialog_response_time_ms']}ms exceeds 1s threshold")
if metrics["failed_logins_today"] > 5:
    alerts.append(f"WARNING: {metrics['failed_logins_today']} failed logins today")
if metrics["work_processes_used"] / metrics["work_processes_total"] > 0.9:
    alerts.append("WARNING: Work process utilization above 90%")

print("SAP Basis Health Check Report")
print("=" * 40)
for key, value in metrics.items():
    print(f"{key.replace('_', ' ').title()}: {value}")

if alerts:
    print("\nAlerts:")
    for alert in alerts:
        print(f"  ⚠ {alert}")
else:
    print("\nAll metrics within acceptable range ✓")

Expected output: Health check report with metric values and any triggered alerts.

What’s Next

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Updated 2026-06-20.