Disable Multiple Logins in the Same Client
To disable multiple user logins within the same client, set this parameter in the instance profile:
login/disable_multi_gui_login = 1
If you do not use this parameter in your system, users can simply ignore the warning window that appears when they try to log on to the same client again.
Activating this parameter in your system will make you look good if you get audited!
How about exceptional logins?
In case you’re wondering how to allow multiple logins for certain key users, you can set the parameter login/multi_login_users. In it you list the user IDs that should be ignored when the parameter above is active in your system.
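A check of the two parameters described above, as an added example that is not part of the original tips. It assumes the profile uses "name = value" lines with "#" comments and that login/multi_login_users is a comma-separated list without spaces; the sample profile and the function names are constructed for illustration.

```python
import re

# Constructed sample profile text, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample instance profile
SAPSYSTEMNAME = DEV
login/disable_multi_gui_login = 1
login/multi_login_users = BASISADM, KEYUSER1,SAP*
"""

def parse_profile(text):
    """Return {parameter: value}; '#' lines are comments, the last assignment wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_multi_login(text):
    """Return (enforced, exempt_users, findings) for the two logon parameters."""
    params = parse_profile(text)
    findings = []
    # A missing parameter is treated like 0: the user only sees a warning.
    enforced = params.get("login/disable_multi_gui_login", "0") == "1"
    if not enforced:
        findings.append("multiple logons are only warned about, not blocked")
    raw = params.get("login/multi_login_users", "")
    if re.search(r"\s", raw):
        # Assumption of this example: the list must not contain spaces.
        findings.append("exemption list contains whitespace; entries may not match")
    exempt = [u.strip().upper() for u in raw.split(",") if u.strip()]
    if exempt and not enforced:
        findings.append("exemption list is set but has no effect")
    for user in exempt:
        if user in ("SAP*", "DDIC"):
            findings.append(f"standard user {user} is exempt from the restriction")
    return enforced, exempt, findings
```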
Roles with Restricted Company Codes and Values
Do you need to find out what roles you have set up with restricted company code values for specific authorization objects?
If your company has changed its company code (BUKRS) and you have limited access to a particular company code in your roles, you will have to adjust the roles to use the new company code or to use * for any code.
But, how do you quickly find out what roles you need to adjust?
Simple. Query table AGR_1252 and check the contents of the LOW and HIGH fields. You can use your favorite query tool (Query Analyzer in SQL Server for example) or use transaction SE16 or SE11 within SAP.
Here is a sample query:
select MANDT, AGR_NAME, VARBL, LOW, HIGH
from AGR_1252
where MANDT = '100'
and (LOW <> '' or HIGH <> '')
and (LOW <> '*' and HIGH <> '*')
and AGR_NAME not like 'SAP%'
The above query looks for any non-SAP role in client 100 where either LOW or HIGH have anything different than *.
You’ll get a list of the roles you need to adjust to use the new company code.
View Locked Transactions
As you know, you can lock/unlock transaction codes via SM01.
But, how do you go about viewing the transactions that are locked in the system?
You need to look in field CINFO, table TSTC.
Within SAP, you can use either SE11 or SE16 to browse the table contents.
Make sure you enter “A0” as the “HEX01 data element for SYST” starting value and “A9” as the ending value.
This will list all the transactions locked in the system.
Note: The CINFO field description is “HEX01 data element for SYST”.
Logging on to SAP using SAPSHCUT
You need to pass these parameters:
-sysname = entry name in SAPLogon
-client = client number
-user = user ID
-pw = password (in plain text)
Optionally, you can pass parameter -command to execute a transaction upon logon.
See example below:
sapshcut -sysname="SAP Production" -client=000 -user=sap* -pw=06071992 -command=SM04
For more information, run SAPSHCUT /?
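Because -pw carries the password in plain text, batch files and shortcuts that call SAPSHCUT are worth reviewing. The scanner below is an added example, not part of the original tips; the sample script, its placeholder password and the function names are constructed, and the report never copies the password value.

```python
import re

# Constructed sample batch file; the password is a placeholder.
SAMPLE_SCRIPT = r'''
rem constructed sample
sapshcut -sysname="SAP Production" -client=000 -user=sap* -pw=PLACEHOLDER -command=SM04
"C:\tools\sapshcut.exe" -sysname=DEV -client=100 -user=jdoe -command=SM04
echo done
'''

# One -name=value argument; the value may be wrapped in double quotes.
ARG = re.compile(r'-(\w+)=("[^"]*"|\S+)')
STANDARD_USERS = {"SAP*", "DDIC"}

def parse_sapshcut(line):
    """Return the -name=value arguments of a sapshcut call, or None for other lines."""
    if line.lstrip().lower().startswith("rem "):
        return None
    if not re.search(r"\bsapshcut(\.exe)?\b", line, re.I):
        return None
    return {name.lower(): value.strip('"') for name, value in ARG.findall(line)}

def scan(text):
    """Return one finding per sapshcut call that carries a password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        args = parse_sapshcut(line)
        if not args or "pw" not in args:
            continue
        user = args.get("user", "").upper()
        issues = ["password in plain text on the command line"]
        if user in STANDARD_USERS:
            issues.append("standard super user account")
        # The password value itself is deliberately left out of the report.
        findings.append({"line": number, "system": args.get("sysname"),
                         "client": args.get("client"), "user": user,
                         "issues": issues})
    return findings
```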
Fast Logon to an SAP Server
You can log on to an SAP server quickly using the “SAPGUI” executable.
This way, you do not even need SAPLogon.
At the command prompt type:
sapgui hostname instnumber
sapgui myprd 00
The example above lets you log on to the server “myprd” with instance number 00.
The SAPGUI.exe is located under the “SAPgui” directory. You either need to put this directory in your system’s path or change to the directory to be able to log on as indicated above.
Saving Passwords for SAP shortcuts
Passwords are not saved in shortcuts created within SAPGUI. In fact, when you edit a shortcut the password field is grayed out.
Why? Because you need to first register the SAPshortcuts using:
SAPSHCUT.exe is located under the SAPpc\sapgui directory. In SAPGUI 4.0 it was called SAPSH.exe.
Once you do the registration you need to open the registry (regedit or regedt32) and change the value data of “EnablePassword” to “1” under:
Then, you will be able to type and save your passwords.
Getting technical info at the OS level
It is very easy to obtain the patch level of some core R/3 executables such as: disp+work, tp and r3trans.
Many people would like to know how to do this. Here, I will show you how to do it for R/3 systems running on Windows and SQL Server environments.
1. Go to the command prompt.
2. Change to the “run” directory of your SAP instance (cd \usr\sap\\sys\exe\run).
3. Run the following three commands:
disp+work -V | find "patch number"
tp -V | find "patch number"
r3trans -V | find "patch number"
If you want to see all the release information, then do not filter for the patch number.
Now that you know how to do this, you can get creative and write a little script that reads the names of all your SAP servers from a text file and then runs the three commands listed above. This way, you can get the patch level of all your systems by just running a script. This comes in handy when you’re consulting or putting reports together.
Controlling the SAPGUI New Visual Design
SAPGUI 4.6x introduced the “new visual design” or “enjoySAP” look and feel.
As you know, users can switch back and forth between the new visual design and the “light” look and feel. They simply use the “SAP Configuration” applet in Control Panel. However, you, the administrator, might need to control what they set up on their PCs in order to have a uniform platform.
The Windows registry controls this setting:
By default, it is set to “On”. When the user changes it to the light version using the SAP Configuration icon on the desktop or in Control Panel, the registry value changes to “Off”.
You can hide the SAP Configuration applet. You can even do this when setting up SAPGUI. You can edit the file SAPSETUP.NID and comment out these two lines:
In SAPGUI 4.6D the line above is number 1,459.
In SAPGUI 4.6D the line above is number 1,645.
Locking/Unlocking accounts – Behind the scenes
User accounts can be locked/unlocked via SU01 (User Maintenance.)
But, what goes on behind the scenes? What does the system do to actually set this?
The table USR02 gets updated. The field UFLAG determines if the user account is locked or unlocked. The value “64” indicates that the user account is locked. The value “0” indicates that the user account is unlocked.
Knowing this, you can then issue an update statement at the database level that locks all users en masse.
Don’t lock yourself out, though! Use exceptions for super user accounts in your update statement.
Notice that 4.6b and above have made improvements to this kind of task, making the locking/unlocking a bit easier. However, changing at the database level is much faster and it is just one simple query.
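The UFLAG handling described above, as an added example that is not part of the original tips. It goes beyond the text by treating UFLAG as a bit field: the values 32 and 128 are added from general SAP knowledge and are assumptions here, and the sample rows and function names are constructed.

```python
# Bit values of USR02.UFLAG. 64 (locked) and 0 (unlocked) come from the text;
# 32 and 128 are assumptions added by this example.
ADMIN_LOCK = 64
LOCK_BITS = {
    32: "locked by central (CUA) administrator",
    ADMIN_LOCK: "locked by administrator",
    128: "locked after failed logons",
}

# Constructed sample rows (BNAME, UFLAG), not from a real system.
SAMPLE_USERS = [("SAP*", 0), ("DDIC", 0), ("JDOE", 0),
                ("ASMITH", 128), ("BJONES", 64)]

def decode_uflag(uflag):
    """Return the lock reasons encoded in a UFLAG value (empty list = unlocked)."""
    return [reason for bit, reason in sorted(LOCK_BITS.items()) if uflag & bit]

def plan_mass_lock(rows, exceptions):
    """Return {user: new UFLAG} that adds the administrator lock.

    Users named in `exceptions` (the super users you must not lock out) and
    users that already carry the lock are skipped; other bits are preserved.
    """
    keep = {name.upper() for name in exceptions}
    return {user: flag | ADMIN_LOCK for user, flag in rows
            if user.upper() not in keep and not flag & ADMIN_LOCK}

def plan_mass_unlock(rows, exceptions=()):
    """Return {user: new UFLAG} that clears only the administrator lock."""
    keep = {name.upper() for name in exceptions}
    return {user: flag & ~ADMIN_LOCK for user, flag in rows
            if user.upper() not in keep and flag & ADMIN_LOCK}
```

Writing a plain 64 or 0 into every row would overwrite the failed-logon bit; the planned values keep it, so an account with UFLAG 192 goes back to 128 rather than to 0.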
SAP table with Version and Instance name
SAP R/3 stores its version, instance name and OS platform in tables!
This is excellent as you can then query the database to get the R/3 version, Instance Name and OS platform as follows:
select * from SVERS
select * from TSLE4
You don’t even have to log on to the application to get this info. The above query gives it to you in less than 1 second.
Logging on to SAPNet directly (bypass OSS1)
You can log on to SAPNet - R/3 Frontend without using transaction OSS1.
This way you don’t have to open an SAP session just to log on to SAPNet.
Here is how to do it:
1. Create the file “saproute.ini” under the %winnt% directory and add the following two entries:
126.96.36.199 is my SAP router’s IP address.
188.8.131.52 is SAPServ4’s IP address.
2. Create the file “sapmsg.ini” under the %winnt% directory and add the following two entries:
3. Open the SAPLogon program (it is part of the SAP FrontEnd software -SAPGUI, on your PC).
4. Click on the “Groups” button.
5. Click on the down arrow for “SAP Router for” and select your SAPServX from the list.
6. Click on the “Generate list” button.
7. Select “1_PUBLIC” from the list of groups.
8. Click on the “Add and Logon” button.
You’re done! You can change the name of the SAPNet session in SAPLogon if you want to.
No more typing OSS1!
Check if your SAP servers are alive from the Command Prompt
This is a very useful tip that can help you check if an SAP R/3 server is up and running. This way, you don’t have to log on to the system just to find out.
Additionally, you can create another script that uses the FOR command to check ALL your servers so you don’t have to check one by one. Have the script do the job for you.
The key to this script is the command SAPINFO.exe, which comes on the SAPFrontEnd CD (SAPGUI). It’s part of the SDK. If you don’t have the file, e-mail me and I’ll send it to you.
The syntax of SAPINFO is:
sapinfo ashost=host sysnr=nn
When used in a batch file (.bat or .cmd) you can check the errorlevel returned by the program. If it is 1 then the system is not up and running.
My script below first checks if the system is on the network by ‘pinging’ it and expecting a reply.
If you want to check all your systems, then create another script (example: checkallrfcs.bat) and use this command:
FOR /F %%i in (SAPsystems.txt) do call checkrfc %%i 00
The command above reads the file SAPsystems.txt, which should have a list of all the servers (one server name per line) and then it invokes the script ‘checkrfc’ passing the server name as a parameter. The 00 indicates the instance number.
I believe you will find it extremely useful and it will save you tons of time.
Now, you can just run the script, sit back and watch it report the status of the systems.
@echo off
rem Script: CheckRFC.BAT
rem It uses SAPINFO from the RFC-SDK (SAPGUI) to check an RFC destination.
rem It needs two parameters: 1. Hostname 2. Instance Number
rem A ping is sent to the host. If successful an RFC check is carried out.
rem By: Giovanni Davila
if "%2"=="" goto NoParameter
echo Pinging %1 ...
ping %1 -n 2 | find /i "reply" >nul && goto CheckRFC
echo System does not exist on the network! & goto Bye
:CheckRFC
rem SAPINFO returns errorlevel 1 when the system is not up and running.
sapinfo ashost=%1 sysnr=%2 & if errorlevel 1 goto System_Down
echo System is up. RFC checks OK!
goto Bye
:System_Down
echo System is down!
goto Bye
:NoParameter
echo You did not specify at least one parameter!
echo Syntax: checkrfc "hostname" "instance number"
echo Example: checkrfc mydev 00
:Bye
Lock a Client to Prevent Logons
Do you need to do maintenance on a system and want to make sure nobody logs on to it while you’re working on it?
You can lock a system at the OS level by running: tp locksys pf=tpprofile
Example: To lock your DEV system enter this command: tp locksys DEV pf=\\saptranshost\sapmnt\trans\bin\tp_domain_dev.pfl
Users will get this message if they attempt to log on: “Upgrade still running. Logon not possible”.
Notice that the message is not exactly accurate. TP locksys is mainly used during release upgrades so the message is kind of generic. But, it works!
To unlock the system, run: tp unlocksys pf=tpprofile
Now you can tell your boss that you know how to keep the users off the system!
Only SAP* and DDIC can log on to any of the clients in the system that has been locked.