
The following are FREE tips you can use:

Disable Multiple Logins in the Same Client
Roles with Restricted Company Codes and Values
View locked transactions
Logging into SAP using SAPSHCUT
Fast Logon to an SAP Server
Saving Passwords for SAP Shortcuts
Getting technical info at the OS level
Controlling the SAPGUI New Visual Design
Locking/Unlocking accounts - behind the scenes
SAP table with Version and Instance name
Logging on to SAPNet directly (bypass OSS1)
Check if your SAP servers are alive from the Command Prompt
Lock a Client to Prevent Logons

All tips written by Giovanni Davila. You can find more SAP tips at searchSAP.com and other SAP-related sites I have linked from my site.

Disable Multiple Logins in the Same Client

To disable multiple user logins within the same client, implement this parameter in the instance profile:

    login/disable_multi_gui_login = 1

If you do not use this parameter in your system, users have the ability to ignore the warning window at the time they try to log in to the same client. Activating this parameter in your system will make you look good if you get audited!

How about exceptional logins? In case you're wondering how to allow multiple logins for certain key users, you can implement parameter login/multi_login_users. You can list the user IDs that should be ignored if the parameter above is active in your system.

Roles with Restricted Company Codes and Values

Do you need to find out what roles you have set up with restricted company code values for specific authorization objects? If your company has changed its company code (BURK) and if you have limited access to a particular company code in your roles, you will have to adjust the roles to use the new company code or to use * for any code.

But, how do you quickly find out what roles you need to adjust? Simple. Query table AGR_1252 and check the contents of the LOW and HIGH fields. You can use your favorite query tool (Query Analyzer in SQL Server for example) or use transaction SE16 or SE11 within SAP. Here is a sample query:

    select MANDT, AGR_NAME, VARBL, LOW, HIGH
    from AGR_1252
    where MANDT='100'
      and (LOW <>'' or HIGH <>'')
      and (LOW <>'*' and HIGH <>'*')
      and AGR_NAME not like 'SAP%'

The above query looks for any non-SAP role in client 100 where either LOW or HIGH have anything different than *. You'll get a list of the roles you need to adjust to use the new company code.

View Locked Transactions

As you know, you can lock/unlock transaction codes via SM01. But, how do you go about viewing the transactions that are locked in the system? You need to look in field CINFO, table TSTC. Within SAP, you can use either SE11 or SE16 to browse the table contents. Make sure you enter "A0" as the "HEX01 data element for SYST" starting value and "A9" as the ending value. This will list all the transactions locked in the system.

Note: The CINFO field description is "HEX01 data element for SYST".

Logging on to SAP using SAPSHCUT

You need to pass these parameters:

    -sysname = entry name in SAPLogon
    -client = client number
    -user = user ID
    -pw = password (in plain text)

Optionally, you can pass parameter -command to execute a transaction upon logon. See example below:

    sapshcut -sysname=SAP Production -client=000 -user=sap* -pw=06071992 -command=SM04

For more information, run SAPSHCUT /?

Fast Logon to an SAP Server

You can log on to an SAP server quickly using the "SAPGUI" executable. This way, you do not even need SAPLogon. At the command prompt type:

    sapgui hostname instnumber

Example:

    sapgui myprd 00

The example above lets you log on to the server "myprd" with instance number 00. The SAPGUI.exe is located under the "SAPgui" directory. You either need to put this directory in your system's path or change to the directory to be able to log on as indicated above.

Saving Passwords for SAP shortcuts

Passwords are not saved in shortcuts created within SAPGUI. In fact, when you edit a shortcut the password field is grayed out. Why? Because you need to first register the SAPshortcuts using:

    sapshcut -register

SAPSHCUT.exe is located under the SAPpc\sapgui directory. In SAPGUI 4.0 it was called SAPSH.exe. Once you do the registration you need to open the registry (regedit or regedt32) and change the value data of "EnablePassword" to "1" under:

    HKCU\Software\SAP\SAPShortcut\Security

Then, you will be able to type and save your passwords.

Getting technical info at the OS level

It is very easy to obtain the patch level of some core R/3 executables such as: disp+work, tp and r3trans. Many people would like to know how to do this. Here, I will show you how to do it for R/3 systems running on Windows and SQL Server environments.

1. Go to the command prompt.
2. Change to the "run" directory of your SAP instance (cd \usr\sap\<SID>\sys\exe\run).
3. Run the following three commands:

    disp+work -V | find "patch number"
    tp -V | find "patch number"
    r3trans -V | find "patch number"

If you want to see all the release information, then do not filter for the patch number. Now that you know how to do this, you can get creative and write a little script that reads the names of all your SAP servers from a text file and then runs the three commands listed above. This way, you can get the patch level of all your systems by just running a script. This comes in handy when you're consulting or putting reports together.

Controlling the SAPGUI New Visual Design

SAPGUI 4.6x introduced the "new visual design" or "enjoySAP" look and feel. As you know, users can switch back and forth between the new visual design and the "light" look and feel. They simply use the "SAP Configuration" applet in Control Panel. However, you the administrator might need to control what they set up on their PCs in order to have a uniform platform. The Windows registry controls this setting:

    HKEY_LOCAL_MACHINE\Software\SAP\General\Enjoy\Active

By default, it is set to "On". When the user changes it to the light version using the SAP Configuration icon that is on the desktop or Control Panel, then the registry value changes to "Off".

You can hide the SAP Configuration applet. You can even do this when setting up SAPGUI. You can edit the file SAPSETUP.NID and comment out these two lines:

    HInstallFileList('%WINSYSDIR%') %SAPsourceDir%\sapgui\sapfcpl.cpl EndProc/U/TS

In SAPGUI 4.6D the line above is number 1,459.

    HCreateIconOrLink('SAP Configuration','%WINSYSDIR%\sapfcpl.cpl','%SAPworkDir%','sapfcpl.cpl,0','Desktop\',' ',cgAsCommon)/TS

In SAPGUI 4.6D the line above is number 1,645.

Locking/Unlocking accounts - behind the scenes

User accounts can be locked/unlocked via SU01 (User Maintenance). But, what goes on behind the scenes? What does the system do to actually set this? The table USR02 gets updated. The field UFLAG determines if the user account is locked or unlocked. The value "64" indicates that the user account is locked. The value "0" indicates that the user account is unlocked.

Knowing this, you can then issue an update statement at the database level that locks all users en masse. Don't lock yourself out, though! Use exceptions for super user accounts in your update statement. Notice that 4.6b and above have made improvements to this kind of task, making the locking/unlocking a bit easier. However, changing at the database level is much faster and it is just one simple query.
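One way to do the mass lock described above on SQL Server while honouring the super-user exceptions and making the change reversible. This is an added example, not part of the original tip; client 100 and the scratch table name ZZ_UFLAG_BEFORE_LOCK are assumptions.

```sql
-- Added example (T-SQL, SQL Server). Assumptions: client '100', the
-- <SID> database's default schema, and ZZ_UFLAG_BEFORE_LOCK as a
-- hypothetical scratch table name.

-- 1. Review the current lock state before changing anything.
SELECT MANDT, UFLAG, COUNT(*) AS USERS
FROM USR02
GROUP BY MANDT, UFLAG
ORDER BY MANDT, UFLAG;

-- 2. Record which accounts this maintenance window is going to lock:
--    only accounts that are unlocked now (UFLAG = 0), and never the
--    super users.
SELECT MANDT, BNAME
INTO ZZ_UFLAG_BEFORE_LOCK
FROM USR02
WHERE MANDT = '100'
  AND UFLAG = 0
  AND BNAME NOT IN ('SAP*', 'DDIC');

-- 3. Lock exactly those accounts (64 = locked).
BEGIN TRANSACTION;

UPDATE u
SET u.UFLAG = 64
FROM USR02 AS u
JOIN ZZ_UFLAG_BEFORE_LOCK AS b
  ON b.MANDT = u.MANDT AND b.BNAME = u.BNAME
WHERE u.UFLAG = 0;

-- Compare the affected row count with the scratch table, then COMMIT
-- (or ROLLBACK if the numbers differ).
COMMIT TRANSACTION;

-- 4. After maintenance, unlock only what step 3 locked. Accounts that
--    were already locked for another reason keep their original UFLAG.
UPDATE u
SET u.UFLAG = 0
FROM USR02 AS u
JOIN ZZ_UFLAG_BEFORE_LOCK AS b
  ON b.MANDT = u.MANDT AND b.BNAME = u.BNAME
WHERE u.UFLAG = 64;

DROP TABLE ZZ_UFLAG_BEFORE_LOCK;
```

A change made this way bypasses SU01, so SAP writes no change document for it; keep the output of steps 1 and 2 as the record of which accounts were locked.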

SAP table with Version and Instance name

SAP R/3 stores its version, instance name and OS platform in tables! This is excellent as you can then query the <SID> database to get the R/3 version, Instance Name and OS platform as follows:

    select * from SVERS

    select * from TSLE4

You don't even have to log on to the application to get this info. The above query gives it to you in less than 1 second.

Logging on to SAPNet directly (bypass OSS1)

You can log on to SAPNet - R/3 FrontEnd without using transaction OSS1. This way you don't have to open an SAP session just to log on to SAPNet. Here is how to do it:

1. Create the file "saproute.ini" under the \winnt\ directory and add the following two entries:

    [Router]
    sapservX=/H/your-SAProuter-internal-IP-address/H/SAPServX-IP-address/H/

   Example:

    sapserv4=/H/200.10.10.24/H/204.79.199.2/H/

   200.10.10.24 is my SAP router's IP address. 204.79.199.2 is SAPServ4's IP address.

2. Create the file "sapmsg.ini" under the \winnt\ directory and add the following two entries:

    [Message Server]
    O01=oss001.wdf.sap-ag.de

3. Open the SAPLogon program (it is part of the SAP FrontEnd software, SAPGUI, on your PC).
4. Click on the "Groups" button.
5. Click on the down arrow for "SAP Router for" and select your SAPServX from the list.
6. Click on the "Generate list" button.
7. Select "1_PUBLIC" from the list of groups.
8. Click on the "Add and Logon" button.

You're done! You can change the name of the SAPNet session in SAPLogon if you want to. No more typing OSS1!

Check if your SAP servers are alive from the Command Prompt

This is a very useful tip that can help you check if an SAP R/3 server is up and running. This way, you don't have to log on to the system just to find out. Additionally, you can create another script that uses the FOR command to check ALL your servers so you don't have to check one by one. Have the script do the job for you.

The key to this script is the command SAPINFO.exe, which comes on the SAPFrontEnd CD (SAPGUI). It's part of the SDK. If you don't have the file, e-mail me and I'll send it to you. The syntax of SAPINFO is:

    sapinfo ashost=host sysnr=nn

When used in a batch file (.bat or .cmd) you can check the errorlevel returned by the program. If it is 1 then the system is not up and running. My script below first checks if the system is on the network by 'pinging' it and expecting a reply.

If you want to check all your systems, then create another script (example: checkallrfcs.bat) and use this command:

    FOR /F %%i in (SAPsystems.txt) do call checkrfc %%i 00

The command above reads the file SAPsystems.txt, which should have a list of all the servers (one server name per line), and then it invokes the script 'checkrfc' passing the server name as a parameter. The 00 indicates the instance number. I believe you will find it extremely useful and it will save you tons of time. Now, you can just run the script, sit back and watch it report the status of the systems.

Script code:

    @echo off
    rem ======================================================================
    rem Script: CheckRFC.BAT
    rem It uses SAPINFO from the RFC-SDK (SAPGUI) to check an RFC destination.
    rem It needs two parameters: 1. Hostname 2. Instance Number
    rem A ping is sent to the host. If successful an RFC check is carried out.
    rem By: Giovanni Davila
    rem ======================================================================
    if "%2"=="" goto NoParameter
    echo Pinging %1 ...
    ping %1 -n 2 | find /i "reply" >nul && goto CheckRFC
    echo System does not exist on the network! & goto Bye
    :CheckRFC
    sapinfo ashost=%1 sysnr=%2 & if errorlevel 1 goto System_Down
    echo ----------------------------
    echo System is up. RFC checks OK!
    echo ----------------------------
    goto Bye
    :System_Down
    echo ---------------
    echo System is down!
    echo ---------------
    goto Bye
    :NoParameter
    echo ----------------------------------------------
    echo You did not specify at least one parameter!
    echo Syntax: checkrfc "hostname" "instance number"
    echo Example: checkrfc mydev 00
    echo ----------------------------------------------
    :Bye

Lock a Client to Prevent Logons

Do you need to do maintenance on a system and want to make sure nobody logs on to it while you're working on it? You can lock a system at the OS level by running:

    tp locksys <SID> pf=tpprofile

Example: To lock your DEV system enter this command:

    tp locksys DEV pf=\\saptranshost\sapmnt\trans\bin\tp_domain_dev.pfl

Users will get this message if they attempt to log on: "Upgrade still running. Logon not possible". Notice that the message is not exactly accurate. TP locksys is mainly used during release upgrades so the message is kind of generic. But, it works!

To unlock the system, run:

    tp unlocksys <SID> pf=tpprofile

Now you can tell your boss that you know how to keep the users off the system! Only SAP* and DDIC can log on to any of the clients in the system that has been locked.