Thursday, November 24, 2016

SAP Change Non-Dialog User to Dialog User Using Function Module

Scenario: The DDIC account is locked in an SAP system.
You don’t know the password to DDIC, and to get access as SAP* you would need to bounce the system, which is not acceptable during this period of business usage.
You’ve got the password to an existing account with profile SAP_ALL, but the account is a non-dialog user (system user or communication user).
You’ve got access to a development system where you can create SM59 RFC connections.
You would like to gain access to unlock and reset the DDIC account, without bouncing the system.

The process below changes the non-dialog user account into a dialog user account.  We can then use the dialog account to log on to the SAP system and unlock and reset the DDIC user account.

1, Log into the development SAP system as a user account that has SM59 access.
Create a new RFC connection to the destination SAP system (where DDIC is locked) and set the authentication to use the non-dialog user account that has SAP_ALL.

2, In transaction SE37, from the menu select "Function Module -> Test -> Test Sequences".

3, Set two function modules to execute, BAPI_USER_CHANGE followed by BAPI_TRANSACTION_COMMIT.

4, Execute function module BAPI_USER_CHANGE for the non-dialog user account, with "LOGONDATA" field "U" changed to value "A" (dialog user).
Set LOGONDATAX to "X".
Set the destination to be the RFC destination you created.

5, Then execute function module BAPI_TRANSACTION_COMMIT.
Set the destination to be the RFC destination you created.

6, You can now log onto the target SAP system as the non-dialog user account (which is now a normal dialog user account).

7, You can now unlock the DDIC user and change the password.
Once completed, change the account back to a non-dialog user.

As you can see, this is very easy to do.

To mitigate against this security threat:
- You should also avoid giving SAP_ALL to any SAP user accounts, even if they are non-dialog.
- Finally, you can also configure the RFC Access Control Lists (ACLs) to permit calls to specific function modules only.
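
To check for the condition and the change described above, the following added example (not code from this post or from SAP) flags non-dialog accounts that hold SAP_ALL and finds user-type changes from non-dialog to dialog, including whether the account changed itself and was later switched back. The CSV column layout, the `|` profile separator, and the user names are assumptions made for the example; the type codes are A (dialog), B (system) and C (communication).

```python
import csv
from io import StringIO

NON_DIALOG = {"B", "C"}   # B = system user, C = communication user
DIALOG = "A"              # A = dialog user

# Constructed sample data. The column layout is an assumption for this example,
# not an SAP export format; profiles are separated by "|".
USERS_CSV = """user,type,profiles
RFC_BATCH,B,SAP_ALL
RFC_IFACE,C,Z_IFACE_READ
JSMITH,A,Z_BASIS_ADMIN|Z_DISPLAY
"""

CHANGES_CSV = """timestamp,user,changed_by,old_type,new_type
2016-01-05T10:02:11,RFC_BATCH,RFC_BATCH,B,A
2016-01-05T10:31:40,RFC_BATCH,RFC_BATCH,A,B
2016-01-05T11:00:00,JSMITH,ADMIN1,A,A
"""

def rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))

def non_dialog_with_sap_all(users):
    """Non-dialog accounts holding SAP_ALL (the precondition in the scenario)."""
    return [u["user"] for u in users
            if u["type"] in NON_DIALOG and "SAP_ALL" in u["profiles"].split("|")]

def type_flips(changes):
    """Find non-dialog -> dialog changes, noting self-changes and later reverts."""
    findings = []
    ordered = sorted(changes, key=lambda c: c["timestamp"])
    for i, c in enumerate(ordered):
        if c["old_type"] in NON_DIALOG and c["new_type"] == DIALOG:
            # A later change back to non-dialog matches the clean-up in step 7.
            reverted = any(l["user"] == c["user"] and l["old_type"] == DIALOG
                           and l["new_type"] in NON_DIALOG for l in ordered[i + 1:])
            findings.append({"user": c["user"], "at": c["timestamp"],
                             "self_change": c["changed_by"] == c["user"],
                             "reverted_later": reverted})
    return findings

if __name__ == "__main__":
    print("Non-dialog users with SAP_ALL:", non_dialog_with_sap_all(rows(USERS_CSV)))
    for finding in type_flips(rows(CHANGES_CSV)):
        print("User type flip:", finding)
```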







Thursday, November 17, 2016

SAP Secondary Oracle DB Connection–EasyConnect

When you run an SAP system on a non-Oracle database platform, you may sometimes need to connect to a secondary Oracle database (for example, in an SAP BW environment you could need a connection to multiple source database systems).

The usual process is to create the TNSNAMES.ora file in the appropriate location on *every* SAP application server of the SAP system, then put the TNS service name and username/password into the DBCO transaction within SAP.

There are a couple of downsides to this approach:

1, You generally have to put the TNSNAMES.ora file in /sapmnt/<SID>  as this is already shared across the SAP system’s application servers.

2, You have to keep the TNSNAMES.ora file updated.  Any changes require a complete restart of the SAP system in order for the file to be re-read.

This is where the Easy Connect string can be used.
Instead of entering the TNS service name into the DBCO transaction, you simply enter all the service details, removing the need for the TNSNAMES.ora file.

An example of the Easy Connect string is:
"tns-service:1521/servername.com"
We are supposing that:

- “tns-service” is the TNS service name for your target database (listened for on the target Oracle listener)
- Port 1521 (default port) is used by the listener.
- The server on which the listener is located is servername.com.

You must include the double quotes in the DBCO entry.

Based on the above entry, you can then dynamically change the value as and when needed.
No need for a restart of the SAP application server.

Reference: SAP note: 808505 - Secondary connections to Oracle database

Power Notes Searcher Updated to v2.1

The free Google Chrome extension Power Notes Searcher has been updated!
A small bug fix has been released which fixes a problem with the highlighting of note numbers in the SAP note pages.

The update also includes a few more direct links in the “Options” area, for things like SSCR keys and incidents.