Hi Mathan

I'm trying to avoid logon pad fixes (I've also lost access to changes in user defined )

We have 6 servers and it's a 'deal or no deal' should we be on the same server - does anybody know why sm51 should not be a security code please. If valid what other options are possible bar messing with the pad and killing off current sessions?

Seems odd

Cheers

David

SM59 and SE37 would be much more critical in my books...

If you can start reports then there are a few which can help you and no mortal auditor would spot a z-tcode which presents the same options. Otherwise challenge the requirement if you enjoy arguing...

Cheers,

Julius

Hi All

Thanks for your assistance, we've lost and regained AL08 so we can see which server the user is on but not able to access SM51 to swap so we have the option of adding individual server log ons to the log on pad but I just wondered if there was another transaction I could have used instead of SM51 (which may not be classified as Basis).

We've also lost SE37 so that door is shut too and the thought of using RFC scares the living daylights out of me

Going for log on pad entries instead as the simplest/safest option!

Cheers

David

If you have display access to SM59, then try this:

From RFCDES get the names of the type "I" (internal) connections to the app servers.

In report RSMRFC01 save a variant for each of these destinations and give it a corresponding name (the variant). In the TRANS field enter ST01 in each of the variants.

Now, after you find the app server name in AL08, start that variant and you will land directly in ST01 there.

That is even faster than SM51....

Cheers,

Julius

Hi Julius

Sorry for not replying sooner - my laptop was being 'swapped' to a new one which went a little wrong

Just tried SM59 and we don't have that tcode either, I'm amazed I can still run SUPC but I can have a go in DEV tomorrow to see what SM59 does with those reports and try having that discussion you mentioed earlier.

Thanks for taking the time to help

Cheers

David

Try table RFCDES or a search help on destinations in rsusr050 or else the names are the same as the host names and case-sensitive!

Cheers,

Julius

>

> We have 6 servers and it's a 'deal or no deal' should we be on the same server - does anybody know why sm51 should not be a security code please. If valid what other options are possible bar messing with the pad and killing off current sessions?
> 

Hi David,

I see no reason why that access shouldn't be granted to security team members performing active support in the production environment.

Unfortunately I don't know the situation where you are but I would think it's definitely worth raising this as a "cost" of providing effective support. As we all know so well, security crosses a number of functions so why should it not encompass some activities or use some tools that are enjoyed by the friendly basement dwellers that wear the Basis hats.

Good luck (and sorry I don't have a solution)

Cheers

Alex

Hi Alex

Nice to hear from you again.

Julius wrote (and I nearly missed it)

If you have display access to SM59

I'll see if I can get this in restricted mode - can't see the risk if display only so I'll have a play in DEV tomorrow.

Many thanks

David

Actually, although I have access to SM51 I find the report mentioned above with a variant for each app server faster, but you will need SM59 tcode to execute the report (it checks it).

Otherwise, there are still a few other options...

- Start report RSM51000 which shows the app servers --> place your cursor on the one you want --> then click on "remote logon".

- Start transaction STMS --> click on System Overview --> Menu "Environment" --> Drop down "SAP servers"

- Start transaction ST20 --> type "SM51" into the ok-code command window --> hit enter.

- Start transaction SM04 --> type "REMS" into the ok-code command window --> choose the server --> hit enter.

- Start transaction S_ALR_87101258 --> type "SM51" into the ok-code --> hit enter.

- Start tcode SU3 and maintain the parameter ID "BAM_SERVER" to the target you want --> start report PPMON020 and wait 1 second.

- Logoff and logon again until you are load balanced onto that server and charge double for the time wasted...

If something is critical, you should not rely on transaction codes to protect it! That switching servers is not centrally protected means it is not really critical so I see no harm in finding other ways to do the same.

Cheers,

Julius

Edited by: Julius Bussche on Nov 25, 2010 9:04 PM

Hi Julius

Belated thanks for your help - we've just found that the last option works a treat!

Cheers

David