Solution Manager can tell me if a system account i...

bxiv · ‎2013 Jun 25

Ever get tired of finding a system account is locked when a critical business function stops and it takes a few hours to discover it was a password that was changed and something still had the old password. Well bring on Solution Manager and System Monitoring!

I would like to point out that in order for this to work it will require you to define accounts to monitor for a lock status; if you are looking for any account being locked you may be interested in a blog entry I posted: http://scn.sap.com/community/netweaver-administrator/blog/2013/06/20/notifications-upon-account-lock...

So lets start off by getting on the same page, issue Tx Solman_setup (or navigate to the SAP Solution Manager: Configuration work center).

Technical Monitoring is where the configuration(s) is for the Alert Inbox
System Monitoring is the type of Technical Monitoring, the other radio buttons provide different metrics
If the Configure Infrastructure and Standard Users steps have been completed, we can start our work under Template Maintenance
Change to Edit mode
Ensure you flip on Expert mode (even though it says Standard mode, this is what it will show)
Select the correct template, it is important that you select the Technical System templates. In my screenshot you can see that ABAP 7.00 is supported, I confirmed that 6.20 - 6.40 also supports this metric, 4.6C does not have this metric collection it may be possible to create it and alert off of it based on a newer release template.
Ensure you copy the template as you can't make changes to the base templates supplied by SAP, now doing this will require a transport. I recommend not doing a local or $tmp transport so down the road if you need to transport your work at some later point in time. It is also at this point under the 'Template Settings' tab (above Change Settings) and you can re-name the Template to something that makes sense; I have left mine in the screenshot as an example.
This is a dual point, you first need to navigate to 'User Lock status' (note the list is in semi alphabetically order, I recommend filtering on Exceptions). Once you have the line highlighted you can click on Change Settings, this will allow for the 'Data Collection' tab to have changes made to it.
Add variant is an odd way to specify adding an account to monitor, but you have to click this for each account you want monitored. Keep in mind that the users defined are in the system you are monitoring, a good example is solman_admin and the SM_* accounts those should only exist in SolMan and not something like ECC/ERP.
Define your users and click the Save/Next button (you will probably be prompted for a transport number).

Now you can select the SID under 5 'Define Scope' and click the Next button. Now under 6 'Setup Monitoring' the Managed Object Name you want SID~ABAP and assign the template that you created in 'Template Maintenance'. Something to keep in mind is that you can only assign 1 template per object.

Now at this point you should see entries show up in the Alert Inbox of Solution Manager, by adding entries in the notification portions of Technical Monitoring you will get an email typically within a minute (keep in mind my experience may differ due to a small[er] landscape, timing may vary).

bxiv/content?filterID=contentstatus[published]~objecttype~objecttype[blogpost]

bxiv/content?filterID=contentstatus[published]~objecttype~objecttype[document]

Former Member · ‎2013 Jul 02

A good idea is a consistent prefix for all RFC users, and the source SID and then some unique freetext for the connection.

Then you have 1:1 cardinality between the connections and the users.

Then you normally also dont have lock out problems... 😉

Cheers,

Julius

bxiv · ‎2013 Jul 02

Defiantly good a good practice, as long as you can create them; in some cases you inherit what the SAP implementation partner does to meet project dead lines vs informing you of all the moving parts and pieces.

I also know when you setup TREX you don't get much choice in the RFC creation as TREX is the one that does the work. I'm not sure if there are other software platforms out there that might do the same tasks with RFC generations.

Thank you for the feed back!

Former Member · ‎2013 Jul 02

Several SAP wizards suggest the name, but I am aware of only one which is really hardcoded -> TMSADM.

Others are urban legends or just defaults (from code or customizable even).

Of course inheriting a legacy is a different ball gam, particularly when custom programs hardcoded the if sy-unames as well... 😞

Cheers,

Julius

TheresaP · ‎2013 Aug 09

Billy, can you tell me if this supports * for user vs. a list of all users to monitor for lock status?

bxiv · ‎2013 Aug 10

Interesting way to take this theresa.prawdzik; I have added a "*" as a variant in my SolMan and intentionally locked a Dialog user....over 6 hours ago and still nothing, so my guess is that its looking for a user of "*" vs a wildcard. Nothing shows up within tx SOST at the moment.

It would be interesting to see if there is a valid wildcard that is supported!

Have you had a chance to review the other document that I linked to at the beginning that does notify for any user?

bxiv · ‎2013 Aug 11

Found a way to get any user locking in a ABAP system to trigger an alert from SolMan using the new alerting methods; getting a document typed up for this.

I will provide a URL to the new doco, in the near future and it will be within the Security space.

URL: http://scn.sap.com/docs/DOC-45048

TheresaP · ‎2013 Sep 10

Thanks Billy; The system log monitoring for locked users works.

bxiv · ‎2013 Sep 10

Good to hear!! I also started using it recently to help myself troubleshoot a TMSADM issue I was having in a non-managed client on SolMan.

Now if I could just figure out a trick to be notified when a Java account changes to a locked account, that would make my day at the moment!....Perhaps a future doc... :wink:

Lluis · ‎2013 Sep 21

Great post bxiv ¡

Regards,

Luis

Former Member · ‎2016 Jun 09

Hi all,

i configure the moniting for locked users as described in this documentation. My problem was that the Extractor EPC_DPC_PULL_CORE can´t find the users that i have maintained in the metrik. I look in the metrik again and i can see that there is no field for client implement. Currently only the users in the productive client were checked and not the users in client 000. Has anyboby a solution hoiw i can monitor lolcked users in different clients.

I dont´t want to do with the id in TX SM21 because the ID checks all users.

Thankx

regards

Mirko

bxiv · ‎2016 Jun 28

Howdy Mirko,

What is the client you set for this system in question, when you managed that system? This would be step 5 of the managed system guided procedure.

Former Member · ‎2016 Jun 30

Hi Billy,

we always use the productive client under ABAP parameters.

And so we only can check the users in the productive client and not also in the client 000.

regards

Mirko

bxiv · ‎2016 Jul 28

Apologies when I said productive client, I did not mean within the ABAP system profile parameters.

When you manage a system on SolMan you put in a client and this is what gets set to "productive" from SolMan's point of view. In my example the SolMan system is 001 for the client within the management of SolMan.

I have been having recent issues with PISUPER being locked on ECC and PI systems, and plan on getting this setup for that account very soon.

mhuchet · ‎2018 Feb 27

Hi Billy,

From 2013/2016, have you found a solution to use this Solman monitoring/alerting to know when we have a locked technical user in SAP Process Orchestration (SAP PO 7.5), so in Java area ?

For instance, in SAP PO, I created a technical user used by a third-party application to send data to SAP PO, and I would like to know if we can have such Solman monitoring / alerting to directly be informed when this user is locked (for any reason).

Regards

Mickael

Solution Manager can tell me if a system account is locked (ABAP)

SAP PI for Beginners

ABAP 7.40 Quick Reference

Difference between SAP S/4HANA :Public Vs Private edition : RISE with SAP