Do you still need standard client 066 in your SAP system?
The question
Client 066 still exists in the latest SAP versions like SAP Netweaver 7.3 and according to the online documentation it is used for EarlyWatch functions.
Isn’t EarlyWatch functionality in Solution Manager? Yes you can create EarlyWatch alert reports in Solution Manager. Since SAP Solution Manager has become obligated and every customer should have it running you can ask the question, do you still need standard client 066? I sought out an answer to this question through a customer message.
Auditing
As with all auditing lots of questions are raised, among those questions, what do you do in client 066 in SAP? The answer: “Nothing”. “It’s a standard client so you shouldn’t delete it” can also be part of the answer. “It’s used by SAP is special circumstances” is another valid answer.
Standard passwords
The EARLYWATCH user comes with a standard password SUPPORT. This is flagged in multiple services as a security risk because the password is available in the online documentation and it means anyone could use the user/pass combination to logon to client 066.
Changing the password is normally very easy as you logon with the EARLYWATCH user and change the password through transaction SU01. But sometimes you bump into a SAP system where the number ranges where not maintained properly and you cannot change the password, you take SAP* but you don’t have enough authorization to maintain the number range either and then you have to go the creative way and do some magic to get the standard password changed.
Intension of raising questions
I’ve written about customer interaction before in my blog on expensive SQL statements which wasn’t the greatest experience I had so far. However, it’s not my intention to have criticism on everything.
I notice things and I’m looking for possible improvements and yes I do ask questions and yes some might not be flattering but it comes out of love for SAP, not hate.
It is always easier to raise questions than to actually do something about it so wherever possible I also try to propose an alternative or provide a solution myself with the purpose of doing something with it and not only raising the questions.
Writing to a friend
In my customer message I asked if there is a more efficient, easier way to change the EARLYWATCH user’s password since I bumped into the number range issue and all. It wasn’t urgent so I created a low priority customer message. After the first answer however, I raised the question “Do we still need client 066?”
The answer I received was not really convincing. I told support that I haven’t seen any activity what so ever in the past four years (give or take my whole career up till now) so I requested support to escalate further and seek confirmation within SAP. I mean I wanted to have a clear answer. You shouldn’t delete it isn’t a clear answer for me. I want to know why I shouldn’t delete it. The documentation sais you shouldn’t delete it, I know.
SDN rocks
The answer I received was from Paul Babier. If the name doesn’t ring a bell you can take a look on the forum. His first three lines of his response set the tone for the further conversation. I have sent this blog to Paul and requested his consent that I could post his first three lines:
“Hello Tom,
It’s nice to see a message from you, as I have seen your contributions
in SDN forums, I feel as if I almost know you.”
Let me share a part my response also:
“Hello Paul
The same counts for me.
I have seen many of your contributions on SDN, well written and containing valuable information like
your answer to this customer message.”
This feels like writing to a friend. I have seen his answers and I believe he does a great job on SDN and doing his job. The answer in the customer message was exactly the kind of information I wanted to receive.
Get involved in the community
Do I need to create more propaganda for community members to be active on SCN? Yes! The connection we have by being active contributors on SCN changed the conversation. Instead of writing a few lines I suddenly wrote back half a blog.
The answer
Either you are still reading which is great or you skipped the entire great story but here comes the answer to the question.
The client 066 is used by SAP in case an EarlyWatch service has to be delivered and SAP Solution Manager is not available. Removing the client means you cannot get a performance/monitoring based report of your managed system in case an issue would arrive and SAP Solution Manager isn’t available.
The question then becomes, is that an issue? It’s not in my opinion. A SAP System (Netweaver, Basis whatever you fancy) Administration should be able to get that data out of the SAP system. Another argument is that Solution Manager wasn’t obligated in the past but it is today. You need it for your system administrators so they can perform their job. The only time it will not be up and running is when it’s in a downtime phase during a downtime minimized support package stack update.
While the client might have been useful some years ago when Solution Manager wasn’t obligated and available everywhere, for me client 066 is no longer needed and could be cleaned up. I will give the recommendation here to leave out client 066 in future SAP system installations and that it is not an issue to delete it in existing SAP installations.
SAP should think about removing the client in future SAP products unless it really still does serve some purpose but I doubt it strongly.
I believe client 066 did serve a purpose some years ago but now it’s one of those things that is lying around. On my attic there are lots of things I should throw away but for some reason they are still there.
Technical information
The client 066 isn’t large at all, it’s very small and doesn’t take much space in the database. Deleting the client will create a little bit free space in the database but don’t expect anything huge. It will get rid of the auditing questions on client 066 of course and you wouldn’t have to maintain security settings for the client either.
For more information on the technical aspects of client deletion and reorganization I can recommend you read Client deletion & reorganization (other posts will also exist which can help you out on a technical level)
There is also a SAP note with information on client 066 and steps to reconstruct it in case it would no longer exist and would be needed.
After deleting client 066 I ran a new Earlywatch Alert report to check if any errors would be flagged but no errors were found in the report.
This blog triggers the question as to
what is the use of other two default clients provided by SAP? I have never used them as such in my developments?
Thanks.
Thanks for your comment.
Client 000 is the SAP reference client, it is used by the system adminitrators when a component needs to be updated.
This client would have the latest updated settings if you update to the latest available version. Client 000 is not ment to be used productive.
Client 001 is the production preparation client, the idea behind it is to copy the customizing that you need from client 000 and use is a preparation client in the sense that you use it as a test client for the new customizing, it's not a client that is ment to be used productive.
During the creation of the first productive client, clients 000 and 001 are also used in the client copy procedure to build up the new client.
I can say for sure client 000 is used but I don't know to what extent the implementation partners or consultants actually uses client 001. I would be glad to see a response from someone.
Kind regards
Tom
It is MUST to have this 066 client available, if you plan upgrade for SAP later.
SAPinst always check and verify the availability for this client before downtime, entry in client table is also must for 066 for scc4.
Never delete this until SAP recommend.
Regards,
Amit Lal
Thanks for your feedback.
Interesting to know that it is mandatory for an upgrade. Not really the answer I got from SAP. The client is pretty small so gaining space isn't really an awesome benifit either.
In my opinion it's always a good idea to challenge the standards and reflect on why they exist.
Kind regards
Tom
Hello Tom,
I would like to know what is the purpose of client 001 in an ABAP only system. I've seen that for ABAP/JAVA systems people use 001 client as a productive client. However, I prefer to create a new one, with 000 as source client and 001 for source client user masters.
Regards,
Juan
You have to secure any client even if it is not used. This includes the security settings of standard users like SAP* orDDIC or EARLYWATCH which might still have well-known standard passwords as well as the security of any other (powerful) users.
Because of this you can reduce maintenance effort and increase the security of a system if you remove unused clients.
Client 001 is a copy of client 000 which was created during installation of the system which might have happened years ago. This client could have been used to become the productive client. However, if you have decided to use other clients as productive clients but not client 001, than you can safely remove the client 001.
Keep in mind, that a SAP Solution Manager System or a SAP Business Warehouse system usually uses client 001 as a productive client.
Client 066 is a client which was created during installation of the system which might have happened years ago. This client had been used to deliver services by SAP Active Global Support. This client is not used anymore, therefore you can safely remove the client 066. (Note 7312 shows some more information about this client.)
This blog explains how to delete unused clients including client 001 (if not used) or 066 (which is not used anymore):
How to remove unused clients including client 001 and 066
http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066