How to remove unused clients including client 001 and 066
You find the same information in note 1749142 – How to remove unused clients including client 001 and 066
Introduction
You have to secure any client even if it is not used. This includes the security settings of standard users like SAP* or DDIC or EARLYWATCH which might still have well-known standard passwords as well as the security of any other (powerful) users.
Because of this you can reduce maintenance effort and increase the security of a system if you remove unused clients.
Client 001 is a copy of client 000 which was created during installation of the system which might have happened years ago. This client could have been used to become the productive client. However, if you have decided to use other clients as productive clients but not client 001, then you can safely remove the client 001.
Keep in mind, that a SAP Solution Manager System or a SAP Business Warehouse system usually uses client 001 as a productive client.
Client 066 is a client which was created during installation of the system (applicable for all SAP systems based on SAP NetWeaver 7.40 and below), which might have happened years ago. This client had been used to deliver services by SAP Active Global Support. This client is not used anymore, therefore you can safely remove the client 066. (Note 7312 shows some more information about this client and how to (re)-create it in case you want to get it back after deleting it.) SAP NetWeaver 7.40 is the last release delivering the client 066 with the installation or upgrade.
Caution: You must to NOT re-create this client as customer client in order to ensure smooth change control and maintenance processes in your SAP system.
This blog explains how to delete unused clients including client 001 (if not used) or 066 (which is not used anymore).
Prerequisites
It might be necessary to set profile parameter login/no_automatic_user_sapstar = 0 to be able to logon using built-in user SAP*.
You might need to implement note 2284180 to change the role of client 066 to TEST.
Caution:
Prior to deleting a client – especially in case of client 001 – SAP recommends checking if there are in fact no active users in the client. You can use report RSUSR200 of the User Information System (transaction SUIM) or the Workload Statistics (transaction ST03N) to check if there have happened some activities of users. Within ST03N you can use the Analysis View “Settlement Statistics” to inspect which clients had been used and which users have been used these clients.
You can lock all users (except one user of course) for some time before delete the client.
In addition you should check if no background job is scheduled within this client. You can easily check this using transaction SE16 for table TBTCO or view V_OP with a selection for the client using selection field AUTHCKMAN.
By the way: Getting the user name which executes a job step is more difficult: This information is stored in another table TBTCP in field AUTHCKNAM. To get client and user together you need to join both tables TBTCO (containing the client) and TBTCP (containing the user).
Finally you have to ensure that the client is not classified as “productive”. Use transaction SCC4 to check and maintain the client role.
If you are going to delete a client which had been used productively formerly then you should check note 934593 which describes how to delete all objects of a client from TemSe (this part is not covered by transaction SCC5).
Do it
You can remove a complete client using transaction SCC5. You have to logon to the client which you plan to delete. On the selection screen of SCC5 activate the option to remove the entry in table T000! Use the background mode to delete a large client like client 001. (This is not required for the small client 066.) The transaction offers a test-run mode, too.
To monitor the progress of the client deletion, use transaction SCC3.
Finally you should check using transaction SCC4 that there is no entry for the client in table T000 anymore and you should submit report RSUSR003 to check if no access to this client using standard user SAP* is possible anymore.
References
The notes 70643, and 365304 (which is quite useful if you delete a large client) and 446485 (which is about copying clients but gives recommendations for deletion as well) describe some more details about the client deletion process. Note 31496 describes options to recover a deleted client.
Online Help – Deleting Clients
http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4d/7cdfbc19a00f88e10000000a42189b/frameset.htm
Known issues:
Specific versions of the upgrade tools check for the existence of client 066 and stop the upgrade if this client does not exist. In this case simply create the entry for client 066 in table T000 using transaction SCC4 again, restart the upgrade and remove the entry after the upgrade again.
See KBA Note 1874687 Error in SUM phase EWIMPORT_UPG
Software Update Manager 1.0 SP13 will not request for a client 066 any more.
Post Processing
Set profile parameter login/no_automatic_user_sapstar = 1 for all application servers to block built-in user SAP*.
Consider to reorganize the database if you have deleted a large client. Search for notes about ‘reorganization’ within the application component of your database (e.g. BC-DB-DB*, BC-DB-HDB, BC-DB-INF, BC-DB-MSS, BC-DB-ORA, BC-DB-SDB).
Here are some references for Oracle:
- Note 646681 – Reorganization of tables with BRSPACE
- Note 541538 – FAQ: Reorganization
- Online help: Segment Management with BR*Tools
- Blog: BRSPACE Online Reorganizations: Advanced Reorganizations
Thank you Frank! I know many customers who want to do this as it makes sense, but are not sure about side affects such as hardcoding or secret ways to open changeability etc.
Is it known which upgrade versions might still check for the existence of 066? What was the logic behind that?
Cheers,
Julius
Interesting. What is missing is a reference of a note that describes when a delete of client 66 is allowed and when not. The referenced notes 7312,70643, 365304 and 31496 focus on different topics. From the validity of the noted (7.1 and below) one could assume the version to be 7.20 and above, but I think that would be to easy because of the dependency with the Solman.
I don't know about any usage of client 066 anymore - and this is independant from any release. Nowadays this client not used for the EarlyWatch Alert or any other service executed by SAP Active Global Support and it's not used by any problem analyzing support activities.
Hi Frank,
does that mean the new installations will not install 066 either? Or is it like that already? I don't remember seeing many systems without 066 so far.
Cheers Otto
Hi Otto,
currently new installations still come with client 066. I hope, that we can omit it in the future.
Kind regards
Frank
Hello Frank,
Thanks for writing it! That's great to have this news...
Regards,
Felipe
Hi Frank! Thanks for providing these information by a SCN Blog! It's a good reference that can be provided to SAP Customers how to deal with unused clients!
Hello Frank,
many thanks for your usefull post here in SAP SCN.
Best Regards,
Florian
Hi Frank!
Thanks for very interesting post published in your SCN Blog.
I have noticed recently that the status of the note 1749142: “How to remove unused clients including client 001 and 066” has been changed. I have got information from SAP that the note is still being verified. Do you have any idea when the note 1749142 will be officially released?
Regards,
Tomasz
Keep beeing patient - and follow the recommendations within this blog.
Hello
Thank you for all the information you share.
Almost 3 months later and note 1749142 is still not released... Is there a secret committee at SAP who's fighting for the survival of the lost clients 001 & 066 ?
At least there is a note is for 66 => 1897372 - EarlyWatch Mandant 066 - Can Client 066 be deleted?
and one for 001 => 552711 - FAQ: Client copy (16. Can I delete client 001?)
Regards
Great blog, but I am having an issue in that I cannot create a user in client 066, only Earlywatch & SAP* exists and neither has enough authorization power to create a user with SAP_ALL or to delete a client. Any suggestions of a work around?
Hello
Just use the kernel embedded SAP* account:
Set instance parameter login/no_automatic_user_sapstar to 1
Delete the SAP* account in client 066 at DB level
delete from sapsr3.USR02 where BNAME='SAP*' and MANDT='066';
commit;
Restart SAP instance
It is then possible to log in client 066 using SAP* with password PASS.
Regards
68048 Deactivating the automatic SAP* user
Thanks. I never knew the embedded SAP* account had full access.
Dear Frank Buchholz,
to set login/no_automatic_user_sapstar a downtime is necessary, or not ?
Is there a possibility on database level to prepare a user to logon, without a downtime ?
Thanks with regards, Franz
That is really interesting topic.
Still Note 1749142 is not released at the moment.
Hi Frank,
Thanks for nice blog ,
can we consider that sap documentation was not updated with recent changes ? because i can still see in the documentation "Do not change or delete this client."
System and Client Settings - System Administration Assistant (BC-RRR) - SAP Library
This client is purely a service client that enables SAP to access remotely the customer system with regard to analyzing errors and performance.
Do not change or delete this client.
//Veeramalla
Thanks Frank for the information. One of the managers in my previous project asked the Basis team why 066 was requried when we get all the Early watch reports from Solman. Your blog answers teh question!
Regards,Savitha
SAP Note 1749142 is still in processing. What, that's a year now!
Cheers,
Dan Mead
I would suggest to open a SAP OSS incident under SV-SMG-SER for this.
Hello Frank,
if we try to delete client 066 we get the error "Zielmandant ist produktiv und geschützt gegen Mandantenkopie". In SCC4 the client is classified as "SAP Referenz". If we try to change this we get the error "Mandant 66 darf nicht als Kundenmandant verwendet werden. (SV836)". What are we doing wrong?
Regards
Herbert
Its been a while but here is the process I followed
Thanks for the reply!
Our problem is "SCC4 -- Make client modifiable". As it is not possible do delete a productive client we tried to change der client role vom "SAP reference" to any non productive role, but we get the error "Client 66 cannot be a customer client (Message No. SV836)".
Regards
Herbert
Have you done this as SAP*? I want to say that is what enabled me to change the settings. In addition I also had to change the currency. I want to say I got a warning but I was able to proceed.
We tried this as SAP* and as EARLYWATCH with the same result. We also changed the currency. We dont get warnings, we get errors.
I will open an Incident on SAP Support Portal.
Regards
Herbert
Hello Herbert,
strange, as it worked for a lot of customers with the Standard Client Settings...
If you can Access table t000 you could Change field cccategory from S to T there for Client 066.
Of course this is not supported by SAP, but as you want to delete the Client anyway...
b.rgds, Bernhard
Hello Bernhard,
our issue was solved by Note "2284180 - To change the 066 Client role to TEST". After implementing the note it was possible to change der Client role and to delete the client 066.
Best Regards
Herbert