
Ever get tired of finding that a system account is locked when a critical business function stops, and it takes a few hours to discover that a password was changed and something still had the old password? Well, bring on Solution Manager and System Monitoring!

I would like to point out that for this to work you have to define the accounts to monitor for a lock status; if you are looking for any account being locked, you may be interested in a blog entry I posted: http://scn.sap.com/community/netweaver-administrator/blog/2013/06/20/notifications-upon-account-locking

So let's start off by getting on the same page: run transaction SOLMAN_SETUP (or navigate to the SAP Solution Manager: Configuration work center).

User.locked.alert.png

  1. Technical Monitoring is where the configuration for the Alert Inbox lives.
  2. System Monitoring is the type of Technical Monitoring to select; the other radio buttons provide different metrics.
  3. If the Configure Infrastructure and Standard Users steps have been completed, we can start our work under Template Maintenance.
  4. Change to Edit mode.
  5. Make sure you switch on Expert mode (the button will then read Standard mode, which is what the screenshot shows).
  6. Select the correct template; it is important that you select one of the Technical System templates. In my screenshot you can see that ABAP 7.00 is supported, and I confirmed that 6.20 – 6.40 also support this metric. 4.6C does not have this metric collection; it may be possible to create it and alert off of it based on a newer release template.
  7. Make sure you copy the template, as you can’t make changes to the base templates supplied by SAP; doing this will require a transport. I recommend not using a local or $tmp transport, in case you need to transport your work at some later point. At this point you can also go to the ‘Template Settings’ tab (above Change Settings) and rename the template to something that makes sense; I have left mine in the screenshot as an example.
  8. This is a two-part step. First navigate to ‘User Lock status’ (note that the list is only in semi-alphabetical order; I recommend filtering on Exceptions). Once you have the line highlighted, click Change Settings, which allows changes to be made on the ‘Data Collection’ tab.
  9. ‘Add variant’ is an odd way to describe adding an account to monitor, but you have to click it for each account you want monitored. Keep in mind that the users you define must exist in the system you are monitoring; a good example is solman_admin and the SM_* accounts, which should only exist in SolMan and not in something like ECC/ERP.
  10. Define your users and click the Save/Next button (you will probably be prompted for a transport number).

Now you can select the SID under step 5 ‘Define Scope’ and click the Next button. Under step 6 ‘Setup Monitoring’, find the Managed Object Name SID~ABAP and assign the template that you created in ‘Template Maintenance’. Keep in mind that you can only assign 1 template per object.

At this point you should see entries show up in the Alert Inbox of Solution Manager. If you add entries in the notification portions of Technical Monitoring, you will get an email, typically within a minute (my experience may differ due to a small[er] landscape, so timing may vary).
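To cross-check the accounts defined as variants, the following added example (not part of the original post, and not how Solution Manager's collector works) decodes the lock flag from a user table export and reports only the watched accounts that are locked. It assumes a CSV export of table USR02 with the columns MANDT, BNAME and UFLAG; the sample rows, client 100 and user JDOE are constructed.

```python
import csv
import io

# USR02-UFLAG is a bit field; these are the standard lock bits.
LOCK_BITS = {
    32: "locked by administrator (central/CUA)",
    64: "locked by administrator (local)",
    128: "locked after failed logon attempts",
}

# Constructed sample export (client, user, lock flag); not real data.
SAMPLE_EXPORT = """MANDT,BNAME,UFLAG
000,TMSADM,0
001,SOLMAN_ADMIN,0
100,PISUPER,128
100,TMSADM,64
100,JDOE,192
"""


def lock_reasons(uflag):
    """Decode a UFLAG value into lock reasons (empty list = not locked)."""
    return [text for bit, text in LOCK_BITS.items() if uflag & bit]


def locked_watched_accounts(export_csv, watchlist):
    """Return (client, user, reasons) for watched accounts that are locked.

    watchlist maps client -> set of exact user names. This script compares
    names literally, so an entry of "*" only matches a user named "*".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        client, user = row["MANDT"], row["BNAME"].upper()
        if user not in watchlist.get(client, set()):
            continue  # not on the watch list for this client
        reasons = lock_reasons(int(row["UFLAG"]))
        if reasons:
            findings.append((client, user, reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical watch list: the same accounts you would add as variants.
    watch = {"100": {"PISUPER", "TMSADM"}, "000": {"TMSADM"}}
    for client, user, reasons in locked_watched_accounts(SAMPLE_EXPORT, watch):
        print(f"client {client}: {user} is {', '.join(reasons)}")
```

Keeping the watch list keyed by client makes it explicit which client each monitored account lives in.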

Feel free to review/rate some of my other blogs

Feel free to review/rate some of my other doco


13 Comments


  1. Julius von dem Bussche

    A good idea is a consistent prefix for all RFC users, and the source SID and then some unique freetext for the connection.

    Then you have 1:1 cardinality between the connections and the users.

    Then you normally also don't have lock out problems… 😉

    Cheers,

    Julius

    (0) 
    1. Billy Warring Post author

      Definitely a good practice, as long as you can create them; in some cases you inherit what the SAP implementation partner does to meet project deadlines vs informing you of all the moving parts and pieces.

      I also know when you setup TREX you don’t get much choice in the RFC creation as TREX is the one that does the work.  I’m not sure if there are other software platforms out there that might do the same tasks with RFC generations.

      Thank you for the feedback!

      (0) 
      1. Julius von dem Bussche

        Several SAP wizards suggest the name, but I am aware of only one which is really hardcoded -> TMSADM.

        Others are urban legends or just defaults (from code or customizable even).

        Of course inheriting a legacy is a different ball game, particularly when custom programs hardcoded the if sy-unames as well…  🙁

        Cheers,

        Julius

        (0) 
    1. Billy Warring Post author

      Interesting way to take this Theresa Prawdzik; I have added a “*” as a variant in my SolMan and intentionally locked a Dialog user….over 6 hours ago and still nothing, so my guess is that it's looking for a user of “*” vs a wildcard.  Nothing shows up within tx SOST at the moment.

      It would be interesting to see if there is a valid wildcard that is supported!

      Have you had a chance to review the other document that I linked to at the beginning that does notify for any user?

      (0) 
        1. Billy Warring Post author

          Good to hear!!  I also started using it recently to help myself troubleshoot a TMSADM issue I was having in a non-managed client on SolMan.

          Now if I could just figure out a trick to be notified when a Java account changes to a locked account, that would make my day at the moment!….Perhaps a future doc… 😉

          (0) 
  2. Mirko Edling

    Hi all,

    I configured the monitoring for locked users as described in this documentation. My problem was that the Extractor EPC_DPC_PULL_CORE can't find the users that I have maintained in the metric. I looked at the metric again and I can see that there is no field for the client implemented. Currently only the users in the productive client are checked and not the users in client 000. Does anybody have a solution for how I can monitor locked users in different clients?

    I don't want to do it with the ID in TX SM21 because the ID checks all users.

    Thanks

    regards

    Mirko

    (0) 
    1. Billy Warring Post author

      Howdy Mirko,

      What is the client you set for this system in question, when you managed that system?  This would be step 5 of the managed system guided procedure.

      (0) 
      1. Mirko Edling

        Hi Billy,

        We always use the productive client under ABAP parameters.

        And so we can only check the users in the productive client and not also in the client 000.

        regards

        Mirko

        (0) 
        1. Billy Warring Post author

          Apologies when I said productive client, I did not mean within the ABAP system profile parameters.

          When you manage a system on SolMan you put in a client and this is what gets set to “productive” from SolMan’s point of view.  In my example the SolMan system is 001 for the client within the management of SolMan.

          I have been having recent issues with PISUPER being locked on ECC and PI systems, and plan on getting this setup for that account very soon.

          (0) 
