Automate saving user / password in SAP logon shortcut’s
Most people keep track of all their (SAP) systems, users, passwords in a personal database or Excel sheet. I do so myself in a Microsoft Access database. When a SAP user / password changes one wants to write back these changes into the SAP logon configuration. Find below the Microsoft Visual Basic for Applications (VBA) code to do so.
SAP Logon file format
Individual records to a SAP system client can be maintained in SAP Logon as a shortcut.
The shortcut contains the connection data (User, Password, Client, Language, …) to a specific SAP system.
The SAP logon shortcut’s are saved into a file named sapshortcut.ini. This file is located in the directory [Windows user directory]\AppData\Roaming\SAP\Common. The [Windows user directory] is the Windows user’s local file. In most cases it is the directory C:\Users\Login name.
The command section of the sapshortcut.ini file has next file format:
[Command]
Key36=-desc="System 1" -sid="SID" -clt="100" -u="MyUser" -l="EN" -tit="System 1 client 100" -wd="C:\Users\Windows user\Documents\SAP\SAP GUI"
Key37=-desc="System 1" -sid="SID" -clt="200" -u="MyUser" -l="EN" -tit="System 1 Client 200" -wd="C:\Users\Windows user\Documents\SAP\SAP GUI" -pwenc="PW_49B02219D1F6310E"
The command parameter section is identified by [Command].
SAP system ID and client are identified by parameter -sid and -clt.
User and password are identified by parameter -u and -pw or -pwenc. -pw holds the password in unencrypted format. -pwenc holds the password in encrypted format. SAP Logon will save passwords in encrypted format with -pwenc. In the VBA code here the unencrypted version with -pw is being used.
User / password database
I myself use a Microsoft Access database to store users and passwords. But any database or Excel sheet can be used as long as it is accessible by VBA.
Here DAO is used to access a recordset named QuUserSapShortcut. Any other recordset or table can be used as long as the correct name is used in the VBA coding (Database.OpenRecordset(“QuUserSapShortcut”)).
Here the fields SystemInstance, Client, User, Password are used. Any other field names can be used as long as the correct names are being used in the VBA coding,
Update SAP shortcut file
The sapshortcut.ini file file is updated by the VBA subroutine ChangeSAPShortcutIni() below. The program expects an existing SAP shortcut sapshortcut.ini file with existing system instance and client parameters.
The file is opened for reading with OpenTextFile in mode ForReading. Each command line is processed and when a corresponding database record is found on SID (database field SystemInstance, parameter sid) and client (database field Client, parameter clt) then user (database field User, parameter u) and password (database field Password, parameter pw or pwenc) are being substituted.
Finally the file is saved and overwritten with OpenTextFile in mode ForWriting.
To extract a command line into its parameter component regular expression is used (Object RegExp an pattern “-([^=]+)=””([^””]*)”””). It extracts all -parameter=”XXX” components from each command line. Where parameter=clt for instance and XXX=100.
Function GetMatch(Matches As MatchCollection, Parameter As String) As String
Dim Match As Match
For Each Match In Matches
If Match.SubMatches(0) = Parameter Then GetMatch = Match.SubMatches(1)
Next
End Function
Sub RegExpReplace (RegExp As RegExp, Line As String, Pattern As String, Replace As String)
RegExp.Pattern = Pattern
Line = IIf(RegExp.Test(Line), RegExp.Replace(Line, Replace), Line + Replace)
End Sub
Sub ChangeSAPShortcutIni()
Dim Database As DAO.Database
Dim Recordset As DAO.Recordset
Dim FileDialog As FileDialog
Dim FileSystem As FileSystemObject
Dim SelectItem As Variant
Dim RegExp As RegExp
Dim Matches As MatchCollection
Dim TextFile As TextStream
Dim ShortcutFile As String
Dim Line As String
Dim Command As Boolean
Set Database = CurrentDb()
Set Recordset = Database.OpenRecordset("QuUserSapShortcut")
Set FileDialog = Application.FileDialog(msoFileDialogFilePicker)
Set FileSystem = New FileSystemObject
Set RegExp = New RegExp
RegExp.Global = True
' Select SAP Shortcut file
FileDialog.InitialFileName = Environ("USERPROFILE") + "\AppData\Roaming\SAP\Common\sapshortcut.ini"
FileDialog.Title = "SAP logon shortcut file (sapshortcut.ini)"
FileDialog.Show
For Each SelectItem In FileDialog.SelectedItems
' Open shortcut file
Set TextFile = FileSystem.OpenTextFile(SelectItem, ForReading)
Do Until TextFile.AtEndOfStream
Line = TextFile.Readline
If Command Then
' Extract command parameters
RegExp.Pattern = "-([^=]+)=""([^""]*)"""
Set Matches = RegExp.Execute(Line)
' Find SID / client in authorisation table
Recordset.FindFirst _
"Client='" + GetMatch(Matches, "clt") + "' AND " + _
"SystemInstance='" + GetMatch(Matches, "sid") + "'"
' Set user / password
If Not Recordset.NoMatch Then
Call RegExpReplace(RegExp, Line, "-u=""[^""]*""", "-u=""" + Recordset!User + """")
Call RegExpReplace(RegExp, Line, "-pw(enc)?=""[^""]+""", "-pw=""" + Recordset!Password + """")
End If
Else
Command = Line = "[Command]"
End If
ShortcutFile = ShortcutFile + Line + vbCrLf
Loop
TextFile.Close
' Write shortcut file
Set TextFile = FileSystem.OpenTextFile(SelectItem, ForWriting)
TextFile.Write ShortcutFile
TextFile.Close
Next
If FileDialog.SelectedItems.Count > 0 Then _
MsgBox (IIf(Command, "SAP logon shortcut file saved", "Error during SAP logon shortcut file creation"))
End Sub
Uhm, I believe most people use either a password keeper app or a sticky note on a monitor. 🙂
Our number of systems is not large enough to call for such measures but I can appreciate the effort. Thank you for sharing!
Hi all,
I would like to stress again the SAP view on the "saving passwords in SAP Shortcuts" feature.
1) Using this feature is a security risk. In the interest of all users we strongly have to mention again that it should not be used. This holds true especially if users are not aware of the fact that an SAP Shortcut with full credentials in it can be used by anybody to log on with a foreign user account. Yes, you may say that you protect the files on your hard disk, but will all users do this (or will they even mail the shortcuts)? From SAP perspective this risk should not be ignored and therefore the administrators should NOT enable the feature.
2) There are better and more secure alternatives to the feature available (SSO solutions); if it is just about remembering passwords there are many programs available which store passwords in a safe way.
3) The password saving feature does not have a future anymore. With the introduction of SAP UI Landscape it has been removed and even though it is still working for saplogon.ini it is just a question of time until SAP GUI for Windows will no longer support saplogon.ini at all (before you ask: SAP GUI for Windows 7.50 will still support saplogon.ini). This feature will thus disappear.
4) SAP UI Landscape is already in release 7.40 mandatory for the combined usage of SAP GUI for Windows and the SAP Business Client. If you turn off SAP UI Landscape you cannot run this combination which adds a lot of value for end users.
My summary is therefore: Don't use this feature!
Best regards,
Frank