Automate saving user / password in SAP logon shortcut’s
Most people keep track of all their (SAP) systems, users, passwords in a personal database or Excel sheet. I do so myself in a Microsoft Access database. When a SAP user / password changes one wants to write back these changes into the SAP logon configuration. Find below the Microsoft Visual Basic for Applications (VBA) code to do so.
SAP Logon file format
Individual records to a SAP system client can be maintained in SAP Logon as a shortcut.
The shortcut contains the connection data (User, Password, Client, Language, …) to a specific SAP system.
The SAP logon shortcut’s are saved into a file named sapshortcut.ini. This file is located in the directory [Windows user directory]\AppData\Roaming\SAP\Common. The [Windows user directory] is the Windows user’s local file. In most cases it is the directory C:\Users\Login name.
The command section of the sapshortcut.ini file has next file format:
[Command] Key36=-desc="System 1" -sid="SID" -clt="100" -u="MyUser" -l="EN" -tit="System 1 client 100" -wd="C:\Users\Windows user\Documents\SAP\SAP GUI" Key37=-desc="System 1" -sid="SID" -clt="200" -u="MyUser" -l="EN" -tit="System 1 Client 200" -wd="C:\Users\Windows user\Documents\SAP\SAP GUI" -pwenc="PW_49B02219D1F6310E"
The command parameter section is identified by [Command].
SAP system ID and client are identified by parameter -sid and -clt.
User and password are identified by parameter -u and -pw or -pwenc. -pw holds the password in unencrypted format. -pwenc holds the password in encrypted format. SAP Logon will save passwords in encrypted format with -pwenc. In the VBA code here the unencrypted version with -pw is being used.
User / password database
I myself use a Microsoft Access database to store users and passwords. But any database or Excel sheet can be used as long as it is accessible by VBA.
Here DAO is used to access a recordset named QuUserSapShortcut. Any other recordset or table can be used as long as the correct name is used in the VBA coding (Database.OpenRecordset(“QuUserSapShortcut”)).
Here the fields SystemInstance, Client, User, Password are used. Any other field names can be used as long as the correct names are being used in the VBA coding,
Update SAP shortcut file
The sapshortcut.ini file file is updated by the VBA subroutine ChangeSAPShortcutIni() below. The program expects an existing SAP shortcut sapshortcut.ini file with existing system instance and client parameters.
The file is opened for reading with OpenTextFile in mode ForReading. Each command line is processed and when a corresponding database record is found on SID (database field SystemInstance, parameter sid) and client (database field Client, parameter clt) then user (database field User, parameter u) and password (database field Password, parameter pw or pwenc) are being substituted.
Finally the file is saved and overwritten with OpenTextFile in mode ForWriting.
To extract a command line into its parameter component regular expression is used (Object RegExp an pattern “-([^=]+)=””([^””]*)”””). It extracts all -parameter=”XXX” components from each command line. Where parameter=clt for instance and XXX=100.
Function GetMatch(Matches As MatchCollection, Parameter As String) As String Dim Match As Match For Each Match In Matches If Match.SubMatches(0) = Parameter Then GetMatch = Match.SubMatches(1) Next End Function Sub RegExpReplace (RegExp As RegExp, Line As String, Pattern As String, Replace As String) RegExp.Pattern = Pattern Line = IIf(RegExp.Test(Line), RegExp.Replace(Line, Replace), Line + Replace) End Sub Sub ChangeSAPShortcutIni() Dim Database As DAO.Database Dim Recordset As DAO.Recordset Dim FileDialog As FileDialog Dim FileSystem As FileSystemObject Dim SelectItem As Variant Dim RegExp As RegExp Dim Matches As MatchCollection Dim TextFile As TextStream Dim ShortcutFile As String Dim Line As String Dim Command As Boolean Set Database = CurrentDb() Set Recordset = Database.OpenRecordset("QuUserSapShortcut") Set FileDialog = Application.FileDialog(msoFileDialogFilePicker) Set FileSystem = New FileSystemObject Set RegExp = New RegExp RegExp.Global = True ' Select SAP Shortcut file FileDialog.InitialFileName = Environ("USERPROFILE") + "\AppData\Roaming\SAP\Common\sapshortcut.ini" FileDialog.Title = "SAP logon shortcut file (sapshortcut.ini)" FileDialog.Show For Each SelectItem In FileDialog.SelectedItems ' Open shortcut file Set TextFile = FileSystem.OpenTextFile(SelectItem, ForReading) Do Until TextFile.AtEndOfStream Line = TextFile.Readline If Command Then ' Extract command parameters RegExp.Pattern = "-([^=]+)=""([^""]*)""" Set Matches = RegExp.Execute(Line) ' Find SID / client in authorisation table Recordset.FindFirst _ "Client='" + GetMatch(Matches, "clt") + "' AND " + _ "SystemInstance='" + GetMatch(Matches, "sid") + "'" ' Set user / password If Not Recordset.NoMatch Then Call RegExpReplace(RegExp, Line, "-u=""[^""]*""", "-u=""" + Recordset!User + """") Call RegExpReplace(RegExp, Line, "-pw(enc)?=""[^""]+""", "-pw=""" + Recordset!Password + """") End If Else Command = Line = "[Command]" End If ShortcutFile = ShortcutFile + Line + vbCrLf Loop TextFile.Close ' Write shortcut file Set TextFile = FileSystem.OpenTextFile(SelectItem, ForWriting) TextFile.Write ShortcutFile TextFile.Close Next If FileDialog.SelectedItems.Count > 0 Then _ MsgBox (IIf(Command, "SAP logon shortcut file saved", "Error during SAP logon shortcut file creation")) End Sub
VBA object library references
Uhm, I believe most people use either a password keeper app or a sticky note on a monitor. 🙂
Our number of systems is not large enough to call for such measures but I can appreciate the effort. Thank you for sharing!
I would like to stress again the SAP view on the "saving passwords in SAP Shortcuts" feature.
1) Using this feature is a security risk. In the interest of all users we strongly have to mention again that it should not be used. This holds true especially if users are not aware of the fact that an SAP Shortcut with full credentials in it can be used by anybody to log on with a foreign user account. Yes, you may say that you protect the files on your hard disk, but will all users do this (or will they even mail the shortcuts)? From SAP perspective this risk should not be ignored and therefore the administrators should NOT enable the feature.
2) There are better and more secure alternatives to the feature available (SSO solutions); if it is just about remembering passwords there are many programs available which store passwords in a safe way.
3) The password saving feature does not have a future anymore. With the introduction of SAP UI Landscape it has been removed and even though it is still working for saplogon.ini it is just a question of time until SAP GUI for Windows will no longer support saplogon.ini at all (before you ask: SAP GUI for Windows 7.50 will still support saplogon.ini). This feature will thus disappear.
4) SAP UI Landscape is already in release 7.40 mandatory for the combined usage of SAP GUI for Windows and the SAP Business Client. If you turn off SAP UI Landscape you cannot run this combination which adds a lot of value for end users.
My summary is therefore: Don't use this feature!