
SAP Logon: Administration of functions

Updated May 18, 2018

You want to administer SAP Logon user options. In some system environments, you want to use the administration to restrict the user options for SAP Logon, for example:

Blocking the free selection of an application server using "Server Selection" (which means bypassing "Load Balancing" using "Group Selection")
Blocking all editing options of the selection box (buttons: New, Edit, Delete); in addition (if required), you can use the central administration of the SAP Logon list box selection, for example, during the central server installation of the SAP front end.

Comment:

The "SAP GUI installation directory" mentioned below refers to the directory [SAPdestdir]\SAPgui. In this case, [SAPdestdir] is stored in the registry for the SAP GUI installation program under
HKLM\Software\Sap\Sap Shared [SAPdestdir]
(under HKLM\Software\Wow6432Node\Sap\Sap Shared on 64-bit operating systems).

Three .ini files are used for the administration of SAP Logon. Up to and including 3.0E, these files MUST be in the Windows directory.
Note 512040 describes how to distribute the .ini files and the services file during the SAP GUI installation.
As of SAP GUI 640, there is a new .ini file sapshortcut.ini for the SAP shortcut entries in SAP Logon. This file must be in the same directory as the saplogon.ini file. For this file, the same search order applies as for the saplogon.ini file (see below).

(New features as of 3.0F, see below.)

1. Scope of functions:
SAP Logon can access all three .ini files. In addition, the services file must be maintained (see 52959 and 540379).
The purpose of these files is:
saproute.ini:
This file contains the SAProuter information (for details about SAProuter and the SAProuter string, see 30289) that is displayed in the Group/Server Selection dialog in the SAProuter dialog field. (This file is required only if SAProuter is to be used for the connection to the SAP system.)
The file should contain the following information (for examples, see 96655 or 95828):
[Router]
<Routername1>=
=
...
[Default]
name=
The router names are then displayed in the selection list (dropdown list) "SAP Router for" in the Group/Server Selection dialog.
The search order of the saproute.ini file is as follows:
1) "saproute.ini" in the SAP GUI installation directory
2) "saproute.ini" in the Windows directory*
*Comment: In the terminal service environment, each user usually has their own Windows directory.
sapmsg.ini:
This file contains the SAP system names and the relevant message server. This information can be displayed in the Group/Server Selection dialog in the dialog field 'SAP System ID' or 'Message Server'.
The file should contain the following information (for examples, see 96655 or 95828):
[Message Server]
=
=
...
[Message Server Description]
=
=
...
The information contained in the sapmsg.ini file is displayed accordingly in the fields "System ID" (dropdown list), "Description", and "Message Server" in the Group/Server Selection dialog.
The search order of the sapmsg.ini file is as follows:
1) "sapmsg.ini" in the SAP GUI installation directory
2) "sapmsg.ini" in the Windows directory*
*Comment: In the terminal service environment, each user usually has their own Windows directory.
saplogon.ini:

This file contains all the information about the configuration, including all required information for the entries of the selection box in the main dialog.
The file name and the path specification of the 'saplogon.ini' file are freely configurable (as of GUI 31G):
In GUI higher than 40, the search order of the saplogon.ini file is as follows:

1) File name from command line parameter /INI_FILE=
(for GUI Version 640 or higher, see 756686)
If the file specified by this parameter is not available,
the system generates an empty saplogon.ini file.

2) File name from environment variable SAPLOGON_INI_FILE
If the file specified by this variable is not available,
the system generates an empty saplogon.ini file.

3) "saplogon.ini" in the SAP GUI installation directory

4) "saplogon.ini" in the Windows directory*
*Comment: In the terminal service environment, each user usually has their own Windows directory.
As of 710 GUI patch 19 and 720 GUI, a string such as %APPDATA% (environment variable string) may also be contained in the entry of 1) and 2).

2. Restricted functions:
The user cannot use the Group/Server Selection dialog and can make the selection only from a selection box configured by the administrator:

To do this, the administrator configures the required selection box using SAP Logon. To make this selection accessible to the user, ONLY the generated 'saplogon.ini' file must be copied to the Windows directory of the user. The files 'sapmsg.ini' and 'saproute.ini' must NOT be available on the user PC. As a result, the system selection of the Group/Server Selection remains empty. However, the selection box can be configured by the user using New/Edit.

3. Proposals for the SAP Logon administration when installing the SAP front end on a central server:
a) Users should be able to edit the selection list:

Use of SAP Logon:
The saplogon.ini file that saves the individual configuration of the user should always be stored in the Windows directory of the (local) PC. In contrast, the sapmsg.ini (and, if necessary, the saproute.ini) file should be stored centrally (in the SAP GUI installation directory or in the Windows directory of the PC that is not a terminal server). As a result, any changes that are required must only be maintained centrally at one location.

In contrast, central storage of the saplogon.ini file is not useful because each change to ONE user will take effect for ALL users if the file is stored centrally (which is probably not intended).

b) Users should not be able to edit the selection list:
- Use of SAP Logon Pad:
The saplogon.ini file should be stored centrally to ensure that required changes, which the administrator can make using SAP Logon, are available immediately for ALL SAP Logon Pad users. The files sapmsg.ini and saproute.ini are not required when using SAP Logon Pad.
The .ini files that are actually used at runtime are displayed in the "SAP Logon configuration" dialog box of SAP Logon or SAP Logon Pad.

- Use of SAP Logon:
The use of SAP Logon is the same as the use of SAP Logon Pad, except for the option of deactivating system editing functions, which should be activated explicitly in this case. The file name (including the path name) of the read-only saplogon.ini file that is stored centrally can be specified using the environment variable SAPLOGON_INI_FILE, or it can be specified as the SAP Logon call parameter /INI_FILE= (also see below). Setting the environment variable or the SAP Logon call can be automated using a batch file that is executed when each user logs on to Windows.

c) Some users should be able to edit the selection list and some should not be able to do so: Use of SAP Logon or SAP Logon Pad:
The reason for this requirement is that most users should use the selection list (that is centrally maintained), but there are also individual users who should be able to compile their own selection list, which means that the central 'saplogon.ini' file cannot be used.

Proposal: Store sapmsg.ini or saproute.ini centrally, as described under a). Use a central .ini file in the SAP GUI installation directory, which must NOT be called 'saplogon.ini' (it can be called z_saplog.ini, for example). For all users who are to use this file, the environment variable SAPLOGON_INI_FILE must be set to .\z_saplog.ini once on the PC, or the argument /INI_FILE=.\z_saplog.ini must be added to the SAP Logon call. This central .ini file should be a read-only file, or all of these users should use SAP Logon Pad.

d) All users for whom the central .ini file is not to be used should set a local file name or no file name as the .ini file name. In the latter case, the system uses the default 'saplogon.ini' file in the Windows directory again (see above).

As a result, with this configuration, users can bypass the central .ini file if they have access to the environment variables or the call string of SAP Logon. If you want to ensure that this cannot happen, using two identical front-end installations is the only option. In this case, one installation is supplied with a central saplogon.ini file. The other installation is not supplied with a central saplogon.ini file and can, therefore, work with a local saplogon.ini file.

- NEW AS OF SAP FRONT-END 3.0F:

1. An additional program "SAP Logon Pad" is contained in the delivery as "saplgpad.exe".
SAP Logon Pad displays the same list box selection as SAP Logon, but does NOT provide the user with any editing options. This means that the user cannot change the configuration file saplogon.ini once it has been made available.

2. Central administration of the .ini files: Both SAP Logon and SAP Logon Pad first search for all .ini files in the SAP GUI installation directory and then (if no files were found there) in the Windows directory (as before).

3. NEW ADDITION AS OF 3.1G: The file name and the path specification of the 'saplogon.ini' file are freely configurable: The environment variable SAPLOGON_INI_FILE or the command line parameter /INI_FILE= can now be used to explicitly specify a file name as an argument during the start of SAP Logon. If the environment variable AND the command line parameter are specified, the system uses the argument of the command line parameter. As a result, the search order is as follows:
1) "saplogon.ini" in the SAP GUI installation directory
2) File name from command line parameter /INI_FILE=
3) File name from environment variable SAPLOGON_INI_FILE
4) "saplogon.ini" in the Windows directory.
During points 2) to 4), the system generates the file if it does not exist. During points 2) and 3), any file name can be used. The file name extension does not have to be .ini (but this is recommended to ensure transparency).

If no path is specified, the system searches in the Windows directory (this is the default directory for .ini files). If you want the system to search in the SAP GUI installation directory, you must also explicitly specify the local directory ".".
Examples:
The call "saplogon /INI_FILE=.\blabla.ini" searches for the file blabla.ini in the current directory. The call "saplogon /INI_FILE=blabla.ini" searches for the file blabla.ini in the Windows directory. The .ini files that are actually used are specified in the "About SAP Logon" dialog box, which includes the full path for each file.

4. AS OF GUI 40, 45, 46, 620, 640
The search order of the saplogon.ini file was changed as follows:
1) File name from command line parameter /INI_FILE=
(also see 840143, which is release-independent with regard to the SAP GUI release
or see 756686 for GUI 640 or higher)
If the file specified by this parameter is not available, the system generates an empty saplogon.ini file.

2) File name from environment variable SAPLOGON_INI_FILE
If the file specified by this variable is not available, the system generates an empty saplogon.ini file.

3) "saplogon.ini" in the SAP GUI installation directory

4) "saplogon.ini" in the Windows directory.
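
Added example (not part of the original note and not SAP code): a small Python model of the GUI 4.0+ search order above, usable to audit which saplogon.ini a given call string and environment would select and whether the central file from proposal c) is bypassed. The directory constants, the function names, the assumption that SAP Logon is started from the SAP GUI installation directory, and the fallback when no file exists anywhere are assumptions of this example.

```python
import ntpath
import re

# Constructed sample values (not from the note): adjust to the installation.
INSTALL_DIR = r"C:\Program Files\SAP\FrontEnd\SAPgui"
WINDOWS_DIR = r"C:\Windows"
CENTRAL = INSTALL_DIR + r"\z_saplog.ini"
FLAG = "/INI_FILE="

def expand(value, env):
    # %NAME% strings are allowed in steps 1) and 2) as of 710 patch 19 / 720.
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)

def locate(name, install_dir, windows_dir):
    # A bare file name is looked up in the Windows directory; a relative path
    # such as ".\x.ini" is relative to the current directory, assumed here
    # to be the SAP GUI installation directory.
    if ntpath.isabs(name):
        return ntpath.normpath(name)
    base = install_dir if ntpath.dirname(name) else windows_dir
    return ntpath.normpath(ntpath.join(base, name))

def resolve_saplogon_ini(argv, env, existing, install_dir=INSTALL_DIR, windows_dir=WINDOWS_DIR):
    """Return (path, source, generated); `existing` holds lower-cased paths."""
    env = {k.upper(): v for k, v in env.items()}  # Windows names ignore case
    # The flag is matched case-insensitively so the audit errs on the safe side.
    arg = next((a[len(FLAG):] for a in argv if a.upper().startswith(FLAG)), None)
    for source, value in (("cmdline", arg), ("env", env.get("SAPLOGON_INI_FILE"))):
        if value:
            path = locate(expand(value, env), install_dir, windows_dir)
            # Steps 1) and 2) do not fall through: a missing file is generated empty.
            return path, source, path.lower() not in existing
    for source, base in (("install_dir", install_dir), ("windows_dir", windows_dir)):
        path = ntpath.join(base, "saplogon.ini")
        if path.lower() in existing:
            return path, source, False
    # Assumption: with no file anywhere, one is generated in the Windows directory.
    return ntpath.join(windows_dir, "saplogon.ini"), "windows_dir", True

def audit(argv, env, existing, central=CENTRAL):
    """List deviations from the centrally maintained selection list."""
    path, source, generated = resolve_saplogon_ini(argv, env, existing)
    findings = []
    if path.lower() != central.lower():
        findings.append(f"central file not used ({source}): {path}")
    if generated:
        findings.append(f"{path} does not exist and would be generated empty")
    return findings
```

Feed it the shortcut or batch-file call string and the user's environment as collected from the endpoint; an empty result from audit() means the central read-only list is the one in effect.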

