on 10-27-2015 11:08 AM
Hi all,
Good day...!!
Our management want to restrict multiple gui logons of some users in our system. I created the parameter "login/disable_multi_gui_login" in RZ10, but in one single line only 21 entries is allowing
I want to add more users . How should i add ?
I searched in net about this, but all results are explaining about the disabling of multiple logons.
Please help on the above matter....
Regards
Praveen
Have a look at this SAP note for the solution.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Reagan, that's an interesting solution. I wasn't aware of that of adding more users than the line length would permit. Seems a bit complex, though, when probably the real answer is a better design of just who should be allowed to have multiple logins. As Cris says, probably no one really needs this, at least not in production systems, though it's conceivable the sysadmin might in rare cases need to login simultaneously from two different workstations, perhaps for some kind of performance tracing effort.
Praveen, are you sure what you want to do is add lots of users to the exception list? If your management wants to generally restrict multiple logins (which is a good idea -- most license contracts imply a requirement of something like this), then the number of exceptions should be fairly small, or even non-existent. I don't have any exceptions in my landscape, not even for myself, and not even in DEV. I used to have one developer who insisted she needed multiple login capability, but that turned out to be a training issue (multiple sessions is all she really needed, and of course she already had that, just like everyone else).
Cheers,
Matt
Hello Praveen
If this is a production system then go back to the management and make them aware of the SAP licensing conditions. In the past I have seen this practice but only for a few users (5 or 6) just because of the number of service providers involved.
Regarding the implementation of the note, you need to first set the local variables as suggested in the KBA and enter values there (based on what I have understood).
Eg:
_P1=ABC#EFG#HIJ
_P2=KLM#NOP#QRS
Afterwards you will provide these local variables as values to the parameter login/multi_login_users
Eg:
login/multi_login_users=$(_P1)$(_P2)
Hello Praveen,
It is not possible to have more users than the space available in RZ10 (80 characters in total).
Note that allowing users to login more than once is not a general feature, but should be seen as exception from the rule. The profile parameter login/multi_login_users is designed only for a smaller group of users who need to login multiple times even if the setting of login/disable_multi_gui_login generally prohibits the multiple login.
Regards,
Cris
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Praveen
1. You can refer the SDN link Disable Multiple SAP Logons - Basis Corner - SCN Wiki
2. If the number of user id are more, you can switch the user id type from Dialog to Service in transaction code SU01.
Regards
SS
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi SS,
I got that. But suppose, if i change one of the senior person's ,say "A" ,ID from dialog to service that person can allow multiple logon. All the users here are Dialog users. So if i ant to restrict one user (he is already Dialog user) what should i do ?
in the snapshot u mentioned changed it to service user. Service user can allow "Multiple logons" , RIGHT ??
Regards
Praveen
Hi Praveen.
You are already restricted the end user id's based on authorizations. Based on the business need you can change the user id type to service, others remaining in dialog.
in the snapshot u mentioned changed it to service user. Service user can allow "Multiple logons" , RIGHT ??
Yes,
Regards
SS
If you switch an actual user's account in the production system from Dialog to Service, you will be in violation of your license contract, because service users are not counted in the license audit. This is not the correct approach. Service users are intended for just what it sounds like and just what is described in SS' screenshot -- non-human processes, such as batch users that only run background jobs, or interface users, or anonymous web access, that sort of thing.
Praveen, I'm still unclear on your business requirement. I thought you said at the beginning that your requirement was to prevent multiple simultaneous logins by the same user. If this is the case, you don't need to mess with the login/multi_login_users parameter at all. Just delete this parameter. The parameter you should set is login/disable_multi_gui_login and set it to 1.
Hi Matt,
My Business requirement is this. In our envireonment, all the user ID's are using my multiple people. In our management some senior officers want to have restrict their own ID's so that their ID should be used by them only.
If i set "login/disable_multi_gui_login" to 1 , then all users will be restricted. That i don't wnat . I want some particular users only.
Means, i should give "login/multi_login_users" in RZ10 and give the names of all users who want multiple logons. For those ID, which i won't give will be restricted , according to SAP.
But in RZ10, only 80 charecters is allowing. I want to add more.
Regards
Praveen
Ok, this is a different requirement. In this case, just delete both parameters. You don't need to mess with login/multi_login_users at all, and you want login/disable_multi_gui_login to be set to 0, which is the default, therefore simply deleting the parameter should achieve this (but if you want to be sure, set the parameter in your profile to 0). Then multiple simultaneous logins by the same dialog user ID will be allowed.
In the case of your senior officers, the answer is even simpler. Have them change their passwords and don't give them out to anyone else. That's basic security.
However, this raises another possible license violation. Again, in most license contracts, use of a single dialog user account by more than one person is prohibited. In fact, it's precisely this behavior that the audit is trying to detect when it looks to see if the same account is logged in from more than one workstation at the same time. Your contract could conceivably be different, but probably it isn't. If this is a production system, or if these are developers with SSCR keys in a development system, then most likely they are required to be named users and only the person so named is authorized to use that account.
The exception would be test and training accounts in a test/training system (or likewise and also non-developers in a dev system), but generally you can't have dialog accounts in a production system used in this way. Everyone needs their own unique account.
Again, your contract may be different, but this would be the typical case.
User | Count |
---|---|
83 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.