cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Want to restrict multiple gui logons

Go to solution
former_member183044
Active Participant

on ‎10-27-2015 11:08 AM

0 Kudos

Hi all,

Good day...!!

Our management want to restrict multiple gui logons of some users in our system. I created the parameter "login/disable_multi_gui_login" in RZ10, but in one single line only 21 entries is allowing

I want to add more users . How should i add ?

I searched in net about this, but all results are explaining about the disabling of multiple logons.

Please help on the above matter....

Regards

Praveen

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Reagan
Advisor
Advisor
‎10-27-2015 1:12 PM
0 Kudos

Have a look at this SAP note for the solution.

2215040 - Long profile parameters are truncated

Show replies
Show replies
Matt_Fraser
Active Contributor
‎10-27-2015 3:03 PM
0 Kudos

Reagan, that's an interesting solution. I wasn't aware of that of adding more users than the line length would permit. Seems a bit complex, though, when probably the real answer is a better design of just who should be allowed to have multiple logins. As Cris says, probably no one really needs this, at least not in production systems, though it's conceivable the sysadmin might in rare cases need to login simultaneously from two different workstations, perhaps for some kind of performance tracing effort.

Praveen, are you sure what you want to do is add lots of users to the exception list? If your management wants to generally restrict multiple logins (which is a good idea -- most license contracts imply a requirement of something like this), then the number of exceptions should be fairly small, or even non-existent. I don't have any exceptions in my landscape, not even for myself, and not even in DEV. I used to have one developer who insisted she needed multiple login capability, but that turned out to be a training issue (multiple sessions is all she really needed, and of course she already had that, just like everyone else).

Cheers,

Matt

former_member183044
Active Participant
‎10-28-2015 6:19 AM
0 Kudos

Hi Matt,

We have only 44 licensed users here. But some senior most users users want to restrict their own ID from others. That's why i checked and found this problem.

Regards

Praveen

former_member183044
Active Participant
‎10-28-2015 6:27 AM
0 Kudos

Hi Reagen,

According to note, i have changed, But it is not coming for all users.

"_" is not coming for all users. For the first 3 users it is coming , but for the remaining it is not coming.

Please have a look and kindly reply

Regards

Praveen

former_member183044
Active Participant
‎10-29-2015 8:48 AM
0 Kudos

Hi Reagen,

Can u please explain me how to enter like the above pic based on the SAP note mentioend by you ?

Regards

Praveen

Reagan
Advisor
Advisor
‎10-31-2015 12:11 AM
0 Kudos

Hello Praveen

If this is a production system then go back to the management and make them aware of the SAP licensing conditions. In the past I have seen this practice but only for a few users (5 or 6) just because of the number of service providers involved.

Regarding the implementation of the note, you need to first set the local variables as suggested in the KBA and enter values there (based on what I have understood).

Eg:

_P1=ABC#EFG#HIJ

_P2=KLM#NOP#QRS

Afterwards you will provide these local variables as values to the parameter login/multi_login_users

Eg:

login/multi_login_users=$(_P1)$(_P2)

Answers (2)

Answers (2)

cris_hansen
Advisor
Advisor
‎10-27-2015 2:13 PM
0 Kudos

Hello Praveen,

It is not possible to have more users than the space available in RZ10 (80 characters in total).

Note that allowing users to login more than once is not a general feature, but should be seen as exception from the rule. The profile parameter login/multi_login_users is designed only for a smaller group of users who need to login multiple times even if the setting of login/disable_multi_gui_login generally prohibits the multiple login.

Regards,

Cris

Show replies
Show replies
Sriram2009
Active Contributor
‎10-27-2015 1:21 PM
0 Kudos

Hi Praveen

1. You can refer the SDN link Disable Multiple SAP Logons - Basis Corner - SCN Wiki

2. If the number of user id are more, you can switch the user id type from Dialog to Service in transaction code SU01.

Regards

SS

Show replies
Show replies
former_member183044
Active Participant
‎10-28-2015 6:39 AM
0 Kudos

Hi SS,

//2. If the number of user id are more, you can switch the user id type from Dialog to Service in transaction code SU01.//

If i switch my production users from dialog to service, that will make any changes in RZ10 ?? What's the use of that ?

Regards

Praveen

Sriram2009
Active Contributor
‎10-28-2015 7:31 AM
0 Kudos

Hi Praveen



 If i switch my production users from dialog to service, that will make any changes in RZ10 ?? What's the use of that ?

Nothing, You no need to do any changes in RZ10. refer the snapshot

Regards

SS

former_member183044
Active Participant
‎10-28-2015 9:15 AM
0 Kudos

Hi SS,

I got that. But suppose, if i change one of the senior person's ,say "A" ,ID from dialog to service that person can allow multiple logon. All the users here are Dialog users. So if i ant to restrict one user (he is already Dialog user) what should i do ?

in the snapshot u mentioned changed it to service user. Service user can allow "Multiple logons" , RIGHT ??

Regards

Praveen

Sriram2009
Active Contributor
‎10-28-2015 10:58 AM
0 Kudos

Hi Praveen.

You are already restricted the end user id's based on authorizations. Based on the business need you can change the user id type to service, others remaining in dialog.



 in the snapshot u mentioned changed it to service user. Service user can allow "Multiple logons" , RIGHT ??

Yes,

Regards

SS

Matt_Fraser
Active Contributor
‎10-28-2015 7:31 PM
0 Kudos

If you switch an actual user's account in the production system from Dialog to Service, you will be in violation of your license contract, because service users are not counted in the license audit. This is not the correct approach. Service users are intended for just what it sounds like and just what is described in SS' screenshot -- non-human processes, such as batch users that only run background jobs, or interface users, or anonymous web access, that sort of thing.

Praveen, I'm still unclear on your business requirement. I thought you said at the beginning that your requirement was to prevent multiple simultaneous logins by the same user. If this is the case, you don't need to mess with the login/multi_login_users parameter at all. Just delete this parameter. The parameter you should set is login/disable_multi_gui_login and set it to 1.

Sriram2009
Active Contributor
‎10-29-2015 5:17 AM
0 Kudos

Hi Matt

Yes, You are correct. In our environment based on the business requirement  we have created /switched the user id type as "service" with concurrence of local SAP account manager . those user id are licence type as " Cats User".

Regards

SS

former_member183044
Active Participant
‎10-29-2015 8:45 AM
0 Kudos

Hi Matt,

My Business requirement is this. In our envireonment, all the user ID's are using my multiple people. In our management some senior officers want to have restrict their own ID's so that their ID should be used by them only.

If i set  "login/disable_multi_gui_login" to 1 , then all users will be restricted. That i don't wnat . I want some particular users only.


Means, i should give "login/multi_login_users" in RZ10 and give the names of all users who want multiple logons. For those ID, which i won't give will be restricted , according to SAP.


But in RZ10, only 80 charecters is allowing. I want to add more.



Regards


Praveen

Matt_Fraser
Active Contributor
‎10-29-2015 3:51 PM
0 Kudos

Ok, this is a different requirement. In this case, just delete both parameters. You don't need to mess with login/multi_login_users at all, and you want login/disable_multi_gui_login to be set to 0, which is the default, therefore simply deleting the parameter should achieve this (but if you want to be sure, set the parameter in your profile to 0). Then multiple simultaneous logins by the same dialog user ID will be allowed.

In the case of your senior officers, the answer is even simpler. Have them change their passwords and don't give them out to anyone else. That's basic security.

However, this raises another possible license violation. Again, in most license contracts, use of a single dialog user account by more than one person is prohibited. In fact, it's precisely this behavior that the audit is trying to detect when it looks to see if the same account is logged in from more than one workstation at the same time. Your contract could conceivably be different, but probably it isn't. If this is a production system, or if these are developers with SSCR keys in a development system, then most likely they are required to be named users and only the person so named is authorized to use that account.

The exception would be test and training accounts in a test/training system (or likewise and also non-developers in a dev system), but generally you can't have dialog accounts in a production system used in this way. Everyone needs their own unique account.

Again, your contract may be different, but this would be the typical case.

Ask a Question