Solved: How to catch the IP address of user who is neterin...

former_member185116 · ‎04-18-2017

Hello all,

user is getting locked if he/she enters wrong password more than three times,

in our organization we have a user called SAP**** which can accessed by an end user,

sometimes the user is getting locked because some one is entering wrong password more than 3 times(i think intentionally),,

how do i catch who is entering wrong password ,

is there any FM or Table by which i can find the IP of that user..

thanks in advance...

kiran_k8 · ‎04-18-2017

Vinay,

Did you checked the FM TH_USER_INFO ?

Info related to no.of failed logon attempts, you can get it from USR02-LOCNT.

Info on whether a User ID got locked or not, you can get it from USR02-UFLAG.

Info related to latest terminal details of a User login, you can get it from USR41-TERMINAL.

K.Kiran.

kiran_k8 · ‎04-18-2017

Vinay,

Did you checked the FM TH_USER_INFO ?

Info related to no.of failed logon attempts, you can get it from USR02-LOCNT.

Info on whether a User ID got locked or not, you can get it from USR02-UFLAG.

Info related to latest terminal details of a User login, you can get it from USR41-TERMINAL.

K.Kiran.

former_member185116 · ‎04-18-2017

Hi kiran,

thanks for your reply,

yes i have checked it, but contains the details of the user who logged just recently,

but how do we find because of whom the the user has been locked(i.e how entered the wrong password)..

horst_keller · ‎04-18-2017

"netering worng pasword" ?

No wonder user is rejected ...

Nicolas · ‎04-18-2017

Hello,

Did you checked transactions SM21 or SM20 ? When a dialog user has been locked due to incorrect logon, an entry is registered in these transactions. The user's terminal is mentionned.

Regards,

Nicolas

matt · ‎04-18-2017

I do wonder if I can be bothered tohelp people who themselves can't be bothered to quickly check what they've written before posting.

matt · ‎04-18-2017

What is the nature of the account you suspect is being hacked? Is it used only by a single named person, or is it used to access a service provided on your SAP system - via RFC for example?

ChrisSolomon · ‎04-18-2017

"in our organization we have a user called SAP**** which can accessed by an end user"

So you are saying you have multiple people (all end users?) sharing a single SAP user account?

Jelena · ‎04-24-2017

I hope SAP legal department does not browse SCN...

antoine_foucault · ‎04-25-2017

"oh la la" sounds like Diageo 🙂

Former Member · ‎04-18-2017

Hi Vinay,

You can check the details of terminal in tcode STAD but, this depends on the how much old data is retained in your system.

Else the only way is by enabling auditing in the system (tcode SM19) and check the logs in SM20.

USR41-TERMINAL will only give the details of current user.

Regards

Prithviraj

ChrisSolomon · ‎04-24-2017

Matthew Billingham writes:

"I do wonder if I can be bothered to people who themselves can't be bothered to quickly check what they've written before posting."

I will assume this was intended as part of the joke and not correct you, MB! haha

matt · ‎04-24-2017

All I can say is... thank goodness for moderator enhanced privileges!

ChrisSolomon · ‎04-24-2017

And you STILL didn't correct it! hahahahaha

Former Member · ‎04-24-2017

in our organization we have a user called SAP**** which can accessed by an end user

Sharing a generic account by many people is a license violation, First go and fix it. You can take a look at audit logs (SM20) to identify the terminal Id from which this Id got locked. But for this you need to have audit log enabled in your system.

Regards,

Harish Karra

matt · ‎04-25-2017

Incremental improvements! 😄

Former Member · ‎04-28-2017

1. What is the purpose of the user ID?

2. Why it is shared with multiple people (It's against the SAP rules of usage). Shared ID is never recommended.

Further, SM20 audit logs will only give you the information when the audit log is enabled. It is never a recommendation to set audit log if the ID is extensively used especially when the activity of the user is high.

For your requirement, I advise to have one custom program developed to find out the login/logout time and the user terminal along with the lock status. There is no standard report available.

Regards, Raghu Boddu

Former Member · ‎05-01-2017

Couldn't you could do an implicit enhancement in SAP's code where that logon failure message is coming from, adding any code you need? This seems like a very reasonable use of implicit enhancement.

Buce

kiran_k8 · ‎05-02-2017

Buce,

Agree that creating an IMPLICIT Enhanement is much easier wherever it is possible to create one.But,imho it should not be the option for every custom requirement within the Standard Process flow.Developer should be judicious before creating an Implicit Enh.

To my knowledge,I don't see any need here to interfere with the Standard Process flow by creating an Implicit enhancement.Awaiting experts to Opine.

K.Kiran.

How to catch the IP address of user who is netering worng pasword more than 3 times?