Solved: Auto-logout of dialog type users connected via tru...

peter_strauss · ‎10-28-2009

Hello,

We have System AAA. In this system we have users 1234 and 4321 of dialog type.

User 1234 logs in via SAP GUI.

User 4321 logs in via trusted system BBB.

We have set rdisp/gui_auto_logout to 30 seconds.

User 1234 is logged off after 30 seconds.

User 4321 is never logged off.

How can we force user 4321 to be automatically logged off after 30 seconds?

Peter

sdipanjan · ‎10-28-2009

User 4321 is ultimately doing the Dialog logon in system BBB. It's separate phenomena that 4321 is getting access to other system AAA as trusted system via remote function call etc. So the Dialog logon time period while idle should be enforced in the system BBB for 4321 and not in the system AAA. Hope this is clear.

Also the value for rdisp/gui_auto_logout=30 sec is ridiculous. This should be atleast 5 min. I mean, you should not make this value keep in second.

regards,

Dipanjan

peter_strauss · ‎10-28-2009

Hello,

I've found that if I logout from trusted system BBB then the session in AAA for user 4321 also closes.

I suppose that we would need to set rdisp/gui_auto_logout in system BBB as well as for AAA.

Unfortunately setting rdisp/gui_auto_logout is not a favorable workaround for the customer.

Is there any other way of getting rid of forcing user 4321 to logout?

Kind regards,

Peter

Former Member · ‎10-28-2009

With (Trusted) RFC calls in general you are calling a function module and not a transaction. Okay, the FM might call a transaction in a new task and present it to look exactly like a transaction which had been started locally, but if you look in SM04 on that server then you will see that the protocol is not DIAG but rather RFC for the sessions.

So, what you can do for such current user context trusted RFC calls which are dialog capable and interactive with the SAPGui, is simply call FM RFC_CLOSE_CONNECTION whenever you want the connection to the current user to be closed.

Of course, if the user is fast and your security design is sub-optimal, then even 30 seconds might not help you (from a security perspective).

I remember mention a while ago about a profile parameter which gives you an option to timeout an idle but open RFC connection. I tried a quick search but did not find it again. If you keep an eye out for the legendary term "Wolfgang" when searching together with "auto" "timeout" "logout" etc terms then you should be able to find it with some patience.

Please also see the OSS notes on RFC_CLOSE_CONNECTION. You will find more infos there and possible the optional parameter as well.

Cheers,

Julius

peter_strauss · ‎10-29-2009

Hi julius,

That sounds very good. Having RFC users permenantly logged onto the external system probably is a greater overhead than occasionally having to open a new RFC connection, so I think the RFC connections should be closed explicitly when they are no longer needed.

I'll check with the customer whether this method is feasible and if so I'll close this thread.

P.S.

Kind regards,

Peter

Dipanjan,

We have a reason for setting the auto logoff to 30 seconds. It is not ridiculous in our situation as there are no active users at the time when the parameter is changed. The parameter (rdisp/gui_auto_logout) change occurs dynamically via batch input. We are using this as a cute method of scheduling a logoff of all users from the system.

sdipanjan · ‎10-28-2009

User 4321 is ultimately doing the Dialog logon in system BBB. It's separate phenomena that 4321 is getting access to other system AAA as trusted system via remote function call etc. So the Dialog logon time period while idle should be enforced in the system BBB for 4321 and not in the system AAA. Hope this is clear.

Also the value for rdisp/gui_auto_logout=30 sec is ridiculous. This should be atleast 5 min. I mean, you should not make this value keep in second.

regards,

Dipanjan

Auto-logout of dialog type users connected via trusted system