How to restrict an account to just one log on.

Former Member · ‎07-23-2010

Hello experts,

I must handle with this issue. I'm creating emergency user account in SAP system and I must restrict this account to only one log on in the same time. Few people will have access to this account and I must be sure that they can't use the account in the same time. Have you got any clue how to do that? Maybe, decreasing maximum opened session to just one can solve this problem? But how to do that?

Thanks in advance.

Former Member · ‎07-23-2010

Ask Basis to set the profile parameter at the SYSTEM level ,

using RZ10 login/disable_multi_gui_login

Former Member · ‎07-23-2010

Hi Franklin,

thanks for your reply. I'm wondering if that affect all accounts? I need set up single log in only for this emergency account.

Thank you for your time.

Former Member · ‎07-23-2010

This will effect all users, I think you cannot have exclusive settings using standard SAP objects.

Former Member · ‎07-23-2010

I didn't mention that I will provide access to this account through my transaction. I was thinking about blocking this account in default that it's unavailable from GUI and in last step before switching accounts to unblock this emergency account. But there is security issue because during an usage, the account is unblocked and accessible by gui. Do you know if user will be logged off if I block account during the usage? I mean if I change in system table record that account is blocked. If not that could solve my problem another user can't log in. Of course I could store in table information about logged in user and block another logging but I don't want track logging off and I don't want to let users log in through gui.

Former Member · ‎07-23-2010

From SAP LIcensing perspective this is not recommended, but you can do it

what it means is user will still be able to work but if he logs out , he cannot login again

since he is locked now.

If you want to log that user off from the system after you do this then you might take BASIS help and kill his session using

SM04.

Edited by: Franklin Jayasim on Jul 23, 2010 7:20 PM

Former Member · ‎07-23-2010

>


> From SAP LIcensing perspective this is not recommended, but you can do it 
> what it means is user will still be able to work but if he logs out , he cannot login again 
> since he is locked now.
> 
> If you want to log that user off from the system after you do this then you might take BASIS help and kill his session using 
> SM04.
> 
> Edited by: Franklin Jayasim on Jul 23, 2010 7:20 PM

That is not exactly scalable advise...

More likely the OP wants to have one user context with scalable access.

Killing sessions means that you do not trust the sessions you have given this access to in the first place...

Cheers,

Julius

Former Member · ‎07-23-2010

One other scalable solution we can consider is using SAP GRC SPM 5.3 ( Firefighter ) user based access.

Former Member · ‎07-24-2010

Yep, exactly that is what such "fire fighter" solutions are usefull for. To prevent them from being misused you can constantly change the password programatically (like GRC does), or activate exits to prevent some types of logons (like GRC used to), or can define the user type "Reference" to block a direct logon of any type.

Cheers,

Julius