07-23-2010 5:11 PM
Hello experts,
I must handle with this issue. I'm creating emergency user account in SAP system and I must restrict this account to only one log on in the same time. Few people will have access to this account and I must be sure that they can't use the account in the same time. Have you got any clue how to do that? Maybe, decreasing maximum opened session to just one can solve this problem? But how to do that?
Thanks in advance.
07-23-2010 5:21 PM
Ask Basis to set the profile parameter at the SYSTEM level ,
using RZ10 login/disable_multi_gui_login
07-23-2010 5:36 PM
Hi Franklin,
thanks for your reply. I'm wondering if that affect all accounts? I need set up single log in only for this emergency account.
Thank you for your time.
07-23-2010 5:42 PM
This will effect all users, I think you cannot have exclusive settings using standard SAP objects.
07-23-2010 6:07 PM
I didn't mention that I will provide access to this account through my transaction. I was thinking about blocking this account in default that it's unavailable from GUI and in last step before switching accounts to unblock this emergency account. But there is security issue because during an usage, the account is unblocked and accessible by gui. Do you know if user will be logged off if I block account during the usage? I mean if I change in system table record that account is blocked. If not that could solve my problem another user can't log in. Of course I could store in table information about logged in user and block another logging but I don't want track logging off and I don't want to let users log in through gui.
07-23-2010 6:19 PM
From SAP LIcensing perspective this is not recommended, but you can do it
what it means is user will still be able to work but if he logs out , he cannot login again
since he is locked now.
If you want to log that user off from the system after you do this then you might take BASIS help and kill his session using
SM04.
Edited by: Franklin Jayasim on Jul 23, 2010 7:20 PM
07-23-2010 9:43 PM
>
> From SAP LIcensing perspective this is not recommended, but you can do it
> what it means is user will still be able to work but if he logs out , he cannot login again
> since he is locked now.
>
> If you want to log that user off from the system after you do this then you might take BASIS help and kill his session using
> SM04.
>
> Edited by: Franklin Jayasim on Jul 23, 2010 7:20 PM
That is not exactly scalable advise...
More likely the OP wants to have one user context with scalable access.
Killing sessions means that you do not trust the sessions you have given this access to in the first place...
Cheers,
Julius
07-23-2010 11:16 PM
One other scalable solution we can consider is using SAP GRC SPM 5.3 ( Firefighter ) user based access.
07-24-2010 7:27 AM
Yep, exactly that is what such "fire fighter" solutions are usefull for. To prevent them from being misused you can constantly change the password programatically (like GRC does), or activate exits to prevent some types of logons (like GRC used to), or can define the user type "Reference" to block a direct logon of any type.
Cheers,
Julius