13 Replies. Latest reply: Mar 5, 2012 8:10 AM by Julius von dem Bussche

How to setup the access duration for user

Phu Quoc Si

Dear experts,

 

As a requirement of our users, we need to set up the access duration for all users of our company. It means users can only access SAP during a defined duration.

 

Ex: Working time is 8h00 am to 17h00 pm; after 17h00 pm, users cannot access the system.

 

Please help.

 

Thanks,

 

Neo

  • Re: How to setup the access duration for user
    murali reddy

    Hi,

     

    Try this

     

    Create two operation modes in RZ04

     

    1. Day mode -> from 8 to 17. In this, give more Dialog WP and fewer Background WP.

    So after this, switch the operation mode.

    2. Night mode -> from 17 to 8. In this, remove all the Dialog WP and assign them to Background WP so that no Dialog WP will be available and no Dialog user can log in. Normal Background operations will go on as usual.

     

    Regards,

    Murali

    • Re: How to setup the access duration for user
      Martin Voros

      Hi,

       

      are you sure that this will work? There must be always at least two dialog processes in the system.

       

      If we are talking about only dialog users connecting via SAP GUI then you could use user exit SUSR00001 that is called right after successful logon. You could restrict your custom logic to only a subset of users (e.g. based on user group).

       

      Cheers

    • Re: How to setup the access duration for user
      Julius von dem Bussche

      What happens if this should only apply to the company code users for Vietnam, but not the rest of the world?

       

      And then one of the Vietnamese big shot managers travels to London, Paris, New York, Frankfurt, etc to make a BIG presentation to a whole bunch of fat banks and when he wants his data at 3 pm to make them all go "Wow!!! message stating that all system resources are occupied and they should all take a break before having a cup of tea... 

       

      The world is not flat! You should also not share SAP IDs just because some physical access control system only works until 17:00 ...

       

      Cheers,

      Julius

      • Re: How to setup the access duration for user
        Phu Quoc Si

        Hi all,

         

        Thanks for your solution

         

        We want to set the access duration for end users, but sometimes we need to be flexible and allow users access to the system in some special cases.

         

        Let me detail the users' requirements

         

        - Users can access SAP from 8h00 to 16h00

         

        - At 16h00, the system will send a warning message to users to inform them that the system will automatically turn off after 15 minutes; it means the system will automatically kick out users after 15 minutes

         

        - From 16h00 to 8h00, users cannot access SAP

         

        - However, in some special cases, we can grant access to the system to a specific user.

         

        Can we setup these steps on SAP ?

         

        Thanks,

         

        Neo

        • Re: How to setup the access duration for user
          Martin Voros

          Hi,

           

          if users access only via SAP GUI then user access can be controlled by user exit mentioned above. A custom background job to send a message to all users that need to finish their work. Another job that will log out all relevant users after 15 mins. I would probably control access by combination of user group and authorization. So this restriction would apply only to users from some user groups. I would still check if a user has authorization for custom authorization object. All users with this authorization would be able to logon without restrictions. Hence for exception you would just assign a security role to a user.

           

          Cheers

        • Re: How to setup the access duration for user
          Julius von dem Bussche

          Would it be acceptable to use "one-time-passwords" for the users each day, which are only issued / requestable at 8:00 a.m. and expire at 16:00 the same day, after which they must wait until the next morning (unless you give them a special new password for exceptions)?

           

          That should work and be very easy when combined with Martin Voros's roundhouse kick at 16:15 each day... 

           

          Is it acceptable that the passwords continuously change each day and can only be used once each?

           

          Cheers,

          Julius

          • Re: How to setup the access duration for user
            Martin Voros

            Julius,

             

            that's a nice idea. Let's assume that you are able to deliver passwords to users on a daily basis. Then you could do:

             

            1) 16:00 Send a message to logged users that they will be kicked out at 16:15

            2) 16:10 Generate new password for each user. So users won't be able to logon with their old passwords

            3) 16:15 Kick out all users

            4) 7:55 next day just send new passwords to all users

             

            Main advantage is that it would work for web dynpro and bsp apps as well. The only issue is that you would have to keep new passwords in plaintext between 16:10 and 7:55 next day. Solution could be generating two new passwords (16:10 and 7:55) and send out only the second password.

             

            One disadvantage of this solution is that it would pollute change documents for users. It would generate at least one change password record for each user.

             

            Cheers

  • Re: How to setup the access duration for user
    David Berry

    Hi Neo

     

    I've read some very interesting solutions but I just wondered what the reason was for trying to do this in the first place?

     

    Just trying to balance requirements and solutions!

     

    Cheers

    David

    • Re: How to setup the access duration for user
      Phu Quoc Si

      Hi David,

       

      We had discussed with our users about these requirements, but they really want to do that for controlling.

       

      Hi all,

       

      I have read the solution, but is it possible to set a new password for users every day? We are a hypermarket and retail company, so we have over 300 users. I think we will get into trouble if we use this solution.

       

      Is there any better solution?

       

      Thanks so much for your help.

       

      Regards,

       

      Neo

      • Re: How to setup the access duration for user
        Martin Voros

        Hi,

         

        I thought that you will be retail. The problem is not to generate and set a password every day. That can be easily implemented with a simple custom program. The issue is how to reliably distribute passwords to users every day. If your users will connect only via SAP GUI then I would go with the user exit to control access and a background job to terminate user sessions.

         

        Cheers

        • Re: How to setup the access duration for user
          Phu Quoc Si

          Hi Martin,

           

          That's right, we are retail and the issue is how to reliably distribute passwords to users every day.

           

          Now our users connect only via SAP GUI, so would we go with the user exit to control access and a background job to terminate user sessions?

           

          But can we apply it to a specific user or group of users in case they want access?

           

          Thanks and regards,

           

          DuyLD

          • Re: How to setup the access duration for user
            Martin Voros

            In the user exit you will put your own code, so you can do almost everything there. Definitely, you can check for authorization and user group.

             

            Cheers
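
The logon check discussed in the replies above (time window, user group, exception by authorization), sketched as an added example that is not code from any poster in this thread. The user group `ZSTORE` and the custom authorization object `ZAFTERHRS` are hypothetical names; the 8:00 to 16:00 window is taken from Neo's requirements.

```abap
*&--------------------------------------------------------------------*
*& Added example, not part of the original thread.
*& Body for the logon user exit (in a standard system: include
*& ZXUSRU01 of function exit EXIT_SAPLSUSF_001), which runs after a
*& successful SAP GUI dialog logon.
*& Hypothetical names: user group ZSTORE, authorization object
*& ZAFTERHRS with field ACTVT.
*&--------------------------------------------------------------------*
CONSTANTS: lc_open  TYPE sy-uzeit    VALUE '080000',
           lc_close TYPE sy-uzeit    VALUE '160000',
           lc_group TYPE usr02-class VALUE 'ZSTORE'.

DATA lv_group TYPE usr02-class.

* 1) The restriction applies only to members of the restricted user
*    group; everyone else (admins, other countries) is left alone.
SELECT SINGLE class FROM usr02 INTO lv_group
  WHERE bname = sy-uname.
IF sy-subrc <> 0 OR lv_group <> lc_group.
  RETURN.
ENDIF.

* 2) Inside the permitted window nothing happens. SY-UZEIT is the
*    application server's time, not the user's local time, so the
*    window follows the server's time zone.
IF sy-uzeit >= lc_open AND sy-uzeit < lc_close.
  RETURN.
ENDIF.

* 3) Exception handling: a user whose role carries the custom
*    authorization may log on at any time.
AUTHORITY-CHECK OBJECT 'ZAFTERHRS' ID 'ACTVT' FIELD '16'.
IF sy-subrc = 0.
  RETURN.
ENDIF.

* 4) Restricted user, outside the window, no exception: end the
*    session that was just opened.
MESSAGE 'Logon is only permitted between 08:00 and 16:00.' TYPE 'I'.
CALL 'SYST_LOGOFF'.
```

This only blocks new SAP GUI logons; sessions opened before 16:00 stay alive until the background job described in the thread ends them, and the check does not cover other entry points such as RFC or web applications.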

            • Re: How to setup the access duration for user
              Julius von dem Bussche

              Another way of isolating their SAPGui access to the system is to give them all a SAProuter connection to the system and protect your other connection with a password in the string.

               

              At 16:15 each day you stop the router, and start it again at 7:00 (this can be done automatically as an OS script).

               

              You can then additionally monitor that no one is working too long or found a way around the router.

               

              Depending on how often there are exceptions, a 2nd router can be used to give special IPs special access to the systems at special times, otherwise just start the 1st router and monitor that only those users are logging in.

               

              This will be less disruptive to the backend system - actually it will know nothing of it...

               

              Cheers,

              Julius
