14 Replies. Latest reply: Mar 31, 2012 3:19 PM by Indumathy Narayanan

SAP R/3 - How to restrict one user from multiple GUI logons

Indumathy Narayanan

Hi.

I am relatively new to SAP BASIS and I have a requirement for doing various systems integration activities.

We want to give ONE USER some special rights.

1) Restrict the user to have only one user session.

2) Restrict the password expiry to be valid only for one day.

Regarding requirement 1 above :

Various searches say it is possible. But I am not really seeing any list where to include or exclude a particular user.

http://scn.sap.com/thread/821232

http://help.sap.com/saphelp_nw70/helpdata/EN/a3/68c6385740b561e10000000a114084/frameset.htm
Recognizing and Preventing Multiple Dialog User Logons


But when I look at RZ11, I am not seeing any list where I could put the name of a particular user. But that is also not explanatory as to how this could be achieved.

I want to restrict the user session to just 1 session, where multiple logon is not possible.
To just one user.

Nor do I see an exception list to add users who are allowed multiple logons on GUI.

Can anyone please advise, stepwise, as to how this could be achieved?

Thanks
indu

  • Re: SAP R/3 - How to restrict one user from multiple GUI logons
    Steve Rumsby

    The parameter for listing exceptions to the "no multiple logins" rule is login/multi_login_users - you set that to a comma-separated list of users that should be allowed to login multiple times. If you want that to be all but one user, that could be a very long list and you'd have to always remember to add new users to that list as they are created. I can't remember if this is a parameter you can change on the fly, or if you need a restart for changes to take effect. I suspect a restart is required. If so, this would all get very clumsy if you have lots of users.

    The parameter for disabling multiple logins, for all users except those in the list above, is login/disable_multi_gui_login. Give it the value "1".

    I have set up a system this way before, and it does work. I just had a small number of users allowed to login multiple times (the SAP support team) so it was not difficult to manage.

    Does that help?

    Steve.
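
Added example (not part of the post above and not SAP tooling): a Python check for the setup just described, where login/disable_multi_gui_login is "1" and login/multi_login_users has to list every user except the restricted one. Function names, the sample profile and the user names are constructed for illustration; it assumes a `name = value` profile layout and that user names compare case-insensitively.

```python
def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments (assumed layout)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def expected_exceptions(all_users, restricted):
    """Value login/multi_login_users needs so that only `restricted` is single-logon."""
    blocked = {u.upper() for u in restricted}
    return ",".join(sorted({u.upper() for u in all_users} - blocked))


def audit(profile_text, all_users, restricted):
    """Compare the profile against the current user list and report drift."""
    params = parse_profile(profile_text)
    raw = params.get("login/multi_login_users", "")
    exempt = {u.strip().upper() for u in raw.split(",") if u.strip()}
    users = {u.upper() for u in all_users}    # assumption: names are case-insensitive
    blocked = {u.upper() for u in restricted}
    return {
        "rule_enabled": params.get("login/disable_multi_gui_login") == "1",
        "restricted_but_exempt": sorted(blocked & exempt),   # restriction defeated
        "new_users_not_exempt": sorted(users - blocked - exempt),  # forgotten additions
        "stale_exemptions": sorted(exempt - users),          # deleted users still listed
    }


# Constructed sample data (not from a real system).
PROFILE = """\
# instance profile excerpt
login/disable_multi_gui_login = 1
login/multi_login_users = SUPPORT1,SUPPORT2,INTEG01,OLDUSER
"""
ALL_USERS = ["support1", "SUPPORT2", "INTEG01", "NEWUSER"]
RESTRICTED = ["INTEG01"]

if __name__ == "__main__":
    print(audit(PROFILE, ALL_USERS, RESTRICTED))
    print("login/multi_login_users =", expected_exceptions(ALL_USERS, RESTRICTED))
```

Run against an export of the user list after every user creation or deletion, this surfaces the maintenance problem the post warns about before it turns into an unintended restriction or an unintended exemption.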

  • Re: SAP R/3 - How to restrict one user from multiple GUI logons
    Ajesh Raju Pujari

    This is not possible.

    There is no place to give exceptions.

    If you have firefighter, you can give access for one day and restrict the session to one session. Thus, both your requirements will be fulfilled.

    Regards,

    Ajesh.

    • Re: SAP R/3 - How to restrict one user from multiple GUI logons
      Indumathy Narayanan

      Hi Steve/Ajesh.

      Thanks for your response.

      @Steve: I am not wanting this for all users.

      My need is just for one user for one day. When weekend activity is going to happen. Over a period of time. Whenever a request comes in - I have to give special authorisations for a user and restrict the user for a day.

      @Ajesh: Thanks. Just one doubt. Inside firefighter, say firefight1 is the ID given to me, user indu.

      I log in as user indu, go into virsa vfat, and log in to firefight1.

      BUT how is the session restricted to one user session only, Firefight1? Could you please help me with this info? Because I don't want anybody else with Firefight1 to log in at that time. Because I already have a few super users who have firefight access. And I don't know how to restrict the user session within firefight to be for one session, so that I know for sure: if firefight1 is logged in by indu, another user Guru, who also has access to Firefight1, cannot log in. How do we restrict that firefight session to be only one? Could you please help me with inputs?

      Many thanks again.

      Kind regards

      indu

      thanks again.

      indu

      • Re: SAP R/3 - How to restrict one user from multiple GUI logons
        Indumathy Narayanan

        Ajesh... actually when I checked the firefight, given to 2 users, it gave me errors, saying that firefight1 is already used by indu. So I am just wondering whether firefight is the foolproof way.

        Or whether firefight would also allow multiple login sessions.

        Thanks

        indu

      • Re: SAP R/3 - How to restrict one user from multiple GUI logons
        Rupali Karbhari

        Hi Indu,

        Firefighter session takes care of it by locking FF id # Firefigh1

        e.g. if Firefigh1 is linked to user id "Indu" and "Other"

        When you are using a Firefighter session via the /n/virsa/vfat Tcode, it indicates green and red colour legends. During the 1st user logon the checkmark is green, which means you can log in via Firefigh1.

        When the "Other" user tries to log on to Firefigh1, it indicates the FF id is already in use and shows RED indicators.

        This is how it controls FF sessions to be used by 1 user at a time.

        I hope it clears your doubt.

        Thanks,

      • Re: SAP R/3 - How to restrict one user from multiple GUI logons
        Steve Rumsby

        So you normally allow your users to login multiple times, but you want one user to be able to login just once? The only way to do that I'm aware of is to disallow multiple logins, but list all users except that one as exceptions to the rule. Or do I misunderstand?

        For firefighter, only one user at a time can be logged into a firefighter ID - that's a normal restriction of the GRC software, so if you could create this one user with no useful permissions and have them do all their work through a firefighter ID, that seems like it would achieve what you want.

      • Re: SAP R/3 - How to restrict one user from multiple GUI logons
        Ajesh Raju Pujari

        Hi Indu,

        Say User1 logged into firefighter1; no one else can use firefighter1 until User1 comes out of it. You cannot restrict the user to have only one session. But as this is a controlled environment, you can keep a tab on the user activities.

        If you have the fear that other super users will access the firefighter, try finding a firefighter ID that's not assigned to anyone or create a new one.

        Regards,

        Ajesh.

        • Re: SAP R/3 - How to restrict one user from multiple GUI logons
          Indumathy Narayanan

          Hi All, thanks for your kind reply.

          @Ajesh: If I have 5 firefight IDs, and if 10 super users have access to the 5 firefight IDs, and if they are going to do the work of the systems integration, I cannot be giving all the 5 firefight IDs all the extra privileges.

          If I do that, it basically means giving all access to all the 10 or 20 whoever have access to firefight, which I really do not want to do.

          That's why I found this a bit tricky when the requirement came in.

          Tomorrow it might be a huge audit questioning - on systems integration audit when it happens post integration.

          The problem is not of creating firefight ids.

          But not wanting to give all rights to all users who have access to firefight.

          Today user1 asks this privilege. Tomorrow user2 asks other privilege.

          That is why this whole exercise of how to restrict one user session - say if i create a user with special privileges - at the user level. This whole exercise started there. Because we do not want to give everything to the fate of firefight.

           

          Anyhow thanks to all.

          Let us figure out how best we could do this.

          Thanks again.

          indu

          • Re: SAP R/3 - How to restrict one user from multiple GUI logons
            Diego I. Yaryura

            Hi!

            I don't understand your point. If user A is using FF1, there's no possibility that another user logs on with the same FF1 at the same time. Can you explain your scenario in detail? I suspect that there's something incorrectly configured in your system...

            Cheers,

            Diego.

            • Re: SAP R/3 - How to restrict one user from multiple GUI logons
              Indumathy Narayanan

              Hi Diego.

              Good morning and thanks. Not the same FF. Different FF required to be given major access. As and when required. And checking whether we could avoid that. By creating a user with special rights - but restrict the session to one with one day validity of pw expiry. That restriction of user session to one, at user level, (NOT FOR ALL USERS) is something not feasible within SAP???

              That's why we wanted to understand for firefight how the session is kept to be ONLY ONE.

              And if we could understand that and apply that principle to a dialogue user level, session restriction. Not for all users. At the parameter level. But restrict JUST FOR ONE USER. We did not see any place where an option comes to include our list of users. Either to restrict or to include. Just giving a value one or zero. Becomes applicable to all. Our requirement is: one user / one session / restrict. How. (not all users)

              And when the requirement came, the simple question was - if the system is permitting FF to be restricted to be for ONE user session, why not the same principle be applicable and be applied to a normal user - and be restricted???? And whether we could check that and work it out.

              Hence this post, because we were checking each and every option and were not able to find anything which we wanted.

              And we realised it is something not feasible within SAP besides FF to do, for a normal dialogue user.

              In case anyone knows how user sessions are restricted within FF - if they could share that info, that would be helpful, if that could be applied for the normal user. Wherein sessions could be restricted ONLY for a single normal dialogue user, at the user level.

              With no offence to anyone: if that could be done, many things could become restrictive in the use of SAP. Why then have a firefight user ID which we pay for???

              Thanks

              Regards

              indu
