Am relatively new to SAP BASIS and i have a requirement for doing various systems integration activities.
We want to give ONE USER Some special rights.
1) Restrict the user to have only one user session.
2) Restrict the password expiry to be valid only for one day.
Regarding requirement 1 above :
Various searches say it is possible. But am not really seeing any list where to include or exclude a paritcular user.
Recognizing and Preventing Multiple Dialog User Logons
But when i look at RZ11 - am not seeing any list where i could put the name of a paricular user. . But that is also not explanatory as to how this could be achieved.
i want to restrict the user session to just 1 session. where multiple logon is not possible.
To just one user.
Nor do i see a exception list to add users who are allowed multiple logons on GUI.
Can anyone advise please - stepwise as to how this could be achieved.
The parameter for listing exceptions to the "no multiple logins" rule is login/multi_login_users - you set that to a comma separated list of users that should be allowed to login multiple times. If you want that to me all but on user, that could be a very long list and you've have to always remember to add new users to that list as they are created. I can't remember if this is a parameter you can change on the fly, or if you need a restart for changes to take effect. I suspect a restart is required. If so, this would all get very clumsy if you have lots of users.
The parameter for disabling multiple logins, for all users except those in the list above, is login/disable_multi_gui_login. Give it the value "1".
I have set up a system this way before, and it does work. I just had a small number of users allowed to login multiple times (the SAP support team) so it was not difficult to manage.
Does that help?
thanks for your response.
@ steve : Am not wanting for all users.
My need is just for one user for one day. When weekend activity is going to happen. Over a period of time. Whenever a request comes in - I have to give special authorisations for a user and restrict the user for a day.
@ajesh ; thanks. just one doubt. inside firefighter say firefight1 is the id given to me user indu.
I login as user indu. go into virsa vfat. login to firefight1.
BUT how is the session restricted to one user session only Firefight1. Could you please help me with this info. Because i dont want anybody else with Firefight1 to login at that time. Because i already have a few super users who have firefight access. And i dont know how to restrict the user session within firefight - to be for one session. So i know for sure. If firefight1 is logged in by indu. another user Guru - who also has access to Firefight1 - cannot login. How do we restrict that firefight session to be only one. Could you please help me with inputs.
Many thanks again.
And the only problem i now have is - i hve multiple users - who would be doing some major activity. And i cannot afford to give multiple authorisation for multiple firefight ids. Which means there is actually no restriction at all.
hence wanting to know whetehr we could restrict user session besides firefight.
I undersatnd your situation where there are multiple users trying to perform same activity.
You can set Firefighter configurations like this:
Hence all the users will not be able to access FF session at the same time hence perticuler activity.
When FF session is locked by user "Indu" other users OtherUser1,OtherUser2 and OtherUser3 will not be able to connect to FF session.
This is how you can restrict multiple FF sessions accessing same Tcode.
Firefigther session takes care of it by locking FF id # Firefigh1
e.g. if Firefigh1 is linked to user id "Indu" and "Other"
when you are using Firefighter session using /n/virsa/vfat Tcode , it indicated green and red colour legends. During 1st user logon checkmark is green that means you can login via Firefigh1.
when "Other" user tried to logon to Firefigh1 , it indicated FF id already in use and shows RED indicators.
this is how it controlls FF sessions tobe used by 1 user at a time.
I hope it clears your doubt.
So you normally allow your users to login multiple times, but you want one user to be able to login just once? The only way to do that I'm aware of is to disallow multiple logins, but list all users except that one as exceptions to the rule. Or do I misunderstand?
For firefighter, only one user at a time can be logged into a firefighter ID - that's a normal restriction of the GRC software, so if you could create this one user with no useful permissions and have them do all their work through a firefighter ID, that seems like it would achieve what you want.
Say, User1 Logged into firefighter1, no one else can use the firefighter1 until User1 comes out of it. You can not restrict the user to have only one session. But as this is controlled environment, you can keep a tap on the user activities.
If you have the fear that other super users will access the fire fighter. Try finding a firefitgher ID thats not assigned to any one or create a new one.
Hi All thanks for your kind resply.
@ajesh : if i hve 5 firefight. and if 10 super users have access to the 5 firefight ids. And if they are going to do work of the systems integration. I cannot be giving all the 5 firefight ids. All extra privileges.
If i do that. It basically means - giving all access to all the 10 or 20 whoever have access to firefight. which i really do not want to do.
Thats why I found this a bit tricky when the requirement came in.
Tomorrow it might be a huge audit questioning - on systems integration audit when it happens post integration.
The problem is not of creating firefight ids.
But not wanting to give all rights to all users who have access to firefight.
Today user1 asks this privilege. Tomorrow user2 asks other privilege.
That is why this whole exercise of how to restrict one user session - say if i create a user with special privileges - at the user level. This whole exercise started there. Because we do not want to give everything to the fate of firefight.
Anyhow thanks to all.
Let us figure out how best we could do this.
Good morning and thanks. Not same FF. Different FF required to be given major access. As and when required. And checking whether we could avoid that. By creating a user with special rights - but restrict the session to one with one day validity of pw expiry. That restriction of user session to one, at user level, (NOT FOR ALL USERS) is something not feasible within SAP???
Thats why we wanted to understand for firefight how session is kept to be ONLY ONE.
And if we could understand that and apply that principle to a dialogue user level, session restriction. Not for all users. At the parameter level. But restrict JUST FOR ONE USER. We did not see any place where an option comes to include our list of users. Either to restrict or to include. Just giving a value one or zero. Becomes applicable to all. Our requirement is : one user /one session / restrict. How. (not all users)
And when the requirement came, the simple question was - if system is permitting FF to be restricted to be for ONE user session. Why not the same principle be applicable and be applied to a normal user - and be restricted ???? And whether we could check that and work it out.
Hence this post Because we were checking each and every option and were not able to find anything which we wanted.
And We realised it something not feasible within SAP besides FF to do, for a normal dialogue user.
In case anyone knows how user sessions are restricted within FF - if they could share that info, that would be helpful, if that could be applied for the normal user. Wherein sessions could be restricted ONLY for a single normal dialogue user, at the user level.
With no offence to anyone : if that could be done, many things could become restrictive in the use of SAP Why have a firefight user id then for which we pay for ???
The FF session is kept to only one using ABAP code. You can check the VIRSA sources in order to know how this can be done. The point is that, as per my understanding, there's no way to do what you want to do changing parameters in the server, because you want this functionality only for ONE user and not for all users in the system.
Then, I recommend you to check the VIRSA Firefighter logic to understand how this is done. Also you'll find a hint in here