Restrict SAP user ID login for only one Terminal

Pragnesh_7se7 · ‎2015 Oct 10

Scenario: Client wants to restrict the user to login from any other terminal except allocated one.

Solution :

Step 1 : Use Function Exit : EXIT_SAPLSUSF_001 which is called immediate after login.

Step 2 : Create Z table which contain User Id, IP Address, and Terminal Name.

Step 3 : call function module TH_USER_INFO in function exit EXIT_SAPLSUSF_001 include : ZXUSRU01

Here TERMINAL is terminal name and ADDRSTR is IP address

step 4 : If it runs first time add user id, IP address and Terminal Id in table from next time validate from Z table.

step 5 : use function module WS_MSG to raise error.

step 6 : call 'SYST_LOGOFF' if user is not authorize.

Remarks : Do not use any other method to raise error, because.......

if user is not authorize still he/she can login using Create Session

WS_MSG gives only below options.

Former Member · ‎2015 Oct 10

Hi,

Nice document.

As well as i want to know is there any method to restrict user not to terminate session of other user?

Regards

Ajay

Former Member · ‎2015 Oct 10

Good one :smile:

Regards,

Mounika

Former Member · ‎2015 Oct 10

Good ..

Pragnesh_7se7 · ‎2015 Oct 10

At login time ? please explain.

Former Member · ‎2015 Oct 10

Yes at login time we need user can not be able to disconnect session of another user.

Regards

Ajay

Pragnesh_7se7 · ‎2015 Oct 10

Hi Ajay,

As far as I know

You can restrict multiple logon,

but such restriction is not allowed,

you can discuss with you BASIS guy,

Please see below link...

Restrict the user from terminating other's logon

former_member229075 · ‎2016 Jan 29

Nice Document....

FPT · ‎2016 Feb 26

Can u share source code for include ZXUSRU01?

Pragnesh_7se7 · ‎2016 Feb 26

Sorry Dear,

But if you stuck any where just tell, I will definitely help you.

Juwin · ‎2016 Feb 26

Please read the documentation of the enhancement SUSR0001. SAP specifically says "Do not log off the user".

Logoff is ranked 1st in the list of things you should absolutely avoid in a User exit/ Badi/ Enhancement.

Thanks,

Juwin

Pragnesh_7se7 · ‎2016 Feb 27

Hi Juwin ,

Do you have any alternative solution ? If yes then please share I will definitely update,

Actually first we have implemented without logoff option, but we didn't find any other way to restrict users,

Thanks for Input.

Juwin · ‎2016 Feb 27

Finding a solution shouldn't be done by breaking the system, isn't it? That was the only intent of my comment. I am not trying to sell my own solution here. Sorry, if I let you believe otherwise.

Thanks,

Juwin

FPT · ‎2016 Feb 29

Dear Pragnesh,

Now, we only have sap Basis, no Developer. So we can't write source code for include ZXUSRU01. We hope that u will share your source code to us. Thanks!

Pragnesh_7se7 · ‎2016 Mar 02

Hi Juwin,

Thanks for your input, will try to improve if possible.

Juwin · ‎2016 Mar 02

I respect your enthusiasm. Thanks.

former_member210770 · ‎2016 May 09

Dear Pragnesh,

Nice document. We can enhance it like below code as same thing i have developed in past.

EXIT :

SUSR0001 -> Include ZXUSRU01

TABLE : ZUSER_AUTH , USR41

MANDT	MANDT	CLNT3	Client
UNAME	XUBNAME	CHAR12	User Name in Master Rec
IPADDR	NI_NODEADDR	CHAR45	IP Address
PCNAME	ZTERMINAl	CHAR20	Terminal

This enhancement is to authenticate user while login with its authorization with system ip address , system pc name & it's username & password. Also It Read Login User’s Profile (Voice).

*&---------------------------------------------------------------------*
*& Include           ZXUSRU01
*&---------------------------------------------------------------------*
* break abapdev2.

INCLUDE OLE2INCL.

DATA : GWA_ADDR LIKE BAPIADDR3,
GIT_RETURN TYPE TABLE OF BAPIRET2,
W_STRING TYPE STRING.

DATA : OLE   TYPE OLE2_OBJECT,
VOICE TYPE OLE2_OBJECT,
TEXT   TYPE STRING.

CREATE OBJECT VOICE 'SAPI.SPVOICE'.

CALL FUNCTION 'BAPI_USER_GET_DETAIL'
EXPORTING
USERNAME             = SY-UNAME
CACHE_RESULTS        = 'X'
IMPORTING
ADDRESS              = GWA_ADDR
TABLES
RETURN               = GIT_RETURN .

CLEAR : W_STRING.
IF GIT_RETURN[] IS INITIAL.
CONCATENATE 'Welcome' GWA_ADDR-TITLE_P GWA_ADDR-FIRSTNAME GWA_ADDR-LASTNAME 'In the world of SAP' INTO W_STRING SEPARATED BY ' '.
ENDIF.

* BREAK-POINT.
TABLES : USR01 ,ZUSER_AUTH , SOPR.
DATA : GIT_USR01 TYPE STANDARD TABLE OF USR01,
GWA_USR01 TYPE USR01,

GIT_USR41 TYPE STANDARD TABLE OF USR41,
GWA_USR41 TYPE USR41,

GIT_USR_AUTH TYPE STANDARD TABLE OF ZUSER_AUTH ,
GWA_USR_AUTH TYPE ZUSER_AUTH ,

GIT_PROFILE TYPE STANDARD TABLE OF SOPR,
GWA_PROFILE TYPE SOPR,

USER_NAME TYPE SY-UNAME,
ADDRSTR TYPE NI_NODEADDR,
V_UNAME TYPE ZUSER_AUTH-UNAME,
T_PCNAME TYPE ZUSER_AUTH-PCNAME.

DATA : logo TYPE SSM_PATH,
USER TYPE ZMANDT,
LOGIN_CLIENT LIKE SY-MANDT.

LOGIN_CLIENT = SY-MANDT.

SELECT SINGLE ZCLIENT
ZPATH
FROM ZLOGIN_LOGO
INTO (user , logo)
WHERE ZCLIENT = LOGIN_CLIENT.

USER_NAME = SY-UNAME.

SELECT *
FROM USR01
INTO TABLE GIT_USR01
WHERE BNAME = USER_NAME .

SELECT *
FROM USR41
INTO TABLE GIT_USR41
WHERE BNAME = USER_NAME .

SELECT SINGLE UNAME
FROM ZUSER_AUTH
INTO V_UNAME
WHERE UNAME = USER_NAME.

IF SY-SUBRC = 0.

CALL FUNCTION 'TH_USER_INFO'
EXPORTING
CLIENT                    = SY-MANDT
USER                      = USER_NAME
*       CHECK_GUI                 = 0
IMPORTING
*       HOSTADDR                  =
TERMINAL                  = T_PCNAME
*       ACT_SESSIONS              =
*       MAX_SESSIONS              =
*       MY_SESSION                =
*       MY_INTERNAL_SESSION       =
*       TASK_STATE                =
*       UPDATE_REC_EXIST          =
*       TID                       =
*       GUI_CHECK_FAILED          =
ADDRSTR                   = ADDRSTR
*       RC                        =
.

TRANSLATE T_PCNAME TO UPPER CASE.
SELECT * FROM ZUSER_AUTH
INTO TABLE GIT_USR_AUTH
WHERE UNAME = USER_NAME.

READ TABLE GIT_USR_AUTH
INTO GWA_USR_AUTH
WITH KEY UNAME = USER_NAME
IPADDR = ADDRSTR
PCNAME = T_PCNAME
MANDT = SY-MANDT.
.
IF SY-SUBRC = 0
AND ADDRSTR = GWA_USR_AUTH-IPADDR
AND T_PCNAME = GWA_USR_AUTH-PCNAME
AND SY-MANDT = GWA_USR_AUTH-MANDT.

CALL METHOD OF VOICE 'SPEAK' = OLE
EXPORTING #1 = W_STRING. "TEXT.
*

ELSE.
CLEAR SY-UCOMM.
MESSAGE : 'You are not authorized to login on this terminal.'
TYPE 'E'.
EXIT.
*     call 'SYST_LOGOFF'.
ENDIF.

ELSE.

CALL METHOD OF VOICE 'SPEAK' = OLE
EXPORTING #1 = W_STRING. "TEXT.

ENDIF.

former_member194965 · ‎2016 May 09

tq

Pragnesh_7se7 · ‎2016 May 09

Hi Sagar,

Thanks for Input.

Former Member · ‎2017 Feb 21

With SAP DAM by NextLabs we use the same user exit to restrict access from specific locations. This allows us to dynamically restrict access to BOM's or recipes to specific locations, prevent exposure of IP and secrets via VPN and for the enforcement of Export Compliance like ITAR, EAR, BAFA or EU Dual Use.

former_member259275 · ‎2018 Aug 27

hi ,

I have successfully implemented this enhancement, it works well but the problem rite now I'm experiencing is the popping up of two popup message windows:

1 -Information message of failed user login attempts
2- Flash Messages popup window

After popping up any of above message window the SAP system waits for user input if user click OK the system will move further & called user exit(SUSR0001), & if user right clicks & opt for create new session on the top of any of the window if will safely bypasses the user exit (SUSR0001). Here this solution seems fail by not calling the exit for which the solution was actually developed.

If any body experienced the same & resolved please share .

former_member453202 · ‎2023 Feb 17

Dear shoaib.rehman2 ,

Would you mind to share the update for your finding of this solution. I'm so exciting with this.

Best Regards,

Luan

We have launched new Developer forums/groups in the SAP Community. If you are here to publish developer- or SAP-technology related blog posts, please check out our new groups instead. You can find more information about the developer forums in this What's New post.

Restrict SAP user ID login for only one Terminal