2012 Mar 01 6:13 AM
Dear experts,
As a requirement of our users, we need to set up the access duration for all users of our company. It means users can only access SAP during a defined duration.
Ex: Working time is 8h00 am to 17h00 pm; after 17h00 pm, users cannot access the system.
Please help.
Thanks,
Neo
2012 Mar 01 6:27 AM
Hi,
Try this
Create two operation modes in RZ04
1. Day mode -> from 8 to 17. In this, give more Dialog WP and fewer Background WP
So after this, switch the operation mode
2. Night mode -> from 17 to 8. In this, remove all the Dialog WP and assign them to Background WP so that no Dialog WP will be available and no Dialog user can log in. Normal Background operations will go on as usual
Regards,
Murali
2012 Mar 01 10:20 PM
Hi,
are you sure that this will work? There must be always at least two dialog processes in the system.
If we are talking about only dialog users connecting via SAP GUI, then you could use user exit SUSR00001, which is called right after a successful logon. You could restrict your custom logic to only a subset of users (e.g. based on user group).
Cheers
2012 Mar 02 5:55 PM
What happens if this should only apply to the company code users for Vietnam, but not the rest of the world?
And then one of the Vietnamese big shot managers travels to London, Paris, New York, Frankfurt, etc to make a BIG presentation to a whole bunch of fat banks and when he wants his data at 3 pm to make them all go "Wow!!! message stating that all system resources are occupied and they should all take a break before having a cup of tea...
The world is not flat! You should also not share SAP IDs just because some physical access control system only works until 17:00 ...
Cheers,
Julius
2012 Mar 03 2:38 AM
Hi all,
Thanks for your solution.
We want to set the access duration for end users, but sometimes we need to be flexible and allow users access to the system in some special cases.
Let me detail the users' requirements:
- Users can access SAP from 8h00 to 16h00
- At 16h00, the system will send a warning message to users to inform them that the system will automatically turn off after 15 minutes; it means the system will automatically kick out users after 15 minutes
- From 16h00 to 8h00, users cannot access SAP
- However, in some special cases, we can grant access to the system to a specific user.
Can we set up these steps in SAP?
Thanks,
Neo
2012 Mar 03 7:06 AM
Hi,
if users access only via SAP GUI, then user access can be controlled by the user exit mentioned above. A custom background job to send a message to all users that need to finish their work. Another job that will log out all relevant users after 15 mins. I would probably control access by a combination of user group and authorization. So this restriction would apply only to users from some user groups. I would still check if a user has authorization for a custom authorization object. All users with this authorization would be able to log on without restrictions. Hence, for an exception you would just assign a security role to a user.
Cheers
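
An added example, not part of any post in this thread and not SAP code: a Python model of the rule described above, useful for testing the time window, the 15-minute grace period and the exception path before the check is written into the logon exit and the two background jobs. The user group name and the `has_exception_auth` flag are hypothetical; the times are the 8:00, 16:00 and 16:15 from Neo's requirements.

```python
from datetime import time
from enum import Enum


class Action(Enum):
    ALLOW = "allow"    # nothing to do
    WARN = "warn"      # open session stays, user is told to finish work
    LOGOFF = "logoff"  # open session is terminated by the background job
    DENY = "deny"      # new logon is rejected in the logon exit


# Times come from the thread; the group name is a hypothetical placeholder.
OPEN, CLOSE, GRACE_END = time(8, 0), time(16, 0), time(16, 15)
RESTRICTED_GROUPS = {"STORE_USERS"}


def _exempt(user_group, has_exception_auth):
    # Users outside the restricted groups are never limited; users holding
    # the custom authorization (assigned through a role) bypass the limit.
    return user_group not in RESTRICTED_GROUPS or has_exception_auth


def in_window(now):
    # Half-open interval: 08:00:00 is allowed, 16:00:00 is already closed.
    return OPEN <= now < CLOSE


def logon_decision(user_group, has_exception_auth, now):
    """Decision for a new dialog logon (the check placed in the logon exit)."""
    if _exempt(user_group, has_exception_auth) or in_window(now):
        return Action.ALLOW
    return Action.DENY


def session_decision(user_group, has_exception_auth, now):
    """Decision for an already open session (the two background jobs)."""
    if _exempt(user_group, has_exception_auth) or in_window(now):
        return Action.ALLOW
    if CLOSE <= now < GRACE_END:
        return Action.WARN
    # After the grace period, or before opening time: the session should
    # not exist, so it is terminated.
    return Action.LOGOFF
```

`now` must be taken from the clock the restriction is defined against; an application server running in a different time zone from the users shifts the whole window.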
2012 Mar 03 8:49 PM
Would it be acceptable to use "one-time-passwords" for the users each day, which are only issued / requestable at 8:00 a.m. and expire at 16:00 the same day, after which they must wait until the next morning (unless you give them a special new password for exceptions)?
That should work and be very easy when combined with Martin Voros's roundhouse kick at 16:15 each day...
Is it acceptable that the passwords continuously change each day and can only be used once each?
Cheers,
Julius
2012 Mar 04 3:50 AM
Julius,
that's a nice idea. Let's assume that you are able to deliver the password to users on a daily basis. Then you could do:
1) 16:00 Send a message to logged users that they will be kicked out at 16:15
2) 16:10 Generate new password for each user. So users won't be able to logon with their old passwords
3) 16:15 Kick out all users
4) 7:55 next day just send new passwords to all users
Main advantage is that it would work for web dynpro and bsp apps as well. The only issue is that you would have to keep new passwords in plaintext between 16:10 and 7:55 next day. Solution could be generating two new passwords (16:10 and 7:55) and send out only the second password.
One disadvantage of this solution is that it would pollute change documents for users. It would generate at least one change password record for each user.
Cheers
2012 Mar 04 9:11 AM
Hi Neo
I've read some very interesting solutions but I just wondered what the reason was for trying to do this in the first place?
Just trying to balance requirements and solutions!
Cheers
David
2012 Mar 05 3:15 AM
Hi David,
We had discussed with our users about these requirements, but they really want to do that for controlling.
Hi all,
I had read the solution, but is it possible to set a new password for users every day? We are a hypermarket and retail company, so we have over 300 users. I think we will get into trouble if we do this solution.
Is there any better solution?
Thanks so much for your help.
Regards,
Neo
2012 Mar 05 4:06 AM
Hi,
I thought that you would be retail. The problem is not to generate and set a password every day. That can be easily implemented with a simple custom program. The issue is how to reliably distribute the password to users every day. If your users connect only via SAP GUI, then I would go with the user exit to control access and a background job to terminate user sessions.
Cheers
2012 Mar 05 4:55 AM
Hi Martin,
That's right, we are retail and the issue is how to reliably distribute the password to users every day.
Now our users connect only via SAP GUI, so would we go with the user exit to control access and a background job to terminate user sessions?
But can we apply it to a specific user or group of users in case they want access?
Thanks and regards,
DuyLD
2012 Mar 05 6:22 AM
In user exit you will put your own code. So you can do there almost everything. Definitely, you can check for authorization and user group.
Cheers
2012 Mar 05 7:10 AM
Another way of isolating their SAPGui access to the system is to give them all a SAProuter connection to the system and protect your other connection with a password in the string.
At 16:15 each day you stop the router, and start it again at 7:00 (this can be done automatically as an OS script).
You can then additionally monitor that no one is working too long or found a way around the router.
Depending on how often there are exceptions, a 2nd router can be used to give special IPs special access to the systems at special times, otherwise just start the 1st router and monitor that only those users are logging in.
This will be less disruptive to the backend system - actually it will know nothing of it...
Cheers,
Julius