Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

How to setup the access duration for user

Former Member
0 Kudos
284

Dear experts,

As requrement of users, we need to setup the access duration for all users of our company . It's mean users only access into SAP on defined duration

Ex : Working time is 8h00 am to 17h00 pm, after 17h00 pm, users cannot access into system

Please help.

Thanks,

Neo

13 REPLIES 13

former_member204080
Active Contributor
0 Kudos
166

Hi,

Try this

Create two operation modes in RZ04

1.Day mode ->from 8 to 17 .In this give more Dialog WP and less Background Wp

So after this switch the operation mode

2.Night mode ->from 17 to 8.In this remove all the Dialog WP and assign it to Background Wp so that no Dialog WP will be available and no Dialog user can login.Normal Background operatins will go as usual

Regards,

Murali

0 Kudos
166

Hi,

are you sure that this will work? There must be always at least two dialog processes in the system.

If we are talking about only dialog users connecting via SAP GUI then you could user user exit SUSR00001 that is called right after successful logon. You could restrict you custom logic to only subset of users (e.g. based on user group).

Cheers

0 Kudos
166

What happens if this should only apply to the company code users for Vietman, but not the rest of the world?

And then one of the Vietnamese big shot managers travels to London, Paris, New York, Frankfurt, etc to make a BIG presentation to a whole bunch of fat banks and when he wants his data at 3 pm to make them all go "Wow!!! message stating that all system resources are occupied and they should all take a break before having a cup of tea...

The world is not flat! You should also not share SAP IDs just because some physical access control system only works until 17:00 ...

Cheers,

Julius

0 Kudos
166

Hi all,

Thanks for your solution

We want to set the access duration for end-user but sometimes, we need to flexible to allow user access to system in some special case.

Let me detail users's requirements

- Users can access to SAP fom 8h00 to 16h00

- At 16h00, system will send the warning message to user to inform that system will aunomatic turn offf after 15 minutes, it's mean system will automatic kick out users after 15 minutes

- From 16h00 to 8h00, users can not access to SAP

- However, in some special case, we can grant the acess to system to specific user.

Can we setup these steps on SAP ?

Thanks,

Neo

0 Kudos
166

Hi,

if users access only via SAP GUI then user access can be controlled by user exit mentioned above. A custom background job to send a message to all users that need to finish their work. Another job that will log out all relevant users after 15 mins. I would probably control access by combination of user group and authorization. So this restriction would apply only to users from some user groups. I would still check if a user has authorization for custom authorization object. All users with this authorization would be able to logon without restrictions. Hence for exception you would just assign a security role to a user.

Cheers

0 Kudos
166

Would it be acceptable to use "one-time-passwords" for the users each day, which are only issued / requestable at 8:00 a.m. and expire at 16:00 the same day, after which they must wait until the next morning (unless you give them a special new password for exceptions)?

That should work and be very easy when combined with Martin Voros's roundhouse kick at 16:15 each day...

Is it acceptable that the passwords continously change each day and can only be used once each?

Cheers,

Julius

0 Kudos
166

Julius,

that's a nice idea. Let assume that you are able to deliver password to user on daily basis. Then you could do:

1) 16:00 Send a message to logged users that they will be kicked out at 16:15

2) 16:10 Generate new password for each user. So users won't be able to logon with their old passwords

3) 16:15 Kick out all users

4) 7:55 next day just send new passwords to all users

Main advantage is that it would work for web dynpro and bsp apps as well. The only issue is that you would have to keep new passwords in plaintext between 16:10 and 7:55 next day. Solution could be generating two new passwords (16:10 and 7:55) and send out only the second password.

One disadvantage of this solution is that it would pollute change documents for users. It would generate at least one change password record for each user.

Cheers

Former Member
0 Kudos
166

Hi Neo

I've read some very interesting solutions but I just wondered what the reason was for trying to do this in the first place?

Just trying to balance requirements and solutions!

Cheers

David

0 Kudos
166

Hi David,

We had discussed with our users about these requirements, but they really want to do that for controlling.

Hi all,

I had read the solution but is it possible to set new password for users everyday . We are hypermarket and retail company so we have over 300 users . I think we will got trouble when we do this solution

Is there any better solution ?

Thank so much for your help.

Regards,

Neo

0 Kudos
166

Hi,

I thought that you will be retail. The problem is not to generate and set password every day. That can be easily implemented with a simple custom program. The issue is how to reliable distribute password to user every day. If your users will connect only via SAP GUI then I would go with user exit to control access and background job to terminate user sessions.

Cheers

0 Kudos
166

HI Martin,

That's right, we are retail and the issue is how to reliable distribute password to user every day

Now our users connect only via SAP GUI soI would we go with user exit to control access and background job to terminate user sessions. ?

But can we apply for specific user or group of users in case that they want to access ?

Thanks and regards,

DuyLD

0 Kudos
166

In user exit you will put your own code. So you can do there almost everything. Definitely, you can check for authorization and user group.

Cheers

0 Kudos
166

Another way of isolating their SAPGui access to the system is to give them all a SAProuter connection to the system and protect your other connection with a password in the string.

At 16:15 each day you stop the router, and start it again at 7:00 (this can be done automatically as an OS script).

You can then additionally monitor that no one is working too long or found a way around the router.

Depending on how often there are exceptions, a 2nd router can be used to give special IPs special access to the systems at special times, otherwise just start the 1st router and monitor that only those users are logging in.

This will be less disruptive to the backend system - actually it will know nothing of it...

Cheers,

Julius