
login/disable_multi_gui_login parameter concerns


I would like to understand the risks or concerns for setting login/disable_multi_gui_login to 0

1 ACCEPTED SOLUTION

Matt_Fraser

To build upon Dennis' answer, your SAP license contract most likely stipulates that one named user account can only be used by one named user. Sharing of accounts and passwords, therefore, is not only bad for security, it's a license violation, and the annual license audit will catch it if two or more people log on at the same time with the same user ID. So, while it's a never-ending effort to educate users not to share passwords, one thing you can do is prevent simultaneous usage by setting this parameter to 1.

The parameter only affects dialog (GUI) logins, so it will not impact multiple sessions from, say, an Enterprise Portal, or even simultaneous portal and GUI logins, nor will it impact RFC logins. So, there's not much risk beyond annoying people who are used to getting away with bad practices.

Cheers,
Matt


dennispadia

Hello Katia,

The risks of allowing multiple logins for the same user are as follows:

1. If you are using a service user to log on and it is actually shared among a large set of users, then there are chances that multiple people are trying to access the SAP system at the same time if multiple logon is enabled. If you disable it, it will restrict this to one logon at a time.

2. In a real-case scenario, people do share their passwords (which should not be done) with other user(s) to check some functionality which the other user might not be able to access due to authorization or some other issue. By disabling multiple login, it is made sure that the other user doesn't use the session in parallel with the actual user while it is being used.

3. As per company compliance, it's been asked to disable multiple logon, and it is also one of the security best practices.

https://wiki.scn.sap.com/wiki/display/Basis/Disable+Multiple+SAP+Logons

Regards,

Dennis
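
An added example, not part of the original posts: a Python check for the parallel use of one user ID discussed in this thread, useful for seeing which accounts would be affected before setting login/disable_multi_gui_login to 1. The record layout and the logon-type labels (DIALOG, RFC, HTTP) are assumptions made for this example and are not an SAP export format; the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hypothetical layout, not an SAP export):
# user, logon type, terminal, session start, session end
SESSIONS = [
    ("JSMITH",  "DIALOG", "PC-0141", "2024-03-04 08:02", "2024-03-04 12:10"),
    ("JSMITH",  "DIALOG", "PC-0207", "2024-03-04 09:30", "2024-03-04 10:05"),
    ("JSMITH",  "RFC",    "APPSRV1", "2024-03-04 09:00", "2024-03-04 09:01"),
    ("SVC_FIN", "DIALOG", "PC-0312", "2024-03-04 08:00", "2024-03-04 09:00"),
    ("SVC_FIN", "DIALOG", "PC-0312", "2024-03-04 09:00", "2024-03-04 11:00"),
    ("SVC_FIN", "DIALOG", "PC-0388", "2024-03-04 10:45", "2024-03-04 11:30"),
    ("MLEE",    "DIALOG", "PC-0099", "2024-03-04 08:00", "2024-03-04 17:00"),
    ("MLEE",    "HTTP",   "PORTAL",  "2024-03-04 08:30", "2024-03-04 16:00"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def concurrent_gui_logons(sessions):
    """Return {user: [(terminal_a, terminal_b, overlap_start, overlap_end)]}.

    Only DIALOG sessions are compared, because the parameter affects
    dialog (GUI) logins only; RFC and portal (HTTP) sessions are skipped.
    """
    by_user = defaultdict(list)
    for user, kind, terminal, start, end in sessions:
        if kind != "DIALOG":
            continue
        by_user[user].append((_ts(start), _ts(end), terminal))

    findings = {}
    for user, items in by_user.items():
        items.sort()  # by start time
        hits = []
        for i, (_start_a, end_a, term_a) in enumerate(items):
            for start_b, end_b, term_b in items[i + 1:]:
                if start_b >= end_a:
                    break  # sorted by start: no later session can overlap
                hits.append((term_a, term_b, start_b, min(end_a, end_b)))
        if hits:
            findings[user] = hits
    return findings
```

Back-to-back sessions (one ends exactly when the next starts) are not reported; only sessions that are open at the same time are.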
