2019 May 29 3:13 PM
I would like to understand the risks or concerns for setting login/disable_multi_gui_login to 0.
2019 May 29 5:01 PM
To build upon Dennis' answer, your SAP license contract most likely stipulates that one named user account can only be used by one named user. Sharing of accounts and passwords, therefore, is not only bad for security, it's a license violation, and the annual license audit will catch it if two or more people log on at the same time with the same user ID. So, while it's a never-ending effort to educate users not to share passwords, one thing you can do is prevent simultaneous usage by setting this parameter to 1.
The parameter only affects dialog (GUI) logins, so it will not impact multiple sessions from, say, an Enterprise Portal, or even simultaneous portal and GUI logins, nor will it impact RFC logins. So, there's not much risk beyond annoying people who are used to getting away with bad practices.
Cheers,
Matt
2019 May 29 3:39 PM
Hello Katia,
The risks of allowing multiple logins for the same user are as follows:
1. If you are using a service user to log on and it is actually shared among a large set of users, then there is a chance that multiple people will try to access the SAP system at the same time if multiple logon is enabled. If you disable it, it will restrict this to one logon at a time.
2. In real-world scenarios, people do share their passwords (which should not be done) with other users to check some functionality which the other user might not be able to access due to authorization or some other issue. By disabling multiple logins, it is ensured that the other user doesn't use the session in parallel with the actual user while it is being used.
3. As per the company's compliance, it has been asked to disable multiple logon, and it is also one of the security best practices.
https://wiki.scn.sap.com/wiki/display/Basis/Disable+Multiple+SAP+Logons
Regards,
Dennis
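Before changing the parameter from 0 to 1, it helps to know which user IDs currently have simultaneous GUI sessions and would therefore be affected. The following is an added example, not code from any poster in this thread: it finds user IDs with overlapping GUI sessions in a session export and skips portal and RFC logons, which the thread says the parameter does not touch. The CSV layout, the type labels (`GUI`, `RFC`, `PORTAL`), the function name and the sample rows are constructed assumptions, not an SAP export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data; the column layout is an assumption for this example.
SAMPLE = """\
user,type,start,end
JSMITH,GUI,2019-05-29 09:00,2019-05-29 12:00
JSMITH,GUI,2019-05-29 11:30,2019-05-29 13:00
JSMITH,RFC,2019-05-29 09:15,2019-05-29 09:20
SVC_BATCH,RFC,2019-05-29 08:00,2019-05-29 18:00
SVC_BATCH,RFC,2019-05-29 08:30,2019-05-29 17:00
MLEE,GUI,2019-05-29 09:00,2019-05-29 10:00
MLEE,PORTAL,2019-05-29 09:30,2019-05-29 11:00
MLEE,GUI,2019-05-29 10:00,2019-05-29 11:00
"""


def concurrent_gui_users(text, fmt="%Y-%m-%d %H:%M"):
    """Return {user: peak number of simultaneous GUI sessions} where peak > 1."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] != "GUI":
            continue  # portal and RFC logons are outside the parameter's scope
        user = row["user"]
        events[user].append((datetime.strptime(row["start"], fmt), 1))
        events[user].append((datetime.strptime(row["end"], fmt), -1))

    peaks = {}
    for user, evs in events.items():
        live = peak = 0
        # Sorting the tuples puts a logoff (-1) before a logon (+1) at the
        # same timestamp, so back-to-back sessions do not count as overlap.
        for _, delta in sorted(evs):
            live += delta
            peak = max(peak, live)
        if peak > 1:
            peaks[user] = peak
    return peaks


if __name__ == "__main__":
    for user, peak in concurrent_gui_users(SAMPLE).items():
        print(f"{user}: up to {peak} simultaneous GUI sessions")
```

User IDs reported here are the ones to review for shared passwords before the parameter is set to 1.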