Preventing Unauthorized Logons
Use the following measures to protect against unauthorized logons:
· Terminate sessions after a number of unsuccessful logon attempts under a single user ID. (Set the number of allowed unsuccessful logon attempts in the profile parameter: login/fails_to_session_end).
· Lock users after a number of consecutive unsuccessful logon attempts under a single user ID.
Set the number of invalid logon attempts that are allowed in the profile parameter login/fails_to_user_lock. Note the following:
¡ You can explicitly set locks for specific users.
¡ The system automatically removes locks that were set because of failed logon attempts at midnight on the same day (locks set explicitly by an administrator are not removed automatically). You can also remove any lock manually at any time.
¡ You can specify that the SAP system should not remove these user locks automatically at midnight. (Set the profile parameter login/failed_user_auto_unlock to 0.)
¡ The System Log records all locks. For more information, see Auditing and Logging.
· End users should activate password-protected screen savers.
· Monitor unsuccessful logon attempts with report RSUSR006.
This report lists the users with incorrect logon attempts and the users that have been locked. We recommend scheduling this report to run on a regular basis (daily).
· Record logon attempts in the Security Audit Log (configure the audit filters with transaction SM19, evaluate the log with SM20, and delete old audit files with SM18). For more information, see Auditing and Logging.
· Log off idle users.
Specify the amount of time a user can be idle in the profile parameter rdisp/gui_auto_logout.
· Use the customer exit SUSR0001 to add your own checks. (See SAP Note 37724.)
For example, you can add a check to prevent multiple dialog logons (see Recognizing and Preventing Multiple Dialog User Logons and SAP Note 142724).
· Use SAP Logon Pad or customize SAP Logon.
You can use the SAP Logon Pad to prevent users from changing the SAP Logon configuration, which provides easy access to the SAP systems that are maintained in the list of systems. For example, if your users use the SAP Logon Pad, they cannot add systems to the list of hosts or change the host name for the selected server.
(As of Release 4.5, SAP Logon Pad is no longer delivered, but you can still customize SAP Logon so that users cannot change the configuration.)
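The profile-parameter measures above (login/fails_to_session_end, login/fails_to_user_lock, login/failed_user_auto_unlock and rdisp/gui_auto_logout) are only effective if the values actually set in the instance profile match your policy. The following script is an added example, not SAP code and not part of this guide: it parses the "name = value" lines of a profile fragment, reports parameters that fall outside an example policy, and renders a hardened copy. The profile text is constructed for illustration, and the policy thresholds (1 to 3 attempts before session end, 1 to 5 before lock, no automatic unlock, auto-logout within 30 minutes) are an assumed example standard, not SAP defaults or SAP recommendations; adjust them to your own security policy.

```python
"""Check SAP profile parameters that protect against unauthorized logons.

Added example: parses a profile fragment, flags weak settings against an
example policy, and renders a hardened copy. Not SAP code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed instance-profile fragment (not from a real system).
SAMPLE_PROFILE = """\
# instance profile fragment (constructed example)
SAPSYSTEMNAME = XYZ
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
# rdisp/gui_auto_logout is not set, so idle users are never logged off
"""

# Example policy (an assumption for illustration, not an SAP default):
# parameter -> (minimum, maximum, value written by harden()).
POLICY = {
    "login/fails_to_session_end": (1, 3, "3"),
    "login/fails_to_user_lock": (1, 5, "5"),
    "login/failed_user_auto_unlock": (0, 0, "0"),   # 0 = keep locks past midnight
    "rdisp/gui_auto_logout": (1, 1800, "900"),      # seconds; 0/unset disables it
}

PARAM_RE = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' lines are comments.
    A later assignment overrides an earlier one, as in a real profile."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


@dataclass
class Finding:
    parameter: str
    current: Optional[str]
    expected: str
    reason: str


def _as_int(value: Optional[str]) -> Optional[int]:
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def check_logon_parameters(params: Dict[str, str]) -> List[Finding]:
    """Return one Finding per parameter that is unset, non-numeric,
    or outside the policy range."""
    findings: List[Finding] = []
    for name, (low, high, _) in POLICY.items():
        current = params.get(name)
        value = _as_int(current)
        if value is None or not low <= value <= high:
            expected = str(low) if low == high else f"{low}-{high}"
            reason = "unset or not numeric" if value is None else "outside policy range"
            findings.append(Finding(name, current, expected, reason))
    return findings


def harden(params: Dict[str, str]) -> Dict[str, str]:
    """Copy of params with every policy parameter set to its hardened value."""
    hardened = dict(params)
    for name, (_, _, target) in POLICY.items():
        hardened[name] = target
    return hardened


def render_profile(params: Dict[str, str]) -> str:
    """Render parameters back into profile syntax."""
    return "".join(f"{name} = {value}\n" for name, value in params.items())


if __name__ == "__main__":
    current = parse_profile(SAMPLE_PROFILE)
    for f in check_logon_parameters(current):
        print(f"{f.parameter}: current={f.current!r}, expected {f.expected} ({f.reason})")
    print("--- hardened profile fragment ---")
    print(render_profile(harden(current)), end="")
```

Run against the constructed fragment, the checker flags login/fails_to_user_lock (12 is above the example limit), login/failed_user_auto_unlock (1 unlocks at midnight) and the missing rdisp/gui_auto_logout; login/fails_to_session_end passes. Review the rendered fragment before applying it to a real profile, since the policy values are placeholders for your own standard.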
See also:
Profile Parameters for Logon and Password (Login Parameters)