Author: Pragnesh Patel

Restrict SAP user ID login for only one Terminal

Scenario: The client wants to prevent a user from logging in from any terminal other than the allocated one.

Solution:

Step 1: Use the function exit EXIT_SAPLSUSF_001, which is called immediately after login.

Step 2: Create a Z table which contains the user ID, IP address, and terminal name.

Step 3: Call function module TH_USER_INFO in the include ZXUSRU01 of function exit EXIT_SAPLSUSF_001.

Here TERMINAL is the terminal name and ADDRSTR is the IP address.

Step 4: If it runs for the first time, add the user ID, IP address and terminal ID to the table; from the next time on, validate against the Z table.

Step 5: Use function module WS_MSG to raise the error.

Step 6: Call 'SYST_LOGOFF' if the user is not authorized.

Remarks: Do not use any other method to raise the error, because…

If the user is not authorized, he/she can still log in using Create Session.

WS_MSG gives only below options.

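Steps 3 and 4 written out for include ZXUSRU01, as an added example that is not the post author's code. ZUSER_TERM and its fields UNAME, IPADDR and PCNAME are hypothetical names for the Z table of step 2, and typing the TERMINAL result as USR41-TERMINAL is an assumption; LV_ALLOWED is the result that steps 5 and 6 act on.

```abap
* Added example for include ZXUSRU01 (not the post author's code).
* ZUSER_TERM is a hypothetical Z table: MANDT, UNAME, IPADDR, PCNAME.
DATA: lv_terminal TYPE usr41-terminal,   "assumed type of the TERMINAL result
      lv_addrstr  TYPE ni_nodeaddr,
      ls_alloc    TYPE zuser_term,
      lv_allowed  TYPE c LENGTH 1.

* Step 3: terminal name and IP address of the session that just logged on.
CALL FUNCTION 'TH_USER_INFO'
  EXPORTING
    client   = sy-mandt
    user     = sy-uname
  IMPORTING
    terminal = lv_terminal
    addrstr  = lv_addrstr.

* Store and compare the terminal name in one case only.
TRANSLATE lv_terminal TO UPPER CASE.

* Step 4: read the terminal allocated to this user, if there is one.
SELECT SINGLE * FROM zuser_term INTO ls_alloc
  WHERE uname = sy-uname.

IF sy-subrc <> 0.
* First logon of this user: record the current terminal as the allocated one.
  CLEAR ls_alloc.
  ls_alloc-mandt  = sy-mandt.
  ls_alloc-uname  = sy-uname.
  ls_alloc-ipaddr = lv_addrstr.
  ls_alloc-pcname = lv_terminal.
  INSERT zuser_term FROM ls_alloc.
  IF sy-subrc = 0.
    lv_allowed = 'X'.
  ENDIF.
ELSEIF ls_alloc-ipaddr = lv_addrstr AND ls_alloc-pcname = lv_terminal.
* Later logons: both the IP address and the terminal name must match.
  lv_allowed = 'X'.
ENDIF.

* LV_ALLOWED is still initial here when the terminal does not match or the
* row could not be stored; steps 5 and 6 of the post act on that result.
```

The first-logon branch records whatever terminal the user happens to log on from, so the table is only as trustworthy as that first logon; pre-filling the rows for each user avoids relying on it.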

      20 Comments
      Former Member

      Hi,

      Nice document.

      Also, I want to know: is there any method to restrict a user from terminating the session of another user?

      Regards

      Ajay

      Pragnesh Patel
      Blog Post Author

      At login time? Please explain.

      Former Member

      Yes, at login time we need that a user is not able to disconnect the session of another user.

      Regards

      Ajay

      Pragnesh Patel
      Blog Post Author

      Hi Ajay,

      As far as I know

      You can restrict multiple logon,

      but such restriction is not allowed,

      you can discuss with your BASIS guy,

      Please see below link...

      Restrict the user from terminating other's logon

      Former Member

      Good one 🙂

      Regards,

      Mounika

      Former Member

      Good ..

      Abhay Dhandhalya

      Nice Document....

      Thanh Pham Ngoc

      Can you share the source code for include ZXUSRU01?

      Pragnesh Patel
      Blog Post Author

      Sorry Dear,

      But if you get stuck anywhere, just tell me; I will definitely help you.

      Thanh Pham Ngoc

      Dear Pragnesh,

      Now, we only have SAP Basis, no developer. So we can't write source code for include ZXUSRU01. We hope that you will share your source code with us. Thanks!

      Sagar Pambhar

      Dear Pragnesh,


      Nice document. We can enhance it like the code below, as I have developed the same thing in the past.


      EXIT: SUSR0001 -> Include ZXUSRU01

      TABLE: ZUSER_AUTH, USR41

      Field    Data element   Type     Description
      MANDT    MANDT          CLNT3    Client
      UNAME    XUBNAME        CHAR12   User Name in Master Rec
      IPADDR   NI_NODEADDR    CHAR45   IP Address
      PCNAME   ZTERMINAL      CHAR20   Terminal


      • This enhancement authenticates the user at login against its authorization for the system IP address and system PC name, together with its username and password. It also reads the login user's profile (voice).


      *&---------------------------------------------------------------------*
      *&  Include           ZXUSRU01
      *&---------------------------------------------------------------------*
      * break abapdev2.

      INCLUDE OLE2INCL.

      DATA : GWA_ADDR   LIKE BAPIADDR3,
             GIT_RETURN TYPE TABLE OF BAPIRET2,
             W_STRING   TYPE STRING.

      DATA : OLE   TYPE OLE2_OBJECT,
             VOICE TYPE OLE2_OBJECT,
             TEXT  TYPE STRING.

      CREATE OBJECT VOICE 'SAPI.SPVOICE'.

      * Read the user's address data to build the spoken welcome text.
      CALL FUNCTION 'BAPI_USER_GET_DETAIL'
        EXPORTING
          USERNAME      = SY-UNAME
          CACHE_RESULTS = 'X'
        IMPORTING
          ADDRESS       = GWA_ADDR
        TABLES
          RETURN        = GIT_RETURN.

      CLEAR : W_STRING.
      IF GIT_RETURN[] IS INITIAL.
        CONCATENATE 'Welcome' GWA_ADDR-TITLE_P GWA_ADDR-FIRSTNAME GWA_ADDR-LASTNAME 'In the world of SAP' INTO W_STRING SEPARATED BY ' '.
      ENDIF.

      * BREAK-POINT.
      TABLES : USR01, ZUSER_AUTH, SOPR.
      DATA : GIT_USR01    TYPE STANDARD TABLE OF USR01,
             GWA_USR01    TYPE USR01,

             GIT_USR41    TYPE STANDARD TABLE OF USR41,
             GWA_USR41    TYPE USR41,

             GIT_USR_AUTH TYPE STANDARD TABLE OF ZUSER_AUTH,
             GWA_USR_AUTH TYPE ZUSER_AUTH,

             GIT_PROFILE  TYPE STANDARD TABLE OF SOPR,
             GWA_PROFILE  TYPE SOPR,

             USER_NAME    TYPE SY-UNAME,
             ADDRSTR      TYPE NI_NODEADDR,
             V_UNAME      TYPE ZUSER_AUTH-UNAME,
             T_PCNAME     TYPE ZUSER_AUTH-PCNAME.

      DATA : LOGO         TYPE SSM_PATH,
             USER         TYPE ZMANDT,
             LOGIN_CLIENT LIKE SY-MANDT.

      LOGIN_CLIENT = SY-MANDT.

      SELECT SINGLE ZCLIENT ZPATH
        FROM ZLOGIN_LOGO
        INTO (USER, LOGO)
        WHERE ZCLIENT = LOGIN_CLIENT.

      USER_NAME = SY-UNAME.

      SELECT *
        FROM USR01
        INTO TABLE GIT_USR01
        WHERE BNAME = USER_NAME.

      SELECT *
        FROM USR41
        INTO TABLE GIT_USR41
        WHERE BNAME = USER_NAME.

      * Only users that have an entry in ZUSER_AUTH are restricted.
      SELECT SINGLE UNAME
        FROM ZUSER_AUTH
        INTO V_UNAME
        WHERE UNAME = USER_NAME.

      IF SY-SUBRC = 0.

      * Terminal name and IP address of the current session.
        CALL FUNCTION 'TH_USER_INFO'
          EXPORTING
            CLIENT   = SY-MANDT
            USER     = USER_NAME
      *     CHECK_GUI                 = 0
          IMPORTING
      *     HOSTADDR                  =
            TERMINAL = T_PCNAME
      *     ACT_SESSIONS              =
      *     MAX_SESSIONS              =
      *     MY_SESSION                =
      *     MY_INTERNAL_SESSION       =
      *     TASK_STATE                =
      *     UPDATE_REC_EXIST          =
      *     TID                       =
      *     GUI_CHECK_FAILED          =
            ADDRSTR  = ADDRSTR
      *     RC                        =
          .

        TRANSLATE T_PCNAME TO UPPER CASE.
        SELECT * FROM ZUSER_AUTH
          INTO TABLE GIT_USR_AUTH
          WHERE UNAME = USER_NAME.

      * The entry must match user, IP address, terminal name and client.
        READ TABLE GIT_USR_AUTH
          INTO GWA_USR_AUTH
          WITH KEY UNAME  = USER_NAME
                   IPADDR = ADDRSTR
                   PCNAME = T_PCNAME
                   MANDT  = SY-MANDT.

        IF SY-SUBRC = 0
          AND ADDRSTR  = GWA_USR_AUTH-IPADDR
          AND T_PCNAME = GWA_USR_AUTH-PCNAME
          AND SY-MANDT = GWA_USR_AUTH-MANDT.

          CALL METHOD OF VOICE 'SPEAK' = OLE
            EXPORTING #1 = W_STRING. "TEXT.

        ELSE.
          CLEAR SY-UCOMM.
          MESSAGE 'You are not authorized to login on this terminal.' TYPE 'E'.
          EXIT.
      *   call 'SYST_LOGOFF'.
        ENDIF.

      ELSE.

        CALL METHOD OF VOICE 'SPEAK' = OLE
          EXPORTING #1 = W_STRING. "TEXT.

      ENDIF.

      Pragnesh Patel
      Blog Post Author

      Hi Sagar,

      Thanks for Input.

      Juwin Pallipat Thomas

      Please read the documentation of the enhancement SUSR0001. SAP specifically says "Do not log off the user".

      Logoff is ranked 1st in the list of things you should absolutely avoid in a User exit/ Badi/ Enhancement.

      Thanks,

      Juwin

      Pragnesh Patel
      Blog Post Author

      Hi Juwin ,

      Do you have any alternative solution? If yes, then please share; I will definitely update.

      Actually, we first implemented it without the logoff option, but we didn't find any other way to restrict users.

      Thanks for Input.

      Juwin Pallipat Thomas

      Finding a solution shouldn't be done by breaking the system, isn't it? That was the only intent of my comment. I am not trying to sell my own solution here. Sorry, if I let you believe otherwise.

      Thanks,

      Juwin

      Pragnesh Patel
      Blog Post Author

      Hi Juwin,

      If you think such a solution breaks the system, you can definitely alert the moderator about this type of content. SAP itself provides such syntax to use; no doubt SAP also warns not to use some syntax in some places because it is not preferable, but software runs because of business, not business because of software, so I think you can understand what I mean.

      Juwin Pallipat Thomas

      I respect your enthusiasm. Thanks.

      ananthachari enjarapu

      tq

      Former Member

      With SAP DAM by NextLabs we use the same user exit to restrict access from specific locations. This allows us to dynamically restrict access to BOMs or recipes to specific locations, prevent exposure of IP and secrets via VPN, and enforce export compliance such as ITAR, EAR, BAFA or EU Dual Use.

       

      Shoaib Rehman

      Hi,

      I have successfully implemented this enhancement and it works well, but the problem I'm experiencing right now is the popping up of two popup message windows:

      1 -Information message of failed user login attempts
      2- Flash Messages popup window

      After either of the above message windows pops up, the SAP system waits for user input. If the user clicks OK, the system moves further and calls the user exit (SUSR0001); if the user right-clicks and opts for Create New Session on top of either window, it safely bypasses the user exit (SUSR0001). Here this solution seems to fail by not calling the exit for which the solution was actually developed.

      If anybody has experienced the same and resolved it, please share.