
Scenario: The client wants to prevent a user from logging in from any terminal other than the allocated one.

Solution:

Step 1: Use the function exit EXIT_SAPLSUSF_001, which is called immediately after login.


Step 2: Create a Z table that contains the user ID, IP address, and terminal name.


Step 3: Call the function module TH_USER_INFO in include ZXUSRU01 of the function exit EXIT_SAPLSUSF_001.

Here TERMINAL is the terminal name and ADDRSTR is the IP address.


Step 4: If the exit runs for the first time for a user, add the user ID, IP address, and terminal ID to the table; from the next login onward, validate against the Z table.

Step 5: Use the function module WS_MSG to raise the error.



Step 6: Call 'SYST_LOGOFF' if the user is not authorized.



Remarks: Do not use any other method to raise the error, because…

If the user is not authorized, he/she can still log in using Create Session.

WS_MSG gives only the options below.

[Screenshot: WS_MSG options]
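Steps 3 to 6 combined in one include, as an added example that is not the author's code. The table ZUSER_TERM and its fields are hypothetical, the WS_MSG parameter names are an assumption, and the type of the terminal field is assumed to be compatible with the TERMINAL parameter of TH_USER_INFO.

```abap
*&---------------------------------------------------------------------*
*&  Include ZXUSRU01 (called from EXIT_SAPLSUSF_001)
*&  Added illustration; ZUSER_TERM and its fields are hypothetical.
*&---------------------------------------------------------------------*
DATA: lv_terminal TYPE zuser_term-terminal,
      lv_addrstr  TYPE ni_nodeaddr,
      ls_allowed  TYPE zuser_term.

* Step 3: read the terminal name and IP address of the current session.
CALL FUNCTION 'TH_USER_INFO'
  EXPORTING
    client   = sy-mandt
    user     = sy-uname
  IMPORTING
    terminal = lv_terminal
    addrstr  = lv_addrstr.

* Store and compare terminal names in one case only.
TRANSLATE lv_terminal TO UPPER CASE.

* Step 4: look up the terminal allocated to this user.
SELECT SINGLE * FROM zuser_term INTO ls_allowed
  WHERE uname = sy-uname.

IF sy-subrc <> 0.
* First login: record this terminal as the allocated one.
  CLEAR ls_allowed.
  ls_allowed-mandt    = sy-mandt.
  ls_allowed-uname    = sy-uname.
  ls_allowed-ipaddr   = lv_addrstr.
  ls_allowed-terminal = lv_terminal.
  INSERT zuser_term FROM ls_allowed.
ELSEIF ls_allowed-ipaddr   <> lv_addrstr
    OR ls_allowed-terminal <> lv_terminal.
* Step 5: show the error with WS_MSG (parameter names assumed).
  CALL FUNCTION 'WS_MSG'
    EXPORTING
      msg_type = 'E'
      text     = 'You are not authorized to log in on this terminal.'
      titl     = 'Login restricted'.
* Step 6: end the session of the unauthorized user.
  CALL 'SYST_LOGOFF'.
ENDIF.
```

Because step 4 enrolls whatever terminal is seen at the first login, the allocation is only as trustworthy as that first session; pre-filling the table for each user avoids relying on it.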


19 Comments


  1. Ajay Goel

    Hi,

    Nice document.

    As well, I want to know: is there any method to restrict a user from terminating the session of another user?

    Regards

    Ajay

    (0) 
      1. Thanh Pham Ngoc

        Dear Pragnesh,

        Now, we only have SAP Basis, no developer, so we can’t write the source code for include ZXUSRU01. We hope that you will share your source code with us. Thanks!

        (0) 
    1. Sagar Pambhar

      Dear Pragnesh,


      Nice document. We can enhance it like the code below, as I have developed the same thing in the past.


      EXIT :

      SUSR0001 -> Include ZXUSRU01


      TABLE : ZUSER_AUTH , USR41

      Field    Data element   Type     Description
      MANDT    MANDT          CLNT3    Client
      UNAME    XUBNAME        CHAR12   User Name in Master Rec
      IPADDR   NI_NODEADDR    CHAR45   IP Address
      PCNAME   ZTERMINAL      CHAR20   Terminal


      • This enhancement authenticates the user at login against the system IP address, system PC name, and their username and password. It also reads the login user’s profile (voice).


      *&---------------------------------------------------------------------*
      *&  Include           ZXUSRU01
      *&---------------------------------------------------------------------*
      * break abapdev2.

      INCLUDE OLE2INCL.

      DATA : GWA_ADDR   LIKE BAPIADDR3,
             GIT_RETURN TYPE TABLE OF BAPIRET2,
             W_STRING   TYPE STRING.

      DATA : OLE   TYPE OLE2_OBJECT,
             VOICE TYPE OLE2_OBJECT,
             TEXT  TYPE STRING.

      * Speech object used to read out the welcome text.
      CREATE OBJECT VOICE 'SAPI.SPVOICE'.

      * Read the address data of the user who is logging in.
      CALL FUNCTION 'BAPI_USER_GET_DETAIL'
        EXPORTING
          USERNAME      = SY-UNAME
          CACHE_RESULTS = 'X'
        IMPORTING
          ADDRESS       = GWA_ADDR
        TABLES
          RETURN        = GIT_RETURN.

      CLEAR : W_STRING.
      IF GIT_RETURN[] IS INITIAL.
        CONCATENATE 'Welcome' GWA_ADDR-TITLE_P GWA_ADDR-FIRSTNAME GWA_ADDR-LASTNAME 'In the world of SAP' INTO W_STRING SEPARATED BY ' '.
      ENDIF.

      * BREAK-POINT.
      TABLES : USR01 ,ZUSER_AUTH , SOPR.
      DATA : GIT_USR01    TYPE STANDARD TABLE OF USR01,
             GWA_USR01    TYPE USR01,

             GIT_USR41    TYPE STANDARD TABLE OF USR41,
             GWA_USR41    TYPE USR41,

             GIT_USR_AUTH TYPE STANDARD TABLE OF ZUSER_AUTH ,
             GWA_USR_AUTH TYPE ZUSER_AUTH ,

             GIT_PROFILE  TYPE STANDARD TABLE OF SOPR,
             GWA_PROFILE  TYPE SOPR,

             USER_NAME    TYPE SY-UNAME,
             ADDRSTR      TYPE NI_NODEADDR,
             V_UNAME      TYPE ZUSER_AUTH-UNAME,
             T_PCNAME     TYPE ZUSER_AUTH-PCNAME.

      DATA : logo         TYPE SSM_PATH,
             USER         TYPE ZMANDT,
             LOGIN_CLIENT LIKE SY-MANDT.

      LOGIN_CLIENT = SY-MANDT.

      SELECT SINGLE ZCLIENT
                    ZPATH
        FROM ZLOGIN_LOGO
        INTO (user , logo)
        WHERE ZCLIENT = LOGIN_CLIENT.

      USER_NAME = SY-UNAME.

      SELECT *
        FROM USR01
        INTO TABLE GIT_USR01
        WHERE BNAME = USER_NAME .

      SELECT *
        FROM USR41
        INTO TABLE GIT_USR41
        WHERE BNAME = USER_NAME .

      * Is this user restricted, i.e. does an entry exist in ZUSER_AUTH?
      SELECT SINGLE UNAME
        FROM ZUSER_AUTH
        INTO V_UNAME
        WHERE UNAME = USER_NAME.

      IF SY-SUBRC = 0.

      * Read the terminal name and IP address of the current session.
        CALL FUNCTION 'TH_USER_INFO'
          EXPORTING
            CLIENT                    = SY-MANDT
            USER                      = USER_NAME
      *       CHECK_GUI                 = 0
          IMPORTING
      *       HOSTADDR                  =
            TERMINAL                  = T_PCNAME
      *       ACT_SESSIONS              =
      *       MAX_SESSIONS              =
      *       MY_SESSION                =
      *       MY_INTERNAL_SESSION       =
      *       TASK_STATE                =
      *       UPDATE_REC_EXIST          =
      *       TID                       =
      *       GUI_CHECK_FAILED          =
            ADDRSTR                   = ADDRSTR
      *       RC                        =
          .

        TRANSLATE T_PCNAME TO UPPER CASE.
        SELECT * FROM ZUSER_AUTH
          INTO TABLE GIT_USR_AUTH
          WHERE UNAME = USER_NAME.

      * Look for an entry matching user, IP address, terminal and client.
        READ TABLE GIT_USR_AUTH
          INTO GWA_USR_AUTH
          WITH KEY UNAME  = USER_NAME
                   IPADDR = ADDRSTR
                   PCNAME = T_PCNAME
                   MANDT  = SY-MANDT.

        IF SY-SUBRC = 0
          AND ADDRSTR = GWA_USR_AUTH-IPADDR
          AND T_PCNAME = GWA_USR_AUTH-PCNAME
          AND SY-MANDT = GWA_USR_AUTH-MANDT.

      * Allocated terminal: speak the welcome text.
          CALL METHOD OF VOICE 'SPEAK' = OLE
            EXPORTING #1 = W_STRING. "TEXT.
      *

        ELSE.
      * Terminal does not match the allocation: raise an error message.
          CLEAR SY-UCOMM.
          MESSAGE 'You are not authorized to login on this terminal.'
            TYPE 'E'.
          EXIT.
      *     call 'SYST_LOGOFF'.
        ENDIF.

      ELSE.

      * No entry in ZUSER_AUTH for this user: no terminal check is made.
        CALL METHOD OF VOICE 'SPEAK' = OLE
          EXPORTING #1 = W_STRING. "TEXT.

      ENDIF.

      (0) 
  2. Juwin Pallipat Thomas

    Please read the documentation of the enhancement SUSR0001. SAP specifically says “Do not log off the user”.

    Logoff is ranked 1st in the list of things you should absolutely avoid in a User exit/ Badi/ Enhancement.

    Thanks,

    Juwin

    (0) 
    1. Pragnesh Patel Post author

      Hi Juwin ,

      Do you have any alternative solution? If yes, then please share and I will definitely update.

      Actually first we have implemented without logoff option, but we didn’t find any other way to restrict users,

      Thanks for Input.

      (0) 
      1. Juwin Pallipat Thomas

        Finding a solution shouldn’t be done by breaking the system, isn’t it? That was the only intent of my comment. I am not trying to sell my own solution here. Sorry, if I let you believe otherwise.

        Thanks,

        Juwin

        (0) 
        1. Pragnesh Patel Post author

          Hi Juwin,

          If you think such a solution breaks the system, you can definitely alert the moderator about this type of content. SAP itself provides such syntax to use. No doubt SAP also warns not to use some syntax in some places because it is not preferable, but software runs because of business, not business because of software, so I think you can understand what I mean.

          (0) 
  3. Andreas Knoefel

    With SAP DAM by NextLabs we use the same user exit to restrict access from specific locations. This allows us to dynamically restrict access to BOM’s or recipes to specific locations, prevent exposure of IP and secrets via VPN and for the enforcement of Export Compliance like ITAR, EAR, BAFA or EU Dual Use.

     

    (0) 
