Restrict SAP user ID login for only one Terminal
Scenario: The client wants to restrict each user to logging in only from the allocated terminal, not from any other terminal.
Solution:
Step 1: Use function exit EXIT_SAPLSUSF_001, which is called immediately after login.
Step 2: Create a Z table which contains the user ID, IP address and terminal name.
Step 3: Call function module TH_USER_INFO in function exit EXIT_SAPLSUSF_001, include ZXUSRU01.
Here TERMINAL is the terminal name and ADDRSTR is the IP address.
Step 4: On the first run, add the user ID, IP address and terminal ID to the table; from the next time on, validate against the Z table.
Step 5: Use function module WS_MSG to raise the error.
Step 6: Call 'SYST_LOGOFF' if the user is not authorized.
Remarks: Do not use any other method to raise the error, because if the user is not authorized he/she can still log in using Create Session.
WS_MSG gives only the options below.
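Steps 3 to 6 put together, as an added example that is not the author's own source code. The table name ZUSER_AUTH and its fields (MANDT, UNAME, IPADDR, PCNAME), the message texts and the WS_MSG parameter names are assumptions; check the function module interface in SE37 before use.

```abap
*&---------------------------------------------------------------------*
*& Include ZXUSRU01 (called from EXIT_SAPLSUSF_001) - added example
*& Assumed table ZUSER_AUTH: MANDT, UNAME, IPADDR, PCNAME
*&---------------------------------------------------------------------*
DATA: lv_terminal TYPE zuser_auth-pcname,
      lv_ipaddr   TYPE zuser_auth-ipaddr,
      ls_auth     TYPE zuser_auth.

* Step 3: terminal name and IP address of the session that just logged on
CALL FUNCTION 'TH_USER_INFO'
  EXPORTING
    client   = sy-mandt
    user     = sy-uname
  IMPORTING
    terminal = lv_terminal
    addrstr  = lv_ipaddr.
TRANSLATE lv_terminal TO UPPER CASE.

* Step 4: look up the terminal registered for this user
SELECT SINGLE * FROM zuser_auth INTO ls_auth
  WHERE uname = sy-uname.

IF sy-subrc <> 0.
* First logon: whatever terminal logs on first becomes the allocated
* one, so pre-load the table for accounts where that is not acceptable
  ls_auth-mandt  = sy-mandt.
  ls_auth-uname  = sy-uname.
  ls_auth-ipaddr = lv_ipaddr.
  ls_auth-pcname = lv_terminal.
  INSERT zuser_auth FROM ls_auth.
ELSEIF ls_auth-ipaddr <> lv_ipaddr OR ls_auth-pcname <> lv_terminal.
* Step 5: report the mismatch (parameter names assumed, see lead-in)
  CALL FUNCTION 'WS_MSG'
    EXPORTING
      msg_type = 'E'
      text     = 'You are not authorized to log on from this terminal.'
      titl     = 'Logon restricted'.
* Step 6: end the session so Create Session cannot be used afterwards
  CALL 'SYST_LOGOFF'.
ENDIF.
```

This follows the article's steps as written; a commenter further down points out that the SUSR0001 documentation says not to log off the user in this exit.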
Hi,
Nice document.
I also want to know: is there any method to restrict a user from terminating the session of another user?
Regards
Ajay
At login time? Please explain.
Yes, at login time we need that a user is not able to disconnect the session of another user.
Regards
Ajay
Hi Ajay,
As far as I know
You can restrict multiple logon,
but such restriction is not allowed,
you can discuss with your BASIS guy,
Please see below link...
Restrict the user from terminating other's logon
Good one 🙂
Regards,
Mounika
Good ..
Nice Document....
Can you share the source code for include ZXUSRU01?
Sorry Dear,
But if you get stuck anywhere just tell me, I will definitely help you.
Dear Pragnesh,
Now, we only have SAP Basis, no developer. So we can't write the source code for include ZXUSRU01. We hope that you will share your source code with us. Thanks!
Dear Pragnesh,
Nice document. We can enhance it like the code below, as I have developed the same thing in the past.
EXIT : SUSR0001 -> Include ZXUSRU01
TABLE : ZUSER_AUTH , USR41

Fields of ZUSER_AUTH:

Field    Data element   Data type   Description
MANDT    MANDT          CLNT3       Client
UNAME    XUBNAME        CHAR12      User Name in Master Rec
IPADDR   NI_NODEADDR    CHAR45      IP Address
PCNAME   ZTERMINAl      CHAR20      Terminal
*&---------------------------------------------------------------------*
*& Include ZXUSRU01
*&---------------------------------------------------------------------*
* break abapdev2.
INCLUDE OLE2INCL.

DATA : GWA_ADDR   LIKE BAPIADDR3,
       GIT_RETURN TYPE TABLE OF BAPIRET2,
       W_STRING   TYPE STRING.
DATA : OLE   TYPE OLE2_OBJECT,
       VOICE TYPE OLE2_OBJECT,
       TEXT  TYPE STRING.

* Speech object used to read out the welcome text
CREATE OBJECT VOICE 'SAPI.SPVOICE'.

* Build the welcome text from the user's address data
CALL FUNCTION 'BAPI_USER_GET_DETAIL'
  EXPORTING
    USERNAME      = SY-UNAME
    CACHE_RESULTS = 'X'
  IMPORTING
    ADDRESS       = GWA_ADDR
  TABLES
    RETURN        = GIT_RETURN.

CLEAR : W_STRING.
IF GIT_RETURN[] IS INITIAL.
  CONCATENATE 'Welcome' GWA_ADDR-TITLE_P GWA_ADDR-FIRSTNAME GWA_ADDR-LASTNAME 'In the world of SAP' INTO W_STRING SEPARATED BY ' '.
ENDIF.
* BREAK-POINT.

TABLES : USR01 ,ZUSER_AUTH , SOPR.

DATA : GIT_USR01    TYPE STANDARD TABLE OF USR01,
       GWA_USR01    TYPE USR01,
       GIT_USR41    TYPE STANDARD TABLE OF USR41,
       GWA_USR41    TYPE USR41,
       GIT_USR_AUTH TYPE STANDARD TABLE OF ZUSER_AUTH ,
       GWA_USR_AUTH TYPE ZUSER_AUTH ,
       GIT_PROFILE  TYPE STANDARD TABLE OF SOPR,
       GWA_PROFILE  TYPE SOPR,
       USER_NAME    TYPE SY-UNAME,
       ADDRSTR      TYPE NI_NODEADDR,
       V_UNAME      TYPE ZUSER_AUTH-UNAME,
       T_PCNAME     TYPE ZUSER_AUTH-PCNAME.
DATA : logo         TYPE SSM_PATH,
       USER         TYPE ZMANDT,
       LOGIN_CLIENT LIKE SY-MANDT.

LOGIN_CLIENT = SY-MANDT.

SELECT SINGLE ZCLIENT
              ZPATH
  FROM ZLOGIN_LOGO
  INTO (user , logo)
  WHERE ZCLIENT = LOGIN_CLIENT.

USER_NAME = SY-UNAME.

SELECT *
  FROM USR01
  INTO TABLE GIT_USR01
  WHERE BNAME = USER_NAME .

SELECT *
  FROM USR41
  INTO TABLE GIT_USR41
  WHERE BNAME = USER_NAME .

* Only users with an entry in ZUSER_AUTH are restricted to a terminal
SELECT SINGLE UNAME
  FROM ZUSER_AUTH
  INTO V_UNAME
  WHERE UNAME = USER_NAME.

IF SY-SUBRC = 0.
* Terminal name and IP address of the current logon
  CALL FUNCTION 'TH_USER_INFO'
    EXPORTING
      CLIENT   = SY-MANDT
      USER     = USER_NAME
* CHECK_GUI = 0
    IMPORTING
* HOSTADDR =
      TERMINAL = T_PCNAME
* ACT_SESSIONS =
* MAX_SESSIONS =
* MY_SESSION =
* MY_INTERNAL_SESSION =
* TASK_STATE =
* UPDATE_REC_EXIST =
* TID =
* GUI_CHECK_FAILED =
      ADDRSTR  = ADDRSTR
* RC =
    .
  TRANSLATE T_PCNAME TO UPPER CASE.

  SELECT * FROM ZUSER_AUTH
    INTO TABLE GIT_USR_AUTH
    WHERE UNAME = USER_NAME.

* Look for an entry matching user, IP address, terminal and client
  READ TABLE GIT_USR_AUTH
    INTO GWA_USR_AUTH
    WITH KEY UNAME  = USER_NAME
             IPADDR = ADDRSTR
             PCNAME = T_PCNAME
             MANDT  = SY-MANDT.

  IF SY-SUBRC = 0
     AND ADDRSTR  = GWA_USR_AUTH-IPADDR
     AND T_PCNAME = GWA_USR_AUTH-PCNAME
     AND SY-MANDT = GWA_USR_AUTH-MANDT.
    CALL METHOD OF VOICE 'SPEAK' = OLE
      EXPORTING #1 = W_STRING. "TEXT.
  ELSE.
    CLEAR SY-UCOMM.
    MESSAGE 'You are not authorized to login on this terminal.'
      TYPE 'E'.
    EXIT.
* call 'SYST_LOGOFF'.
  ENDIF.
ELSE.
* No entry for this user: no terminal restriction, just the greeting
  CALL METHOD OF VOICE 'SPEAK' = OLE
    EXPORTING #1 = W_STRING. "TEXT.
ENDIF.
Hi Sagar,
Thanks for Input.
Please read the documentation of the enhancement SUSR0001. SAP specifically says "Do not log off the user".
Logoff is ranked 1st in the list of things you should absolutely avoid in a User exit/ Badi/ Enhancement.
Thanks,
Juwin
Hi Juwin ,
Do you have any alternative solution? If yes, then please share; I will definitely update.
Actually first we have implemented without logoff option, but we didn't find any other way to restrict users,
Thanks for Input.
Finding a solution shouldn't be done by breaking the system, isn't it? That was the only intent of my comment. I am not trying to sell my own solution here. Sorry, if I let you believe otherwise.
Thanks,
Juwin
Hi Juwin,
If you think such a solution breaks the system, you can definitely alert the moderator about this type of content. SAP itself provides such syntax to use; no doubt SAP also warns not to use some syntax in some places because it is not preferable, but software runs because of business, not business because of software, so I think you can understand what I mean.
I respect your enthusiasm. Thanks.
tq
With SAP DAM by NextLabs we use the same user exit to restrict access from specific locations. This allows us to dynamically restrict access to BOMs or recipes to specific locations, prevent exposure of IP and secrets via VPN, and enforce export compliance regimes like ITAR, EAR, BAFA or EU Dual Use.
Hi,
I have successfully implemented this enhancement. It works well, but the problem I'm experiencing right now is the popping up of two popup message windows:
1 - Information message of failed user login attempts
2 - Flash Messages popup window
After either of the above message windows pops up, the SAP system waits for user input. If the user clicks OK, the system moves on and calls the user exit (SUSR0001), but if the user right-clicks and opts for Create New Session on top of either window, it safely bypasses the user exit (SUSR0001). Here this solution seems to fail by not calling the exit for which the solution was actually developed.
If anybody has experienced the same and resolved it, please share.
Dear Shoaib Rehman ,
Would you mind sharing an update on your findings for this solution? I'm so excited about this.
Best Regards,
Luan