Naor Shalom

How to restrict the login of users during maintenance – with Security policies.

Information:

Security policies are meant to make the SAP system more secure. A security policy is a collection of security policy attributes that you can use to better protect your SAP system.

Introduction:

We all know the situation from daily work: we need to perform maintenance on the SAP system and want to prevent users from logging on while the system is in maintenance, so that only the administrators are able to log on.

SAP provides us this new feature with the amazing tool – Security policies.

Prerequisites:

This function is provided only with kernel releases 721, 740, 741 and subsequent versions as of SAP_BASIS 731.

Configuration:

First we need to allow the administrators to log on to the system while it is in maintenance. For this we need to create a new security policy.

  1. Use transaction SECPOL to create a new security policy and assign it the new attribute SERVER_LOGON_PRIVILEGE with the value 1.

     Picture 1.0

     For more information about security policies and how to create them, see the SAP Security policies / Group policies blog by Gowrinadh Challagundla.

  2. Change the value of SAP parameter login/server_logon_restriction to 1.

     With this value, only users whose assigned security policy contains the new attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.

     Picture 1.1

     Remember that this value is dynamic.

The following values are possible:

    • 0 – No restriction. All users can log on to the application server.
    • 1 – Logon to the application server only permitted with special authorization. (Only users whose security policy contains SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.)
    • 2 – No logon to the application server permitted
    • 3 – External logon to the application server only permitted with special authorization. (Only users whose security policy contains SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.)
    • 4 – No external logon to the application server permitted

  3. Assign the security policy to the users: go to SU01 and assign the security policy to the administrator users.

     Picture 1.2


After we finish the configuration, we can start the tests.

Picture 2.0

Users without security policies cannot log on to the system (restricted logon). Users with security policies will succeed.


SAP Sources:


1891583 – Restricting logon to the application server

http://scn.sap.com/community/security/blog/2013/01/04/sap-security-policies-group-policies

Caution:


Logon to the system with the SAP* user is always possible.



Thanks


Naor Shalom
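A pre-maintenance check for the configuration above, as an added example that is not part of the original post and not SAP's own code: it reads constructed CSV exports of policy attributes and user assignments (the column, policy and user names are assumptions) and reports which intended administrators would be locked out, and which other users could still log on, for a given login/server_logon_restriction value. The `external` flag is a hypothetical stand-in for the external logon case in values 3 and 4.

```python
import csv
import io

# Constructed sample exports; column, policy and user names are assumptions.
POLICY_ATTRS_CSV = """policy,attribute,value
ZADMIN_MAINT,SERVER_LOGON_PRIVILEGE,1
ZDEFAULT,SERVER_LOGON_PRIVILEGE,0
"""
USERS_CSV = """user,policy
BASIS_ADM1,ZADMIN_MAINT
BASIS_ADM2,
JSMITH,ZDEFAULT
BATCH_SVC,ZADMIN_MAINT
"""

def privileged_policies(attrs_csv):
    """Policies that carry SERVER_LOGON_PRIVILEGE with the value 1."""
    return {r["policy"] for r in csv.DictReader(io.StringIO(attrs_csv))
            if r["attribute"] == "SERVER_LOGON_PRIVILEGE" and r["value"].strip() == "1"}

def may_log_on(user, policy, restriction, privileged, external=False):
    """Apply the value table for login/server_logon_restriction to one user."""
    if user == "SAP*":  # per the page's caution, SAP* can always log on
        return True
    has_privilege = policy in privileged
    if restriction == 0:
        return True
    if restriction == 1:
        return has_privilege
    if restriction == 2:
        return False
    if restriction == 3:  # only external logons need the privilege
        return has_privilege or not external
    if restriction == 4:  # only external logons are blocked
        return not external
    raise ValueError(f"unknown restriction value: {restriction}")

def precheck(users_csv, attrs_csv, expected_admins, restriction=1):
    """Compare who could log on against the list of intended administrators."""
    privileged = privileged_policies(attrs_csv)
    allowed = {r["user"] for r in csv.DictReader(io.StringIO(users_csv))
               if may_log_on(r["user"], r["policy"].strip(), restriction, privileged)}
    return {"locked_out_admins": sorted(set(expected_admins) - allowed),
            "unexpected_logons": sorted(allowed - set(expected_admins))}

if __name__ == "__main__":
    print(precheck(USERS_CSV, POLICY_ATTRS_CSV, ["BASIS_ADM1", "BASIS_ADM2"]))
```

On the sample data the check flags BASIS_ADM2, an administrator with no policy assigned, and BATCH_SVC, a non-administrator that holds the privileged policy.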



      1 Comment
      Sarthak Mayekar

      Hi Naor,

       

      Does the parameter automatically get reset after the upgrade or maintenance work is done?

       

      Regards,

      Sarthak