How to restrict the login of users during maintenance – with Security policies.
Information:
A security policy is a collection of security policy attributes. You can use this function to make your SAP system more secure.
Introduction:
We all know the situation from daily work: the SAP system needs maintenance, and while it is in maintenance we want to prevent users from logging on, so that only the administrators can log on to the system.
SAP provides this new feature through an amazing tool: security policies.
Prerequisites:
This function is provided only with kernel releases 721, 740, 741 and subsequent versions as of SAP_BASIS 731.
Configuration:
First we need to allow the administrators to log on to the system while it is in maintenance. For this we need to create a new security policy.
1. Use transaction SECPOL to create a new security policy and assign it the new attribute SERVER_LOGON_PRIVILEGE with the value 1.
Picture 1.0
For more information about security policies and how to create them, see the blog "SAP Security policies / Group policies" by Gowrinadh Challagundla.
2. Change the value of the SAP parameter login/server_logon_restriction to 1.
With this value, only users whose assigned security policy contains the new attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.
Picture 1.1
Remember that the value of this parameter is dynamic.
The following values are possible:
- 0 – No restriction. All users can log on to the application server.
- 1 – Logon to the application server only permitted with special authorization. (Users whose security policy contains SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.)
- 2 – No logon to the application server permitted
- 3 – External logon to the application server only permitted with special authorization. (Users whose security policy contains SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.)
- 4 – No external logon to the application server permitted
3. Add the security policy to the users: go to SU01 and assign the security policy to the administrator users.
Picture 1.2
So after we finish the configuration, we can start the tests.
Picture 2.0
Users without the security policy cannot log on to the system (restricted logon). Users with the security policy will succeed.
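Before switching the parameter, it is worth confirming who will still be able to log on, so that the administrators are not locked out. The following added example (not part of the original post and not SAP code) models the five parameter values over exported user and policy lists. The CSV column names, user names and policy names are constructed for illustration, and treating values 3 and 4 as leaving non-external logons unrestricted is an assumption drawn from the wording of the value list.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions for this
# example, not SAP table layouts.
POLICY_ATTRS_CSV = """policy,attribute,value
ZADMIN_MAINT,SERVER_LOGON_PRIVILEGE,1
ZADMIN_MAINT,MIN_PASSWORD_LENGTH,12
ZSTANDARD,MIN_PASSWORD_LENGTH,8
"""
USERS_CSV = """user,policy
BASIS_ADM,ZADMIN_MAINT
JSMITH,ZSTANDARD
BATCH_USR,
SAP*,
"""

def privileged_policies(policies_csv):
    """Names of policies that carry SERVER_LOGON_PRIVILEGE = 1."""
    return {r["policy"] for r in csv.DictReader(io.StringIO(policies_csv))
            if r["attribute"] == "SERVER_LOGON_PRIVILEGE" and r["value"].strip() == "1"}

def may_log_on(user, policy, restriction, external, privileged):
    """Model login/server_logon_restriction values 0-4 as listed on this page."""
    if restriction not in (0, 1, 2, 3, 4):
        raise ValueError(f"unknown restriction value: {restriction}")
    if user == "SAP*" or restriction == 0:
        return True                      # SAP* can always log on (page's caution)
    if restriction in (3, 4) and not external:
        return True                      # assumption: 3 and 4 leave non-external logons open
    return restriction in (1, 3) and policy in privileged

def preflight(users_csv, policies_csv, restriction, external=True):
    """Return (allowed, blocked, lockout_risk) for a planned parameter value."""
    privileged = privileged_policies(policies_csv)
    allowed, blocked = [], []
    for r in csv.DictReader(io.StringIO(users_csv)):
        ok = may_log_on(r["user"], r["policy"], restriction, external, privileged)
        (allowed if ok else blocked).append(r["user"])
    # Lockout risk: no named user besides SAP* would keep access.
    lockout_risk = all(u == "SAP*" for u in allowed)
    return allowed, blocked, lockout_risk

if __name__ == "__main__":
    for value in (1, 2):
        print(value, preflight(USERS_CSV, POLICY_ATTRS_CSV, value))
```

A `lockout_risk` of `True` for the planned value means only SAP* would keep access, so the policy assignment in SU01 should be checked before the parameter is changed.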
SAP Sources:
1891583 – Restricting logon to the application server
http://scn.sap.com/community/security/blog/2013/01/04/sap-security-policies-group-policies
Caution:
Logon to the system with the SAP* user is always possible.
Thanks
Naor Shalom
Hi Naor,
Is the parameter automatically reset after the upgrade or maintenance work gets done?
Regards,
Sarthak