Just like what Julius said, per me...."prevention is better than cure".

Rather than killing someone's session abruptly, not giving that access would be much nice. Restrict the tcode which you don't want users to run, which would save the programming for exits and other overheads.

Regards,

Zaheer

> Zaheer wrote:

> ...."prevention is better than cure".

Principally yes and you have Wolfgang on your side now as well... , but I was thinking about this and whether there might be special requirements outside of the normal out-of-the-box system.

In addition to there being many transactions for this application, there might not be any transactions at all and any attempt to do anything outside of the boundaries of what the application is permitted to do... should invoke a harsh and immediate reaction toward the caller.

> Rather than killing someone's session abruptly, not giving that access would be much nice. Restrict the tcode which you don't want users to run, which would save the programming for exits and other overheads.

There might be many transactions or no transaction codes at all involved - and any transaction call what-so-ever should be blocked. Perhaps the application has the ability to do this by it's design, in which case just removing all tcodes from the authority of the user might not be enough, considering how many tcodes there are...

I like these sorts of discussions and that it is possible to do stuff like this - but I agree with you that these sorts of requirements in reality often have better possible solutions or they are an under-overkill for the risk (e.g. if the user start tcode SE38 ...).

I have often heard that the golden rule of security is => validate all input; sanitize all output.

Cheers,

Julius

There you go Julius

Ya, it these things are possible, however do we need them ?

Like, if you take SCC4 and want sessions to be closed if someone executes them, then there are so many cases you have to consider

Will this response ("killing sessions") be same for all users or there must be some exception

What if you need to do that thing as a administrator ? (Hope for the best and prepare for the worst

Its a good discussion, but as Bernard pointed out, i would also like to hear from U.V.....

Good Nite !!!

Zaheer

Hi James,

> I am actually quite interested in this approach from a stand point that some users are intentionally trying to access things they know they are not allowed, such as salaries, and other HR related data.

From the above, you can see that the general opinion is to prevent unauthorized access. In this case, the user is not abruptly logged off, but rather an error message is raised to inform them that they don't have access or the data is simply not returned.

> This may be harsh, but it may also stop users that have a wide knowledge base from previous jobs.

Users with a wide knowledge base and the correct access is a good thing, in my opinion. If either are missing, there can be problems...

When speaking to business management people about security, I have often encountered that they are more concerned about user training and skills being the cause of system disruptions and data inconsistencies / loss, than what they are of (intentional) security hanky-panky... they do have a point to a certain extent.

But I think you are refering to something else here...

> Is there away to do this, but have an exception list, and possibly compile a report to tell administrators who this is locking??

One way of doing this is via the security audit log (SM19/SM20N/etc). Not only can you monitor who attempts to unsuccessfully use transaction PA20 (for example) but you can also check that successfull calls to HR transactions are made by users who are authorized for the transaction(s). A sure give-away is anyone who tries to start transaction PA01, PA02, PA03... (don't laugh... it has happened...). You can also monitor reports in this way (and verify authorized users for submitting known reports).

How you then react to it is up to you. A failed submit or navigation in the Easy Access menu might just have been a careless click or a "if I can do it this easily, then why not do it" attitude. You can lock them manually if you want, or write a report which does it automatically and sends emails, etc etc...

> Aside from locking it down by authorization, I would like to do this to find out what users are trying to access sensitive data. Any suggestions? I looked up note 609863 and it was about sys_logoff for users trying to access the wrong version of the GUI, was that an error or is that the only info SAP provides for forced system log off.

That is an example of using the 'syst_logoff' technique (in the specific case, to ensure that only users of a certain GUI version access the system...). You can use it for other purposes as well... however I am still a bit sceptical about this as being an overkill for any normal scenarios - in addition to the risk that you might lock everyone out unintentionally...

Cheers,

Julius

>

> Thanks to both for the information. I actually do use SM19 and 20 to monitor these logs, but with so many users it's has proven hard to be a useful tool outside of trouble-shooting user accounts and authorizations.

What I've done before is to schedule a periodic job to search the security audit log for specific events which I know to be undesirable (for example programs who's names start with "!", or changing role authorizations in production, or any attempts what-so-ever to logon with SAP* / DDIC, etc etc).

There are some reports for this. It's not "realtime" but it saves you having to manually go through thousands of log entries (and therefore not wanting them anymore...).

Cheers,

Julius