09-18-2008 9:33 PM
09-18-2008 9:46 PM
One way is to track the IP address from which the user has logged into.
SM04 will show you currently logged in users, so you can track users who are sharing same ID. Sort on terminal.
You may consider login/disable_multi_gui_login parameter also, if you want to enforce this.
Keep a track of terminals from where the suspected IDs login and you can track those IDs.
Regards,
Zaheer
09-18-2008 11:55 PM
09-19-2008 12:38 AM
Create a **Disclaimer** system message via SM02...
"Sharing ids is agaisnt company policies and compliance....all ids with their IP addresses are tracked and audited every week. Violation will result in strict actions and/or termination of employment.. if you agree click "Continue"! "
P.S. -- > System messages ONLY have the continue button!
09-19-2008 1:05 AM
Just to add to Abi.. create a banner also with the same disclaimer so whenever user will enter user ID and password they will see that....
Regards,
Zaheer
09-19-2008 8:52 AM
09-19-2008 6:23 PM
Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.
With all the things that happen outside of SAP that could not be monitored, SAP has powerful tools to trace the transactions related to a User ID with in SAP.
So with all these tools, Code of Ethics also play a part in these kind of issues.
AB.
09-19-2008 6:35 PM
> Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.
True.
In this case monitoring the failed logon attempts can be usefull though (report RSUSR006).
> So with all these tools, Code of Ethics also play a part in these kind of issues.
Very true.
And from a certain system size onwards Single-Sign-On becomes the only realistic solution.
Cheers,
Julius
09-19-2008 9:13 PM
Ha ha..thanks Julius...
Just to add... Single Sign On + Disabling password ( might be a difficult call though)
09-19-2008 9:24 PM
09-20-2008 8:13 AM
>
> Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.
Yes, it's not a "proof" (regarding legal prosecution) but at least a "strong indicator". In conjunction with a "system policy statement" (displayed on the logon screen - prior to authentication) this should be sufficient to take disciplinary actions, if required (applicable for internal systems, effecting employees).
Yes, using SSO is another (better) approach.
09-22-2008 8:29 AM
Hi,
You can find in the security audit log which terminal is used by which user. It is a way to see it they are using different terminals. It is just an indication, but everything helps. (transactions sm19 and sm20).
have fun
Bye Jan van Roest
12-24-2009 12:23 PM
Hi,
I have gone through the table usr41_mld whichc is really useful to findout the users login from multiple locations.
But there are 2 columns with name Counter can you please confirm which is considered to count multiple logins.
thanks in advance.
Regards
JIggi.
12-26-2009 9:17 AM
These entries are written from a program which you cannot access easily and there is no publicly available documentation.
You can look in transaction USMM's code to work out how it is evaluated (good luck in that one!) and might get some clues.
From memory, one counter is the max number of concurrently terminals per used, and the other is how often this counter was reached... in the period between the dates from / to.
If you filter on a known user ID and look at the entries over time then it will make a bit more sense.
Cheers,
Julius
12-28-2009 7:14 AM
Hi Julies,
Counter (PEAK) 2
Counter (COUNTER) 9
Modification date (FIRST DATE) 16.06.2008
Modification time (FIRST TIME) 15:06:16
Modification date (LAST DATE) 26.12.2008
Modification time (LAST TIME) 16:42:04
Modification date (PEAK DATE) 26.12.2008
Modification time (PEAK TIME) 16:42:04
these are the values in the table usr41_mld.
I think 2(logged from 2 multiple terminals on a day ) is the peak value on dated 26.12.2008 and the 9 is the value between 16.06.08 and 26.12.2008.
Please correct am wrong.
regards
Jiggi
12-28-2009 10:38 AM
It is similar to this:
> Name: jiggi - View user's Business Card
> Registered: Mar 19, 2009
> Total Posts: 39
> Total Questions: 19 (10 unresolved)
I can count questions asked 19 times by the same user ID "jiggi", out of a total of 39 posts.
The user ID was created on 19th March 2009.
> Modification date (FIRST DATE) 09.07.2009
The ID first started asking questions on 9th July 2009
> Modification date (LAST DATE) 17.11.2009
The most recent one was on 17th December 2009, which was also the 19th one.
> Modification date (PEAK DATE) 17.11.2009
It reached a maximum peak of 10 unresolved questions, the most recent of which was also on 17th December 2009.
> Forum Points: 0
When the user ID asks a new question, it closes a previous question - only for this reason, because the maximum number of questions has been reached (10 questions in parallel). On at least one occasion, other user's questions were hijacked...
The user ID and any others associated with the same terminal have not been deleted, yet.
Hope that is clearer for you now...