Sharing ids and pwd

Former Member · ‎09-18-2008

Hi Experts,

How to find out if people are sharing ids and pwd.

Thanks,

Lisa

Former Member · ‎09-18-2008

One way is to track the IP address from which the user has logged into.

SM04 will show you currently logged in users, so you can track users who are sharing same ID. Sort on terminal.

You may consider login/disable_multi_gui_login parameter also, if you want to enforce this.

Keep a track of terminals from where the suspected IDs login and you can track those IDs.

Regards,

Zaheer

former_member248712 · ‎09-18-2008

Or you can tap their phone conversations or hack into their emails.

AB.

Former Member · ‎09-19-2008

Create a **Disclaimer** system message via SM02...

"Sharing ids is agaisnt company policies and compliance....all ids with their IP addresses are tracked and audited every week. Violation will result in strict actions and/or termination of employment.. if you agree click "Continue"! "

P.S. -- > System messages ONLY have the continue button!

Former Member · ‎09-19-2008

Just to add to Abi.. create a banner also with the same disclaimer so whenever user will enter user ID and password they will see that....

Regards,

Zaheer

Former Member · ‎09-19-2008

Very creative...

Also see here:

(found using the search)

Edited by: Julius Bussche on Sep 19, 2008 9:58 AM

former_member248712 · ‎09-19-2008

Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.

With all the things that happen outside of SAP that could not be monitored, SAP has powerful tools to trace the transactions related to a User ID with in SAP.

So with all these tools, Code of Ethics also play a part in these kind of issues.

AB.

Former Member · ‎09-19-2008

> Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.

True.

In this case monitoring the failed logon attempts can be usefull though (report RSUSR006).

> So with all these tools, Code of Ethics also play a part in these kind of issues.

Very true.

And from a certain system size onwards Single-Sign-On becomes the only realistic solution.

Cheers,

Julius

Former Member · ‎09-19-2008

Ha ha..thanks Julius...

Just to add... Single Sign On + Disabling password ( might be a difficult call though)

Former Member · ‎09-19-2008

... and changing the parameter for multiple login....

WolfgangJanzen · ‎09-20-2008

>


> Table USR41_MLD can help find Multiple Logons by a User. Still doesn't prove if they are sharing the P/w or not.

Yes, it's not a "proof" (regarding legal prosecution) but at least a "strong indicator". In conjunction with a "system policy statement" (displayed on the logon screen - prior to authentication) this should be sufficient to take disciplinary actions, if required (applicable for internal systems, effecting employees).

Yes, using SSO is another (better) approach.

Former Member · ‎09-22-2008

Hi,

You can find in the security audit log which terminal is used by which user. It is a way to see it they are using different terminals. It is just an indication, but everything helps. (transactions sm19 and sm20).

have fun

Bye Jan van Roest

Former Member · ‎12-24-2009

Hi,

I have gone through the table usr41_mld whichc is really useful to findout the users login from multiple locations.

But there are 2 columns with name Counter can you please confirm which is considered to count multiple logins.

thanks in advance.

Regards

JIggi.

Former Member · ‎12-26-2009

These entries are written from a program which you cannot access easily and there is no publicly available documentation.

You can look in transaction USMM's code to work out how it is evaluated (good luck in that one!) and might get some clues.

From memory, one counter is the max number of concurrently terminals per used, and the other is how often this counter was reached... in the period between the dates from / to.

If you filter on a known user ID and look at the entries over time then it will make a bit more sense.

Cheers,

Julius

Former Member · ‎12-28-2009

Hi Julies,

Counter (PEAK) 2

Counter (COUNTER) 9

Modification date (FIRST DATE) 16.06.2008

Modification time (FIRST TIME) 15:06:16

Modification date (LAST DATE) 26.12.2008

Modification time (LAST TIME) 16:42:04

Modification date (PEAK DATE) 26.12.2008

Modification time (PEAK TIME) 16:42:04

these are the values in the table usr41_mld.

I think 2(logged from 2 multiple terminals on a day ) is the peak value on dated 26.12.2008 and the 9 is the value between 16.06.08 and 26.12.2008.

Please correct am wrong.

regards

Jiggi

Former Member · ‎12-28-2009

It is similar to this:

> Name: jiggi - View user's Business Card

> Registered: Mar 19, 2009

> Total Posts: 39

> Total Questions: 19 (10 unresolved)

I can count questions asked 19 times by the same user ID "jiggi", out of a total of 39 posts.

The user ID was created on 19th March 2009.

> Modification date (FIRST DATE) 09.07.2009

The ID first started asking questions on 9th July 2009

> Modification date (LAST DATE) 17.11.2009

The most recent one was on 17th December 2009, which was also the 19th one.

> Modification date (PEAK DATE) 17.11.2009

It reached a maximum peak of 10 unresolved questions, the most recent of which was also on 17th December 2009.

> Forum Points: 0

When the user ID asks a new question, it closes a previous question - only for this reason, because the maximum number of questions has been reached (10 questions in parallel). On at least one occasion, other user's questions were hijacked...

The user ID and any others associated with the same terminal have not been deleted, yet.

Hope that is clearer for you now...