
Changing User Log In Error Messages

chris_hall2
Participant
0 Kudos

We would like to align the error messages for the following:

1. User Out of Validity

2. Locked by System Administrator

3. Locked due to incorrect number of log in attempts

The reason behind this is we have just installed GRC 5.3 and would like to align the error messages with a specific category/ticket in CUP.

Can we change the message to be a pop up instead of the message appearing on the status bar? Can links/url be added? Has anyone else done something similar? What we are finding is that the error messages are too generic and not being aligned to GRC, many users are submitting the wrong request and the user experience needs to be flawless.

Thanks Everyone,

Chris

27 REPLIES 27

Former Member
0 Kudos

Hi Chris

Sorry - I can't answer your question but this may be relevant for the GRC forum instead?

Kind regards

David

0 Kudos

This really isn't a GRC question and thought it would get moved to this forum

0 Kudos

If this is not GRC specific question, then the status of the user account via and even the password messages can easily be retrieved (see SAP note 899614 and the user BAPIs).

If it is GRC related then it is not easy at all and we need to move this to the GRC forum.

Cheers,

Julius

0 Kudos

Yes, this is not really GRC related. We are looking to change the messages in our R/3 (4.6C) environments.

Maybe an example of our issue would help clarify. We have a standard job that adjusts the validity date of our users in R/3 when they have not logged in for 45 days. At this point a user is not locked and the error message is "User is not in validity". To the average user this means very little and they assume they are locked and therefore submit a GRC request "Unlock". When they get the completion notification back saying their account is still out of validity many escalations occur. The correct request would be a change ID to extend the validity date so we want to modify the existing error message to something like "User is not in validity, please submit GRC Change ID request". We are hoping this will help our end users understand what type of request to submit in GRC.

0 Kudos

So you want to change the message texts to add your own custom instructions?

The logon program uses those messages so rather be careful and change them in an expendable sandbox first.

Anyway, your users are being silly. Possibly they are playing a joke on you?

Cheers,

Julius

koehntopp
Product and Topic Expert
0 Kudos

Has anybody thought of training the users before giving them access to the system...?

Frank.

0 Kudos

An idea for "online training" would be for them to choose the message themselves via the popup. If they choose the wrong one, then they are briefly electrocuted via the SAPGui each time.

Dzzzt ... Dzzzzzzt ...

0 Kudos

Frank, Trying to train 10,000 ++ users in multiple languages has not been the easiest

We also have a high turnover rate in certain regions of the world.

Edited by: Chris Hall on Jun 5, 2011 8:32 PM

0 Kudos

hahahaha, I love the idea Julius; however, I doubt this would be very legal in many areas

0 Kudos

Julius,

" So you want to change the message texts to add your own custom instructions?

The logon program uses those messages so rather be careful and change them in an expendable sandbox first. "

So modifying the logon program would accomplish this? Anywhere I can read up on this?

Thanks,

Chris

0 Kudos

You cannot change the logon program SAPMSYST! Think of the implications if you did...

However changing the texts of the messages might work, even if a modification to the message class. You must test this in a sandbox because SAPMSYST makes several checks - so you could easily cause a "lock-out"!!

Better options would be to include this question in the CUP request form or consider SSO instead of passwords?

Cheers,

Julius

0 Kudos

Thanks Julius, yes I realize there are certain implications here. Tough to come up with a solution when we are running 40+ SAP clients (DEV/QA/PRD -> R/3 (2 different models), SolMan, XI, IPC, APO, CRM, BI and an instance of ECC6) and a SSO has not been proposed strictly for SAP, management is looking for a single ID/password for the 100+ applications we use.

0 Kudos

and a SSO has not been proposed strictly for SAP, management is looking for a single ID/password for the 100+ applications we use.

The plot thickens....

So... you are synchronizing the passwords at the hash level across systems to mimic real SSO and this error message for validity is causing the password to be reset and then your "poor man's SSO" fails.

That is not the end user's fault. This is a "hack" in my books which is not sustainable for many reasons.

I cannot help you further if you do not disclose that you are using such "hacks" and these cause problems, because I do not believe in them. They are typically also very easily exploitable... (how well protected is the function which resets the password?).

Perhaps my assumptions are barking up the wrong tree here, but it seems to me that you are having to live with the consequences of a bad design.

Cheers,

Julius

0 Kudos

HAHAHA, no Julius, there is no SSO Hack Job done "yet". We still use an individual ID and Password for each of our systems, I did say this is "Proposed"

I think even with a SSO solution I am still going to have the same issue. User is locked by admin, the user submits an unlock request in GRC which is all good. User is out of validity and submits an unlock request and is technically unlocked but is still out of validity. Maybe education is the only real solution here. I was really hoping that there was a quick easy way to modify the error message on log on.

0 Kudos

You can educate the admin (or the program) to check the validity, and react to it?

As you are programmatically restricting the validity via a rule (not active password based logons), you can programmatically reactivate it.

When using SSO, you can do the same for those who still have active passwords.

So it is an admin and program problem?

ps: When your custom program detects an inactive user, how does it select these users and how does it lock them (or their password)?

Please post your code....

Cheers,

Julius

0 Kudos

Thanks for working through this with me. I'm not sure the coding will help with the issue. Our Corporate Policy states that for any of our production systems, inactive users have their validity date changed to the current day so they can no longer log in. We do not initiate an administrative lock or scramble their password, just simply change the valid to on the ID. We don't want to create a solution to automatically change the validity period back to the original valid to date, we want to ensure that these users go through an approval process to get back their access.

Each month we then run reports and any inactive user for 6 months is removed from the system, this part is manual.

0 Kudos

Hi Chris

Sorry if I confused matters by mentioning GRC before but I couldn't imagine changing R3.

From a day to day BAU aspect I always find the validity period a bit of a bugger when getting an unlock user request anyway - a second email saying 'now it says user not in validity' gives a 'd'oh'...

It's not a user issue but rather a service desk step to double-check the end date and to also wonder whether this should then be sent for approval by line manager and if a Pa30 record is present etc.

Cheers

David

0 Kudos

Hi David and Chris,

For the validity period to have been probed, the password must have been correct.

It is an order of preference via which the logon program issues the message. If the user read the message, then they will know what to request.

E.g. In the special case of a user having locked their own password (not account!) and not been active, hence validity period of the account and possibly also then locked by admin, the order of preference is the strictest one --> admin lock of the account (regardless of whether passwords are used or not).

This means that admin must unlock.

If "real" SSO is used, this layer of confusion for end users and admins is removed and you can delete the password (without deleting the account).

I would be curious to know whether and how Chris's program respects the difference between a password based logon and any other type of logon - as it is easy to make mistakes here when interpreting single fields of USR02 and (god forbid) updating them...

Cheers,

Julius

0 Kudos

No Problem David.

Doing a lot more reading today I came across information on table T100 and BINGO this is a start to what I've been looking for.

http://help.sap.com/saphelp_nw2004s/helpdata/en/d1/801b3e454211d189710000e8322d00/content.htm

I found the messages I am wanting to change the text of.

148 - User not in validity date. Please inform administrator.

158 - User is locked. Please notify the person responsible

0 Kudos

Julius - what is meant by the following where you mention other types of logon?

" I would be curious to know whether and how Chris's program respects the difference between a password based logon and any other type of logon "

The info is based on usr02-trdat. I tried just posting the code here but it wouldn't go through and don't see where I can add a pdf attachment.

0 Kudos

The info is based on usr02-trdat

That is a nice example of a single field...

Please post your code (only the relevant parts about the selects or BAPI calls and parameters used) and which release and SP you are on.

Cheers,

Julius

0 Kudos
* Too much spaghetti. Could not repair formatting

Edited by: Julius Bussche on Jun 6, 2011 10:29 PM

0 Kudos

Sorry Julius, I cannot figure out how to submit the code with line returns/formatting

0 Kudos

Sorry, the code is too long for formatting. But you reset the validity date (be careful of user types NE dialog!)

That will give the correct message, they just need to read it...

Cheers,

Julius

martin_voros
Active Contributor
0 Kudos

Hi,

it seems like all messages related to logon are in class RSEC. The issue is that it seems like all are raised from kernel, not from ABAP code. So there is no way how to start issuing multiple messages instead of one. It also does not feel right for me to start more info. It could be misused by attacker.

Cheers

Former Member
0 Kudos

Hi Chris,

you have below three scenarios:

1. User Out of Validity

2. Locked by System Administrator

3. Locked due to incorrect number of log in attempts

for case 1: if a user is already end dated and if he tries to log in to the system, he will automatically receive message " user account not in validity date"

for case 2/3 : for a locked user if we check the change documents information, you can see that if a user is locked by administrator or it is due to incorrect login also in both cases the lock value is different and when user id is locked by admin user will get the following message " locked by administrator" and for incorrect login's " incorrect login : user locked no further login contact system administrator"

hope this helps..

pls let me know if i answered your question.

Thanks.

Sandeep
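
The mismatch this thread keeps returning to (an "Unlock" request raised for an account that is actually out of validity) can be caught by checking the lock value and the valid-to date together before a ticket is closed. The sketch below is an added example, not code from any poster or from SAP; the record layout, function names and sample users are hypothetical, and the lock bits are assumed to follow the USR02-UFLAG convention.

```python
from datetime import date

# Lock bits as conventionally stored in USR02-UFLAG (assumption: the user
# export used here carries that integer unchanged).
LOCK_ADMIN = 32 | 64      # locked by an administrator (central or local)
LOCK_WRONG_LOGONS = 128   # locked after too many incorrect logon attempts


def required_requests(user, today):
    """Return the set of request types needed before this user can log on."""
    needed = set()
    if user["uflag"] & (LOCK_ADMIN | LOCK_WRONG_LOGONS):
        needed.add("Unlock")
    valid_to = user["valid_to"]          # None means no end date is set
    if valid_to is not None and valid_to < today:
        needed.add("Change ID")          # validity extension, goes through approval
    return needed


def review_ticket(requested, user, today):
    """Compare the request type the user submitted with what the account needs."""
    needed = required_requests(user, today)
    return {
        "needed": sorted(needed),
        "missing": sorted(needed - {requested}),   # still blocks logon afterwards
        "unnecessary": requested not in needed,    # request would change nothing
    }


# Constructed sample records, not taken from any real system.
TODAY = date(2011, 6, 6)
USERS = {
    "EXPIRED": {"uflag": 0, "valid_to": date(2011, 5, 1)},
    "ADMINLOCK": {"uflag": 64, "valid_to": None},
    "BOTH": {"uflag": 128, "valid_to": date(2011, 5, 1)},
}

if __name__ == "__main__":
    for name, record in USERS.items():
        print(name, review_ticket("Unlock", record, TODAY))
```

A non-empty `missing` list is the case described earlier in the thread: the ticket can be completed as requested and the user still cannot log on.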

0 Kudos

Hi Sandeep

I suspect the requirement is to make CUP give similar messages.

Regards

David