09-14-2011 11:52 AM
25 days back some changes were made by one of our users in transaction code CO02. The problem is that I want to find out from which system IP address the changes were made. Since we schedule the job RSTCDEL on a weekly basis, no logs are available for the last 25 days. Is there any other way by which we can track from which system or IP address the changes were made? The *USER* ID with which the changes were made is known to me, but I am unable to find the exact details.
Your help will be highly appreciated.
09-14-2011 12:03 PM
Hi,
Option # 1 - If you have audit log enabled, you can view the IP address or Terminal #.
Option # 2 - Ask the user on which terminal he has logged in.
But what would you like to do by tracing the IP address?
Regards,
Raghu
09-15-2011 10:09 AM
The issue is we just want to find out the person who has made the changes. Although the USER ID is known, it is used by multiple people.
09-15-2011 10:14 AM
If you tolerate this and don't turn your audit log on as compensation, then that is your problem.
At most you could start a forensic investigation.
Sorry,
Julius
09-14-2011 12:53 PM
So what you mean to say is that you know the user ID but multiple people are using it - hence you need to know the terminal IP?
Cheers,
Julius
09-15-2011 10:10 AM
Yes, that's correct, the same USER ID is being used by multiple people.
Regards
Abhishek
09-15-2011 10:19 AM
Let me summarize:
- you're deleting logs before being clear that you might still need them
- you have users sharing the same user ID
Are you serious? I suggest you hire someone to help you analyze basic security concepts for your environment. What does your auditing department think about these practices?
Frank.
09-28-2011 10:12 AM
It's the first time that a case like this has come up; that's why we don't usually keep the logs for more than 7 days. And yes, 1 LOGIN ID is used by multiple users, but the issue is with my other branch, i.e. a remote location where more than 500 users are working, although the company is the same.
09-28-2011 10:49 AM
So you have two legal entities using the same company code (in the same system and client) and in there 500 people using the same user ID?
Nice...
So who runs the payment program?
Cheers,
Julius
09-28-2011 6:08 PM
You could start the forensics by using SM19 to gather a list of terminals subsequently using that ID.
When the list seems complete, disable the multi_gui login parameter.
When one of them on those terminals calls you, ask them where they were 25 days ago at that time. Also verify in the document headers whether other records give you a clue. Also check the joblog and who else has S_BTCH_NAM for that user ID.
For all the others who call you, send them a user registration form.
Cheers,
Julius