issue gathering some info on a user activity.

Former Member · ‎09-14-2011

25 days back some changes were made by one of our users in transaction code CO02 the problem is that i want to find out with which system IP address , the changes were made since we schedule the job RSTCDEL on weekly basis hence no ogs are vailable for the last 25 days is there any other way out by which we track that from which system or a IP address the changes were made although the *USER* ID with which the changes were made is known to me but unable to find the exact details.

Your help will be highly appreciated.

Former Member · ‎09-14-2011

Hi,

Option # 1 - If you have audit log enabled, you can view the IP address or Terminal #.

Option # 2 - Ask the user on which terminal he has logged in

But, what you would like to do by tracing the IP address??

Regards,

Raghu

Former Member · ‎09-15-2011

The issue is we just want find out the person who has made the changes although the USER ID is know but still its used by multiple people .

Former Member · ‎09-15-2011

If you tolerate this and dont turn your audit log on as compensation, then that is your problem.

At most you could start a forensic investigation.

Sorry,

Julius

Former Member · ‎09-14-2011

So what you mean to say is that you know the user ID but a multiple of people are using it - hence you need to know the terminal IP?

Cheers,

Julius

Former Member · ‎09-15-2011

Yes thats correct the same USER ID is ebing used by multipe people.

Regards

Abhishek

koehntopp · ‎09-15-2011

Let me summarize:

- you're deleting logs before being clear that you might still need them

- you have users sharing the same user ID

Are you serious? I suggest you hire someone to help you analyze basic security concepts for your environment. What does your auditing department think about these practices?

Frank.

Former Member · ‎09-28-2011

It's for the first time that a case like this has come up thats why we dont usually keep the logs for more than 7 days and yes 1 LOGIN id is used by multiple users but the issues is with my another branch ie a Remote location where more than 500 users are working although the company is the same .

Former Member · ‎09-28-2011

So you have two legal entities using the same company code (in zhe same system and client) and in there 500 people using the same user ID?

Nice...

So who runs the payment program?

Cheers,

Julius

Former Member · ‎09-28-2011

500 as a whole not like 500 using the same id

Former Member · ‎09-28-2011

And you pay one SAP user licence per 500 users ?

Former Member · ‎09-28-2011

You could start the forensics by using SM19 to gather a list of terminals subsequently using that ID.

When the list seems complete, disable the multi_gui login parameter.

When one of them on those terminals call you, ask them where they were 25 days ago at that time. Also verify in the document headers whether other records give you a clue. Also check the joblog and who else has S_BTCH_NAM for that user ID.

For all the others who call you, send them a user registration form

Cheers,

Julius

Former Member · ‎10-01-2011

Thanks !