
Display number of unsuccessful since a user's last logon

Former Member
0 Kudos

Hi,

For security's sake we would like a message to be displayed with the number of unsuccessful attempts.

For example, if a user logs on (in SAP) once unsuccessfully and then logs on once more unsuccessfully, and on the third attempt he/she logs on successfully, the system should display the message:

"Number of failed attempts since your last logon is 2".

Any idea how this could be done or managed? Currently we're on 46C and working on moving to ECC.6.

Thanks

8 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

Good idea - but unfortunately you'll have a hard time implementing it (yourself).

I assume that you are referring to unsuccessful password logon attempts, only.

Well, there is a counter for unsuccessful password logon attempts, but it will be reset on a consecutive successful password verification (by the kernel); so, at the time you can evaluate the user master record that counter is already reset ...

Well, feel encouraged to submit a development request (for future releases).

The more co-supporters you find, the more likely it will be implemented.

Regards, Wolfgang

former_member190272
Active Contributor
0 Kudos

Hi Theodora

You can check unsuccessful logon attempts with code SUIM.

And you can set the profile parameter login/fails_to_user_lock; with this parameter we set the number of invalid login attempts until user lock. The default value for this is 5; you can set this.

And we set the profile parameter login/fails_to_session_end. With this parameter we can set the number of invalid login attempts until session end. The default value for this is 3; you can set this.

If helpful, reward points

Thanks & Regards

Pankaj kumar

0 Kudos

See above: SUIM just evaluates those user master data records.

But that is not useful for the desired feature for the reasons I've highlighted in my previous posting. Such a feature does make sense - I appreciate the idea - but it must be more than just a "nice to have" feature, otherwise it has very limited chances to be implemented. To express that a feature is "really important" kindly submit a development request.

Cheers, Wolfgang

0 Kudos

Hi Wolfgang,

I clearly understand the way the SAP kernel checks unsuccessful password logon attempts. So we might request a development.

But, by the way, what about functionalities such as

"last successful login date"

"last unsuccessful login date"

instead of "Number of failed attempts since last logon"

Might be easier to implement?

Regards

Frederic.

0 Kudos

Frankly speaking, all that is "chicken feet" (i.e. not much effort to implement).

However, unfortunately we do have a software logistics problem: all authentication checks are implemented in the kernel (that is, without any doubt, the right place); changes can be delivered only by kernel patches. In order to access DB tables, the kernel requires data dictionary information (i.e. information on table fields: type, offset, length); those can only be modified and delivered by ABAP Support Packages.

The challenge is: to deliver both corrections in a synchronized / coupled way.

By definition, the kernel needs to be downwards-compatible. Therefore it must never harm to apply a kernel correction, first. However, it is also required to ensure that the DDIC changes are not applied prior to the kernel change. The kernel is using a static DDIC image (-> header files) and is not able to deal with unexpected DDIC changes (-> additional / appended table fields).

Believe me, I'd like to implement those "low hanging fruits". But I also have to ensure that under no circumstances delivering those changes will cause problems. "No risk, no fun" is not a suitable motto, I'm afraid.

Cheers, Wolfgang

0 Kudos

Hi Wolfgang,

I am also having some difficulties on my ST01 "development request", but irrespective of that, I would like to thank you for all your contributions to SDN and insights into how SAP works and how it may, or may not, work in future. And the many things which are needed to be considered to ensure sustainability of both the product, and the customer specific implementation of it.

If I could also contribute more, I would, but I am very busy with "chicken feet"

Cheers and thanks again!

Julius

Message was edited by:

Julius Bussche

Former Member
0 Kudos

I am not offering a solution, just a thought. I am going through a Certification & Accreditation process right now. One of the requirements is that the system should not show too much info during a failed login.

Example: The system should not tell the user a failed login is due to the incorrect password or due to wrong UID. Same idea for the number of failed login attempts.

BTW, I am managing a system where the UID is randomly generated.

Thanks,

WolfgangJanzen
Product and Topic Expert
0 Kudos

> I am not offering solution, just a thought. I am going thru Certification & Accreditation process
> right now. One of the requirement is the system should not show too much info during failed login.
>
> Example: The system should not tell the user a failed login is due to the incorrect password or
> due to wrong UID. Same idea for the number of failed login attempts.

Well, that always has been the case - the system typically replies with "Name or password is incorrect". That does not disclose whether the user exists or not. Of course, the system will also not tell you that "you have 5 more attempts to type in the correct password".

As of SAP NetWeaver 2004s (basis for mySAP ERP 2005, aka "7.00") some improvements have been implemented for the ABAP application server; have a kind look on SAP Note 862989 (https://service.sap.com/sap/support/notes/862989), section with title "Compromising error messages are avoided".

Regards, Wolfgang
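
The two points discussed in this thread (the failed-attempt counter has to be read before a successful logon resets it, and a failed logon must not reveal whether the user exists) are sketched below as an added example. It is not SAP kernel code and was not posted by any participant; `LogonService`, `UserRecord` and all field names are hypothetical, and the user and passwords are constructed sample data.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# One reply for "unknown user" and "wrong password", as quoted in the thread.
GENERIC_ERROR = "Name or password is incorrect"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class UserRecord:  # hypothetical record, not an SAP table layout
    salt: bytes
    pw_hash: bytes
    failed_since_last_logon: int = 0
    last_failed_at: Optional[datetime] = None
    last_success_at: Optional[datetime] = None

class LogonService:
    def __init__(self):
        self.users = {}
        self._dummy_salt = os.urandom(16)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = UserRecord(salt, _hash(password, salt))

    def logon(self, name: str, password: str, now: Optional[datetime] = None):
        now = now or datetime.now(timezone.utc)
        rec = self.users.get(name)
        if rec is None:
            # Do the same hashing work as for a real user so timing does not
            # disclose existence, and create no record for the unknown name.
            _hash(password, self._dummy_salt)
            return False, GENERIC_ERROR
        if not hmac.compare_digest(_hash(password, rec.salt), rec.pw_hash):
            rec.failed_since_last_logon += 1
            rec.last_failed_at = now
            return False, GENERIC_ERROR  # no count, no "attempts remaining"
        # Success: capture the counter BEFORE resetting it. Evaluating it
        # after the reset would always report 0.
        failed = rec.failed_since_last_logon
        rec.failed_since_last_logon = 0
        rec.last_success_at = now
        return True, f"Number of failed attempts since your last logon is {failed}"
```

The count is shown only after successful authentication, so it discloses nothing to someone who has not proven knowledge of the password.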