Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Protecting user accounts - Reducing user account sharing


Dear friends,

Our Internal Audit Dept believes that some employees may be sharing SAP users (and passwords) to avoid the SoD in place. With password-based authentication, which we must use, there is no chance that the system can prevent it.

However, to reduce the sharing of users and, incidentally, to protect against unauthorized use of someone else's account, we are trying to do something similar to what many organizations do.

The idea is that our (ECC 6.0) system stores a statistic of the computers from which a user connects, and in the event of an "unusual" login it sends a message to the user's email account. It will explain how to react if the access is not recognized, but will also inform of the legal consequences of the misuse of his/her user account.

We have the option of using the SAL, but prefer it to be online. Is there a user-exit, or similar, to capture the event of a user login and to send an email to the user's address, or perform other actions? The right moment seems to be the login event used by SAL...

Surely someone has already developed a similar solution in SAP. We would appreciate any information or idea.

Thanks in advance,

Best regards,

dionisio

1 ACCEPTED SOLUTION

Former Member

Hi, Bernhard has pointed out the most obvious method of reducing this.  If you do need to put in additional validation after logon then you can use exit SUSR001 to insert new code (caveat, this will cover gui logon but not other methods of accessing the system).

More strategically would be to use an SSO solution.  It may be anecdotal but in my experience users are much less likely to share the password to their laptop/workstation/email/network than they are an application like SAP.

6 REPLIES

Former Member

Hello Dionisio,

have you already activated the parameter "login/disable_multi_gui_login" to disable multiple logons from users?

The other thing with your idea about the e-mail notification is that you must have an internal table where you match the Terminal ID and the user. Otherwise you can't decide at what point you must send an email to the user.

Kind regards,

Bernhard Schöberl


Thanks Bernhard,

Yes, we have multilogin disabled and sure, we will need an internal table to control the user's terminal (probably more than one, and through an authorization process).

Regards,

Dionisio



Dear Alex,

I have the same experience about sharing their "only" password, and I believe, it will best address the sharing issue. Unfortunately that solution is out of our reach for now...

About the SUSR001, I am not really looking for extra validation. Do you believe then that it is the best place for recording the terminal ID and so on?


Thanks for your help.

Dionisio


Hi Dionisio, I used the term "validation" inappropriately.  SUSR001 is the exit that happens immediately after logon so if you want something to happen such as sending an email, recording something, providing extra validation etc, that is a logical place to put additional code. 

In your situation this is the exit in which you can record the terminal ID, trigger the email etc.
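As an added example (not code from this thread or from SAP), a Python model of the logic Alex places in SUSR001: a per-user table of approved terminals, a check run on each login event, and an alert whenever the terminal is unknown or a second terminal uses the same account within the same working day. The user names, terminal IDs and the 8-hour window are constructed assumptions; in ECC the check itself would run in ABAP inside the exit and each alert would become the email to the user.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    user: str
    terminal: str  # terminal ID as the after-logon exit would see it
    at: datetime

@dataclass
class TerminalRegistry:
    approved: dict = field(default_factory=dict)   # user -> set of approved terminal IDs
    last_seen: dict = field(default_factory=dict)  # user -> most recent Login
    overlap: timedelta = timedelta(hours=8)        # assumed working-day window

    def approve(self, user: str, terminal: str) -> None:
        """Register a terminal for a user (the authorization step mentioned in the thread)."""
        self.approved.setdefault(user, set()).add(terminal)

    def check(self, login: Login) -> list:
        """Reasons this login looks unusual; an empty list means no mail is sent."""
        reasons = []
        if login.terminal not in self.approved.get(login.user, set()):
            reasons.append(f"terminal {login.terminal} is not approved for {login.user}")
        prev = self.last_seen.get(login.user)
        if prev and prev.terminal != login.terminal and login.at - prev.at < self.overlap:
            reasons.append(f"{login.user} was also logged on from {prev.terminal} at {prev.at:%H:%M}")
        self.last_seen[login.user] = login  # keep the running per-user statistic
        return reasons

def alerts(events, registry):
    """Run the check over a login stream and return (user, reasons) for each alert."""
    return [(ev.user, r) for ev in events if (r := registry.check(ev))]

def demo():
    reg = TerminalRegistry()
    reg.approve("DIONISIO", "PC-FIN-01")  # constructed users and terminal IDs
    reg.approve("ALEX", "PC-FIN-02")
    d = datetime(2024, 5, 6, 8, 0)
    events = [  # constructed login events in the order the exit would see them
        Login("DIONISIO", "PC-FIN-01", d),
        Login("DIONISIO", "PC-HR-07", d + timedelta(hours=1, minutes=30)),  # unknown terminal, same day
        Login("ALEX", "PC-FIN-01", d + timedelta(hours=2)),                 # unknown terminal only
        Login("DIONISIO", "PC-FIN-01", d + timedelta(days=1)),              # next day: nothing unusual
    ]
    return alerts(events, reg)
```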


Thanks so much Alex,

We are going to work in that direction.

Best regards,

dionisio