04-21-2016 11:21 AM
Hello,
There's a user called SOLMANCONFIG that keeps getting locked in my (Solution Manager) system. It's getting called by some rogue RFC (could be external - this SolMan installation is connected to 30+ systems) which does not have the correct credentials for the ID.
Turned SM19 audit log for the ID yesterday.
Id got locked today once again.
Generated the audit log for a short time period around the time of locking, in SM20.
Results as attached.
As you can see, there's nothing in the "Terminal" column! It's not there in the detailed display either.
This problem has bugged me for quite a while now. Would really appreciate any help that would let me fix this. Mind you, this could be an RFC call from a satellite system, so checking the RFC destinations maintained in my own landscape (i.e. contents of the RFCDES table) might not be enough.
EDIT : If I recall correctly, there are also some profile parameters that need to be enabled to generate detailed logs in SM19/20. Is that relevant here?
04-21-2016 11:57 AM
Hi
In most cases blank terminal entry means: its from internal system.
You can enter into message details to see "Work Process Number" and "Work Process Type" responsible for this.
Maybe in process dev trace you will find something useful.
To see IPs in logs you can play with parameter: rsau/ip_only.
Regards
Przemek
04-26-2016 8:40 PM
04-26-2016 8:54 PM
Hi Rohit, please ensure you have implemented these SAP Security Notes in your system:
Those 3 notes are related on how the Security Audit Log handles the "terminal" field, there are some issues around it that you need to fix.