04-21-2016 1:50 PM
Hi All,
I want to prevent end-users of CRM and BI, from logging in, via SAP logon pad.is there any parameter or Security policy, which can achieve this.
i think login/disable_password_logon, will also prevent a user from logging though url. However, there is no SSO, so end-users of CRM and BI use password in CRM and BI specific urls.
Regards
Plaban
04-21-2016 3:22 PM
Hi Plaban, I also hear this requirement once in a while and therefore did some research some months ago.
The clear result of my research was: no - at least not in a straight forward way.
The answer from SAP would probably be: "Build your authorization roles carefully and do not give any S_TCODE to those users". But of course life is not always that simple.
So what we thought about (and dismissed):
By questioning the requirement and educating about SAP's authorization concepts we were always able to satisfy people (sufficiently) without "locking down" SAP GUI.
Regards,
Lutz
04-25-2016 11:17 AM
Hi Plaban,
You can classify your users into 2 groups (on User group for Auth. check) - GUILOGIN and NOGUILOGIN. Now, you can do that by using the combination of 2 parameters
1. login/disable_password_logon - with value 1 (This will allow only the users of GUILOGIN to use Gui route) denying the rest.
2. login/password_logon_usergroup = "GUILOGIN"
Let me know if this helps.
Regards,
Pranaam
04-25-2016 2:34 PM
Hi,
Password logon for CRM and BI users is required through CRM and BI URL. So, making login/disable_password_logon as 1, will disable URL logging. So, your suggestion will not fit, my requirement.
however, your suggestion will fit for SSO, through portal.
regards
Plaban