Disable SAP GUI login

plaban_sahoo6 · ‎04-21-2016

Hi All,

I want to prevent end-users of CRM and BI, from logging in, via SAP logon pad.is there any parameter or Security policy, which can achieve this.

i think login/disable_password_logon, will also prevent a user from logging though url. However, there is no SSO, so end-users of CRM and BI use password in CRM and BI specific urls.

Regards

Plaban

LutzR · ‎04-21-2016

Hi Plaban, I also hear this requirement once in a while and therefore did some research some months ago.

The clear result of my research was: no - at least not in a straight forward way.

The answer from SAP would probably be: "Build your authorization roles carefully and do not give any S_TCODE to those users". But of course life is not always that simple.

So what we thought about (and dismissed):

Don't install SAP GUI (hahaha)
Close firewalls for SAP ports (hmhmhm)
Do authentication to web applications only with SAML2 and deactivate the users' passwords (but there are some SAP Shortcut generating SAP web applications that will bypass this measure) (ohohoh)

By questioning the requirement and educating about SAP's authorization concepts we were always able to satisfy people (sufficiently) without "locking down" SAP GUI.

Regards,

Lutz

Former Member · ‎04-25-2016

Hi Plaban,

You can classify your users into 2 groups (on User group for Auth. check) - GUILOGIN and NOGUILOGIN. Now, you can do that by using the combination of 2 parameters

1. login/disable_password_logon - with value 1 (This will allow only the users of GUILOGIN to use Gui route) denying the rest.

2. login/password_logon_usergroup = "GUILOGIN"

Let me know if this helps.

Regards,

Pranaam

plaban_sahoo6 · ‎04-25-2016

Hi,

Password logon for CRM and BI users is required through CRM and BI URL. So, making login/disable_password_logon as 1, will disable URL logging. So, your suggestion will not fit, my requirement.

however, your suggestion will fit for SSO, through portal.

regards

Plaban