- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Unlock specified users which locked due to incorre...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Unlock specified users which locked due to incorrect logon automatically
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 4:32 AM
Hi experts, All users will be locked if he logon incorrectly 3 times in our system now and unlocked in the midnight.
Can I unlock some specified users automatically in specified time I set or is there any method to exclude these specified users to be locked even logon incorrectly 3 times ?
Best wishes,
Evan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 8:23 AM
>
> Hi experts, All users will be locked if he logon incorrectly 3 times in our system now and unlocked in the midnight.
>
> Can I unlock some specified users automatically in specified time I set or is there any method to exclude these specified users to be locked even logon incorrectly 3 times ?
>
> Best wishes,
>
> Evan
Hi Evan,
Is this your production system? If so then I would not recommend that users are automatically unlocked at midnight. (param login/failed_user_auto_unlock )
You may also want to extend your param login/fails_to_user_lock to 5 or 6 to give the users a bit more leeway.
Moving on to your questions, there is no way to exclude certain users from being locked if they enter wrong password 3 times (or however many you have set). Some user types e.g. service have some of the rules relaxed, however adherence to login/fails_to_user_lock is not one of those.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 8:23 AM
>
> Hi experts, All users will be locked if he logon incorrectly 3 times in our system now and unlocked in the midnight.
>
> Can I unlock some specified users automatically in specified time I set or is there any method to exclude these specified users to be locked even logon incorrectly 3 times ?
>
> Best wishes,
>
> Evan
Hi Evan,
Is this your production system? If so then I would not recommend that users are automatically unlocked at midnight. (param login/failed_user_auto_unlock )
You may also want to extend your param login/fails_to_user_lock to 5 or 6 to give the users a bit more leeway.
Moving on to your questions, there is no way to exclude certain users from being locked if they enter wrong password 3 times (or however many you have set). Some user types e.g. service have some of the rules relaxed, however adherence to login/fails_to_user_lock is not one of those.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 8:39 AM
Hi Alex, yes, it is production system. But the times to lock user is fixed by auditor.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 8:48 AM
>
> Hi Alex, yes, it is production system. But the times to lock user is fixed by auditor.
Hi Evan,
That's interesting, it shows how auditors can be inconsistent. General audit advice is lock after incorrect password has been entered after 5-6 times (to try and limit the problem you are having)
It is also unusual that they have not commented on users being unlocked after midnight, generally that is something auditors do not like to see.
Finally, it is no problem to challenge auditors if you have a valid reason. Often they are following a work program and do not have a good understanding of the implications of what they are recommending. (for purposes of balance there are also lots of good auditors out there!)
Cheers
Alex
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 9:25 AM
Hi Alex, thank you for your reply, it seems there is no normal method to do it. Maybe I need ABAPer to help solve it.
Best wishes,
Evan
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2008 10:14 AM
>
> Hi Alex, thank you for your reply, it seems there is no normal method to do it. Maybe I need ABAPer to help solve it.
>
> Best wishes,
>
> Evan
Hi Evan,
Alex is right: it's worth to clarify (with the auditors) which system behavior is desired before taking any action (in terms of coding). Let me guess: those "special" users are belonging to the "upper management" user group ... - they just don't like the feeling of being "locked out" (even if it was their own fault not to memorize the password). Unfortenately, exactly those users are critical and potentially subject of password attacks (since they are equipped with powerful authorizations).
Maybe it would sense to convince the management to invest in smardcards (at least for that special user group). Using a non-password based user authentication mechanism eliminates the risk of undesired password locks - without imposing other (even greater) risks.
If you still want to implement such automatic unlocking (despite the advice given above) you should write your own tiny ABAP report which then submits function calls to BAPI_USER_UNLOCK and schedule a periodic background job for that report.
Cheers, Wolfgang
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-24-2008 6:55 AM
