Un-authorizing Logons Protections

To implement security in a SAP system, it is required to monitor unsuccessful login in a SAP environment. When someone tries to login to a system using an incorrect password, the system should either lock the username for some time or that session should be terminated after a defined number of attempts.

Various security parameters can be set for unauthorized logon attempts −

• Terminating a Session
• Locking User
• Activating Screen Savers
• Monitoring unsuccessful logon attempts
• Recording logon attempts

Let us now discuss each of these in detail.

Terminating a Session

When there are a multiple number of unsuccessful login attempts made on a single user id, the system ends the session for that user. This should be sent using a Profile parameter − login/fails_to_session_end.

To change the Parameter value, run Transaction RZ10 and select the Profile as shown in the following screenshot. Select Extended Maintenance and click on Display.

Select the parameter that you want to change and click on the Parameter button at the top as shown below.

When you click on the Parameter tab, you can change the value of the parameter in a new window. You can also create the new parameter by clicking on the Create (F5) button.

To see the details of this parameter, run Transaction Code: RZ11 and enter the profile name – login/fails_to_session_end and the click on Display Document.

• Parameter − login/fails_to_session_end

• Short text − Number of invalid login attempts until the session ends.

• Parameter Description − Number of invalid login attempts that can be made with a user master record until the logon procedure is terminated.

• Application Area − Logon

• Default Value − 3

• Who is permitted to make changes? − Customer

• Operating System Restrictions − None

• Database System Restrictions − None

• Are other parameters affected or dependent? − None

• Values allowed − 1 - 99

In the above screenshot, you can see value of this parameter is set to 3, i.e. the default value too. After 3 unsuccessful login attempts, session will be terminated for a single user.

Locking User

You can also put a check on a specific User Id, if a set number of consecutive unsuccessful attempts to logon is exceeded under a single User Id. Set the number of invalid logon attempts that are allowed in the profile parameter: login/fails_to_user_lock.

• It is possible to set a lock on specific User ID’s.

• Locks are applied on a User Id till midnight. However, it can also be removed manually at any time by a System Administrator.

• In a SAP system, you can also set a parameter value that allows lock to be placed on the User Id till they are manually removed. Parameter name: login/failed_user_auto_unlock.

Profile parameter: login/fails_to_user_lock

Every time an incorrect logon password is entered, the failed logon counter for the relevant user master record is increased. The logon attempts can be logged in the Security Audit Log. If the limit specified by this parameter is exceeded, the relevant user is locked. This process is also logged in Syslog.

The lock is no longer valid after the current day is over. (Other Condition −login/failed_user_auto_unlock)

The failed logon counter is reset once the user logs on using the correct password. Logons that are not password-based do not have any effect on the failed logon counter. However, active logon locks are checked for every logon.

• Values allowed − 1 – 99

To see the current value of this parameter, use T-Code: RZ11.

• Parameter name − login/failed_user_auto_unlock

• Short text − Disable automatic unlocking of locked user at midnight.

• Parameter Description − Controls the unlocking of users locked by logging on incorrectly. If the parameter is set to 1, locks that were set due to failed password logon attempts only apply on the same day (as the locking). If the parameter is set to 0, the locks remain in effect.

• Application Area − Logon.

• Default Value − 0.

Activating Screen Savers

System administrators can also enable screen savers to protect the frontend screen from any unauthorized access. These screensavers can be password protected.

Monitoring Unsuccessful Logon Attempts and Recording Logon Attempts

In a SAP system, you can use report RSUSR006 to check if there are users who have tried any unsuccessful logon attempts in the system. This report contains detail about the number of incorrect login attempts by a user and the user locks and you can schedule this report as per your requirement.

Go to ABAP Editor SE38 and enter the report name and then click on EXECUTE.

In this report, you have different details like Username, Type, Created On, Creator, Password, Lock and Incorrect Login Details.

In a SAP system, it is also possible that you use Security Audit Log (transactions SM18, SM19 and SM20) to record all the successful and unsuccessful logon attempts. You can analyze the security audit logs using SM20 transaction, but security audit should be activated in the system to monitor security audit logs.

Logging off Idle Users

When a user is already logged into a SAP system and session is inactive for a specific period, you can also set them to logoff to avoid any unauthorized access.

To enable this setting, you need to specify this value in the profile parameter: rdisp/gui_auto_logout.

• Parameter Description − You can define that inactive SAP GUI users are automatically logged off from a SAP system after a predefined period. The parameter configures this time. Automatic logoff in the SAP system is deactivated by default (value 0), that is, the users are not logged off even if they do not execute any actions for a longer period.

• Values allowed − n [unit], where n >= 0 and Unit = S | M | H | D

To see the current value of parameter, run T-Code: RZ11.

The following table shows you the list of key parameters, their default and permitted value in a SAP system −