
Prevention of multiple SAPGUI logons

rekha || 21 Oct 2010 10:12 am || 0

You want to prevent the multiple dialog logon (using SAPGUI) by users on your SAP system:

* A user should be able to log on to the SAP system using SAPGUI (WinGUI/JavaGUI) exactly one time. Multiple logons to the same system from the same front-end PC should also be prevented.

* System access using the Internet Transaction Server (ITS) should not be affected by this (=> WebGUI, IACs).

* As long as the user is logged on to the Workplace or Enterprise Portal and calls a SAPGUI transaction through a URL (iView) generated there (using the SAP logon ticket created by the Workplace or Enterprise Portal), this should not be regarded as a new logon: the logon was carried out centrally in the Workplace or the Enterprise Portal, and the SAPGUI transaction is called using Single Sign-On.

* Also, RFC accesses should not be regulated.

Customer request (Security Policy) is for the prevention of multiple logons.

As of Release 4.6A, the standard R/3 system can prevent multiple dialog logons through a profile parameter (login/disable_multi_gui_login).

The profile parameter is available in Release 4.5B after applying Support Package 4 (SAPKH45B04). We cannot deliver online documentation for this preliminary development. Therefore, the profile parameter is described in this note (see the section below).
Special feature in Release 4.5: Multiple dialog messages in different languages are tolerated (no dialog box).

In Release 4.5B, after applying Support Package 9 (SAPKH45B09), the dialog box can be confirmed with the Enter key. It is no longer required to confirm the dialog box by using the mouse.

As of Release 3.0D, you can prevent a multiple dialog logon by means of separate ABAP source code (in the dialog logon user exit SUSR0001, see Note 37724).

Important additional notes

However, the following requirements must be taken into account:

* R/3 Release 3.0D - 3.1I:

- Kernel 3.1I, as of patch level 103
(for this, read Note 102445)

- Profile parameter rdisp/gui_cleanup_delay = 0
(in all instance profiles, not in DEFAULT.PFL)

* Release 4.0A + 4.0B:

- Kernel 4.0B, as of patch level 202
(for this, read Note 102461)

- Profile parameter rdisp/gui_cleanup_delay = 0
(in all instance profiles, not in DEFAULT.PFL)

* Release 4.5A, 4.5B, 4.6A + 4.6B:

- Profile parameter rdisp/gui_cleanup_delay = 0
(in all instance profiles, not in DEFAULT.PFL)

If these requirements are not observed, the danger exists that users are mistakenly interpreted as "already logged on" and consequently, the system logon is prohibited although no multiple dialog logon actually exists. By setting the (undocumented) profile parameter rdisp/gui_cleanup_delay to 0, the option for the session transfer is deactivated. Generally this option allows the activation of a terminated SAPGUI session by establishing a connection to the same application server within a certain period of time (approx. 5 minutes). For this purpose, session information is kept on the server for this period of time even if the session terminated. However, this behaviour is not useful when multiple dialog logons should be prevented, and should therefore be deactivated.

In addition, you must declare function module TH_USER_LIST as suitable for RFC in all releases before 4.5A (3.0D - 4.0B) (modification):

1. Call Transaction SE37 and select function module TH_USER_LIST

2. Change interface: Administration: Process type "Remote Function Call supported"

3. Activate the function module.

If you do not carry out this modification, dialog messages to remote R/3 servers are not recognized and multiple logons would still be possible.

You can retrieve the example source code attached to this note using 'Note administration' ==> 'Corrections' ==> 'Correction instructions'.
If you already use the include ZXUSRU01 with your own source code, you should implement the call "PERFORM CHECK_MULTI_LOGON" in the appropriate place in the already existing source code.

Documentation for profile parameter "login/disable_multi_gui_login"

If this parameter is set to value 1, multiple SAPGUI logons (in the same client and with the same user) are blocked by the system.
The parameter is effective during the SAPGUI logon. Logons to the system using the Internet Transaction Server (ITS) or Remote Function Call (RFC) are not influenced by the profile parameter. Furthermore, SAPGUI transaction calls (iViews) that are placed through the Workplace or the Enterprise Portal are not controlled with regard to multiple logons.
Application area: Login
Unit: Boolean value 0 / 1
Default value: 0
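
The two settings described above (login/disable_multi_gui_login = 1, and rdisp/gui_cleanup_delay = 0 in every instance profile rather than in DEFAULT.PFL) can be checked mechanically. The following is an added example, not code from the note: it assumes a release in the ranges listed above, profiles in the usual "name = value" format, and uses constructed profile names and contents.

```python
# Added example: audit SAP profile text for the two parameters in this note.
# Profile names and contents below are constructed samples.

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(default_text, instance_texts):
    """Return sorted findings. instance_texts maps profile name -> text."""
    findings = []
    default = parse_profile(default_text)
    if "rdisp/gui_cleanup_delay" in default:
        findings.append("DEFAULT.PFL: rdisp/gui_cleanup_delay belongs "
                        "in the instance profiles")
    for name, text in instance_texts.items():
        inst = parse_profile(text)
        # The note asks for this value in each instance profile itself.
        if inst.get("rdisp/gui_cleanup_delay") != "0":
            findings.append(f"{name}: rdisp/gui_cleanup_delay is not 0")
        # Instance values override DEFAULT.PFL; the documented default is 0.
        effective = inst.get(
            "login/disable_multi_gui_login",
            default.get("login/disable_multi_gui_login", "0"))
        if effective != "1":
            findings.append(f"{name}: login/disable_multi_gui_login is not 1")
    return sorted(findings)

DEFAULT_PFL = """# constructed sample
login/disable_multi_gui_login = 1
"""
INSTANCES = {
    "PRD_DVEBMGS00_host1": "rdisp/gui_cleanup_delay = 0\n",
    # Missing the cleanup delay and overriding the logon switch locally.
    "PRD_D01_host2": "# constructed sample\n"
                     "login/disable_multi_gui_login = 0\n",
}

if __name__ == "__main__":
    for finding in audit(DEFAULT_PFL, INSTANCES):
        print(finding)
```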