This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP license and maximum number of Multiple Logon's per user


Postby adi2011 » Wed Jun 01, 2011 5:41 am

Hello,

Under transaction RZ10 I would like to change login/disable_multi_gui_login (set the value from 1 to 0), but as I read on the Internet, this is unfortunately considered as violating the SAP license agreement.

I am not sure what the purpose of this option is if setting this parameter to value 0 means violating the SAP license agreement. In which case am I able to use this possibility?

Also one other important question: in case I set this option to value 0 (*enable* multiple login), what are the damages/risks? I tried to find it on the Internet but no luck.

Many thanks in advance for prompt replies and kind regards,
Adi
adi2011
 
Posts: 18
Joined: Thu Apr 28, 2011 1:13 am

Re: SAP license and maximum number of Multiple Logon's per user

Postby Al. » Wed Jun 01, 2011 11:22 pm

adi2011 wrote:Hello,

Under transaction RZ10 I would like to change login/disable_multi_gui_login (set the value from 1 to 0), but as I read on the Internet, this is unfortunately considered as violating the SAP license agreement.


Speak to your SAP Account Manager. SAP licence agreements are negotiated on a company-by-company basis. If you have agreement (or can get it) to use generic IDs then this would not contravene the licence. Some of my clients have had this in the past (not that I agree with it).

adi2011 wrote: I am not sure what the purpose of this option is if setting this parameter to value 0 means violating the SAP license agreement. In which case am I able to use this possibility?


The licence agreement (generally) relates to the prod instances. Having the ability to have multiple logins increases flexibility of use of the system for non-prod purposes.

adi2011 wrote: Also one other important question: in case I set this option to value 0 (*enable* multiple login), what are the damages/risks? I tried to find it on the Internet but no luck.


Main risk is that users will share passwords. If users are sharing passwords then you lose the ability to easily identify who changed data in the system. This is a core principle of information security & process control.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SAP license and maximum number of Multiple Logon's per user

Postby Gary Morris » Wed Jun 08, 2011 10:40 am

It is a High Risk security issue. Consider the possibility of someone compromising your pw and logging in as you while you were in the system and making security changes with your ID showing up in the history changes or security audit logs. This parameter is a pretty simple solution to make that impossible. Of course there are ways to see which terminal they came from, but that is not much help if they were sitting behind someone else's computer as well. I think all auditors will consider it a High Risk.
Gary Morris
SAP Security Consultant
garydavidmorris@gmail.com
Gary Morris
 
Posts: 399
Joined: Sun Oct 20, 2002 10:42 pm
Location: San Antonio, Texas
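
The scenario in the post above (a second logon under an ID that is already in the system from another terminal) can be checked for in logon records. This is an added example and not part of any forum post; the log layout, user IDs, terminal names and function names are constructed for illustration and do not reproduce a real SAP log format.

```python
from datetime import datetime

# Constructed sample records (not a real SAP log format):
# date, time, user ID, terminal, event
SAMPLE_LOG = """\
2011-06-08 09:00:05 JSMITH PC-FIN-01 LOGON
2011-06-08 09:10:41 MBROWN PC-HR-07 LOGON
2011-06-08 09:42:13 JSMITH PC-WH-22 LOGON
2011-06-08 10:15:00 JSMITH PC-FIN-01 LOGOFF
2011-06-08 10:20:30 MBROWN PC-HR-07 LOGOFF
2011-06-08 10:25:00 MBROWN PC-HR-07 LOGON
2011-06-08 11:00:00 JSMITH PC-WH-22 LOGOFF
"""

def parse(log_text):
    """Yield (timestamp, user, terminal, event) tuples from the sample format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, user, terminal, event = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, user, terminal, event

def find_overlapping_logons(log_text, exempt=()):
    """Return one finding per logon that starts while the same user ID
    already has an open session on a different terminal.
    `exempt` is a hypothetical allow-list of IDs approved for multiple logon."""
    open_sessions = {}  # user -> {terminal: logon time}
    findings = []
    for ts, user, terminal, event in sorted(parse(log_text)):
        sessions = open_sessions.setdefault(user, {})
        if event == "LOGON":
            if user not in exempt:
                for other in sessions:
                    if other != terminal:
                        findings.append((user, other, terminal, ts))
            sessions[terminal] = ts
        elif event == "LOGOFF":
            # A logoff without a matching logon is ignored rather than raising.
            sessions.pop(terminal, None)
    return findings

if __name__ == "__main__":
    for user, first, second, ts in find_overlapping_logons(SAMPLE_LOG):
        print(f"{ts} {user}: logon from {second} while session on {first} is open")
```

A finding only shows that one ID was active from two terminals at once; whether that was password sharing or a compromised password still has to be established by follow-up.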

Re: SAP license and maximum number of Multiple Logon's per user

Postby Al. » Thu Jun 09, 2011 12:48 pm

Gary Morris wrote:I think all auditors will consider it a High Risk.


It's generally rated around medium by external auditors & in my experience <50% of implementations have it switched to disallow multiple logins. Regardless of their rating, it's such a no-brainer and so easy to implement that there really is no excuse in my opinion.

The general reason for their rating is that when you are running a H/M/L risk rating system, your H is taken up with the likes of SAP_ALL, SAP* with default password, debug & replace access etc.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

