RLFW_SD_DISABLEE_LOGON: ZDM: Logon Restriction

Report RLFW_SD_DISABLEE_LOGON sets the dynamic instance profile parameter login/server_logon_restriction, which prohibits some users from logging on to an application server (cf. note 1891583 – Restricting logon to the application server).

There are three levels of restriction:

  • (1) no restriction,
  • (2) logon restricted to users with a specific security policy attribute, and
  • (3) full restriction.

For details, see the “Selection” section below.

Prerequisites

You must have PADM authority in field S_ADMI_FCD of authorization object S_ADMI_FCD.

Selection

“Servers” group

  • You can specify the application server(s) on which the logon restriction will be imposed. This parameter is optional; if no entry is made, the restriction is imposed on all application servers.

“Who Can Logon” group

  • In this group you can select the logon restriction level.
    • “Everyone” means there is no restriction. Any previously-set restriction will be removed.
    • “server_logon_privilege Users” means only users with the server_logon_privilege attribute in an assigned security policy can log on.
    • “None” means no user except SAP* is allowed to log on to an application server.

“Operation Mode” group

  • No change will be made if the “Test Mode” checkbox is checked.

Output

A simple message will be written on the screen. There are three kinds of messages:

  • Successful.
  • Authority error. This message will be written when you have no authority to perform the profile parameter change.
  • Communication error. This message will be written when an attempt to change the profile parameter of another application server has failed due to a communication problem.

Activities

The following steps are suggested:

  1. Set attribute server_logon_privilege in a security policy and assign the policy to the users who will be allowed to log on after the logon restriction has been imposed. Do not forget to assign it to yourself. Consider not only normal GUI users but also other users, such as an external program that logs on to the system via an RFC connection.
  2. Execute the report with “Test Mode” checked. If an error is reported, rectify the situation.
  3. Notify users that you are going to impose the logon restriction. Report RLFW_SD_NOTIFY_USERS can be used for this task.
  4. Execute the report with “Test Mode” unchecked. A dialog box will pop up asking you to confirm.
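
A pre-flight check for step 1, as an added example (not SAP code and not part of the report): it applies the three “Who Can Logon” levels to a user list and reports who would be locked out, grouped by user type so that RFC and other technical users stand out. The sample data, its layout, the user-type labels, and the assumption that a value of "1" grants the attribute are constructed for illustration.

```python
from collections import defaultdict

ATTR = "server_logon_privilege"  # attribute name as written on the page
LEVELS = ("Everyone", "server_logon_privilege Users", "None")

# Constructed sample data (hypothetical export layout, not an SAP table format).
POLICIES = {
    "ZDM_ADMIN": {ATTR: "1"},
    "STANDARD": {"min_password_length": "10"},
}
USERS = [  # (user, user type, assigned security policy or None)
    ("SAP*", "dialog", None),
    ("BASIS_OPS", "dialog", "ZDM_ADMIN"),
    ("JSMITH", "dialog", "STANDARD"),
    ("RFC_MONITOR", "system", None),
    ("RFC_UPGRADE", "communication", "ZDM_ADMIN"),
]

def may_log_on(user, policy, level, policies):
    """Apply the rules of the "Who Can Logon" group to a single user."""
    if level == "Everyone":
        return True
    if level == "None":
        return user == "SAP*"  # the page names SAP* as the only exception
    if level == "server_logon_privilege Users":
        # Assumption: "1" means granted. The page states the SAP* exception
        # only for "None", so this check does not assume it here.
        return policies.get(policy, {}).get(ATTR) == "1"
    raise ValueError(f"unknown level: {level!r}")

def preflight(users, policies, level, operator):
    """Return (users locked out grouped by type, whether the operator is among them)."""
    blocked = defaultdict(list)
    for user, utype, policy in users:
        if not may_log_on(user, policy, level, policies):
            blocked[utype].append(user)
    locked_self = any(operator in names for names in blocked.values())
    return dict(blocked), locked_self

if __name__ == "__main__":
    blocked, locked_self = preflight(USERS, POLICIES, LEVELS[1], "BASIS_OPS")
    for utype, names in sorted(blocked.items()):
        print(f"{utype}: {', '.join(names)}")
    print("operator locked out:", locked_self)
```

Any non-dialog user in the output is a candidate for the RFC case mentioned in step 1 and should be reviewed before the report is run with “Test Mode” unchecked.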
