This blog will explain an elegant new way to keep end users out of the system during maintenance.
Questions that will be answered are:
- How does the login/server_logon_restriction parameter work?
- How do I assign the right to logon during maintenance?
Traditional ways of keeping users out of the system during maintenance
The traditional way of keeping users out of the system is to lock them, either via SU10 or with a custom-built program.
Major setbacks of both methods:
- Locking and unlocking takes time
- The user history shows constant locks and unlocks that you need to explain to auditors
New login/server_logon_restriction parameter
In more recent SAP systems (7.5 and up) there is a new parameter called login/server_logon_restriction (formal OSS note is 1891583 – Restricting logon to the application server).
If you set this to 1 then only people with the right privilege can log on to the system. The parameter is immediately effective. All non-privileged users will get this error when they try to log on to the system:
After the system maintenance you can set the parameter back to normal and everybody can log on again. User history is not touched.
Be aware that this is a dynamically switchable parameter. If you set the value to 1 and need to restart the system during your maintenance, the value after the restart is back to 0, which means everybody can log on again.
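The restart caveat above can be checked before the maintenance window starts. The following is an added example, not part of the original blog or of SAP tooling: it reads profile text and reports which value of login/server_logon_restriction will apply after a restart. It assumes the usual `name = value` profile syntax with `#` comments, that an instance profile entry overrides DEFAULT.PFL, and that 0 applies when neither sets the parameter; the function names and sample profiles are constructed for illustration.

```python
import re

PARAM = "login/server_logon_restriction"
FALLBACK = "0"  # per the text: without a profile entry the value is back to 0

def parse_profile(text):
    """Return {parameter: value} from profile text ('name = value', '#' comments)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            # Assumption: a later assignment in the same file replaces an earlier one.
            params[m.group(1)] = m.group(2).strip()
    return params

def value_after_restart(default_pfl, instance_pfl):
    """Value and its source after a restart (instance profile > DEFAULT.PFL > fallback)."""
    for source, text in (("instance profile", instance_pfl), ("DEFAULT.PFL", default_pfl)):
        params = parse_profile(text)
        if PARAM in params:
            return params[PARAM], source
    return FALLBACK, "fallback"

def restart_warning(default_pfl, instance_pfl):
    """Return a warning if a restart would drop the restriction set dynamically to 1."""
    value, source = value_after_restart(default_pfl, instance_pfl)
    if value == "1":
        return None
    return (f"{PARAM} will be {value} after restart (from {source}): "
            "set it to 1 again in RZ11 before users try to log on")

# Constructed sample profiles, not taken from a real system.
SAMPLE_DEFAULT = "# DEFAULT.PFL (constructed)\nlogin/system_client = 100\n"
SAMPLE_INSTANCE = "# instance profile (constructed)\nSAPSYSTEMNAME = DEV\n"

if __name__ == "__main__":
    print(restart_warning(SAMPLE_DEFAULT, SAMPLE_INSTANCE) or "restriction survives restart")
```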
How to assign the logon privilege to basis administrators?
First you need to create or extend the user security policy for basis admins using transaction SECPOL. Add the policy attribute SERVER_LOGON_PRIVILEGE and set it to value 1.
Now you can add this security policy to all basis team members in SU01:
Everyone with the security policy ADMIN can still log on during the maintenance when the parameter login/server_logon_restriction is set to 1 in RZ11.
Other use of security policies
Security policies can also be used to enhance the security of specific user groups (like the basis team). See this blog for more on this feature.