SAP Security Audit Logs - Intentionally Blocked User

We have a user, manager, that is constantly being locked by someone through failed logon attempts. Can I find out who is trying to log on as another user and locking it?

Resolution:

Turn on Security Audit Logging using SM19, and review the audit logs using SM20. In SM19, use a filter that logs everything available for that particular user ID, then analyze the resulting entries for that user ID in SM20.

Pay attention to the terminal being used. If you see more than one terminal, it could be someone else trying to use the ID. Also, depending on what the application is for, it might be necessary in some cases to change the user ID to type System to resolve locks or expired passwords for a non-dialog user, specifically when a non-SAP application is able to change the password of a non-dialog ID.

There is documentation on setting up the SAP Security Audit Log, and it is not difficult. You can even have a CCMS log agent email you in real time when entries for that ID show up in the audit logs, so you can catch the person in the act or identify the underlying cause.

You should also consider reviewing RFC logs. Turn up the verbosity of the trace and you can see a lot of detail when the ID is being used in RFC scenarios.
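The terminal check described above can be scripted once the SM20 result list has been saved to a file. This is an added example, not part of the original page or of SAP's tooling; the semicolon-delimited layout, the column names, the terminal names and the user JSMITH are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: an SM20 result list saved as a semicolon-delimited file.
# Column names and rows are assumptions for this example, not a fixed SAP format.
SAMPLE_EXPORT = """date;time;client;user;terminal;msg_id;text
2024-03-04;08:01:12;100;MANAGER;PC-FIN-017;AU1;Logon successful
2024-03-04;09:14:40;100;MANAGER;PC-WH-203;AU2;Logon failed
2024-03-04;09:14:55;100;MANAGER;PC-WH-203;AU2;Logon failed
2024-03-04;09:15:09;100;MANAGER;PC-WH-203;AU2;Logon failed
2024-03-04;10:02:31;100;JSMITH;PC-WH-203;AU1;Logon successful
"""

# Security Audit Log message IDs: AU1 = logon successful, AU2 = logon failed
LOGON_OK, LOGON_FAILED = "AU1", "AU2"


def terminals_for_user(export_text, user_id):
    """Count successful and failed logons per terminal for one user ID."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["user"].upper() != user_id.upper():
            continue
        if row["msg_id"] == LOGON_OK:
            stats[row["terminal"]]["ok"] += 1
        elif row["msg_id"] == LOGON_FAILED:
            stats[row["terminal"]]["failed"] += 1
    return dict(stats)


def suspect_terminals(export_text, user_id):
    """Terminals that only ever failed to log on as user_id, worst first."""
    stats = terminals_for_user(export_text, user_id)
    hits = [(t, s["failed"]) for t, s in stats.items() if s["failed"] and not s["ok"]]
    return sorted(hits, key=lambda h: -h[1])


def other_users_on(export_text, terminal, exclude):
    """User IDs that logged on successfully from a terminal (its usual users)."""
    rows = csv.DictReader(io.StringIO(export_text), delimiter=";")
    return sorted({r["user"] for r in rows
                   if r["terminal"] == terminal and r["msg_id"] == LOGON_OK
                   and r["user"].upper() != exclude.upper()})


if __name__ == "__main__":
    for term, fails in suspect_terminals(SAMPLE_EXPORT, "MANAGER"):
        print(term, fails, other_users_on(SAMPLE_EXPORT, term, "MANAGER"))
```

A terminal that shows only failed logons for the locked ID, combined with the IDs that log on successfully from the same terminal, narrows down who to talk to; it is a lead to follow up, not proof of intent.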
 

SAP Security Audit Logs

SAP R/3 supports an internal auditing system, called the Security Audit Log. Each SAP application server maintains a daily audit file. You can specify the name and location of the Security Audit Log using the rsau/local/file profile parameter.

To activate the internal audit system, set the audit log parameters as described in the following table:

Audit Log parameter settings

Audit Log Parameter          Set value to...
rsau/enable                  1
rsau/local/file              path to audit log file
rsau/max_diskspace/local     maximum space to allocate for the audit files
rsau/selection_slots         3
rec/client                   ALL

Note:
The rsau/local/file parameter contains the entire path name to the audit logs, as well as the file name. The file name must include + symbols to contain a variable datepart. Do not include a file extension in the file name. See the following examples for clarification. 

This example shows a valid path and filename: 
/usr/sap/machine1/log/audit_++++++++

This example shows an invalid path and filename; the filename does not include a datepart: 
/usr/sap/machine1/log/audit

This example shows an invalid path and filename; the filename includes a file extension: 
/usr/sap/machine1/log/audit_++++++++.aud

After you set the audit log profile parameters, start transaction SM19 to specify which events to log in the Security Audit Log.
