Manufacturing plants often operate shared Windows desktops that are used by many people over the course of a shift. These machines typically run critical applications such as SAP, where transaction codes (Tcodes) are entered to perform operational tasks, some of them sensitive. When every user logs in with a single shared Windows account, the organization can no longer answer basic questions:
- Which user accessed which device, and when?
- Which SAP transactions were performed, and by whom?
- How long was each person logged in?
- Was a sensitive activity performed by someone authorized to perform it?
- How can authentication, session control and accountability be enforced at all when everyone shares one login?
To address these challenges, miniOrange Data Loss Prevention (DLP) provides a Shared User Login Solution combined with SAP Activity Monitoring, offering full visibility, traceability, and security for shared environments.
A customer with multiple Windows desktops deployed across their plant floor faced the following issues:
1. Lack of User-Level Accountability: All machines were accessed using the same local Windows user account. As a result:
- There was no way to identify which actual user logged into a specific system.
- All activities appeared under the same username.
- Misuse, policy violations, or security breaches could not be traced.
2. No SAP User Identification: SAP was installed on these shared machines, but:
- Users logged into SAP without any monitoring or identity mapping.
- There was no tracking of which real user launched SAP.
- Sensitive Tcodes could be executed without oversight.
3. No Control Over User Access & Sessions: Since all devices shared a common login:
- Users could not be individually authenticated.
- MFA could not be enforced.
- Idle users could not be logged out automatically.
- Risky users could not be remotely signed out.
These gaps posed significant security, compliance and auditing challenges.
To resolve these challenges, miniOrange implemented two coordinated components:
1. Shared User Login for Windows Devices
Instead of directly entering the local Windows credentials, users now authenticate using their miniOrange Identity Provider (IdP) account.
Workflow:
- User enters their miniOrange username and password on the login screen.
- MFA is enforced (OTP, push notification, biometric, etc.).
- Once authenticated, the login module signs them into the shared local Windows account on their behalf, so the local account's credentials are no longer entered by users.
- The login is recorded in the miniOrange dashboard with the complete user identity.
Benefits:
- Clear visibility of which miniOrange user accessed the machine.
- MFA enforcement ensures strong authentication.
- Risk-based access control and policies can be applied.
- Admins can remotely sign out users if suspicious activity is detected.
- Idle session timeout / auto-lock ensures devices are secured.
2. SAP Activity Monitoring Application
A custom miniOrange SAP Monitoring application was deployed on each device.
Workflow:
a. SAP Login Monitoring:
- Detects SAP logon and logoff inside the GUI.
- Maps each SAP session to the miniOrange user signed in on the device.
- Tracks SAP logins and logouts over time.
b. SAP Tcode Monitoring:
- Detects when a user enters a predefined restricted or sensitive Tcode.
- Reports the event along with user identity, timestamp and device.
c. SAP Application Lifecycle Tracking:
- Detects when the SAP GUI is launched and when it exits.
- Reports which miniOrange user started SAP.
- Records the duration of each SAP session per user and device.
Benefits:
- Complete visibility of SAP usage per user.
- Traceability for compliance and audit teams.
- Real-time detection of unauthorized Tcode access.
- Ability to take action based on user behavior.
1. Identity-Based Login Flow
- All user identities are stored in the miniOrange IdP.
- Windows authentication on the shared device is routed through the Shared Login Module rather than the local account's password prompt.
- The module validates the user (including MFA) against the miniOrange IdP and then grants access to the local Windows account.
- Because this login path is identical on every system, MFA and access policies are enforced consistently from the IdP.
2. SAP Monitoring Integration
- The SAP GUI Scripting API is used to read the Tcodes entered by users. Scripting must be enabled on the SAP application server (profile parameter sapgui/user_scripting) and in the SAP GUI client options for this to work.
- A lightweight monitoring agent on each device captures SAP launch, logon/logoff and Tcode events and tags them with the miniOrange user currently signed in.
- Logs are transmitted securely to the miniOrange DLP backend.
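The following Python is an added example of the endpoint side of this integration; it is not miniOrange's agent code. It polls every open SAP GUI session through the SAP GUI Scripting API, reads the running transaction from the session's Info object (one way to implement what the page calls reading Tcodes via GUI scripting), and emits an event whenever the transaction changes, flagging codes on a restricted list. Assumptions: pywin32 supplies the COM binding, scripting is enabled on client and server, RESTRICTED_TCODES stands in for the list an administrator would configure (the page names none), and the device name and IdP user are placeholders that the login module would supply in a real deployment.

```python
"""Endpoint-side Tcode monitoring via the SAP GUI Scripting API.

Added example, not miniOrange's agent. Polls each open SAP GUI session, reads the
running transaction and emits an event when it changes, flagging restricted Tcodes.
Assumptions: pywin32 provides the COM binding, SAP GUI Scripting is enabled on client
and server, RESTRICTED_TCODES is a stand-in list, and device/idp_user are placeholders
that the shared login module would supply in practice.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumed list; the page names no specific Tcodes. These are common high-impact SAP
# administration transactions (user maintenance, role maintenance, table browsing).
RESTRICTED_TCODES = frozenset({"SU01", "PFCG", "SE16", "SE16N", "SM49", "SM69"})

# The Easy Access menu reports this pseudo-transaction; it is not a user-entered Tcode.
START_SCREEN = "SESSION_MANAGER"


@dataclass
class TcodeEvent:
    timestamp: str
    device: str
    idp_user: str   # miniOrange identity signed in on the shared Windows account
    sap_user: str   # user ID inside SAP, from GuiSessionInfo.User
    system: str     # SAP system ID, from GuiSessionInfo.SystemName
    tcode: str
    restricted: bool


@dataclass
class TcodeWatcher:
    """Remembers the last transaction seen per SAP session so that polling the same
    screen repeatedly does not produce duplicate events."""
    device: str
    idp_user: str
    restricted: frozenset = RESTRICTED_TCODES
    last_seen: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def normalize(tcode: str) -> str:
        """Upper-case the code and strip the /n and /o command prefixes a user can type
        in the command field (relevant if the okcd field is read instead of
        Info.Transaction, which already reports the bare code)."""
        tcode = (tcode or "").strip().upper()
        for prefix in ("/N", "/O"):
            if tcode.startswith(prefix):
                tcode = tcode[len(prefix):]
        return tcode

    def observe(self, session_id: str, tcode: str, sap_user: str, system: str,
                now: Optional[datetime] = None) -> Optional[TcodeEvent]:
        """Record the current transaction of one session; return an event only when it
        changed to a real transaction."""
        tcode = self.normalize(tcode)
        if not tcode or tcode == self.last_seen.get(session_id):
            return None
        self.last_seen[session_id] = tcode
        if tcode == START_SCREEN:
            return None  # back on the menu: remember it, but it is not a Tcode entry
        return TcodeEvent(
            timestamp=(now or datetime.now(timezone.utc)).isoformat(),
            device=self.device, idp_user=self.idp_user, sap_user=sap_user,
            system=system, tcode=tcode, restricted=tcode in self.restricted)


def poll_sap_gui(watcher: TcodeWatcher) -> list:
    """One pass over all open SAP GUI connections and sessions. Windows-only: needs
    pywin32 and a running SAP GUI with scripting enabled, hence the lazy import."""
    import win32com.client  # pywin32, assumed installed on the endpoint
    app = win32com.client.GetObject("SAPGUI").GetScriptingEngine()
    events = []
    for c in range(app.Children.Count):
        conn = app.Children(c)
        for s in range(conn.Children.Count):
            sess = conn.Children(s)
            info = sess.Info
            ev = watcher.observe(sess.Id, info.Transaction, info.User, info.SystemName)
            if ev is not None:
                events.append(ev)
    return events


if __name__ == "__main__":
    import time
    # Placeholder device and user; in practice these come from the login module.
    watcher = TcodeWatcher(device="PLANT-WS-01", idp_user="alice@example.com")
    while True:
        for ev in poll_sap_gui(watcher):
            print(("RESTRICTED " if ev.restricted else "") + str(ev))
        time.sleep(1)
```

Two points a practitioner should keep in mind: the same Scripting API that lets the agent read the transaction also lets any process drive the GUI, so enabling sapgui/user_scripting widens the client's automation surface and should be limited to the hosts that need it; and the agent only provides accountability if it runs under an account the shared Windows user cannot stop or tamper with.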
3. Centralized Visibility Console: Admins can see:
- Each user’s login activity across all devices.
- SAP usage reports.
- Tcode violation alerts.
- Idle timeout and forced logout events.
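As an added example of the correlation behind this console (not miniOrange's code), the Python below joins session records from the shared login module with Tcode events from the endpoint agent. Each Tcode event is attributed to the miniOrange user whose Windows session on that device covered the event time; the result is per-user SAP usage plus two kinds of alert: a restricted Tcode, and a Tcode event that falls outside any recorded session, which is what activity after an idle timeout or forced sign-out, or a bypass of the login module, looks like. The record layouts, field names, sample rows and restricted list are all constructed for illustration.

```python
"""Console-side correlation of shared-desktop sessions with SAP Tcode events.

Added example, not miniOrange's console. Attributes each Tcode event to the IdP user
whose Windows session on that device covered the event time, builds per-user SAP
usage, and raises alerts for restricted Tcodes and for events outside any session.
Record layouts, field names, sample rows and the restricted list are constructed.
"""
from collections import defaultdict
from datetime import datetime
import json
from typing import Dict, List, Optional

RESTRICTED_TCODES = frozenset({"SU01", "PFCG", "SE16"})  # assumed list

# Constructed session records from the shared login module (one JSON object per line).
# "end": null means the session was still open when the report ran.
SESSION_LOG = """
{"device":"PLANT-WS-01","idp_user":"alice@example.com","start":"2024-05-02T06:58:00Z","end":"2024-05-02T10:02:00Z","end_reason":"logout"}
{"device":"PLANT-WS-01","idp_user":"bob@example.com","start":"2024-05-02T10:05:00Z","end":"2024-05-02T10:35:00Z","end_reason":"idle_timeout"}
{"device":"PLANT-WS-02","idp_user":"carol@example.com","start":"2024-05-02T07:10:00Z","end":null,"end_reason":null}
"""

# Constructed Tcode events from the endpoint agent. The SAP user is the same shared
# SAP account on every row, which is exactly why attribution has to come from the
# Windows-side session record rather than from SAP.
TCODE_LOG = """
{"device":"PLANT-WS-01","ts":"2024-05-02T07:15:00Z","sap_user":"SHARED_PLANT","tcode":"MM03"}
{"device":"PLANT-WS-01","ts":"2024-05-02T10:20:00Z","sap_user":"SHARED_PLANT","tcode":"SE16"}
{"device":"PLANT-WS-01","ts":"2024-05-02T10:50:00Z","sap_user":"SHARED_PLANT","tcode":"SU01"}
{"device":"PLANT-WS-02","ts":"2024-05-02T09:00:00Z","sap_user":"SHARED_PLANT","tcode":"PFCG"}
"""


def parse_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(value: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11 on; normalize it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def attribute(sessions: List[dict], event: dict) -> Optional[str]:
    """Return the IdP user whose session on the event's device covers the event time
    (end inclusive), or None if no session does. If sessions overlap, the
    latest-starting one wins."""
    when = ts(event["ts"])
    best = None
    for s in sessions:
        if s["device"] != event["device"]:
            continue
        start = ts(s["start"])
        end = ts(s["end"]) if s["end"] else None
        if start <= when and (end is None or when <= end):
            if best is None or start > ts(best["start"]):
                best = s
    return best["idp_user"] if best else None


def build_report(sessions: List[dict], events: List[dict],
                 restricted=RESTRICTED_TCODES) -> Dict[str, object]:
    """Per-user SAP usage plus alerts, processed in time order."""
    usage: Dict[str, List[str]] = defaultdict(list)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: ts(e["ts"])):
        user = attribute(sessions, ev)
        if user is None:
            # The shared Windows account ran SAP with nobody signed in through the IdP:
            # activity after a timeout/forced sign-out, or a bypass of the login module.
            alerts.append({"kind": "unattributed_tcode", "idp_user": None, **ev})
            continue
        usage[user].append(ev["tcode"])
        if ev["tcode"] in restricted:
            alerts.append({"kind": "restricted_tcode", "idp_user": user, **ev})
    return {"usage": dict(usage), "alerts": alerts}


if __name__ == "__main__":
    report = build_report(parse_jsonl(SESSION_LOG), parse_jsonl(TCODE_LOG))
    print(json.dumps(report, indent=2))
```

On the sample data the SU01 event at 10:50 on PLANT-WS-01 is flagged as unattributed because bob's session ended with an idle timeout at 10:35; in a real console that alert deserves a higher severity than a restricted Tcode with a known user, since it means the shared account was active without an IdP identity behind it.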
1. Accountability & Traceability Restored: Even though devices continue to use a shared Windows account, miniOrange ensures:
- The real user behind every session is recorded, together with the device and login time.
- Detailed user-level reports are available.
Note that native Windows records (the Security event log, file and share access auditing) still show the shared local account; the mapping to the real person lives in the miniOrange login records, so investigators correlate the two by device and time.
2. SAP Activity Visibility: The key events inside the SAP GUI are recorded per user:
- SAP login and logout events.
- SAP GUI launch and exit events.
- Sensitive Tcodes entered.
- The user's session flow across these events.
3. Strong Security Enforcement: With miniOrange capabilities:
- MFA is enforced for all users.
- Remote user signout is possible.
- Idle session timeout is enforced.
- Policy-based access control is enforced.
4. Operational Efficiency:
- No need to create individual Windows accounts for every user.
- Users authenticate using existing identity provider credentials.
- Works seamlessly across all shared devices.
By deploying miniOrange Shared User Login and SAP Activity Monitoring, organizations can transform insecure shared desktops into fully auditable, identity-driven access points. The solution provides:
- Verified user identity for each access.
- Strong authentication controls.
- Complete SAP usage visibility.
- Protection against unauthorized activity.
- Centralized reporting for audits and compliance.
This ensures both operational efficiency and strong security for shared device environments.