12-18-2017 9:02 AM
Dear All,
Are you planning to implement a report related to unsuccessful PIN attempts per user?
According to the Code of Federal Regulations Title 21, a log of failed e-sig attempts is mandatory for every validated system. Please refer to the description below for context and to point (d) for the precise reference.
Currently ELN does not support this log, which is treated as a deviation from the regulation below. Please assess the possibility of adding this log as soon as possible and communicate back the release date. Otherwise, provide the justification for why it is not treated as mandatory for the VSaaS solution by SFSF.
[Code of Federal Regulations]
[Title 21, Volume 1]
[Revised as of April 1, 2017]
[CITE: 21CFR11]
[…]
Sec. 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
[…]
Thanks and regards,
Filip
12-18-2017 8:12 PM
(d) is met via email. When you enter an email address in the global variables > Electronic Signature settings, the admin is notified of unsuccessful attempts at entering a PIN. The notification template used is named "ESigPinFailedNotification". The body of the template displays the name and account that had the attempted access, and the date and time of the attempt.
01-02-2018 8:20 PM
This would require the admins to keep all emails pertaining to unsuccessful attempts. Emails can be deleted and are not a substitute for a report.
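As an added example, not code from the original thread and not SAP SuccessFactors' own implementation: the notification emails described in the reply above can be ingested into a hash-chained log and rolled up into the per-user report that the thread asks for, which also addresses the objection that individual emails can be deleted. The page only says the ESigPinFailedNotification body shows the name, the account and the date and time of the attempt; the field labels, the message layout, the sample messages and the flag threshold of 3 are assumptions made for this example, and the sample notifications are constructed rather than real.

```python
"""Added example (not SAP SuccessFactors' or the forum posters' code): ingest
ESigPinFailedNotification emails into a tamper-evident log and build the
per-user report of failed e-signature PIN attempts asked for in the thread.

Assumptions, not facts from the page: the field labels "Name:", "Account:" and
"Date/Time:" in the notification body, the timestamp layout, and the sample
messages below, which are constructed rather than real notifications.
"""
import hashlib
import json
import re
from collections import defaultdict

GENESIS = "0" * 64  # previous-hash value for the first log entry

# Assumed notification layout (the page only says the body shows the name,
# the account and the date/time of the attempt).
BODY_RE = re.compile(
    r"Name:\s*(?P<name>.+?)\s*\n"
    r"Account:\s*(?P<account>\S+)\s*\n"
    r"Date/Time:\s*(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

# Constructed sample notifications, in arrival order.
SAMPLE_NOTIFICATIONS = [
    "Subject: ESigPinFailedNotification\n\nName: Jane Doe\nAccount: jdoe\n"
    "Date/Time: 2017-12-18 08:55:10\n",
    "Subject: ESigPinFailedNotification\n\nName: Jane Doe\nAccount: jdoe\n"
    "Date/Time: 2017-12-18 08:57:42\n",
    "Subject: ESigPinFailedNotification\n\nName: Bob Smith\nAccount: bsmith\n"
    "Date/Time: 2017-12-18 09:01:00\n",
    "Subject: ESigPinFailedNotification\n\nName: Jane Doe\nAccount: jdoe\n"
    "Date/Time: 2017-12-18 09:03:15\n",
]


def parse_notification(text):
    """Extract name, account and timestamp from one notification body."""
    m = BODY_RE.search(text)
    if m is None:
        raise ValueError("notification body does not match the assumed layout")
    return {"name": m["name"], "account": m["account"], "when": m["when"]}


def entry_hash(prev, record):
    """SHA-256 over the previous entry's hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode("utf-8")).hexdigest()


def append_entry(log, record):
    """Append a record so that each entry commits to the one before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]


def verify_log(log, expected_head=None):
    """True only if every entry chains to its predecessor and, when given,
    the last hash equals the head stored out of band (catches truncation)."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return expected_head is None or prev == expected_head


def build_log(notifications):
    """Parse each notification and append it to a fresh chained log."""
    log = []
    for text in notifications:
        append_entry(log, parse_notification(text))
    return log


def per_user_report(log, threshold=3):
    """Failed attempts per account: count, first/last time and a flag when
    the count reaches the (arbitrary, assumed) threshold."""
    times_by_account = defaultdict(list)
    for entry in log:
        times_by_account[entry["record"]["account"]].append(entry["record"]["when"])
    report = {}
    for account, times in times_by_account.items():
        times.sort()  # ISO-style timestamps sort correctly as strings
        report[account] = {
            "failures": len(times),
            "first": times[0],
            "last": times[-1],
            "flag": len(times) >= threshold,
        }
    return report


if __name__ == "__main__":
    log = build_log(SAMPLE_NOTIFICATIONS)
    head = log[-1]["hash"]  # keep this somewhere the log's admins cannot silently edit
    for account, row in sorted(per_user_report(log).items()):
        print(account, row)
    # Deleting a notification from the middle breaks the chain ...
    print("intact:", verify_log(log, head), "after deletion:", verify_log(log[:1] + log[2:]))
    # ... while dropping the newest one only shows up against the stored head.
    print("truncated, no head:", verify_log(log[:-1]), "with head:", verify_log(log[:-1], head))
```

The chain alone only makes edits and deletions in the middle detectable; a prefix of a valid chain still verifies, so the latest hash must be recorded out of band (a separate system, or a periodically signed checkpoint) and passed as `expected_head`. This is a stop-gap around the email-only notification; a report generated by the system itself, as requested in the thread, remains the proper control.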
08-24-2021 11:02 AM
Hi Filip,
Your request was submitted 4 years ago... did you get a viable solution in the meantime?
Thanks
-Ronny
PS: I would love to see SAP change their PIN implementation and link the password with LDAP, which would solve this issue too (cf. https://community.successfactors.com/t5/Learning-Forum/E-Signature-PIN-with-LDAP-in-LMS/td-p/271464).