
BAPI_USER_CHANGE - any alternative

Former Member
0 Kudos

Hi,

I'm using BAPI_USER_CHANGE for resetting a user's password.

The problem with this function is that it sets an initial password, so at the next logon the user will be prompted to change it.

Is there a way to change this behavior?

If not, do I have any other BAPI alternative?

tx a lot,

s.

Accepted Solutions (1)

Former Member
0 Kudos

Hi S.,

>in the next logon the user will be prompted to change it.

This is intentional for security reasons.

Best Regards,

Matt

Former Member
0 Kudos

yes, I understand that.

but I'm looking for a bypass:

some other function that can help me reset the password without this limitation.

tx

Former Member
0 Kudos

Hi Matt,

Let me explain something here.

I'm writing a program that manages the passwords, so if I'm resetting a password I don't want it to be changed again.

Therefore I'm looking for a way to solve this.

tx.

Former Member
0 Kudos

Hi dev,

I did not have time the other day to post a more thorough answer, so let me please explain what I mean.

I understand your requirements. We hear this request often, so let me state some of our (SAP's) thoughts on this matter.

- We know about the issue that BAPI_USER_CHANGE offers no official way to set a productive password.

- SAP does not want to build a simple remote-callable set-productive-password function; it would not match our security rules.

See Note 376856. However, with the increased adoption of Identity Management solutions, in many cases the controlling entity for identities transfers to the IDM system (be it SAP NW IDM, IBM TIM, SUN IDM, or other). It is quite a common requirement for customers to have a central “change password” workflow/web page on top of an IDM solution which allows the IDM solution to call multiple connectors to set identical passwords in several systems. Naturally there are far-reaching security impacts that customers need to be aware of.

That being said, "identity management" is the task of an IDM system, but not "identity validation" (here: "password authentication"). The "controlling entity" is still the backend system (validating the password, implementing its own password security policy). So, please do not mix up "Identity Manager" with "Identity Provider" (as SAML defines this system entity's role). An Identity Provider (IdP) is the central place where credential validation takes place, making "synchronization" obsolete.

Unfortunately, many people believe that password authentication is the one and only way of user authentication. So, they conclude that "Single Sign-On" (logon only once and then be able to use many service providers in a system landscape) would impose the requirement for "password synchronization". SSO does not impose this requirement, though.

There could be alternatives to set a productive password:

0) Wait until SAP offers an official API for setting productive passwords.

SAP position:

- SAP strategic solution is to work with single sign-on instead of distributing passwords. This could change in the future, though.

A) Call BAPI_USER_CHANGE to set a new random initial password. Then call SUSR_USER_CHANGE_PASSWORD_RFC using this password to set the new productive password.

SAP position:

We do not recommend it because there are several drawbacks and limitations. Examples:

- The central server does not know about the local password policy. It might happen that the 2nd step fails but the 1st step has already "destroyed" the old password of the user.

- The new password is transported as a normal function parameter field. Therefore, you would see the value in a trace or a dump.

Best Regards,

Matt

Answers (5)

Former Member
0 Kudos

Hello,

I am having an issue with BAPI_USER_CHANGE. The client has the users centralized in system 250, and the program I am creating has to change the password in any system. So, for example, when I try to change a system 700 password, if I execute the FM it will throw an error because the password change has to be done in 250, and if I do the password change in 250 it will change the password for 250, not for 700.

Do you know any other BAPI I can use, or whether I can set the parameters in a different way to use BAPI_USER_CHANGE?

Thanks for any inputs, regards,

Gustavo

Former Member
0 Kudos

Hi Dev Shlolm,

I have a requirement to reset the password of a user. Can you please explain how to reset a password using the "BAPI_USER_CHANGE" function module?

Thanks in Advance.

Edited by: sreelakshmi.B on Nov 4, 2009 5:15 PM

Former Member
0 Kudos

Hi,

Can you please explain how to reset a password using the "BAPI_USER_CHANGE" function module?

Thanks in Advance.

Former Member
0 Kudos

Hi,

If someone ever needs this info:

DATA: lt_return TYPE STANDARD TABLE OF bapiret2,
      ls_return TYPE bapiret2.

CALL FUNCTION 'BAPI_USER_CHANGE'
  EXPORTING
    username  = 'USERXYZ'
    password  = 'newpassword123'   " parameter is structure BAPIPWD; a flat literal is accepted
    passwordx = 'X'                " change flag: tells the BAPI that PASSWORD is to be updated
  TABLES
    return    = lt_return.

" Evaluate RETURN: the BAPI reports failures here (type E/A) instead of raising exceptions.
LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
  WRITE: / ls_return-message.
ENDLOOP.

This sets the password for USERXYZ to newpassword123 (as an initial password). However, you should implement several checks, like: May the user reset/change his password? Is the user locked, and may we unlock him? etc. Confirm with your security manager for details.


Regards,


Simon Ging
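A fuller version of the same call, added here as an example and not code from the thread or from SAP: it performs the lock check Simon mentions by reading the user's lock flags with BAPI_USER_GET_DETAIL before calling BAPI_USER_CHANGE, refuses administratively locked accounts, and evaluates RETURN after every call. The field names of structure BAPISLOCKD (LOCAL_LOCK, GLOB_LOCK, values 'L'/'U') are from my recollection of the BAPI interface; the report name and the placeholder initial password are assumptions.

```abap
" Added example (not from the thread): set an initial password only after
" checking the user's lock status, and evaluate RETURN after every BAPI call.
REPORT z_pw_reset_example.                      " report name is an assumption

PARAMETERS p_user TYPE xubname OBLIGATORY.

DATA: ls_islocked  TYPE bapislockd,             " lock flags returned by BAPI_USER_GET_DETAIL
      ls_password  TYPE bapipwd,
      ls_passwordx TYPE bapipwdx,
      lt_return    TYPE STANDARD TABLE OF bapiret2,
      ls_return    TYPE bapiret2.

START-OF-SELECTION.

  " Step 1: read the user's lock status. Each flag holds 'L' (locked) or 'U' (unlocked).
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username = p_user
    IMPORTING
      islocked = ls_islocked
    TABLES
      return   = lt_return.

  LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
    WRITE: / 'User lookup failed:', ls_return-message.
    RETURN.
  ENDLOOP.

  " Step 2: policy check. An administrator lock (local, or global via CUA) means
  " the account was deliberately disabled; do not hand it a fresh password.
  IF ls_islocked-local_lock = 'L' OR ls_islocked-glob_lock = 'L'.
    WRITE: / 'User is administratively locked, password not reset.'.
    RETURN.
  ENDIF.

  " Step 3: set an initial password. The literal is a placeholder; a real program
  " must generate a random value that satisfies the system's password profile.
  ls_password-bapipwd  = 'Init-PLACEHOLDER-1'.
  ls_passwordx-bapipwd = 'X'.

  CLEAR lt_return.
  CALL FUNCTION 'BAPI_USER_CHANGE'
    EXPORTING
      username  = p_user
      password  = ls_password
      passwordx = ls_passwordx
    TABLES
      return    = lt_return.

  " The BAPI signals failures through RETURN (type E/A), not through exceptions.
  LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
    WRITE: / 'Password reset failed:', ls_return-message.
    RETURN.
  ENDLOOP.

  WRITE: / 'Initial password set for', p_user, '- the user must change it at next logon.'.
```

The example keeps the behaviour the thread describes: the value set is an initial password, and the user is still forced to change it at the next dialog logon. A wrong-logon lock (WRNG_LOGON) is intentionally not treated as a reason to refuse, since that is the case a password reset typically has to handle; whether the program may also unlock the user is a decision for the security manager, as Simon notes.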

Former Member
0 Kudos

Hi Matt,

thanks for the detailed answer.

I understand SAP's point of view here.

I have another question to you:

Is it possible to use ME_USER_CHANGE_PASSWORD instead of the SUSR function that you specified?

(When using the .net connector I couldn't find the SUSR in the BAPI functions list)

Is there any major difference between these two?

thanks a lot,

shlom

Former Member
0 Kudos

and by the way, Matt:

1. where is the trace in which I can see the password content?

2. If I use BAPI_USER_CHANGE, I won't have this problem? Will the password be sent encrypted?

tx again.

s.

Former Member
0 Kudos

Hi,

>Is it possible to use ME_USER_CHANGE_PASSWORD instead of the SUSR function that you specified?

I do not know. I am familiar with our discussions on this topic, but I am not a programmer and I am not an expert on BAPIs.

>1. where is the trace in which I can see the password content?

System or user trace (ST05), and dumps (ST22).

>2. If I use BAPI_USER_CHANGE, I won't have this problem? Will the password be sent encrypted?

I don't think so, but, again, I am not an expert here.

In a nutshell, your method is not recommended and presents serious security risks that should be discussed with the customer before implementing. It is highly recommended to implement SSO solutions instead.

Best Regards,

Matt

Frank_Buchholz
Product and Topic Expert
0 Kudos

> 2. If I use BAPI_USER_CHANGE, I won't have this problem? Will the password be sent encrypted?

Well, the new initial password which is set with BAPI_USER_CHANGE would be visible in traces and dumps, too. However, it gets changed during the next dialog logon. Therefore, we might accept that risk, as opposed to the long-term risk if a productive password is traced.

(Encryption of the communication channel is possible if you use SNC, Secure Network Communications, but this wouldn't touch the issue about traces and dumps.)

Kind regards

Frank
