How can I make my user's password unchangeable

Former Member
0 Kudos

Hi Expert,

I am currently facing a problem. We have a training system in which a lot of people have full authorization.

My user's password has been changed several times by someone else, so I would like to know if I can make it unchangeable. Also, do you know if I can make the system not lock my user after failed login attempts?

THANKS IN ADVANCE!

Cliff

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

> I am currently facing a problem. We have a training system in which a lot of people have full authorization.
>
> My user's password has been changed several times by someone else, so I would like to know if I can make it unchangeable.

Well, I'd suggest creating proper authorizations with which the trainees cannot change other people's passwords. Or make the training system a CUA client and keep the trainees away from the CUA master. That way they can never really lock you out.

> Also, do you know if I can make the system not lock my user after failed login attempts?

Have a look at the system parameter "login/fails_to_user_lock".

Jurjen

0 Kudos

Hi Heeck,

Thanks for your answer; however, some trainees have full access to the system due to the Basis course needs.

For the second part, why can I not change login/fails_to_user_lock in RZ11? I have "SAP_ALL" authorization.

0 Kudos

> Thanks for your answer; however, some trainees have full access to the system due to the Basis course needs.

Have a look at grouping users and make sure the trainers are in a group that cannot be modified by the trainees. As a security consultant I tend to disbelieve anyone who claims to need 'full access'. What is this course about? "How to administer a complete SAP system all alone?"

Apart from that I always tell my trainees to behave or they'll fail the course/test/certification. I always assume I deal with adults when SAP is concerned.

> For the second part, why can I not change login/fails_to_user_lock in RZ11? I have "SAP_ALL" authorization.

That could be because it is in the default profile or instance profile. Have a look at RZ10 instead. (http://help.sap.com/saphelp_nw04/helpdata/EN/22/41c43ac23cef2fe10000000a114084/frameset.htm and http://help.sap.com/saphelp_nw04/helpdata/EN/c4/3a6247505211d189550000e829fbbd/frameset.htm)

Jurjen (Heeck is my last name)

Edited by: Jurjen Heeck on Sep 3, 2008 9:12 AM
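
Added example, not part of the original reply or of any SAP tooling: because the parameter may be defined in the default profile or the instance profile, this Python example reports which profile supplies the effective value of login/fails_to_user_lock and flags a threshold above a policy limit. The sample profile contents, the `max_allowed` limit, and the precedence order (instance profile over default profile) are assumptions of the example.

```python
import re

# Constructed sample profiles (not taken from the thread); values are illustrative.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = TRN
login/fails_to_user_lock = 5
login/min_password_lng = 8
"""
INSTANCE_PFL = """\
# instance profile (constructed sample)
SAPSYSTEM = 00
login/fails_to_user_lock = 99
"""

# 'name = value' lines; lines whose first non-blank character is '#' are comments.
LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value} for every 'name = value' line in a profile."""
    params = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def effective(param, profiles):
    """profiles: list of (label, text) in increasing precedence (assumption).
    Returns (value, label) from the last profile that sets param, else (None, None)."""
    value, source = None, None
    for label, text in profiles:
        parsed = parse_profile(text)
        if param in parsed:
            value, source = parsed[param], label
    return value, source

def audit_lockout(profiles, max_allowed=5):
    """Flag a lockout threshold above max_allowed (an assumed site policy limit)."""
    value, source = effective("login/fails_to_user_lock", profiles)
    if value is None:
        return "not set in any profile; kernel default applies"
    status = "WEAK" if int(value) > max_allowed else "ok"
    return f"{status}: login/fails_to_user_lock={value} (from {source})"

if __name__ == "__main__":
    print(audit_lockout([("DEFAULT.PFL", DEFAULT_PFL), ("instance", INSTANCE_PFL)]))
```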

0 Kudos

I agree with Jurjen,

You will need to give up the SAP_ALL to prevent them from changing the password as administrators of the user group they are in => object S_USER_GRP and the "Group for Authorization Checks" field in SU01.

There are a number of other things to consider as well to make this "water-tight"...

To prevent them from changing their own passwords as a user who knows the password (=> transaction SCU3 or F5 on the logon screen), you can change the user type to SERVICE, but you should check with your licensing folks first (license implications for named user licenses).

Cheers,

Julius