
Force wizard usage to set/reset passwords

Former Member
0 Kudos

Hi, experts,

Once upon a time, a system manager was creating new users and resetting passwords, using always the same password.

The bad fairy auditors then came, and said "YOU SHOULD NEVER MORE USE THIS KIND OF BAD PRACTICES!!!".

And the system manager went his road to find the magical trick to force people to use the wizard button, and make the change password disappear on the famous SU01 Scroll.

Do you have any clue for the poor lonesome system manager, please?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Nothing which I know of can do this.

Possibly you could write your own little application in which you can modify your own screen to prevent a password from being typed into the surface and restrict access to SU01, but I would not modify SU01... as someday you might need to reset the password of an ID with "fixed" or "co-ordinated" logon data (e.g. RFC users).

My suggestion would be to train the (password) managers and invite the auditors to evaluate your training (evidence) and test it... (if they can...)

What you can also do (in higher releases particularly) is instruct the system to limit the lifetime of initial and reset passwords to a very short period before the validity of a possibly weak password expires again.

If your auditors don't accept a combination of those 2 then they are being a wee bit unreasonable...

Cheers and good luck,

Julius

PS: If you try to write your own little application which can do only this (generated password only), then see SAP note 832661 (https://service.sap.com/sap/support/notes/832661).

Edited by: Julius Bussche on Sep 16, 2008 5:30 PM

3 REPLIES 3

0 Kudos

Yep, unfortunately (is it really unfortunate?), I was in such a thinking. This system was mainly to ensure that, after the training, the password managers were forced to do so.

Well, my main answer toward the auditors will be "Since it's not in standard SAP, this means that the training and tracking solution is sufficient all over the world ..."

Thank you for your help.

Bye

Fred

0 Kudos

Of course you could also scare them a little bit by pointing out that the auditors will find out if they use non-cryptic initialized passwords (latest because the whole company normally notices anyway...) and what the consequences can be...

I know of an audit where they worked out that the initialized passwords were not the same each time (an auditor cannot state more than that and most give up at that point)... but tended to have something to do with the prevailing weather conditions from a few samples which they took amongst themselves. So they searched the meteorological websites for the given weather conditions on a certain day way back when... bingo!

An old mistake can become a big new headache...

So the password wizard is a great security measure. The auditors are certainly correct about that...

Cheers,

Julius