
Insert Button on SAP GUI Logon Screen

sapcccdbsystelg
Discoverer
0 Kudos

Hello,

is it possible to insert a button on the SAP GUI logon screen like the "new password" button?

We want to insert a button, with which the user can generate a new initial password, if he has forgotten his password.

Thanks for answers

regards

Christian

12 REPLIES 12

JozsefSzikszai
Active Contributor
0 Kudos

if my understanding is right, this would simply mean, that anyone could logon with anyone else's userid...

Former Member
0 Kudos

Hi,

This is possible only when you design your own Login screen...and interface the same with SAPGUI in backend....

0 Kudos

> This is possible only when you design your own Login screen...

I would be interested in this one as well... as I am fairly sure (like as in 99,99999% sure) that there is no intended way to do this and the system will react very badly to such a modification...

sapcccdbsystelg
Discoverer
0 Kudos

@Eric

after pushing the "reset password" button the user will get an email with a confirmation link.

@AJAY

Thank you.

How can I do that?

Is there a "how to" or SAP help available for this?

Former Member
0 Kudos

Moved to the security forum...

I would recommend abandoning this approach and rather investigating a password reset service as an external application which is calling a service or a user BAPI on the inside to reset passwords of selected user groups (you would for example not want the service to change its own password, which would then subsequently stop the service...).

You should also ensure that this application and the communication with the backend system is secured and restricted.

Cheers,

Julius

Edited by: Julius Bussche on Oct 16, 2008 5:47 PM

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> Hello,

>

> is it possible to insert a button on the SAP GUI logon screen like the "new password" button?

> Christian

Please refrain from attempting to modify that dynpro.

The module pool is intentionally marked as "system program" - it is not released for customer modifications. The risk is quite high that you (accidentally) cause a severe problem (i.e. being unable to logon to the system afterwards) - notice: it did happen, already.

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> We want to insert a button, with which the user can generate a new initial password, if he has forgotten his password.

Such "password self-services" are offered by various Identity Management solutions. Before you consider developing your own solution (which you'll then have to maintain) you might take a look at what's available on the market ...

Maybe a posting in the SDN group "SAP NetWeaver Identity Management" makes sense.

Former Member
0 Kudos

Hi,

I very strictly advise against providing a "Reset password" button to the user; this will allow any user to reset the password of other users. This is one of the security violations.

If you want to provide an option for resetting passwords to the user, you can make a custom program which can be executed by the user and can reset the password for their own user, but not for others.

Regards

Anandm

0 Kudos

>

> I very strictly advise against providing a "Reset password" button to the user; this will allow any user to reset the password of other users. This is one of the security violations.

Actually, you can restrict that using object S_USER_GRP if the user ID is protected by an authorization group (USR02-CLASS). The opposite is also true...

>

> If you want to provide an option for resetting passwords to the user, you can make a custom program which can be executed by the user and can reset the password for their own user, but not for others.

That is the F5 button (change own password). You cannot restrict a user to "resetting his own initial password" via SAPGUI only, as you first need to authenticate the user ID to be able to "reset new password" for the correct one.

The only safish way to do this is to provide a service which resets a correctly generated password on request and sends the password to a secured mail account of the user whose password was reset (the user who requested it should obviously not be able to enter or change the mail account...), and the accounts which the service is authorized to reset passwords for should be restricted to dialog type end-user groups only.

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> Hi,

>

> I very strictly advise against providing a "Reset password" button to the user; this will allow any user to reset the password of other users. This is one of the security violations.

I fully agree.

> If you want to provide an option for resetting passwords to the user, you can make a custom program which can be executed by the user and can reset the password for their own user, but not for others.

>

> Regards

> Anandm

Well, I'd propose to leave the SAPGUI screen untouched but only place a comment on the logon screen (see note 205487, https://service.sap.com/sap/support/notes/205487) which informs the user on a URL to a web application (BSP) which provides the desired "forgotten password" self-service functionality.

On the internet you find many examples of such "forgotten password" self-services - good ones and not so good ones. What all of them have in common is the requirement that the user has provided a valid email address or mobile number (during the account registration) which can be used for the required off-band communication. However they differ in the way they try to mitigate misuse: some prompt for a so-called passphrase (in most cases: the user has entered a free-text answer to a question chosen from a fixed set of predefined questions, during account registration) before sending a newly created password to the email address retrieved from the user account; others generate a (random) "password change token" which they send to the email address and prompt the user to enter this "password change token" on the webpage (the account remains untouched until the correct "password change token" was entered, in most cases this is also time-restricted). I prefer the latter one.

Cheers, Wolfgang
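
The "password change token" flow described above, combined with the restriction to dialog-type end-user groups from the earlier reply, as an added example that is not part of the original posts and is not SAP code. The user directory, group name, validity window and function names are assumptions made for the illustration; the actual password reset in the backend is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60            # assumed validity window
RESETTABLE_GROUPS = {"ENDUSER"}        # hypothetical user group name

# Constructed sample directory; a real service would read this from the backend.
USERS = {
    "CMUELLER": {"type": "dialog", "group": "ENDUSER", "mail": "c.mueller@example.com"},
    "RESETSVC": {"type": "service", "group": "SUPER", "mail": "ops@example.com"},
}

_pending = {}  # user id -> (SHA-256 of token, expiry timestamp)


def request_reset(user_id, now=None):
    """Issue a token for an eligible account; return (mail, token) or None.

    The account is not changed here. The caller mails the token to the address
    already on file and shows the requester the same neutral message whether
    or not a token was issued.
    """
    now = time.time() if now is None else now
    user = USERS.get(user_id.upper())
    if not user or user["type"] != "dialog" or user["group"] not in RESETTABLE_GROUPS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()   # only the hash is stored
    _pending[user_id.upper()] = (digest, now + TOKEN_TTL_SECONDS)
    return user["mail"], token


def redeem_token(user_id, token, now=None):
    """Return True once for a correct, unexpired token; only then reset the password."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id.upper())
    if entry is None:
        return False
    digest, expires = entry
    if now > expires:
        del _pending[user_id.upper()]
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
        return False
    del _pending[user_id.upper()]      # single use
    return True
```
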

sapcccdbsystelg
Discoverer
0 Kudos

Thank you for answers!

Can you give me some good tools (self-services) that make this possible?

regards

Christian

0 Kudos

Hi there,

depends what you are looking for. NetWeaver Identity Management provides a functionality called "Password Hook" working with Microsoft Active Directory and the NetWeaver Identity Center. The product provides much more you can use.

There are also loads of dedicated non-SAP password reset and synchronization products out there on the market, I don't know if there are SAP certified ones.

Kind regards,

Richard