CUP Password Self Service

Former Member
0 Kudos

Hi,

I have some problems with using the password self service.

The user has answered the challenge response and is registered. After losing the password the user tries to access the password self service link. Therefore he has to log in - why??? This doesn't make sense at all, as the user lost his password! Did I miss a setting or did I misunderstand the functionality???

Best regards,

Christian

Accepted Solutions (1)

macarranza
Explorer
0 Kudos

Here's how:

- You go into Self-Service config and configure an authentication source (usually SAP HR)

- In "Select Service to disable verification" choose "Password Self-service". This eliminates the need to authenticate the user via logon, but the user still HAS to be authenticated. This is where the authentication source comes in.

- For SAP HR, create a verification field that can be used to authenticate the user. For example, if you want the user to authenticate with social security number, then create a verification field for infotype 002, field PERID, description "Social Security Number". Activate this field.

- Further down, on "Verification Data Source", select the SAP HR system that will be used for verification. This is the system that CUP will check when the user goes to the self-service link.

Voila! The user can now authenticate in the self-service area, even if they forgot their actual SAP password. Now, when the user goes to password self-service, the screen will prompt for User ID, Social Security Number, and System. If the User ID matches the Social Security Number stored in IT002, then the password will be reset for the system.

Former Member
0 Kudos

Thanks Jose,

but what if we do not have an HR System?

I want to use the challenge password option, where a user is asked for an answer to a specified question.

Regards,

Christian

macarranza
Explorer
0 Kudos

Christian,

If you don't have an HR system (SAP or PeopleSoft) that you can authenticate against, then your users will need to register for self-service. You configure Self-Service to authenticate via challenge response and configure the questions (challenges) that will be used for authentication. When your users register for self-service, they will answer those questions and CUP will store the answers so that they can be used for authentication later.

Jose

Former Member
0 Kudos

Thanks Jose, and now we are at the very first message of this thread

Unfortunately you need a UME user for the users who should be able to reset their passwords. And this doesn't make sense to me.

Regards,

Christian

macarranza
Explorer
0 Kudos

Duh, OK - so the challenge response is not working the way it should in your system. We currently use SAPHR for authentication, so I can't go back and test it but when we initially did this, we tested both SAPHR and the challenge response authentication and it worked as described in the configuration guide... What version/SP are you running? There is a fix in 5.3 SP5 ("Unable to get a challenge response during password reset"). If it isn't working the right way for you and you have the latest SPs, open a message to SAP...

If all else fails, you can always get creative... Self service uses function module /VIRSA/USER_AUTHENTICATION to do the authentication in this screen. You can change it very easily to authenticate in a different way.

Answers (4)

Former Member
0 Kudos

Hello everyone,

Has anyone found a resolution for this yet? I am in the same situation right now with a client. Please let me know.

Thank you!

Johonna

koehntopp
Product and Topic Expert
0 Kudos

Hi Johonna,

the solutions are all in here.

- if your authentication source is SAP, you must have an HR system that can replace the CUP authentication for PSS

- if your authentication source is UME, every user must have a login in UME to reset his SAP password(s)

I usually advise my customers to link Active Directory to UME and log in with their Windows password; this is the way this scenario makes the most sense.

In a nutshell: make sure users have a way to authenticate OTHER THAN SAP if you want to use PSS for SAP (kinda makes sense when you say it this way, doesn't it?)

Frank.

Former Member
0 Kudos

Christian & Johanna

Reference SAP Note 1379468 (https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1379468) - Password Self-Service and End User Verification

This note explains all scenarios and explains why this is not working for either of you.

Thanks and hope this helps!

Edited by: suggsda on Jan 19, 2010 10:22 PM

Former Member
0 Kudos

It doesn't really solve the problem, but now I know that this works as designed.

Former Member
0 Kudos

> In a nutshell: make sure users have a way to authenticate OTHER THAN SAP if you want to use PSS for SAP (kinda makes sense when you say it this way, doesn't it?)

> Frank.

OTHER THAN SAP: what's the challenge response good for?

Hopefully SAP decides to improve this useful function.

Former Member
0 Kudos

Does anybody have news on this one?

Former Member
0 Kudos

Hi,

does anyone have news on that or a similar issue?

Regards,

Christian

Former Member
0 Kudos

Hi Christian,

sure this authentication depends on the "Authentication" configuration, but I wouldn't change this data source as you probably had a reason for choosing a SAP system as data source.

Following things I figured:

- setting the Self-Service to "SAP HR" and configuring the "Disable Verification" to "Password Self-Service" will do exactly what you need: no authentication needed but verification by HR info types. This extra logon before the verification can be disabled like it was in 5.2

Unfortunately you will need an HR system with data configured for all users using PSS

- setting Self-Service to "Challenge Response", by setting the "Disable Verification" to "None" you can disable the questions but NOT the initial logon

I can't really figure why this is working the opposite way for both types of password self-service. Let me know if you find a nice solution. Or did you open an OSS?

Regards,

Daniela

Former Member
0 Kudos

Christian,

Did the user lose the password for AC (UME)? CUP expects the user to log in to request any kind of access or to reset a password.

Regards,

Alpesh

Former Member
0 Kudos

Hi Alpesh,

the user lost his ERP password and has no user/password for AC/UME. We were able to register the challenge response by using the SAP logon data - the password self service is explicitly asking for the SAP logon data!

But when we try to retrieve a new password (= "lost the sap password") we cannot login, because Password Self Service is asking for the password we have lost. This doesn't make sense to me! Do you know what I mean?

Regards,

Christian

Former Member
0 Kudos

Hi Christian,

To use Password Self-Service you need to have a user ID in UME; only then will it work. It is almost like you create a new user ID in ERP once you are logged in to GRC; in the same way you can reset the password for the backend system using the GRC UME user ID.

Regards,

Sabita

Former Member
0 Kudos

Hi Sabita,

unfortunately I cannot paste a picture here. Following the Self-Service link AC says:

"Use Your SAP UserID to Login", which does make sense to me, because otherwise I would have to map the SAP UserID to the UME UserID. Do you know what I mean? Anyway I'll give it a try. Thanks

Former Member
0 Kudos

Well, I created a UME user and a SAP user (both with the same UserID). I can neither log in nor register the challenge response for the self service with the UME user.

So there must be another problem!

Former Member
0 Kudos

Hi Christian,

Go to CUP-Configuration-Authentication-

If you want to keep it UME authentication - Select UME.

Then in the Password self-service link you can use UME credentials.

I guess in your case it is SAP. If it is the case, check the system name, and use the credentials of that particular system.

I hope it will work.

Regards,

Sabita

Former Member
0 Kudos

Hi Sabita,

Thanks for your reply.

> If it is the case, check the system name, and use the credentials of that particular system.

Exactly this is the problem! In case I have lost my password and want to login to retrieve a new one I do not have the credentials anymore. And in case I know my password I do not need the self-service. That's why I am wondering about the sense of this kind of self service!

Former Member
0 Kudos

Hi Christian,

If there is no authentication check, anyone could retrieve others' passwords. Better if you set it to UME and use your UME user credentials. In that case, you can retrieve your backend password.

Regards,

Sabita

Former Member
0 Kudos

Hi Sabita,

thanks, but anyone is wrong - that's why I have registered a challenge response and an email address.

I cannot believe that this is the way the self service is supposed to work. What do you do with an ERP system with a couple of 100 users? Do all of them get a second UME user? This would make things even worse.

Former Member
0 Kudos

Hi Christian,

But anyway you have to create UME users for those 100 users who will be the owners of business and sub-business. They will be responsible for approving roles creating in ERM.

Regards,

Sudip.

Former Member
0 Kudos

Hi Christian,

You are right, but that is the way it works right now. Even we are not configuring self-service due to this problem, as we would have to create 500 plus users in UME if we want to use this facility. Some users are end users; they will eventually forget their UME password too, because there is no other need for them to use it.

You may ask SAP if there is a way to achieve this.

Regards,

Sabita

Former Member
0 Kudos

Christian:

Are you using GRC 5.3? I am using 5.3.

When I am at "self service", I do not see that the credential is asked for.

Could you give the steps to reproduce it?

Thanks!

Former Member
0 Kudos

Hi Christy,

yes I'm using GRC 5.3. You have to log out and access the Password Self-Service link. ("Self-Service Use this link to reset or request to change the password"). As we are using SAP for authentication there is a message "Use Your SAP UserID to Login" below the UserID and Password field.

How do you use the password self service? Am I missing a setting?

Cheers,

Christian

Former Member
0 Kudos

We have not tried yet. Let me try it. Thanks!

Former Member
0 Kudos

I see what you say, it is a catch-22.

If I find out how to break this catch-22, I will share with people here.

Thanks!