Solved: Changing password policy

Former Member · ‎08-07-2009

Hello,

should be an easy one for you. I want to check the current password rules, I remember it has something to do with a parameter. But where can I find it? I want to change the maximum number of password retries before the user gets locked out.

Thanks for any help!

kind regards,

Peter Selter

Former Member · ‎08-07-2009

There is no such thing because the user stays on the outside if the password is not correct.

What happens however is that the password is locked (not the user ID).

Just search tcode RZ11 for login/* and you will find it easily, and it's dependencies.

Cheers,

Julius

Former Member · ‎08-07-2009

There is no such thing because the user stays on the outside if the password is not correct.

What happens however is that the password is locked (not the user ID).

Just search tcode RZ11 for login/* and you will find it easily, and it's dependencies.

Cheers,

Julius

Former Member · ‎08-07-2009

Thanks, I found the parameters. As I see the maximum no. of retries is set to 5, but SAP GUI closes itself after 3 wrong passwords. Is there a way to set it to 5 as well?

Is there also a way to automatically unlock the user after 24 hours? I only see a parameter that unlocks the user at midnight.

Former Member · ‎08-07-2009

>


> Thanks, I found the parameters. As I see the maximum no. of retries is set to 5, but SAP GUI closes itself after 3 wrong passwords. Is there a way to set it to 5 as well?
> 
> Is there also a way to automatically unlock the user after 24 hours? I only see a parameter that unlocks the user at midnight.

There is loads of info here on the profile parameters for passwords:

http://help.sap.com/saphelp_nwmobile71/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm

Take a look at

You can use login/fails_to_user_session_end

There is no standard method for unlocking after 24 hours. You would need to create a batch job to sweep through locked users and unlock them after 24h, though I would definitely not recommend this in a productive environment.

Former Member · ‎08-10-2009

This looks like what I cam looking for. I added "login/fails_to_session_end" with a value of 5 into the default profile. When checking the profile it says "wrong parameters discovered", when shown I see things like "unknown parameter enque/serverhost, cannot be checked"... I haven´t activated the profile yet.

What about the above value 5? Does it have to be "lower" or "lower/even" than the parameter user_lock? Both are on 5 right now...

Former Member · ‎08-10-2009

Having both the same has the disadvantage that the user is not informed that they have just locked their password, as the session disappears first.

Greater makes less sense, as why would the user continue if the PWD is locked? This would only possibly make sense a few seconds before midnight, but that is optional.

The defaults (3 for session and 5 for lock) are good ones to use, in my opinion.

Cheers,

Julius

Former Member · ‎08-07-2009

Hi JP,

All the above answers are correct however I would like to suggest to execute the Standard Parameter report. To achieve this please follow the steps:

Execute SA38 (ABAP Program Execution)

In report section give RSUSR003 and execute

This will report will show maximum of Security Paramters and you can design your security policy.

For doing the changes in parameter execute RZ10.

Thanks

Former Member · ‎08-07-2009

> RSUSR003

There is now also a transaction by the same name, which does the same thing.

But you will need more authorizations to do it this way, than knowing what you are looking for in RZ11.

Cheers,

Julius

Former Member · ‎08-10-2009

This message was moderated.

Former Member · ‎08-10-2009

This message was moderated.