
how to hide the option 'delete password' in su3 displayed in the portal?

Lee3
Active Participant
0 Kudos

Hi Experts,

When we start SU3 in the backend system and choose change password, the change password screen appears with the options 'change password' and 'cancel'. When we display this transaction in the portal with a "com.sap.portal.appintegrator.sap.Transaction" iview, the screen has a third button with the option 'delete password'. How is this possible? Where does that option come from? And the most important question: how do we hide this option?

Thanks in advance,

Joeri

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

I guess that the note 379081 is an answer for you why you can see an extra button. The extra button disables password-based logon. You don't need password-based logon in some scenarios such as SSO. I guess that you are using SSO for portal. The note 942001 mentions how to hide this button using profile parameter login/password_change_for_SSO.

Cheers

18 REPLIES 18

Former Member
0 Kudos

Joeri,

I am not familiar with that portal iView for SU3, but can you get a portal developer or Java developer to go in and change the code to hide/disable it?

Thanks,

Matt

Lee3
Active Participant
0 Kudos

Hi Martin,

Thanks for your reaction. Indeed, we use SSO to the portal. Our value is 0, because we don't want to change the password is determined by the system. If we set the parameter value to 2, it will be determined by the system, right?

Greetings

Joeri

mvoros
Active Contributor
0 Kudos

Hi,

Yes, you are right. The meaning of this parameter is described here: http://help.sap.com/SAPHELP_NW70/helpdata/EN/6a/3faf42ede3b911e10000000a1550b0/content.htm. I don't know your scenario, but if your users use only SSO then you could delete passwords for all users, leave them only SSO logon and set this parameter to 2.

If you can't change this parameter then have a look at screen 42 in program SAPMSYST. This screen should be your dialog screen. I don't have access to SAP system so I can't check it right now. Maybe you can modify the logic of this screen using enhancement framework to disable this button for all scenarios. If you don't have ABAP skills then ask somebody who has them.

Cheers

Lee3
Active Participant
0 Kudos

Hi Martin,

thanks for your quick reply.

I'll ask a developer to resolve this issue.

Thanks a lot.

Joeri

Former Member
0 Kudos

Adding an enhancement or modification to screen 0042 of the SAPGui logon program will cause BIG problems for you! Avoid that at all costs!

Please take a closer look at SAP Note 869218 (https://service.sap.com/sap/support/notes/869218) before you start developments and compare it to your release and SP levels, also on the Java side.

It may be that the portal UI is not aware of the ABAP API to check the parameter value - you can easily test this by simply clicking on it and inspecting USR02 to see whether anything happened.

Cheers,

Julius

Lee3
Active Participant
0 Kudos

Hi Julius,

Thanks for the warning. What kind of BIG problems?

I will check the parameter value, may take a while because I'm not a SAP Expert :-).

gr

Joeri

0 Kudos

The logon program SAPMSYST protects itself from being accessed for security reasons. If its consistency checks detect any modifications or foreign code, then it dumps.

This is also known as a "lockout", and everyone will have a tough time trying to get back into your system at all.

Cheers,

Julius

Lee3
Active Participant
0 Kudos

even if you change only the GUI Status?

I Check the parameters with USR02, but it was all the same. I start su3 in r/3 and from the portal.

gr

Joeri

0 Kudos

> even if you change only the GUI Status?

Try it and you will find out... (Don't say that you were not warned!)

> I Check the parameters with USR02, but it was all the same. I start su3 in r/3 and from the portal.

I understand from this that clicking on the "Delete password" does not do anything then. So that is good!

Specifically check whether field CODVN changes for your user when you click on it from the portal?

Cheers,

Julius

Lee3
Active Participant
0 Kudos

OK, I believe you!

I checked USR02 before I clicked on 'delete password'. When I click on 'delete password' the value of CODVN is set to X (was G). When I start the SU3 from R/3 there is no option for 'delete password'.

gr

Joeri

0 Kudos

Okay, then it is not good and the RFC is not respecting the parameter.

Did you compare your SP level to that of the SAP Note I mentioned above in my first post?

Cheers,

Julius

Lee3
Active Participant
0 Kudos

Yes, I did. Our system is 7.00 level 18 (SAPKB70018).

gr

Joeri

0 Kudos

Hi Julius,

Thanks for pointing out this issue. I still don't have access to any system, but as far as I remember you can't even display program SAPMSYST in SE38. Also, when you look at the notes related to this program, most of them have to be implemented via support package. BTW, SAP also locks some packages for enhancements. Since the release of the enhancement framework, I've been wondering how easy it is to implement a rootkit using this powerful tool. At least there are some security measures.

Joeri: Have you tried to define a new transaction ZSU3 which will correspond to SU3 with a screen variant (transaction SHD0) which will hide the unwanted button? I haven't tested it.

Cheers

0 Kudos

Or an ABAP botnet...

I thought the problem here was on the Java side and not SU3?

Cheers,

Julius

0 Kudos

> I thought the problem here was on the Java side and not SU3?

It's about displaying SU3 in portal.

Cheers

0 Kudos

> When we display this transaction in the portal with a "com.sap.portal.appintegrator.sap.Transaction" iview, the screen has a third button with the option 'delete password'.

Ahh.. it is a transaction iview! I missed that detail.

That it still updates USR02-CODVN when login/password_change_for_SSO = 2 is strange...

I would have thought that the portal has the same behaviour as the Java stack in general...

What are the values for params in this case?

login/disable_password_logon
login/password_expiration_time
login/password_change_waittime
login/password_max_idle_initial
login/password_max_idle_productive
login/password_compliance_to_current_policy

Also, what is the user type (Dialog, Service, etc) here?

Cheers,

Julius

Lee3
Active Participant
0 Kudos

Hi Martin,

We created ZSU3 as a variant, but I am not familiar with ABAP. So can you tell me what to do? Do I have to copy screen 42?

The problem is not the first screen but the screen that appears after clicking on the password button.

Is it possible to copy the first screen also?

gr

Joeri