Hey Nablan,

I think his question is "how to force SAP to NOT show the change password prompt after change it with the transaction"

Our english is too bad 😛

I think the answer will be found locating that field who marks the pwd as initial and un-marking it.

Now I understand completely your question. The answer is you need to set field LTIME in table USR02 to non '000000'. This is because when you reset the password using SU01, this field will be set to initial. Then when you login, the login program will prompt for changing the password if this field is '000000'. Just set is to any time except '000000'.

Hi Mark,

sorry but I think that you are not right stating that using BAPI_USER_CHANGE with setting LOGONDATA-LTIME was considered a "legal feature" (as part of a validation).

If you take a close look on the function module documentation (in SE37) you'll see that LOGONDATA-LTIME is marked as "For internal use only" (same as LOGONDATA-BCODE and LOGONDATA-CODVN).

The system enforces now what has been specified in the interface documentation: it checks if invalid input value combinations are used.

Please notice: the BAPI itself was not changed and no certified interfaces have been invalidated. Because the BAPI interface covers only those features that are not marked as "For internal use only".

The discontinuity of "bug features" (i.e. features that did work but are not intended to work) always causes complaints. But in this case the enforcement of assured security features (i.e. that an administrator cannot set a non-initial password for a normal user) had a higher priority which did justify that painful cut.

"Does NetWeaver effectively override the security features of the R/3 platform?"

Definetly no - take a kind look into SAP note 2467 (which is pretty old) to see that this security feature was present since decades.

Of course there is also some progress in the security functions. So, not surprisingly NetWeaver offers enhanced security features in comparison with the R/3 platform.

To a certain degree downwards-compatibility has to be abandoned for the sake of progression. For example: with the next NetWeaver version (NetWeaver 2004 S, based on WebAS 7.00) the ABAP stack made some significant progress regarding password policies. However it was necessary to modify some internal data structures in order to accomplish this task. For those that have implemented own coding operating directly on those data structures (which anyway is not recommended) this will have some negative consequences (old coding will fail to work). However those that only use the APIs are not effected.

Regarding password synchronization:

it's not a matter of implementation - the entire approach is subject to failure (by nature). Knowing that, it is our duty to prevent anyone from falling into the trap - e.g. by documenting the constraints (=> SAP note 376856) and by actively preventing unintended usage of provided APIs.

Preventing customers from falling into traps has nothing to do with dictating requirements / desires. I hope you can agree with me.

Wolfgang

Hi Mark,

then maybe let me add the following remark:

the main counter-argument against password synchronization is not security risk (i.e. having the same password in all systems) but robustness and correctness.

It can simply happen that it is impossible to set the same password in all systems (because the password might violate a local password policy of some of the systems, or because some systems are temporarily not able to process the password change request, or ...).

And guess what happens, then?

They will report a support case which will first be send to SAP where it will be analysed (notice: such problems are not reproducable in most cases => problem analysis might take time) and finally delegated to the partner. In the end someone will have to tell the truth to the customer: "sorry, but this is an intrinsic problem; it cannot be resolved (in general)." And SAP will add: this is known since a long time, before (pointing to note 376856).

SAP considers itself as "Trusted Advisor".

I strongly believe that "educational work" is part of it.

Best regards,

Wolfgang

Hi Mark,

sorry but I doubt that any product (including "DirXML") is able to resolve all intrincic problems mentioned above; especially the fact that each system holds (and controls) its local password history will cause problems when the password once has run out of sync. Only by dirty DB table syncs you would be able to "resolve" the problem (=> resynchronization). But that only works when the data structure remains unchanged - which is not the case (USR02 was changed in 6.20 and another time in 7.00).

Regarding your comment that "the password for the SAP accounts are auto-generated and the User never even knows what it is". That does not make the slightest sense: what are the passwords for, then? That only imposes a security risk (since passwords can be guessed). If the user does not know the password he will not be able to use it. In such a case it is strongly recommended not to assign a password at all (notice: as of 4.6x it is possible to "deactivate" a user's password, see note 780485).

Regarding your last question:

yes, this is a general patch - not only effecting SAP NetWeaver but all ABAP systems (down to 4.6x). That is explained in note 750390; it states that it used(!) to be possible to call BAPI_USER_CREATE/CREATE1/CHANGE in a way which was not intended (to be possible). The note contains a correction that will prevent this (unintended mis-)usage.

Regards,

Wolfgang

Hi Aziz,

I have not verified whether the procedure you've described works but please keep in mind: every usage that is not intended might be considered a malfunction which might be discontinued by some future correction.

So kindly stay on the safe side and only use the API functions in a way that is <u>documented</u>. As you see (e.g. in note 780485) we enhance the documentation, if required, when an intended ("legal") API function usage was not covered by the documentation.

<b>Please resist from using undocumented features</b>.

If you believe that a feature is missing contact us to clarify the issue. Maybe the feature is either already existing but not documented (in that case the documentation should be updated) or not implemented but considered useful (in that case it might be implemented in a future release and, if possible, downported to previous releases; see note 830493 for example).

Regards,

Wolfgang

PS: for those who might not know, yet:

The SAP Security Product Management team will

respond to mails send to <b>security@sap.com</b>.

You can use that mail address to submit general

questions but please do not misuse that mailbox

to submit problem messages.

Hi Mark,

I've used Google to determine which company you are working for ... (search for "Mark Worwetz").

(PS: sorry to disagree - but if those non-SAP products state to be "SAP certified" and if arising problems will be reported to SAP this is a topic for SDN; I strongly believe in preventive actions - warning on known issues is one of it).

Regarding SUSR_USER_CHANGE_PASSWORD_RFC:

notice the function documentation - it clearly states that this function is intended to be used (only) when a user changes his own password. In contrast to BAPI_USER_CHANGE (respectively SU01) this function will not require user administration authorizations and will also not result in an initial password (that will need to be changed by the user) - but it will prevent passwords to be set that have been chosen previouly by the user (password history). And, SUSR_USER_CHANGE_PASSWORD_RFC will also check that the old and new passwords are different (as of 6.20 a "minimal password distance" can be customized).

I've heard of some "smart guys" that combined RSEC_GENERATE_PASSWORD, BAPI_USER_CHANGE and SUSR_USER_CHANGE_PASSWORD_RFC in a way that a random (intermediate) password is set by BAPI_USER_CHANGE that will be changed immediately afterwards using SUSR_USER_CHANGE_PASSWORD_RFC. The problem is that those password rules mentioned above (password history, password distance) might prevent the password change. And in future we might implement additional password rules ... (on customer request).

<b>Please notice that the mixed usage of function modules that are intended for administrative usage and user usage is also a kind of "API misuse".</b>

Officially SUSR_USER_CHANGE_PASSWORD_RFC is not a BAPI (but just an ordinary function module). That's why the documentation of that function module is very weak. One weak point of that function module is that it does not return very detailed error information (e.g. on the reason why a new password is rejected = which password rule was violated).

Regards, Wolfgang

Hi Satyajit,

please have a kind look on the conversation Mark and me had previously. That should provide some insights into this topic (motivation, background information).

Regards, Wolfgang

The only "legal" / "approved" / "supported" method to set a non-initial password for an existing user is to let the user change his/her password (providing the old and new password). The RFC-enabled function module SUSR_USER_CHANGE_PASSWORD_RFC can be used for that.

The only "legal" / "approved" / "supported" scenario where a non-initial password is set for a non-existing user is a self-registration scenario. BAPI_USER_CREATE(1) has an (optional) parameter (SELF_REGISTER) to request that feature (see also SAP note 830493).

Once again: any password synchronization "solution" is not supported (see also SAP note 376856).

Please notice: instead of using passwords (=> requirement to synchronize them if using multiple systems) it is possible (and recommended) to use Single SignOn (SSO) solutions. Most SSO solutions are also available for other products. This allows to use one single SSO mechanism for SAP and non-SAP products.

Regards, Wolfgang

BAPI_USER_CHANGE is intended to be used by user administrators (=> requires proper authorizations).

How should a system make sure that only the effected user and not another person (which could also be an attacker) is requesting to reset the user's password?

We recommend that any service which offers such a "forgotten password" self-service first prompts the user for some data (of course not the password) which is supposed to be known only by the user (e.g. birthday). That will prevent at least some unauthorized password reset attempts.

In addition, the system should not allow the (unauthenticated) user to set a new password. Instead the system should generate a random password and send it to the mail address retrieved from the user record. Only the user which has access to the mailbox will be able to read the generated password (plus those guys that know how to capture mail traffic). You might also use other message transmission mechanisms (such as SMS / pager / ...).

When the user logs onto the system using the obtained generated password he will be asked to change the password (since we assume that noone can remember such a generated random password) to a password chosen by him.

Kind regards,

Wolfgang

Hi Satyajit

I am looking for simillar solution, Can you share your java code working one.

Thanks

Ashok