
Password Policy implementation for SAP users

former_member238852
Participant
0 Kudos

Dear Friends,

We are planning to implement the Password Policy for SAP users in our organization...

Here my question is,

Let's say that the Password Policy is implemented today, what will happen to the SAP users' passwords?

Will they be locked out until they create a new password that follows the policy? Will there be a dialog box that will tell them what the criteria are for new passwords and that it's time to change the password?

Thank you,

Nikee

15 REPLIES

Former Member
0 Kudos

They will not be affected until they next change their passwords.

Assuming you are on a recent version of SAP then you can use parameter login/password_compliance_to_current_policy to force reset if the password is not compliant. There is plenty of info on that parameter in SAP help if you wish to know more.

0 Kudos

Hi Alex

Exactly what I was just looking for - we're on a 4.6C and the password length 6 / special char 0 parameters need to be made more secure, and we wondered what would happen if changed - day one all users get a message/error, or just a gentle "time to reset your password, old chap" (needs to be 8 char and at least one special, please)

Cheers

David

0 Kudos

Hi David,

4.6C was a long time ago......from memory it still applies! If not then salutary beers are on me

0 Kudos

If you raise that bet to eating your hat I will explain the release dependency.

Little tip: you must first set the user types correctly -> this has only been mainstream since the major password rule changes were introduced (code version E and upwards).

There are a number of dependencies, but the most important one is the user type.

Cheers,

Julius

0 Kudos

Hi Julius

I reckon Alex has done his bit remembering back to 4.6c bag o' nails

Now I know why I preferred remediation instead of this day to day s&a detail

In these dark times eating your hat is a treat the children of today don't know how lucky they are...in my day we'd have to lick the road clean never mind having a full hat to eat (lucky lucky barstewards)

Cheers

David

0 Kudos

> If you raise that bet to eating your hat I will explain the release dependency.
>
> Julius

I will bet my hat when you have eaten yours! We are still waiting

0 Kudos

We are also implementing new password policy and I have the following concerns:

1) If any dialog users are used for background jobs instead of system users, what would be the impact of change in password policy on the background jobs. Will the background jobs fail until the password of the dialog user is changed or will they continue to run normally?

Is there a table to find which background job is scheduled under which user?

2) Impact on communication users that will be talking to the SAP system? Will they be prompted to change the password to comply with the new policy?

Thanks.

Neha.

Former Member
0 Kudos

Hi

Let's say that the Password Policy is implemented today, what will happen to the SAP users' passwords?

SAP users' passwords will be intact until the system prompts for the next password change, say, 90 days (provided the parameter is not set).

Will they be locked out until they create a new password that follows the policy? Will there be a dialog box that will tell them what the criteria are for new passwords and that it's time to change the password?

They will not be locked out until they create a new password that follows the policy (provided the parameter is not set). When changing the password they would get a dialog box if they have not met the specified criteria, indicating that it should have specific values.

Once the password change prompt appears, in order to log in to SAP they are forced to change the password according to the password criteria set; otherwise they cannot log in.

Thanks and Regards

Arun R

0 Kudos

1) When a user is prompted to change their own password in a background jobstep, then it will be the day when a mime in a forest becomes president...

It is not a password based logon and no SAPGui is attached to the session, so it is unaffected regardless of the user type.

2) Important here is the user type. SYSTEM and SERVICE type users will not be subject to the password validity rules.

Depending on your config (RZ11 parameters) the user type COMMUNICATION will be subject to the password rules and the RFC connections will fail - either immediately or latest after 90 days.

Cheers,

Julius

0 Kudos

So am I correct when I say that none of the background jobs will be affected (irrespective of the user type used) when we implement the new password policy?

Communication users are used by different applications to talk to our SAP systems. To implement the new password policy the different applications should also support the new password standards. Can this be overcome if we use single sign-on? Or does the change in password policy affect applications using communication users even if we use single sign-on?

Edited by: Neha Kapoor on Jan 14, 2011 4:23 PM

0 Kudos

The requirements and solution are described in SAP Note 498889 - Logon locks with background jobs and internal RFCs (https://service.sap.com/sap/support/notes/498889). Your background processing and internal RFC will be fine.

Different will be external RFC for COMMUNICATION type users if you harden the policy and check compliance of the current password or instruct the system to reject an expired password or have mechanisms where the COMMUNICATION users are in fact changing their own passwords... Changing the user type to SYSTEM also for external RFC connections solves this problem.

Cheers,

Julius
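
A rough pre-rollout impact check built from the rules given in the answers above, as an added example that is not part of any post in this thread: it applies the planned parameter changes to the current profile and classifies each user by type. The profile fragment, the user export, its column names and the result labels are constructed for illustration; `rfc/reject_expired_passwd` is not named in the thread and is assumed here to be the setting meant by "reject an expired password".

```python
import csv, io

# Constructed profile fragment: current values from the 4.6C question in the thread.
CURRENT = """\
login/min_password_lng = 6
login/min_password_specials = 0
login/password_expiration_time = 90   # days
login/password_compliance_to_current_policy = 0
"""
# Planned hardening: 8 characters, one special, check existing passwords at logon.
PLANNED = {"login/min_password_lng": 8, "login/min_password_specials": 1,
           "login/password_compliance_to_current_policy": 1}
# Constructed user export; column names are assumptions, not an SAP table layout.
USERS = """\
user,type,pwd_age_days
JSMITH,DIALOG,12
BATCH_FI,SYSTEM,800
WEBSHOP_RFC,COMMUNICATION,400
PORTAL_SVC,SERVICE,30
"""

def parse_profile(text):
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = int(value)
    return params

def impact(user_type, pwd_age_days, params):
    """Worst case per user type; compliance of a stored password is only known at logon."""
    if user_type in ("SYSTEM", "SERVICE"):
        return "exempt"                    # not subject to password validity rules
    expiry = params.get("login/password_expiration_time", 0)
    expired = expiry > 0 and pwd_age_days >= expiry
    check_now = params.get("login/password_compliance_to_current_policy", 0) == 1
    if user_type == "COMMUNICATION":       # no dialog in which to answer a change prompt
        reject = params.get("rfc/reject_expired_passwd", 0) == 1
        return "rfc-logon-at-risk" if check_now or (expired and reject) else "no-immediate-effect"
    # DIALOG: prompted at password logon; background job steps are not affected
    return "prompt-at-next-logon" if check_now or expired else "prompt-at-expiry"

def assess(current=CURRENT, planned=PLANNED, users_csv=USERS):
    old = parse_profile(current)
    new = {**old, **planned}               # profile as it will look after the change
    changed = sorted(k for k in new if new[k] != old.get(k))
    rows = csv.DictReader(io.StringIO(users_csv))
    return changed, {r["user"]: impact(r["type"], int(r["pwd_age_days"]), new) for r in rows}
```

`assess()` returns the list of parameters that change and a per-user impact label; users flagged `rfc-logon-at-risk` are the external interfaces to test before the profile change goes live.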

0 Kudos

Can we use single sign-on using SAP logon tickets instead of password synchronization so that the user types of communication are not affected by the change in the password related profile parameters?

Or will they be affected even if we use SSO using logon ticket.

0 Kudos

It depends...

System type users cannot issue a logon ticket. Communication type users can...

Use SYSTEM type users, if that is your strategy (recommended!) and then delete their passwords to prevent misuse from other clients.

Cheers,

Julius

PS: if you are not familiar with this then you must be careful. You will have lots of enemies if you cause business process disruptions and will probably not have a second chance to secure your connections.

0 Kudos

We have external applications connecting to SAP using the communication user type and I found out that they are using SSO using logon tickets. So the applications using communication user types will not be impacted by the changes to security parameters.

Since changing communication user types to System users would cause an issue, as they do not issue logon tickets, I am planning not to make any change to users who are of type communication.

0 Kudos

ISSUE

!