Application Development Discussions
Password expiry warning message

Former Member
0 Kudos

Hi all,

The password expiration time can be controlled using the parameter login/password_expiration_time.

Is there a parameter with which we can give a warning message saying that the user's password is about to expire, say in 5 days?

Thanks.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

No, there isn't one. The system prompts the user to change the password after the number of days in login/password_expiration_time. The user can change the password the next time he or she logs in.

If your users are getting the 'Password was not used for a long period and therefore deactivated' message, then the parameter you need to check is login/password_max_idle_productive (in productive password cases).

Yeah, I understand this feature is tempting when we see the security policy in Windows, where a user/admin can set a warning message for a certain number of days before expiration. But IMO there is no real need for one more parameter for this purpose.

12 REPLIES


Former Member
0 Kudos

I suspect that another problem is the issue of where to raise such a message, and whether it should be a warning, information or error.

Those same existing screens which permit access to messages and field symbols prior to loading the user's session and authorizations might not find information messages to be acceptable to the user's reaction.

After the login is completed, you can easily use the SAPGui logon exit to issue such information, but it only applies if a SAPGui session context is attached.

Personally I find the sudden "Change your password" popup tempting to use a weaker one, or silos, or the name of something on my desk which I then make a mental "snapshot" of to avoid post-its under my keyboard...

Giving people a "warning" would on the other hand encourage timely synchronization of passwords more than they are already attempted (via unencrypted routes and weaker hashing, which makes the weakest link applicable for all).

SSO solves much of this, but has its own risks. If you really dig deep, then SSO is not more secure than a very good password policy and smart end users....

Cheers,

Julius

Former Member
0 Kudos

Well, though I have not done that, I think it is possible to create a small piece of code which checks table USR02 for the field USR02-TRDAT (last logon date) against sy-datum (current system date) and, based on the calculation (e.g. if sy-datum minus USR02-TRDAT is greater than or equal to, say, 60 days), selects the user ID and sends an email to them. Put this program in a batch job to run daily. Talk to your developer and they might be able to do it if you really need it.

Just to add, if you really want it, there is a function module in the SDN wiki that will take the user ID and the email ID from your program and use it to send email to the user's email address and SAP Business Workplace inbox.

[Message to External email id and SAP User id via ABAP|http://wiki.sdn.sap.com/wiki/display/ABAP/SendMessagetoExternalemailidandSAPUseridvia+ABAP]

Edited by: Nishant Sourabh on Jan 21, 2011 3:19 AM : Added the wiki link with the FM for sending email

Edited by: Nishant Sourabh on Jan 21, 2011 3:24 AM

0 Kudos

> Put this program in a batch job to run daily.

Hmmm... would this not encourage people to logon simply to keep their password active? That's cheating...

My understanding was that they must actually logon, for the warning to appear that their password will expire within the next xxx days. I.e. you want to give them a fair chance to make the change and think of a good password, but not wake "sleeping dogs".

Another related and cool feature is a message after successful authentication stating for example:

xxx failed logon attempts occurred since the last time you logged in:
19.01.2011  12:37:01  IP=123.456.78.90 - this is your current workstation
20.01.2011  09:42:51  IP=123.456.78.90 - this is your current workstation
21.01.2011  18:38:22  IP=987.654.32.10 - this is NOT your current workstation

Cheers,

Julius

0 Kudos

Hi Nishanth,

I think the logic you mentioned is to inform the users that they are inactive in the system for a certain period of time.

What I am looking for is a feature that will inform or warn the users (who have successfully logged in) that their current password is going to expire in certain number of days .

If the SAP logon exit is used, I think it will apply only for GUI logon and will not be invoked when the user is logging in from the web. Correct me if I am wrong.

Thanks.

Edited by: Neha Kapoor on Jan 21, 2011 4:24 PM

0 Kudos

> If the SAP logon exit is used, I think it will apply only for GUI logon and will not be invoked when the user is logging in from the web. Correct me if I am wrong.

Correct. The exit is only executed by the SAPGui Logon program using the DIAG protocol.

Users logging on via other protocols communicating with the ABAP system are not affected. This includes RFC communication.

Cheers,

Julius
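As an added example (not code from this thread or from SAP), here is how the GUI-only logon exit idea could be realised: a small global helper class computes the days left from USR02-PWDCHGDATE and login/password_expiration_time, and the customer include of enhancement SUSR0001 (function module EXIT_SAPLSUSF_001) issues an information message when only a few days remain. Assumptions not confirmed by the page: that USR02-PWDCHGDATE is maintained on your release (new password hash versions), that SXPG_PROFILE_PARAMETER_GET returns the parameter value as a character field, and the names ZCL_PWD_EXPIRY, ZXUSRU01 and the 5-day threshold, which are all hypothetical. As Julius notes, this runs only for SAP GUI (DIAG) logons; web and RFC logons never reach it.

```abap
*&---------------------------------------------------------------------*
*& Hypothetical global class ZCL_PWD_EXPIRY (SE24): days until the
*& password of a user expires. Negative = already expired.
*& Assumptions: USR02-PWDCHGDATE holds the last password change date,
*& and SXPG_PROFILE_PARAMETER_GET reads login/password_expiration_time.
*&---------------------------------------------------------------------*
CLASS zcl_pwd_expiry DEFINITION PUBLIC FINAL CREATE PRIVATE.
  PUBLIC SECTION.
    "! ev_relevant = abap_false when no expiry applies to this user:
    "! parameter 0 (never expires), non-dialog user, or no password set.
    CLASS-METHODS days_left
      IMPORTING iv_user     TYPE xubname
      EXPORTING ev_days     TYPE i
                ev_relevant TYPE abap_bool.
ENDCLASS.

CLASS zcl_pwd_expiry IMPLEMENTATION.
  METHOD days_left.
    DATA: lv_param  TYPE c LENGTH 60,   " raw parameter value (assumed char)
          lv_expiry TYPE i,
          ls_usr02  TYPE usr02.

    CLEAR: ev_days, ev_relevant.

    " login/password_expiration_time: 0 or empty means passwords never expire
    CALL FUNCTION 'SXPG_PROFILE_PARAMETER_GET'
      EXPORTING
        parameter_name  = 'login/password_expiration_time'
      IMPORTING
        parameter_value = lv_param
      EXCEPTIONS
        OTHERS          = 1.
    IF sy-subrc <> 0 OR lv_param IS INITIAL OR lv_param CO ' 0'.
      RETURN.
    ENDIF.
    lv_expiry = lv_param.

    " Only dialog users (USTYP = 'A') with a password that was ever changed
    SELECT SINGLE * FROM usr02 INTO ls_usr02 WHERE bname = iv_user.
    IF sy-subrc <> 0 OR ls_usr02-ustyp <> 'A' OR ls_usr02-pwdchgdate IS INITIAL.
      RETURN.
    ENDIF.

    " expiry date = last change + parameter days; difference to today in days
    ev_days     = ( ls_usr02-pwdchgdate + lv_expiry ) - sy-datum.
    ev_relevant = abap_true.
  ENDMETHOD.
ENDCLASS.

*&---------------------------------------------------------------------*
*& Include ZXUSRU01 - customer include of enhancement SUSR0001
*& (EXIT_SAPLSUSF_001), executed after a successful SAP GUI logon only.
*&---------------------------------------------------------------------*
CONSTANTS gc_warn_days TYPE i VALUE 5.      " hypothetical threshold

DATA: gv_days     TYPE i,
      gv_relevant TYPE abap_bool.

zcl_pwd_expiry=>days_left( EXPORTING iv_user     = sy-uname
                           IMPORTING ev_days     = gv_days
                                     ev_relevant = gv_relevant ).

" Warn only inside the window; an already expired password (gv_days < 0)
" is handled by the system's own forced change, so no extra popup there.
IF gv_relevant = abap_true AND gv_days BETWEEN 0 AND gc_warn_days.
  " Type I: informs the user, does not abort the logon
  MESSAGE |Your password expires in { gv_days } day(s). Please change it soon.|
          TYPE 'I'.
ENDIF.
```

The same helper class could feed the daily batch report suggested earlier in the thread (loop over dialog users in USR02, mail through CL_BCS), but, as Julius points out, that reaches users who are not logging on anyway. Keeping the check in the logon exit ties the warning to an actual session, at the price that only DIAG logons see it.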

0 Kudos

Yep, I misinterpreted the question actually. For SAPGUI, I can still think of using the USH02 table and your password expiration parameter to code something, but for Web, as you and Julius have already mentioned, it would not work.

Actually, IMO this would be a cool feature to have... does anybody else have any idea?

Julius: Is it possible to have this on our Security wishlist?

0 Kudos

Hi Nishant,

It is already on the wishlist, as it has been discussed a few times before already.

> USH02

FYI: USH02 is almost obsolete now, depending on your password compatibility with the old code version A and B hashing mechanisms.

Change documents are now written to CDHDR and CDPOS tables and the length of history to be kept is recorded in USRPWDHISTORY.

This is a nice example of why using released API functions is much more reliable than remembering the names of tables...

Cheers,

Julius

0 Kudos

> USH02
>
> FYI: USH02 is almost obsolete now, depending on your password compatibility with the old code version A and B hashing mechanisms.
>
> Change documents are now written to CDHDR and CDPOS tables and the length of history to be kept is recorded in USRPWDHISTORY.
>
> This is a nice example of why using released API functions is much more reliable than remembering the names of tables...
>
> Cheers,
> Julius

Thanks for the info, Julius!! I did not know that our good old USH tables are getting obsolete now...

0 Kudos

Hi,

You could use a custom HTTP handler for any services provided via ICM, such as Web Dynpro and BSP applications. For example, redirecting the user to a custom page with the info and a link to redirect back. Obviously, you have to be more careful here, for example redirecting only once a day.

Cheers

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, up to now this feature request was not added to the "[wish list|http://wiki.sdn.sap.com/wiki/display/Security/SecurityFunctionalityWishlist-Topics]"

0 Kudos

Yes, you are correct.

The ability to warn about failed password based authentication was added but not the ability to warn about a (configuration and user type dependent) warning to change the password in advance.

I will add it, but suspect some complexity here...

What about the warning that idle passwords will become effective as of xx.xx.xxxx or current policy would request a change in xxx days time which is yyy days prior the validity date? (system and now client dependent configuration dependencies).

Customers bugger around a lot in USR02 and client / system copies create additional confusion - particularly in QAS systems which should automatically be "the same" but relieved of any production system requirements and everything should be the same as it was before after the copy.

Idea: A configurable password "warning" based on the client role ("TEST") which automatically deletes the password and locks the user ID regardless of the authentication type if the user type NE 'SYSTEM' or 'SERVICE' and NE <special user group>, in which case all roles are set to validity date 31.12.9999 for the users in the group.

That will work nicely, but certainly confuse the hell out of some other "auditor tools" which 9 times out of 10 download data from the system for external evaluation... e.g. they have severe trouble with the idle password parameter dependencies and produce a lot of nonsense... many customer reports also produce a lot of nonsense or no data at all.

Anyway, that is their fault for disrespecting APIs...

Cheers,

Julius