Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Impact of changing the user type of users from Communication to System user

Former Member

‎11-08-2011 11:26 AM

0 Kudos

Hi Experts,

Due to change in password policy we are required to make changes to below mentioned profile parameters and hence would like to know your advice on few questions :

login/min_password_lng

login/password_max_idle_initial

login/password_change_waittime

login/password_charset

Below mentioned are the purpose of communication users in the existing landsacpe:

Standard sap user used for RFC connections

communication user which is to be used for the Segregation of Duties proof of concept work

RFC Connection for Central User Admin

User for creating RFC connection with the Gentran application

Used for the ALE connection between SAP R/3 and OPS SAP systems .

For the Travel & Expenses application ( Infor XM ) to call a HTTP service held on SAP system to retrieve exchange rate information. Duration = forever

Created to communicate with the Production System via RFC Connection

Running scheduling background jobs and interfaces

Standard sap user used for RFC connections with utilites like Ixos,HPOMS.

1.In our existing landsacpe there are certain users with user type as communication , as per SAP note 862989 only Service and System users are exempt from password policy so will it be fine to change the user type of the existing users from communication to system users ? Will there be any sort of issue if the user type of the exisiting users is changed from communication to system , please provide your suggestion w.r.t the password parameter that are mentioned above ?

2.Both system as well communication users can be used in RFC connection , what else are the points that should be taken care while decidiing the user type of users or system and communication users are interchangable (apart from the password policy restriction for communication users ) ?

13 REPLIES 13

Bernhard_SAP
Employee
Employee

‎11-09-2011 10:14 AM

0 Kudos

Hi,

I am aware of only one impact, and that is, that system users don't get logontickets. But if you don't use such (sso)scenarios, no impacts..... Licensing should also not be an issue from my knowledge....

b.rgds, Bernhard

Former Member

‎11-09-2011 2:01 PM

0 Kudos

login/password_max_idle_initial also applies to Communication type users and will lock the password!

Same for login/password_max_idle_productive and compliance_with_current_policy!

System users can accept logon tickets, but not issue them.

Cheers,

Julius

Former Member
In response to Former Member

‎11-22-2011 1:46 PM

0 Kudos

HI Julius,

Thanks for your valuable inputs , however appreciate if you can please highlight what is possibility of implementing the below mentioned requirements :

As per the new password standards for our client , there are certain categories of users like the administrators and the emergency users for which the password length is different for the rest of the user accounts , in addition to the password length admin accounts need not be locked in any situation ( parameter : login/fails_to_user_lock and login/password_change_waittime) and there has to no restriction on the password expiry period which is currently set at 90 days for all the users . ( setting them as service users which are exempted from the password policy ? )

Please provide your inputs on whether its possible to achieve the above explained requirement with help of profile parameters ?

As per the SAP documentation I know there is one such parameter i.e. login/password_logon_usergroup which allows the flexibility based on user groups , Is there any such profile parameter which allows this sought of solution for password length , account lockout , lockout duration and password expiry ?

Former Member
In response to Former Member

‎11-22-2011 3:22 PM

0 Kudos

Yes, this is possible but not widely known (yet).

See --> https://wiki.sdn.sap.com/wiki/display/Security/Solved-Abilitytoassignsecuritypoliciestospecific+users

It is however only available as of release 7.30 Ehp 1 - however that is available already so you only need to upgrade and everything should be fine...

Cheers,

Julius

Former Member
In response to Former Member

‎11-22-2011 5:18 PM

0 Kudos

Hi,

I checked the corresponding post on SDN however can you please explain in detail as to where these options are available ?

Please mention under which transaction I need to check these new policies ?

Our system is at Kernel Level 701SP 69.

Below is details from the post :

Well, all users of group "BASIS" could be assigned to a Security Policy "BASIS" which contains a Security Policy Attribute "PASSWORD_HISTORY_SIZE" being set to value "1" - while other users will be assigned to other Security Policies which specify other PASSWORD_HISTORY_SIZE values. That's all.

Any detailed information or SAP documentation on this that explain about this new options will be quite useful .

Former Member
In response to Former Member

‎11-22-2011 8:20 PM

0 Kudos

They will not be available for you yet, but when they are then you can create the policies in customizing.

The UIs to assign the policies will appear on the Logon Data tab in SU01. I assume that the user BAPIs will also be extended and the SUIM reporting and of course the logon program itself too. So it takes a bit of time and the downward compatibility was solved by eliminating it.

So you have to upgrade to get there.

Cheers,

Julius

mvoros
Active Contributor
In response to Former Member

‎11-23-2011 2:44 AM

0 Kudos 
> It is however only available as of release 7.30 Ehp 1 - however that is available already so you only need to upgrade and everything should be fine...

As far as I know you can't run ECC on top of 7.3. So we need wait for 7.03. If I am not mistaken then 7.03 is same as 7.31. They finally merged these two branches.

Cheers

Former Member
In response to Former Member

‎11-23-2011 7:44 AM

0 Kudos

I have a mental block against understanding SAP's release naming conventions:

Wolfgang Janzen wrote:

The start release is 7.03 / 7.31 (SAP_BASIS component).

So, yes. You are correct and I got it wrong again.. ;-(

Cheers,

Julius

Former Member
In response to Former Member

‎11-23-2011 8:22 AM

0 Kudos 
I have a mental block against understanding SAP's release naming conventions:

Nobody, including SAP employees, understand them anymore...

Olivier

mvoros
Active Contributor
In response to Former Member

‎11-23-2011 10:51 PM

0 Kudos

Actually, it's more complex. 7.03 is equal to 7.31 but only for ABAP. It's not true for Java stack. It also seems like I was wrong and SAP Business Suite is released for Netweaver 7.3. More info in [SAP presentation|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70096c68-b5e6-2e10-899f-ba197cf5c5d7?QuickLink=index&overridelayout=true].

Cheers

Former Member

‎11-11-2011 6:09 AM

0 Kudos

Hi,

There should not be any impact for the changes of the user type from communicatio to System.

Regards,

Sandip

Former Member
In response to Former Member

‎11-11-2011 6:33 AM

0 Kudos 
should not

Read the above mentioned SAP note and the documentation of the parameters mentioned. They explicitly state that there will be an impact if you do not change the user type.

Cheers,

Julius

Former Member

‎12-07-2011 9:17 AM

0 Kudos

Hi All,

Thanks so much for your valuable suggestions ..It helped me a lot