Application Development Discussions

Password Complexity Options (3 of 4) with IdM Integration

Former Member
0 Kudos

All:

I have been looking for SAP Notes and throughout SNC to see if SAP ABAP can implement the "OR" function when it comes to the Password Complexity validations. We would like to set the parameters (see below) to check incoming passwords with an "OR" statement. For example, most passwords in our organization will be reset from Active Directory or IBM Tivoli and pushed down into the SAP ABAP as a productive password (for password sync). Since the options at Active Directory / Tivoli level check for 3 of the 4 options when validating passwords, SAP will not.

login/min_password_digits = 1

login/min_password_letters = 1

login/min_password_lowercase = 1

login/min_password_specials = 1

login/min_password_uppercase = 1

Example1: 1Password$ (AD/Tivoli = Password is validated; SAP = Password is validated)

Example2: Password$ (AD/Tivoli = Password is validated; SAP = Password will FAIL)

Does anyone have any SAP Notes or technical documents on how to meet the requirement of password complexity validations on SAP with an "OR" statement (meaning 3 of the 4 options must be met)? As a last resort we are looking to change the Active Directory / Tivoli password complexity requirements to become an "AND" statement to where 3 of 3 or 4 of 4 must be met.

NOTE: SAP password complexity must be set because local accounts/admin accounts/system/service accounts are not being integrated with AD/Tivoli and we need to enforce password rules on them.

Any and all help is greatly appreciated.

Matt U.
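As an added illustration (not code from the thread), the following Python models the AND-combined login/min_password_* profile from the question beside a directory-style "n of 4 character classes" rule and lists the passwords the directory would accept but the ABAP system would reject; the function names, the sample passwords beyond the two from the question, and the treatment of a "special" as any non-alphanumeric, non-whitespace character are assumptions.

```python
# Added example, not code from the thread: model the AND-combined SAP profile
# parameters from the question next to a directory-style "n of 4 classes" rule.

# The five login/min_password_* parameters from the question, all set to 1.
SAP_PROFILE = {
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_specials": 1,
    "login/min_password_uppercase": 1,
}

# Constructed sample passwords; the first two are the examples from the question.
SAMPLE_PASSWORDS = ["1Password$", "Password$", "password1$", "PASSWORD1$", "Passw0rd", "pass"]


def char_class_counts(pw):
    """Count characters per class. Assumption: a 'special' is any character
    that is neither alphanumeric nor whitespace."""
    return {
        "digits": sum(c.isdigit() for c in pw),
        "letters": sum(c.isalpha() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "specials": sum(not c.isalnum() and not c.isspace() for c in pw),
    }


def sap_policy_ok(pw, profile=SAP_PROFILE):
    """AND-combined: every login/min_password_* minimum must be met."""
    counts = char_class_counts(pw)
    return all(counts[param.rsplit("_", 1)[1]] >= minimum
               for param, minimum in profile.items())


def directory_policy_ok(pw, required=3):
    """Directory style: at least `required` of the four classes
    digit / lowercase / uppercase / special must be present."""
    counts = char_class_counts(pw)
    present = sum(counts[k] > 0 for k in ("digits", "lowercase", "uppercase", "specials"))
    return present >= required


def accepted_by_directory_but_rejected_by_sap(passwords, required=3):
    """Passwords a sync from the directory would push to ABAP, where they then fail."""
    return [pw for pw in passwords
            if directory_policy_ok(pw, required) and not sap_policy_ok(pw)]


if __name__ == "__main__":
    print("3 of 4:", accepted_by_directory_but_rejected_by_sap(SAMPLE_PASSWORDS, 3))
    print("4 of 4:", accepted_by_directory_but_rejected_by_sap(SAMPLE_PASSWORDS, 4))
```

With required=4 the directory rule implies every SAP minimum in this profile (a letter is already implied by the lowercase and uppercase requirements), so the disagreement list becomes empty; that is the "AND" alignment the question mentions as a last resort.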

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Short answer: no, that's not possible - all password policy rules are AND-combined.
When allowing arbitrary boolean operators (AND, OR, NOT) the resulting password policy would be quite complex - yes, it would be powerful, but it would also be hard to explain / to comprehend.

5 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

I don't think this is possible. But in the new NetWeaver release there should be some improvements in this area. I know that you should be able to assign different policies to different groups of users. But I don't know if you can specify more complex policies (in your case with logical OR).

Cheers

Former Member
0 Kudos

Thought long and hard about this, but also cannot see a way to achieve it.

Even relaxing the AD rule would not ensure which of the ABAP rules could be relaxed, as it is "1 of n".

But a very simple solution is actually possible --> a real SSO based on (for example) AD authentication, without any PWD synchronization. You should anyway give this solution preference over synchronization technologies or trust chains.

Cheers,

Julius


0 Kudos

Hi Wolfgang,

I think the problem is that some directory services offer this optional feature and SAP IdM offers the "hook" and ability to set the user's own productive password.

As long as the backend system can be missing one policy rule, it would have to relax them all.

I suspect this problem will not go away...

Cheers, Julius

0 Kudos

In general, it will not be possible to ensure that a chosen password will be compliant with all password policies of all systems - especially when dealing with inhomogeneous systems in a large landscape.

The conclusion might be: use a central authentication service, e.g. a SAML 2.0 Identity Provider.