Disable password change for new user

Former Member · ‎12-11-2006

Hi All,

Does anyone know is there a possiblity of disabling password change for the new user ? ( Meaning new user will not get any password changing prompt when he first login to the system).

Regardss

Lauran

former_member185864 · ‎12-11-2006

Hi Lauran kerry,

Yes we have 2 ways to disabling password change for new user.

Method 1: Disabling password change for only perticular new user through Visual Admin(VA).

Please follow below steps:

1. Login to UI-URL "http://<host>:<Port>/useradmin/index.jsp" with "Administrator"

2. Create one user and give initial password.

Ex: New UserID: SDNUser; Password: init1

3. Start the Visual Admin Tool;Goto D:\usr\sap\<Inst-ID>\JCxx\j2ee\admin --> go.bat

Example: D:\usr\sap\F04\JC04\j2ee\admin --> go.bat

4. Login with admin user.

5. Go to Server 0 xxxx --> Services --> Security Provider --> User Management

4. Then edit the VA; Search for new user(SDNUser) which is created in UI.

5. Select that user(SDNUser) and Check OK for “No password change required” for user.

6. Login with New User(SDNUser/init1). UI will not ask change password.

Method 2: Disabling password change for all new user through Configtoll.

Please follow below steps:

1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat

Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat

2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service

3.Double-click on the property "ume.logon.security_policy.password_change_allowed = FALSE"

4.Save.

5.Restart the engine.

6. Login to UI-URL "http://<host>:<Port>/useradmin/index.jsp" with "Administrator"

7. Create new users and give initial passwords.

Ex: New UserID: SDNUser-1; Password: init1

8. Login with new users like SDNUser-1 / init1. UI will not ask change password.

Thanks,

Nagaraju

morten_nielsen · ‎12-11-2006

Hi

If you create the user as a service user (in user type on the logon data tab) this user will never be prompted for changing password. - From at security point of view - you should of course limit the use of this type of users.

Regards

Morten Nielsen

WolfgangJanzen · ‎12-11-2006

The reason for the requirement to change the password after the first logon is: the password has been set by the admin and is therefore known to the admin - however, a password should be only known to the user.

So, it is a security measure (which cannot be deactivated in ABAP systems).

Using a SERVICE user has other implications (see <a href="https://service.sap.com/sap/support/notes/642464">SAP Note 642464</a>), so it's not really an option.

If your application allows users to request a new account (=> self-registration) then you should consider using the appropriete API function (ABAP systems: see <a href="https://service.sap.com/sap/support/notes/830493">SAP Note 830493</a>).

Cheers, Wolfgang

Former Member · ‎12-12-2006

guys,

easiest way is, change the password of a user, then login as that user and after getting prompt, change it to permenant password.

WolfgangJanzen · ‎12-12-2006

Well, of course that cannot be avoided by the system - but the user should get alerted if the system does not prompt him to change his password which he has been told by the admin ...

It's actually very similiar to PINs of credit cards or online banking - usually you can change them and typically you are kindly informed about that ability (and it's also recommended to do so). In contrast to passwords such PINs are generated by a machine and send to you without a human being having seen it before - but you never know ... (and obviously the bank does also not have unlimited trust in their own mechanism).

Cheers, Wolfgang

Former Member · ‎12-29-2006

Hi,

There is one way to disable the password request for everytime you login.

You have to use third party tools like we use "Keon".

Using the third party software , first the user has to login to Keon and later he can directly login to any SAP system as well user internet.

This is SIngle Singon(SSO) concept, using SNC string.

Under SNC tab in SU01 the user must have SNC string and "Unsecure communication permited" must be unchecked to enable user to login using Keon.

If the user doesn't have SNC string or if there is SNC String and there is a check against "Unsecure communication permited", then user will nto be able to use Secure connection.

Cheero

Pradeep Gali

WolfgangJanzen · ‎01-02-2007

Well, avoiding to use password-based user authentication (by using SSO mechanisms instead) resolves the problem of password changes - but only if the user does not have the option to logon to the system using his (existing) password in addition (see <a href="https://service.sap.com/sap/support/notes/869218">SAP Note 869218</a>).

"Keon" is then only an example of SNC solutions - although it does not seem to be a certified solution, at least it is not listed on the <a href="http://www.sap.com/partners/directories/ProductSearchResults.epx?context=21B87D61C0F646A215C3710256DFC9D4C9E6D8C96AC2ED69F09E0FFFFC5877D22B29FC7CF6061524E9AE9D6304DC5E54D913733DD3EFA69CD632258FB4FFAC4277CBA82EDF68A45914D042BC5614094B635A67635F752DB62487A54123AC1495F709995579C87BE53675131631A4759229A11A03F108D862%7c6F12B862C581661D8500A3DD09DCD602CA61858146D8A3E4267CA4DD00D4644BF033654CFCB8A2FCE91941815A779613BE6F27BEE111343324229F3DF5A964AC8CBF5952F54DE70680C955A26EA637563080423385662515B5CF6D196B9EE806AF7F3EE7D2853106">official SAP site</a>

Regards, Wolfgang

Former Member · ‎12-30-2006

Hi All,

There no way to do this way

Anaveer