01-11-2007 8:00 PM
Does anyone know if you can enter multiple User Groups in the parameter: login/password_logon_usergroup? If so, what is the format for entering multiple values?
Background information:
We are using SSO to authenticate to Enterprise Portal. From there, the user will launch SAPGUI to logon to the backend (ERP2005). The authentication method to the backend is SAP logon ticket.
We have implemented the parameter "login/disable_password_logon = 1" to globally disable password logon. We want to use the parameter "login/password_logon_usergroup" to allow several user groups to continue to log on via username and password.
Thanks in advance,
Mike
01-11-2007 8:10 PM
No, you can't. The profile parameter is designed to hold only a single value. Sorry.
Cheers, Wolfgang
01-11-2007 8:10 PM
No, you can't. The profile parameter is designed to hold only a single value. Sorry.
Cheers, Wolfgang
01-11-2007 8:49 PM
Thank you for the quick response.
It would be a nice feature for future releases to use multiple groups. We are a hosted system, and they use different groups than we do.
Best regards,
Mike
01-12-2007 11:25 AM
Well, the problem is: there are too many ideas for "nice features".
Since development resources are limited we need to focus on the important issues. So, if there is a "strong demand" for a feature (not just "nice to have") then please submit this as development request inquiry. I know that this is quite some effort - but that's the first step to take (to differentiate between "nice to have" and "really important" feature requests).
Cheers, Wolfgang
01-12-2007 2:54 PM
Thanks for the recommendation. I think it would be a "nice to have". I can still accomplish the end result by deactivating the passwords of the SSO users via SU10.
However, I did find that I even users in the single group named in this parameter could not logon after I changed it to a single group. I tried a couple different values. Do you have any suggestions of things to look at before submitting an OSS message? The system is ECC 6.0 (NW2004s)
Thanks,
Mike
01-12-2007 3:19 PM
Thanks for being honest (-> "nice to have").
Yes, SU10 can be used to accomplish about the same - just that it lacks the required option to "deactivate" passwords. Or at least I have not been able to identify such an option ...
Regarding login/password_logon_usergroup:
did you specify the name of the user group in upper letters? (same as displayed in SU01)
Cheers, Wolfgang
01-16-2007 6:32 PM
01-17-2007 8:01 AM
Hmm - can you analyse the problem by tracing (according to <a href="https://service.sap.com/sap/support/notes/495911">SAP Note 495911</a>)?
08-29-2008 1:03 PM
Hai, A little late but this parameter is actualy to exclude a group of users to use the password.
If you start page http://help.sap.com/saphelp_nw04/helpdata/EN/22/41c43ac23cef2fe10000000a114084/content.htm
your request is answered correctly (deactivation of password usage)
KR
Hans
08-29-2008 1:11 PM
> Hai, A little late but
How's that for an understatement.
Why did you post it? And why the "S.Admin" display name if you're called Hans?
Just curious.
04-11-2016 12:24 PM
Update:
As of SAP_BASIS 7.31 there's a new concept called "Security Policies".
For users who are assigned to a Security Policy the profile parameter parameters (such as "login/password_logon_usergroup") are no longer relevant; instead, the Security Policy (and its contained Security Policy Attributes) is evaluated.
Like PFCG roles, a Security Policy can be created (using t-code SECPOL) and then assigned to users (using t-code SU01 and SU10). Security Policies are client-specific customizing settings and can be transported.
Best regards,
Wolfgang