Solved: Profile Parameter: login/password_logon_usergroup

Former Member · ‎01-11-2007

Does anyone know if you can enter multiple User Groups in the parameter: login/password_logon_usergroup? If so, what is the format for entering multiple values?

Background information:

We are using SSO to authenticate to Enterprise Portal. From there, the user will launch SAPGUI to logon to the backend (ERP2005). The authentication method to the backend is SAP logon ticket.

We have implemented the parameter "login/disable_password_logon = 1" to globally disable password logon. We want to use the parameter "login/password_logon_usergroup" to allow several user groups to continue to log on via username and password.

Thanks in advance,

Mike

WolfgangJanzen · ‎01-11-2007

No, you can't. The profile parameter is designed to hold only a single value. Sorry.

Cheers, Wolfgang

WolfgangJanzen · ‎01-11-2007

No, you can't. The profile parameter is designed to hold only a single value. Sorry.

Cheers, Wolfgang

Former Member · ‎01-11-2007

Thank you for the quick response.

It would be a nice feature for future releases to use multiple groups. We are a hosted system, and they use different groups than we do.

Best regards,

Mike

WolfgangJanzen · ‎01-12-2007

Well, the problem is: there are too many ideas for "nice features".

Since development resources are limited we need to focus on the important issues. So, if there is a "strong demand" for a feature (not just "nice to have") then please submit this as development request inquiry. I know that this is quite some effort - but that's the first step to take (to differentiate between "nice to have" and "really important" feature requests).

Cheers, Wolfgang

Former Member · ‎01-12-2007

Thanks for the recommendation. I think it would be a "nice to have". I can still accomplish the end result by deactivating the passwords of the SSO users via SU10.

However, I did find that I even users in the single group named in this parameter could not logon after I changed it to a single group. I tried a couple different values. Do you have any suggestions of things to look at before submitting an OSS message? The system is ECC 6.0 (NW2004s)

Thanks,

Mike

WolfgangJanzen · ‎01-12-2007

Thanks for being honest (-> "nice to have").

Yes, SU10 can be used to accomplish about the same - just that it lacks the required option to "deactivate" passwords. Or at least I have not been able to identify such an option ...

Regarding login/password_logon_usergroup:

did you specify the name of the user group in upper letters? (same as displayed in SU01)

Cheers, Wolfgang

Former Member · ‎01-16-2007

Yes, the parameter was specified in caps.

WolfgangJanzen · ‎01-17-2007

Hmm - can you analyse the problem by tracing (according to <a href="https://service.sap.com/sap/support/notes/495911">SAP Note 495911</a>)?

Former Member · ‎08-29-2008

Hai, A little late but this parameter is actualy to exclude a group of users to use the password.

If you start page http://help.sap.com/saphelp_nw04/helpdata/EN/22/41c43ac23cef2fe10000000a114084/content.htm

your request is answered correctly (deactivation of password usage)

KR

Hans

jurjen_heeck · ‎08-29-2008

> Hai, A little late but

How's that for an understatement.

Why did you post it? And why the "S.Admin" display name if you're called Hans?

Just curious.

WolfgangJanzen · ‎04-11-2016

Update:

As of SAP_BASIS 7.31 there's a new concept called "Security Policies".

For users who are assigned to a Security Policy the profile parameter parameters (such as "login/password_logon_usergroup") are no longer relevant; instead, the Security Policy (and its contained Security Policy Attributes) is evaluated.

Like PFCG roles, a Security Policy can be created (using t-code SECPOL) and then assigned to users (using t-code SU01 and SU10). Security Policies are client-specific customizing settings and can be transported.

Best regards,

Wolfgang