
Set password NOT to expire upon next logon - how to?

Former Member
0 Kudos

We are using a 3rd party tool to reset passwords on our systems.

I understand there is a way to flag a password NOT to automatically expire upon next logon.

Does anyone know how this is accomplished?

If a password is reset manually by our call center, we would like it to expire. But, if it is set using this tool, we would like to flag it not to expire.

Any ideas?

7 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

What kind of "systems" are you referring to?

I suppose it's an ABAP system (not an NWAS Java).

Please notice that ABAP systems have a strict password policy:

- passwords can either be changed by a user (providing the correct old password), or

- passwords can be set by an administrator (authorizations required); since the password was not set by the user itself, the user will be prompted to change that password on the next subsequent logon

Both are possible via APIs as well as via delivered user interfaces.

But both types of operations are totally different (targeting different user groups) and need not to be mixed up.

Since you are referring to "3rd party tools to reset passwords" that clearly falls into the 2nd category (administrative operation). Well, obviously you agree with me that "if a password is reset manually by [y]our call center" it needs to be changed by the user afterwards. I'm surprised to see that you expect a different system reaction when this "password reset" is performed by that tool. What is that tool doing differently? Who is supposed to use that tool? What if that tool is used by the call center agents?

Please provide some insight.

Regards, Wolfgang

0 Kudos

The tool is actually a self-service password reset tool, where the user is indeed really resetting their own password. But, the tool uses an administrator logon to reset the password, therefore, the password automatically expires upon next logon, as expected.

The user must first be authenticated to our network as themselves, then provide several pieces of information only they know, or the password will not be reset by the tool.

The Call Center can't use this tool, because they can't authenticate as the user. They also don't have access to the tool to reset passwords, nor can they impersonate the user due to other controls.

I think your reply and the reply prior to that have answered my question. I was fairly certain these would be the answers, and this is satisfactory.

0 Kudos

And in answer to your other question, it is an ABAP system, not NWAS Java.

Thank you for your helpful replies.

0 Kudos

Well, how does that "self-service password reset tool" prevent misuse?

It somehow needs to authenticate the user - otherwise one user could simply reset the password of another user; even if he would not obtain the new password (e.g. in case it would be sent to the user via mail) that would be at least "annoying" (and could end up as a "denial-of-service" attack if resetting the passwords of thousands of users).

On the other hand: if such authentication is possible (obviously without using the password) why not use that mechanism for authentication, then? I'm not sure whether you know about the various SSO mechanisms that can be used with SAP products.

Best regards,

Wolfgang

0 Kudos

As I stated above "The user must first be authenticated to our network as themselves, then provide several pieces of information only they know, or the password will not be reset by the tool."

Yes, I am aware that we can eventually use SSO, but we are not there yet. It is a complicated tale not worthy of this forum!

Thank you so much for your response, if the user did not authenticate, the tool would indeed be worthless.

Former Member
0 Kudos

Thanks everyone