
GRC AC 10: Possible Security Loophole in registration of security questions for PSS???

former_member184114
Active Contributor
0 Kudos

Hi All,

Has any one thought of a "possible" security loophole in registering security questions for PSS?

Let me tell you my scenario.

I have activated the End User Logon Page and I have following only two links enabled:

1. Register Self-Service Questions

2. Password Self-Service

Please pay attention to the scenario below:

When an End User accesses this page, he has the above 2 links available to him. Suppose that somebody comes to know about my user id without my knowledge. Now he can access the End User Logon Page and click on "Register Self-Service Questions". Here my security questions are displayed and he can tweak and play with them and change my security questions/answers!!!

How can I control that?

The system does not ask for any security questions or anything like that while accessing "Register Self-Service Questions". This means that anybody who knows my SAP ID can access this link and change my security questions/answers. There is no security check!

Is there any way by which we can restrict/control this?

How is this being used/implemented in your business scenarios?

Please share.

Regards,

Faisal

Accepted Solutions (1)

Former Member
0 Kudos

Hi Faisal,

Please refer to the attached SAP Note 1666204 for detailed information on PSS.

If you have "end user verification required" checked, the user will be required to enter the ID and the password for that authentication system prior to requesting a password reset.

This means, if the user forgets their password on the actual authentication system, they will not be able to use password self service since they will not be able to authenticate. They will be able to request password resets for other SAP systems if they know the specific password for the SAP authentication system.

I would request you to please close this thread by marking it as "Answered", as I have provided the complete details over the CSS message.

Best Regards,

Nandita

former_member184114
Active Contributor
0 Kudos

Nandita,

Thanks for your kind help

Regards,

Faisal

Former Member
0 Kudos

In response to Nandita-

Hi, Nandita replied in her reply above: why would a user request a password reset if he/she already knows their password?

Answers (1)

former_member184114
Active Contributor
0 Kudos

Can anybody please update me on this?

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

I have replied to this thread in the CSS message. Kindly review the same.

Let us know if you still have any concerns.

Best Regards,

Nandita

former_member184114
Active Contributor
0 Kudos

Nandita,

I have sent it back to you again. Please do the necessary.

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

I have done the needful.

Best Regards,

Nandita