on 07-21-2012 1:13 PM
Hi All,
Has anyone thought of a "possible" security loophole in registering security questions for PSS?
Let me tell you my scenario.
I have activated the End User Logon Page and I have only the following two links enabled:
1. Register Self-Service Questions
2. Password Self-Service
Please pay attention to the scenario below:
When an End User accesses this page, he has the above 2 links available to him. Suppose that somebody comes to know about my user id without my knowledge. Now he can access the End User Logon Page and click on "Register Self-Service Questions". Here my security questions are displayed and he can tweak and play with them and change my security questions/answers!!!
How can I control that?
The system does not ask for any security questions or something like that while accessing the "Register Self-Service Questions". Which means that anybody who knows my SAP ID can access this link and change my security questions/answers? There is no security check!
Is there any way by which we can restrict/control this?
How is this being used/implemented in your business scenarios?
Please share.
Regards,
Faisal
Hi Faisal,
Please refer to the attached SAP Note 1666204 for detailed information on PSS.
If you have "end user verification required" checked, the user will be required to enter the ID and the password for that authentication system prior to requesting a password reset.
This means, if the user forgets their password on the actual authentication system, they will not be able to use password self service since they will not be able to authenticate.
They will be able to request password resets for other SAP systems if they know the specific password for the SAP authentication system.
I would request you to please close this thread by marking it as "Answered" as I have provided the complete details over the CSS message.
Best Regards,
Nandita
Can anybody please update me on this?
Regards,
Faisal