on 02-24-2014 7:57 PM
Hi All,
We are planning to implement the Password Policy for SAP users in our organization...
We want to change the following parameters:
Login/no_automatic_user_sapstar
Login/fails_to_session_end
Login/password_expiration_time
Login/min_password_digits
Login/min_password_letters
Login/min_password_special
Login/min_password_diff
So I have some questions.
First of all, this change will be applied in our productive system, SAP CRM ABAP 7.0 with MSSQL,
so I'm worried about communication users, because we have some important users that communicate with BPM (JAVA SAP) or ESB (JAVA IBM).
thank you..
Alfred
Alfredo,
To expand a bit on the answer to your first question, about when it will take effect, the answer is it depends. It's true that the parameters don't take effect for the system until a restart, but as for when, after that, they impact the users depends on several factors. Users will not be required to change their password until the expiration time has passed, but chances are that many of your users, if they've had accounts longer than the expiration time, will already be past that expiration time. In that case, they will be asked to change their password with their next logons following the restart. The exceptions will be people who have recently changed their password already or who have new user accounts.
As for the other parameters mandating password complexity, by default they will be applied the next time the user changes their password (which, for many, will be right away, as just described), but if the current password is not yet expired, it will be allowed to stand even if it doesn't meet the complexity rules until it does expire. You can change this, however, with another parameter: login/password_compliance_current_policy. By default this parameter is inactive, but if you set it to 1, then users with passwords that don't meet the current complexity requirement will be forced to change right away, even if they are not expired.
With regard to your second question, about the impact of the new policy on your Communication users, here is the basic layout of impacts:
User Type | GUI Logon | Password Rules |
---|---|---|
Dialog | Yes | Yes |
System | No | No |
Communications | No | Yes* |
Service | Yes | No |
So yes, Communications users are subject to the password rules, but as Sunny was saying, generally the rules only impact interactive logons, and Communications users don't log on interactively (GUI Logon). Still, if you want to be sure, you can change their type to System, and they still will not be able to log on interactively, and they will not be subject to password expiration. Either way, they also will not be counted during license measurement.
Best regards,
Matt
Assuming you are using SAPGUI:
Why not use Single Sign-On?
In this case you are using the password system of Windows and you are using the same password policy for your Windows accounts and your SAP accounts.
The password policy can be distributed by Domain Group Policies.
kind regards
Peter
Hi Alfredo,
Please go through the SAP Help. It will clarify the concepts regarding these parameters.
Profile Parameters for Logon and Password
Note: The parameters will take effect on the server after restarting the SAP instance.
Regards,
Hello,
Q-1: These parameters will be effective after a system restart. The system will not immediately ask users to change their password, but once the password has expired, it will ask them to change it.
Q-2: Only system and service users are exempted, and they will not be asked to change passwords. In the case of communication users, it will check whether the password is expired or not and, based on whether the call is interactive or non-interactive, it will ask to change the password.
Please refer to SAP note 327917 for more information.
Thanks,
Sunny
Many thanks for your answer,
but I have read SAP note 327917,
and now I have one more question.
That documentation says:
Communication user 'C'
Individual system access (personalized)
(*) With all non-interactive system accesses (that is, not using the SAPGUI),
the password change rule (which exists for all users except for system and
service users when passwords are initial or have expired) is not enforced by the
system if there is no interaction option. However, provided that you can execute
a password update dialog with the user (=> middleware, such as SAP ITS, for
example,),
!!It says that communication users in an interactive mode must respect the rules, and for non-interactive ones the rules are not enforced :S
But communication users' logon with SAPGUI is not possible, so I'm confused.
What does this mean: !!!!(
caller (interactive/not interactive).
Hello,
Non-interactive communication would be RFC calls, where RFC should work even after the password is expired. But if you set the parameter rfc/reject_expired_passwd to 1, then your RFC call will also not work, as it will check for an expired password.
Interactive communication will be there in systems like PI. Last line of SAP note 327917 states that "The user interaction (including handling error and exceptional situations) is provided here with the middleware (= RFC client)."
Thanks,
Sunny
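To make the rules from the replies above concrete, here is an added example (not SAP code and not from any poster) that models only what the thread states: the user-type table, login/password_compliance_current_policy, and rfc/reject_expired_passwd. The user records and the 90-day expiration value are constructed for illustration; only the name bpmcomm comes from the thread.

```python
from dataclasses import dataclass

EXEMPT = {"system", "service"}  # per the table above: not subject to password rules

@dataclass
class User:
    name: str
    utype: str          # dialog | system | communication | service
    pw_age_days: int    # days since the last password change
    pw_compliant: bool  # does the current password meet the new complexity rules?

@dataclass
class Policy:
    expiration_days: int            # login/password_expiration_time (0 = no expiry)
    compliance_current_policy: int  # login/password_compliance_current_policy
    reject_expired_passwd: int      # rfc/reject_expired_passwd

def impact(u: User, p: Policy) -> str:
    """Predict what the new policy does to one account after the restart."""
    if u.utype in EXEMPT:
        return "exempt"
    expired = p.expiration_days > 0 and u.pw_age_days > p.expiration_days
    forced = expired or (p.compliance_current_policy == 1 and not u.pw_compliant)
    if not forced:
        return "no change until expiry"
    if u.utype == "dialog":
        return "change at next logon"
    # Communication user: no GUI logon, so there is nobody to answer a prompt.
    if expired and p.reject_expired_passwd == 1:
        return "RFC logon rejected"
    return "change pending, not enforced on non-interactive RFC"

def report(users, p):
    return {u.name: impact(u, p) for u in users}

# Constructed sample accounts (illustrative only).
USERS = [
    User("JSMITH", "dialog", 200, False),
    User("NEWHIRE", "dialog", 5, False),
    User("BPMCOMM", "communication", 400, True),
    User("BATCH01", "system", 900, False),
]

if __name__ == "__main__":
    for planned in (Policy(90, 0, 0), Policy(90, 1, 1)):
        print(planned, report(USERS, planned))
```

Running it against an export of real accounts before the restart shows which interface users would start failing if rfc/reject_expired_passwd is also switched on.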
So, my only worry is my communication user.
For example, we have two communication users that work through RFCs; we have the BPM Portal, and the user bpmcomm is used each time a user clicks and a functionality calls an RFC from CRM.
This isn't an interactive way with the GUI, so this user would never change the password.
Is this true?