
Changing Login Parameters

Former Member
0 Kudos

Hi All,

We are planning to implement the Password Policy for SAP users in our organization...

We want to change the following parameters:

Login/no_automatic_user_sapstar

Login/fails_to_session_end

Login/password_expiration_time

Login/min_password_digits

Login/min_password_letters

Login/min_password_special

Login/min_password_diff

So I have some questions.

First of all, this change will be applied in our productive system, SAP CRM ABAP 7.0 with MSSQL.

  • What will be the impact when this change is applied? I mean, will the policies apply immediately, or will they, for example, not be reflected until a user asks for a reset or until the defined expiration time is reached?
  • What will happen with communication users? I have seen some documentation which mentions that only communication users of a certain type will be affected. I can't understand it. Does someone have experience doing that?

So I'm worried about communication users, because we have some important users that communicate with BPM (JAVA SAP) or ESB (JAVA IBM).

thank you..

Alfred

Accepted Solutions (0)

Answers (4)


Matt_Fraser
Active Contributor
0 Kudos

Alfredo,

To expand a bit on the answer to your first question, about when it will take effect, the answer is it depends.  It's true that the parameters don't take effect for the system until a restart, but as for when, after that, they impact the users depends on several factors.  Users will not be required to change their password until the expiration time has passed, but chances are that many of your users, if they've had accounts longer than the expiration time, will already be past that expiration time.  In that case, they will be asked to change their password with their next logons following the restart.  The exceptions will be people who have recently changed their password already or who have new user accounts.

As for the other parameters mandating password complexity, by default they will be applied the next time the user changes their password (which, for many, will be right away, as just described), but if the current password is not yet expired, it will be allowed to stand even if it doesn't meet the complexity rules until it does expire.  You can change this, however, with another parameter:  login/password_compliance_current_policy.  By default this parameter is inactive, but if you set it to 1, then users with passwords that don't meet the current complexity requirement will be forced to change right away, even if they are not expired.

With regard to your second question, about the impact of the new policy on your Communication users, here is the basic layout of impacts:

                            

| User Type      | GUI Logon | Password Rules |
|----------------|-----------|----------------|
| Dialog         | Yes       | Yes            |
| System         | No        | No             |
| Communications | No        | Yes*           |
| Service        | Yes       | No             |

So yes, Communications users are subject to the password rules, but as Sunny was saying, generally the rules only impact interactive logons, and Communications users don't log on interactively (GUI Logon).  Still, if you want to be sure, you can change their type to System, and they still will not be able to log on interactively, and they will not be subject to password expiration.  Either way, they also will not be counted during license measurement.

Best regards,

Matt

Former Member
0 Kudos

Assuming you are using SAPGUI:

Why not use Single Sign-On?

In this case you are using the password system of Windows, and you are using the same password policy for your Windows accounts and your SAP accounts.

The password policy can be distributed by Domain Group Policies.

kind regards

Peter

Former Member
0 Kudos

I didn't know that it could be possible, but most users use Web access, not just the GUI. In fact, we have installed SSO to auto sign in to the other portal, BPM (Java), but

former_member182034
Active Contributor
0 Kudos

Hi Alfredo,

Please go through SAP Help. It will clarify the concepts regarding the parameters.

Profile Parameters for Logon and Password

Note: The parameters will take effect on the server after restarting the SAP instance.

Regards,

sunny_pahuja2
Active Contributor
0 Kudos

Hello,

Q-1 These parameters will be effective after a system restart. It will not ask immediately to change the password, but when the password has expired, it will ask to change it.

Q-2 Only system and service users are exempted, and they will not be asked to change passwords. In the case of communication users, it will check whether the password is expired or not and, based on whether the call is interactive or non-interactive, it will ask to change the password.

Please refer to SAP note 327917 for more information.

Thanks,

Sunny

Former Member
0 Kudos

Thanks a lot for your answer,

but I have read SAP note 327917,

and now I have one more question.

That documentation says:

Communication user 'C'

Individual system access (personalized)

  • Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI.
  • Expired or initial passwords are checked but the conversion of the password change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*)

(*) With all non-interactive system accesses (that is, not using the SAPGUI), the password change rule (which exists for all users except for system and service users when passwords are initial or have expired) is not enforced by the system if there is no interaction option. However, provided that you can execute a password update dialog with the user (=> middleware, such as SAP ITS, for example,),

It says that communication users in an interactive mode must respect the rules, and for non-interactive ones the rules are not enforced :S

But for communication users, logon with SAPGUI is not possible, so I'm confused.

What does this mean:

caller (interactive/not interactive).

sunny_pahuja2
Active Contributor
0 Kudos

Hello,

Non-interactive communication would be RFC calls, where RFC should work even after the password has expired. But if you set the parameter rfc/reject_expired_passwd to 1, then your RFC call will also not work, as it will check for an expired password.

Interactive communication will be there in systems like PI. Last line of SAP note 327917 states that "The user interaction (including handling error and exceptional situations) is provided here with the middleware (= RFC client)."

Thanks,

Sunny
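
The rules from Matt's and Sunny's answers above, combined into a pre-rollout impact check (an added example, not code from the thread or from SAP). The profile values, the user export and its field names are constructed for illustration; only the parameter names and the user bpmcomm come from the thread.

```python
from datetime import date

# User types and (GUI logon possible, password rules apply), as in the table above.
USER_TYPES = {"Dialog": (True, True), "System": (False, False),
              "Communications": (False, True), "Service": (True, False)}

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def assess(user, params, today):
    """Expected effect of the policy on one user once the restart has happened."""
    gui, rules = USER_TYPES[user["type"]]
    if not rules:
        return "exempt"
    max_age = int(params.get("login/password_expiration_time", "0"))  # days, 0 = never
    # Simplification (assumption): the exact boundary day is not modelled.
    expired = max_age > 0 and (today - user["pwd_changed"]).days > max_age
    if gui:
        if expired:
            return "change at next logon"
        if params.get("login/password_compliance_current_policy", "0") == "1":
            return "change at next logon if non-compliant"
        return "change when expired"
    # Non-interactive caller (RFC): no change prompt, but the logon can be refused.
    if expired and params.get("rfc/reject_expired_passwd", "0") == "1":
        return "RFC logon rejected"
    return "expired, RFC still works" if expired else "no impact yet"

# Constructed sample profile and user export (not from the thread).
PROFILE = """
# planned password policy
login/password_expiration_time = 90
login/password_compliance_current_policy = 0
rfc/reject_expired_passwd = 1
"""
USERS = [
    {"name": "ALICE", "type": "Dialog", "pwd_changed": date(2023, 1, 10)},
    {"name": "BOB", "type": "Dialog", "pwd_changed": date(2024, 1, 15)},
    {"name": "BPMCOMM", "type": "Communications", "pwd_changed": date(2022, 6, 1)},
    {"name": "BATCH", "type": "System", "pwd_changed": date(2020, 3, 1)},
]

def report(today=date(2024, 1, 31)):
    params = parse_profile(PROFILE)
    return {u["name"]: assess(u, params, today) for u in USERS}
```

Running `report()` against a real user list before the restart shows which interface users would lose RFC access if rfc/reject_expired_passwd is set to 1 while their passwords are already older than the expiration time.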

Former Member
0 Kudos

So my only worry is my communication users.

For example, we have two communication users that work through RFCs. We have the BPM Portal, and the user bpmcomm is used each time a user clicks and a functionality calls an RFC from CRM.

This isn't an interactive way with the GUI, so this user would never change the password.

Is this true?