10-13-2015 3:17 PM
Hello Experts,
I am trying to enforce SSO-only access on production users (no more user name password, only this option is allowed for admin) by deactivating the password for users.
I can do it for a single user in the Logon Data tab. How can I do a mass change? Please advise.
Thank you in advance.
Ab
10-14-2015 7:36 AM
The easiest way is to set the profile parameter login/password_change_for_SSO to 3. This will mean that when the user logs on using SSO, if their SAP password has expired, it will be deactivated automatically without the user being told.
Thanks
Tim
10-14-2015 9:55 AM
Hi Tim,
Thank you. When I set the parameter to 3, all users' passwords will be expired. How do I implement it for a selected group of users, not for all?
regards
10-14-2015 10:02 AM
Hi,
Please search the documentation/SAP notes for 'security policy' ('secpol'). That will help you further.
b.rgds, Bernhard
10-14-2015 10:05 AM
It will only deactivate users who log on using SSO, not all users.
Thanks
Tim
10-14-2015 10:08 AM
Hi Ab,
depending on the system release, you can also use policies for users and set the value within the policy. Please check the docs on security policies in the help portal.
Regards,
Patrick
10-14-2015 12:11 PM
Thank you all for your contributions. I am not familiar with security policies and need to look into this. I assume I can create a policy for my requirement. I couldn't find one for the deactivation.
Tim: Within the SSO users, some users require both options (10 % of users). Setting at the profile level is not a good idea (little I know) unless I can further categorize the user group. Also I have to implement at country level. Thx.
10-14-2015 1:41 PM
If you want to disable password at mass level, you can use SU10. Select all users that you want to disable the password for and deactivate the password for all of them.
But Security Policies would be a better option if you can use them.
10-14-2015 1:42 PM
If you read up on SECPOL (sap.help documentation is very good on this topic) you will see that you build the policies and apply them at user master level (via SU01). This allows you to choose which users get the specific policy for your scenarios.
The documentation also explains the policy parameters and equivalent/interactions with RZ10 parameters.
Regards
Colleen
10-14-2015 1:52 PM
Hi Abdul,
With security policies you could create one with PASSWORD_CHANGE_FOR_SSO set to 3 for your normal users and another one with some other value, depending on your requirements for your admins.
You would then assign the first security policy to all users except admins and the second one to only admins. You are then also free to set tighter requirements for the admins if you like.
You could also set in the profile PASSWORD_CHANGE_FOR_SSO to 3 and just assign a security policy to the admins with PASSWORD_CHANGE_FOR_SSO set to some other level.
Kind regards,
Patrick
10-15-2015 6:19 PM
Hi Patrick,
I followed the steps as mentioned but I was able to log in with my user name and password a second time. I created a new user and assigned the policy.
My first login asked me to change the password, I did.
My second login asked me for username & password.
I have attached the screen for the policy creation and assignment. I am not sure whether I need to activate something; help would be appreciated.
Thank you in advance.
Zahi
10-16-2015 7:24 AM
Did you log on using SSO in between? The password will only be deleted when you access the system using SSO and the password being expired.
If you want to completely block this group from using passwords, you can use disable_password_logon for this group.
You can see this when looking up the docs for PASSWORD_CHANGE_FOR_SSO.
Kind regards,
Patrick
10-15-2015 8:17 AM
Try looking into parameters
login/disable_password_logon
login/password_logon_usergroup
Thanks, Krishna
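A pre-change check for the two parameters named in the post above, as an added example that is not part of the thread: it models the documented values of login/disable_password_logon (0, 1, 2) and lists which users in a constructed export would keep password logon. The CSV layout and the group names SSO_ONLY and PWD_ALLOWED are assumptions.

```python
import csv
import io

# Constructed sample export: user name and user group (Logon Data tab).
# The group names are hypothetical.
SAMPLE_USERS = """user,group
ALICE,SSO_ONLY
BOB,SSO_ONLY
CAROL,PWD_ALLOWED
ADMIN1,PWD_ALLOWED
DAVE,
"""

def password_logon_allowed(user_group, disable_password_logon, logon_usergroup):
    """Model of login/disable_password_logon and login/password_logon_usergroup.

    0: password logon possible for everyone
    1: password logon only for members of login/password_logon_usergroup
    2: password logon not possible for anyone
    """
    if disable_password_logon == 0:
        return True
    if disable_password_logon == 1:
        # An empty parameter value matches nobody, including users without a group.
        return bool(logon_usergroup) and user_group == logon_usergroup
    if disable_password_logon == 2:
        return False
    raise ValueError(f"unexpected value {disable_password_logon!r}")

def audit(users_csv, disable_password_logon, logon_usergroup):
    """Return (users keeping password logon, users without password logon)."""
    keep, no_password = [], []
    exempt_group = logon_usergroup.strip().upper()
    for row in csv.DictReader(io.StringIO(users_csv)):
        group = (row["group"] or "").strip().upper()
        allowed = password_logon_allowed(group, disable_password_logon, exempt_group)
        (keep if allowed else no_password).append(row["user"])
    return keep, no_password

if __name__ == "__main__":
    keep, no_password = audit(SAMPLE_USERS, 1, "PWD_ALLOWED")
    print("password logon still possible:", keep)
    print("no password logon:", no_password)
```

Running it against a real user export before changing the parameter shows whether the exception group contains exactly the users who are meant to keep a password.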
10-16-2015 10:19 AM
Hi All,
Thank you all it worked.
We have a few options to deactivate the password; what is the best practice or recommended by SAP (deactivate password - when creating new users)?
Any insight will be appreciated. Regards.
10-16-2015 11:30 AM
Hi Zahi,
This depends on the requirements of your company.
From what you stated, I would suggest to create a password only for those users that require password-based authentication. However, I would suggest to always assign a matching password policy, both to avoid issues when users are changing roles and for documentation purposes in administration. The password policy should contain the disable_password_logon if this is a company requirement.
Regards,
Patrick