Deactivate password for users (mass) with SSO

Former Member
0 Kudos

Hello Experts,

I am trying to enforce SSO only access on production users (no more user name password, only this option is allowed for admin) by deactivating the password for users.

I can do it for a single user in the Logon Data tab. How can I do a mass change? Please advise.

Thank you in advance.

Ab

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Thank you all for your contributions. I am not familiar with security policies and need to look into this. I assume I can create a policy for my requirement. I couldn't find one for the deactivation.

Tim: Within the SSO users, some users require both options (10 % of users). Setting at the profile level is not a good idea (little I know) unless I can further categorize the user group. Also I have to implement at country level. Thx.

14 REPLIES

tim_alsop
Active Contributor
0 Kudos

The easiest way is to set the profile parameter login/password_change_for_SSO to 3 and this will mean that when the user logs on using SSO if their SAP password has expired, it will be deactivated automatically without the user being told.

Thanks

Tim

Former Member
0 Kudos

Hi Tim,

Thank you. When I set the parameter to 3, all users' passwords will be expired. How to implement for a selected group of users, not for all?

regards

0 Kudos

Hi,

please search the documentation/SAP notes for 'security policy' ('secpol'). That will help you further.

b.rgds, Bernhard

tim_alsop
Active Contributor
0 Kudos

It will only deactivate users who log on using SSO, not all users.


Thanks

Tim

Former Member
0 Kudos

Hi Ab,

depending on the system release, you can also use policies for users and set the value within the policy. Please check the docs on security policies in the help portal.

Regards,

Patrick

0 Kudos

If you want to disable password at mass level, you can use SU10. Select all users that you want to disable the password for and deactivate the password for all of them.

But Security Policies would be a better option if you can use them.

0 Kudos

If you read up on SECPOL (sap.help documentation is very good on this topic) you will see that you build the policies and apply them at user master level (via SU01). This allows you to choose which users get the specific policy for your scenarios.

The documentation also explains the policy parameters and equivalent/interactions with RZ10 parameters.

Regards

Colleen

0 Kudos

Hi Abdul,

with security policies you could create one with PASSWORD_CHANGE_FOR_SSO set to 3 for your normal users and another one with some other value, depending on your requirements for your admins.

You would then assign the first security policy to all users except admins and the second one to only admins. You are then also free to set tighter requirements for the admins if you like.

You could also set in the profile PASSWORD_CHANGE_FOR_SSO to 3 and just assign a security policy to the admins with PASSWORD_CHANGE_FOR_SSO set to some other level.


Kind regards,

Patrick

0 Kudos

Hi Patrick,

I followed the steps as mentioned but I was able to login with my user name and password second time. I created a new user and assigned the policy.

My first login asked me to change the password, I did.

My second login asked me for username & password.

I have attached the screen for the policy creation and assignment. I am not sure whether I need to activate something; help would be appreciated.

Thank you in advance.

Zahi

0 Kudos

Did you log on using SSO in between? The password will only be deleted when you access the system using SSO and the password has expired.

If you want to completely block this group from using passwords, you can use disable_password_logon for this group.

You can see this when looking up the docs for PASSWORD_CHANGE_FOR_SSO.

Kind regards,

Patrick

former_member298454
Active Participant
0 Kudos

Try looking into parameters


login/disable_password_logon


login/password_logon_usergroup


Thanks, Krishna

Former Member
0 Kudos

Hi All,

Thank you all, it worked.

We have a few options to deactivate the password; what is the best practice or recommended by SAP (deactivate password - when creating new users)?

  1. Deactivate when creating new user using deactivate button in the logon tab
  2. Create a security policy and assign to the user
  3. Use disable_password_logon

Any insight will be appreciated. Regards.

0 Kudos

Hi Zahi,

this depends on the requirements of your company.

From what you stated, I would suggest to create a password only for those users, that require password based authentication. However I would suggest to always assign a matching password policy both to avoid issues when users are changing roles and for documentation purposes in administration. The password policy should contain the disable_password_logon if this is a company requirement.

Regards,

Patrick
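
Added example (not part of the thread and not SAP code): a small audit over a constructed user export that reports which accounts can still log on with a password under the three options discussed above, and which intended password users have lost it. It assumes the documented values of `login/disable_password_logon` (0 = allowed, 1 = only the group in `login/password_logon_usergroup`, 2 = disabled) and that an assigned security policy takes precedence over the profile for that user; user names, groups and policy names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    group: str
    password_deactivated: bool    # "Deactivate password" in Logon Data (SU01/SU10)
    policy: Optional[str] = None  # assigned security policy (SECPOL), if any

# Constructed sample configuration, not taken from any real system.
PROFILE = {"login/disable_password_logon": 1,
           "login/password_logon_usergroup": "ADMIN"}
POLICIES = {"Z_SSO_ONLY": {"DISABLE_PASSWORD_LOGON": 1},
            "Z_PWD_OK": {"DISABLE_PASSWORD_LOGON": 0}}

def password_logon_possible(user, profile=PROFILE, policies=POLICIES):
    """True if this user can still authenticate with user name and password."""
    if user.password_deactivated:
        return False                      # no password exists for the account
    if user.policy is not None:
        # Assumption: an assigned policy replaces the profile values for this
        # user; an attribute missing from the policy falls back to 0 (allowed).
        attrs = policies.get(user.policy, {})
        return attrs.get("DISABLE_PASSWORD_LOGON", 0) == 0
    mode = profile.get("login/disable_password_logon", 0)
    if mode == 0:
        return True
    if mode == 1:                         # only the exempted user group
        return user.group == profile.get("login/password_logon_usergroup", "")
    return False                          # mode 2: disabled for everyone

def audit(users, allowed_password_users):
    """Compare effective password logon with the intended exception list."""
    findings = {"unexpected_password": [], "missing_password": []}
    for u in users:
        can = password_logon_possible(u)
        if can and u.name not in allowed_password_users:
            findings["unexpected_password"].append(u.name)
        elif not can and u.name in allowed_password_users:
            findings["missing_password"].append(u.name)
    return findings

# Constructed user export: DAVE regains password logon through a policy,
# ERIN is an intended password user whose password was deactivated.
USERS = [User("ALICE", "SALES", False, "Z_SSO_ONLY"),
         User("BOB", "SALES", False),
         User("CAROL", "ADMIN", False),
         User("DAVE", "SALES", False, "Z_PWD_OK"),
         User("ERIN", "ADMIN", True)]

if __name__ == "__main__":
    print(audit(USERS, {"CAROL", "ERIN"}))
```
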