
Quiz: understanding security policies in SAP (SECPOL)

Scenario:

Imagine your SAP system (1 application server) is running with the following system profile parameter settings (RZ10):

Kernel default values:

login/min_password_digits = 0

login/min_password_lng = 6

login/min_password_lowercase = 0

login/min_password_specials = 0

Default profile values:

login/min_password_lng = 8

login/min_password_lowercase = 1

Instance profile values:

login/min_password_digits = 1

login/min_password_lowercase = 2

login/min_password_specials = 1

Due to strict security requirements for employees in the IT department of your company, you now want to ensure that all of them use at least 4 digits in their password. You have heard about security policies in the SAP system and therefore you created the following new security policy using transaction SECPOL and assigned it to all IT employees.

Security policy values:

MIN_PASSWORD_DIGITS = 4

Question:

Which of the following password options can be used by IT employees after the new security policy has been assigned to their user master record?

Possible options to choose:

  1. ab-1234
  2. abcd-123
  3. 123456
  4. abc-1234
  5. abcd1234

Choose wisely and please explain your choice.

Hint: SAP Security policies / Group policies

Former Member
Former Member replied

Not sure whether I'm allowed to participate but, the answer is:

effective values:

login/min_password_digits = 4

login/min_password_lng = 6

login/min_password_lowercase = 0

login/min_password_specials = 0

The matching passwords thus are:

1. ab-1234
3. 123456
4. abc-1234
5. abcd1234

The reason can be found in the docs and also in tx SECPOL. Profile parameter values will ONLY be used for users to whom no security policy has been assigned. As soon as you assign values using security policies, you have to assign all values using the security policy. For all other values the defaults will be used (which were listed as kernel defaults above and which can also be seen by clicking "effective values" in SECPOL).

Why is this the case? Because security policies can be transported and thus need to be self-contained. This would not work if they were an extension of the profile parameters, because in that case the effective policy on different systems could differ.

Kind regards,

Patrick

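To make the resolution rule from this answer concrete, the following Python script is an added example (it is not code from the thread, nor from SAP). It uses the quiz's parameter values, and it models the two cases side by side: a user with no security policy (instance profile over default profile over kernel default) and a user with the SECPOL policy assigned (policy attributes over kernel defaults, profiles ignored). The function names, the mapping from SECPOL attribute names to profile parameters, and the simplification that a "special" character is anything that is not a letter or digit are assumptions made for the example.

```python
# Added example: effective password rules with and without a SECPOL security policy.
# Function names, the attribute-to-parameter mapping and the candidate list are
# assumptions for illustration; the parameter values are the ones from the quiz.

# Kernel default values (used when no profile sets the parameter)
KERNEL_DEFAULTS = {
    "login/min_password_digits": 0,
    "login/min_password_lng": 6,
    "login/min_password_lowercase": 0,
    "login/min_password_specials": 0,
}
# Default profile values
DEFAULT_PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_lowercase": 1,
}
# Instance profile values (override the default profile on this server)
INSTANCE_PROFILE = {
    "login/min_password_digits": 1,
    "login/min_password_lowercase": 2,
    "login/min_password_specials": 1,
}
# Security policy created in SECPOL and assigned to the IT employees
IT_SECURITY_POLICY = {"MIN_PASSWORD_DIGITS": 4}

# Assumed mapping from SECPOL attribute names to the profile parameters they replace
ATTRIBUTE_TO_PARAMETER = {
    "MIN_PASSWORD_DIGITS": "login/min_password_digits",
    "MIN_PASSWORD_LNG": "login/min_password_lng",
    "MIN_PASSWORD_LOWERCASE": "login/min_password_lowercase",
    "MIN_PASSWORD_SPECIALS": "login/min_password_specials",
}

# The five options from the quiz
CANDIDATES = ["ab-1234", "abcd-123", "123456", "abc-1234", "abcd1234"]


def profile_values(kernel=KERNEL_DEFAULTS, default_profile=DEFAULT_PROFILE,
                   instance_profile=INSTANCE_PROFILE):
    """Effective parameters for a user WITHOUT a security policy:
    instance profile overrides default profile, which overrides kernel defaults."""
    effective = dict(kernel)
    effective.update(default_profile)
    effective.update(instance_profile)
    return effective


def policy_values(policy, kernel=KERNEL_DEFAULTS):
    """Effective parameters for a user WITH a security policy: the policy is
    self-contained, so profile values are ignored entirely; every attribute the
    policy does not set falls back to the kernel default."""
    effective = dict(kernel)
    for attribute, value in policy.items():
        effective[ATTRIBUTE_TO_PARAMETER[attribute]] = value
    return effective


def violations(password, effective):
    """Return the parameters the password fails to satisfy (empty list = OK).
    'Special' is simplified to any non-alphanumeric character."""
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
    }
    return [param for param, minimum in effective.items() if counts[param] < minimum]


def acceptable(candidates, effective):
    """Filter the candidates down to those that satisfy every effective minimum."""
    return [pw for pw in candidates if not violations(pw, effective)]


if __name__ == "__main__":
    cases = (
        ("no security policy (profile parameters apply)", profile_values()),
        ("IT security policy assigned (kernel defaults + policy)",
         policy_values(IT_SECURITY_POLICY)),
    )
    for label, effective in cases:
        print(f"{label}: {effective}")
        for pw in CANDIDATES:
            print(f"  {pw:10s} {violations(pw, effective) or 'OK'}")
```

Running it shows the point of the quiz: with the policy assigned, the profile's stricter length, lowercase and special-character minimums disappear, so options 1, 3, 4 and 5 pass and only option 2 (three digits) fails; without the policy, the same user could only use options 2 and 4. Anyone building a SECPOL policy therefore has to set every attribute they care about explicitly, not just the one they want to tighten.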