Quiz: understanding security policies in SAP (SECPOL)

Former Member

Scenario:

Imagine your SAP system (1 application server) is running with the following system profile parameter settings (RZ10):

Kernel default values:

login/min_password_digits = 0

login/min_password_lng = 6

login/min_password_lowercase = 0

login/min_password_specials = 0

Default profile values:

login/min_password_lng = 8

login/min_password_lowercase = 1

Instance profile values:

login/min_password_digits = 1

login/min_password_lowercase = 2

login/min_password_specials = 1

Due to strict security requirements for employees in the IT department of your company, you now want to ensure that all of them use at least 4 digits in their password. You have heard about security policies in the SAP system and therefore you created the following new security policy using transaction SECPOL and assigned it to all IT employees.

Security policy values:

MIN_PASSWORD_DIGITS = 4

Question:

Which of the following password options can be used by IT employees after the new security policy has been assigned to their user master record?

Possible options to choose:

  1. ab-1234
  2. abcd-123
  3. 123456
  4. abc-1234
  5. abcd1234

Choose wisely and please explain your choice.

Hint:

1 ACCEPTED SOLUTION

Former Member

Not sure whether I'm allowed to participate but, the answer is:

effective values:

login/min_password_digits = 4

login/min_password_lng = 6

login/min_password_lowercase = 0

login/min_password_specials = 0

The matching passwords thus are:

1.ab-1234

3.123456

4.abc-1234

5.abcd1234

Reason can be found in the docs and also in tx SECPOL. Profile parameter values will ONLY be used for users to whom no security policy has been assigned. As soon as you assign values using security policies, you will have to assign all values using the security policy. For all other values the defaults will be used (which were listed as kernel defaults above and which can also be seen by clicking "effective values" in SECPOL).

Why is this the case? Because security policies can be transported and thus need to be self-contained. This would not work if they were an extension to the profile parameters, because in that case the effective policy on different systems could be different.

Kind regards,

Patrick
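The quiz scenario and the accepted answer above describe two different resolution rules: profile parameters are layered (kernel default, then default profile, then instance profile) for users without a security policy, while a security policy is self-contained and only overrides the kernel defaults for the attributes it sets. The following is an added example, not code from the thread or from SAP, that models both rules and checks the five candidate passwords from the quiz. The parameter names and values are taken from the scenario; the function names, the dictionary layout and the SECPOL attribute names other than MIN_PASSWORD_DIGITS are assumptions of this example.

```python
"""Model of how an SAP user's effective password rules are resolved.

Added example for this thread, not code from the page or from SAP: a
simplified model of the precedence rule in the accepted answer. The
parameter names and values come from the quiz scenario; the function
names, the dict layout and the SECPOL attribute names other than
MIN_PASSWORD_DIGITS are assumptions of this example.
"""
from collections import Counter

# RZ10 layering for users WITHOUT a security policy: the kernel default
# is overridden by the default profile, which is overridden by the
# instance profile. Values are the ones given in the quiz.
KERNEL_DEFAULTS = {
    "login/min_password_digits": 0,
    "login/min_password_lng": 6,
    "login/min_password_lowercase": 0,
    "login/min_password_specials": 0,
}
DEFAULT_PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_lowercase": 1,
}
INSTANCE_PROFILE = {
    "login/min_password_digits": 1,
    "login/min_password_lowercase": 2,
    "login/min_password_specials": 1,
}

# SECPOL attribute -> profile parameter it replaces. Only
# MIN_PASSWORD_DIGITS appears in the thread; the other names are assumed.
POLICY_ATTR_TO_PARAM = {
    "MIN_PASSWORD_DIGITS": "login/min_password_digits",
    "MIN_PASSWORD_LENGTH": "login/min_password_lng",
    "MIN_PASSWORD_LOWERCASE": "login/min_password_lowercase",
    "MIN_PASSWORD_SPECIALS": "login/min_password_specials",
}

# The policy from the quiz, assigned to IT employees.
IT_POLICY = {"MIN_PASSWORD_DIGITS": 4}

# The five candidate passwords from the quiz.
CANDIDATES = ["ab-1234", "abcd-123", "123456", "abc-1234", "abcd1234"]


def effective_values(security_policy):
    """Rules that apply to one user.

    security_policy is None   -> profile parameters apply (layered).
    security_policy is a dict -> the policy is self-contained: its
        attributes override the KERNEL defaults only, and the default and
        instance profiles are ignored entirely. Attributes the policy does
        not set fall back to the kernel default, not to the profile value.
    """
    rules = dict(KERNEL_DEFAULTS)
    if security_policy is None:
        rules.update(DEFAULT_PROFILE)
        rules.update(INSTANCE_PROFILE)
        return rules
    for attr, value in security_policy.items():
        rules[POLICY_ATTR_TO_PARAM[attr]] = value
    return rules


def classify(ch):
    """Character class as the min_password_* counters see it: anything
    that is neither a letter nor a digit counts as a special character."""
    if ch.isdigit():
        return "digit"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "special"


def password_ok(password, rules):
    """Check a candidate against the four rules modelled here (password
    history, USR40 and the compliance parameter are out of scope, as in
    the quiz)."""
    counts = Counter(classify(ch) for ch in password)
    return (
        len(password) >= rules["login/min_password_lng"]
        and counts["digit"] >= rules["login/min_password_digits"]
        and counts["lower"] >= rules["login/min_password_lowercase"]
        and counts["special"] >= rules["login/min_password_specials"]
    )


def accepted(candidates, security_policy):
    """Candidates a user with the given policy (or None) may choose."""
    rules = effective_values(security_policy)
    return [p for p in candidates if password_ok(p, rules)]


if __name__ == "__main__":
    print("IT employee (policy assigned):", accepted(CANDIDATES, IT_POLICY))
    print("User without a policy:        ", accepted(CANDIDATES, None))
```

Run with the quiz values, the IT employee with the policy assigned gets options 1, 3, 4 and 5, exactly as in the accepted answer, while a user without a policy gets only options 2 and 4 under the layered profile parameters. The contrast is the practical point: a policy that sets only MIN_PASSWORD_DIGITS silently drops the minimum length from 8 back to the kernel default of 6 and removes the lowercase and special-character requirements, so a policy must set every attribute you rely on, not just the one you want to tighten.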

10 REPLIES

Former Member
0 Kudos

It depends on whether it is a new installation of 7.31 or higher, or an older installation which has been upgraded.

If login/password_compliance_to_current_policy has its default, then all of the above are possible.

If, depending on the above, USR40 is maintained with very basic policies, then probably none of them will be possible unless it is a password set by an admin.

So if the IT employees can set productive passwords for themselves in SU01, then it is again just a warning about the characters, so the most tempting answer would be 4 in that case.

But most likely answer is that after assigning the policy, all of the above would still continue to work.

Cheers,

Julius

0 Kudos

Hi Julius,

thanks for sharing your thoughts. I do not want to make the quiz more complicated, but in real life you are right and these things need to be considered too.

Concerning your input I want to define these additional conditions for my quiz question:

  • System parameter login/password_compliance_to_current_policy is set to value 0 in default profile (out of scope).
  • USR40 is not maintained (out of scope).
  • IT employees do not have access to SU01.
  • User type of IT employees is set to Dialog (A).
  • Question focuses on the next password change being performed by IT employees.


Optimized Question (now more precise):

Which of the following password options can be used by IT employees when performing a password change via transaction SU3 after the new security policy has been assigned to their user master record?


You get another chance to answer the question.


Best regards

Stefan

madhumsr
Participant
0 Kudos

Hi,

Answer - 4.

The instance profile takes precedence, along with the security policy.

Thanks.

Former Member
0 Kudos

Hi,

sorry, but your answer is not entirely correct.

Best regards

Stefan

Former Member
0 Kudos

More questions..  🙂

Is the behaviour only for SU3 when the user is authorized for the debugger, or is only F5 (change password) on the logon screen meant, regardless of their other authorizations, where the password must be changed?

What is the load balancing policy to the instance with the lowercase = 2 and specials = 1 policy? Does the IT employee have access to SM51 or SA38, or to commands to start SAPGUI or connect to the server, to avoid that instance?

Are you sure that the IT employees do not have access to SE37, the workbench etc., which is equivalent to SU01 (see SAP note 587410)? So there is no way for them to set / use an administrator password, and they are really just end users in the SAP Logon screen with no option to influence the instance they are connecting to?

For the moment I still stick to "all of the above", but 2, 4 and 5 will certainly do the trick still... 🙂

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

sorry, but your answer is not correct.

There is only one application server available in that system and IT employees only have display rights assigned (without debugger access).

Best regards

Stefan


PS: no more questions will be accepted. 😉

Former Member
0 Kudos

Ah, I got it!

No passwords are being changed because all the IT employees have left the company because of the confusing password rules? 😉

Just joking - I am going to have to pass here then and go back to reading the docs for the moment...

Cheers,

Julius

0 Kudos

Hi Patrick,

perfect, with a very good explanation!

I was hoping the question would survive a bit longer, because it is not as easy as it seems to be and the docu must be read carefully to really understand the concept of security policies.

Best regards

Stefan

0 Kudos

I will need to find this thread a couple of times in the future again, I am sure of that. How will I find it? Beer, girls, SECPOL, wellness