How to restrict changing password for user ?

Former Member

Hi all experts,

We have created users. Users should not change their password without permission of the Administrator. How can we restrict them by setting permissions / authorizations?

Thanks.

KISHORE SATPUTE


Former Member

This is not an authorization issue. As far as I know, there is no way you can prevent a dialog user from changing their password, including from a system parameter standpoint. The closest thing would be making the password inactive if SSO is deployed.

Do let me know if my understanding is incorrect.

Thanks,

Lye

manohar_kappala2
Contributor

Hi Kishore,

Can you explain where exactly you would encounter a scenario where a dialog user must not change his password?

Because normally, even for the first logon to be possible, the user has to change the password and cannot log into the system without doing so.

Secondly, the user needs to have the flexibility to modify the password as and when he feels the need to do so; waiting for permission from the Admin might be a risky approach in such cases.

The reason being that the Dialog User ID is created with the intention of keeping it unique to that user, and access should be only for the user for whom it is intended. With this restriction the chances of a compromise are higher.

This scenario is required in some cases where the same ID is accessed by different users, so the ID's password should remain unchanged. In such cases you can use the Service user type instead of Dialog.

Hope this helps

Manohar


Hi Manohar,

It works via SU01. I have changed the user type from dialog to service. If I want to keep the dialog user type as it is, then how?


Hi Kishore,

The user type Dialog is defined not to work that way. If it allowed the change of password only on approval from the Admin, you would only be defeating the purpose of defining it as a Dialog User ID.

Say an end user came to know that his user ID / password combination is compromised; then he would want to change his password immediately to avoid any misuse of it. In this case, waiting for the admin to give permission for the password change might not be the best way.

And you always have the option to track password changes through the SUIM reports for change documents, and based on that you can know who changed the password and when.

I am not sure if there is any way of doing it with the authorizations and user ID maintenance.

Can you please explain what the requirement of the scenario is that demands such an approach?


Hi Kishore,

I totally agree with Manohar: there is no reason why someone should not be able to change his own (private!) password. The only exception is that one should not be able to bypass the password history rule, and therefore one is only allowed to change his/her password once a day (unless the system is prompting for a password change).

Please explain why you believe that a user should not be allowed to change his own password. Are you performing account sharing ...? (impact on auditability and software license).

Regards, Wolfgang


We are currently looking at ways to use password synchronization using Active Directory. If the passwords for all SAP systems are synchronized with Active Directory, where the SAP passwords are changed when the Active Directory passwords are changed, what would happen if a user were to change their password directly in SAP? This is one example where you would not want a user to change their password in SAP.

PG


Paul,

It is not possible to sync passwords with Active Directory, since Active Directory does not allow access to the password which is used by an account for authentication purposes. The account password is used to generate a symmetric key when Kerberos authentication is used with Active Directory. Normally SAP customers configure the SAP app server to use Kerberos authentication so that the SAP passwords are deactivated and no longer needed; then there is no need to sync passwords, and your users get a common authentication / SSO experience if you use the right products to do this. Let me know if you need help with this kind of implementation.

Thanks,

Tim


@Paul:

Password synchronization is a bad idea (in general).

You may want to have a look at SAP Note 376856 (https://service.sap.com/sap/support/notes/376856) for the reasons why that approach is considered error-prone.

Obviously, you intend that users have only one single password, having "Single Sign-On" (SSO) in mind. Apparently, you intend to use "Windows authentication" for SSO. Well, there are multiple ways to achieve this:

- for SAPGUI and RFC clients: use SNC (see SAP Note 352295, https://service.sap.com/sap/support/notes/352295)

- for browser-based access: use SPNEGO (only WebAS Java; see SAP Note 968191, https://service.sap.com/sap/support/notes/968191, as a starting point)

In addition to those solutions (offered by SAP) you can consider using (certified) partner products.

Regards, Wolfgang

Former Member

While logging in to SAP, the user enters user name and password, but before pressing Enter, if he clicks "New password", he can change his password right there. As a system administrator, how can I restrict changing the password for a user?

That is the problem.

Thanks.


You will notice that a password change is only possible if the user first enters his present password, so there is no security risk here.

Furthermore, it is only possible to change your password at logon. If you restricted this possibility, a user would not be able to change his password in any other way.

Kind regards,

Lodewijk

WolfgangJanzen
Product and Topic Expert

That's true: a password change always requires that you enter the (correct) old/current password. If you are performing a password logon using SAPGUI and request a password change (or are prompted to change your password by the system), you only need to enter the new password (twice, since you have to enter it without being able to see what you are typing).

As of ABAP release 6.20 you can also change your password after logon (via menu 'System' > 'User Profile' > 'Own Data' = transaction SU3: button 'Password'); then you have to enter both your old/current and your new password.

In contrast to that, a user administrator can (re)set a user's password; (s)he does not need to know the user's password (of course) but can simply 'overwrite' it; however, that requires a certain authorization, of course. The user will then be prompted to change his/her new password (which is also known to the admin, and that's why).

Regards, Wolfgang

former_member190272
Active Contributor

Hi,

In "USER MAINTENANCE - SU01" --> in the "Logon" tab there are 5 different "user types":

1. dialog

2. system

3. communication

4. service

5. reference

Kindly note the function and role of all the above mentioned user types specifically, and how one user type differs from another.

These are as follows:-

1. Dialog:-

For this kind of users:-

GUI login is possible.

Initial password and expiration of password are checked.

Multiple GUI logins are checked.

Usage:- These are used for GUI logins.

2. System

For this kind of users:-

GUI login is not possible.

Initial password and expiration of password are not checked.

Usage:- These are used for internal use in system like background jobs.

3. Communication

For this kind of users:-

GUI login is not possible.

Users are allowed to change the password through some software in the middle tier.

Usage:- These are used for logging in to the system through external systems like web applications.

4. Service

For this kind of users:-

GUI login is possible.

Initial password and expiration of password are not checked.

Multiple logins are allowed.

Users are not allowed to change the password. Only the admin can change the password.

Usage:- These are used for anonymous users. This type of user should be given minimum authorization.

5. Reference

For this kind of users:-

GUI login is not possible.

Initial password and expiration of password are not checked.

Usage:- These are special kind of users which are used to give authorization to other users.

Reward points if helpful

Thanks

Pankaj Kumar

Former Member

http://www.sap-basis-abap.com/sapbs004.htm

Remove the password change option

To disable the password change option, you will have to change the status used on that screen:

Status 0020 for program SAPMSYST, done in transaction code SE41.

And don't forget to change the screen SU3.

WolfgangJanzen
Product and Topic Expert

That affects all users, and it is not recommended to modify SAP coding / screens (you might also face problems in modifying SAPMSYST, at least in later releases).