
Password Generation in Access Enforcer - Self Service

Former Member
0 Kudos

Hello

We have implemented GRC Access Enforcer (AE) Password Self Service on our ECC 6.0 system (BASIS version 7.0).

Everything works ok - except on some occasions (not all) - the password supplied in the email sent to users to be able to reset their password - does not work.

This is because the password supplied does not meet our password rules (password length, # of Uppercase etc) as configured in the system parameter (RZ10).

Examples of password sent include:

1

nb

%9

(Our minimum Password length is 8 and we require, 1 numeric and 1 uppercase required)

Does anyone know - where I can find out any information about how AE or SAP is generating passwords?

And any ideas about how I can get AE to send passwords that are able to be used by end users?

Thanks in advance

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Michael,

I am sure (but for the life of me cannot remember the name) that there is a system parameter which can be used to instruct the password wizard to generate passwords which conform to the password rules.

Unfortunately I didn't take a note of it, so if you cannot find it, I can search again (as a reminder to myself as well :-).

Of course, even with such an "instruction" the "Access Enforcer" could contain programming or processing errors, or the password wizard might even be "protected" from "external programs" or techniques used to "get" the plaintext password for further processing / sending?

Cheers,

Julius

14 REPLIES 14


WolfgangJanzen
Product and Topic Expert
0 Kudos

I cannot tell anything about the password generator provided by the GRC Access Enforcer.

The password generator that is part of the SAP_BASIS component (ABAP) (always) ensures that only passwords which comply with the current password rule are generated; that password generator is also used by the ABAP User Management (transaction SU01) itself.

API: function module SUSR_GENERATE_PASSWORD (see SAP Note 832661: https://service.sap.com/sap/support/notes/832661).

In addition to the password rules you can also define other constraints (which must, of course, not conflict with the password rules) for the generation of passwords (see SAP Note 915488: https://service.sap.com/sap/support/notes/915488).

Regards, Wolfgang

Edited by: Wolfgang Janzen on Jan 11, 2008 9:45 AM

0 Kudos

Maybe the password used is external to SAP and this is why AE is not working correctly? E.g. if SNC is used the password might be deactivated, and I am wondering if AE supports passwords which are deactivated in the ABAP user store?

Thanks,

Tim

Former Member
0 Kudos

Thanks Wolfgang for the notes... I had found them yesterday as I was looking for a solution.

Note 915488 - was useful, and I have used GEN_PSW_MAX_SPECIALS in table PRGN_CUST to solve my problem.

What I believe this issue is/was - is that when the password is auto generated by SAP - it can include the character ¦

(as suggested by http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm)

However, neither our email system nor SAP can deal with ¦ - so I think it was returning blanks (after) in the email each time this character was encountered.

By setting GEN_PSW_MAX_SPECIALS to 0 - I have stopped special characters being used in the generated password. Since then I have not had any issues.

Note: By way of a test - try and manually reset the password of a user to Black12¦

Then try to log on as that user using this password - I get the error message "The password contains prohibited characters (already deleted)"

So what I believe is happening is that although SAP allows the password to be reset using the character ¦ - it does not allow users to log on using this character. Strange?!

WolfgangJanzen
Product and Topic Expert
0 Kudos

Oops - that should not happen !!!

When did you receive the error message "The password contains prohibited characters (already deleted)" ?

I assume: when performing a SAPGUI logon. In that case it would be helpful to know the SAPGUI version and also the version (especially kernel patchlevel) of the ABAP backend.

Question: How did you set the password "Black12¦" - using SU01 (and therefore: using SAPGUI) ...?

Cheers, Wolfgang

WolfgangJanzen
Product and Topic Expert
0 Kudos

I think I got it, now: I've found SAP Note 382285 describing the problem. So, I assume that you are using a non-unicode system.

Character 0xA6 ('¦') also seems to be affected.

Cheers, Wolfgang

PS: unless using a unicode system I strongly recommend to use only ASCII characters in passwords (since they are available in any codepage and never cause any conversion problems).

Former Member
0 Kudos

Wolfgang

When did you receive the error message "The password contains prohibited characters (already deleted)" ? This was when performing a SAPGUI Logon.

SAP GUI version 710 Final Release - Patch Level 1

ABAP Version: SAP ECC 6.0

SAP BASIS Release 7.00 - Support Pack SAPKB70012

Question: How did you set the password "Black12¦" - using SU01 (and therefore: using SAPGUI)? Correct, the password was set using SU01 via SAPGUI.

This happens if you change the password or enter Black12¦ as the initial password.

WolfgangJanzen
Product and Topic Expert
0 Kudos

I'll try to reproduce the problem in an inhouse system.

In addition you might report this problem to SAP (component BC-ABA-SC) - with reference to this SDN thread.

Regards, Wolfgang

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, the problem cannot be reproduced in the inhouse system (SAP_BASIS 7.00, latest SP, kernel: 7.00 PL 142).

I've used various different SAPGUI versions (6.40 PL 26, 7.10 PL 5) - but I was always able to logon with the password 'Black12|' and I did not receive the error / info message you've reported.

I assume that it will be required to analyze the problem in your system using a remote connection (type WTS).

Regards, Wolfgang

Former Member
0 Kudos

Hello Wolfgang - thanks for investigating this issue for me.

Can you please check the character you are using in the testing?

This issue we have is with the character ¦ - looking at your last reply it appears you have been using | .

When we use | in a password we have no problem logging in either. The issue is with ¦

Sorry if this is what you have already tested - and your reply was just a typo.

Thanks

WolfgangJanzen
Product and Topic Expert
0 Kudos

Yes, you are right - last time I did try with "Black12|" but now I repeated my tests with "Black12¦" - still with the same result: it works.

Are you using a Unicode system or a non-Unicode system ...?

Mine is a Unicode system ...


I've also tested with a Non-Unicode system: still, it works ...

Edited by: Wolfgang Janzen on Jan 15, 2008 10:44 AM

WolfgangJanzen
Product and Topic Expert
0 Kudos

The only error messages (with similar text) I've found are "Input field contains prohibited characters. (Already replaced)" [00 077] and "The input field contains prohibited characters (already deleted)" [00 195].

Can you please tell me which of them you've seen?


If worse comes to worst you should activate the trace (level 3 for component "Scrn.proc.") using transaction SM50 (similar to what has been described in note 495911) and reproduce the problem. Then search the trace file for the string "E-00-195 on BSD_BADINCHAR". (Make sure to reset the trace level immediately after having reproduced the problem ...).

Edited by: Wolfgang Janzen on Jan 15, 2008 5:41 PM

Former Member
0 Kudos

Hi Wolfgang

We have Unicode installed on our ECC 6 system.

Also - this issue relates to the auto generation of the password - so we do not have a choice of which characters are entered into the initial password.

I have read the note - but not sure this relates to us as the password is auto generated.

For now we have deactivated special characters from being supplied in the generated password and this seems to have fixed the problem.

WolfgangJanzen
Product and Topic Expert
0 Kudos

That's even more surprising, then.

Because SUSR_GENERATE_PASSWORD uses a subset of ASCII characters as the alphabet from which characters are chosen.

I suspect that not SUSR_GENERATE_PASSWORD but the legacy function module RSEC_GENERATE_PASSWORD is called - providing an alphabet which contains such illegal characters ...

However, in unicode systems the reported error should actually never occur.

The problem you describe is really very strange. Most likely the problem can only be reproduced and therefore analyzed in your system. I propose to report this as a bug (component BC-I18).

Regards, Wolfgang
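
The failure discussed in this thread can be checked for before a generated password is e-mailed. The following is an added example, not code from SAP, Access Enforcer or any poster. It tests a candidate against the rules quoted in the first post (length 8, one digit, one uppercase), reports non-ASCII characters such as 0xA6 by code point, and re-checks the password as it would arrive over a mail path that drops characters it cannot represent in ASCII. The function names and the dropping behaviour are assumptions made for the illustration.

```python
import unicodedata

# Policy values quoted in the thread's first post. All names in this block
# are hypothetical and exist only for this illustration.
MIN_LENGTH, MIN_DIGITS, MIN_UPPER = 8, 1, 1


def policy_violations(password: str) -> list[str]:
    """Return the reasons a password fails the policy (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("too few digits")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append("too few uppercase letters")
    return problems


def non_ascii_chars(password: str) -> list[str]:
    """List characters outside printable ASCII, with code point and Unicode name."""
    return [
        f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
        for c in password
        if not (0x21 <= ord(c) <= 0x7E)
    ]


def after_lossy_transport(password: str) -> str:
    """Assumed model: the mail path silently drops anything that is not ASCII."""
    return password.encode("ascii", errors="ignore").decode("ascii")


def check_before_sending(password: str) -> dict:
    """Run every check on the password as generated and as it would be delivered."""
    delivered = after_lossy_transport(password)
    return {
        "violations": policy_violations(password),
        "non_ascii": non_ascii_chars(password),
        "delivered": delivered,
        "survives_transport": delivered == password,
        "delivered_violations": policy_violations(delivered),
    }


if __name__ == "__main__":
    # Constructed samples: the two test passwords and one e-mailed value from the thread.
    for candidate in ("Black12\u00a6", "Black12|", "%9"):
        print(repr(candidate), check_before_sending(candidate))
```

Under that model, "Black12¦" is compliant as generated but arrives one character short, while "Black12|" is unaffected.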