
Best practice - backend R/3 password for Portal users

Former Member
0 Kudos

What do you guys consider best practice when it comes to the backend R/3 password for a Portal-only user?

I have +700 Portal users which of course have normal R/3 accounts with Portal-related authorization roles. When created they are assigned a password, but as they only access the Portal via SSO they are never prompted for a password change in the backend R/3 system. Hence the password remains “Initial Password” but at the same time “Last Logon” changes every day as they access the Portal.

Imagine the confusion when, executing the RSUSR200 report, I (and the auditors) am presented with the fact that users have logged on but have not yet changed the initial password.

Do I make the password “Inactive” in SU01?

/vitofava

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Vito,

I do have the same situation as you and also some of the guys mentioned above as well. I have Portal-only users and also users who use the SAP GUI.

Thus, what I would advise, taking audit into consideration as well, is to have the below scenarios:

1) Users who login to backend with SAP GUI on Citrix only

We have changed the system parameter: login/password_change_for_SSO=2

The password change dialog box appears and the password must be changed (input: old and new password). Also we have set up SNC (CyberSafe) so that in our SAP GUI, users can click on the system with SNC set up and log in to the backend without having to enter userID and password.

2) Users who login to backend with SAP GUI on client (local)

Users will log in with userID and password.

3) Portal user with SSO and no login to backend with SAP GUI

Portal users will have their password deactivated.

Explanation to Audit for Portal users:

We have a 90-day password reset on Windows (AD). So our Portal users are respecting the audit request of having a 90-day password reset, but instead of having it in SAP, it's in our Windows. Furthermore, SSO is set up such that the connection for these Portal users to the backend is secure.

We are not able to set login/password_change_for_SSO=3 as we have sites which do not use Citrix. Thus, these sites will have a local SAP GUI install.

I hope this shares some of my experience with those who are in the situation I was in.

Ray

4 REPLIES 4

Former Member
0 Kudos

Recommend, as you mentioned, inactivating their backend passwords since they are already authenticated on their portal accounts. Also avoids the backend popup for password change even though they already did that on their portal ids.

0 Kudos

Yes, I agree that we need to inactivate the passwords in the backend. We are doing it as all our users will access the system via portal with an SSO to AD.

Thanks

Former Member
0 Kudos

If you have a separate set of users who still need GUI logon for your SAP systems, you probably need to take a look at SAP Note 379081.
