05-12-2008 10:42 PM
When a newly created user logs in for the first time, he gets a CHANGE YOUR PASSWORD PROMPT.
Is there a way to disable that Initial Password prompt?
Please help me with how to do it.
Thanks
05-12-2008 10:51 PM
Hi Hruser,
Am not sure if this can be handled for dialog users. Also, this feature could have severe security fallouts.
However, if this is for testing / training purposes, then you could think of creating the users of type "Service".
The initial password prompt is not checked for service users, and the passwords do not expire.
Let us know for what scenario you are trying to implement this.
Thank you
Abhishek
05-13-2008 10:49 AM
All the users are dialog users. I need to disable this, as this is causing problems maintaining test scripts for populating n-n portal credentials.
05-13-2008 11:07 AM
There is a way but it requires major surgery & is not recommended.
Depending on what you are using the Dialog users for, you could switch them to a Service user as Abhishek recommended, which should be OK if it is only for test purposes.
Another simple alternative would be to log in as the user and change the initial password manually. You do thousands of users in a day & this is significantly less effort than changing Standard SAP.
05-13-2008 11:18 AM
I could change them from dialog to service... but I am dealing with 100,000 users here, so I was saving myself some trouble creating a SECAT or using any other tool for batch change.
I was hoping for a simple enable-disable switch kind of thing (hoped too much).
With 100,000, manual logging in is way out of the question.
Thanks anyways
05-13-2008 11:33 AM
I agree, that's too many users to update manually!
Maybe it is worth re-investigating your method of populating the portal credentials, initial login password change is a key control.
05-13-2008 11:52 AM
You do realise that some features of SAP cannot be used by users of type 'service', don't you???
Generic object services are not available for example.
05-13-2008 6:51 PM
WOW!!
100,000 users!!
hmm...... that's some maintenance nightmare Hruser
Hope you manage it without being stressed.
05-13-2008 7:10 PM
>
> You do realise that some features of SAP cannot be used by users of type 'service', don't you???
>
> Generic object services are not available for example.
Hi Mylene, I would appreciate if you could describe this further, am trying to learn.
05-13-2008 10:57 PM
>
> all the users are dialog users,need to disable this as this is causing problems maintaining test scripts for populating n-n portal credentials.
Am I right guessing that you intend to synchronize passwords in order to implement a kind of "poor man's SSO" (based on UID/PWD) ...?
Notice: the reason behind the requirement to change a password which has been set by another person is to ensure that only the authorized user knows that password. Same applies for a (computer-)generated password - since such passwords are impossible to memorize, it's assumed that the user has copied the password to somewhere (which is a security risk).
05-14-2008 12:39 PM
Hi,
please keep in mind, that you need to think about your SAP-contract for extensive use of service-users......
Why not make use of BAPI_USER_CREATE1 with parameter SELF_REGISTER as per SAP note #830493?
That would avoid any 'manual manipulation' after user creation.
b.rgds, Bernhard
05-14-2008 3:50 PM
>
> >
> > You do realise that some features of SAP cannot be used by users of type 'service', don't you???
> >
> > Generic object services are not available for example.
>
>
> Hi Mylene, I would appreciate if you could describe this further, am trying to learn. 🙂
there's nothing much to describe - i am a basis-person and was no longer able to memorize up to 80 passwords for all systems/clients and changing them (asynchronously) every n days. therefore i was classified as a service-user (until noticed that a license audit is going to happen - i did change to developer then ...) - i'm no longer doing this - found another solution
but back to your question. when you move around as a service user you get to notice some things, as for example that every 'normal' dialog-user has that handy thing called 'GOS' all over the place - to view archived prints of invoices, to view the IDOCs that created a sales order ... not having it was why i tried to learn about GOS in the first place.
from my fellow basis persons i hear that the triggering of some workflows does not work with users of type 'service' (i have not experienced that myself) and obviously there's a problem with creating job-steps ...
so i'm assuming that a couple of other things might be different for users of type 'service'. i cannot say which, except for GOS (Generic Object Services) - not available for type 'service'-users.
Edited by: Mylene Euridice Dorias on May 14, 2008 4:57 PM
05-14-2008 5:23 PM
Mylene Euridice Dorias wrote:
> there's nothing much to describe - i am a basis-person and was no longer able to memorize up to 80 passwords for all systems/clients and changing them (asynchronously) every n days ...
Well, that sounds like using a proper SSO mechanism (which is not based on passwords) would resolve that problem.
I'm using SSO since many years - and frankly speaking: in many systems I do no longer have any password.
It's like with the (radio-controlled) central locking of your car: once you got it, you get used to it and do not want to miss it any more ...
Cheers, Wolfgang
05-14-2008 10:01 PM
Hi Mylene,
Thank you very much
I had never ever heard this before, but a security person should be aware of something like this. Thank you for sharing this
The link was very helpful.
>
GOS again should be re-named - "there she GOS again" xD
LOL
Hi Wolfgang,
😛 yeah.... single sign on makes life so easy. We are implementing it across all systems here, there are about half which are still being configured..... so, my car system is getting an upgrade
Ha ha
Edited by: Abhishek Belokar on May 14, 2008 11:06 PM
05-13-2008 7:39 PM
You can write an ABAP program to update the ltime column of the USR02 table to '000001' for all the user ids you don't want to change password while logging in for the first time.
< declaration >
loop
update usr02
set ltime = '000001'
where bname = <id>.
end loop.
<end>
05-13-2008 10:08 PM
How about login/password_logon_usergroup (disables logon based on password for certain user groups) and login/disable_password_logon (disables logon based on password for the entire system)?
Gp
05-13-2008 10:13 PM
>
> How about login/password_logon_usergroup (Disables Logon based on password for certain User Group) and login/disable_password_logon(Disable Logon based on password for the entire system.
>
> Gp
Is this recommended without ensuring some other form of authentication has been implemented?
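The check raised in the reply above, as an added example that is not part of the original thread: a small Python review of a profile fragment that flags password logon being restricted while no other authentication path is switched on. The profile text is constructed, and treating `snc/enable` and `login/accept_sso2_ticket` as the indicators of alternative authentication is an assumption of this example.

```python
# Added illustration; the profile text below is constructed sample input.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
login/disable_password_logon = 1
login/password_logon_usergroup =
snc/enable = 0
login/accept_sso2_ticket = 0
"""

# Assumption: either of these set to 1 means a non-password logon path exists.
ALT_AUTH_PARAMS = ("snc/enable", "login/accept_sso2_ticket")


def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def review_password_logon(params):
    """Return findings for the two password-logon switches named in the thread."""
    findings = []
    # Assumed semantics: 0 = password logon allowed, 1 = only for the user
    # group named in login/password_logon_usergroup, 2 = disabled for everyone.
    mode = params.get("login/disable_password_logon", "0")
    group = params.get("login/password_logon_usergroup", "")
    alt_auth = any(params.get(p, "0") == "1" for p in ALT_AUTH_PARAMS)
    if mode not in ("0", "1", "2"):
        return [f"unknown login/disable_password_logon value {mode!r}"]
    if mode != "0" and not alt_auth:
        findings.append(
            "password logon restricted but no alternative authentication enabled")
    if mode == "1" and not group:
        findings.append("mode 1 set but login/password_logon_usergroup is empty")
    return findings


if __name__ == "__main__":
    for finding in review_password_logon(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```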
05-13-2008 10:30 PM
I don't want to disable the password altogether... I just want to disable the initial password change prompt.