Application Development Discussions
Disable password change

Former Member

Hi friends,

I want to disable the password change for the user. We have a few basis administrators with full authorization for SU01. So only the user id of the respective user should have the authorization to change or modify the password...

The user only has the right to change his/her own password. Other users are not authorized to modify the password; they can only reset the password...

thank you...

1 ACCEPTED SOLUTION

Former Member

First of all, only security responsible persons should be able to change other users' passwords, not basis administrators. There should be a clear segregation between these two duties/teams. As a consequence, no basis admins should have access to SU01.

Secondly, as already pointed out, users should themselves be able to change their own passwords. If this is not desirable (for instance for specific training accounts where passwords should remain whatever is defined by the training responsible person), you can set the user type to S (Service). This will disable the request for the user to change his/her password upon first login after a password reset.

Of course, such accounts should be kept locked between training sessions and have new passwords attributed every time they're activated. Also, such accounts should be in segregated systems without any RFC connectivity to other SAP environments (but this is another topic altogether).

To sum up:

- Password resets/master changes are handled by Security team

- No SU01 for Basis admins (possibly except to handle RFC/system users in dev/sbx systems, but even this is disputable)

- Users can change their own passwords, but not those of anybody else

Regards,

Trond

6 REPLIES 6

former_member74904
Contributor

In order to achieve this, you should restrict access to S_USER_GRP with ACTVT 05 to everyone except your administrators.

It may also be a good idea to restrict access to SU01 altogether and give the end users e.g. SU3 instead.

Former Member

Basis administrators should have access to change password.

As who will change the password if a user is locked (due to incorrect logons)?

Do you have any specific requirement that administrators should not have this access?

If yes, then there should be someone who does this.

Hope this helps

WolfgangJanzen
Product and Topic Expert

> Hi friends,
>
> I want to disable the password change for the user. We have a few basis administrators with full authorization for SU01. So only the user id of the respective user should have the authorization to change or modify the password...
>
> The user only has the right to change his/her own password. Other users are not authorized to modify the password; they can only reset the password...
>
> thank you...

Frankly speaking I do not understand the motivation for your inquiry.

A password is a private secret - supposed to be known only by the user him-/herself. For exactly that reason the system prompts the user to change the password if the password was set by an administrator (who then also knows the password) or when the password was generated (since then the password was not chosen by the user, as well).

That kind of password change (performed by the user) requires that the user is able to present a valid current password ("old password"). Only if the "old password" was validated successfully can (s)he set a "new password". No special authorization is required for that action.

That's different from the operation a user administrator performs (using SU01): the admin sets a new password without being forced to know the current password. But that action requires user administration authorizations.
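As an added illustration (not code from any poster in this thread and not SAP's own implementation), the following Python model puts the two password paths Wolfgang describes next to the authorization point from the earlier reply: a user changing their own password must present the current one and needs no authorization, while an administrator reset requires S_USER_GRP with ACTVT 05, leaves the admin knowing the password and so forces a dialog user to change it at next logon, and skips that prompt for user type S (Service) as Trond notes. The `User` class, the function names and the `sod_violations` segregation-of-duties check are hypothetical constructs for this example; the hashing is only there so the model behaves like a password store.

```python
# Added example, not SAP code. S_USER_GRP / ACTVT 05 and user type "S" come
# from the thread; every class, function and sample account here is made up.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

Authorization = Tuple[str, str]          # (authorization object, ACTVT)
CHANGE_PASSWORD: Authorization = ("S_USER_GRP", "05")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the model never stores a plain password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class User:
    name: str
    user_type: str = "A"             # "A" = dialog user, "S" = service user
    authorizations: Set[Authorization] = field(default_factory=set)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    must_change: bool = False        # "initial password" flag after an admin reset

    def store_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return bool(self.pw_hash) and hmac.compare_digest(
            self.pw_hash, _hash(password, self.salt))


def change_own_password(user: User, old: str, new: str) -> bool:
    """User path (SU3-style): only a valid current password is needed, no authorization."""
    if not user.verify(old):
        return False
    user.store_password(new)
    user.must_change = False
    return True


def admin_reset_password(admin: User, target: User) -> Optional[str]:
    """Admin path (SU01-style): no old password, but S_USER_GRP ACTVT 05 is required.
    Returns the generated initial password, or None when the admin lacks it."""
    if CHANGE_PASSWORD not in admin.authorizations:
        return None
    initial = secrets.token_urlsafe(12)
    target.store_password(initial)
    # The admin now knows the password, so a dialog user must change it at the
    # next logon; a service user (type S) is not prompted.
    target.must_change = target.user_type != "S"
    return initial


def logon(user: User, password: str) -> str:
    """Returns 'rejected', 'change-password' or 'ok'."""
    if not user.verify(password):
        return "rejected"
    return "change-password" if user.must_change else "ok"


def sod_violations(users: Iterable[User], security_team: Set[str]) -> List[str]:
    """Everyone outside the security team who can set other users' passwords."""
    return sorted(u.name for u in users
                  if CHANGE_PASSWORD in u.authorizations and u.name not in security_team)


def demo() -> Dict[str, object]:
    """Runs the scenario from the thread with constructed accounts and returns the outcomes."""
    basis = User("BASIS01")                                   # no password rights
    basis2 = User("BASIS02", authorizations={CHANGE_PASSWORD})  # misconfigured basis admin
    secadm = User("SECADM", authorizations={CHANGE_PASSWORD})
    alice = User("ALICE")                                     # dialog user
    train = User("TRAIN01", user_type="S")                    # training/service account
    out: Dict[str, object] = {}
    out["basis_reset"] = admin_reset_password(basis, alice)   # None: not authorized
    initial = admin_reset_password(secadm, alice)
    out["alice_first_logon"] = logon(alice, initial)          # forced change
    out["alice_wrong_old"] = change_own_password(alice, "guess", "N3w-Secret!")
    out["alice_changed"] = change_own_password(alice, initial, "N3w-Secret!")
    out["alice_second_logon"] = logon(alice, "N3w-Secret!")
    train_initial = admin_reset_password(secadm, train)
    out["service_logon"] = logon(train, train_initial)        # no forced change
    out["violations"] = sod_violations([basis, basis2, secadm, alice, train], {"SECADM"})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `sod_violations` check is the part worth lifting into a real review: export the users who hold S_USER_GRP with ACTVT 05 and compare the list against the security team, which is exactly the "no SU01 for basis admins" rule from the accepted solution.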



When you have an Identity Management system for your password management solution and want the users to leverage this solution instead of SAP systems individually. Allowing them to reset in each SAP system could cause sync issues.


Hello Patrick and all.

We have the same issue here. We use an Identity Management system as our password management solution and we are trying to avoid the user changing the password on the initial screen, but we don't know how. When the user changes it we have a lot of sync issues.

Did you find a solution to guarantee the end user only has access to change the password in the IDM?