SAP Password
1. Which rules apply to changing passwords?
When an administrator creates a user account (of the type DIALOG or COMMUNICATION, see Note 622464), they
assign an initial password that must be changed immediately when it is first used.
The lifetime of initial passwords can be restricted (see Notes 379081 and 450452).
Passwords that are reset by the administrator must also be changed by the user during the next (interactive) logon.
The lifetime of reset passwords can be restricted (see Notes 379081 and 450452).
By default, the password must have at least three characters. You can change this value using the profile parameter
login/min_password_lng.
The password can have a maximum of eight characters (ABAP systems up to Release 7.0). As of NetWeaver 7.0, ABAP
systems support longer passwords (up to 40 characters) and also differentiate between lowercase letters and uppercase
letters (see Note 862989).
"?" or "!" cannot be the first character of a password.
The first three characters of the password cannot occur in the same order in the user ID.
Remark: As of Release 6.10 (Web Application Server), this rule was removed. It applies only in releases up to
Release 4.6D.
The first three characters cannot be identical.
The first three characters cannot be blank characters.
Remark: As of Release 6.10 (Web Application Server), this rule no longer applies. The system checks this only in
releases up to Release 4.6D.
The password cannot be "PASS" or "SAP*".
The administrator can define patterns of "illegal passwords" (table USR40).
You can use all characters from the syntactical character set, that is, all letters, digits, and some special characters.
Remark: As of Release 6.10 (Web Application Server), the password rules were enhanced. In these releases, you can
define the minimum number of digits, letters, or special characters that must be contained in the new password:
login/min_password_digits
login/min_password_letters
login/min_password_specials
The system does not differentiate between uppercase and lowercase (ABAP systems up to Release 7.0). As of
NetWeaver 7.0, ABAP systems support longer passwords (up to 40 characters) and also differentiate between lowercase
letters and uppercase letters (see Note 862989).
The password can be changed by the user only after the correct old password was entered.
Remark: Prior to Release 6.20 (Web Application Server), the password can be changed only during the logon
procedure. As of Release 6.20, the password can also be changed by following the menu path "System > User Profile >
Own Data" (transaction SU3).
The new password must differ from the old password by at least one character (that is, they cannot be identical).
Page: File:
1 of 10 130466570.doc
Remark: As of Release 6.10 (Web Application Server), you can define the minimum number of characters that must be
different between the old password and the new password (login/min_password_diff).
The last five passwords that were chosen by the user are stored in a user-specific password history and cannot be
reused.
Remark: The size of the password history is static (5) and cannot be maintained (ABAP systems up to Release 7.0). As
of NetWeaver 7.0, you can define the size of the password history (see Note 862989: login/password_history_size).
The password can be changed by the user once a day at the most. This rule prevents users from bypassing the
password history rule. As of NetWeaver 7.0, you can configure this lock period (see Note 862989:
login/password_change_waittime).
Remark: The administrator can reset user passwords at any time. In this case, during the next logon, the system prompts
the user to change the password. The lock period mentioned above applies only to cases in which the user requests a
password change. For forced password changes, it is disabled.
Changed password rules do not affect old passwords. Password rules are evaluated only during the password change
itself.
As of NetWeaver 7.0, you can specifically prompt certain users to change their passwords early. These are users whose
passwords do not comply with the current password rules (see Note 862989:
login/password_compliance_to_current_policy).
As of Release 6.10, you can use the function module PASSWORD_FORMAL_CHECK to determine whether a given
string corresponds to the current password rules.
2. What can be configured in the system?
The following profile parameters are available for setting password rules and preventing unauthorized logons:
login/min_password_lng
This parameter defines the minimum length of the password.
Default value: 3
Allowed values: 3 - 8 (as of Release 7.0: 1 - 40)
login/min_password_digits (as of Release 6.10)
This parameter defines the minimum number of digits (0-9) in passwords.
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)
login/min_password_letters (as of Release 6.10)
This parameter defines the minimum number of letters (A-Z) in passwords.
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)
login/min_password_specials (as of Release 6.10)
This parameter defines the minimum number of special characters in passwords.
Special characters are: !"@ $%&/()=?'`*+~#-_.,;:{[]}<>
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)
login/min_password_diff (as of Release 6.10)
This parameter defines the minimum number of characters that must be different in the new password in comparison to
the old password. The system tries to find the best match by rotating both passwords; more detailed information about
this is available in the online documentation (RZ11).
Default value: 1
Allowed values: 1 - 8 (as of Release 7.0: 1 - 40)
login/password_expiration_time
This parameter defines the number of days after which the password must be changed.
Default value: 0 (no limit)
Allowed values: Any numeric value
login/fails_to_session_end
This parameter defines the number of unsuccessful logon attempts before the system closes the session. We
recommend that you set this parameter to a lower value than the value of the parameter login/fails_to_user_lock.
Default value: 3
Allowed values: 1 - 99
login/fails_to_user_lock
This parameter defines the number of unsuccessful logon attempts before the system locks the user.
By default, users that were locked due to unsuccessful logon attempts are unlocked at midnight.
Default value: 12 (as of Release 7.0: 5)
Allowed values: 1 - 99
login/failed_user_auto_unlock
This parameter defines whether password locks (that were set due to multiple failed password logon attempts) are
automatically considered expired at midnight.
Default value: 1 (as of Release 7.0: 0)
Allowed values: 0, 1
login/no_automatic_user_sapstar
For information, see Notes 2383 and 68048.
Remark: The default value was changed as of NetWeaver 7.0.
rdisp/gui_auto_logout
This parameter defines the maximum idle time in seconds for a user (valid only for SAP GUI connections).
Default value: 0 (no limit)
Allowed values: Any numeric value
In addition, in the table USR40, you can define character combinations or terms that cannot be used as passwords. In
this table, you can use the characters "*" and "?" as wildcards. The character "?" represents a single character, and the
character "*" represents a character string.
Remark: The table USR40 was not designed to contain thousands of single values for "illegal passwords" (negative
dictionary). Instead, the system expects pattern values. Possible new passwords are compared with all the entries in the
table USR40. Since this restriction was not entirely clear, and because many customers filled their table USR40 with
thousands of single values, we have optimized the search within the table. For more information, see Note 618630.
Examples:
123* prohibits all passwords that begin with "123", such as "123456" or "123123".
P?SS prohibits passwords like "PASS", "PBSS", and so on.
*? ?* prohibits passwords that contain blank characters (between words).
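The following Python model of the rules in sections 1 and 2 is an added example, not SAP code and not the function module PASSWORD_FORMAL_CHECK. It assumes constructed profile values and a constructed USR40 content (the three patterns above plus "PASS" and "SAP*"), treats USR40 matching as case-insensitive, and approximates the rotation used by login/min_password_diff; the legacy 4.6D rules are switched on with a flag.

```python
import re
from typing import Iterable, List, Optional

# Constructed profile values in the style of a NetWeaver 7.0 policy (not from any real system).
PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_diff": 3,
    "login/password_history_size": 5,
}

# Special characters exactly as listed for login/min_password_specials above.
SPECIALS = set('!"@ $%&/()=?\'`*+~#-_.,;:{[]}<>')

# Constructed USR40 content: the three pattern examples from the text plus two literals.
USR40 = ["123*", "P?SS", "*? ?*", "PASS", "SAP*"]


def usr40_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a USR40 entry into a regex: '?' is one character, '*' any string."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    # Whole-password match; compared case-insensitively (an assumption of this model).
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def usr40_match(pattern: str, password: str) -> bool:
    return usr40_regex(pattern).fullmatch(password) is not None


def min_rotated_diff(old: str, new: str) -> int:
    """Smallest position-wise difference over all rotations of the old password.

    Simplified model of the rotation behaviour described for login/min_password_diff;
    the exact SAP algorithm is documented in RZ11 and not reproduced here.
    """
    best = max(len(old), len(new))
    for k in range(len(old)):
        rotated = old[k:] + old[:k]
        diff = sum(1 for a, b in zip(rotated, new) if a != b)
        diff += abs(len(rotated) - len(new))  # an unmatched tail counts as changed
        best = min(best, diff)
    return best


def check_password(new: str, old: Optional[str] = None, user_id: Optional[str] = None,
                   history: Iterable[str] = (), legacy_rules: bool = False,
                   profile: dict = PROFILE) -> List[str]:
    """Return the list of rules the candidate password violates (empty list = accepted)."""
    v: List[str] = []
    if len(new) < profile["login/min_password_lng"]:
        v.append("shorter than login/min_password_lng")
    if new[:1] in ("?", "!"):
        v.append("? or ! as first character")
    if len(new) >= 3 and len(set(new[:3])) == 1:
        v.append("first three characters identical")
    if legacy_rules:  # rules the text says were checked only up to Release 4.6D
        if user_id and len(new) >= 3 and new[:3].upper() in user_id.upper():
            v.append("first three characters occur in user ID")
        if " " in new[:3]:
            v.append("blank among the first three characters")
    if new.upper() in ("PASS", "SAP*"):
        v.append('password is "PASS" or "SAP*"')
    if sum(c.isdigit() for c in new) < profile["login/min_password_digits"]:
        v.append("fewer digits than login/min_password_digits")
    if sum(c.isascii() and c.isalpha() for c in new) < profile["login/min_password_letters"]:
        v.append("fewer letters than login/min_password_letters")
    if sum(c in SPECIALS for c in new) < profile["login/min_password_specials"]:
        v.append("fewer special characters than login/min_password_specials")
    for pattern in USR40:
        if usr40_match(pattern, new):
            v.append(f"matches USR40 pattern {pattern}")
    if old is not None and min_rotated_diff(old, new) < profile["login/min_password_diff"]:
        v.append("fewer changed characters than login/min_password_diff")
    recent = list(history)[-profile["login/password_history_size"]:]
    if new in recent:
        v.append("found in password history")
    return v


if __name__ == "__main__":
    for candidate in ("Winter!2024", "123abcde", "?Secret12", "inter!2024W"):
        print(candidate, check_password(candidate, user_id="JDOE"))
```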
3. How is the password stored?
The password is stored in the database as a hash value (a reversal is not possible: the relevant plaintext password
cannot be determined from the hash value). MD5 and (as of NetWeaver 7.0) SHA-1 with a deterministic "Salt" are used
as the hash functions. As of NetWeaver 7.1, password hash procedures with a randomly generated "Salt" are also
supported (see Note 991968).
4. How is the password transferred using the network?
Currently, the data stream between the front end and the application server is only compressed. To encrypt data for the
transfer, use our Secure Network Communications (SNC) and an external security product. Using SNC enables a user
authentication that is not based on passwords. Therefore, it is not necessary to send any password data using the
network.
There is no option for us to encrypt the data stream between the application server and the database server. Contact
your database provider for information about which options are available.
5. Can a user without an authorization profile execute functions in the SAP system?
Users who do not have an authorization profile can execute only functions for which no authorization checks are carried
out. However, there should be very few of these functions.
If you discover deficiencies in this area, report them to the SAP Development department.
(In the case of an emergency, you can use a modification to implement checks. In transaction SE93, maintain an
authorization object and its values to check the affected transaction).
Password Control in SAP Systems
There are two ways in which you can define your choice of user passwords:
• You can use the system profile parameters to assign a minimum length for the passwords and define
how often the user has to set new passwords.
• Invalid passwords can be entered in the table of reserved passwords, USR40. This table is
maintained with transaction SM30. The entries can also be made generically:
- ? denotes one character
- * denotes a character string
The SAP System also has pre-defined password rules. You can control passwords with the profile parameters
login/*:
login/min_password_lng - Defines the minimum allowed length of a new password.
login/password_expiration_time - Defines the expiration period of the password
login/fails_to_user_lock - Locks the user after the specified amount of wrong logon attempts; user is
unlocked at midnight if the login/failed_user_auto_unlock parameter is set
login/fails_to_session_end - Ends the user's session after the specified number of wrong logon attempts
login/disable_multiple_gui_login - Refuses multiple logon of users; only users listed in
login/multi_login_users are allowed for multiple logon
login/min_password_diff - Defines the minimum number of different characters between old and new
password including rotation
login/password_max_new_valid - Defines the validity period of passwords for newly created users
login/password_max_reset_valid - Defines the validity period of reset passwords
login/min_password_digits/_letters/_specials - Defines the minimum number of digits/letters/special
characters in the password
login/disable_password_logon and login/password_logon_usergroup
Controls the deactivation of password-based logon
login/disable_cpic - Refuses incoming connections of type CPIC
rdisp/gui_auto_logout - Defines the time for automatic SAPGUI logout
login/no_automatic_user_sapstar - Controls the SAP* user
Default password, and protecting SAP*
Starting with installations of SAP Web Application Server release 6.10 and higher, the passwords of SAP*
and DDIC are selected during the installation process.
Use the User Information System or report RSUSR003 to monitor the passwords of all predefined users.
If possible, make use of the profile parameter, login/no_automatic_user_sapstar.
If you create a new client, the default password for SAP* is "pass". If you delete the SAP* user ID, logon is
still possible with SAP* / pass.
The DDIC user maintains the ABAP Dictionary and software logistics. The system automatically creates user
master records for SAP* and DDIC in client 000 when the SAP System is installed. DDIC is the only user who can
log on to the SAP System during a release upgrade.
Do not delete or lock user DDIC because it is required for certain installation and set-up tasks. User DDIC
needs extensive authorization. As a result, the profile SAP_ALL is allocated to it. The users, SAP* and DDIC,
should be assigned to user group SUPER to prevent unauthorized users from changing or deleting their user
master record.
Default clients in an SAP System:
• Client 000 is used for customizing default settings. SAP imports the customized settings into this client in
future SAP System releases during the upgrade process or even with support packages. Client 000 should
not be used to customize data input or development.
• Client 066 is used by the SAP EarlyWatch service and should not be used or deleted by the customers.
Please refer to the new password rules.
Table USR40 in BK2 / BK1:
SAP Password Rule Description
New passwords must be 8 letters (and/or numbers and/or most special characters) in length.
You cannot reuse a password that has been used before; the system remembers the last 5 passwords.
After changing your password, you have to wait one day in order to change it again.
When changing your password, the new one must differ by at least one character.
SAP passwords are not case sensitive.
Passwords expire after 60 days.
After 6 incorrect passwords the account is locked, and the SAP Helpdesk has to be contacted to unlock the account.
Passwords can't have the symbols "?" or "!" as the first character.
The first 3 characters cannot occur in the same order in the Userid.
The first 3 characters cannot be identical.
First 3 characters cannot contain a space.
Invalid Passwords: Table USR40
• 12345678
• qwertyui
• asdfghjk
• zxcvbnm
• february
• november
• december
• pass
• sap*
Password Management in the SAP System
A user account must have a password in order to be able to connect to the SAP system. When a user is
created in SAP, an initial password is assigned to the user account. The initial password can be explicitly
specified or system generated. The user is prompted to change the password on first logon attempt.
It is important to ensure that neither the initial password nor the new password is trivial.
A number of parameters can be used to manage passwords in SAP.
These include:
login/password_expiration_time: This parameter defines the number of days after which a password must
be changed.
login/min_password_lng: This parameter defines the minimum password length.
login/min_password_digits: This parameter defines the minimum number of digits (0-9) in a password.
login/min_password_letters: This parameter defines the minimum number of letters (A-Z) in a password.
login/min_password_specials: This parameter defines the minimum number of special characters in a password.
These special characters include ( ), !, $, %, :, ', ", ;, =, &, #, }, ], {, [, >, <.
login/min_password_diff: This parameter defines the minimum number of characters by which the new password
must differ from the previous one.
To enforce password complexity and keep easily guessed passwords out of the system, SAP provides table
USR40, which is used to define prohibited passwords.
This table holds words that cannot be used as passwords in the SAP system.
? and * are two wildcard characters that can be used in conjunction with the words defined in table USR40.
? stands for a single character, while * stands for any sequence of characters of any length.
For example, 123* forbids passwords that begin with 123; *123* forbids any password that contains the
sequence 123; and XY? forbids passwords consisting of XY followed by one further character, such as XYX,
XYY and XYZ.
To define prohibited passwords, use transaction SE16.
SAP SYSTEM SECURITY PARAMETERS
A good number of parameters in the RSPARAM table define how security is enforced in the SAP system.
These parameters have default values. If many of these defaults are left unchanged, the integrity of the
system can be compromised.
The following is a concise description of some important security-oriented parameters.
login/no_automatic_user_sapstar
By default, the SAP system is installed with a super user master record called SAP*. If this master record is
deleted, SAP allows a user to log on with the password "PASS" for the SAP* user. To disallow this "illegal"
entry, set the value to 1. Recommended value is 1.
login/fails_to_user_lock
This parameter defines the maximum number of unsuccessful logon attempts before the user is locked by
the system. An entry is then recorded in the system log. Recommended value is 6.
login/failed_user_auto_unlock
This parameter activates or deactivates the automatic unlocking of locked users at midnight. It is
advisable that the system/user administrator performs the unlocking of locked users. Recommended value
is 0.
login/fails_to_session_end
This parameter defines the number of times a user may enter a wrong password before the logon session is
terminated. Recommended value is 3.
rdisp/gui_auto_logout
This parameter defines the number of inactive seconds after which a user is automatically logged out of
the system. Recommended value is 1800 seconds.
login/password_expiration_time
This parameter defines the number of days after which a password must be changed. Recommended value
is 35 days.
login/min_password_lng
This parameter defines the minimum password length. Recommended value is 8.
login/min_password_digits
This parameter defines the minimum number of digits (0-9) in a password.
login/min_password_letters
This parameter defines the minimum number of letters (A-Z) in a password.
login/min_password_specials
This parameter defines the minimum number of special characters in a password. These special characters include
( ), !, $, %, :, ', ", ;, =, &, #, }, ], {, [, >, <.
login/min_password_diff
This parameter defines the minimum number of characters by which the new password must differ from the previous one.
rec/client
This parameter activates or deactivates automatic table logging. It is recommended to switch it on; however,
resource utilization, the table(s) to be logged and the log volume should be analyzed critically first.
auth/rfc_authority_check
This parameter defines how the S_RFC authorization object is checked during RFC calls. When set to the recommended
value of 2, the check is active and is performed against the function group (SRFC-FUGR).
It would however be helpful if someone has already found a way to get closer to strong password rules
with the help of parameters and/or table USR40.
I have not found a way to include a rule that the user password may not include (part of) the user name,
first name, last name and such things.
These may help you to restrict it.
login/disable_cpic = 0
login/disable_multi_gui_login = 0
login/disable_multi_rfc_login = 0
login/disable_password_logon = 0
login/failed_user_auto_unlock = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/isolate_rfc_system_calls = 0
login/min_password_diff = 4
login/min_password_digits = 2
login/min_password_letters = 4
login/min_password_lng = 8
login/min_password_specials = 0
login/no_automatic_user_sapstar = 1
login/password_change_for_SSO = 0
login/password_change_for_sso = 0
login/password_charset = 1
login/password_downwards_compatibility = 5
login/password_expiration_time = 90
login/password_max_new_valid = 30
login/password_max_reset_valid = 0
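As an added example (not part of the original document or of any SAP tool), the following Python script audits a profile excerpt written in the "name = value" form listed above against the recommended values given earlier on this page. The sample profile text is constructed; the release defaults used for absent parameters are the NetWeaver 7.0 defaults stated in section 2.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed profile excerpt in the same "name = value" form as the listing above.
SAMPLE_PROFILE = """
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/min_password_lng = 8
login/no_automatic_user_sapstar = 1
login/password_expiration_time = 90
"""

# (parameter, 7.0 default when absent, predicate on the effective value, recommendation from the page)
CHECKS: List[Tuple[str, Optional[int], Callable[[int], bool], str]] = [
    ("login/no_automatic_user_sapstar", None, lambda v: v == 1,
     "set to 1 so that SAP*/PASS cannot be used after the master record is deleted"),
    ("login/fails_to_user_lock", 5, lambda v: v <= 6,
     "lock the user after at most 6 failed logon attempts"),
    ("login/failed_user_auto_unlock", 0, lambda v: v == 0,
     "set to 0 so that locked users are not unlocked automatically at midnight"),
    ("login/fails_to_session_end", 3, lambda v: v <= 3,
     "end the session after at most 3 failed logon attempts"),
    ("rdisp/gui_auto_logout", 0, lambda v: 1 <= v <= 1800,
     "log idle SAP GUI users out within 1800 seconds (0 means no limit)"),
    ("login/password_expiration_time", 0, lambda v: 1 <= v <= 35,
     "expire passwords within 35 days (0 means they never expire)"),
    ("login/min_password_lng", 3, lambda v: v >= 8,
     "require a minimum password length of 8"),
]


def parse_profile(text: str) -> Dict[str, int]:
    """Parse 'name = value' lines; '#' starts a comment, non-numeric values are skipped."""
    params: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        try:
            params[name] = int(value)
        except ValueError:
            continue
    return params


def audit(profile_text: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (parameter, effective value, advice) for every setting that misses the recommendation."""
    params = parse_profile(profile_text)
    findings: List[Tuple[str, Optional[int], str]] = []
    for name, default, ok, advice in CHECKS:
        if name in params:
            value = params[name]
        elif default is None:
            # The page states only that the default changed in 7.0 (see Notes 2383 and 68048).
            findings.append((name, None, "not set explicitly; default depends on release, " + advice))
            continue
        else:
            value = default  # parameter absent: the release default applies
        if not ok(value):
            findings.append((name, value, advice))
    # Cross-check from section 2: the session should end before the user is locked.
    session_end = params.get("login/fails_to_session_end", 3)
    user_lock = params.get("login/fails_to_user_lock", 5)
    if session_end >= user_lock:
        findings.append(("login/fails_to_session_end", session_end,
                         f"should be lower than login/fails_to_user_lock ({user_lock})"))
    return findings


if __name__ == "__main__":
    for name, value, advice in audit(SAMPLE_PROFILE):
        print(f"{name} = {value}: {advice}")
```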
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

SAP Password Rules and Configuration

• 1. SAP Password

1. Which rules apply to changing passwords?

When an administrator creates a user account (of the type DIALOG or COMMUNICATION, see Note 622464), they assign an initial password that must be changed immediately when it is first used. The lifetime of initial passwords can be restricted (see Notes 379081 and 450452).

Passwords that are reset by the administrator must also be changed by the user during the next (interactive) logon. The lifetime of reset passwords can be restricted (see Notes 379081 and 450452).

By default, the password must have at least three characters. You can change this value using the profile parameter login/min_password_lng.

The password can have a maximum of eight characters (ABAP systems up to Release 7.0). As of NetWeaver 7.0, ABAP systems support longer passwords (up to 40 characters) and also differentiate between lowercase letters and uppercase letters (see Note 862989).

? or ! cannot be the first character of a password.

The first three characters of the password cannot occur in the same order in the user ID.
Remark: As of Release 6.10 (Web Application Server), this rule was removed. It applies only in releases up to Release 4.6D.

The first three characters cannot be identical.

The first three characters cannot be blank characters.
Remark: As of Release 6.10 (Web Application Server), this rule no longer applies. The system checks this only in releases up to Release 4.6D.

The password cannot be "PASS" or "SAP*".

The administrator can define patterns of "illegal passwords" (table USR40).

You can use all characters from the syntactical character set, that is, all letters, digits, and some special characters.
Remark: As of Release 6.10 (Web Application Server), the password rules were enhanced. In these releases, you can define the minimum number of digits, letters, or special characters that must be contained in the new password:
login/min_password_digits
login/min_password_letters
login/min_password_specials

The system does not differentiate between uppercase and lowercase (ABAP systems up to Release 7.0). As of NetWeaver 7.0, ABAP systems support longer passwords (up to 40 characters) and also differentiate between lowercase letters and uppercase letters (see Note 862989).

The password can be changed by the user only after the correct old password was entered.
Remark: Prior to Release 6.20 (Web Application Server), the password can be changed only during the logon procedure. As of Release 6.20, the password can also be changed by following the menu path "System > User Profile > Own Data" (SU3).

The new password must differ from the old password by at least one character (that is, they cannot be identical).

Page: 1 of 10 File: 130466570.doc
• 2.

Remark: As of Release 6.10 (Web Application Server), you can define the minimum number of characters that must be different between the old password and the new password (login/min_password_diff).

The last five passwords that were chosen by the user are stored in a user-specific password history and cannot be reused.
Remark: The size of the password history is static (5) and cannot be maintained (ABAP systems up to Release 7.0). As of NetWeaver 7.0, you can define the size of the password history (see Note 862989: login/password_history_size).

The password can be changed by the user once a day at the most. This rule prevents users from bypassing the password history rule. As of NetWeaver 7.0, you can configure this lock period (see Note 862989: login/password_change_waittime).
Remark: The administrator can reset user passwords at any time. In this case, during the next logon, the system prompts the user to change the password. The lock period mentioned above applies only to cases in which the user requests a password change. For forced password changes, it is disabled.

Changed password rules do not affect old passwords. Password rules are evaluated only during the password change itself. As of NetWeaver 7.0, you can specifically prompt certain users to change their passwords early, namely users whose passwords do not comply with the current password rules (see Note 862989: login/password_compliance_to_current_policy).

As of Release 6.10, you can use the function module PASSWORD_FORMAL_CHECK to determine whether a given string corresponds to the current password rules.

2. What can be configured in the system?

The following profile parameters are available for setting password rules and preventing unauthorized logons:

login/min_password_lng
This parameter defines the minimum length of the password.
Default value: 3
Allowed values: 3 - 8 (as of Release 7.0: 1 - 40)

login/min_password_digits (as of Release 6.10)
This parameter defines the minimum number of digits (0-9) in passwords.
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)

login/min_password_letters (as of Release 6.10)
This parameter defines the minimum number of letters (A-Z) in passwords.
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)

login/min_password_specials (as of Release 6.10)
This parameter defines the minimum number of special characters in passwords. Special characters are: !"@ $%&/()=?'`*+~#-_.,;:{[]}<>
Default value: 0
Allowed values: 0 - 8 (as of Release 7.0: 1 - 40)

login/min_password_diff (as of Release 6.10)
This parameter defines the minimum number of characters that must be different in the new password in comparison to the old password. (The system tries to find the best match by rotating both passwords. More detailed information about this is available in the online documentation (RZ11).)
Default value: 1
Allowed values: 1 - 8 (as of Release 7.0: 1 - 40)
• 3.

login/password_expiration_time
This parameter defines the number of days after which the password must be changed.
Default value: 0 (no limit)
Allowed values: Any numeric value

login/fails_to_session_end
This parameter defines the number of unsuccessful logon attempts before the system closes the session. We recommend that you set this parameter to a lower value than the value of the parameter login/fails_to_user_lock.
Default value: 3
Allowed values: 1 - 99

login/fails_to_user_lock
This parameter defines the number of unsuccessful logon attempts before the system locks the user. By default, users that were locked due to unsuccessful logon attempts are unlocked at midnight.
Default value: 12 (as of Release 7.0: 5)
Allowed values: 1 - 99

login/failed_user_auto_unlock
This parameter defines whether password locks (that were set due to multiple failed password logon attempts) are automatically considered expired at midnight.
Default value: 1 (as of Release 7.0: 0)
Allowed values: 0, 1

login/no_automatic_user_sapstar
For information, see Notes 2383 and 68048.
Remark: The default value was changed as of NetWeaver 7.0.

rdisp/gui_auto_logout
This parameter defines the maximum idle time in seconds for a user (valid only for SAP GUI connections).
Default value: 0 (no limit)
Allowed values: Any numeric value

In addition, in the table USR40, you can define character combinations or terms that cannot be used as passwords. In this table, you can use the characters "*" and "?" as wildcards. The character "?" represents a single character, and the character "*" represents a character string.
Remark: The table USR40 was not designed to contain thousands of single values for "illegal passwords" (negative dictionary). Instead, the system expects pattern values. Possible new passwords are compared with all the entries in the table USR40. Since this restriction was not entirely clear, and because many customers filled their table USR40 with thousands of single values, we have optimized the search within the table. For more information, see Note 618630.

Examples:
123* prohibits all passwords that begin with "123", such as "123456" or "123123".
P?SS prohibits passwords like "PASS", "PBSS", and so on.
*? ?* prohibits passwords that contain blank characters (between words).

3. How is the password stored?

The password is stored in the database as a hash value (a reversal is not possible: the plaintext password cannot be determined from the hash value). MD5 and (as of NetWeaver 7.0) SHA-1 with a deterministic "Salt" are used as the hash functions. As of NetWeaver 7.1, password hash procedures with a randomly generated "Salt" are also supported (see Note 991968).

4. How is the password transferred using the network?

Currently, the data stream between the front end and the application server is only compressed. To encrypt data for the transfer, use our Secure Network Communications (SNC) and an external security product. Using SNC enables a user authentication that is not based on passwords. Therefore, it is not necessary to send any password data over the network.
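As an added example (not SAP's own code, and not the function module PASSWORD_FORMAL_CHECK mentioned above), the Python below applies the formal rules from sections 1 and 2 to a candidate password: length and character-class minimums, the reserved values "PASS" and "SAP*", the first-character rule, the rotation-based login/min_password_diff comparison, the password history, and USR40 wildcard patterns translated into anchored regular expressions. The Policy class, the function names, the sample patterns and the exact rotation algorithm are assumptions made here; only the rules, defaults and USR40 examples come from the page.

```python
"""Added example, not SAP code: apply the page's formal password rules.
Policy, function names and the rotation reading of login/min_password_diff
are assumptions made for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class Policy:
    """Profile parameters named on the page, with their documented defaults."""
    min_password_lng: int = 3
    min_password_digits: int = 0
    min_password_letters: int = 0
    min_password_specials: int = 0
    min_password_diff: int = 1
    password_history_size: int = 5
    # Special characters as listed for login/min_password_specials.
    specials: str = "!\"@ $%&/()=?'`*+~#-_.,;:{[]}<>"
    # Patterns of illegal passwords (table USR40): ? = one character, * = any string.
    illegal_patterns: List[str] = field(default_factory=list)
    # Rules the page says apply only up to Release 4.6D.
    legacy_rules: bool = False


def usr40_to_regex(pattern: str) -> "re.Pattern":
    """Translate a USR40 wildcard pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        parts.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def rotation_diff(old: str, new: str) -> int:
    """Smallest number of differing positions between the new password and any
    rotation of the old one (assumed reading of 'the system tries to find the
    best match by rotating both passwords'). Extra length counts as differing
    positions; comparison is case-insensitive, as on pre-7.0 systems."""
    if not old:
        return len(new)
    best = None
    for offset in range(len(old)):
        rotated = old[offset:] + old[:offset]
        diff = sum(1 for a, b in zip(rotated, new) if a.lower() != b.lower())
        diff += abs(len(rotated) - len(new))
        best = diff if best is None else min(best, diff)
    return best


def check_password(new: str, user_id: str, old: str = "",
                   history: Sequence[str] = (), policy: Optional[Policy] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    p = policy or Policy()
    problems: List[str] = []
    if len(new) < p.min_password_lng:
        problems.append(f"shorter than login/min_password_lng={p.min_password_lng}")
    if new[:1] in ("?", "!"):
        problems.append("'?' or '!' may not be the first character")
    if new.upper() in ("PASS", "SAP*"):
        problems.append("'PASS' and 'SAP*' are reserved")
    if len(new) >= 3 and len(set(new[:3].lower())) == 1:
        problems.append("first three characters are identical")
    if p.legacy_rules:  # rules the page documents for releases up to 4.6D
        if len(new) >= 3 and new[:3].lower() in user_id.lower():
            problems.append("first three characters occur in the user ID")
        if " " in new[:3]:
            problems.append("first three characters contain a blank")
    counts = {"digits": sum(c.isdigit() for c in new),
              "letters": sum(c.isalpha() for c in new),
              "specials": sum(c in p.specials for c in new)}
    for kind, required in (("digits", p.min_password_digits),
                           ("letters", p.min_password_letters),
                           ("specials", p.min_password_specials)):
        if counts[kind] < required:
            problems.append(f"fewer than login/min_password_{kind}={required} {kind}")
    if old and rotation_diff(old, new) < p.min_password_diff:
        problems.append(f"fewer than login/min_password_diff={p.min_password_diff} "
                        "positions differ from the old password")
    recent = list(history)[-p.password_history_size:]
    if any(new.lower() == h.lower() for h in recent):
        problems.append(f"password is in the history (last {p.password_history_size})")
    for pattern in p.illegal_patterns:
        if usr40_to_regex(pattern).match(new):
            problems.append(f"matches USR40 pattern {pattern!r}")
    return problems


# Constructed policy: slide-9 parameter values plus USR40 patterns from the page.
SAMPLE_POLICY = Policy(min_password_lng=8, min_password_digits=2, min_password_letters=4,
                       min_password_diff=4,
                       illegal_patterns=["123*", "P?SS", "*? ?*", "february"])

if __name__ == "__main__":
    for candidate in ("PASS", "123456789", "pass word1", "Winter2024x"):
        verdict = check_password(candidate, "ALICE", old="Summer2023x", policy=SAMPLE_POLICY)
        print(candidate, "->", verdict or "accepted")
```

Because the page states that matching is done against every USR40 row, the pattern list is compiled per call here for clarity; a production checker would compile the table once. Note that "*? ?*" matches only because the blank is kept literally while "?" and "*" become wildcards.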
• 4.

There is no option for us to encrypt the data stream between the application server and the database server. Contact your database provider for information about which options are available.

5. Can a user without an authorization profile execute functions in the SAP system?

Users who do not have an authorization profile can execute only functions for which no authorization checks are carried out. However, there should be very few of these functions. If you discover deficiencies in this area, report them to the SAP Development department. (In the case of an emergency, you can use a modification to implement checks. In transaction SE93, maintain an authorization object and its values to check the affected transaction.)

Password Control in SAP Systems

There are two ways in which you can define your choice of user passwords:
• You can use the system profile parameters to assign a minimum length for the passwords and define how often the user has to set new passwords.
• Invalid passwords can be entered in the table of reserved passwords, USR40. This table is maintained with transaction SM30. The entries can also be made generically:
  - ? denotes one character
  - * denotes a character string

The SAP System also has pre-defined password rules. You can control passwords with the profile parameters login*:

login/min_password_lng - Defines the minimum allowed length of a new password.
login/password_expiration_time - Defines the expiration period of the password.
login/fails_to_user_lock - Locks the user after the specified number of wrong logon attempts; the user is unlocked at midnight if the login/failed_user_auto_unlock parameter is set.
login/fails_to_session_end - Ends the user's session after the specified number of wrong logon attempts.
login/disable_multiple_gui_login - Refuses multiple logons of the same user; only users listed in login/multi_login_users are allowed to log on more than once.
login/min_password_diff - Defines the minimum number of different characters between old and new password, including rotation.
login/password_max_new_valid - Defines the validity period of passwords for newly created users.
login/password_max_reset_valid - Defines the validity period of reset passwords.
login/min_password_digits/_letters/_specials - Define the minimum number of digits/letters/special characters in the password.
login/disable_password_logon and login/password_logon_usergroup - Control the deactivation of password-based logon.
login/disable_cpic - Refuses incoming connections of type CPIC.
rdisp/gui_auto_logout - Defines the time for automatic SAP GUI logout.
login/no_automatic_user_sapstar - Controls the SAP* user default password and protects SAP*.
• 5.

Starting with installations of SAP Web Application Server release 6.10 and higher, the passwords of SAP* and DDIC are selected during the installation process. Use the User Information System or report RSUSR003 to monitor the passwords of all predefined users. If possible, make use of the profile parameter login/no_automatic_user_sapstar.

If you create a new client, the default password for SAP* is pass. If you delete the SAP* user ID, logon is possible with SAP* / pass.

The DDIC user maintains the ABAP Dictionary and software logistics. The system automatically creates user master records for the users SAP* and DDIC in client 000 when the SAP System is installed. DDIC is the only user who can log on to the SAP System during a release upgrade. Do not delete or lock user DDIC, because it is required for certain installation and set-up tasks. User DDIC needs extensive authorization; as a result, the profile SAP_ALL is allocated to it. The users SAP* and DDIC should be assigned to user group SUPER to prevent unauthorized users from changing or deleting their user master records.

Default clients in an SAP System:
• Client 000 is used for customizing default settings. SAP imports the customized settings into this client in future SAP System releases during the upgrade process or even with support packages. Client 000 should not be used for customizing data input or development.
• Client 066 is used by the SAP EarlyWatch service and should not be used or deleted by the customers.

Please refer to the new password rules, table USR40 in BK2 / BK1:
• 6.

SAP Password Rule Description
New passwords must be 8 letters (and/or numbers and/or most special characters) in length.
Cannot use a password that has been used before: it remembers back 5 passwords.
After changing your password, you have to wait one day in order to change it again.
When changing your password, the new one must differ by at least one character.
SAP passwords are not case sensitive.
Passwords expire after 60 days.
6 incorrect passwords and the account is locked, and the SAP Helpdesk has to be contacted to unlock the account.
Passwords can't have the symbols "?" or "!" as the first character.
The first 3 characters cannot occur in the same order in the user ID.
The first 3 characters cannot be identical.
The first 3 characters cannot contain a space.

Invalid Passwords: Table USR40
• 12345678
• qwertyui
• asdfghjk
• zxcvbnm
• february
• november
• december
• pass
• sap*

Password Management in the SAP System

A user account must have a password in order to be able to connect to the SAP system. When a user is created in SAP, an initial password is assigned to the user account. The initial password can be explicitly specified or system generated. The user is prompted to change the password on the first logon attempt. It is important to ensure that both the initial and the new passwords are not trivial.

A number of parameters can be used to manage passwords in SAP. These include:

login/password_expiration_time: This parameter defines the number of days after which a password must be changed.
login/min_password_lng: This parameter defines the minimum password length.
• 7.

login/min_password_digits: This parameter defines the minimum number of digits (0-9) in a password.
login/min_password_letters: This parameter defines the minimum number of letters (A-Z) in a password.
login/min_password_specials: This parameter defines the minimum number of special characters in a password. These special characters include (, ), !, $, %, :, ', ", ;, =, &, #, }, ], {, [, >, <.
login/min_password_diff: This parameter defines the number of characters that must differ from the previous password.

In order to enforce password complexity and ensure that easily guessed passwords are not set in the system, SAP provides table USR40, which is used to define prohibited passwords. This table houses words that cannot be used as passwords in the SAP system. ? and * are two wildcard characters that can be used in conjunction with the words defined in the USR40 table. While ? stands for a single character, * stands for a sequence of any combination of characters of any length. For example, 123* forbids passwords that begin with 123; *123* forbids any password that contains the sequence 123; and XY? forbids passwords that begin with XY and have one additional character, such as XYX, XYY, and XYZ.

To define prohibited passwords, use transaction SE16.
• 8.

SAP SYSTEM SECURITY PARAMETERS

A good number of parameters in the RSPARAM table define how security is enforced in the SAP system. These parameters have default values defined for them. If many of these default values are not changed, the integrity of the system can be compromised. The following is a concise description of some important security-oriented parameters.

login/no_automatic_user_sapstar
By default, the SAP system is installed with a super user master record called SAP*. If this master record is deleted, SAP allows a user to log on with a password of "PASS" for the SAP* user. To disallow this "illegal" entry, set the value to 1. Recommended value is 1.

login/fails_to_user_lock
This parameter defines the maximum number of unsuccessful logon attempts before the user is locked by the system. An entry is then recorded in the system log. Recommended value is 6.

login/failed_user_auto_unlock
This parameter activates or deactivates the automatic unlocking of locked users at midnight. It is advisable that the system/user administrator performs the unlocking of locked users. Recommended value is 0.

login/fails_to_session_end
This parameter defines the number of times a user may enter a wrong password before the logon session is terminated. Recommended value is 3.

rdisp/gui_auto_logout
This parameter defines the number of inactive seconds after which a user is automatically logged out of the system. Recommended value is 1800 sec.

login/password_expiration_time
This parameter defines the number of days after which a password must be changed. Recommended value is 35 days.

• 9.

login/min_password_lng
This parameter defines the minimum password length. Recommended value is 8.

*login/min_password_digits
This parameter defines the minimum number of digits (0-9) in a password.

*login/min_password_letters
This parameter defines the minimum number of letters (A-Z) in a password.

*login/min_password_specials
This parameter defines the minimum number of special characters in a password. These special characters include (, ), !, $, %, :, ', ", ;, =, &, #, }, ], {, [, >, <.

*login/min_password_diff
This parameter defines the number of characters that must differ from the previous password.

rec/client
This parameter activates or deactivates automatic table logging. It is recommended to switch it on; however, resource utilization, the table(s) to be logged, and the log volume should be critically analyzed.

auth/rfc_authority_check
This parameter defines how the S_RFC object is checked during RFC calls. When set to the recommended value of 2, the check is active and is performed against SRFC-FUGR.

It would, however, be helpful if someone has already found a way to get closer to strong password rules with the help of parameters and/or table USR40. I have not found a way to include a rule that the user password may not include (part of) the user name, first name, last name, and such things. These may help you to restrict it:

login/disable_cpic = 0
login/disable_multi_gui_login = 0
login/disable_multi_rfc_login = 0
login/disable_password_logon = 0
login/failed_user_auto_unlock = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/isolate_rfc_system_calls = 0
login/min_password_diff = 4
login/min_password_digits = 2
login/min_password_letters = 4
login/min_password_lng = 8
login/min_password_specials = 0
login/no_automatic_user_sapstar = 1
login/password_change_for_SSO = 0
login/password_change_for_sso = 0
login/password_charset = 1
login/password_downwards_compatibility = 5
login/password_expiration_time = 90
login/password_max_new_valid = 30
login/password_max_reset_valid = 0
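As an added example (not SAP tooling), the Python below reads a parameter dump in the "name = value" form listed above and reports which settings miss the recommended values given on slides 8 and 9, including parameters that are absent from the dump and therefore still carry the kernel default (for rdisp/gui_auto_logout and login/password_expiration_time the page says a default of 0 means "no limit"). The sample input is the list above; the function names and the reading of each recommendation as an exact value, an upper bound or a lower bound are assumptions made here.

```python
"""Added example, not SAP code: audit a 'name = value' profile parameter dump
against the recommended values stated on the slides above. Function names and
the bound interpretation of each recommendation are assumptions."""
from typing import Dict, List, Optional, Tuple

# Recommendations from the slides. rule: "eq" must equal target; "max" must not
# exceed target; "max_nonzero" must not exceed target and must not be 0 (0 means
# "no limit" for these two parameters); "min" must be at least target.
RECOMMENDED: Dict[str, Tuple[int, str]] = {
    "login/no_automatic_user_sapstar": (1, "eq"),
    "login/failed_user_auto_unlock": (0, "eq"),
    "login/fails_to_user_lock": (6, "max"),
    "login/fails_to_session_end": (3, "max"),
    "login/password_expiration_time": (35, "max_nonzero"),
    "rdisp/gui_auto_logout": (1800, "max_nonzero"),
    "login/min_password_lng": (8, "min"),
    "auth/rfc_authority_check": (2, "eq"),
}

# Sample input: the parameter values listed on the slide above.
SAMPLE_DUMP = """
login/disable_cpic = 0
login/disable_multi_gui_login = 0
login/disable_multi_rfc_login = 0
login/disable_password_logon = 0
login/failed_user_auto_unlock = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/isolate_rfc_system_calls = 0
login/min_password_diff = 4
login/min_password_digits = 2
login/min_password_letters = 4
login/min_password_lng = 8
login/min_password_specials = 0
login/no_automatic_user_sapstar = 1
login/password_change_for_SSO = 0
login/password_change_for_sso = 0
login/password_charset = 1
login/password_downwards_compatibility = 5
login/password_expiration_time = 90
login/password_max_new_valid = 30
login/password_max_reset_valid = 0
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (parameter, value or None if unset, finding) for each unmet recommendation."""
    params = parse_profile(text)
    findings: List[Tuple[str, Optional[str], str]] = []
    for name, (target, rule) in RECOMMENDED.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, None,
                             f"not set in the dump; kernel default applies (recommended: {target})"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, "non-numeric value; review manually"))
            continue
        if rule == "eq" and value != target:
            findings.append((name, raw, f"should be {target}"))
        elif rule == "max" and value > target:
            findings.append((name, raw, f"should be at most {target}"))
        elif rule == "max_nonzero" and (value == 0 or value > target):
            findings.append((name, raw, f"0 means no limit; should be between 1 and {target}"))
        elif rule == "min" and value < target:
            findings.append((name, raw, f"should be at least {target}"))
    return findings


if __name__ == "__main__":
    for name, value, finding in audit(SAMPLE_DUMP):
        print(f"{name} = {value!r}: {finding}")
```

Run against the list above, the audit flags login/password_expiration_time (90 days against the recommended 35) and reports rdisp/gui_auto_logout and auth/rfc_authority_check as unset, so the "no limit" idle-timeout default and the default RFC authority check remain in force; everything else in the list meets the stated recommendations.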