Define Profile Parameters to Secure Passwords and Logins

Objectives

After completing this lesson, you will be able to:
  • Identify profile parameters to secure user passwords and user logins
  • Implement security policies
  • State how to restrict user logons during maintenance work
  • Name standard users in the SAP system

Login Parameters

This section considers authorizations in the SAP system from an operational perspective. Among other things, the following questions are considered:

  • Which system settings can be used to influence logon behavior?

  • How can errors and problems be analyzed?

As the figure Profile Parameters for User Passwords shows, the minimum length for passwords is defined with the login/min_password_lng parameter. The parameters login/min_password_digits, login/min_password_letters, login/min_password_lowercase, login/min_password_uppercase, and login/min_password_specials specify the minimum number of digits, letters, lowercase letters, uppercase letters, and special characters that a password must contain, respectively.

The parameter login/password_expiration_time specifies the number of days after which users must set a new password. If the parameter is set to 0, the users do not need to change their password.

The following rules apply to all passwords:

  • Passwords cannot start with "?" or "!".

  • Passwords cannot be "pass".

Hint

The setting that requires users to create a new password that differs from their previous 5 passwords is no longer mandatory. You can use the login/password_history_size parameter to set the history size to any value between 1 and 100. The proposed standard value remains 5.

You can define additional password restrictions in table USR40.

The login/password_max_idle_initial parameter indicates the maximum length of time during which an initial password (a password selected by the user administrator) remains valid if it is not used. Once this period has expired, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

The parameter login/password_max_idle_productive indicates the maximum length of time a production password (a password chosen by the user) remains valid when it is not used. Once this period has expired, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

With the parameter login/min_password_diff, the administrator can determine the number of different characters a new password must possess in comparison with the old one when users change their passwords. This parameter has no effect when a new user is created or passwords are reset (for the latter, the parameters for initial passwords apply).

As the figure Profile Parameters for User Logons shows, you can set the number of failed logon attempts after which SAP GUI is terminated with the login/fails_to_session_end parameter. If users want to try the logon again, they must restart SAP GUI.

You use the login/fails_to_user_lock parameter to configure the number of possible failed logon attempts before the user is locked in the SAP system. The failed logon counter is reset after a successful logon attempt.

Hint

At midnight (server time), the users that were locked as a result of incorrect logon attempts are no longer automatically unlocked by the system (default value since AS ABAP 7.0). You reactivate this automatic unlocking with the parameter login/failed_user_auto_unlock = 1.

The administrator can unlock, lock, or assign a new password to users in user maintenance (transaction SU01).

If the parameter login/disable_multi_gui_login is set to 1, a user cannot log on to a client more than once. This can be desirable for system security reasons. With the parameter set to 1, users who attempt to log on to the system in a new logon session can either continue with the new session by ending the previous one or terminate the logon attempt. Users to whom this restriction should not apply are specified in the parameter login/multi_login_users, separated by commas and with no spaces.

Security Policies

In addition to login parameters, you can create security policies to control the logon behavior and the system behavior for password rules and changes. For the users they are assigned to, security policies override the behavior defined by profile parameters.

Individual users sometimes need a non-standard security policy regarding logon behavior and passwords. For example, users with extensive authorizations, such as administrators, should have stronger protection than standard users. These users should be prompted to change their passwords more often and should be subject to more complex password rules. However, if standard users have to meet such requirements as well, the stricter rules can lead to an increase in help desk inquiries.

A security policy is a collection of security attributes and their values. You create security policies in transaction SECPOL where you define the attributes with specific values for a desired logon and system behavior. The advantage of security policies is that you can assign them on a user and client-specific basis.

Note

Creating security policies is a Customizing activity, which is why you need a Customizing transport request.

As shown in figure Defining and Assigning Security Policy, you need to perform the following steps to create and assign a security policy:

  1. In transaction SECPOL, you create a new security policy by choosing New Entries.
  2. Specify the attributes for the security policy by choosing the Attributes node.
  3. Assign the security policy to a user in the user maintenance (transaction SU01).

    On the Logon Data tab, enter the created security policy in the field Security Policy.

    You can also assign it to multiple users using mass user maintenance (transaction SU10).

As soon as you assign a security policy to a user master record, it defines the desired behavior. If you leave the field blank, the standard behavior defined with profile parameters applies.
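As an added example (not SAP code and not part of this lesson), the following Python models how the password rules above are resolved: the profile parameters apply by default, and an assigned security policy overrides each rule it defines, which is exactly what the LOWSEC## exercise later in this lesson demonstrates. The profile lines are constructed; MIN_PASSWORD_LENGTH is the SECPOL attribute the lesson names, and the other attribute names are assumed to follow the same naming scheme.

```python
# Constructed sample of SAP instance profile lines; not taken from any real system.
PROFILE_TEXT = """
login/min_password_lng = 10
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_lowercase = 1
login/min_password_uppercase = 1
login/min_password_specials = 0
"""
# Profile parameter -> SECPOL attribute that overrides it for a user with a policy.
# MIN_PASSWORD_LENGTH is named in the lesson; the other names are assumed here.
PARAM_TO_ATTRIBUTE = {
    "login/min_password_lng": "MIN_PASSWORD_LENGTH",
    "login/min_password_digits": "MIN_PASSWORD_DIGITS",
    "login/min_password_letters": "MIN_PASSWORD_LETTERS",
    "login/min_password_lowercase": "MIN_PASSWORD_LOWERCASE",
    "login/min_password_uppercase": "MIN_PASSWORD_UPPERCASE",
    "login/min_password_specials": "MIN_PASSWORD_SPECIALS",
}

def parse_profile(text):
    """Parse 'param = value' lines of an instance profile; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def effective_rules(params, policy=None):
    """Profile values apply by default; each attribute in an assigned policy wins."""
    policy = policy or {}
    return {attr: int(policy.get(attr, params.get(param, "0")))
            for param, attr in PARAM_TO_ATTRIBUTE.items()}

def check_password(password, rules):
    """Return the violated rule names (empty list: the password is accepted)."""
    counts = {
        "MIN_PASSWORD_LENGTH": len(password),
        "MIN_PASSWORD_DIGITS": sum(c.isdigit() for c in password),
        "MIN_PASSWORD_LETTERS": sum(c.isalpha() for c in password),
        "MIN_PASSWORD_LOWERCASE": sum(c.islower() for c in password),
        "MIN_PASSWORD_UPPERCASE": sum(c.isupper() for c in password),
        "MIN_PASSWORD_SPECIALS": sum(not c.isalnum() for c in password),
    }
    violations = [name for name, minimum in rules.items() if counts[name] < minimum]
    # Rules the lesson states apply to all passwords, regardless of parameters or policy.
    if password[:1] in ("?", "!"):
        violations.append("STARTS_WITH_?_OR_!")
    if password.lower() == "pass":
        violations.append("IS_PASS")
    return violations
```

With the constructed profile, a six-character password fails only on length for a user without a policy, and passes for a user whose policy sets MIN_PASSWORD_LENGTH to 6.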

(Optional) Use a Security Policy

Business Example

As an SAP system administrator, you want to create a dedicated security policy and assign it to selected users.

Note

In this exercise, when an object name or value contains ##, replace ## by the number your trainer assigned to you.

Steps

  1. Create a security policy LOWSEC## that allows a minimum password length of 6 characters.

    1. You are working as user TRAIN-## in your SAP system.

    2. Start transaction SECPOL.

    3. Choose Edit to change from the display to the change mode.

    4. Choose New Entries (F5).

    5. In the Security Policy field, enter LOWSEC##. In the Short Text field, enter any short description. When done, choose Save (Ctrl+S).

    6. If required, provide or create a customizing request.

    7. Still in change mode, select the checkbox to the left of your LOWSEC## security policy.

    8. Double-click Attributes (in the Dialog Structure pane at the left).

    9. Choose New Entries (F5).

    10. In the Policy Attribute Name field, use the F4 help to select MIN_PASSWORD_LENGTH. In the Attrib.Value field, enter 6.

    11. When done, choose Save (Ctrl+S). If required, confirm the customizing request.

  2. Assign your security policy LOWSEC## to your user ADMIN-##.

    1. Continue working in your SAP system.

    2. Start transaction SU01.

    3. In the User field, enter ADMIN-##.

    4. Choose Change (Shift+F6).

    5. Choose the Logon Data tab.

    6. In the Security Policy field, use the F4 help to select LOWSEC##.

    7. Choose Save (Ctrl+S).

  3. As user TRAIN-##, change the password of user ADMIN-##. For the new password, choose a length of 6 to 9 characters.

    1. Launch the initial screen of transaction SU01 and verify that the User field still shows the ADMIN-## user.

    2. Choose Change Password (Shift+F8).

    3. Enter a new initial password (twice) that complies with the current security settings. Ensure a length of 6 to 9 characters.

Result

Although the profile parameter login/min_password_lng is still set to its (default) value of 10, your SAP system accepts shorter passwords for users with security policy LOWSEC##.

Note

Security policies are client-specific and can be transported.

Restricting User Logons During Maintenance Work

The SAP system administrator must manage system downtime manually. This means that the administrator is responsible for locking the SAP system, logging off the users, stopping batch processing, interrupting RFC connections and other interface communication, and so on.

When, for example, maintenance work is being performed on the system, only specific administrators should be able to log on to the system.

Options to Restrict User Logons to the Application Server

  • Setting the profile parameter login/server_logon_restriction
  • Defining a maintenance period using transaction SMAINTENANCE

Using one of these options, you can restrict logons to the application server. In general, users are then not allowed to log on to the system; only users with a specific security policy assigned can log on.

The security policy must either contain the attribute SERVER_LOGON_PRIVILEGE with value 1 or the attribute TENANT_RUNLEVEL_PRIVILEGE with value 1.

Restricting User Logons by Setting the Parameter login/server_logon_restriction

The parameter login/server_logon_restriction can be changed dynamically in transaction RZ11 without restarting the SAP system.

The following values are possible:

  • 0: No restriction

    All users can log on to the application server.

  • 1: Logon to the application server only allowed with special authorization

    Only users with a specific security policy assigned can log on to the system. The security policy must contain the attribute SERVER_LOGON_PRIVILEGE with value 1. Users who try to log on to the system without this special authorization will see an error message: Server is currently not generally available (restricted logon).

  • 2: No logons allowed on the application server

    Users who try to log on to the system see an error message: Server is currently not generally available (logon not possible).

  • 3: An external logon to the application server is allowed only with special rights

    Only those users whose assigned security policy contains the attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system externally. Users who try to log on to the system externally without special authorization see the following error message: Server is currently not generally available (restricted logon).

    SAP Note 2065596 (Restricting logons to application server) describes which logon types are not external logons.

  • 4: No external logon to the application server is allowed

    Users who try to log on to the system externally without special rights see the following error message: Server is currently not available (logon not permitted).

Hint

Setting this dynamic profile parameter does not log active users off from the application server. Use transaction RZ10 to save this value permanently. You can use the where-used list in the user information system (transaction SUIM) to find out to which users the security policy with the SERVER_LOGON_PRIVILEGE attribute has been assigned. To do so, start transaction SUIM and choose: Where-Used List → Security Policies → In Users.

If the emergency user SAP* is activated, a logon to the system with the SAP* user is always possible. The emergency user is active if the profile parameter login/no_automatic_user_sapstar is set to 0 and no user master record for SAP* exists in transaction SU01.

Defining a Maintenance Period Using Transaction SMAINTENANCE

Transaction SMAINTENANCE allows you to define a maintenance period. During this maintenance period, normal users will not be able to log on.

Only users with a specific security policy assigned can log on to the system. The security policy must contain the attribute TENANT_RUNLEVEL_PRIVILEGE with value 1.

Users who try to log on to the system externally without special rights see the following error message: Server is generally not available at this time (maintenance only)

In addition, only admin batch jobs will be executed (all other jobs will be on hold). For more information, see the SAP Online Documentation for SAP S/4HANA (Product Assistance), area Enterprise Technology → ABAP Platform → Administrating the ABAP Platform → Administration Concepts and Tools → Administration of Application Server ABAP → Maintenance Mode.
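The following Python is an added example (not SAP code) that encodes the logon decision rules from the two restriction mechanisms above, including the SAP* emergency user rule: the parameter login/server_logon_restriction with its values 0 to 4, the SERVER_LOGON_PRIVILEGE and TENANT_RUNLEVEL_PRIVILEGE attributes, and the error messages quoted in this lesson. It assumes the parameter check is evaluated before the maintenance period check, which the lesson does not state, and it models value 4 as blocking every external logon, as the value description says.

```python
# Error messages as quoted in the lesson.
RESTRICTED = "Server is currently not generally available (restricted logon)"
NO_LOGON = "Server is currently not generally available (logon not possible)"
NOT_PERMITTED = "Server is currently not available (logon not permitted)"
MAINTENANCE = "Server is generally not available at this time (maintenance only)"

def sapstar_emergency_active(no_automatic_user_sapstar, sapstar_record_exists):
    """SAP* is the emergency user only while login/no_automatic_user_sapstar = 0
    and no SU01 user master record for SAP* exists."""
    return no_automatic_user_sapstar == 0 and not sapstar_record_exists

def logon_decision(user, restriction, policy_attributes, external,
                   maintenance_active, no_automatic_user_sapstar=1,
                   sapstar_record_exists=True):
    """Return (allowed, message) for one logon attempt.

    restriction       : value of login/server_logon_restriction (0..4)
    policy_attributes : attributes of the user's assigned security policy
    external          : True if the logon type counts as external
    maintenance_active: True while a SMAINTENANCE maintenance period runs
    Assumption: the restriction parameter is checked before the maintenance period.
    """
    attrs = policy_attributes or {}
    if user == "SAP*" and sapstar_emergency_active(no_automatic_user_sapstar,
                                                   sapstar_record_exists):
        return True, "emergency user SAP* is always allowed"
    has_server_priv = attrs.get("SERVER_LOGON_PRIVILEGE") == 1
    if restriction == 1 and not has_server_priv:
        return False, RESTRICTED
    if restriction == 2:
        return False, NO_LOGON
    if restriction == 3 and external and not has_server_priv:
        return False, RESTRICTED
    if restriction == 4 and external:
        return False, NOT_PERMITTED
    if maintenance_active and attrs.get("TENANT_RUNLEVEL_PRIVILEGE") != 1:
        return False, MAINTENANCE
    return True, "logon permitted"
```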

Lock Inactive Users

You can use the report RSUSR_LOCK_USERS to lock inactive users. The report lets you select and lock the users automatically. Select the criteria for locking the users in the selection screen of the report RSUSR_LOCK_USERS. You can choose to check the results of the selection and display the users first or to lock the users immediately. Note that only a local user lock is set here. You can run the report both online and in the background.

Initial Passwords for Standard Users

There are two basic types of standard users: those created by installing the SAP system and those created when you copy clients.

As the figure "Standard Users" shows, during the installation of the SAP system, the clients 000 and (depending on the system / release) 066 are created. Client 001 is not always created during an SAP installation, but it is created in other circumstances, such as an SAP ECC installation. Standard users are predefined in the clients. The standard names and passwords of these users may be known to other people, so you must protect them against unauthorized access.

  • The SAP system standard user, SAP*

    SAP* is defined in the system code, so it is the only user in the SAP system for which no user master record is required. By default, SAP* has the password PASS and unrestricted access authorizations for the system.

    When you install the SAP system, a user master record for SAP* is created automatically in client 000 (and 001, if it exists). During the installation process, the administrator is prompted to enter a password (in the prompt for the master password). The installation process will proceed once the password is entered. The master record created here deactivates the special properties of SAP*, so that only the authorizations and password defined in the user master record now apply.

    Hint

    Special characteristics of the SAP* user.

    If you proactively want to ensure that the user SAP* is no longer required for most emergency situations and that the general profile SAP_ALL no longer has to be assigned to the emergency user, see SAP Note 76829 (Emergency role for user administration).

    Note

    Starting with SAP_BASIS 754, the client copy procedures have been changed and enhanced; see SAP Note 2962811 (New Client Copy Tool: General Information) for details. The new tool includes improved security and reduces manual effort: the user SAP* is no longer needed to perform client copies, with the benefit that the SAP system does not have to be restarted. Additionally, for better process automation, it is integrated into the ABAP task manager via task lists.

  • The DDIC user

    This user is responsible for maintaining the ABAP Dictionary and the software logistics.

    When you install the SAP system, a user master record is automatically created in client 000 (and 001, if it exists) for the user DDIC. During the installation, you will be prompted to enter a password for this user, similar to the master password prompt for the SAP* user. Certain authorizations are predefined in the system code for the DDIC user, meaning that it is, for example, the only user that can log on to the SAP system during the installation of an upgrade.

  • The EarlyWatch user

    Depending on the system / release, the EarlyWatch user is delivered in client 066 and is protected by the password SUPPORT. The EarlyWatch experts at SAP used to work with this user. This user should not be deleted. Change the password. This user should only be used for EarlyWatch functions of monitoring and performance.

    Client 066 is no longer used; you can delete it. For details, refer to SAP Note 1749142 (How to remove unused clients including client 001 and 066).

Caution

To protect the system against unauthorized access, we recommend that you assign these users to the user group SUPER in client 000 (and 001, if it exists). This user group is only assigned to superusers.

To counter this risk and protect the system against misuse, you can deactivate the special properties of SAP*. To deactivate SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than 0. If the parameter is active, SAP* no longer has any special properties. If you then delete the SAP* user master records, the logon with the password PASS no longer works.

To restore the former properties of SAP*, you need to reset the parameter and to restart the system.
