SAP Logon & Password Security

This article provides a general overview of log on and password security in the SAP System.

Initial Password

When you create a user master record, you must assign a password to the user. The password must meet the internal requirements set by the SAP System and your own regulations. When an administrator assigns this initial password, the following rules are not enforced:

• The list of invalid passwords in table USR040
• The password history; that is, the initial password may also be one of the last five passwords the user has used
• The minimum number of characters by which the new password must differ from the old one

When a new user logs on for the first time, he or she must change the password. To do this, the user enters the old (initial) password once and the new password twice. The system then checks the new password against all password rules defined by SAP and by the administrator, including the three rules above that were skipped when the administrator set the initial password.
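The two-stage behaviour above (an administrator-assigned initial password bypasses three rules; a user-driven change is checked against all of them) is easy to get wrong in a custom provisioning tool, so here is an added example that models it. This is illustrative code, not SAP's implementation: the USR040 entries are constructed, the wildcard matching, the history size of 5 and the minimum difference of 3 are assumptions (SAP's real parameters for the latter two are login/password_history_size and login/min_password_diff, but their values are not given on this page), and a SHA-256 digest stands in for SAP's password hash.

```python
"""Model of the SAP password-change rules described above (added example, not SAP code)."""
import fnmatch
import hashlib
from dataclasses import dataclass

# Constructed stand-in for table USR040 (forbidden passwords; * and ? wildcards assumed).
USR040 = ["PASSWORD*", "SAP*", "WELCOME?", "*ADMIN*"]
PASSWORD_HISTORY_SIZE = 5   # assumed value of login/password_history_size ("last five")
MIN_PASSWORD_DIFF = 3       # assumed value of login/min_password_diff


def _digest(pw: str) -> str:
    """Stand-in for the stored hash; SAP's real hash algorithms are not modelled."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _char_difference(old: str, new: str) -> int:
    """Count of positions at which old and new differ, plus any length difference.
    This is an assumed definition of 'different characters'; SAP's exact rule is not on the page."""
    common = min(len(old), len(new))
    diff = sum(1 for a, b in zip(old[:common], new[:common]) if a != b)
    return diff + abs(len(old) - len(new))


@dataclass
class UserRecord:
    user_id: str
    history: list                  # password hashes, oldest first; the last entry is the current one
    password_initial: bool = True  # True until the user has changed the initial password

    @property
    def current_hash(self) -> str:
        return self.history[-1]


def check_new_password(user: UserRecord, old_pw: str, new_pw: str,
                       set_by_admin: bool = False) -> list:
    """Return the list of violated rules (empty list means the password is accepted).

    set_by_admin=True models the administrator assigning an initial password:
    the USR040 list, the history rule and the minimum-difference rule are skipped.
    """
    violations = []
    if not new_pw:
        violations.append("empty password not allowed")
    if set_by_admin:
        return violations
    upper = new_pw.upper()  # assumption: USR040 patterns are matched case-insensitively
    if any(fnmatch.fnmatchcase(upper, pat) for pat in USR040):
        violations.append("password matches a USR040 entry")
    if _digest(new_pw) in user.history[-PASSWORD_HISTORY_SIZE:]:
        violations.append(f"password is one of the last {PASSWORD_HISTORY_SIZE} used")
    if _char_difference(old_pw, new_pw) < MIN_PASSWORD_DIFF:
        violations.append(f"fewer than {MIN_PASSWORD_DIFF} characters differ from old password")
    return violations


def change_password(user: UserRecord, old_pw: str, new_pw: str, confirm_pw: str) -> list:
    """User-driven change: old password once, new password twice, then every rule applies."""
    if _digest(old_pw) != user.current_hash:
        return ["current password incorrect"]
    if new_pw != confirm_pw:
        return ["new password and confirmation differ"]
    violations = check_new_password(user, old_pw, new_pw)
    if not violations:
        user.history = (user.history + [_digest(new_pw)])[-PASSWORD_HISTORY_SIZE:]
        user.password_initial = False
    return violations


if __name__ == "__main__":
    # Administrator sets an initial password that would fail the user-side rules.
    u = UserRecord("DEMO", [_digest("Init-2024!")])
    print(check_new_password(u, "", "Init-2024!", set_by_admin=True))        # []
    print(change_password(u, "Init-2024!", "Init-2025!", "Init-2025!"))     # min-diff violation
    print(change_password(u, "Init-2024!", "Tr0ub4dor&3", "Tr0ub4dor&3"))  # []
```

The point of keeping `check_new_password` and `change_password` separate is that the administrator path never sees the old password (there is none to compare against), while the user path must prove knowledge of the current one before any rule is evaluated; a failed old-password check here is exactly the event that increments the failed logon counter described later on this page.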

Logon with User ID and Password

To access the SAP system and the data in it, users must log on by entering their user ID and password. Both are required; an empty password is not possible. Before access is granted, the system checks:

1. Whether the user has a password and whether password-based logon is permitted for this user
2. Whether the user has been locked and is therefore not allowed to log on:

• The user administrator can lock a user to prevent the user logging on to the system.
• The system also sets a logon lock if the user exceeds the permitted number of logon attempts.

3. Whether the user's logon data (password, user name, and client) are correct
4. Whether the user must set a new password (in the case of an initial password, an expired password, or a password that has been reset by the administrator). You can specify how long passwords remain valid in the system profile (parameter login/password_expiration_time). By default, there is no limit on the validity of passwords.

If the user ID and password are correct, the system displays the date and time of the user's last logon under System > Status. From this the user can check whether any suspicious logon activity has occurred in the meantime. The logon date and time cannot be changed in a standard production system. The system does not record the logoff date and time.

Password Checks

Password Checks for Password-Based Logon
For every failed password check, the failed logon counter in the affected user master record is incremented. If the user changes his or her password, the system first checks the current password; if this check fails, the failed logon counter is incremented too. Once the user exceeds the limit set by the profile parameter login/fails_to_user_lock, the user is locked.

This lock is logged in the Security Audit Log and in the Syslog. Once a lock is set, subsequent password checks are terminated immediately (without any statement about the correctness of the password), so the lock itself reveals nothing about the supplied password. If login/failed_user_auto_unlock is set, the lock is regarded as invalid after the end of the current day. The failed logon counter is reset by a successful password check at logon or password change; this reset is also logged in the Security Audit Log. Non-password-based logons do not affect the failed logon counter; active logon locks, that is, locks that the administrator has set in transaction SU01, are taken into account at every logon and password change.

Password Checks for Non-Password-Based Logon
For non-password-based logon variants via SAP GUI, the system still checks whether the user has a password that must be changed. The administrator uses the profile parameter login/password_change_for_SSO and its possible values to control which dialog box, if any, is shown to the user in that case.

Logon Errors

If a user enters an incorrect password, the system allows two retries before it terminates the logon attempt. Should the user keep entering an incorrect password, the SAP GUI connection is terminated; by default this happens after three consecutive failed logon attempts. The profile parameter login/fails_to_session_end specifies the number of failed attempts the system allows before terminating the connection.

The user can open a new connection and repeat the logon attempt until he or she enters a valid user ID and password, or until the permissible number of failed attempts is exhausted (parameter login/fails_to_user_lock), at which point the user is locked. User IDs are not case-sensitive; the system converts them to uppercase, so a user can type the user ID in any case. Passwords, by contrast, are case-sensitive as of SAP NetWeaver 7.0 with the newer password hash code versions (only older releases converted them to uppercase). A locked user is automatically unlocked again at midnight if the parameter login/failed_user_auto_unlock is set; a user administrator can unlock the user at any time.
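The three limits described in the Password Checks and Logon Errors sections interact: the per-session limit ends a SAP GUI dialog, the per-user counter locks the user master record, a successful check resets the counter, a date-based auto-unlock lets the lock lapse, and an administrator lock overrides everything. The added example below models that interplay so the thresholds can be reasoned about (for instance when estimating how many guesses an attacker gets before a lock, or whether a lockout can be used to deny service). It is not SAP code: the parameter values are assumptions (the SAP defaults are login/fails_to_session_end = 3 and login/fails_to_user_lock = 5; login/failed_user_auto_unlock is assumed set), password verification is a constructed plaintext comparison, and the audit entries are constructed strings rather than real Security Audit Log records. That the counter is not reset when the lock lapses at midnight is a modelling choice, since the page says only that the lock itself becomes invalid.

```python
"""Model of the SAP failed-logon counter, session termination and user lock (added example, not SAP code)."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

FAILS_TO_SESSION_END = 3     # login/fails_to_session_end (assumed default)
FAILS_TO_USER_LOCK = 5       # login/fails_to_user_lock (assumed default)
FAILED_USER_AUTO_UNLOCK = 1  # login/failed_user_auto_unlock (assumed set)


@dataclass
class UserMaster:
    user_id: str
    password: str                        # constructed plaintext stand-in for the stored hash
    fail_count: int = 0                  # failed logon counter
    lock_date: Optional[date] = None     # set when the failed-logon limit is reached
    admin_locked: bool = False           # lock set by the administrator in SU01
    last_logon: Optional[datetime] = None
    audit_log: list = field(default_factory=list)   # constructed stand-in for the Security Audit Log


def _failed_logon_lock_active(u: UserMaster, today: date) -> bool:
    """A failed-logon lock lapses after the end of the day it was set, if auto-unlock is on.
    Modelling choice: the counter is NOT reset when the lock lapses, only by a successful check."""
    if u.lock_date is None:
        return False
    if FAILED_USER_AUTO_UNLOCK and today > u.lock_date:
        u.lock_date = None
        return False
    return True


def password_check(u: UserMaster, supplied: str, now: datetime) -> str:
    """One password check (a logon, or the 'old password' step of a password change).
    Returns 'ok', 'locked' or 'wrong'. Both lock kinds block password-based logon."""
    if u.admin_locked or _failed_logon_lock_active(u, now.date()):
        u.audit_log.append((now, u.user_id, "password check refused: user locked"))
        return "locked"                 # terminated without evaluating the password
    if supplied == u.password:
        u.fail_count = 0                # successful check resets the counter (logged)
        u.last_logon = now
        u.audit_log.append((now, u.user_id, "logon successful, failed logon counter reset"))
        return "ok"
    u.fail_count += 1
    u.audit_log.append((now, u.user_id, f"failed password check, counter={u.fail_count}"))
    if u.fail_count >= FAILS_TO_USER_LOCK:
        u.lock_date = now.date()
        u.audit_log.append((now, u.user_id, "user locked due to failed logons"))
    return "wrong"


def sapgui_session(u: UserMaster, attempts: list, start: datetime) -> tuple:
    """One SAP GUI logon dialog: after FAILS_TO_SESSION_END wrong passwords the connection
    is terminated. Returns (outcome, number of attempts consumed)."""
    wrong = 0
    for i, pw in enumerate(attempts, 1):
        result = password_check(u, pw, start)
        if result != "wrong":
            return (result, i)
        wrong += 1
        if wrong >= FAILS_TO_SESSION_END:
            return ("session terminated", i)
    return ("session still open", len(attempts))


def non_password_logon(u: UserMaster, now: datetime) -> str:
    """SSO-style logon: does not touch the failed logon counter and, following the page,
    is subject only to the administrator lock from SU01."""
    if u.admin_locked:
        return "locked"
    u.last_logon = now
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0)
    u = UserMaster("DEMO", "Correct-Horse-1")
    print(sapgui_session(u, ["a", "b", "c", "d"], t0))               # session terminated after 3
    print(sapgui_session(u, ["e", "f", "Correct-Horse-1"], t0))      # locked on the 5th failure
    print(password_check(u, "Correct-Horse-1", datetime(2024, 3, 2, 8, 0)))  # ok, lock lapsed
    for entry in u.audit_log:
        print(entry)
```

Two consequences worth noting from the model: the session limit only costs an attacker a reconnect, so the real brute-force budget is login/fails_to_user_lock guesses per user per day when auto-unlock is active; and because the lock check runs before the password is evaluated, a locked account answers identically to right and wrong passwords, which is why the page stresses that no statement about correctness is made.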
