Password Policy implementation for SAP users

Similar Messages

• Password policy document for Applicaiton users

  Hello All,
  Could someone provide any ploicy document ( Metalink Note ) which demonstrates how the pasword should be set in Oracle Applicaitons in 11i and R12
  THanks
  VInay Varma S

  user11381800 wrote:
  Hi,
  I have written the java code as per the metalink doc : How to Implement (Signon Password Custom) Profile Option in Oracle Applications 11i / R12 [ID 362663.1]
  I am able to meet all the requirements, but i need one more.
  How to implement 'no repetition of previous 5 passwords' ? because this is outside Java code I am not finding a proper way out.
  Also does EBS store your previous passwords in some table to retrieve them and how do i compare the encripted ones ?
  Thanks,
  Venkatram.This can be achieved using "Signon Password No Reuse" profile option.
  How To Keep Track Of FND User Password Changes [ID 844520.1]
  How To Setup Password Security? [ID 564125.1]
  Thanks,
  Hussein

• Creating second InfoView entry point for SAP users in XI 3.1

  Hi All,
  I have BOE XI 3.1 up and running with the Business Objects Integration kit SAP Solutions kit I would like to create a second infoview entry point for SAP users on the same physical box (single server) as regular InfoView. 
  I am trying to mock this up and have detailed the following steps below.  I suspect I am missing a few steps (for example, where do I specify the entry port?).  I am sure step 2 is wrong, as I the desktoplaunch no longer exists in Xi 3.1
  1.  Copy the InfoView.war file to a new directory ( Program Files/Business Objects/ Business Objects Enterprise 12.0/java/applications/sap).  I imagine I would need to rename the war file (say SAPInfoview.war)?
  2.  Create a xml file with the following logic (the part in bold I consider to be wrong...):
  <Context docBase="Program Files\Business Objects\Business Objects Enterprise 12.0\java\applications\sap\SAPInfoview.war" path="/
  businessobjects/enterprise115/desktoplaunch"
  crossContext="false" debug="0" reloadable="false"
  trusted="false"/>
  3.  Save the xml file (what name? does it matter) in Program Files\Business Objects\Tomcat55\conf\Catalina\localhost
  4.  Restart Tomcat
  5.  Change the web.xml to make SAP security the default.  But this should not be the regular infoview web.xml.  I'm not sure where this would reside.
  Thanks,
  Steve
  Edited by: Steve Bickerton on Jan 15, 2009 9:19 PM

  Hi Ingo,
  You've been working with Duncan and Sartaj on this.  The client has two set of users:  non HR which has no BW or R/3 authorization restrictions, and HR, which has authorization restrictions.
  They have deployed SSO using AD for the non HR users.  They also want to leverage InfoView rather than the SAP portal.  For the HR users, we therefore need to capture the SAP id and password at login time to enforce security at the BW and R/3 levels.  We could use the existing Infoview entry point (SSO will fail and they will be prompted for a SAP login).  I do remember that we offered a second InfoView entry point for SAP users in XIR2.  I thought this may be more elegant.
  Thanks,
  Steve

• Edit password rules only for BCC user

  Hi all,
  our customer has requested some changes on the password rules only for BCC users.
  So, i should change the follow component:
  /atg/userprofiling/passwordchecker/PasswordMinLengthRule
  /atg/userprofiling/passwordchecker/PasswordMixedCaseRule
  /atg/userprofiling/passwordchecker/PasswordMustIncludeNumberRule
  /atg/userprofiling/passwordchecker/PasswordMustIncludeSymbolRule
  /atg/userprofiling/passwordchecker/InternalPasswordMustNotIncludeLogin
  /atg/userprofiling/passwordchecker/InternalPasswordNotInPreviousNRule
  But the component password rules above, should be changed only for the BCC users. How can i do this?
  Edited by: user7618461 on 30-set-2011 3.45

  Hi Christoph,
  in your Identity Store, you can use LDAP Server as authentification method (Tab Workflow). You need an attribute which contains the DN of the users and fill out port and host of your directory. That means that the PW can remain in the AD. Just try it, haven't used this possibility yet. You could also use Kerberos via AD instead. These scenarios don't cover your requirement that some might be without an AD account (which is not that common).
  Otherwise it's getting difficult again to get all passwords at once from your AD. You have to decrypt the passwords without a key...  AD could store a lower encrypted password for NT4, which makes this a bit easier, but still "unesthetic". You get these hashes via SSL and not with the common initial load jobs.
  The PW-Hook gets the passwords before they are set. That's why you could store and ecrypt the new passwords in the Identity Store and wait for 1 or 2 months till everyone had to change their password (if you use this policy).
  Best regards,
  Nils
  Edited by: Nils Sibold on Jul 18, 2008 3:10 PM

• EP implementation for Internet users

  Hello,
  I need to Implement EP for internet and intranet users, in which for internet users I need to fetch the summary data of R/3 applications.
  how shall we proceed with the implmentation of portal for internet users, pls suggest some blogs showing portal implementation for internet users.
  Regards
  Vishal

  Hi,
  To make available portal for both internal and external users, you've to setup a reverse proxy in DMZ. Your portal will reside in intranet and external (internet users) will access portal via reverseproxy.
  For reverseproxy there are 3 main options.
  - Apache as a ReverseProxy
  - ReverseProxy with IIS and ISAPI Filter
  - Using Web Dispatcher as reverse proxy.
  Now look at the following diagram;
      EXTERNAL USERS                INTERNET
            |
       REVERSEPROXY                 DMZ
  PORTAL SERVER                     INTRANET
  Internal Users will access portal normally with/without SSL. External Users will access portal with/without SSL via RProxy.
  This is how we setup and working well. We Used Apache as ReverseProxy on SuSe with SSL enabled.
  But testing WebDispatcher on SuSe for load balancing.

• Error while scheduling report for SAP users

  Hi All,
  We have SAP authentication enabled in our BO environment. (BO XI 3.1 sp2 FP 2.6 on windows 2003 server).
  There are some webi reports based on BW Bex queries that we are trying to run on behalf of certain SAP end users. This we are doing using "schedule for" option.
  Now what is happening here is if the end user has logged in once in BO system ,it runs fine. But in case user has not logged in to BO (using infoview etc.) ,it throws error saying "incomplete logon data" . Also if user changes or reset his password in BW and if he doesn't login to infoview after that ,system throws another error "Name or password incorrect (repeat logon)".
  Based on these observation, we are suspecting if BO system uses stored SAP users credentials while scheduling report for them based on their last login.
  Would like to mention here that we have checked option "automatically import users".
  Please advice if this behavior is normal or we are missing some setting.
  Thanks in advance,
  Chandra

  Hi All,
  Any pointers or suggestions for this issue ??
  Is there a setting/option avialable in CMC which could resolve these errors.
  Or, user has to login once to infoview in all circumstances to avoid these errors.
  Thanks,
  Chandra

• How to set password never expires for a user?

  Hello,
  I can't seem to find in the Administrative Console a place to enable "Password never expires".
  I know that if I edit the USR_PWD_NEVER_EXPIRES field in the OIM DB and put the value '1' it will work.
  However, I'd like to know how and if it is possible to activate this option on a user via OIM.
  Thanks in advance,
  Tomic

  Hi,
  Now I got it.Try this one.
  In FormMetaData.xml you will find.
  <Attribute name="-13" variantType="String" dataLength="1" map="Users.Password Never Expires" />
  Modify it to.
  <Attribute name="-13" variantType="String" dataLength="1" displayComponentType="CheckBox" map="Users.Password Never Expires" />
  Add this in.
  <Form name="3">
  <AttributeReference editable="true" optional="true">-13</AttributeReference>
  I never need this but I hope above will work.
  About disabling the resource I have few suggestion for you.
  1.You can have your password policy consistent across the resources you are integrating in OIM.
  2.Write an entity adapter so that when ever password is expired then can disable all provisioned user.
  3.Alternatively you can also write a schedule task which will check for password expire date and disable the resource.
  4.You will also need to enable the resources when password is changed.You can catch change password event through event handler or entity adapter.
  Please let me know if you have fllow up questions.
  Regards
  Nitesh

• Best practise for SAP users who leave the company

  Hi
  Could anyone reccommend a best practise document or give advice on how to deal with SAP user ID's when employee's/contractors/consultants leave? I am the basis admin just starting an SAP implementation and we have no dedicated authorisation team at the moment, so I have been asked to look into this :
  Currently we set the validity date in SU01 to the termination date.
  We chack there are no background jobs scheduled under that user id, if there are, we change the job owner to a valid user (we try to run all background jobs under an admin account).
  We do not delete the user as from an audit point of view I believe it restricts information you can report on and there are implications on change documents etc, so best to lock it with validity dates.
  Can anyone advise further?
  We are running SAP ECC 5.0 on Windows 2003 64 Bit/MS SQL 2000.
  Thanks for any help.

  Hi,
  Different people will tell you different versions of what they believe is best practice, but in my opinion you are already doing reasonably well.
  What I prefer is
  1. Lock ID & set validity date.
  2. Assign user to user group LEAVER or EXPIRED or something similar (helps with reporting) out of SUIM/S_BCE* reports.
  3. Delete role assignment (should you need it, the role assignment will be in the change history docs anyway).
  4. Check background jobs & act accordingly.
  For ease of getting info I prefer not to delete the ID though plenty of people do.

• Not able to use password with characters for RFC User.

  hi All,
  I have installed SAP SCM 5.0 with MaxDB 7.6and liveCache 7.6.
  I created RFC user and RFC destination to administer liveCache globally as per SAP notes 305634 and 452745. I changed the initial passwords and tested Remote login for RFC User.
  But when I try to start liveCache with startrfc following the link below
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/95/379f3cad1e3251e10000000a114084/frameset.htm
  I got the following error
  RFC Call/Exception: SYSTEM_FAILURE
  Group       Error group 104
  Key         RFC_ERROR_SYSTEM_FAILURE
  Message     Name or password is incorrect (repeat logon)
  Then I logged into the CI with RFC user and try to start the liveCache with RSLVCSTART T-Code SE38..I got the following error.
  Error DBMCLI_COMMAND_EXECUTE_ERROR when starting liveCache LCS on server saplcslc
  Message no. LVC007
  I tried by changing the password for RFC user to numeric [0-9] and special characters [$,:] which worked fine.
  Does anyone faced this issue earlier? I searched notes, sdn and finally google ... but no luck to resolve the issue.
  Your help is much appreciated.
  Thanks,
  Venkat

  Yes I used LCA as liveCache connection. I resolved the issue with RSLVCSTART. Thanks for your suggestion to run connection test. I used wrong password for control user in the LCA connection. Now LCA connection shows everything is fine.
  But I am still not able to use alphanumeric password RFC user to start the liveCache from command line. I get the following when run startrfc command...
  bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p Mach1cspsap\$ -l EN -F START_LIVECACHE_LVC -E IV_CON_NAME=LCA
  RFC Call/Exception: SYSTEM_FAILURE
  Group       Error group 104
  Key         RFC_ERROR_SYSTEM_FAILURE
  Message     Name or password is incorrect (repeat logon)
  bash-3.00$ echo $?
  1
  But I can start the liveCache from command line with numeric password successfully.
  bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p 19811983\$ -l EN -F STOP_LIVECACHE_LVC -E IV_CON_NAME=LCA
  bash-3.00$ echo $?
  0
  Note the difference between the passwords used. Do i need to change any settings to accept alphanumeric passwords for RFC user.
  Note that I am able to start liveCache server in both cases(alphanumeric password and numeric password) by logging into SAP GUI and RSLVCSTART program. The problem is only when i try to start the liveCache from the commandline.
  Any help will be much appreciated.
  Thanks,
  Venkat

• How to implement for sap system use HADR

  hi expert ，
         i am a newbie to sap basis， we have a requirement that do HA for our sap using HADR，i want know if there are some good sulotion for my scenario。
     our scenaro is we have two window 2008 sever host，one host  has a sap system and we want the sap db2 database as a primary，and the other host also has a same the system which is restore from the previous sap system which we implement by system copy using database restore not migration。i want know as our secanrio could i achive SAP application HA by HADR，if we donu2018t have  HA  software  like MSCS。whether we must manual monitor the primary sap   when it stop because any issue like hardware failed and then manual start the other sap system in the other host？
    our two sap system have different sap profile beacause the hostname are different.
  our aim is when one of our host can't use we can immediate start the other sap system in the other host, the less the change the better the solution .
  is it possible?
  thanx very much,
  best regards.

  hi paul ,
      thanx for your information，i have already read the inforamtion about sg247363 once-over and SAMP。 but unfortunately we have a different situation，we only have two windows servers and must installed windows server 2008 OS because some reasons。we also don't have have other host to install sap。as this situation，how could we implement HA beacuse we also don't have shared disk。the window server are isolation。
  i  also read some pdf which download from sdn ， in the book the HA is  implemneted as the sap application has a separate host and has two host for DB2 database using HADR，the HA is rely the cluster software 。in this situation the sap application also need HA to avoid single point failure。
      as the limited i have said above， is it possible to do HA by MSCS ，can any body tell me if the MSCS is free to install in OS windows 2008？ if we can't use it  free，have any other solution？in the worst ， we must manual monitor the application and when a sap application or database can't work ，we want to restart the other sap which in the other host，we need the database synchronization between two database which using HADR。is it possible ？if it do， whether there are some additional setup for sap application because the two sap application have different sap profile name（a sap is a system copy from the other by database restore）。
      any reply will be appreciated。

• Diferent password expiration days for different users in the same system.

  Hi sdn gurus,
  We need to configure different password expiration days for different groups of users in the same system.
  We know how to configure the system to define a password expiration time for the complete system (parameter login/password_expiration_time), but we must configure some expiration time to a group of users and another expiration time to another one in the SAME system.
  Somebody know a way to do this?
  Thanks in advance for your help!!!

  Hi Sunny,
  Thanks for your reply!!!
  We know the parameter is for the complete system ... but we are trying to find out if exist another way to define diferent passwrod expiration days, to diferent group of users (may be with an additional system parameters or UME configuration).
  Thanks to all for your help.

• What should the default tablespace be for SAP users

  I'm using Oracle 10.2.0.4
  For the users
  OPS$<SID>ADM
  OPS$ORA<SID>
  SAP<SID>
  what should the default tablespace be
  PSAP<SID>USR or PSAP<SID>

  Hello Bill,
  > For the users
  > OPS$<SID>ADM
  For this user the default tablespace is SYSTEM
  > OPS$ORA<SID>
  For this user the default tablespace is SYSTEM
  > SAP<SID>
  For this user the default tablespace is PSAPPRDUSR
  Regards,
  Federico Biavati

• Changes done for sap user details

  Hi All,
  I need to know a standard transaction code or FM;
  which can give the information on the modifications/changes done
  for the sap user's first name; last name and e-mail id.
  Any help will be appreciated.
  Thanking you all in advance.

  Hi Kanagaraja,
  I really appreciate you inputs, it will definitely have entries posted by BAPI.
  But the requirement I have is little different.
  I will have some person changing the user information manually,
  I need to go somewhere and find out whether the person has made the
  changes in user's first name, last name or e-mail id.
  So, I am looking out for some FM or table or even standard t-code where
  I could find the changes done, and change log lately.
  Thanks and Best Regards

• ORA-01017: invalid username/password; logon denied FOR SYS USER

  Hello,
  I was usually login through the same password for sys user to log on to the database as sysdba, but last time i used " / as sysdba" to connect using local system administrative account which is connected very well and still connecting in the same way. The initializing parameter file set with the following parameter:
  remote_login_passwordfile=EXCLUSIVE
  Now if i use to connect the database server remotely using sys user, it gives me "ORA-01017: invalid username/password; logon denied" error and if i use the same login credentials on DB server machine using other local user accounts it is giving me "Insufficient Privilige" error. I can only connect now using local administrator account from DB server machine using " / as sysdba" statement.
  Kindly guide me the issue.

  When you use " / as sysdba" locally on server, you are using OS authentication which will bypass the password file and user/pass authentication.
  Looks like you have discrepancy between the password you use and real password. You can login " / as sysdba" and change your SYS password to a new one.
  When was last time you successfully login using password? What has changed since then?

• How do I turn off password at login for all users?

  I want to keep separate users but I don't want a password requirement to login for any user. How do I turn off the password requirement at login altogether?

  Its not only a matter of other people, but also any software-based threats or even mishaps. For instance, there are some Terminal commands that can be executed by a program, script, or even another user that require authentication. If you do not have a password set then these can be executed directly with administrative privileges. Some of these can be disastrous to the system if used incorrectly.
  I agree for the most part if your system is fairly isolated then this is not much of an issue, but there is the rare possibility of malware or simple user mistakes that a good password helps guard against.