Password Profile Parameter

Similar Messages

• Profile parameter for passwords - conflicting documentations.

  Greetings!
  I've encountered an issue with profile parameter login/password_max_idle_productive
  Integrated help in SU01 says:
  You can use the profile parameter login/password_max_idle_productive to define the point as of which the validity of the productive password ends. The time is calculated from the date of the last password change plus the number of days specified in the profile parameter. Password-based logon is then not possible from this point.
  This makes this parameter redundant (we have login/password_expiration_time ).
  SAP Library says (see link below):
  Specifies the maximum period for which a productive password (a password chosen by the user) remains valid if it is not used.
  Which suggests that the time after which passwords are considered expired is calculated from last logon date plus whatever is the parameter value.
  SU01 help specifies explicitly how this parameter works but it conflicts with a more ambiguous description found in the SAP Library. The observed system behavior on logon is in line with SU01 help, but report RSUSR200 does not list the user as having an expired productive password.
  We're on ECC 6.0, release 701 with support package 3. I could not find any SAP notes relating to this issue.
  Has anyone encountered this issue before or have I just run into an odd glitch?
  [SAP Library|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/22/41c43ac23cef2fe10000000a114084/frameset.htm]

  It sounds like you have a requirement to set the expiration time (when the user has to change the password) which is for a different user group than those for which you want to disable an idle password. Currently, both are global settings and affect both user groups (actually, all users of type DIALOG and COMMUNICATION - only SERVICE and SYSTEM type users are not affected).
  In that there is an option for you... but be aware of license implications... or you can upgrade to 7.02 early next year (I think this is the correct release, time and release "alias" for it..) and then the config your security policies client dependently!
  Currently, your best option is to not set these two global parameters illogically and monitor the user group manually from RSUSR200.
  In the wild, many folks use the user type difference to workaround this, but that is also global to the user type so they are excepted from the expiration time as well. Additionally, not all functionality is available to them on the client side (e.g. SAP Logon Tickets won't work) and the authority-checks are even slightly different on some special cases.
  Personally, I don't understand why users with authorizations to make purchase requests only should change their passwords more often (expiration time) or be more active (idle time) than those with SAP_ALL etc.
  > I hadn't considered SSO since we do not currently use it.
  SSO solves several of these problems by deleting the password completely...
  Cheers,
  Julius
  Edited by: Julius Bussche on Oct 8, 2009 9:59 PM

• Profile parameter for to change password

  Hello everyone.
        Is there any profile parameter to change the password after certain number of days say 30 days. I see there are profile parameters for lenght , uppercase, lowecase but is there one to change the password after a given period of time.
  Thanks.
  Neha.

  > I checked the profile parameters using the program RSPARAM. But I am not able to find a parameter to prevent the old password from being used at least ten times. I also checked in the table TPFET.
  >
  login/min_password_diff                  min. number of chars which differ between old and new password
  > And also can we prevent the password being same as user id.
  >
  > Should these parameters be changed in the deafault profile or instance or start profile.
  >
  It depends ... you may decide this by discussing with BASIS team and as per your Company SOP. I prefer Default profile. But never use Instance profile.
  Please go through the following links:
  [Password Rules|http://help.sap.com/saphelp_nw04/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/frameset.htm]
  [Profile Parameters for Logon and Password (Login Parameters)|http://help.sap.com/saphelp_nw04/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/frameset.htm]
  [Password rules and preventing incorrect logons|https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=2467&_NLANG=E]
  [ Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)|https://service.sap.com/sap/support/notes/862989]
  [Logon and Password Security in the SAP System|http://help.sap.com/saphelp_nw04/helpdata/en/eb/4bb638b5358259e10000009b38f8cf/frameset.htm]
  Regards,
  Dipanjan

• Profile Parameter required

  One of our new password policy's requirement is to have
  " The new password may have no more than 1 pair(s) of repeating
  characters"
  Could anyone please provide me the profile parameter by which we can set this rule?
  I had given some examples for the same in attached doc.

  Hi Jan,
  The new password mechanisms allow you to use "pass-phrases" in stead of "passwords". Too many entries in USR40 only weaken the password by excluding patterns for a dictionary attack.
  For example, you can now use a pass-phrase such as:
  "This passw0rd is easy to guess!"
  or
  "Do keep the kitch3n clean?"
  or
  "1 2 3 4...Goalllllllll!!!!!!!!!!"
  If all words with paîrs of ASCII characters or patterns were forbidden, then the pass-phrase is weakened.
  Rather throw in a special character and a digit and train the users to use pass-phrases. This can be hard though with folks who have been around for a long time and have a mental block at the 8th character of the SAPGui logon screen. I count myself to that league as well
  In my opinion only company names, SID's, months and seasons are still usefull in USR40, along with swearwords...
  Cheers,
  Julius

• Creating a Perl script for SAP sytem profile parameter

  Hi,
  I need to create a perl script for all th eprofile parameter to check as a security directive ,so that whenever the system is started it checks for this profile parameter.
  As per my company sap directive ,these are the profile parameter i need to set.
  Can anyone let me know how to write the scripts.
  login/min_password_lng Minimum password length for user password 320 Min.
  8
  login/password_expiration_t
  ime
  Number of days between forced password change. 0 Max.
  35
  login/fails_to_session_end Number of invalid logon attempts allowed before the
  SAP GUI is disconnected.
  3 Max.
  3
  login/fails_to_user_lock Number of invalid logon attempts before the user id is
  automatically locked by the system.
  12 Max.
  6
  rdisp/gui_auto_logout Time, in seconds, that SAPGUI is automatically disconnected
  because of in-activity.
  0 60-
  7200
  21
  auth/test_mode Jump into report RSUSR400 at every authority check N N22
  auth/system_access_check_
  off
  Switch off automatic authority check for special ABAP
  commands
  0 0
  auth/no_check_in_some_ca
  ses
  Special authorization checks turned off by customer.
  Enabling of Profile Generator
  N/Y23 Y
  login/ext_security Security access controlled by external software. N N24
  auth/rfc_authority_check Permission for remote function calls from within ABAP
  programs
  0 1
  login/failed_user_auto_unlo
  ck
  Enable system function for automatic unlock of users
  at midnight. (0 = locks remain)
  0 0
  login/
  no_automatic_user_sapstar
  (as of 3.1h)
  login/no_automatic_user_sa
  p* (prior to 3.1h)
  Disable ability to logon as SAP* with PASS as password
  when SAP* deleted.
  0 125,26
  auth/tcodes_not_checked TCode checking for SU53 & SU56 analysis disabled (empty
  "SU5
  3
  Regards,
  Chetan.

  Here's a simple perl script that should help you get what it is you're looking for - you can add all the parameters you want to search for, I just took a few of them:
  #!/usr/bin/perl -w
  use strict;
  use sapnwrfc;
  SAPNW::Rfc->load_config;
  my $rfc = SAPNW::Rfc->rfc_connect;
  my @parms = (   "login/min_password_lng",
            "login/password_expiration_time",
            "login/fails_to_session_end",
            "login/fails_to_user_lock" );
  for my $x (0 .. $#parms) {
       my $rcc = $rfc->function_lookup("SXPG_PROFILE_PARAMETER_GET");
       my $slr = $rcc->create_function_call;
       $slr->PARAMETER_NAME($parms[$x]);
       $slr->invoke;
       print "Value for $parms[$x] is: ".$slr->PARAMETER_VALUE."\n";
  $rfc->disconnect();
  And running it, you'll get:
  [dhull@397 scripts]$ ./read-profile.pl
  Value for login/min_password_lng is: 7
  Value for login/password_expiration_time is: 90
  Value for login/fails_to_session_end is: 3
  Value for login/fails_to_user_lock is: 6
  [dhull@397 scripts]$
  If you need to get your perl environment read to make RFC calls to your SAP system, check my series of blogs on how to do so here:
  https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/u/251752730
  Cheers,
  David.

• Profile Parameter : Time out for executing query on the web

  Hi gurus,
  I am executing queries on the web directly. This can be done from query designer with the button that says "Execute query on web". The problem is that for queries that take more than 600 Secs to run, I get an Application timed out error. Queries that take less than this run smoothly.
  Can anyone please tell me the profile parameter associated with this particular setting. It is not rdisp/max_wprun_time, I know for sure since the value for this profile parameter in my system is 9999. Please help.
  Thanks & rgds,
  Sree

  Issue resolved.
  Profile Paramter - icm/server_port_0
  Current Value - PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=600
  Changed to - PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=3600
  rgds,
  Sree

• Profile parameter icm/host_name_full is not set correctly

  Hi All,
  I am  working on Solution Manager 4.0. When I execute TCODE "SOLUTION_MANAGER", it gives the following error:
  Profile parameter icm/host_name_full is not set correctly (see long text)
  When I click on "Long Text", it gives me the following message widow:
  Message Number: SOL_GRAPHIC002
  Diagnosis
  The graphic cannot be displayed, since the profile parameter icm/host_name_full is not set correctly.
  Procedure
  Set the profile parameter icm/host_name_full correctly.
  For more information, see SAP Notes 434918 and 677118.
  I have referred to both the notes above. In note# 434918, it says that I need latest kernel patch (which is 150).Also the icm/host_name_full parameter parameter was not there in Solution Manager, so I created in the following manner:
  Parameter Name =icm/host_name_full
  Parameter Value=smgdcs1s.example.com
  But however, the error continues to be the same.
  Kindly help me asap.
  Thanks in advance.
  Regards,
  Faisal

  Hi Markus,
  Earlier the profile was activated and server was also restarted. However, it was not efffective.
  Now once again i have activated the profile and restared the server. Now I am able to see the profile and it value in
  RZ10
  RZ11
  Thanks a alot for your valuable inputs
  Thanks and Regards,
  Faisal

• Profile Parameter to execute Abap Program at user logon.

  Hi Experts
  I've written a small printer selection program to change the users profile parameter.
  Is there another profile parameter that can be given to execute this program automatically
  when the user logs on.....The reason why I'm looking for a profile parameter to do this is, that only
  certain users need to have this happen at logon.
  Kind Regards
  Vic

  Hi Javi,
  I don't think you need a custom process chain for this. You can use delivered Process Chain for logic and hard-code your script name in the package. In that script you can call BADI that has your ABAP program inside.
  You can find guides how to build BADI here:[How to Pass Parameters to Custom Logic BADI using START_BADI|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20f4252d-98ca-2b10-e689-f85085ae2d12] or here [Creating Custom Script Logic Keyword BADI's - BPC NW|Creating Custom Script Logic Keyword BADI's - BPC NW;.
  Method IF_UJ_CUSTOM_LOGIC~EXECUTE has IT_CV as one of parameters. In your script you probably have to use *XDIM_MEMBERSET to get parameters from DM prompt. IT_CV will have all XDIM members.
  Please let me know if you have any other questions.
  Regards,
  Gersh

• User Profile Parameter ID KVS not work

  Hi,
  I've got some troubles with parameter id KVS. I set it in my user profile,
  parameter = KVS    
  value = B2   
  description = Version (CO)
  when I call report GPCQE53LSADXCC16KZ1R96N5156001, there are two fields with this parameter,
  and their value remain "0" instead of "B2".
  I need to put the parameter value on one of this two fields, how can I do?
  Could someone help me?
  thank you in advance,
  Fede

  You can run Incremental Sync from user profile 3-4 times. This will delete the user profile from SharePoint UPA.
  Now, we need to run UPA clean job timer job available in Job Definition inside central administration.
  This is a by design issue which you have raised. But, to get it done on the same day you need to follow above mentioned steps. This would be done in some hour and cannot be achieved in 4-5 minutes. So, your original request is a by design issue and can be
  done i some hours.
  Thank You, Pallav S. Srivastav ----- If this helped you resolve your issue, please mark it Answered.

• Setting profile parameter icm/HTTP/error_templ_path

  Hi, I have a SAP Enterprsie Portal installation with only java stack (no abap stack),
  i want to set a profile parameter icm/HTTP/error_templ_path,
  please direct me how to set this parameter, 
  also, i need this parameter to be applicable for the SAP web dispatcher, i mean it should be effective for all java instances (i have 2 java instances),
  please help,.......................as there is no ABAP stack, i dont know where to set this parameter

  That parameter you mentioned describes of where the error templates can be found
  You can generate your own static or dynamic error pages for the ICM
  which are sent to the client if an error occurs. Use this parameter
  to specify the directory in which the ICM can find the pages.
  If this parameter is not set, the ICM returns its own static error
  page.
  For information about how to generate the error pages, see the
  documentation in the SAP Library or using the Help Portal.
  SAP Web Application Server -> Client/Server Technology ->
  Architecture of the SAP Web Application Server -> SAP Web
  Application Server Components -> Internet Communication Manager ->
  Error Handling Using the ICM.
  Eventhough u have only java stack u'll have an ICM.
  Since the value for the parameter is just a string mentioning the path of the folder which contains the customised web pages.
  Mention the same path in all the instance profiles (in your case 2 java instances).

• Configuring profile parameter for a table lock object

  Hi Experts-
    I want to set the 'wait time' (_WAIT) parameter as a profile parameter for a table lock object.
    I have created a lock object on a ZTable. I lock and unlock this object in exclusive non-cumulative mode through the enqueue and dequeue lock object function modules. These generated FMs are invoked via my custom function module.
    My function module will run in the background as a scheduled task in R/3. I execute the Enqueue FM at the start of the FM and keep the table locked until the last step finishes in my FM and then I Dequeue it. I want to have the processing wait and retry the Enqueuring FM at set intervals in case the one run doesn't finish entirely and a new run of this same job kicks off.
  Thank you,
  - Vik.

  Set the wait parameter = 'X'.  These means that if it encounters a lock, then it will wait a certain time for the lock to be released.  This certain time is a system value set by your basis team.  I don't imagine it being a very long time.
    CALL FUNCTION 'ENQUEUE_EZPIPHYINVREF'
         EXPORTING
              MODE_ZPIPHYINVREF = 'E'
              MANDT             = SY-MANDT
              _WAIT             = 'X'.
  Regards,
  Rich Heilman

• PI 7.1 Exchange profile parameter:

  Hi
  I got a chance to have a look at PI 7.1. While going through the Exchange Profile parameters, I found a new addition to the existing parameter list. Its called internal. I could not find any information about it.
  help.sap documenation also does not make a mention of this parameter
  I want to know why this parameter is required. Please help.
  Best regards,
  Hari

  Hi,
  I am not sure but most of the Exchange profile parameter are to be for SAP Intyernal use only that should not be altered while custom Installations.
  May be that kind of paramteres have sagreegated under Internal category to restrict the changes for it.
  Thanks
  Swarup

• Read profile parameter in ABAP

  How could I read out a profile parameter such as zcsa/installed_languages in ABAP?
  Is the a function I could use?
  regards HT

  Here is one way...
  REPORT  zrich_0001.
  types: begin of tpar,
         status type sy-index,
         name(60) type c,
         user_wert(60) type c,
         default_wert(60) type c,
         end of tpar.
  data: par_usub type table of tpar with HEADER LINE.
  data: par_sub  type table of tpar  with header line.
  call 'C_SAPGALLPARAM' id 'PAR_USUB' field par_usub-*sys*
                        id 'PAR_SUB'  field par_sub-*sys*.
  read table par_usub with key name = 'zcsa/installed_languages'.
  if sy-subrc = 0.
    write:/ par_usub-name(30), par_usub-user_wert(20),
            par_usub-default_wert(20).
  endif.
  REgards,
  Rich Heilman

• Setting profile parameter

  Hi all,
  To use dynamic error handling in the ICM or Web dispatcher, we must set the profile parameter icm/HTTP/error_templ_path to the directory with the error template files.
  How can we do this? Where do we set the profile parameter? Is there any TCode for this?
  Regards,
  Saurabh

  go to rz10
  choose instance profile
  choose radiobutton extended maintenance.
  click change
  in the resulting screen click create button now using F4 choose the desired paramter and set its value
  check out this online documentation about error template and where it can be stored.
  http://help.sap.com/saphelp_nw04/helpdata/en/f6/3c0b0389cea34ba66f10d62b718a1a/frameset.htm
  Regards
  Raja
  check out the following weblog on SDN way of saying thanks.
  /people/mark.finnern/blog/2004/08/10/spread-the-love

• Profile parameter changes

  Hi gurus,
  while changing the profile parameter login/min_password_lng, getting error  E:login/min_password_lng is not identified identically on all servers. kindly help me to change the profile parameter login/min_password_lng.
  thanks in Advance,
  Anbu

  Hi,
         When you define a parameter at instance level this overrides the global definition. I believe you have removed the instance level definition for this parameter ??  Ensure that this parameter is defined ONLY in the DEFAULT profile . The summary is to have one value for this parameter for the whole SAP system rather than having different values for different application servers as a security policy parameter(of this kind) is something to do with a complete SAP system.
  Let us know.
  cheers !
  PRADi