Profile parameter for passwords - conflicting documentations.
Greetings!
I've encountered an issue with profile parameter login/password_max_idle_productive
Integrated help in SU01 says:
You can use the profile parameter login/password_max_idle_productive to define the point as of which the validity of the productive password ends. The time is calculated from the date of the last password change plus the number of days specified in the profile parameter. Password-based logon is then not possible from this point.
This makes this parameter redundant (we have login/password_expiration_time ).
SAP Library says (see link below):
Specifies the maximum period for which a productive password (a password chosen by the user) remains valid if it is not used.
Which suggests that the time after which passwords are considered expired is calculated from last logon date plus whatever is the parameter value.
SU01 help specifies explicitly how this parameter works but it conflicts with a more ambiguous description found in the SAP Library. The observed system behavior on logon is in line with SU01 help, but report RSUSR200 does not list the user as having an expired productive password.
We're on ECC 6.0, release 701 with support package 3. I could not find any SAP notes relating to this issue.
Has anyone encountered this issue before or have I just run into an odd glitch?
[SAP Library|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/22/41c43ac23cef2fe10000000a114084/frameset.htm]
It sounds like you have a requirement to set the expiration time (when the user has to change the password) which is for a different user group than those for which you want to disable an idle password. Currently, both are global settings and affect both user groups (actually, all users of type DIALOG and COMMUNICATION - only SERVICE and SYSTEM type users are not affected).
In that there is an option for you... but be aware of license implications... or you can upgrade to 7.02 early next year (I think this is the correct release, time and release "alias" for it..) and then configure your security policies client-dependently!
Currently, your best option is to not set these two global parameters illogically and monitor the user group manually from RSUSR200.
In the wild, many folks use the user type difference to workaround this, but that is also global to the user type so they are excepted from the expiration time as well. Additionally, not all functionality is available to them on the client side (e.g. SAP Logon Tickets won't work) and the authority-checks are even slightly different on some special cases.
Personally, I don't understand why users with authorizations to make purchase requests only should change their passwords more often (expiration time) or be more active (idle time) than those with SAP_ALL etc.
> I hadn't considered SSO since we do not currently use it.
SSO solves several of these problems by deleting the password completely...
Cheers,
Julius
Edited by: Julius Bussche on Oct 8, 2009 9:59 PM
Similar Messages
-
Configuring profile parameter for a table lock object
Hi Experts-
I want to set the 'wait time' (_WAIT) parameter as a profile parameter for a table lock object.
I have created a lock object on a ZTable. I lock and unlock this object in exclusive non-cumulative mode through the enqueue and dequeue lock object function modules. These generated FMs are invoked via my custom function module.
My function module will run in the background as a scheduled task in R/3. I execute the Enqueue FM at the start of the FM and keep the table locked until the last step finishes in my FM and then I Dequeue it. I want to have the processing wait and retry the Enqueuring FM at set intervals in case the one run doesn't finish entirely and a new run of this same job kicks off.
Thank you,
- Vik.
Set the wait parameter = 'X'. This means that if it encounters a lock, then it will wait a certain time for the lock to be released. This certain time is a system value set by your basis team. I don't imagine it being a very long time.
CALL FUNCTION 'ENQUEUE_EZPIPHYINVREF'
  EXPORTING
    MODE_ZPIPHYINVREF = 'E'
    MANDT             = SY-MANDT
    _WAIT             = 'X'.
Regards,
Rich Heilman -
Profile parameter for to change password
Hello everyone.
Is there any profile parameter to change the password after a certain number of days, say 30 days? I see there are profile parameters for length, uppercase, lowercase, but is there one to change the password after a given period of time?
Thanks.
Neha.
> I checked the profile parameters using the program RSPARAM. But I am not able to find a parameter to prevent the old password from being used at least ten times. I also checked in the table TPFET.
>
login/min_password_diff min. number of chars which differ between old and new password
> And also can we prevent the password being same as user id.
>
> Should these parameters be changed in the default profile or instance or start profile.
>
It depends ... you may decide this by discussing with BASIS team and as per your Company SOP. I prefer Default profile. But never use Instance profile.
Please go through the following links:
[Password Rules|http://help.sap.com/saphelp_nw04/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/frameset.htm]
[Profile Parameters for Logon and Password (Login Parameters)|http://help.sap.com/saphelp_nw04/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/frameset.htm]
[Password rules and preventing incorrect logons|https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=2467&_NLANG=E]
[ Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)|https://service.sap.com/sap/support/notes/862989]
[Logon and Password Security in the SAP System|http://help.sap.com/saphelp_nw04/helpdata/en/eb/4bb638b5358259e10000009b38f8cf/frameset.htm]
Regards,
Dipanjan -
The ENQUEUE function module also has the parameter _WAIT. This parameter determines the lock behavior when there is a lock conflict.
You have the following options:
· X: If a lock attempt fails because there is a competing lock, the lock attempt is repeated after waiting for a certain time. The exception FOREIGN_LOCK is triggered only if a certain time limit has elapsed since the first lock attempt. The waiting time and the time limit are defined by profile parameters.
I want to know what parameter defines the wait time, thanks very much!
Dear,
Please look to the below link, especially "Creating lock objects and Example of lock objects"...
http://help.sap.com/saphelp_46c/helpdata/en/cf/21eebf446011d189700000e8322d00/frameset.htm
Regards,
Sreenivas .Y -
Profile Parameter for HTTP communication
I have installed PI 7.1 service which contain double stacks(ABAP+JAVA).
Is it possible to access ABAP server using 8000 port, and Java server using 50000 port? (System number is 00).
The prerequisite is I need the parameter icm/server_port_0 to be added to the profile.
Hi Sharath, thanks for your reply.
Yes, after installation the default ports for ABAP and JAVA are 8000 and 50000. But if I set the parameter icm/server_port_0 = PROT=HTTP,PORT=50000, then the ABAP server also should be accessed through port 50000. If I still use 8000, nothing will return. If I set icm/server_port_0 = PROT=HTTP,PORT=8000, then I can only access the Java server through port 8000 as well.
I wonder if it is possible to use these two ports for ABAP and JAVA respectively?
Thanks so much!
Regards
Edited by: Chris Xu on Mar 2, 2010 8:28 PM -
Profile parameter for BTC ignored.
This weekend, we ended up restoring some production systems. Because we did not want any background to run once the systems came up we changed the btc parm to "rdisp/wp_no_btc = 0 ". As we know, this should bring up the system without any background processes. This change was made on the instance level profile, and we checked for duplicate entries. After the PIT restore, SAP was brought up. However the same number of BGD processes were still active on the system. A look at RZ11 shows that the profile is set to 0 for all three categories.
The systems in question are the BI system and the SCM system.
BI is on EhP1 and SCM is on 5.0.
The BI system is a multi instance system, and the CI was changed to have BTC=0 and was brought up alone
SCM is a single instance system.
Any ideas would be appreciated.
Regards,
Dan
Thanks for the reply, but not exactly what I was asking.
To clarify.
I want to bring up the system with no background process. As you know when the system comes up the table TBTCS is searched for any dates in the past and those jobs that are found are scheduled. To this end, we set the profile parm
rdisp/wp_no_btc =0. However when the systems came up the original number of background processes were created. More perplexing is that looking at the parm in RZ11 shows the values for PROFILE, DEFAULT and CURRENT all set to 0.
So why did the system come up with BGD processes.
Regards,
Dan -
Profile Parameter Setup (RZ10) - Help Needed
In using RZ10 to setup profile parameter for QAS, in the scenario below:
How do I change the "Unsubstituted" and "Substituted" standard value to match this
miadevs2\sapmnt\trans
Parameter name: Status Seq. no.
DIR_TRANS Active 3
Parameter val.:
$(SAPTRANSHOST)\sapmnt\trans
Unsubstituted standard value:
miaqasc2\saploc\trans (Need to change this value - It is grayed out)
Substituted standard value:
miaqasc2\saploc\trans (Need to change this value - It's grayed out)
Hi Joseph,
Change the field in "Param Value" at the top.
It will automatically change the field value.
Hope this helps,
Erwan -
How to change INSTANCE profile parameter?
HI,
How to change INSTANCE PROFILE PARAMETER for permanent???
any step by step or note?
Thanks,
Alf,
It is recommended to do parameter changes through RZ10. Check the parameter in RZ11 and if you see a check mark against DynamicallySwitchable, you don't have to reboot, else it requires a reboot. All the changes you make through RZ10 are permanent. You can do it through OS level but it's not a good practice. If you do it through RZ10 it is logged.
Thanks
Prince Jose -
Creating a Perl script for SAP system profile parameter
Hi,
I need to create a perl script for all the profile parameters to check as a security directive, so that whenever the system is started it checks for these profile parameters.
As per my company sap directive ,these are the profile parameter i need to set.
Can anyone let me know how to write the scripts.
login/min_password_lng | Minimum password length for user password | 3 [20] | Min. 8
login/password_expiration_time | Number of days between forced password change. | 0 | Max. 35
login/fails_to_session_end | Number of invalid logon attempts allowed before the SAP GUI is disconnected. | 3 | Max. 3
login/fails_to_user_lock | Number of invalid logon attempts before the user id is automatically locked by the system. | 12 | Max. 6
rdisp/gui_auto_logout | Time, in seconds, that SAPGUI is automatically disconnected because of in-activity. | 0 | 60-7200 [21]
auth/test_mode | Jump into report RSUSR400 at every authority check | N | N [22]
auth/system_access_check_off | Switch off automatic authority check for special ABAP commands | 0 | 0
auth/no_check_in_some_cases | Special authorization checks turned off by customer. Enabling of Profile Generator | N/Y [23] | Y
login/ext_security | Security access controlled by external software. | N | N [24]
auth/rfc_authority_check | Permission for remote function calls from within ABAP programs | 0 | 1
login/failed_user_auto_unlock | Enable system function for automatic unlock of users at midnight. (0 = locks remain) | 0 | 0
login/no_automatic_user_sapstar (as of 3.1h), login/no_automatic_user_sap* (prior to 3.1h) | Disable ability to logon as SAP* with PASS as password when SAP* deleted. | 0 | 1 [25,26]
auth/tcodes_not_checked | TCode checking for SU53 & SU56 analysis disabled | (empty | "SU53
Regards,
Chetan.
Here's a simple perl script that should help you get what it is you're looking for - you can add all the parameters you want to search for, I just took a few of them:
    #!/usr/bin/perl -w
    use strict;
    use sapnwrfc;
    # Read the connection settings from the sapnwrfc config file and log on.
    SAPNW::Rfc->load_config;
    my $rfc = SAPNW::Rfc->rfc_connect;
    # Profile parameters to read.
    my @parms = ( "login/min_password_lng",
                  "login/password_expiration_time",
                  "login/fails_to_session_end",
                  "login/fails_to_user_lock" );
    for my $x (0 .. $#parms) {
        # Look up the function module and call it once per parameter.
        my $rcc = $rfc->function_lookup("SXPG_PROFILE_PARAMETER_GET");
        my $slr = $rcc->create_function_call;
        $slr->PARAMETER_NAME($parms[$x]);
        $slr->invoke;
        print "Value for $parms[$x] is: ".$slr->PARAMETER_VALUE."\n";
    }
    # Close the RFC connection after all parameters have been read.
    $rfc->disconnect();
And running it, you'll get:
[dhull@397 scripts]$ ./read-profile.pl
Value for login/min_password_lng is: 7
Value for login/password_expiration_time is: 90
Value for login/fails_to_session_end is: 3
Value for login/fails_to_user_lock is: 6
[dhull@397 scripts]$
If you need to get your perl environment ready to make RFC calls to your SAP system, check my series of blogs on how to do so here:
https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/u/251752730
Cheers,
David. -
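Added example (not part of the post above and not SAP or sapnwrfc code): a Python check that reads the "Value for ... is: ..." lines printed by a script like the one in the answer and compares them with the limits from the directive table in the question. The limits are a reading of that garbled table, and counting 0 as a failure for "Max." rules is an assumption.

```python
import re

# Limits as read from the directive table in the question. The table is
# garbled on the page, so this reading is an assumption.
DIRECTIVE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("max", 35),
    "login/fails_to_session_end": ("max", 3),
    "login/fails_to_user_lock": ("max", 6),
    "rdisp/gui_auto_logout": ("range", (60, 7200)),
    "auth/rfc_authority_check": ("equals", 1),
    "login/failed_user_auto_unlock": ("equals", 0),
    "login/no_automatic_user_sapstar": ("equals", 1),
}

LINE_RE = re.compile(r"^Value for (\S+) is:\s*(.*?)\s*$")


def parse_output(text):
    """Map parameter name -> raw value string; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check(rule, limit, value):
    """Return True when the integer value satisfies one directive rule."""
    if rule == "min":
        return value >= limit
    if rule == "max":
        # Assumption: 0 switches the control off (for example, passwords
        # never expire), so it cannot satisfy an upper limit.
        return 0 < value <= limit
    if rule == "range":
        low, high = limit
        return low <= value <= high
    if rule == "equals":
        return value == limit
    raise ValueError("unknown rule: " + rule)


def audit(text):
    """Return {parameter: 'ok' | 'fail' | 'missing' | 'invalid'}."""
    values = parse_output(text)
    report = {}
    for name, (rule, limit) in DIRECTIVE.items():
        raw = values.get(name)
        if raw is None:
            report[name] = "missing"  # not read at all: treat as a finding
        elif not re.fullmatch(r"-?\d+", raw):
            report[name] = "invalid"  # empty or non-numeric value
        else:
            report[name] = "ok" if check(rule, limit, int(raw)) else "fail"
    return report


# The first four values are the ones shown in the answer's sample run; the
# last two lines are constructed for this example.
SAMPLE = """\
[dhull@397 scripts]$ ./read-profile.pl
Value for login/min_password_lng is: 7
Value for login/password_expiration_time is: 90
Value for login/fails_to_session_end is: 3
Value for login/fails_to_user_lock is: 6
Value for rdisp/gui_auto_logout is: 0
Value for auth/rfc_authority_check is: 1
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```

Parameters that the script never read are reported as "missing" rather than skipped, so an incomplete parameter list in the reader script shows up as a finding.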
Profile Parameter : Time out for executing query on the web
Hi gurus,
I am executing queries on the web directly. This can be done from query designer with the button that says "Execute query on web". The problem is that for queries that take more than 600 Secs to run, I get an Application timed out error. Queries that take less than this run smoothly.
Can anyone please tell me the profile parameter associated with this particular setting. It is not rdisp/max_wprun_time, I know for sure since the value for this profile parameter in my system is 9999. Please help.
Thanks & rgds,
Sree
Issue resolved.
Profile Parameter - icm/server_port_0
Current Value - PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=600
Changed to - PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=3600
rgds,
Sree -
Personal Profile service for Brazil - Type Conflict for infotype 0002
Hello All,
We are enabling personal profile service for Brazil. And we did all the required configuration for that.
When I access the personal info service I can see the overview page with personal data. But when I click on display link, I get the error message saying -
Type conflict with ASSIGN in program CL_HRPA_UI_CONVERT_0002_BR
Is there any configuration missing?
Thanks,
Bhushan
Short text
Type conflict with ASSIGN in program "CL_HRPA_UI_CONVERT_0002_BR====CP".
What happened?
Error in the ABAP Application Program
The current ABAP program "CL_HRPA_UI_CONVERT_0002_BR====CP" had to be
terminated because it has
come across a statement that unfortunately cannot be executed.
What can you do?
Note down which actions and inputs caused the error.
To process the problem further, contact you SAP system
administrator.
Using Transaction ST22 for ABAP Dump Analysis, you can look
at and manage termination messages, and you can also
keep them for a long time.
Error analysis
You attempted to assign a field to a typed field symbol,
but the field does not have the required type.
How to correct the error
Adapt the type of the field symbol to the type of the field or use an
untyped field symbol or use the "CASTING" addition.
If the error occures in a non-modified SAP program, you may be able to
find an interim solution in an SAP Note.
If you have access to SAP Notes, carry out a search with the following
keywords:
"ASSIGN_TYPE_CONFLICT" " "
"CL_HRPA_UI_CONVERT_0002_BR====CP" or "CL_HRPA_UI_CONVERT_0002_BR====CM003"
"IF_HRPA_UI_CONVERT_STANDARD~OUTPUT_CONVERSION"
If you cannot solve the problem yourself and want to send an error
notification to SAP, include the following information:
1. The description of the current problem (short dump)
To save the description, choose "System->List->Save->Local File
(Unconverted)".
2. Corresponding system log
Display the system log by calling transaction SM21.
Restrict the time interval to 10 minutes before and five minutes
after the short dump. Then choose "System->List->Save->Local File
(Unconverted)".
3. If the problem occurs in a problem of your own or a modified SAP
program: The source code of the program
In the editor, choose "Utilities->More
Utilities->Upload/Download->Download".
Line SourceCde
6 DATA: attributes TYPE hrpad_field_attribute_tab.
7 DATA: l_object_key TYPE hcm_object_key.
8 DATA: l_subrc TYPE sysubrc.
9
10 FIELD-SYMBOLS <r0002_br> TYPE hcmt_bsp_pa_br_r0002.
11 FIELD-SYMBOLS <p0002_br> TYPE p0002.
12 FIELD-SYMBOLS <p0625> TYPE p0625.
13
14 is_ok = if_hrpa_ui_convert_standard~true.
15 ASSIGN screen_structure TO <r0002_br>.
16 l_object_key = <r0002_br>-object_key.
17 MOVE-CORRESPONDING pnnnn TO super_screen_ref.
18
19 CALL METHOD super->if_hrpa_ui_convert_standard~output_conversion
20 EXPORTING
21 screen_structure_name = a_super_screen_structure_main
22 pnnnn = pnnnn
23 message_handler = message_handler
24 field_metadatas = field_metadatas
25 IMPORTING
26 screen_structure = super_screen_ref
27 is_ok = is_ok
28 field_attributes = field_attributes.
29
30 MOVE-CORRESPONDING super_screen_ref TO screen_structure.
31
32 CASE a_super_screen_structure_main.
33 WHEN 'HCMT_BSP_PA_XX_R0002'.
34 ASSIGN pnnnn TO <p0002_br>.
35 ASSIGN screen_structure TO <r0002_br>.
>>>>> ASSIGN pnnnn2 TO <p0625>.
37 MOVE-CORRESPONDING <p0002_br> TO <r0002_br>.
38 MOVE-CORRESPONDING <p0625> TO <r0002_br>. -
Dear All,
Kindly advice,
We have recently changed the instance profile parameters for enabling
the password policy. The parameters that we changed are
login/password_expiration_time 60
login/min_password_specials 1
login/min_password_lng 8
login/min_password_letters 2
login/min_password_digits 1
login/password_max_new_valid 45
login/password_max_reset_valid 45
We are using ECC 4.7
After we have restarted the system, all users were prompted
automatically to change the passwords except three users which we had
created recently.. Although we have given the "login/min_password_lng"
as 8, it still taking 4 letters as password without any special
characters in it.
Kindly advice us in this regard and if u need any more information
please let us know.
Regards
GAURAV
Hi,
As said by António Barrote, might be you are having more application servers and parameters are set in one server only. If that is the case then if those 3 users are logging in to other server then it will not prompt. Also, if you say that, no we have only one server and all the parameters are set correctly and working fine for other 240 users. Then yes you are right.
As per my understanding, it has not asked for password change for these 3 users because these users are created recently and after creating them you have set the parameters. Hence after the parameters came in to effect it will not ask for password change for these 3 users because the password expiration is 60 days as per value you have set above. Hence after 60 days from the date when you have created those users and set password it will prompt them to change password and at that time it will not allow them to set password for length 4 letters, but will set as per the parameters.
Since for these 3 users password was set before enabling parameters those will apply only after expiration period. Otherwise what you can do is reset the password for them now and ask them to change it and now it will make them change password as per the parameters.
Hope clarified.
Thanks & Regards,
Sharath Babu M -
Profile Parameters for Logon and Password (Login Parameters)
I've upgraded SM3.2 to SM4.0 and now users can create password with 40 characters. I want to return to max 8 letters in password and to big letters in password. I haven't found appropriate parameter. Does parameter login/password_downwards_compatibility provide me compatibility to old login parameters?
Hi,
Also follow the following
/people/sap.user72/blog/2005/10/19/attention-security-administrators-new-password-rules-are-on-their-way
After SAP NetWeaver 6.40, the password hash algorithm is changed from MD5 to SHA-1. This means that more secure hash values, which are not backward-compatible, and which make reverse engineering attacks difficult, can be generated. By default, new systems generate two hash values: a backward-compatible value and a new value. However, you can configure the system so that only the new hash value, which is not backward-compatible, is generated. You can set the degree of backward compatibility with the profile parameter login/password_downwards_compatibility.
The system can determine the type (new or old) of the current user password at any time. During logon, the system calculates the password hash based on the entered data and in accordance with the information from the user master record (see the hash procedure used) and compares the hash values. The system decides itself which part of the entered password is evaluated.
· If the user master record shows that the user's password was encrypted with the old password hash algorithm, the system only evaluates the first eight characters and converts these to upper-case
· If the user master record shows that the user's password is encrypted with the new password hash algorithm, the system evaluates all characters as they were entered (up to 40 characters, with no conversion to upper-case).
The new functions do not initially have any consequences after the upgrade; the operation of the system and password queries continue to run as usual. The passwords of the new type gradually replace the passwords of the old type.
Do reward with points.
Regards. -
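Added example, not from the post above or from SAP: a Python sketch of the logon comparison described in the answer, showing which entered strings match a stored password under the old and the new procedure. SHA-256 over user name and password is a stand-in and not SAP's hash algorithm; the record layout, function names and sample values are hypothetical.

```python
import hashlib
import hmac

OLD, NEW = "old", "new"  # hypothetical labels for the procedure kept in the user record
MAX_NEW_LENGTH = 40      # "up to 40 characters" for new-style passwords


def evaluated_part(entered, procedure):
    """Return the part of the entered password that takes part in the comparison."""
    if procedure == OLD:
        # Old procedure: first eight characters only, converted to upper case.
        return entered[:8].upper()
    if procedure == NEW:
        # New procedure: every character exactly as entered.
        return entered
    raise ValueError("unknown procedure: " + procedure)


def stand_in_hash(user, evaluated):
    """SHA-256 stand-in for the real password hash (assumption, not SAP's algorithm)."""
    return hashlib.sha256((user + "\0" + evaluated).encode("utf-8")).hexdigest()


def set_password(user, password, procedure):
    """Build a toy user master record that remembers which procedure was used."""
    if procedure == NEW and len(password) > MAX_NEW_LENGTH:
        raise ValueError("password longer than 40 characters")
    return {"user": user, "procedure": procedure,
            "hash": stand_in_hash(user, evaluated_part(password, procedure))}


def logon(record, entered):
    """Hash the entered password the way the record says and compare."""
    candidate = stand_in_hash(record["user"],
                              evaluated_part(entered, record["procedure"]))
    return hmac.compare_digest(candidate, record["hash"])


def accepted_variants(record, candidates):
    """List the candidate strings that would pass the password comparison."""
    return [c for c in candidates if logon(record, c)]


# Constructed sample data for this example.
PASSWORD = "Autumn2009!Report"
CANDIDATES = [
    "Autumn2009!Report",       # exactly as set
    "autumn2009!report",       # different case
    "AUTUMN20",                # only the first eight characters
    "Autumn20-anything-else",  # same first eight characters, different tail
    "Autumn21",                # differs within the first eight characters
]

if __name__ == "__main__":
    for procedure in (OLD, NEW):
        record = set_password("TESTUSER", PASSWORD, procedure)
        print(procedure, accepted_variants(record, CANDIDATES))
```

A record that still carries an old-style hash accepts four of the five variants, which is why a long password only gains its full strength once the user master record holds the new-style hash.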
I want to be the only one who can access my profile, so how to create passwords for profiles (NOT for websites) ?
thanks
Maybe use the portable Firefox version on a USB stick if you want to prevent access to your profile.
Solutions that use an extension can easily be bypassed by starting in Safe mode.
Otherwise you need to locate the Firefox profile folder on an encrypted drive.
See http://portableapps.com/apps/internet/browsers/portable_firefox -
Yosemite server Profile manager how setup time for password after sleep
Hi,
In Profile Manager in Setup & Privacy is possibility setup password after sleep, but I need setup time period. Is it possible? Because when I push this profile it prevents users to setup this period and when I remove this profile (whole payload for Security & Privacy) it still prevents users to change these two settings.
Hi CodyCodes,
Just discovered the same issue today as well. Further complicating things, the screensaver timeout setting in Login Window doesn't apply to Profile Manager clients no matter what the setting. This was reproduced and confirmed by the Apple Tech I was working with. He's submitted the bug to their engineering staff. I requested that he ask them why there is no setting for password on sleep or screensaver. Hopefully this is resolved soon, as this feature is 99% of the reason we're implementing Profile Manager to begin with.
Cheers