AGLEA Blog

SAP User Management: password, 5 points for reflection

Written by Andrea Mazzolani (translation) | Apr 20, 2023 10:00:00 PM

Do you use a password to login to SAP systems?

Which are the most obvious cases which you should pay attention to?

The password management process for new users

Every day you define (some more, some less) users in the system. You receive from human resources a notification or in other ways, such as through a ticket, the users that need to be created.

 

Instead if you use a system such as SAP GRC Access Control or Identity Management You might not have this issue.

 

In these cases an automatic or manual workflow is activated to create new users in the various systems, including SAP.

 

At the end of the process, the new user, to be able to connect itself needs to know its credentials, meaning username and password.

 

1) How is this password communicated to him?

One of the first aspects to inquire about is how they are given this password. Often this aspect is related to the next point.

 

  • By email?
  • By phone?
  • Since it's always the same, by now anyone knows it, at least for the initial password?
  • By using a temporary link?

 

2) How do you manage the initial password?

Which initial password do you choose? This is one of the most important aspects which is often underestimated.

 

Which are the most common passwords? Maybe defined during the initial steps of the project? 

  • Init123a or similar i.e. Init00
  • Initial!
  • Company name and year, i.e. Aglea2020 or even Aglea1
  • ChangeNow! (this one is more in the Anglo-Saxon style)

 

If you use a similar technique to the above, then you should review this aspect.

What are the risks?

 

  • A user connects to another user's account. Do you really think it's difficult? If I know that there is a new colleague entering the company, and maybe I figure out the USERID which will be used in the systems, then I will be able to use a common password and login to his account. Clearly, if the new colleague has not logged in for the first time.
  • This same case might apply if the user doesn't log in for a long time after it was given the credentials. How often does it happen that a user is defined, maybe even a top-manager's account and there still hasn't been a first login since months.

 

For the above reasons, SAP has introduced a pop-up alert during the logon if there are multiple incorrect logon attempts.

 

To see logon attempts take a look at the following note: OSS 2322332 - Number of failed password logon attempts.

 

If I try to login with wrong SAP credentials, the following error will show up:

 

 

After the following correct logon I will see the following message:

 

 

3) Does the initial password expire?

By default the initial password has no expiration date, however through the SAP login/password_max_idle_initial instance profile you can insert the number of days for the password validity.

 

Passed the defined number of days the password will be disabled and therefore the user (even if he knows the password) will not be able to access the system.

 

4) Does the production password expire?

Even if not directly connected to the initial password aspects, there is a way to make a password expire, even the production one (even if changed by the user) in case of no logon for a certain period of time.

 

This parameter is called login/password_max_idle_productive. In this case I could insert a value lower than the mandatory password change (if I use this technique)

 

5) Do users have different passwords in different systems?

A further focus point regards the system copy. Or if your user has the same password in different systems. Why could this be a risk?

  • If I have access to the development and test systems, usually these are less controlled, and therefore from them I could get the password and access the production system and access with your user since the password is the same in the different systems.

 

Evaluate the automatic initial password generation

If you don't have tools such as SAP GRC Access Control or Identity Management solutions, then you can directly use the standard SAP functionality of automatic password generation.

 

This tool, located in the "Logon Data" tab in the SU01 transaction (the transaction for the management of all SAP users) it enables you to generate passwords.

 

By default SAP generates a password with the highest possible complexity, therefore with 40 characters, numbers, letters (lower case or upper case) and special characters too.

 

 

You can personalize the behavior of this transaction inside the PRGN_CUST table (through the SM30 transaction) using the following customizing switch:

  • GEN_PSW_MAX_LETTERS login/min_password_letters

Maximum number of digits in the generated password

  • GEN_PSW_MAX_DIGITS login/min_password_digits

Maximum number of letters in the generated password

  • GEN_PSW_MAX_SPECIALS login/min_password_specials

Maximum number of special characters in the generated password

  • GEN_PSW_MAX_LENGTH login/min_password_lng

Maximum length of the generated password