SAP Tips: Passwords in SAP – A closer look and some useful tips.
SAP Tips: Tips for passwords in SAP
Have you ever been prompted to change your password in SAP and then the format was not accepted? This is controlled by your security team. Here’s how they do it!
Changing password parameters
The password parameters are stored in transaction RZ11. To get started, let’s take a look at the parameter which controls the minimum number of characters which must differ between old and new passwords.
Example: If your old password was “password123” and you set your new password to “password1234”, you may receive a message to say that your new password must contain at least three different characters.
*By the way, I am not advocating that you use “password123” as your password!
This setting is controlled in the RZ11 transaction, which displays profile parameters. Once you have entered the screen, add the below profile parameter into the Parameter Name field.
Please note that those with security access will be able to change parameters using transaction RZ10, as well as display them.
When you press the display button, you will see the below screen:
Look for the “Current Value” to show what is the setting for the parameter (Current Value appears towards the bottom of the screen).
You can also see the SAP notes for the parameter by clicking on the Display Documentation icon at the top left of the screen, or by pressing F7:
This will show you the full SAP description of the parameter, the number of characters and the default value:
Helpfully, the documentation will also show any related parameters, as below:
Let’s take a quick look at each of these parameters and what they do:
• login/min_password_diff – see above
• login/min_password_lng – determined the minimum length a password must be. Default is 10.
• login/min_password_digits – contains the minimum number of digits which MUST exist in the password (default is 1).
• login/min_password_letters – contains the minimum number of letters which MUST exist in the password (default is 1).
• login/min_password_specials – contains the minimum number of special characters which MUST exist in the password (default is 0). Special characters are not digits or letters.
• login/min_password_lowercase – contains the minimum number of lowercase letters which MUST exist in the password (default is 1).
• login/min_password_uppercase – contains the minimum number of uppercase letters which MUST exist in the password (default is 1).
• login/disable_password_logon – for systems where other types of logons are possible, such as single sign-on (SSO), browser certification, or external security product, it is possible to disable password logons. The default here is 0 (password-based logon is possible).
• login/password_charset – defines the characters which a password can contain. This is only really applicable where you are using a non-unicode system.
• login/password_downwards_compatibility – S/4HANA systems support logons with passwords up to 40 characters, case-sensitive and with Unicode characters. Lower versions of SAP do not support the same criteria. The passwords are stored as has values in S/4HANA, which are not backward compatible. You can utilise this parameter to store passwords in different ways, to enable them to become backwards compatible.
• login/password_compliance_to_current_policy – used to check whether the password entered when logging on, complies with current rules. If the value is set to 1 (check), then a message is posted at logon where the rules are not compliant, prompting the user to change their password. System users are excluded from this check. The default value is 0 (no check).
Please note that there are plenty of other password related parameters which can be explored (such as login/password_max_idle_initial and login/password_expiration_time). I’ll let you explore them in your own time!
Restricting illegal passwords and defining password patterns
It can be a good idea to stop users from creating passwords that are too easy to guess. For example, disallow the word “password” or “SAP” or the sequence “123”.
This can be done by amending table USR40. Here is the step by step guide:
1. In the SAP GUI, go to transaction SM30 and enter table USR40:
2. Click on “Edit” to bring up the table entries. Not the “cross client” message telling you that any entries will be valid for all clients.
3. Click on “New Entries” to add entries into the table. For example:
a. Entry “SAP” will exclude a password of “SAP”.
b. Entry “SAP*” will exclude a password beginning with “SAP”
c. Entry “*SAP*” will exclude any string within the password of “SAP”
My entries above exclude use of the word “password” for use as the password, exclude “123” as the final characters of a password, and exclude the uppercase use of “SAP” anywhere in the password.
I hope you find this useful! Stay tuned for another SAP Tip from Eursap next month.
Be sure to also check out Eursap’s SAP Blog for more in depth articles.
Author: Jon Simmonds, IT Director, Architecture
Get in touch with Eursap – Europe’s Specialist SAP Recruitment Agency