SAP Security Online!
Password Control in SAP Systems

There are two ways to control which user passwords are allowed:

  • You can use the system profile parameters to assign a minimum length for passwords and to define how often users have to set new passwords.
  • Passwords that are not to be allowed can be entered in the table of reserved passwords, USR40. This table is maintained with transaction SM30. The entries can also be made generically:

    - ? denotes one character
    - * denotes a character string

The SAP System also has pre-defined password rules. You control passwords with the login/* profile parameters:

login/min_password_lng - Defines the minimum allowed length of a new password.

login/password_expiration_time - Defines the expiration period of the password.

login/fails_to_user_lock - Locks the user after the specified number of wrong logon attempts; the user is unlocked at midnight if the login/failed_user_auto_unlock parameter is set.

login/fails_to_session_end - Ends the user's session after the specified number of wrong logon attempts.

login/disable_multiple_gui_login - Refuses multiple logons of the same user; only users listed in login/multi_login_users are allowed to log on more than once.

login/min_password_diff - Defines the minimum number of characters by which the new password must differ from the old one, including rotation.

login/password_max_new_valid - Defines the validity period of the passwords of newly created users.

login/password_max_reset_valid - Defines the validity period of reset passwords.

login/min_password_digits, login/min_password_letters, login/min_password_specials - Define the minimum number of digits, letters and special characters in the password.

login/disable_password_logon and login/password_logon_usergroup - Control the deactivation of password-based logon.

login/disable_cpic - Refuses incoming connections of type CPIC.

rdisp/gui_auto_logout - Defines the time after which SAP GUI is logged out automatically.

login/no_automatic_user_sapstar - Controls the automatic SAP* user.
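The USR40 wildcards and the login/min_password_* parameters above describe a policy; the following Python is an added illustration of how such a check behaves, not SAP's own code. The parameter values and USR40 entries are constructed for the example, and the reading of "including rotation" (smallest positional difference over every rotation of the old password) and the case-insensitive, whole-string matching of USR40 entries are assumptions.

```python
import re

# Constructed login/* values for this example, not a real system's profile.
PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_diff": 3,
}

# Constructed USR40 entries: '?' stands for one character, '*' for a character string.
USR40 = ["pass", "sap*", "?????", "welcome*"]

def usr40_regex(entry):
    """Turn a USR40 entry into an anchored regex (assumed: whole string, case-insensitive)."""
    pattern = re.escape(entry).replace(r"\?", ".").replace(r"\*", ".*")
    return re.compile("^" + pattern + "$", re.IGNORECASE)

def is_reserved(password, table=USR40):
    return any(usr40_regex(entry).match(password) for entry in table)

def char_diff(old, new):
    """Positions in which new differs from old, minimised over every rotation of old
    (an assumed reading of 'including rotation', not SAP's algorithm)."""
    old, new = old.lower(), new.lower()
    best = len(new)
    for shift in range(len(old)):
        rotated = old[shift:] + old[:shift]
        diff = sum(a != b for a, b in zip(rotated, new)) + abs(len(old) - len(new))
        best = min(best, diff)
    return best

def check_password(new, old=None):
    """Return the names of the rules the new password violates (empty list = accepted)."""
    problems = []
    if len(new) < PROFILE["login/min_password_lng"]:
        problems.append("login/min_password_lng")
    if sum(c.isdigit() for c in new) < PROFILE["login/min_password_digits"]:
        problems.append("login/min_password_digits")
    if sum(c.isalpha() for c in new) < PROFILE["login/min_password_letters"]:
        problems.append("login/min_password_letters")
    if sum(not c.isalnum() for c in new) < PROFILE["login/min_password_specials"]:
        problems.append("login/min_password_specials")
    if is_reserved(new):
        problems.append("USR40")
    if old is not None and char_diff(old, new) < PROFILE["login/min_password_diff"]:
        problems.append("login/min_password_diff")
    return problems
```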

Default password, and protecting SAP*


Starting with installations of SAP Web Application Server release 6.10 and higher, the passwords of SAP* and DDIC are selected during the installation process.

Use the User Information System or report RSUSR003 to monitor the passwords of all predefined users.

If possible, make use of the profile parameter, login/no_automatic_user_sapstar.

If you create a new client, the default password for SAP* is pass. If you delete the SAP* user, logon is still possible with user SAP* and password pass.

The DDIC user maintains the ABAP Dictionary and software logistics, and is the only user who can log on to the SAP System during a release upgrade. The system automatically creates user master records for SAP* and DDIC in client 000 when the SAP System is installed.

Do not delete or lock user DDIC, because it is required for certain installation and set-up tasks. User DDIC needs extensive authorizations; as a result, the profile SAP_ALL is assigned to it. The users SAP* and DDIC should be assigned to user group SUPER to prevent unauthorized users from changing or deleting their user master records.

Default clients in an SAP System:

• Client 000 is used for customizing default settings. SAP imports the customized settings into this client in future SAP System releases during the upgrade process, or even with support packages. Client 000 should not be used for customer data entry, customizing, or development.
• Client 066 is used by the SAP EarlyWatch service and should not be used or deleted by customers.

Please refer to the new password rules.

Copyright © 2005 - 2007 SAP Security Online.com All Rights Reserved.