Logon and Password Security in the R/3 System 

This section provides a general overview of logon and password security in the R/3 System.

The Initial Password

When you create a user, you are required to enter a password for the user. The password must meet all of the internal requirements set by the R/3 System as well as any Customizing changes that you have made. For more information, see Setting Password Controls.

When a new user logs on for the first time, he or she must specify a new password before proceeding.

Password Requirements

The following table shows password requirements and whether they are fixed by the system or whether you can customize them.

| Password Requirement | Type |
|---|---|
| Minimum length: 3 characters | Can be customized. Minimum length can be increased |
| Expiration | Can be customized. Number of days after which a password must be changed can be set. Default: password does not have to be changed |
| Password may not be set to a value that is contained in a "lock-out list" | Can be customized. Default: all passwords allowed, except PASS and SAP* |
| First character may not be ! or ? | Fixed in R/3 System |
| First three characters may not appear in the same sequence in the user ID | Fixed in R/3 System |
| First three characters may not be identical | Fixed in R/3 System |
| Space character not allowed within first three characters | Fixed in R/3 System |
| Password may not be PASS or SAP* | Fixed in R/3 System |
| Any character which may be typed on the keyboard is allowed in a password. Password is not case-sensitive. No distinction is made between upper- and lowercase letters | Fixed in R/3 System |
| A user can change his or her password no more than once a day. Restriction does not apply to user administrators | Fixed in R/3 System |
| Password may not be changed to any of a user's last five passwords | Fixed in R/3 System |

For help in setting the customizable password requirements, see Customer-Defined Password Protection.
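The rules in the table can be expressed as a single check, which is useful for pre-validating passwords in provisioning tools before they are sent to the system. The following is an added example, not SAP code: the function name, parameters and sample values are hypothetical, the lock-out list is assumed to hold exact values, and the password history is assumed to be ordered oldest to newest.

```python
# Added illustration of the password rules in the table above; not SAP code.
FIXED_FORBIDDEN = {"PASS", "SAP*"}  # fixed in the R/3 System per the table


def check_password(user_id, password, *, min_length=3,
                   lockout_list=(), last_passwords=()):
    """Return the list of violated rules (an empty list means acceptable)."""
    # Passwords and user IDs are not case-sensitive, so compare in uppercase.
    pw, uid = password.upper(), user_id.upper()
    head = pw[:3]
    problems = []
    # The minimum length can be increased by customizing, never lowered below 3.
    if len(pw) < max(min_length, 3):
        problems.append("shorter than minimum length")
    if pw[:1] in ("!", "?"):
        problems.append("first character is ! or ?")
    # Assumption: "same sequence" means the three characters occur as a
    # contiguous substring anywhere in the user ID.
    if len(head) == 3 and head in uid:
        problems.append("first three characters appear in user ID")
    if len(head) == 3 and len(set(head)) == 1:
        problems.append("first three characters identical")
    if " " in head:
        problems.append("space within first three characters")
    if pw in FIXED_FORBIDDEN:
        problems.append("PASS or SAP* not allowed")
    if pw in {p.upper() for p in lockout_list}:
        problems.append("on lock-out list")
    # Only the five most recent passwords are blocked.
    if pw in {p.upper() for p in list(last_passwords)[-5:]}:
        problems.append("one of the last five passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for candidate in ("Blue42sky", "pass", "milk99", "aaa1", "?x y"):
        print(repr(candidate), check_password("MILLER", candidate))
```
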

Logging On

To access the R/3 System and its data, a user must log on to the system. A user must enter both user ID and password; it is not possible to have an empty password.

Before the user is admitted to the system, the system checks whether either of two conditions applies:

As user administrator, you can lock a user to prevent logons. You can find further details in Locking and Unlocking User Master Records.

You can specify how long passwords remain valid in the system profile. By default, there is no limit on the validity of passwords.

A user cannot change a password more than once a day. The system requires both the user’s current password and two matching entries of the new password.

If the user ID and password are correct, then the system displays the date and time of the user’s last logon. With the date and time, the user can check that no suspicious logon activity has occurred, such as a logon in the middle of the night. The logon date and time cannot be changed in a standard production R/3 System. The system does not record the logoff date and time.

Logon Errors

If a user has not entered a valid user ID, the system allows the logon attempt to continue until the user enters a valid user ID. User IDs, and passwords as well, are not case-sensitive. A user can enter his or her user ID in lowercase, uppercase, or a combination of both.

If a user enters an incorrect password, then the system allows the user two retries before terminating the logon attempt. Should the user continue to enter an incorrect password in subsequent logon attempts, then the system automatically locks the user against further logon attempts. The default maximum number of consecutive incorrect password entries is set to 12. You can set both of these incorrect logon limits to any value between 1 and 99. For more information, see Setting Password Controls.

A user who was locked because of too many incorrect passwords is automatically unlocked at midnight of the day the lock was set. A user administrator can unlock the user at any time.