Configuring the Security Policy for User IDs and Passwords

Context

The user management engine (UME) enables you to define security policies that control aspects such as the length and content of user passwords and logon IDs, or how the system carries out password checks. The UME checks for compliance with this policy in the following instances:

  • When users log on to SAP NetWeaver Application Server (AS) Java

    Disabled by default, but you can enable it.

  • When users register themselves using the self-registration features of the UME

  • When users or administrators change user passwords with the UME

  • When administrators create new users with the UME

If the security policy is not adhered to, the UME provides detailed error messages where possible.

Procedure


  1. Start user management configuration.

    For more information, see Configuring User Management.

  2. Choose the Security Policy tab.

  3. Choose the Modify Configuration pushbutton.

  4. Select an existing security policy profile or create a new one.

  5. Enter data as required.

    The following table provides recommendations and explanations for some of the security policy settings. The table is not a complete list of settings.

    Setting

    Supplemental Information

    Minimum or Maximum Length of Logon ID

    These settings are only checked when creating a logon ID. Afterwards they are ignored.

    Minimum Number of <character type> in Password

    Enter 0 to place no restriction on how many or how few characters of a specific type (for example, mixed case, or letters and numbers) a user must include in the password.

    Size of Password History

    Although you can configure this setting freely, a useful value might be 5. Use a value that is appropriate for your needs.

    Enter 0 if your data source already has its own password history checking mechanism, unless you also maintain users in the AS Java database for whom you want to keep a password history.

    Allow Users to Change Their Own Passwords

    Leave this checkbox empty when your data source is an LDAP server with read-write access and you want business users to change their passwords through the LDAP directory rather than through UME self-management.

    Auto Unlock Time (Minutes)

    The auto unlock function does not reset the number of failed logon attempts when it unlocks a user. A user unlocked with this function may therefore still have a number of failed logon attempts on record, so a single further failed logon locks the user again immediately.

    Enter 0 to deactivate this option. In this case, the user remains locked until unlocked by an administrator.

    Password Validity Period (Days)

    Once the user sets or receives a password, it is valid for the set number of days. After this period, the user must set a new password at the next logon attempt.

    Enter 0 to deactivate this option. In this case, the password never expires.

    Enforce Password Security Policy at Logon

    Select this checkbox to ensure that, after you change the security policy, users whose existing passwords no longer comply must set a compliant password at their next logon.

  6. Save your entries.
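The following Python model is an added illustration of how the settings in the table above interact; it is not SAP code and does not call the UME API. It uses the setting names from the table as attribute names, stores passwords in clear text only to keep the demonstration short (a real system compares hashes), and assumes a lock threshold of three failed logons (max_failed_logons) and that a successful logon clears the failure counter, neither of which this page states. The auto unlock path reproduces the caveat from the table: the lock is cleared, the failure counter is not, so the next failed logon locks the user again at once.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SecurityPolicy:
    # Attribute names follow the settings table above; the values are constructed.
    min_logon_id_length: int = 4
    max_logon_id_length: int = 12
    min_password_length: int = 8
    min_letters: int = 1               # "Minimum Number of <type>": 0 = no restriction
    min_digits: int = 1
    password_history_size: int = 5     # 0 = leave history checking to the data source
    password_validity_days: int = 90   # 0 = passwords never expire
    auto_unlock_minutes: int = 30      # 0 = locked until an administrator unlocks
    enforce_at_logon: bool = True      # "Enforce Password Security Policy at Logon"
    max_failed_logons: int = 3         # assumed threshold; not a setting named on this page


@dataclass
class UserState:
    logon_id: str
    password_history: List[str] = field(default_factory=list)  # oldest first
    password_set_at: Optional[datetime] = None
    failed_logons: int = 0
    locked_at: Optional[datetime] = None


def check_logon_id(policy: SecurityPolicy, logon_id: str) -> List[str]:
    """Length limits apply only when the ID is created; returns detailed messages."""
    errors = []
    if len(logon_id) < policy.min_logon_id_length:
        errors.append(f"logon ID shorter than {policy.min_logon_id_length} characters")
    if len(logon_id) > policy.max_logon_id_length:
        errors.append(f"logon ID longer than {policy.max_logon_id_length} characters")
    return errors


def password_content_errors(policy: SecurityPolicy, password: str) -> List[str]:
    """Length and character-type rules; a minimum of 0 switches the rule off."""
    errors = []
    if len(password) < policy.min_password_length:
        errors.append(f"password shorter than {policy.min_password_length} characters")
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    if policy.min_letters and letters < policy.min_letters:
        errors.append(f"fewer than {policy.min_letters} letters")
    if policy.min_digits and digits < policy.min_digits:
        errors.append(f"fewer than {policy.min_digits} digits")
    return errors


def set_password(policy: SecurityPolicy, user: UserState, password: str,
                 now: datetime) -> List[str]:
    """Content rules plus the history check; the password is stored only on success."""
    errors = password_content_errors(policy, password)
    if policy.password_history_size:
        recent = user.password_history[-policy.password_history_size:]
        if password in recent:
            errors.append(f"password is among the last {policy.password_history_size} used")
    if not errors:
        user.password_history.append(password)
        user.password_set_at = now
    return errors


def password_expired(policy: SecurityPolicy, user: UserState, now: datetime) -> bool:
    if policy.password_validity_days == 0 or user.password_set_at is None:
        return False
    return now - user.password_set_at >= timedelta(days=policy.password_validity_days)


def must_change_password(policy: SecurityPolicy, user: UserState, now: datetime) -> bool:
    """Logon-time decision: expiry always counts; the content rules are re-checked
    against the current password only when enforcement at logon is selected."""
    if password_expired(policy, user, now):
        return True
    current = user.password_history[-1] if user.password_history else ""
    return policy.enforce_at_logon and bool(password_content_errors(policy, current))


def record_failed_logon(policy: SecurityPolicy, user: UserState, now: datetime) -> None:
    user.failed_logons += 1
    if user.failed_logons >= policy.max_failed_logons:
        user.locked_at = now


def record_successful_logon(user: UserState) -> None:
    user.failed_logons = 0   # assumed: a successful logon clears the counter


def is_locked(policy: SecurityPolicy, user: UserState, now: datetime) -> bool:
    """Auto unlock clears the lock but, as the table notes, NOT the failure counter."""
    if user.locked_at is None:
        return False
    if policy.auto_unlock_minutes == 0:
        return True           # stays locked until an administrator intervenes
    if now - user.locked_at >= timedelta(minutes=policy.auto_unlock_minutes):
        user.locked_at = None
        return False
    return True


if __name__ == "__main__":
    policy, user = SecurityPolicy(), UserState("alice")
    t0 = datetime(2024, 1, 1, 9, 0)
    print(set_password(policy, user, "Winter2024x", t0))        # [] : accepted
    for _ in range(policy.max_failed_logons):
        record_failed_logon(policy, user, t0)
    print(is_locked(policy, user, t0 + timedelta(minutes=30)))  # False: auto unlocked
    record_failed_logon(policy, user, t0 + timedelta(minutes=31))
    print(is_locked(policy, user, t0 + timedelta(minutes=31)))  # True : locked again
```

Running the block shows the relock sequence; a successful logon (record_successful_logon) is the only thing in this model that resets the counter, which is the behaviour an administrator should expect when choosing an auto unlock time instead of 0.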

Results

The policy now applies to all users to whom it has been assigned. If you selected the Enforce Password Security Policy at Logon option, the new policy is enforced at each user's next logon. Otherwise the policy is only checked the next time the user changes their password.

Next Steps

Password Management