Password Rules

Password rules define what form a password can take in SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP. Some rules are predefined in the system, while others you can configure with the security policy or with profile parameters.

Rule: The password must be at least 3 characters long.
Comment: Configurable with security policy or profile parameters.

Rule: The password cannot be more than 40 characters long.
Comment: Predefined by the system.

Rule: Any Unicode character can be used. The system differentiates between uppercase and lowercase.
Comment: You can configure how many digits, letters, and special characters are required in new passwords with the security policy or profile parameters.

Rule: The first character cannot be an exclamation point (!) or a question mark (?).
Comment: Predefined by the system.

Rule: The first three characters cannot all be the same. For example, AAA is not allowed.
Comment: Predefined by the system.

Rule: The password may not be in the list of impermissible passwords (table USR40).
Comment: Configurable. By default, all passwords except PASS and SAP* are allowed.
The list contains character combinations or terms in which the asterisk (*) and the question mark (?) can be used as placeholders: the asterisk (*) stands for any character sequence, the question mark (?) for a single character.
If you break this password rule when assigning initial passwords in user maintenance as an administrator, you only receive a warning.

Rule: The password may not be PASS or SAP*.
Comment: Predefined by the system.

Rule: If the user changes the password, the new password cannot be the same as any of the user's last <n> passwords.
Comment: Configurable with security policy or profile parameters.
You can set the size of the password history (up to 100 passwords chosen by the user).
You can reset a user's password to any initial password, and therefore also to one of the user's last <n> passwords. This is necessary because you, as the administrator, should not know the users' passwords, not even past ones. At the first interactive logon, the system prompts the user to change the initial password.

Rule: Users can only change their password after they have entered the old password correctly.
Comment: Predefined by the system.
Users can change the password by choosing System > User Profile > Own Data (transaction SU3).

Rule: Users can only change their passwords again after a wait period.
Comment: Configurable with security policy or profile parameters.
The system can reject all password changes during the wait period (in days). If you, as an administrator, change a user's password, the user must change this initial password at the next logon, regardless of when he or she last changed it.
System administrators can still change passwords as often as necessary.

Rule: The password must contain at least <n> lowercase letters.
Comment: Configurable with security policy or profile parameters.

Rule: The password must contain at least <n> uppercase letters.
Comment: Configurable with security policy or profile parameters.

Rule: At least one character in the new password must be different from the old password.
Comment: Configurable with security policy or profile parameters.

Rule: The current password must conform to the current password rules; if it does not, the user must change it the next time he or she logs on.
Comment: Configurable with security policy or profile parameters.

Rule: An unused productive password (a password set by the user) is valid for a maximum of <n> days.
Comment: Configurable with security policy or profile parameters.
After this period has expired, the user can no longer use the password for authentication. The user can still use another logon method, such as an X.509 certificate. You, as the user administrator, can reactivate password-based logon for this user by assigning a new initial password.

Rule: An unused initial password (a password set by the administrator) is valid for a maximum of <n> days.
Comment: Configurable with security policy or profile parameters.
After this period has expired, the user can no longer use the password for authentication. The user can still use another logon method, such as an X.509 certificate. You, as the user administrator, can reactivate password-based logon for this user by assigning a new initial password.
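The rules above, written out as a candidate-password checker (an added example, not SAP code) so that an administrator can see which rule a proposed password or USR40 entry trips; the treatment of USR40 matching as case-insensitive and of "special character" as any non-alphanumeric character are assumptions not stated on this page.

```python
import re

MAX_LEN = 40                         # predefined by the system
ALWAYS_FORBIDDEN = {"PASS", "SAP*"}  # predefined, regardless of USR40 content

def usr40_regex(entry):
    """Translate a USR40 entry: '*' = any character sequence, '?' = exactly one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry]
    # Assumption: entries are matched case-insensitively (not stated on this page).
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def check_password(new, old=None, history=(), usr40=(), min_len=3,
                   min_digits=0, min_lower=0, min_upper=0, min_special=0):
    """Return the list of rules the candidate password violates; [] means accepted."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if len(new) > MAX_LEN:
        problems.append("too long")
    if new[:1] in ("!", "?"):
        problems.append("starts with ! or ?")
    if len(new) >= 3 and len(set(new[:3])) == 1:
        problems.append("first three characters identical")
    if new.upper() in ALWAYS_FORBIDDEN:
        problems.append("PASS/SAP* not allowed")
    for entry in usr40:                       # impermissible-password list with placeholders
        if usr40_regex(entry).match(new):
            problems.append(f"matches USR40 entry {entry}")
            break
    # Assumption: "special" means any character that is neither a letter nor a digit.
    counts = {
        "digits": sum(c.isdigit() for c in new),
        "lowercase": sum(c.islower() for c in new),
        "uppercase": sum(c.isupper() for c in new),
        "special": sum(not c.isalnum() for c in new),
    }
    for kind, need in (("digits", min_digits), ("lowercase", min_lower),
                       ("uppercase", min_upper), ("special", min_special)):
        if counts[kind] < need:
            problems.append(f"fewer than {need} {kind}")
    if old is not None and new == old:        # at least one character must differ
        problems.append("identical to old password")
    if new in history:                        # exact, case-sensitive comparison
        problems.append("found in password history")
    return problems
```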