
Configuring the Security Policy for User IDs and Passwords

Context

The user management engine (UME) enables you to define security policies that control aspects such as the length and content of user passwords and logon IDs, or how the system carries out password checks. The UME checks for compliance with this policy in the following instances:

  • When users log on to SAP NetWeaver Application Server (AS) Java

    Disabled by default, but you can enable it.

  • When users register themselves using the self-registration features of the UME

  • When users or administrators change user passwords with the UME

  • When administrators create new users with the UME

Note

If the UME cannot determine the security policy, it applies the default security policy as a fallback.

If the security policy is not adhered to, the UME provides detailed error messages where possible.

Caution

If the UME uses another system as the data source, ensure that the security policies you define here are consistent with those of the other system. For example, if you define one password length here but users are restricted to shorter passwords in the back-end system, this can lead to logon problems. If you use the user management of an ABAP system as the data source, these settings do not always apply.

For more information, see Integration of the UME Security Policy With External Data Source.

Procedure


  1. Start user management configuration.

    For more information, see Configuring User Management.

  2. Choose the Security Policy tab.

  3. Choose the Modify Configuration pushbutton.

  4. Select an existing security policy profile or create a new one.

    Note

    You can edit only the Default or custom security policy profiles in the user interface of the identity management application. Changing the Default security policy profile also makes the corresponding changes in the Technical User security policy profile. You can change the properties of the Default profile, and consequently of the Technical User profile, using the UME properties. However, if you modify the password expiration property for the Default security profile, this change does not affect the Technical User security policy profile, because the password of the Technical User security policy profile never expires.

  5. Enter data as required.

    The following list provides recommendations and explanations for some of the security policy settings. It is not a complete list of settings.

      • Minimum or Maximum Length of Logon ID

        These settings are checked only when a logon ID is created. Afterwards they are ignored.

      • Minimum Number of <character type> in Password

        Enter 0 to place no restriction on how many or how few characters of a specific type (for example, mixed case, or letters and numbers) a user must enter.

      • Size of Password History

        Although you can configure this setting freely, a useful value might be 5. Use a value that is appropriate for your needs.

        Enter 0 if your data source already has a password history checking mechanism, unless you maintain users in the AS Java database for whom you want to maintain a password history.

      • Allow Users to Change Their Own Passwords

        Recommendation

        We recommend that you select this checkbox. You need this setting for self-management of passwords.

        When deselected, only an administrator (a user with change rights for users) can change a user's password. A user whose password has expired cannot change it; an administrator must reset it.

        Leave this checkbox empty when you have an LDAP server with read-write access as the data source and you want business users to change their passwords through the LDAP server rather than through self-management.

      • Auto Unlock Time (Minutes)

        The auto unlock function does not reset the number of failed logon attempts when it unlocks a user. A user unlocked by this function may therefore already have a number of failed logon attempts, causing the user to be locked again immediately on the next failed logon.

        Enter 0 to deactivate this option. In this case, the user remains locked until unlocked by an administrator.

      • Password Validity Period (Days)

        Once the user sets or receives a password, it is valid for the set number of days. After this period, the user must set a new password during his or her next logon attempt.

        Enter 0 to deactivate this option. In this case, the password never expires.

      • Enforce Password Security Policy at Logon

        Select this checkbox to ensure that users have compliant passwords after you change the security policy.

        Note

        Before you enable this feature, consider whether you want to force users in an existing data source to use the current UME security policy. This is especially relevant if the UME security policy is more stringent than that of an external data source, such as a directory server.

  6. Save your entries.
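As an added example (not SAP code) of the Auto Unlock Time caveat in step 5: a small Python model of a lockout counter in which auto unlock lifts the lock but does not reset the failed-attempt count, next to a hypothetical reset-on-unlock variant for contrast. The policy class, the threshold of 3 attempts and the timings are assumptions constructed for the example; the UME's own implementation is not shown.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_failed_attempts: int   # lock the user after this many failed logons
    auto_unlock_minutes: int   # 0 = user stays locked until an administrator unlocks

@dataclass
class UserState:
    failed_attempts: int = 0
    locked_at: Optional[int] = None   # minute at which the lock was set; None if unlocked

def is_locked(user, policy, now):
    """Locked unless auto unlock is active and its interval has elapsed."""
    if user.locked_at is None:
        return False
    if policy.auto_unlock_minutes == 0:
        return True
    return now - user.locked_at < policy.auto_unlock_minutes

def failed_logon(user, policy, now, reset_counter_on_auto_unlock=False):
    """Record one failed logon at minute `now`; return "locked" or "failed".
    The default (False) models the documented behaviour: auto unlock lifts the
    lock but keeps the failure counter, so the next failure re-locks at once.
    True is the contrasting, hypothetical behaviour that resets the counter."""
    if is_locked(user, policy, now):
        return "locked"
    if user.locked_at is not None:   # lock interval has elapsed: auto unlock applies
        user.locked_at = None
        if reset_counter_on_auto_unlock:
            user.failed_attempts = 0
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_failed_attempts:
        user.locked_at = now
        return "locked"
    return "failed"

def simulate(attempt_minutes, policy, reset_counter_on_auto_unlock=False):
    """Replay a constructed sequence of failed-logon minutes; collect each outcome."""
    user = UserState()
    return [failed_logon(user, policy, t, reset_counter_on_auto_unlock)
            for t in attempt_minutes]

# Constructed scenario: lock after 3 failures, auto unlock after 30 minutes;
# failures at minutes 0, 1, 2 (lock), 10 (still locked) and 33 (lock elapsed).
POLICY = LockoutPolicy(max_failed_attempts=3, auto_unlock_minutes=30)
ATTEMPTS = [0, 1, 2, 10, 33]
print(simulate(ATTEMPTS, POLICY))        # ['failed', 'failed', 'locked', 'locked', 'locked']
print(simulate(ATTEMPTS, POLICY, True))  # ['failed', 'failed', 'locked', 'locked', 'failed']
```

The last attempt shows the documented effect: the lock had expired, but the retained counter means the single new failure locks the user again, whereas the reset variant merely records one failure.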

Results

The policy is now valid for all users to whom it has been assigned. If you selected the Enforce Password Security Policy at Logon option, the new policy is enforced at the next logon. Otherwise, the policy is checked only the next time the user changes their password.