
Profile Parameters for Logon and Password (Login Parameters)

Use profile parameters to set password and logon rules.

These profile parameters define the minimum requirements for passwords. You cannot set upper limits for password rules, except for generated passwords. For example, users can use any number of special characters in their passwords, as long as they follow the other password rules.

The profile parameters replaced by security policies are shown in the last table. You can continue to use these parameters instead of the security policies. However, in this case, you cannot control the system behavior on a user-specific basis.

Note

To make the parameters globally effective in an ABAP System (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, set the parameters in the profiles of the system application servers.

To display the parameter documentation, in the profile parameter maintenance tool (transaction RZ11), enter the parameter name and choose Display. On the next screen, choose the Documentation button.

Table 1: Password Rules

Parameter

Value

Description

login/password_charset

Default: 1

Permissible values:

  • 0:

    Restrictive. The password can only consist of digits, letters, and the following (ASCII) special characters: !"@ $%&/()=?'*+~#-_.,;:{[]}\<>, and space and the grave accent.

  • 1:

    Backward compatible. The password can consist of any characters including national special characters (such as ä, ç, ß from ISO Latin-1, 8859-1). However, all characters that are not contained in the set above (for value = 0) are mapped to the same special character, and the system therefore does not differentiate between them.

  • 2:

    Not backward compatible. The password can consist of any characters. It is converted internally into the Unicode format UTF-8. If your system does not support Unicode, you may not be able to enter all characters on the logon screen; the characters you can enter are limited to the code page specified by the system language.

This parameter defines the characters of which a password can consist.

Caution

With login/password_charset = 2, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 2.

Table 2: Password Hash

Parameter

Value

Description

login/password_downwards_compatibility

Default: 1

Permissible values:

  • 0:

    Stores passwords in a format that systems with older kernels cannot interpret. The system only generates new (non-backward-compatible) password hash values.

  • 1:

    The system also generates backward compatible password hash values internally, but does not evaluate these for password-based logons (to its own system). This setting is required if you use this system as the central system of a Central User Administration and systems that only support backward compatible password hash values are also connected to the system group.

  • 2:

    The system also generates backward compatible password hash values internally, which it evaluates if a logon with the new, non-backward compatible password failed. In this way, the system checks whether the logon would have been accepted with the backward compatible password (truncated after eight characters, and converted to upper-case). The system records this in the system log. The logon fails. This setting is to allow the identification of backward incompatibility problems.

  • 3:

    As with 2, but the logon is regarded as successful. This setting is to allow the avoidance of backward incompatibility problems.

  • 4:

    As with 3, but the system does not create an entry in the system log.

  • 5:

    Full backward compatibility: the system only creates backward compatible password hash values.

Specifies the degree of backward compatibility.

Caution

With login/password_downwards_compatibility = 0, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 0.
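The following is an added example, not SAP code: it models the two legacy normalisations described above (the character mapping of login/password_charset = 1 and the 8-character, upper-case hash input evaluated by login/password_downwards_compatibility) and the logon outcome for each compatibility value, to show which distinct passwords become indistinguishable. The stand-in character `?`, the function names and the sample passwords are assumptions.

```python
# Added example, not SAP code: models the legacy normalisations described on
# this page and the fallback decision per login/password_downwards_compatibility.

# ASCII special characters allowed with login/password_charset = 0 (from the page).
CHARSET0_SPECIALS = set('!"@$%&/()=?\'*+~#-_.,;:{[]}\\<>') | {" ", "`"}

def canonical_charset1(password: str) -> str:
    """Charset value 1: every character outside the charset-0 set is mapped to
    one shared stand-in. Assumption: '?' plays that role here; the page does
    not name the character the system actually uses."""
    return "".join(
        ch if ch.isascii() and (ch.isalnum() or ch in CHARSET0_SPECIALS) else "?"
        for ch in password
    )

def downward_compatible_form(password: str) -> str:
    """Input to the backward-compatible hash: truncated after 8 characters and
    converted to upper case, as the description of value 2 states."""
    return password[:8].upper()

def fallback_decision(level: int, new_hash_ok: bool, old_hash_ok: bool):
    """Logon outcome for one login/password_downwards_compatibility value.
    Returns (logon_succeeds, syslog_entry_written). With level 5 only the
    backward-compatible hash exists, so new_hash_ok is ignored. The syslog
    entry is modelled as written when the legacy check would have accepted."""
    if level == 5:
        return old_hash_ok, False
    if new_hash_ok:
        return True, False
    if level in (0, 1):            # legacy hash absent (0) or never evaluated (1)
        return False, False
    if level == 2:                 # evaluates and logs, but the logon still fails
        return False, old_hash_ok
    if level == 3:                 # accepts and logs
        return old_hash_ok, old_hash_ok
    if level == 4:                 # accepts without a system log entry
        return old_hash_ok, False
    raise ValueError(f"unknown level {level}")

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    print(canonical_charset1("Müller!2024") == canonical_charset1("Möller!2024"))          # True
    print(downward_compatible_form("Winter2024!x") == downward_compatible_form("winter20"))  # True
    print(fallback_decision(3, new_hash_ok=False, old_hash_ok=True))                        # (True, True)
```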

login/password_hash_algorithm

Default: Depends on the kernel version

Permissible values: see SAP Note 991968 (unit: special character string).

Specifies the hash procedure and the coding format for the calculation of new password hash values. You do not usually need to change the default value set by the kernel.

Note

If the profile parameter login/password_downwards_compatibility has the value 5, only backward compatible passwords are permissible. This means that the parameter login/password_hash_algorithm would be meaningless.

Table 3: Multiple Logon

Parameter

Value

Description

login/disable_multi_gui_login

Default: 0

Permissible values: 0, 1

  • 1: The system blocks multiple dialog logons in the same client and under the same user name.

Controls the deactivation of multiple dialog logons

login/multi_login_users

Default: <empty_list>

List of excepted users, that is, the users that are permitted to log on to the system more than once.

Table 4: Incorrect Logon

Parameter

Value

Description

login/fails_to_session_end

Default: 3

Permissible values: 1 - 99

Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. Set the parameter to a value lower than the value of parameter login/fails_to_user_lock.

Table 5: Logon with Single Sign-On (SSO) Ticket

Parameter

Value

Description

login/accept_sso2_ticket

Default: 0

Permissible values:

  • 0: Logon with an SSO ticket is deactivated.

  • 1: Logon with an SSO ticket is permitted

Allows or blocks logon using an SSO ticket.

login/create_sso2_ticket

Default: 0

Permissible values:

  • 0: Ticket generation is deactivated

  • 1: SSO ticket including certificate

  • 2: SSO ticket without certificate

Allows the creation of SSO tickets.

Recommendation

We recommend you set this to 2. The SSO tickets are significantly smaller without the certificate and therefore have less overhead.

login/ticket_expiration_time

Default value: 8 (in hours)

Defines the validity period of an SSO ticket.

login/ticket_only_by_https

Default: 0

Permissible values:

  • 0: Browser always sends ticket.

  • 1: Browser only sends ticket for HTTPS connections.

Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser.

login/ticket_only_to_host

Default: 0

Permissible values:

  • 0: Sends the ticket to all servers in the domain.

  • 1: When logging on over HTTP(S), sends the ticket only to the server that created the ticket.

Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser.

Table 6: Other Logon Parameters

Parameter

Value

Description

login/disable_cpic

Default: 0

Permissible values: 0, 1 (Boolean)

1: Refuses inbound connections of type CPIC. Inbound connections of type RFC remain unaffected.

Refuse inbound connections of type CPIC

login/no_automatic_user_sapstar

Default: 1, that is, you need to explicitly activate the emergency user

Permissible values: 0, 1

Controls the emergency user SAP*.

For more information, see SAP Notes 2383 and 68048.

login/server_logon_restriction

Default: 0

Permissible values:

  • 0: Normal operation. Users can log on to the system normally.

  • 1: Only users with the security policy attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to the system.

  • 2: No users can log on to the system.

Use this profile parameter to prevent other users from logging on to the system. This can be useful during system maintenance.

This feature requires specific kernel releases. For more information, see SAP Note 1891583.

login/system_client

Default: 000

Permissible values: 000 - 999

Specifies the default client that the system automatically enters on the logon screen. Users can, however, overwrite the default value with a different client.

login/update_logon_timestamp

Default: m

Permissible values:

  • d: exact to the day

  • h: exact to the hour

  • m: exact to the minute

  • s: exact to the second (backward compatible)

Specifies the exactness of the logon timestamp.

Table 7: User Parameters

Parameter

Value

Description

rdisp/gui_auto_logout

Default: 0 (unrestricted)

Permissible values: Any numeric value

Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).

Table 8: Parameters Replaced by Security Policies

Parameter

Security Policy Attribute

Value

Description

login/min_password_lng

MIN_PASSWORD_LENGTH

Default: 6

Permissible values: 3 - 40

Defines the minimum length of the password.

login/min_password_digits

MIN_PASSWORD_DIGITS

Default Value: 0

Permissible values: 0 - 40

Defines the minimum number of digits (0-9) in passwords.

login/min_password_letters

MIN_PASSWORD_LETTERS

Default Value: 0

Permissible Values: 0 - 40

Defines the minimum number of letters (A-Z) in passwords.

login/min_password_lowercase

MIN_PASSWORD_LOWERCASE

Default Value: 0

Permissible Values: 0 - 40

Specifies how many characters in lower-case letters a password must contain.

login/min_password_uppercase

MIN_PASSWORD_UPPERCASE

Default Value: 0

Permissible Values: 0 - 40

Specifies how many characters in upper-case letters a password must contain.

login/min_password_specials

MIN_PASSWORD_SPECIALS

Default Value: 0

Permissible Values: 0 - 40

Defines the minimum number of special characters in the password.

All characters that are not letters or digits are regarded as special characters.

login/password_compliance_to_current_policy

PASSWORD_COMPLIANCE_TO_CURRENT_POLICY

Default: 0

Permissible values:

  • 0: No Check

  • 1: During the password check, the system checks whether the current password fulfills the current password rules. If this is not the case, it forces a password change.

Checks the current password against the current security policy.

login/disable_password_logon

DISABLE_PASSWORD_LOGON

Default: 0

Permissible values:

  • 0: Password logon is possible

  • 1: Password logon is only possible for users in the group specified in the parameter login/password_logon_usergroup.

  • 2: Password logon is not possible in general

Controls the deactivation of password-based logon

This means that the user can no longer log on using a password, but only with single sign-on variants (X.509 certificate, logon ticket). See Logon Data Tab Page

login/password_logon_usergroup

DISABLE_PASSWORD_LOGON

Default: <empty_character_string>

Controls the deactivation of password-based logon for user groups

login/password_max_idle_productive

MAX_PASSWORD_IDLE_PRODUCTIVE

Default: 0: the check is deactivated

Permissible Values: 0 - 24,000 (in days)

Specifies the maximum period for which an unused productive password (a password set by the user) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password.

login/password_max_idle_initial

MAX_PASSWORD_IDLE_INITIAL

Default: 0: the check is deactivated

Permissible Values: 0 - 24,000 (in days)

Specifies the maximum period for which an unused initial password (a password set by the user administrator) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password.

This parameter replaces the profile parameters login/password_max_new_valid and login/password_max_reset_valid.

login/min_password_diff

MIN_PASSWORD_DIFFERENCE

Default: 1

Permissible values: 1 - 40

Defines the minimum number of characters that must be different in the new password compared to the old password.

login/password_expiration_time

PASSWORD_CHANGE_INTERVAL

Default: 0

Permissible Values: 0 - 1000 (in days)

Defines the validity period of passwords in days.

login/password_change_for_SSO

PASSWORD_CHANGE_FOR_SSO

Default: 1

Permissible values:

  • 0: Requirement to change password is ignored (backward compatible)

  • 1: Dialog box with options 2 and 3 (user decides)

  • 2: Password change dialog only (enter: old and new passwords)

  • 3: Deactivation of the password (automatically, no dialog box)

If the user logs on with single sign-on, checks whether the user must change his or her password.

login/password_change_waittime

MIN_PASSWORD_CHANGE_WAITTIME

Default: 5

Permissible values: 1 - 100 (number of entries)

Specifies the number of passwords (chosen by the user, not the administrator) that the system stores and that the user is not permitted to use again.

login/password_change_waittime

MIN_PASSWORD_CHANGE_WAITTIME

Default: 1

Permissible values: 1 - 1000 (in days)

Specifies the number of days that a user must wait before changing the password again.

login/fails_to_user_lock

MAX_FAILED_PASSWORD_LOGON_ATTEMPTS

Default: 5

Permissible values: 1 - 99

Defines the number of unsuccessful logon attempts before the system locks the user.

login/failed_user_auto_unlock

PASSWORD_LOCK_EXPIRATION

Default: 0: Locks due to incorrect logon attempts remain valid for an unlimited period

Permissible values: 0, 1

Defines whether user locks due to unsuccessful logon attempts are automatically removed at midnight.
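As an added example that is not SAP code, the following checker applies the password-rule attributes of Table 8 (minimum length, digits, letters, lower/upper case, specials, minimum difference) with the semantics and permissible ranges documented there. The policy dictionary, the function names, the ASCII-only letter classes and the position-by-position comparison for MIN_PASSWORD_DIFFERENCE are assumptions.

```python
# Added example, not SAP code: validates a security-policy fragment against the
# Table 8 ranges and checks a candidate password against its attributes.
import string

DEFAULT_POLICY = {  # page defaults
    "MIN_PASSWORD_LENGTH": 6, "MIN_PASSWORD_DIGITS": 0, "MIN_PASSWORD_LETTERS": 0,
    "MIN_PASSWORD_LOWERCASE": 0, "MIN_PASSWORD_UPPERCASE": 0,
    "MIN_PASSWORD_SPECIALS": 0, "MIN_PASSWORD_DIFFERENCE": 1,
}
# Permissible value ranges from Table 8; anything outside is a misconfiguration.
RANGES = {k: (0, 40) for k in DEFAULT_POLICY}
RANGES["MIN_PASSWORD_LENGTH"] = (3, 40)
RANGES["MIN_PASSWORD_DIFFERENCE"] = (1, 40)

ALNUM = string.ascii_letters + string.digits
CLASS_OF = {  # attribute -> character predicate; "special" = not a letter, not a digit
    "MIN_PASSWORD_DIGITS": lambda c: c in string.digits,
    "MIN_PASSWORD_LETTERS": lambda c: c in string.ascii_letters,
    "MIN_PASSWORD_LOWERCASE": lambda c: c in string.ascii_lowercase,
    "MIN_PASSWORD_UPPERCASE": lambda c: c in string.ascii_uppercase,
    "MIN_PASSWORD_SPECIALS": lambda c: c not in ALNUM,
}

def validate_policy(policy: dict) -> list:
    """Returns the attributes whose value lies outside the permissible range."""
    return [k for k, v in policy.items()
            if k in RANGES and not RANGES[k][0] <= v <= RANGES[k][1]]

def check_password(pw: str, policy: dict, old_pw: str = "") -> list:
    """Returns violated attributes in a fixed order (empty list = compliant).
    Missing policy keys fall back to the page defaults. Assumption: letter
    classes are ASCII A-Z/a-z, so national characters count as specials."""
    p = {**DEFAULT_POLICY, **policy}
    violations = []
    if len(pw) < p["MIN_PASSWORD_LENGTH"]:
        violations.append("MIN_PASSWORD_LENGTH")
    for attr, pred in CLASS_OF.items():
        if sum(1 for c in pw if pred(c)) < p[attr]:
            violations.append(attr)
    if old_pw:  # no old password for an initial password, so no difference check
        # Assumption: compared position by position; extra length counts as differing.
        diff = sum(a != b for a, b in zip(pw, old_pw)) + abs(len(pw) - len(old_pw))
        if diff < p["MIN_PASSWORD_DIFFERENCE"]:
            violations.append("MIN_PASSWORD_DIFFERENCE")
    return violations

if __name__ == "__main__":
    # Constructed policy and sample passwords, not real credentials.
    hardened = {"MIN_PASSWORD_LENGTH": 12, "MIN_PASSWORD_DIGITS": 2,
                "MIN_PASSWORD_UPPERCASE": 1, "MIN_PASSWORD_SPECIALS": 1}
    print(validate_policy(hardened))                                    # []
    print(check_password("correct-horse-42", hardened))                 # ['MIN_PASSWORD_UPPERCASE']
```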