The SAP GUI user ID and password authentication functions enable authorized users to access the AS ABAP by interactively providing a user ID and password. From the SAP Logon Pad, the user must choose the AS ABAP system, and subsequently specify the user ID, password and client system to log on to.
The AS ABAP security model requires that all users log on with valid authentication credentials. With user ID and password authentication, users enter their authentication credentials consisting of user ID, password and an AS ABAP client system.
A user must always provide both a user ID and password. When creating a user record you must specify an initial password for the user. To enable logging on without a password you can use Single Sign-On. For more information, see Single Sign-On for SAP GUI.
User ID and password authentication enables you to enforce access control to your AS ABAP systems with an authentication mechanism that offers basic access protection and requires relatively little security configuration effort.
In complex system landscapes where users must log on to multiple systems, however, user ID and password authentication increases the workload for users, who must enter their user IDs and passwords repeatedly to access the systems.
In addition, the overall security of your systems could be reduced because of the greater number of passwords that users must keep secret. Because passwords must be kept secret, your systems can become vulnerable to social engineering attacks, in which a user's password is guessed or deceitfully obtained from the user.
For additional security when using user ID and password authentication, we recommend that you configure rules for password complexity and require users to change their passwords at regular intervals. In addition, you can develop authentication extensions to store the user's credentials on a secure medium, for example smart cards. For more information, see the SAP NetWeaver Library: Function-Oriented View.
The user password represents a secret form of authentication data that is used to establish the user's identity. Therefore, a critical element in protecting access to your AS ABAP systems is maintaining the secure storage and transport of entered user passwords. After users provide their passwords, the SAP GUI uses hashing algorithms to disguise the password and ensure the confidentiality and integrity of the password during its transport and storage.
As of SAP NetWeaver 6.40, the password hash algorithm changed from MD5 to SHA-1. This means that more secure hash values, which are not downward-compatible and which make reverse engineering attacks more difficult, can be generated. By default, new systems generate two hash values: a downward-compatible value and a new value. You can configure the system so that only the new hash value is generated.
For more information, see the information about profile parameter login/password_downwards_compatibility in Password Rules.
After the AS ABAP system receives the user's authentication information, it performs the following checks before granting access:
1. Whether the user has a password and whether the user is permitted to log on with a password.
2. Whether the user has been locked and is therefore not allowed to log on:
   - The user administrator can lock a user to prevent the user from logging on to the system. For more information, see the Lock/Unlock section of User Maintenance Functions.
   - The system also sets a logon lock if the user exceeds the permitted number of logon attempts (only for password-based logons).
3. Whether the user's authentication credentials (logon data) are correct.
4. Whether the user must set a new password. Users must set a new password if the current password is an initial password, has expired, or has been reset by the administrator. You can specify how long passwords remain valid in the system profile. By default, there is no limit on the validity of passwords.
If the user ID and password are correct, then the system displays the date and time of the user's last logon under. With the date and time, the user can check that no suspicious logon activity has occurred. The logon date and time cannot be changed in a standard production system. The system does not record the logoff date and time.
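The check sequence above, including the logon lock after too many failed attempts, password expiry from the configured validity period, and the last-logon report on success, as an added illustrative model written for this page (not SAP's implementation; the record fields, the attempt limit of 3 and the SHA-1 stand-in for the system's hash format are assumptions):

```python
# Simplified model of the AS ABAP logon checks described on this page. This is
# illustrative code added for the page, not SAP's implementation: the field names,
# the attempt limit and the hash scheme are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 3  # assumed value for the permitted number of logon attempts

@dataclass
class UserRecord:
    user_id: str
    password_hash: Optional[str]         # None: no password, so no password logon
    admin_locked: bool = False           # lock set by the user administrator
    failed_attempts: int = 0             # wrong passwords since the last success
    must_change: bool = False            # initial password, or reset by the administrator
    password_set_on: str = "2024-01-01"  # ISO date (constructed sample value)
    validity_days: Optional[int] = None  # None: passwords never expire (the default)
    last_logon: Optional[str] = None

def hash_password(password: str) -> str:
    """Stand-in for the system's password hash (simplified; not SAP's hash format)."""
    return hashlib.sha1(password.encode()).hexdigest()

def check_logon(user: UserRecord, password: str, today: str, now: str) -> str:
    """Run the checks in the order the page lists them and return the outcome."""
    # 1. Does the user have a password, i.e. is a password logon possible at all?
    if user.password_hash is None:
        return "DENIED_NO_PASSWORD_LOGON"
    # 2. Is the user locked, by the administrator or by too many failed attempts?
    if user.admin_locked or user.failed_attempts > MAX_FAILED_ATTEMPTS:
        return "DENIED_LOCKED"
    # 3. Are the credentials correct? Compare the hashes in constant time.
    if not hmac.compare_digest(user.password_hash, hash_password(password)):
        user.failed_attempts += 1
        if user.failed_attempts > MAX_FAILED_ATTEMPTS:
            return "DENIED_LOCKED"  # the logon lock is set once the limit is exceeded
        return "DENIED_WRONG_PASSWORD"
    # 4. Must the user set a new password (initial, reset, or expired)?
    expired = user.validity_days is not None and date.fromisoformat(today) > (
        date.fromisoformat(user.password_set_on) + timedelta(days=user.validity_days))
    if user.must_change or expired:
        return "PASSWORD_CHANGE_REQUIRED"
    # Success: reset the counter and report the previous logon so the user can spot misuse.
    previous, user.last_logon = user.last_logon, now
    user.failed_attempts = 0
    return f"OK last_logon={previous}"
```

Note that the lock check runs before the password comparison, so a locked user receives the same answer whether or not the supplied password is correct.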
For information about configuring the security protection mechanisms for user ID and password logon with the SAP GUI, see Logon and Password Security for SAP GUI.