
Security Policy Attributes for Logon and Passwords

Security policy attributes control the system behavior for password rules, password changes, and logon restrictions. For the users to whom a security policy is assigned, each attribute replaces the system-wide profile parameter listed beside it in the tables below.

Table 1: Security Policy Attributes for Password Rules

Each row lists the attribute, its allowed values, the profile parameter it replaces, and a description. Every rule in this table applies both when a new password is assigned and when an existing password is changed or reset. If profile parameter login/password_downwards_compatibility has the value 5, the system still uses the old 8-character hash format, so the upper bound of every character-class attribute drops to 8.

MIN_PASSWORD_LENGTH
  Allowed values: 3 - 40 (3 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_lng
  Description: Minimum length of a password.

MIN_PASSWORD_DIGITS
  Allowed values: 0 - 40 (0 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_digits
  Description: Minimum number of digits (0-9) that a password must contain.

MIN_PASSWORD_LETTERS
  Allowed values: 0 - 40 (0 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_letters
  Description: Minimum number of ASCII letters (A-Z and a-z) that a password must contain.

MIN_PASSWORD_LOWERCASE
  Allowed values: 0 - 40 (0 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_lowercase
  Description: Minimum number of ASCII lower-case letters (a-z) that a password must contain.

MIN_PASSWORD_UPPERCASE
  Allowed values: 0 - 40 (0 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_uppercase
  Description: Minimum number of ASCII upper-case letters (A-Z) that a password must contain.

MIN_PASSWORD_SPECIALS
  Allowed values: 0 - 40 (0 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_specials
  Description: Minimum number of special characters that a password must contain. Every character that is neither a digit (0-9) nor an ASCII letter (A-Z, a-z) counts as a special character: the ASCII characters !"@ $%&/()=?'`*+~#-_.,;:{[]}\<>| as well as national special characters and, in a Unicode system, any other Unicode character.

CHECK_PASSWORD_BLACKLIST
  Allowed values: String
  Replaces profile parameter: None
  Description: Defines whether the system compares a password that is being assigned or changed with a negative list of forbidden passwords. If an administrator assigns a forbidden password, the system displays only a warning, after which the administrator can choose to continue.

Table 2: Security Policy Attributes for Changing Passwords

Each row lists the attribute, its allowed values, the profile parameter it replaces, and a description.

PASSWORD_COMPLIANCE_TO_CURRENT_POLICY
  Allowed values: 0: No check; 1: Check whether a change is required
  Replaces profile parameter: login/password_compliance_to_current_policy
  Description: Controls whether, at a logon with a password, the system checks that the password used still fulfills the current password rules and, if it does not, prompts the user to change it. Users of the types service and system are never required to change their passwords and are therefore not affected by this rule.

MIN_PASSWORD_DIFFERENCE
  Allowed values: 1 - 40 (1 - 8 if login/password_downwards_compatibility = 5)
  Replaces profile parameter: login/min_password_diff
  Description: Minimum number of characters in which the new password must differ from the old password.

PASSWORD_CHANGE_INTERVAL
  Allowed values: 0 - 1000 (days); 0: passwords do not expire
  Replaces profile parameter: login/password_expiration_time
  Description: Defines whether, and after how many days since the last password change, the system prompts the user to change his or her (non-initial) password again. Users of the types service and system are not affected by this rule.

PASSWORD_CHANGE_FOR_SSO
  Allowed values:
    0: System ignores the requirement to change the password (backward compatible)
    1: User decides whether to change or delete the password (default setting)
    2: User must change the password
    3: Password is deleted automatically
  Replaces profile parameter: login/password_change_for_SSO
  Description: Determines what happens when a user who logs on with single sign-on has a pending requirement to change his or her password.

PASSWORD_HISTORY_SIZE
  Allowed values: 1 - 100
  Replaces profile parameter: login/password_history_size
  Description: Number of previous passwords that the system stores and that the user is not permitted to use again. Only passwords chosen by the user are stored, not passwords assigned by an administrator. This prevents users from effectively deactivating the requirement to change their passwords regularly by cycling through a few passwords.

MIN_PASSWORD_CHANGE_WAITTIME
  Allowed values: 1 - 1000 (days)
  Replaces profile parameter: login/password_change_waittime
  Description: Number of days that a user must wait before changing the password again. Forced password changes and password changes by an administrator are not affected and are possible immediately.
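The rules from Tables 1 and 2 as an offline model in Python. This is an added example for this page, not SAP code, and it does not talk to an AS ABAP system. The character classes follow the page's definition, so any character that is neither 0-9 nor an ASCII letter (including ü or ß) counts as a special character. The policy values, the position-by-position counting for MIN_PASSWORD_DIFFERENCE, the history being enforced for user changes only, and the rejection of a user-chosen blacklisted password are assumptions made for the example.

```python
import string
from dataclasses import dataclass

DIGITS = frozenset(string.digits)                 # 0-9, ASCII only
ASCII_LOWER = frozenset(string.ascii_lowercase)   # a-z
ASCII_UPPER = frozenset(string.ascii_uppercase)   # A-Z

# Permitted range (lower bound, upper bound) of each attribute, as in the tables.
RANGES = {
    "MIN_PASSWORD_LENGTH": (3, 40),
    "MIN_PASSWORD_DIGITS": (0, 40),
    "MIN_PASSWORD_LETTERS": (0, 40),
    "MIN_PASSWORD_LOWERCASE": (0, 40),
    "MIN_PASSWORD_UPPERCASE": (0, 40),
    "MIN_PASSWORD_SPECIALS": (0, 40),
    "MIN_PASSWORD_DIFFERENCE": (1, 40),
    "PASSWORD_HISTORY_SIZE": (1, 100),
}


@dataclass
class PasswordPolicy:
    """Values are hypothetical choices for this example, not SAP defaults."""
    MIN_PASSWORD_LENGTH: int = 8
    MIN_PASSWORD_DIGITS: int = 1
    MIN_PASSWORD_LETTERS: int = 1
    MIN_PASSWORD_LOWERCASE: int = 1
    MIN_PASSWORD_UPPERCASE: int = 1
    MIN_PASSWORD_SPECIALS: int = 1
    MIN_PASSWORD_DIFFERENCE: int = 3
    PASSWORD_HISTORY_SIZE: int = 5
    CHECK_PASSWORD_BLACKLIST: bool = True


def policy_range_errors(policy, downwards_compatibility=0):
    """Names of attributes set outside their permitted range. With
    login/password_downwards_compatibility = 5 the upper bound of every
    attribute except PASSWORD_HISTORY_SIZE drops to 8."""
    errors = []
    for attr, (lo, hi) in RANGES.items():
        if downwards_compatibility == 5 and attr != "PASSWORD_HISTORY_SIZE":
            hi = 8
        if not lo <= getattr(policy, attr) <= hi:
            errors.append(attr)
    return errors


def count_classes(pw):
    """Count characters per class as the page defines the classes: anything
    that is neither 0-9 nor an ASCII letter is 'special'."""
    c = {"digits": 0, "lower": 0, "upper": 0, "specials": 0}
    for ch in pw:
        if ch in DIGITS:
            c["digits"] += 1
        elif ch in ASCII_LOWER:
            c["lower"] += 1
        elif ch in ASCII_UPPER:
            c["upper"] += 1
        else:
            c["specials"] += 1
    c["letters"] = c["lower"] + c["upper"]
    return c


def positional_difference(old, new):
    """Assumption: differences are counted position by position, and any
    difference in length is added to the count."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_new_password(policy, new_pw, old_pw=None, history=(),
                       blacklist=frozenset(), by_admin=False):
    """Return (violations, warnings) as lists of attribute names; an empty
    violations list means the password is accepted."""
    violations, warnings = [], []
    counts = count_classes(new_pw)
    if len(new_pw) < policy.MIN_PASSWORD_LENGTH:
        violations.append("MIN_PASSWORD_LENGTH")
    for attr, key in (("MIN_PASSWORD_DIGITS", "digits"),
                      ("MIN_PASSWORD_LETTERS", "letters"),
                      ("MIN_PASSWORD_LOWERCASE", "lower"),
                      ("MIN_PASSWORD_UPPERCASE", "upper"),
                      ("MIN_PASSWORD_SPECIALS", "specials")):
        if counts[key] < getattr(policy, attr):
            violations.append(attr)
    if old_pw is not None and \
            positional_difference(old_pw, new_pw) < policy.MIN_PASSWORD_DIFFERENCE:
        violations.append("MIN_PASSWORD_DIFFERENCE")
    # The history holds only passwords the user chose; assumption: it is
    # enforced for user changes only, not for administrator resets.
    if not by_admin and new_pw in list(history)[-policy.PASSWORD_HISTORY_SIZE:]:
        violations.append("PASSWORD_HISTORY_SIZE")
    if policy.CHECK_PASSWORD_BLACKLIST and new_pw in blacklist:
        # Page: an administrator only gets a warning and may continue.
        # Assumption: a user who chooses a forbidden password is rejected.
        (warnings if by_admin else violations).append("CHECK_PASSWORD_BLACKLIST")
    return violations, warnings
```

Calling check_new_password(PasswordPolicy(), "Grüße2024") accepts the password because the two non-ASCII letters satisfy MIN_PASSWORD_SPECIALS, which is the behaviour a Unicode-system administrator should expect from the definition above; policy_range_errors(PasswordPolicy(MIN_PASSWORD_LENGTH=12), 5) shows why a 12-character minimum cannot be set while the downward-compatible hash format is still in use.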

Table 3: Security Policy Attributes for Logon Restrictions

Each row lists the attribute, its allowed values, the profile parameter it replaces, and a description.

DISABLE_PASSWORD_LOGON
  Allowed values: 0: Password logon is permitted (if possible); 1: Password logon is not possible
  Replaces profile parameters: login/disable_password_logon and login/password_logon_usergroup
  Description: Prevents the user from logging on to the system with a password.

DISABLE_TICKET_LOGON
  Allowed values:
    0: Logon tickets and authentication assertion tickets are permitted
    1: System rejects logon tickets but accepts authentication assertion tickets
    2: System rejects logon tickets and authentication assertion tickets
  Replaces profile parameter: None
  Description: Prevents the user from logging on to the system with a logon ticket or an authentication assertion ticket.

MAX_FAILED_PASSWORD_LOGON_ATTEMPTS
  Allowed values: 1 - 99
  Replaces profile parameter: login/fails_to_user_lock
  Description: Number of failed password logon attempts that a user can make before the system locks the password and rejects further password logon attempts.

MAX_PASSWORD_IDLE_INITIAL
  Allowed values: 0 - 24000 (days); 0: initial passwords are valid for an unrestricted period of time
  Replaces profile parameter: login/password_max_idle_initial
  Description: Maximum period between the last setting (or resetting) of an initial password and the next logon with this password. When setting up a new user account or resetting the password of an existing user, the user administrator assigns an initial password; at the next interactive logon the user must change it, so that the password is known only to that user. If the initial password is not used within the configured period, the system displays the message "Initial password has expired" and rejects the logon.

MAX_PASSWORD_IDLE_PRODUCTIVE
  Allowed values: 0 - 24000 (days); 0: productive passwords are valid for an unrestricted period of time
  Replaces profile parameter: login/password_max_idle_productive
  Description: Maximum period between the last change of a productive password and the next logon with this password. A productive password is a password set by the user (the user can change it again only after the waiting time defined by MIN_PASSWORD_CHANGE_WAITTIME has passed). If a productive password is not used within the configured period, the system displays the message "Password was not used for a long period and therefore deactivated" and rejects the logon.

PASSWORD_LOCK_EXPIRATION
  Allowed values: 0: Administrator must explicitly remove the password lock; 1: Password lock applies for a maximum of 24 hours (automatic unlocking)
  Replaces profile parameter: login/failed_user_auto_unlock
  Description: Defines whether the system automatically removes password locks that were set because of failed logon attempts. With automatic unlocking, a locked account becomes available to online password guessing again after 24 hours, so the lock slows such guessing down rather than stopping it.

SERVER_LOGON_PRIVILEGE
  Allowed values: 0: Users cannot log on to SAP NetWeaver Application Server ABAP when profile parameter login/server_logon_restriction is set to 1; 1: Users can log on to SAP NetWeaver Application Server ABAP when profile parameter login/server_logon_restriction is set to 1
  Replaces profile parameter: None (used together with login/server_logon_restriction)
  Description: You can restrict access to the server by setting the profile parameter login/server_logon_restriction. If you set this profile parameter, only users who are assigned a security policy containing the attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to SAP NetWeaver Application Server ABAP.
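The logon restrictions in Table 3 as an offline model in Python, so the interplay of the failure counter, automatic unlocking and the idle limits can be walked through on a fixed clock. This is an added example for this page, not SAP code. The policy values, the clock, the user records, the assumption that an idle limit is exceeded once more whole days than the attribute value have passed, and the assumption that the failure counter restarts when an automatic unlock happens are all constructed for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 6, 3, 9, 0)   # fixed clock so the walk-through is repeatable


def shifted(base, days=0, hours=0):
    return base + timedelta(days=days, hours=hours)


@dataclass
class LogonPolicy:
    """Hypothetical attribute values for the example, not SAP defaults."""
    DISABLE_PASSWORD_LOGON: int = 0
    DISABLE_TICKET_LOGON: int = 0
    MAX_FAILED_PASSWORD_LOGON_ATTEMPTS: int = 5
    MAX_PASSWORD_IDLE_INITIAL: int = 14        # days, 0 = unrestricted
    MAX_PASSWORD_IDLE_PRODUCTIVE: int = 180    # days, 0 = unrestricted
    PASSWORD_LOCK_EXPIRATION: int = 1          # 1 = lock lifts after 24 h
    SERVER_LOGON_PRIVILEGE: int = 1


@dataclass
class UserState:
    password: str                  # plain text only because this is a model
    password_initial: bool         # assigned by an administrator, not yet changed
    password_set_at: datetime      # last (re)set of an initial / last change of a productive password
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None


def password_lock_active(policy, user, now):
    """Lock caused by failed attempts. With PASSWORD_LOCK_EXPIRATION = 1 it
    lifts after 24 h (assumption: the failure counter restarts at 0 then)."""
    if user.locked_at is None:
        return False
    if policy.PASSWORD_LOCK_EXPIRATION == 1 and now - user.locked_at >= timedelta(hours=24):
        user.locked_at, user.failed_attempts = None, 0
        return False
    return True


def password_logon(policy, user, supplied, now, server_logon_restriction=0):
    """Evaluate one password logon; returns (accepted, reason) and updates the
    user's failure counter and lock the way the attributes describe."""
    if server_logon_restriction == 1 and policy.SERVER_LOGON_PRIVILEGE != 1:
        return False, "SERVER_LOGON_PRIVILEGE"
    if policy.DISABLE_PASSWORD_LOGON == 1:
        return False, "DISABLE_PASSWORD_LOGON"
    if password_lock_active(policy, user, now):
        return False, "PASSWORD_LOCKED"
    if not hmac.compare_digest(supplied.encode(), user.password.encode()):
        user.failed_attempts += 1
        if user.failed_attempts >= policy.MAX_FAILED_PASSWORD_LOGON_ATTEMPTS:
            user.locked_at = now
            return False, "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS"
        return False, "WRONG_PASSWORD"
    # Idle limits: assumption that the limit is exceeded once more whole days
    # than the attribute value have passed; 0 means no limit.
    idle_days = (now - user.password_set_at).days
    if user.password_initial:
        limit, message = policy.MAX_PASSWORD_IDLE_INITIAL, "Initial password has expired"
    else:
        limit, message = (policy.MAX_PASSWORD_IDLE_PRODUCTIVE,
                          "Password was not used for a long period and therefore deactivated")
    if limit and idle_days > limit:
        return False, message
    user.failed_attempts = 0
    return True, "CHANGE_REQUIRED" if user.password_initial else "OK"


def ticket_logon(policy, ticket_kind):
    """ticket_kind is 'logon' or 'assertion'; returns whether the ticket is accepted."""
    if policy.DISABLE_TICKET_LOGON == 2:
        return False
    if policy.DISABLE_TICKET_LOGON == 1 and ticket_kind == "logon":
        return False
    return True


def run_scenario():
    """Constructed walk-through: three wrong guesses lock the user, the lock
    lifts after 24 h, and later the never-changed initial password has aged out."""
    policy = LogonPolicy(MAX_FAILED_PASSWORD_LOGON_ATTEMPTS=3)
    alice = UserState(password="Init-2024!", password_initial=True,
                      password_set_at=shifted(NOW, days=-10))
    steps = [password_logon(policy, alice, guess, NOW) for guess in ("a", "b", "c")]
    steps.append(password_logon(policy, alice, "Init-2024!", shifted(NOW, hours=1)))
    steps.append(password_logon(policy, alice, "Init-2024!", shifted(NOW, hours=25)))
    steps.append(password_logon(policy, alice, "Init-2024!", shifted(NOW, days=20)))
    return steps
```

run_scenario() returns the six outcomes in order: two WRONG_PASSWORD results, the lock on the third failure, PASSWORD_LOCKED one hour later, a successful logon with CHANGE_REQUIRED once the 24-hour lock has lifted, and finally "Initial password has expired" because 30 days have passed since the administrator set the initial password and the user never changed it.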