Security policy attributes control the system behavior for password rules, password changes, and logon restrictions.

Security Policy Attribute | Allowed Values | Replaces Profile Parameter | Description |
---|---|---|---|
MIN_PASSWORD_LENGTH | Permissible values: 3 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 3 - 8. | login/min_password_lng | Determines the minimum length of a password. The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
MIN_PASSWORD_DIGITS | Permissible values: 0 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 0 - 8. | login/min_password_digits | Determines the minimum number of digits (0-9) that must be contained in a password. The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
MIN_PASSWORD_LETTERS | Permissible values: 0 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 0 - 8. | login/min_password_letters | Determines the minimum number of ASCII letters (A-Z and a-z) that must be contained in a password. The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
MIN_PASSWORD_LOWERCASE | Permissible values: 0 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 0 - 8. | login/min_password_lowercase | Determines the minimum number of ASCII lower-case letters (a-z) that must be contained in a password. The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
MIN_PASSWORD_UPPERCASE | Permissible values: 0 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 0 - 8. | login/min_password_uppercase | Determines the minimum number of ASCII upper-case letters (A-Z) that must be contained in a password. The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
MIN_PASSWORD_SPECIALS | Permissible values: 0 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 0 - 8. | login/min_password_specials | Determines the minimum number of special characters that must be contained in a password. All characters that are neither digits (0-9) nor ASCII letters (A-Z or a-z) are regarded as special characters. These include national special characters and Unicode characters, if you are working in a Unicode system, as well as the ASCII characters `` !"@ $%&/()=?'`*+~#-_.,;:{[]}\<>\| `` The attribute applies both when assigning new passwords and when changing the password or resetting existing passwords. |
CHECK_PASSWORD_BLACKLIST | String | None | Defines whether the system compares the password to a negative list of forbidden passwords at logon. If an administrator assigns a forbidden password, the system displays only a warning, after which the administrator can choose to continue. |
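
How the character-class attributes above combine when a candidate password is evaluated, as an added example (not SAP code). The names `count_classes`, `violations` and `SAMPLE_POLICY` are hypothetical; the sketch assumes length is counted in characters and that an attribute missing from the policy imposes no minimum.

```python
import string

# ASCII-only class sets, following the definitions in the table above.
DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)

def count_classes(password):
    """Count characters per class; anything that is neither an ASCII digit
    nor an ASCII letter is a special character (national letters included)."""
    counts = {"length": len(password), "digits": 0, "lowercase": 0,
              "uppercase": 0, "specials": 0}
    for ch in password:
        if ch in DIGITS:
            counts["digits"] += 1
        elif ch in LOWER:
            counts["lowercase"] += 1
        elif ch in UPPER:
            counts["uppercase"] += 1
        else:
            counts["specials"] += 1
    counts["letters"] = counts["lowercase"] + counts["uppercase"]
    return counts

# Maps each policy attribute to the count it constrains.
RULES = {
    "MIN_PASSWORD_LENGTH": "length",
    "MIN_PASSWORD_DIGITS": "digits",
    "MIN_PASSWORD_LETTERS": "letters",
    "MIN_PASSWORD_LOWERCASE": "lowercase",
    "MIN_PASSWORD_UPPERCASE": "uppercase",
    "MIN_PASSWORD_SPECIALS": "specials",
}

def violations(password, policy):
    """Return the sorted list of attributes the password fails to satisfy."""
    counts = count_classes(password)
    return sorted(attr for attr, key in RULES.items()
                  if counts[key] < policy.get(attr, 0))

# Constructed sample policy and passwords, for illustration only.
SAMPLE_POLICY = {"MIN_PASSWORD_LENGTH": 10, "MIN_PASSWORD_DIGITS": 1,
                 "MIN_PASSWORD_LETTERS": 6, "MIN_PASSWORD_LOWERCASE": 1,
                 "MIN_PASSWORD_UPPERCASE": 1, "MIN_PASSWORD_SPECIALS": 1}

if __name__ == "__main__":
    for pw in ("Grüße2024xy", "ÄÖÜäöü12345", "short1!"):
        print(repr(pw), violations(pw, SAMPLE_POLICY))
```

The first sample fails only MIN_PASSWORD_LETTERS: "ü" and "ß" count as special characters, not letters, so a password that looks letter-heavy can still miss a letter minimum while satisfying MIN_PASSWORD_SPECIALS.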

Security Policy Attribute | Allowed Values | Replaces Profile Parameter | Description |
---|---|---|---|
PASSWORD_COMPLIANCE_TO_CURRENT_POLICY | 0: No check; 1: Check whether a change is required | login/password_compliance_to_current_policy | Controls whether, for a logon with a password, the system checks whether the password used fulfills the current password rules and whether the system prompts the user to change the password. Users of types service and system are excluded in principle from the requirement to change passwords and are therefore not affected by this rule. |
MIN_PASSWORD_DIFFERENCE | Permissible values: 1 - 40. If profile parameter login/password_downwards_compatibility has the value 5, the permissible value range is 1 - 8. | login/min_password_diff | Defines the minimum number of characters that must be different in the new password compared to the old password. |
PASSWORD_CHANGE_INTERVAL | Permissible values: 0 - 1000 (specified in days) | login/password_expiration_time | Defines whether, and after how many days since the last password change, the system prompts the user to change his or her (non-initial) password again. Users of the types service and system are not affected by this rule. |
PASSWORD_CHANGE_FOR_SSO | 0: System ignores requirement to change password (backward compatible); 1: User decides whether to change or delete password (default setting); 2: User must change password; 3: Password is automatically deleted | login/password_change_for_SSO | If the user logs on with single sign-on, checks whether the user must change his or her password. |
PASSWORD_HISTORY_SIZE | Permissible values: 1 - 100 | login/password_history_size | Specifies the number of passwords chosen by the user (not the administrator) that the system stores and that the user is not permitted to use again. Prevents users from effectively deactivating the requirement to change their passwords regularly. |
MIN_PASSWORD_CHANGE_WAITTIME | Permissible values: 1 - 1000 (specified in days) | login/password_change_waittime | Specifies the number of days that a user must wait before changing the password again. Forced password changes and password changes by the administrator are not affected and are immediately possible. |

Security Policy Attribute | Allowed Values | Replaces Profile Parameter | Description |
---|---|---|---|
DISABLE_PASSWORD_LOGON | 0: Password logon is permitted (if possible); 1: Password logon is not possible | | Prevents a user being able to log on to the system with a password. |
DISABLE_TICKET_LOGON | 0: Logon and authentication assertion tickets are permitted. 1: System rejects logon tickets, but does not reject authentication assertion tickets. 2: System rejects logon tickets and authentication assertion tickets. | None | Prevents a user being able to log on to the system with a logon ticket or an authentication assertion ticket. |
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS | Permissible values: 1 - 99 | login/fails_to_user_lock | Defines the number of failed password logon attempts that a user can make before the system locks the password and blocks further password logon attempts. |
MAX_PASSWORD_IDLE_INITIAL | 0 - 24000 (specified in days). 0: Initial passwords are valid for an unrestricted period of time. | login/password_max_idle_initial | Defines the maximum period of time between the time of the last setting (or resetting) of an initial password and the next logon with this password. When setting up a new user account, or when changing the password of an existing user, the user administrator assigns an initial password. At the next interactive logon, the user must change this initial password to ensure that the password is known only to this user. After the time limit defined for the change has expired, the system displays the message "Initial password has expired" and rejects the logon. |
MAX_PASSWORD_IDLE_PRODUCTIVE | Permissible values: 0 - 24000 (specified in days). 0: Productive passwords are valid for an unrestricted period of time. | login/password_max_idle_productive | Defines the maximum period of time between the time of the last change of the productive password and the next logon with this password. A productive password is a password set by the user. The user can only change the password again after an assignable period of time. Once this period has expired, the system displays the message "Password was not used for a long period and therefore deactivated" and rejects the logon. |
PASSWORD_LOCK_EXPIRATION | 0: Administrator must explicitly remove the password lock; 1: Password lock applies for a maximum of 24 hours (automatic unlocking) | login/failed_user_auto_unlock | Defines whether the system automatically removes user locks due to unsuccessful logon attempts. |
SERVER_LOGON_PRIVILEGE | 0: Users cannot log on to SAP NetWeaver Application Server ABAP when the login/server_logon_restriction profile parameter is set to 1. 1: Users can log on to SAP NetWeaver Application Server ABAP when the login/server_logon_restriction profile parameter is set to 1. | | You can restrict access to the server by setting the profile parameter login/server_logon_restriction. If you set this profile parameter, only users who are assigned a security policy that contains the attribute SERVER_LOGON_PRIVILEGE with the value 1 can log on to SAP NetWeaver Application Server ABAP. |