Profile Parameters for Logon and Password (Login Parameters)

Use profile parameters to set password and logon rules.

These profile parameters define the minimum requirements for passwords. You cannot set any upper limits for password rules, except for generated passwords. For example, users can use any number of special characters in their passwords, as long as they follow the other password rules.

Note

To make the parameters globally effective in an ABAP system (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, set the parameters in the profiles of the system application servers.

To display the parameter documentation, in the profile parameter maintenance tool (transaction RZ11), enter the parameter name and choose Display. On the next screen, choose the Documentation button.

Table 1: Password Rules
Parameter Value Description

login/min_password_lng

Default: 6

Permissible values: 3 - 40

Defines the minimum length of the password.

login/min_password_digits

Default: 0

Permissible values: 0 - 40

Defines the minimum number of digits (0-9) in passwords.

login/min_password_letters

Default: 0

Permissible values: 0 - 40

Defines the minimum number of letters (A-Z) in passwords.

login/min_password_lowercase

Default: 0

Permissible values: 0 - 40

Specifies the minimum number of lowercase letters a password must contain.

login/min_password_uppercase

Default: 0

Permissible values: 0 - 40

Specifies the minimum number of uppercase letters a password must contain.

login/min_password_specials

Default: 0

Permissible values: 0 - 40

Defines the minimum number of special characters in the password.

All characters that are not letters or digits are regarded as special characters.

login/password_charset

Default: 1

Permissible values:

  • 0: Restrictive.

    The password can only consist of digits, letters, and the following (ASCII) special characters: !"@ $%&/()=?'*+~#-_.,;:{[]}\<>, space, and the grave accent.

  • 1: Backward compatible.

    The password can consist of any characters including national special characters (for example, ä, ç, ß from ISO Latin-1, 8859-1). However, all characters that are not contained in the set above (for value = 0) are mapped to the same special character, and the system therefore does not differentiate between them.

  • 2: Not backward compatible.

    The password can consist of any characters. It is converted internally into the Unicode format UTF-8. If your system does not support Unicode, you may not be able to enter all characters on the logon screen. This restriction depends on the code page specified by the system language.

This parameter defines the characters of which a password can consist.

Caution

With login/password_charset = 2, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 2.

Table 2: Password Logon
Parameter Value Description

login/password_compliance_to_current_policy

Default: 0

Permissible values:

  • 0: No check.

  • 1: During the password check, the system checks whether the current password fulfills the current password rules. If this is not the case, it forces a password change.

Used to check passwords against the current security policy.

login/disable_password_logon

Default: 0

Permissible values:

  • 0: Password logon is possible.

  • 1: Password logon is only possible for users in the group specified in the parameter login/password_logon_usergroup.

  • 2: Password logon is not possible in general.

Controls the deactivation of password-based logon.

This means that the user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket).

See Logon Data Tab Page

login/password_logon_usergroup

Default: <empty_character_string>

Controls the deactivation of password-based logon for user groups.

login/password_max_idle_productive

Default: 0: The check is deactivated.

Permissible values: 0 - 24,000 (in days)

Specifies the maximum period for which an unused productive password (a password set by the user) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password.

login/password_max_idle_initial

Default: 0: The check is deactivated.

Permissible values: 0 - 24,000 (in days)

Specifies the maximum period for which an unused initial password (a password set by the user administrator) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password.

This parameter replaces the profile parameters login/password_max_new_valid and login/password_max_reset_valid.

Table 3: Password Changes
Parameter Value Description

login/min_password_diff

Default: 1

Permissible values: 1 - 40

Defines the minimum number of characters that must be different in the new password compared to the old password.

login/password_expiration_time

Default: 0

Permissible values: 0 - 1000

Defines the validity period of passwords in days.

login/password_change_for_SSO

Default: 1

Permissible values:

  • 0: Requirement to change password is ignored (backward compatible).

  • 1: Dialog box with options 2 and 3 (user decides).

  • 2: Password change dialog only (enter old and new passwords).

  • 3: Deactivation of the password (automatically, no dialog box).

When the user logs on with single sign-on, the system checks whether the user must change his or her password.

login/password_history_size

Default: 5

Permissible values: 1 - 100 (number of entries)

Specifies the number of passwords (chosen by the user, not the administrator) that the system stores and that the user is not permitted to use again.

login/password_change_waittime

Default: 1

Permissible values: 1 - 1000 (in days)

Specifies the number of days that a user must wait before changing the password again.

Table 4: Other Password Profile Parameters
Parameter Value Description

login/password_downwards_compatibility

Default: 1

Permissible values:

  • 0: Stores passwords in a format that systems with older kernels cannot interpret. The system only generates new (non-backward-compatible) password hash values.

  • 1: The system also generates backward compatible password hash values internally, but does not evaluate these for password-based logons (to its own system). This setting is required if you use this system as the central system of a Central User Administration and systems that only support backward compatible password hash values are also connected to the system group.

  • 2: The system also generates backward compatible password hash values internally, which it evaluates if a logon with the new, non-backward compatible password failed. In this way, the system checks whether the logon would have been accepted with the backward compatible password (truncated after eight characters, and converted to uppercase). The system records this in the system log. The logon fails. This setting is to allow the identification of backward incompatibility problems.

  • 3: As with 2, but the logon is regarded as successful. This setting is to allow the avoidance of backward incompatibility problems.

  • 4: As with 3, but the system does not create an entry in the system log.

  • 5: Full backward compatibility: the system only creates backward compatible password hash values.

Specifies the degree of backward compatibility.

Caution

With login/password_downwards_compatibility = 0, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 0.

login/password_hash_algorithm

Default: Depends on the kernel version.

Permissible values: See SAP Note 991968 (unit: special character string).

Specifies the hash procedure and the coding format for the calculation of new password hash values. You do not usually need to change the default value set by the kernel.

Note

If the profile parameter login/password_downwards_compatibility has the value 5, only backward compatible passwords are permissible. This means that the parameter login/password_hash_algorithm would be meaningless.

Table 5: Multiple Logon
Parameter Value Description

login/disable_multi_gui_login

Default: 0

Permissible values:

  • 0: The system allows multiple dialog logons in the same client and under the same user name.

  • 1: The system blocks multiple dialog logons in the same client and under the same user name.

Controls the deactivation of multiple dialog logons.

login/multi_login_users

Default: <empty_list>

List of users who are permitted to log on to the system more than once.

Table 6: Incorrect Logon
Parameter Value Description

login/fails_to_session_end

Default: 3

Permissible values: 1 - 99

Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. Set the parameter to a value lower than the value of parameter login/fails_to_user_lock.

login/fails_to_user_lock

Default: 5

Permissible values: 1 - 99

Defines the number of unsuccessful logon attempts before the system locks the user.

login/failed_user_auto_unlock

Default: 0: Locks due to incorrect logon attempts remain valid for an unlimited period.

Permissible values: 0, 1

Defines whether user locks due to unsuccessful logon attempts are automatically removed at midnight.

Table 7: Logon with SSO Ticket
Parameter Value Description

login/accept_sso2_ticket

Default: 0

Permissible values:

  • 0: Logon with an SSO ticket is deactivated.

  • 1: Logon with an SSO ticket is permitted.

Allows or blocks logon using an SSO ticket.

login/create_sso2_ticket

Default: 0

Permissible values:

  • 0: Ticket generation is deactivated.

  • 1: SSO ticket including certificate.

  • 2: SSO ticket without certificate.

Allows the creation of SSO tickets.

Recommendation

We recommend you set this to 2. The SSO tickets are significantly smaller without the certificate and therefore have less overhead.

login/ticket_expiration_time

Default: 8 (in hours)

Defines the validity period of an SSO ticket.

login/ticket_only_by_https

Default: 0

Permissible values:

  • 0: Browser always sends ticket.

  • 1: Browser only sends ticket for HTTPS connections.

Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser.

login/ticket_only_to_host

Default: 0

Permissible values:

  • 0: Sends the ticket to all servers in the domain.

  • 1: When logging on over HTTP(S), sends the ticket only to the server that created the ticket.

Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser.

Table 8: Other Login Parameters
Parameter Value Description

login/disable_cpic

Default: 0

Permissible values:

  • 0: Allow inbound connections of type CPIC.

  • 1: Refuses inbound connections of type CPIC. Inbound connections of type RFC remain unaffected.

Refuses inbound connections of type CPIC.

login/no_automatic_user_sapstar

Default: 1: You must explicitly activate the emergency user.

Permissible values: 0, 1

Controls the emergency user SAP* (more information: SAP Notes 2383 and 68048).

login/system_client

Default: 000

Permissible values: 000 - 999

Specifies the default client that the system automatically enters on the logon screen. Users can, however, overwrite the default value with a different client.

login/update_logon_timestamp

Default: m

Permissible values:

  • d: Exact to the day.

  • h: Exact to the hour.

  • m: Exact to the minute.

  • s: Exact to the second (backward compatible).

Specifies the exactness of the logon time stamp.

Table 9: Other User Parameters
Parameter Value Description

rdisp/gui_auto_logout

Default: 0 (unrestricted)

Permissible values: Any numerical value.

Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
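
The following added example (not SAP code, and not part of the original documentation) audits a profile against the permissible values and parameter relationships documented in the tables above. The `name = value` profile text, both sample profiles, and the function names are constructed for illustration; unset parameters are evaluated with their documented defaults.

```python
import re

# (default, lowest, highest) permissible value, taken from the tables on this page.
SPEC = {
    "login/min_password_lng": (6, 3, 40),
    "login/password_downwards_compatibility": (1, 0, 5),
    "login/fails_to_session_end": (3, 1, 99),
    "login/fails_to_user_lock": (5, 1, 99),
    "login/create_sso2_ticket": (0, 0, 2),
    "login/ticket_only_by_https": (0, 0, 1),
}
# Constructed sample profiles (not from a real system).
WEAK = """# DEFAULT.PFL (constructed)
login/min_password_lng = 2
login/fails_to_session_end = 5
login/password_downwards_compatibility = 3
login/create_sso2_ticket = 2
"""
HARDENED = """login/min_password_lng = 8
login/fails_to_session_end = 3
login/create_sso2_ticket = 2
login/ticket_only_by_https = 1
"""

def parse_profile(text):
    """Read 'name = value' lines; blank lines and '#' comment lines are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text):
    raw, eff, findings = parse_profile(text), {}, []
    for name, (default, lo, hi) in SPEC.items():
        value = raw.get(name, str(default))  # unset parameter: documented default
        if not (re.fullmatch(r"\d+", value) and lo <= int(value) <= hi):
            findings.append(f"{name} = {value}: outside permissible values {lo} - {hi}")
            value = str(default)  # assumption: continue the audit with the default
        eff[name] = int(value)
    if eff["login/fails_to_session_end"] >= eff["login/fails_to_user_lock"]:
        findings.append("login/fails_to_session_end is not lower than login/fails_to_user_lock")
    compat = eff["login/password_downwards_compatibility"]
    if compat in (3, 4):
        findings.append("downwards_compatibility 3/4: logon succeeds with the truncated, uppercase password")
    elif compat == 5:
        findings.append("downwards_compatibility 5: login/password_hash_algorithm has no effect")
    if eff["login/create_sso2_ticket"] and not eff["login/ticket_only_by_https"]:
        findings.append("login/ticket_only_by_https = 0: browser sends the ticket on non-HTTPS connections too")
    return findings
```

Calling `audit(WEAK)` returns four findings, while `audit(HARDENED)` returns an empty list.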