
Configuring the Security Policy for User ID and Passwords

The user management engine (UME) enables you to define security policies that control aspects such as the length and content of user passwords and logon IDs, or how the system carries out password checks. The UME checks for compliance with this policy in the following instances:

  • When users log on to SAP NetWeaver Application Server (AS) Java

    This check is disabled by default, but you can enable it.

  • When users register themselves using the self-registration features of the UME

  • When users or administrators change user passwords with the UME

  • When administrators create new users with the UME

Note

If the UME cannot determine the security policy, it applies the default security policy as a fallback.

If the security policy is not adhered to, the UME provides detailed error messages where possible.

Caution

If the UME uses another system as the data source, ensure that the security policies you define here are in harmony with the other system. For example, if you define one password length here, but the users are restricted to shorter password lengths in the back-end system, it can lead to logon problems. If you use the user management of an ABAP system as the data source, these settings do not always apply. For more information, see Integration of the UME Security Policy With External Data Source.

Procedure

  1. Start user management configuration.

    For more information, see Configuring User Management.

  2. Choose the Security Policy tab.

  3. Choose the Modify Configuration pushbutton.

  4. Select an existing security policy profile or create a new one.

    Note

    You can only edit the Default or custom security policy profiles.

  5. Enter data as required.

    The following table provides recommendations and explanations for some of the security policy settings. The table is not a complete list of settings.

    Supplemental Information for Security Policy Settings

    Setting

    Supplemental Information

    Minimum or Maximum Length of Logon ID

    These settings are only checked when creating a logon ID. Afterwards they are ignored.

    Minimum Number of <character type> in Password

    Enter 0 to place no restrictions on how many or how few of a specific type of character (for example, mixed case or letters and numbers) a user must enter.

    Size of Password History

    Although you can configure this setting freely, a useful value might be 5. Use a value that is appropriate for your needs.

    Enter 0 if your data source already has a password history checking mechanism, unless you maintain users in the AS Java database for whom you want to maintain a password history.

    Allow Users to Change Their Own Passwords

    Recommendation

    We recommend you select this checkbox. You need this setting for self-management of passwords. When deselected, only an administrator (a user with change rights for users) can change a user's password. A user whose password has expired cannot change it. An administrator must reset it.

    Leave this checkbox empty when you have an LDAP server with read-write access as the data source and you want business users to change their passwords through the LDAP and not through self-management.

    Auto Unlock Time (Minutes)

    The auto unlock function does not reset the number of failed logon attempts when it unlocks a user. A user unlocked with this function may already have a number of failed logon attempts, causing the user to be locked immediately on the next failed logon.

    Enter 0 to deactivate this option. The user remains locked until unlocked by an administrator.

    Password Validity Period (Days)

    Once the user sets or receives a password, it is valid for the set number of days. After this period, the user must set a new password during his or her next logon attempt.

    Enter 0 to deactivate this option. The password never expires.

    Enforce Password Security Policy at Logon

    Select this checkbox to ensure users have compliant passwords after you change the security policy.

    Note

    Before you enable this feature, consider whether you want to force users in an existing data source to use the current UME security policy. This applies especially if the UME security policy is more stringent than an external data source, like a directory server.

  6. Save your entries.

Result

The policy is now valid for any users to whom this policy has been assigned. If you selected the Enforce Password Security Policy at Logon option, the new policy is enforced at the next logon. Otherwise, the policy is only checked the next time the user changes their password.
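
The Auto Unlock Time (Minutes) behaviour from the table above, as an added example that is not SAP code: a simplified Python model showing why an automatically unlocked user is locked again on the first failed logon, and why a value of 0 keeps the user locked. The lock threshold of 3, all class and method names, and the counter resets on successful logon and on administrator unlock are assumptions that do not come from this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    failed_attempts: int = 0
    locked_at: Optional[int] = None  # minute the lock was set; None = not locked


class LockoutModel:
    """Simplified model of the documented auto unlock behaviour (not the UME itself)."""

    def __init__(self, max_failed_attempts: int, auto_unlock_minutes: int):
        self.max_failed = max_failed_attempts    # assumed threshold, not on the page
        self.auto_unlock = auto_unlock_minutes   # 0 = only an administrator unlocks

    def logon(self, acct: Account, now: int, password_ok: bool) -> str:
        # Auto unlock lifts the lock once the time has passed, but it
        # deliberately leaves the failed-attempt counter untouched.
        if (acct.locked_at is not None and self.auto_unlock > 0
                and now - acct.locked_at >= self.auto_unlock):
            acct.locked_at = None
        if acct.locked_at is not None:
            return "locked"                      # even a correct password is refused
        if password_ok:
            acct.failed_attempts = 0             # assumption: success clears the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.max_failed:
            acct.locked_at = now
            return "locked_now"
        return "failed"

    def admin_unlock(self, acct: Account) -> None:
        acct.locked_at = None
        acct.failed_attempts = 0                 # assumption: administrator unlock resets


def demo() -> list:
    """Constructed timeline in minutes: three failures, then two later attempts."""
    policy = LockoutModel(max_failed_attempts=3, auto_unlock_minutes=60)
    user = Account()
    results = [policy.logon(user, t, False) for t in (0, 1, 2)]  # third failure locks
    results.append(policy.logon(user, 30, True))    # inside the lock window
    results.append(policy.logon(user, 62, False))   # auto unlocked, one typo relocks
    return results


if __name__ == "__main__":
    print(demo())
```
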

More Information

Password Management