Protective Measures for Logons and Passwords in ABAP Systems

Use

The basic authentication mechanism uses a user's name and password. For this basic authentication, AS ABAP provides security functions such as password hashing and password checks.

For more information, see Logon and Password Security in the ABAP System.

Security Policy Profiles, Profile Parameters, and Password Rules

By default, profile parameters define what the logon ID and password can look like, as well as password expiration and, in some cases, whether the user can log on in a dialog session. You can configure and assign custom security policy profiles to users that require stricter or more lax security policies.

For more information, see Security Policy Attributes for Logon and Passwords.

Password rules define the minimum requirements for passwords. Some rules are predefined by the SAP system, for example, the maximum length.

  • To change the default minimum length for passwords, set the profile parameter login/min_password_lng.

  • To force users to change their passwords after a set period of time, set the profile parameter login/password_expiration_time.

For more information about the available password and logon parameters, see Profile Parameters for Logon and Password (Login Parameters).

For more information about all password rules, see Password Rules.

Password Storage and Transport

By using a one-way hash routine, the system converts a user's plain-text password to a corresponding hash value that is stored in the database.

Recommendation

Although the one-way hash routine makes it practically infeasible to compute the original plain-text password from the hash value, restrict access to table USR02, where the hash values are stored.

For more information, see SAP Note 1237762.

How the password is protected during transport depends on the front-end component used. See the following examples:

  • SAP GUI for Windows

    For the transport between SAP GUI for Windows and the application server, the data is only compressed, not encrypted.

    Note

    For increased security, you can use Secure Network Communications (SNC). With SNC, you eliminate the need to send the password over the network altogether.

  • Web frontend

    When using a Web frontend (for example, SAP GUI for HTML or WebReporting), you can encrypt the data transfer by using the Secure Sockets Layer (SSL) protocol.

For more information, see Transport Layer Security on the AS ABAP.

Additional Recommendations

  • Assign the appropriate user type for users whose passwords should not expire, for example, system or communication users that are used for background processing or for communicating between systems.

    For more information, see User Management.

  • Users should avoid using names, dates, or words found in a standard dictionary as passwords. Many programs are available that can automatically guess passwords in these categories.

  • You can make a password relatively safe by including a mixture of alphabetic and numeric characters with at least one special character in the middle of the password.

  • We especially advise the system administrator to use a complex password with the maximum length that contains at least one digit and special character.

To prohibit certain character combinations, enter the prohibited passwords in table USR40 (use transaction SM30). You can use a question mark (?) or an asterisk (*) as wildcard characters: the question mark (?) stands for exactly one character, and the asterisk (*) stands for any sequence of characters of any length.

Example

Entry in Table USR40    Description
123*                    Prohibits any password that begins with the sequence 123.
*123*                   Prohibits any password that contains the sequence 123.
AB?                     Prohibits all passwords that begin with AB and have one additional character, for example, ABA, ABB, or ABC.
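The USR40 wildcard semantics described above, as an added example that is not part of SAP's documentation: a small Python checker that translates USR40-style entries into anchored regular expressions and reports which entries a candidate password would hit, alongside the login/min_password_lng minimum length. The entry list and the minimum length are constructed sample values, and case-insensitive matching is an assumption of this example, not a documented USR40 property.

```python
import re

# Constructed sample USR40 entries: the three from the table plus two more.
USR40_ENTRIES = ["123*", "*123*", "AB?", "PASSWORD", "*SAP*"]


def usr40_to_regex(entry):
    """Translate one USR40 entry into a compiled, anchored regular expression.

    '?' matches exactly one character, '*' matches any sequence of any length,
    and every other character is matched literally (escaped for the regex engine).
    """
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # IGNORECASE is an assumption of this example; DOTALL keeps '?' matching any byte.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matching_entries(password, entries=USR40_ENTRIES):
    """Return the USR40 entries that the whole password matches, in table order."""
    # fullmatch anchors both ends, so "AB?" rejects "ABC" but not "ABCD".
    return [e for e in entries if usr40_to_regex(e).fullmatch(password)]


def check_password(password, min_length=8, entries=USR40_ENTRIES):
    """Return a list of rule violations; an empty list means the password passes.

    min_length plays the role of login/min_password_lng (constructed value).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than login/min_password_lng={min_length}")
    for entry in matching_entries(password, entries):
        problems.append(f"matches prohibited USR40 entry {entry}")
    return problems


if __name__ == "__main__":
    for candidate in ["123abc", "x123y", "ABC", "ABCD", "mySAPpw", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "ok")
```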