
Configuring the Security Policy for User ID and Passwords

Use

You can define what a valid password and logon ID can look like. You can also set the conditions under which the system locks a user out, or when the user has to choose a new password.

Caution

If you connect to other systems, make sure the security policies you define here are consistent with those of the other system. For example, if you define one password length here, but the users are restricted to shorter password lengths in the back-end system, it can lead to logon problems. If you use the user management of an ABAP system as the data source, these settings do not always apply.

For more information, see Security Policy.

Prerequisites

This procedure requires you to restart the SAP NetWeaver Application Server (AS) Java, so plan for the required downtime while the AS Java restarts.

Procedure


       1.      Start user management configuration.

For more information, see Configuring User Management.

       2.      Choose the Security Policy tab.

       3.      Choose Modify Configuration.

       4.      Select an existing security policy profile or create a new one.

Note

You can only edit the Default or custom security policy profiles in the user interface of the identity management application. Changing the Default security profile also makes the corresponding changes in the Technical User security policy profile. You can change the properties for the Default, and consequently for the Technical User, security policy profiles from the UME properties. However, if you modify the password expiration property for the Default security profile, this property does not affect the Technical User security policy profile (there is no expiration of the password for the Technical User security profile).

       5.      Enter data as required.

Security Policy Settings

Setting

Description

Minimum Length of Logon ID

Enter the minimum length a logon ID can be.

Maximum Length of Logon ID

Enter the maximum length a logon ID can be.

Minimum Number of Digits in Logon ID

Enter the minimum number of digits a logon ID must have.

Minimum Number of Special Characters in Logon ID

Enter the minimum number of special characters a logon ID must have.

Minimum Length of Password

Enter the minimum length a password can be.

Maximum Length of Password

Enter the maximum length a password can be.

Minimum Number of Mixed Case Letters in Password

Enter the minimum number of upper case letters and lower case letters a password must have.

For example, if you enter 3, passwords must contain at least 3 upper-case and 3 lower-case letters.

Enter 0 to place no restrictions on how many or how few upper case letters and lower case letters a user must enter.

Minimum Number of Alphanumeric Characters in Password

Enter the minimum number of letters and numbers a password must have.

For example, if you enter 3, passwords must contain at least 3 letters and at least 3 numbers.

Enter 0 to place no restrictions on how many or how few letters and numbers users must enter.

Minimum Number of Special Characters in Password

Enter the minimum number of special characters a password must have.

Enter 0 to place no restrictions on how many or how few special characters users must enter.

Size of Password History

Prevents users from using a password they previously used. Enter the number of most recently used passwords you want the system to exclude. The UME stores the hash value of the previous passwords. The system does not enter passwords set by the administrator in the password history.

Although you can configure this setting freely, a useful value might be 5. Use a value that is appropriate for your application.

Enter 0 if your data source already has a password history checking mechanism, unless you maintain users in the AS Java database for whom you want to maintain a password history.

Impermissible Passwords

Enter a comma-separated list of terms or character combinations that the UME rejects when users set their passwords. Use the asterisk (*) and question mark (?) as variables.

Allow Logon ID as Part of Password

Select to allow users to include their logon ID in their password.

Allow Old Password as Part of New Password

When selected, users can include their old password in their new password. The UME checks the old password against the new password when users change it.

Allow Users to Change Their Own Passwords

We recommend you select this option. You need this setting for self-management of passwords.

When deselected, only an administrator (a user with change rights for users) can change a user’s password. A user whose password has expired cannot change it. An administrator must reset it.

Deselect this option when you have an LDAP server with read-write access as the data source and you want business users to change their passwords through the LDAP and not through the SAP NetWeaver Portal.

Maximum Number of Failed Logon Attempts

Enter how many times in a row a user can provide the wrong password during logon, before the system locks the user account. The user cannot log on until the account is unlocked.

Enter 0 to allow users an unlimited number of failed logon attempts.

Auto Unlock Time (Minutes)

Enter the number of minutes after which the system automatically unlocks a user account that was locked due to failed logon attempts.

Enter 0 to deactivate this option. The user remains locked until unlocked by an administrator.

Password Validity Period (Days)

Once the user sets or receives a password, it is valid for the set number of days. After this period, the user must set a new password during his or her next logon attempt.

Enter 0 to deactivate this option. A user’s password never expires.

Enforce Password Security Policy at Logon

Select this option to ensure users have compliant passwords after you change the security policy. The system checks passwords against the security policy during password logon and requires users to change their password if it no longer meets the current policy.

       6.      Choose Save All Changes.

       7.      Restart the AS Java.
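
The following sketch is an added example, not SAP code. It shows how the password settings from step 5 combine, in particular that the mixed-case and alphanumeric minimums each apply to both character classes and that 0 disables a check. The field names are hypothetical (not UME property names), and it assumes that * and ? act like shell wildcards, that matching ignores case, and that every non-alphanumeric character counts as special.

```python
# Added illustration; field names are hypothetical, not UME property names.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Policy:
    min_length: int = 8
    max_length: int = 14
    min_mixed_case: int = 1      # N upper-case AND N lower-case letters
    min_alphanumeric: int = 1    # N letters AND N digits
    min_special: int = 0
    impermissible: str = ""      # comma-separated terms, may contain * and ?
    allow_logon_id_in_password: bool = False
    allow_old_in_new: bool = False


def violations(p, logon_id, old_password, new_password):
    """Return the names of the settings that new_password fails."""
    pw = new_password
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)  # assumption: non-alphanumeric
    failed = []
    if len(pw) < p.min_length:
        failed.append("Minimum Length of Password")
    if len(pw) > p.max_length:
        failed.append("Maximum Length of Password")
    # A setting of 0 places no restriction: the counts are never below 0.
    if min(upper, lower) < p.min_mixed_case:
        failed.append("Minimum Number of Mixed Case Letters in Password")
    if min(letters, digits) < p.min_alphanumeric:
        failed.append("Minimum Number of Alphanumeric Characters in Password")
    if special < p.min_special:
        failed.append("Minimum Number of Special Characters in Password")
    # Assumption: * and ? behave like shell wildcards, compared ignoring case.
    patterns = [t.strip().lower() for t in p.impermissible.split(",") if t.strip()]
    if any(fnmatchcase(pw.lower(), pat) for pat in patterns):
        failed.append("Impermissible Passwords")
    if (not p.allow_logon_id_in_password and logon_id
            and logon_id.lower() in pw.lower()):
        failed.append("Allow Logon ID as Part of Password")
    if not p.allow_old_in_new and old_password and old_password in pw:
        failed.append("Allow Old Password as Part of New Password")
    return failed
```

Running candidate passwords through such a check before you save a stricter profile shows which existing conventions would start failing once Enforce Password Security Policy at Logon is selected.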
