
UME Properties for the Security Policy

These properties enable you to define the security policies for logon IDs and passwords in the user management engine (UME). If you use ABAP user management as a data source, the system ignores these values in most cases. For more information about the security policy, see Security Policy.

Security Policy Properties of the UME

Property

Value

Description

ume.logon.security_policy.auto_unlock_time

Default value is 60.

0 = Deactivate this option. The user remains locked.

Number of minutes before the system unlocks a logon ID after a series of failed logon attempts.

ume.logon.security_policy.enforce_policy_at_logon

Default value is FALSE.

Determines if the system checks passwords against the security policy during password logon and requires users to change their password if it no longer meets the current policy.

ume.logon.security_policy.lock_after_invalid_attempts

Default value is 6.

Possible values: 0 to 9999

0 = Infinite number of failed logon attempts allowed.

Number of failed logon attempts before user is locked.

This is automatically set to 0 if you have a combined SAP NetWeaver Application Server (AS) Java and AS ABAP installation.

ume.logon.security_policy.log_client_hostaddress

 

See Security Audit.

ume.logon.security_policy.log_client_hostname

 

See Security Audit.

ume.logon.security_policy.oldpass_in_newpass_allowed

Default value is FALSE.

Defines whether old password can be part of new password. The UME checks the old and new password against each other when the user attempts to change the password.

ume.logon.security_policy.password_alpha_numeric_required

Default value is 1.

Minimum number of alphabetic and numeric characters in passwords.

For example, if the property is set to 3, passwords must contain at least 3 letters and at least 3 numbers.

ume.logon.security_policy.password_change_allowed

Default value is TRUE.

Determines if user passwords can be changed. We recommend you leave this property set to TRUE. You need this property for self-management of passwords.

When FALSE, only an administrator (a user with change rights for users) can change a user’s password. A user whose password has expired cannot change it. An administrator must reset it.

Example

You can set this property to FALSE, when you have a directory server as the data source and you do not perform password management with SAP NetWeaver or the portal.

ume.logon.security_policy.password_expire_days

Default value is 90.

Number of days before password expires.

ume.logon.security_policy.password_history

Default value is 0.

The UME can store the hash value of user passwords. Set this value to prevent users from reusing the same password after their old password expires. The system does not enter passwords set by the administrator in the password history.

Although this value is for practical purposes freely configurable (you can set the value in the trillions), a more useful value might be 5. Use a value that is appropriate for your application.

Note

Set this value to zero (0) if your data source already has a password history checking mechanism, unless you maintain users in the AS Java database for whom you want to maintain a password history.

ume.logon.security_policy.password_impermissible

 

Enter a comma-separated list of terms or character combinations that the UME rejects when users set their passwords. Use the asterisk (*) and question mark (?) as wildcards. The asterisk (*) stands for any sequence of characters, and the question mark (?) stands for a single character.

Note

aaa* = The UME rejects all passwords that start with aaa.

ume.logon.security_policy.password_last_change_date_default

A date in the format MM/DD/YYYY.

Default value is 12/31/9999.

If a user has never changed his or her password using the AS Java, this date counts as the last date on which the user changed his or her password.

See also: ume.logon.security_policy.password_expire_days.

ume.logon.security_policy.password_max_idle_time

Default value is 0.

Possible Values: 0 to 2147483647.

Value = 0: This check is deactivated.

Number of days after the last successful logon with user ID and password that the UME locks the user’s password.

With the UME property ume.logon.security_policy.password_successful_check_date_default, you must set a default last successful password check date for users who either have no last successful logon date stored or whose last successful password check date is older than the default date.

When a user’s password is locked, he or she can no longer log on with the password and must contact the system administrator to get a new password.

Before SPS 7, the UME sets the last successful password check date when you create each user. From SPS 7 and later, the UME only records a user's last successful password check date if the password idle time check is enabled; that is, when maximum idle time is greater than zero.

ume.logon.security_policy.password_max_length

Default value is 14.

Maximum password length. This must not be less than the cumulated values of the properties password_mix_case_required, password_alpha_numeric_required and password_special_char_required.

ume.logon.security_policy.password_min_length

Default value is 1.

Minimum password length.

ume.logon.security_policy.password_mix_case_required

Default value is 0.

Minimum number of upper and lower case letters in passwords.

For example, if the property is set to 3, passwords must contain at least 3 lower case letters and at least 3 upper case letters.

ume.logon.security_policy.password_special_char_required

Default value is 0.

Minimum number of special characters in passwords.

ume.logon.security_policy.password_successful_check_date_default

A date in the format MM/DD/YYYY.

Default value is 12/31/9999.

Defines the default date for last successful logon with user ID and password, when a user has no successful logon with user ID and password recorded or the last logon took place before the default date.

When you set ume.logon.security_policy.password_max_idle_time, we recommend you change the password successful check date default to the current date. This ensures that the UME checks all logons that follow for idle passwords and that you do not accidentally lock out users with previously recorded password check dates.

ume.logon.security_policy.userid_digits

Default value is 0.

Value < 0: Digits are not allowed.

Value = 0: Digits are allowed.

Value > 0: Digits are required.

Minimum number of digits in user logon ID.

ume.logon.security_policy.userid_in_password_allowed

Default value is FALSE.

Defines whether user ID can be part of password.

ume.logon.security_policy.userid_lowercase

 

Deprecated.

ume.logon.security_policy.userid_special_char_required

Default value is 0.

Value < 0: Special characters are forbidden.

Value = 0: Special characters are allowed.

Value > 0: Special characters are required.

Minimum number of special characters in user logon ID.

ume.logon.security_policy.useridmaxlength

Default value is 20.

Maximum length of user ID.

This is automatically set to 12 if you have a combined AS Java and AS for ABAP installation.

If you are using a database as data source for user data, this value must be less than or equal to 200.

ume.logon.security_policy.useridminlength

Default value is 5.

Minimum length of user ID.
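The password rules from the table above, applied to candidate passwords. This is an added example, not SAP code or part of the original documentation, and the names `check_password` and `wildcard_to_regex` are hypothetical. It assumes that a special character is any non-alphanumeric character, that "part of" means substring (compared case-insensitively for the user ID), and that impermissible terms are matched case-sensitively against the whole password.

```python
import re

# Password-related defaults as listed in the table above.
DEFAULTS = {
    "password_min_length": 1,
    "password_max_length": 14,
    "password_alpha_numeric_required": 1,
    "password_mix_case_required": 0,
    "password_special_char_required": 0,
    "password_impermissible": "",
    "userid_in_password_allowed": False,
    "oldpass_in_newpass_allowed": False,
}

def wildcard_to_regex(term):
    # '*' = any sequence of characters, '?' = exactly one character.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term
    ), re.DOTALL)

def check_password(password, user_id, old_password=None, **overrides):
    """Return the names of the properties the candidate password violates."""
    p = {**DEFAULTS, **overrides}
    count = lambda pred: sum(1 for c in password if pred(c))
    letters, digits = count(str.isalpha), count(str.isdigit)
    lower, upper = count(str.islower), count(str.isupper)
    special = count(lambda c: not c.isalnum())  # assumption: non-alphanumeric
    failed = []
    if len(password) < p["password_min_length"]:
        failed.append("password_min_length")
    if len(password) > p["password_max_length"]:
        failed.append("password_max_length")
    if min(letters, digits) < p["password_alpha_numeric_required"]:
        failed.append("password_alpha_numeric_required")
    if min(lower, upper) < p["password_mix_case_required"]:
        failed.append("password_mix_case_required")
    if special < p["password_special_char_required"]:
        failed.append("password_special_char_required")
    terms = [t.strip() for t in p["password_impermissible"].split(",")]
    # A term must match the whole password, so 'aaa*' means "starts with aaa".
    if any(t and wildcard_to_regex(t).fullmatch(password) for t in terms):
        failed.append("password_impermissible")
    if (not p["userid_in_password_allowed"] and user_id
            and user_id.lower() in password.lower()):
        failed.append("userid_in_password_allowed")
    if (not p["oldpass_in_newpass_allowed"] and old_password
            and old_password in password):
        failed.append("oldpass_in_newpass_allowed")
    return failed
```

With the defaults from the table, a password such as `a1` passes every check, which shows how much of the policy depends on raising the length and character-class properties.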

 
