Users may need to reset their password when their account is locked because the number of unsuccessful login attempts exceeded the maximum allowed, when they forget their password, or for any other reason. USERREQUESTMANAGEMENT is the OData service used to execute password reset requests. When a user requests a password reset:
1. An email notification is sent to the user with an auto-generated password and an activation URL.
2. The user should click the link to enable the auto-generated password.
3. If successful, the auto-generated password is set.
4. The user changes the auto-generated password at the next login (recommended).
This is the default behavior of User Self Service when a request for password reset is triggered. The reset request activation call, made with the entity UserRequestActivationRequestCollection of the OData service USERREQUESTMANAGEMENT, needs only an activation key in the request body; a password is not required. If the user sends a password, it is ignored and the auto-generated password is set.
Sample request body for password reset request activation:
<entry xml:base="http://<host>:<port>/sap/opu/odata/IWBEP/USERREQUESTMANAGEMENT/"
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <category term="USERREQUESTMANAGEMENT.UserRequestActivationRequest"
            scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>
  <content type="application/xml">
    <m:properties>
      <!-- Only the activation key is needed; a password, if sent, is ignored -->
      <d:ActivationKey>19E365184B2189BB754589C2EEA4A51B412AD639</d:ActivationKey>
    </m:properties>
  </content>
</entry>
See the section Password Policy Check in Security Aspects of User Self Service.
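The following is an added example, not SAP code: a client-side helper that builds the activation request body described above with only the activation key, and a checker that parses a body and lists any properties other than ActivationKey (which, per this page, the service ignores). The function names, the constructed key, and the `Password` property name are assumptions for illustration; `xml:base` is omitted because host and port are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace URIs and category term copied from the sample request body on this page.
ATOM = "http://www.w3.org/2005/Atom"
M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
D = "http://schemas.microsoft.com/ado/2007/08/dataservices"
TERM = "USERREQUESTMANAGEMENT.UserRequestActivationRequest"
for prefix, uri in (("", ATOM), ("m", M), ("d", D)):
    ET.register_namespace(prefix, uri)


def build_activation_entry(activation_key: str) -> str:
    """Return an Atom entry that carries only the activation key (XML-escaped)."""
    entry = ET.Element(f"{{{ATOM}}}entry")
    ET.SubElement(entry, f"{{{ATOM}}}category", {"term": TERM, "scheme": D + "/scheme"})
    content = ET.SubElement(entry, f"{{{ATOM}}}content", {"type": "application/xml"})
    props = ET.SubElement(content, f"{{{M}}}properties")
    ET.SubElement(props, f"{{{D}}}ActivationKey").text = activation_key
    return ET.tostring(entry, encoding="unicode")


def check_activation_entry(body: str) -> dict:
    """Parse a request body; return the key and any properties besides it."""
    if "<!DOCTYPE" in body:
        raise ValueError("DTDs are not expected in an activation request")
    root = ET.fromstring(body)  # raises ET.ParseError on malformed XML
    props = root.find(f"{{{ATOM}}}content/{{{M}}}properties")
    if props is None:
        raise ValueError("no m:properties element under content")
    found = {child.tag.split("}", 1)[-1]: (child.text or "") for child in props}
    key = found.pop("ActivationKey", "").strip()
    if not key:
        raise ValueError("ActivationKey is missing or empty")
    return {"activation_key": key, "ignored_properties": sorted(found)}


if __name__ == "__main__":
    KEY = "CONSTRUCTED-KEY-0001"  # constructed sample value, not a real key
    body = build_activation_entry(KEY)
    print(check_activation_entry(body))
    # Hypothetical Password property: the page says a sent password is ignored.
    extra = body.replace("</d:ActivationKey>",
                         "</d:ActivationKey><d:Password>x</d:Password>")
    print(check_activation_entry(extra))
```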