User ID and Password Authentication for SAP GUI

Implementation Considerations

The AS ABAP security model requires that all users log on with valid authentication credentials. With user ID and password authentication, users enter their authentication credentials consisting of user ID, password and an AS ABAP client system.

User ID and password authentication enables you to enforce access control to your AS ABAP systems with an authentication mechanism that offers basic access protection with relatively low complexity of security configuration tasks.

Using user ID and password authentication in complex system landscapes where users must log on to multiple systems, however, increases the user work load from the required multiple entries of user IDs and passwords for system access.

In addition, the overall security of your systems could be reduced due to the greater number of passwords that users must keep secret. Due to the requirement to keep passwords secret, your systems can become vulnerable to system engineering attacks, where user's passwords can be guessed or deceitfully acquired from a user.

Password Security

The user password represents a secret form of authentication data that is used to establish the user's identity. Therefore, a critical element in protecting access to your AS ABAP systems is maintaining the secure storage and transport of entered user passwords. After users provide their passwords, the SAP GUI uses hashing algorithms to disguise the password and ensure the confidentiality and integrity of the password during its transport and storage.

As of SAP NetWeaver 6.40, the password hash algorithm changed from MD5 to SHA-1. This means that more secure hash values, which are not downward-compatible and which make reverse engineering attacks more difficult, can be generated. By default, new systems generate two hash values: a downward-compatible value and a new value. You can configure the system so that only the new hash value is generated.

For more information, see the information about profile parameter login/password_downwards_compatibility in Password Rules.

Security Checks

After the AS ABAP system receives the authentication information for the user, the system performs the following checks to grant access:

1. Whether the user has a password and whether the user can log on with a password logon.

2. Whether the user has been locked and is therefore not allowed to log on:

   • The user administrator can lock a user to prevent the user from logging on to the system. For more information, see the Lock/Unlock section of User Maintenance Functions.

   • The system also sets a logon lock if the user exceeds the permitted number of logon attempts (only for password-based logons).

3. Whether the user's logon data authentication credentials are correct.

4. Whether the user must set a new password. Users must set new passwords in the case of an initial password, an expired password, or a password that has been reset by the administrator. You can specify how long passwords remain valid in the system profile. By default, there is no limit on the validity of passwords.

If the user ID and password are correct, then the system displays the date and time of the user's last logon under  System  Status . With the date and time, the user can check that no suspicious logon activity has occurred. The logon date and time cannot be changed in a standard production system. The system does not record the logoff date and time.

Configuration

For information about configuring the security protection mechanisms for user ID and password logon with the SAP GUI, see Logon and Password Security for SAP GUI.