The following table presents the profile parameters with which you can set password and logon rules. These profile parameters define the minimum requirements for passwords. However, you cannot set any upper limits for password rules. For example, users can use any number of special characters in their passwords, as long as they follow the other password rules. More information about the procedure for changing profile parameters: Changing and Switching Profile Parameters.
Note
To make the parameters globally effective in an ABAP System (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, set the parameters in the profiles of the system application servers.
To display the parameter documentation, in the profile parameter maintenance tool (transaction RZ11), enter the parameter name and choose Display. On the next screen, choose the Documentation button.
Parameter | Value | Description |
---|---|---|
login/min_password_lng | Default: 6; Permissible values: 3 - 40 | Defines the minimum length of the password. Until SAP NetWeaver 6.40 (inclusive), up to 8 characters. |
login/min_password_digits | Default: 0; Permissible values: 0 - 40 | Defines the minimum number of digits (0-9) in passwords. Available as of SAP Web AS 6.10. (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.) |
login/min_password_letters | Default: 0; Permissible values: 0 - 40 | Defines the minimum number of letters (A-Z) in passwords. Available as of SAP Web AS 6.10. (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.) |
login/min_password_lowercase | Default: 0; Permissible values: 0 - 40 | Specifies how many characters in lower-case letters a password must contain. Available after SAP NetWeaver 6.40. |
login/min_password_uppercase | Default: 0; Permissible values: 0 - 40 | Specifies how many characters in upper-case letters a password must contain. Available after SAP NetWeaver 6.40. |
login/min_password_specials | Default: 0; Permissible values: 0 - 40 | Defines the minimum number of special characters in the password. Permissible special characters are: `!"@ $%&/()=?'*+~#-_.,;:{[]}\<>│`, space, and the grave accent. After SAP NetWeaver 6.40, all characters that are not letters or digits are regarded as special characters. Available as of SAP Web AS 6.10. (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.) |
login/password_charset | Default: 1; Permissible values: | This parameter defines the characters of which a password can consist. Available in the standard system as of SAP Web AS 6.40. Caution: With login/password_charset = 2, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 2. |
Parameter | Value | Description |
---|---|---|
login/password_compliance_to_current_policy | Default: 0; Permissible values: | Available after SAP NetWeaver 6.40. |
login/disable_password_logon | Default: 0; Permissible values: | Controls the deactivation of password-based logon. This means that the user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket). See Logon Data Tab Page. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package. |
login/password_logon_usergroup | Default: <empty_character_string> | Controls the deactivation of password-based logon for user groups. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package. |
login/password_max_idle_productive | Default: 0 (the check is deactivated); Permissible values: 0 - 24,000 (unit: days) | Specifies the maximum period for which an unused productive password (a password set by the user) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password. Available after SAP NetWeaver 6.40. |
login/password_max_idle_initial | Default: 0 (the check is deactivated); Permissible values: 0 - 24,000 (unit: days) | Specifies the maximum period for which an unused initial password (a password set by the user administrator) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password. This parameter replaces the profile parameters login/password_max_new_valid and login/password_max_reset_valid. Available after SAP NetWeaver 6.40. |
login/password_max_new_valid | Default: 0; Permissible values: 0 - 24.000 | Defines the validity period of passwords for newly created users. Only available in SAP Web Application Server 6.20 and 6.40. |
login/password_max_reset_valid | Default: 0; Permissible values: 0 - 24.000 | Defines the validity period of reset passwords. Only available in SAP Web Application Server 6.20 and 6.40. |
Parameter | Value | Description |
---|---|---|
login/min_password_diff | Default: 1; Permissible values: 1 - 40 | Defines the minimum number of characters that must be different in the new password compared to the old password. Available as of SAP Web AS 6.10. (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.) |
login/password_expiration_time | Default: 0; Permissible values: 0 - 1000 | Defines the validity period of passwords in days. |
login/password_change_for_SSO | Default: 1; Permissible values: | If the user logs on with Single Sign-On, checks whether the user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package. |
login/password_history_size | Default: 5; Permissible values: 1 - 100 (unit: number of entries) | Specifies the number of passwords (chosen by the user, not the administrator) that the system stores and that the user is not permitted to use again. Available after SAP NetWeaver 7.0. |
login/password_change_waittime | Default: 1; Permissible values: 1 - 1,000 (unit: days) | Specifies the number of days that a user must wait before changing the password again. Available after SAP NetWeaver 6.40. |
Parameter | Value | Description |
---|---|---|
login/password_downwards_compatibility | Default: 1; Permissible values: | Specifies the degree of backward compatibility. Available as of SAP NetWeaver 7.0. Caution: With login/password_downwards_compatibility = 0, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 0. |
login/password_hash_algorithm | Default: Depends on the kernel version; Permissible values: see SAP Note 991968 (unit: special character string) | Specifies the hash procedure and the coding format for the calculation of new password hash values. You do not usually need to change the default value set by the kernel. Note: If the profile parameter login/password_downwards_compatibility has the value 5, only backward compatible passwords are permissible. This means that the parameter login/password_hash_algorithm would be meaningless. Available after SAP NetWeaver 7.0. |
Parameter | Value | Description |
---|---|---|
login/disable_multi_gui_login | Default: 0; Permissible values: 0, 1 | Controls the deactivation of multiple dialog logons. Available as of SAP Basis 4.6. |
login/multi_login_users | Default: <empty_list> | List of excepted users, that is, the users that are permitted to log on to the system more than once. Available as of SAP Basis 4.6. |
Parameter | Value | Description |
---|---|---|
login/fails_to_session_end | Default: 3; Permissible values: 1 - 99 | Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. Set the parameter to a value lower than the value of parameter login/fails_to_user_lock. |
login/fails_to_user_lock | Default: 5; Permissible values: 1 - 99 | Defines the number of unsuccessful logon attempts before the system locks the user. |
login/failed_user_auto_unlock | Default: 0 (locks due to incorrect logon attempts remain valid for an unlimited period); Permissible values: 0, 1 | Defines whether user locks due to unsuccessful logon attempts are automatically removed at midnight. |
Parameter | Value | Description |
---|---|---|
login/accept_sso2_ticket | Default: 0; Permissible values: | Allows or locks the logon using SSO ticket. Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package. |
login/create_sso2_ticket | Default: 0; Permissible values: | Allows the creation of SSO tickets. Available as of SAP Basis 4.6D. Recommendation: We recommend you set this to 2. The SSO tickets are significantly smaller without the certificate and therefore have less overhead. |
login/ticket_expiration_time | Default value: 8; Unit: hours | Defines the validity period of an SSO ticket. Available as of SAP Basis 4.6D. |
login/ticket_only_by_https | Default: 0; Permissible values: | Specifies how the system sets the logon ticket, generated when logging on by HTTP(S), in the browser. Available as of SAP Basis 4.6D. |
login/ticket_only_to_host | Default: 0; Permissible values: | Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser. Available as of SAP Basis 4.6D. |
Parameter | Value | Description |
---|---|---|
login/disable_cpic | Default: 0; Permissible values: 0, 1 (unit: Boolean) | Refuse inbound connections of type CPIC. |
login/no_automatic_user_sapstar | Default: 1, that is, you need to explicitly activate the emergency user; Permissible values: 0, 1 | Control the emergency user SAP* (more information: SAP Notes 2383 and 68048). |
login/system_client | Default: 000; Permissible values: 000 - 999 | Specifies the default client that the system automatically enters on the logon screen. Users can, however, overwrite the default value with a different client. |
login/update_logon_timestamp | Default: m; Permissible values: | Specifies the exactness of the logon timestamp. Available as of SAP Basis 4.6. |
Parameter | Value | Description |
---|---|---|
rdisp/gui_auto_logout | Default: 0 (unrestricted); Permissible values: Any numeric value | Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections). |
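
The following Python example is added here (it is not SAP code and not part of the original documentation). It audits a profile against rules stated in the tables above: permissible ranges, the ordering of login/fails_to_session_end and login/fails_to_user_lock, deactivated idle checks, replaced parameters, and the note on login/password_downwards_compatibility = 5. The `name = value` profile syntax with `#` comment lines, the function names, and the sample profile are assumptions made for the example.

```python
import re

# (low, high, default) as listed in the tables on this page.
RANGES = {
    "login/min_password_lng": (3, 40, 6),
    "login/password_max_idle_initial": (0, 24000, 0),
    "login/password_max_idle_productive": (0, 24000, 0),
    "login/fails_to_session_end": (1, 99, 3),
    "login/fails_to_user_lock": (1, 99, 5),
}
IDLE = ("login/password_max_idle_initial", "login/password_max_idle_productive")
REPLACED = ("login/password_max_new_valid", "login/password_max_reset_valid")

def parse_profile(text):
    """Assumed format: one 'name = value' per line; lines starting with '#' are comments."""
    return dict(re.findall(r"^[ \t]*([A-Za-z][\w/.-]*)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M))

def audit(params):
    """Check a parsed profile against the rules stated in the tables on this page."""
    findings, eff = [], {}
    for name, (lo, hi, default) in RANGES.items():
        raw = params.get(name, str(default))  # unset parameter: documented default applies
        if raw.isdecimal() and lo <= int(raw) <= hi:
            eff[name] = int(raw)
        else:
            findings.append(f"{name} = {raw}: outside permissible values {lo} - {hi}")
    end, lock = eff.get("login/fails_to_session_end"), eff.get("login/fails_to_user_lock")
    if None not in (end, lock) and end >= lock:
        findings.append(f"login/fails_to_session_end ({end}) is not lower than "
                        f"login/fails_to_user_lock ({lock})")
    findings += [f"{n} = 0: the check is deactivated" for n in IDLE if eff.get(n) == 0]
    findings += [f"{n}: replaced by login/password_max_idle_initial"
                 for n in REPLACED if n in params]
    if (params.get("login/password_downwards_compatibility") == "5"
            and "login/password_hash_algorithm" in params):
        findings.append("login/password_hash_algorithm is meaningless while "
                        "login/password_downwards_compatibility = 5")
    return findings

SAMPLE = """\
# DEFAULT.PFL (constructed sample, not taken from a real system)
login/min_password_lng = 2
login/fails_to_session_end = 5
login/fails_to_user_lock = 5
login/password_max_new_valid = 30
login/password_downwards_compatibility = 5
login/password_hash_algorithm = <placeholder>
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_profile(SAMPLE))))
```

Parameters that are absent from the profile are evaluated with the default listed in the tables, so an empty profile still reports both idle checks as deactivated.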