Login password parameters


Profile parameters protect the system against misuse by its users. To protect an SAP system against unauthorized access you must define password rules, set the relevant profile parameters and change the initial values. The login/* password parameters enforce those rules whenever a user sets or changes a password.

  
The parameters are maintained with transaction RZ10. Insert them into the DEFAULT profile so that they take effect for all instances, and restart the instances afterwards.


1. Call transaction RZ10.
2. Select the default profile (DEFAULT.PFL).
3. Select Extended maintenance.
4. Change or add the parameters, as required.
5. Save and activate the profile.
6. Restart the application server.


How they work:

login/min_password_lng:
Defines the minimum length of a password. Recommended value: 8.
Default value: 6; permissible values: 3 to 40.

login/min_password_digits:
Defines the minimum number of digits (0-9) a password must contain.
Default value: 0; permissible values: 0 to 40.
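As an added example (not part of the original post, and not SAP code), the Python script below parses a DEFAULT.PFL-style profile and reports the two parameters above when they are missing (so the kernel default applies), out of range, or below the recommended value. The sample profiles are constructed; treating "at least one digit" as the recommended minimum for login/min_password_digits is this example's assumption.

```python
import re

# Kernel defaults and permitted ranges for the two parameters described above,
# plus the value this example treats as the recommended minimum (8 comes from
# the text; requiring at least one digit is this example's assumption).
BASELINE = {
    "login/min_password_lng":    {"default": 6, "recommended": 8, "range": (3, 40)},
    "login/min_password_digits": {"default": 0, "recommended": 1, "range": (0, 40)},
}

# A profile line looks like:  login/min_password_lng = 8   (comments start with '#')
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Return {parameter: raw value} for every 'name = value' line in a profile."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_password_params(profile_text, baseline=BASELINE):
    """Compare the login/* parameters in a profile with the baseline.

    Returns a list of (parameter, effective value, finding). A parameter that is
    absent from the profile is evaluated at its kernel default, because that is
    what the instance actually enforces.
    """
    params = parse_profile(profile_text)
    findings = []
    for name, spec in baseline.items():
        raw = params.get(name)
        if raw is None:
            effective, source = spec["default"], "kernel default, not set in profile"
        else:
            if not raw.lstrip("-").isdigit():
                findings.append((name, raw, "value is not an integer"))
                continue
            effective, source = int(raw), "set in profile"
        low, high = spec["range"]
        if not low <= effective <= high:
            findings.append((name, effective, f"outside permitted range {low}-{high}"))
        elif effective < spec["recommended"]:
            findings.append((name, effective,
                             f"below recommended {spec['recommended']} ({source})"))
    return findings


# Constructed sample profiles, not taken from any real system.
WEAK_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
# login/min_password_digits is not set, so the kernel default 0 applies
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
login/min_password_lng = 8
login/min_password_digits = 1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, "profile:", check_password_params(text) or "no findings")
```

Run it against a copy of the DEFAULT profile taken from the instance to see which password rules are still at their kernel defaults; a parameter that is simply absent from the profile is the finding most often missed in a manual review.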

Table level restriction

I am posting this topic in question-and-answer form; hope you like it. These questions and answers are interlinked with one another, so read them in order to avoid confusion.
S_TABU_DIS AUTHORIZATION OBJECT AND ITS FIELDS
What are SE16/SM30?
SE16 is the data browser and SM30 is table maintenance. Users can read (and with SM30 change) tables through these transaction codes.

What do tables contain?
All SAP data is stored in tables. Some tables hold sensitive information that must not be accessible to every employee, such as vendor details, profit and loss reports and salary details.

Tables are of two types:

1) Standard: these tables come with the SAP installation.
2) Customized: these tables are created manually based on a requirement.

What happens if a user has SE16/SM30 access?
With unrestricted SE16/SM30 access the user can open any table, standard or customized. That is excessive access.

Should we remove SE16/SM30 access then?
Removing the transaction codes from the user is a bad idea, because users need some of that data for their business process; without the transactions they cannot reach it at all.


So what does the security admin do?
The security admin finds out which tables the user requires, creates an authorization group, assigns those tables to the group, and grants the group to the user through S_TABU_DIS.

What is S_TABU_DIS?
It is the authorization object that SE16/SM30 check for table-level restriction. It has two fields:
ACTVT: the permitted activity (02 = change, 03 = display); in PFCG you tick the activities the user needs.
DICBERCLS: the table authorization group.
Once a user is authorized for an authorization group, the user can access every table assigned to that group, so only group tables of the same sensitivity together. (Newer releases also check S_TABU_NAM, which authorizes individual tables by name; this post covers the group-based check.)

How do we create an authorization group?
Authorization groups are created in SE54. A new group is empty; we then assign tables to it (the table-to-group assignment is stored in table TDDAT and is also maintained from SE54). A table that has not been assigned to any group is treated as belonging to the group &NC& (not classified), so an unassigned custom table is reachable by anyone whose DICBERCLS value is &NC& or *.

1) Call SE54.
2) Choose Authorization Groups.
3) Click the Create/Change button.
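To make the resolution order concrete, here is an added example (not SAP code, and not from the original post) that simulates the S_TABU_DIS check: the table is mapped to its authorization group through a constructed TDDAT mapping, unassigned tables fall into &NC&, and the user's ACTVT and DICBERCLS values are then compared. The users, tables and groups are invented for illustration, and authorization value ranges are left out.

```python
from fnmatch import fnmatchcase

NOT_CLASSIFIED = "&NC&"   # group used for tables that have no TDDAT assignment

# Constructed TDDAT-style mapping (table -> authorization group). Sample data only.
TDDAT = {
    "LFA1":       "FA",    # vendor master
    "PA0008":     "PA",    # HR basic pay
    "ZSALES_REP": "ZSAL",  # custom table, explicitly assigned to a custom group
    # "ZTEMP_LOG" is deliberately missing: nobody assigned it, so it counts as &NC&
}
ALL_TABLES = sorted(TDDAT) + ["ZTEMP_LOG"]


def auth_group(table):
    """Group the check will use for the table; unassigned tables are &NC&."""
    return TDDAT.get(table, NOT_CLASSIFIED)


def value_covers(auth_value, requested):
    """An authorization value is either literal or generic ('*', 'Z*').
    Value ranges are omitted in this example."""
    return fnmatchcase(requested, auth_value)


def can_access(user_auths, table, activity):
    """Decide whether the user's S_TABU_DIS authorizations allow `activity`
    ('03' display, '02' change) on `table`. Returns (allowed, group checked)."""
    group = auth_group(table)
    for auth in user_auths:
        actvt_ok = any(value_covers(v, activity) for v in auth["ACTVT"])
        group_ok = any(value_covers(v, group) for v in auth["DICBERCLS"])
        if actvt_ok and group_ok:
            return True, group
    return False, group


def reachable_tables(user_auths, activity="03", tables=ALL_TABLES):
    """Every table the user can open with `activity`: the 'excessive access' view."""
    return [t for t in tables if can_access(user_auths, t, activity)[0]]


# Constructed users, each holding a list of S_TABU_DIS authorizations.
USERS = {
    # display only, one custom group: the restricted setup the post recommends
    "ANALYST":   [{"ACTVT": {"03"}, "DICBERCLS": {"ZSAL"}}],
    # DICBERCLS = * with change: the excessive access that comes with plain SE16/SM30
    "BASIS_ALL": [{"ACTVT": {"02", "03"}, "DICBERCLS": {"*"}}],
    # holds only &NC&, yet reaches every table that nobody classified
    "DEVELOPER": [{"ACTVT": {"03"}, "DICBERCLS": {"&NC&"}}],
}

if __name__ == "__main__":
    for name, auths in USERS.items():
        print(f"{name:10} display: {reachable_tables(auths)}  "
              f"change: {reachable_tables(auths, '02')}")
```

The DEVELOPER case is the one to look for in an audit: a role that grants only &NC& looks harmless, but it opens every custom table that was created without an authorization group.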

How to Remove duplicate roles

Most SAP users carry duplicate roles. A duplicate role is the same role assigned to a user more than once with different validity periods; the ABAP report described here finds such assignments and compresses them.
Compress identical roles that have different validity periods
Do you know why this is happening?

When a user complains that an authorization they used to have no longer works, it usually means that the role assignment carrying those transactions has expired for that user.

Instead of extending the validity of the existing assignment, most user admins assign the role again with a new start and end date. This happens most often with composite roles that are assigned several times.

Is it just a user admin mistake? Yes, it is.

PRGN_COMPRESS_TIMES is a standard ABAP report available in your SAP system (use it if you are not working with Central User Administration). It compresses the repeated assignments of the same role into a single assignment, taking the earliest start date and the latest end date of the assignments as the new validity period.


The screenshots below show the result of the compression.
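Added example, not the SAP report and not from the original post: the functions below reproduce the compression on a constructed AGR_USERS-style extract, merging overlapping or directly adjacent periods of the same role into one row that runs from the earliest start to the latest end. Periods separated by a gap are kept as separate rows; that treatment of gaps is this example's assumption.

```python
from collections import defaultdict
from datetime import date


def duplicate_assignments(rows):
    """(user, role) pairs that appear more than once: what the report looks for."""
    count = defaultdict(int)
    for uname, agr_name, _, _ in rows:
        count[(uname, agr_name)] += 1
    return sorted(key for key, n in count.items() if n > 1)


def compress_times(rows):
    """Merge repeated assignments of the same role into one validity period.

    rows: (uname, agr_name, from_dat, to_dat) with date objects, like an
    AGR_USERS extract. Overlapping or directly adjacent periods are merged into
    one row from the earliest start to the latest end. Periods with a gap between
    them are kept separate (assumption made by this example).
    """
    by_key = defaultdict(list)
    for uname, agr_name, from_dat, to_dat in rows:
        if from_dat > to_dat:
            raise ValueError(f"{uname}/{agr_name}: start {from_dat} is after end {to_dat}")
        by_key[(uname, agr_name)].append((from_dat, to_dat))

    merged = []
    for (uname, agr_name), periods in by_key.items():
        periods.sort()
        cur_from, cur_to = periods[0]
        for from_dat, to_dat in periods[1:]:
            # (from_dat - cur_to).days <= 1 means overlap or next-day adjacency;
            # subtracting avoids adding a day to 9999-12-31, which would overflow
            if (from_dat - cur_to).days <= 1:
                cur_to = max(cur_to, to_dat)
            else:
                merged.append((uname, agr_name, cur_from, cur_to))
                cur_from, cur_to = from_dat, to_dat
        merged.append((uname, agr_name, cur_from, cur_to))
    return sorted(merged)


# Constructed AGR_USERS-style sample: the same role re-assigned instead of extended.
SAMPLE_ROWS = [
    ("JSMITH", "Z_FI_AP_CLERK", date(2019, 1, 1),  date(2019, 12, 31)),
    ("JSMITH", "Z_FI_AP_CLERK", date(2019, 10, 1), date(2020, 12, 31)),  # overlaps
    ("JSMITH", "Z_FI_AP_CLERK", date(2021, 1, 1),  date(9999, 12, 31)),  # adjacent
    ("JSMITH", "Z_MM_DISPLAY",  date(2018, 1, 1),  date(2018, 6, 30)),
    ("JSMITH", "Z_MM_DISPLAY",  date(2019, 1, 1),  date(2019, 6, 30)),   # gap: stays separate
    ("AKUMAR", "Z_FI_AP_CLERK", date(2020, 1, 1),  date(2020, 12, 31)),
]

if __name__ == "__main__":
    print("duplicates:", duplicate_assignments(SAMPLE_ROWS))
    for row in compress_times(SAMPLE_ROWS):
        print(row)
```

Running duplicate_assignments over a real AGR_USERS extract before executing the report shows which users will be affected; the three Z_FI_AP_CLERK rows collapse into one, while the two Z_MM_DISPLAY rows stay apart because nothing was assigned between mid-2018 and 2019.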

Forbidden password

What is your password?

***123
abc***
welcome****
***hello
qwerty**
love
dragon
password@**

 

 

Most people set passwords like the ones above. If yours looks like one of them, you are at risk.

In SAP this is a serious risk, because crores of rupees of business depend on the system. To stop users from choosing easy-to-guess passwords, SAP provides the forbidden password (illegal password) concept. Let us look at how forbidden passwords are set up, with screenshots.

Table USR40 stores the restricted passwords; it is also referred to as the password exception list. We enter well-known weak passwords in USR40 so that no user can choose them. Entries can be literal words or patterns containing '*' (any string) and '?' (one character), so '*123' rejects every password that ends in 123 and 'welcome*' every password that starts with welcome, whatever text, numbers or special characters follow. This forces users to choose strong passwords and is part of authentication security.

 

  • Go to SM30 and enter table USR40.
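As an added example (not SAP code, and not from the original post), the script below checks candidate passwords against a USR40-style list built from the patterns above and combines that check with the login/min_password_lng and login/min_password_digits rules from the profile parameters section. The assumption that the USR40 comparison ignores case is this example's; the sample list and the candidate passwords are constructed.

```python
import re

# USR40-style entries. These mirror the patterns in the list above; treat them as
# a constructed sample, not a recommended production list.
USR40 = ["*123", "abc*", "welcome*", "*hello", "qwerty*", "love", "dragon", "password@*"]


def usr40_regex(pattern):
    """Translate a USR40 entry: '*' = any string, '?' = one character, rest literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: the check ignores case, so WELCOME2019 is caught by welcome*
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def forbidden_by(password, patterns=USR40):
    """Return the first USR40 entry the password matches, or None if it is allowed."""
    for pattern in patterns:
        if usr40_regex(pattern).match(password):
            return pattern
    return None


def password_findings(password, min_lng=8, min_digits=1, patterns=USR40):
    """Combine the USR40 check with the login/min_password_* rules from the
    profile parameters section; the defaults are that section's recommended values."""
    findings = []
    if len(password) < min_lng:
        findings.append(f"shorter than login/min_password_lng={min_lng}")
    if sum(ch.isdigit() for ch in password) < min_digits:
        findings.append(f"fewer than login/min_password_digits={min_digits} digits")
    hit = forbidden_by(password, patterns)
    if hit is not None:
        findings.append(f"matches forbidden pattern {hit!r} in USR40")
    return findings


if __name__ == "__main__":
    for candidate in ("Summer123", "WELCOME2019", "love", "lovely1234", "Tr0ub4dor&3"):
        print(f"{candidate:12} -> {password_findings(candidate) or 'accepted'}")
```

Note that an entry without a wildcard, such as 'love', blocks only that exact word: 'lovely1234' passes. If the intent is to block every password containing the word, the USR40 entry has to be '*love*'.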

SAP Security Syllabus


Topic 1: Introduction to SAP and SAP Security
    i. Transaction codes
    ii. Landscape

Topic 2: User Administration
    A. Single user creation (SU01)
        i. Create user
        ii. Reset/change/deactivate password
        iii. Assign roles/profiles
        iv. Lock/unlock user
        v. Delete user
    B. Mass user creation (SU10)
        i. Create users
        ii. Deactivate passwords of mass users
        iii. Assign roles/profiles
        iv. Lock/unlock users
        v. Delete mass users
        vi. Disadvantages of SU10
    C. User types and their uses
    D. Other ways to set up users
    E. User groups

Topic 3: Role Administration
    A. Role types
        i. Single role
        ii. Derived role
        iii. Composite role
    B. Introduction to authorization objects
        i. Activities/fields
        ii. Important authorization objects
    C. Add authorization objects/T-codes manually
        i. Deactivate authorization object
    D. Traffic lights
    E. Mass user comparison
    F. Mass role/profile generation

Topic 4: Role Transport
    i. Transport request types
    ii. Transport single/mass roles
    iii. Release transport
    iv. Import transport
    v. Role download/upload

Topic 5: Profile parameter setup

Topic 6: Tables and reports

Topic 7: Forbidden password restriction

Topic 8: User information (SUIM)
    i. User selection criteria
    ii. Roles by complex selection criteria
    iii. Comparison
    iv. Change documents

Topic 9: Background jobs

Topic 10: Restriction on tables
    i. Authorization group creation
    ii. Map authorization group to tables

Topic 11: Troubleshooting
    i. SU53
    ii. ST01

Topic 12: Check indicators / SU24 changes

Topic 13: Implementation phases

Topic 14: Audit
    i. Internal audit
    ii. External audit