Former Member

Quiz: understanding security policies in SAP (SECPOL)

Scenario:

Imagine your SAP system (1 application server) is running with the following system profile parameter settings (RZ10):

Kernel default values:

login/min_password_digits = 0

login/min_password_lng = 6

login/min_password_lowercase = 0

login/min_password_specials = 0

Default profile values:

login/min_password_lng = 8

login/min_password_lowercase = 1

Instance profile values:

login/min_password_digits = 1

login/min_password_lowercase = 2

login/min_password_specials = 1

Due to strict security requirements for employees in the IT department of your company, you now want to ensure that all of them use at least 4 digits in their password. You have heard about security policies in the SAP system and therefore you created the following new security policy using transaction SECPOL and assigned it to all IT employees.

Security policy values:

MIN_PASSWORD_DIGITS = 4

Question:

Which of the following password options can be used by IT employees after the new security policy has been assigned to their user master record?

Possible options to choose:

  1. ab-1234
  2. abcd-123
  3. 123456
  4. abc-1234
  5. abcd1234

Choose wisely and please explain your choice.

Hint: SAP Security policies / Group policies


3 Answers

  • Best Answer
    Former Member
    Nov 02, 2015 at 11:32 AM

    Not sure whether I'm allowed to participate but, the answer is:

    effective values:

    login/min_password_digits = 4

    login/min_password_lng = 6

    login/min_password_lowercase = 0

    login/min_password_specials = 0

    The matching passwords thus are:

    1. ab-1234
    3. 123456
    4. abc-1234
    5. abcd1234

    The reason can be found in the docs and also in tx SECPOL. Profile parameter values will ONLY be used for users to whom no security policy has been assigned. As soon as you assign values using security policies, you will have to assign all values using the security policy. For all other values the defaults will be used (which were listed as kernel defaults above and which can also be seen by clicking "effective values" in SECPOL).

    Why is this the case? Because security policies can be transported and thus need to be self-contained. This would not work if they were an extension to the profile parameters, because in that case the effective policy on different systems could be different.

    Kind regards,

    Patrick
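The resolution rule Patrick describes, worked through as an added example (constructed here, not code from the post or from SAP): with no policy the layered profile values apply, with a policy assigned the profile values are ignored and unset attributes fall back to the kernel defaults. The special-character rule (non-alphanumeric counts as special) is an assumption for the check.

```python
# Values below are taken from the quiz scenario on this page; the resolution
# logic is a model of the documented behaviour, not SAP code.
KERNEL_DEFAULTS = {
    "login/min_password_digits": 0,
    "login/min_password_lng": 6,
    "login/min_password_lowercase": 0,
    "login/min_password_specials": 0,
}
DEFAULT_PROFILE = {"login/min_password_lng": 8, "login/min_password_lowercase": 1}
INSTANCE_PROFILE = {
    "login/min_password_digits": 1,
    "login/min_password_lowercase": 2,
    "login/min_password_specials": 1,
}
SECURITY_POLICY = {"MIN_PASSWORD_DIGITS": 4}
CANDIDATES = ["ab-1234", "abcd-123", "123456", "abc-1234", "abcd1234"]


def policy_attr_to_param(attr):
    # SECPOL attribute names mirror the profile parameter names:
    # MIN_PASSWORD_DIGITS -> login/min_password_digits
    return "login/" + attr.lower()


def effective_values(security_policy=None):
    """Resolve the password rules that apply to one user.

    No policy assigned: kernel default < default profile < instance profile.
    Policy assigned: profile values are ignored entirely; every attribute the
    policy does not set falls back to the kernel default (self-contained policy).
    """
    if security_policy is None:
        return {**KERNEL_DEFAULTS, **DEFAULT_PROFILE, **INSTANCE_PROFILE}
    rules = dict(KERNEL_DEFAULTS)
    rules.update({policy_attr_to_param(a): v for a, v in security_policy.items()})
    return rules


def complies(password, rules):
    digits = sum(c.isdigit() for c in password)
    lower = sum(c.islower() for c in password)
    specials = sum(not c.isalnum() for c in password)  # assumption: non-alphanumeric
    return (len(password) >= rules["login/min_password_lng"]
            and digits >= rules["login/min_password_digits"]
            and lower >= rules["login/min_password_lowercase"]
            and specials >= rules["login/min_password_specials"])


def allowed_options(rules, candidates=CANDIDATES):
    """Return the 1-based option numbers from the quiz that satisfy the rules."""
    return [i for i, pw in enumerate(candidates, 1) if complies(pw, rules)]


if __name__ == "__main__":
    print("without policy:", allowed_options(effective_values()))
    print("with policy:   ", allowed_options(effective_values(SECURITY_POLICY)))
```

Running it shows why the answer changes once the policy is assigned: options 2 and 4 pass the profile-derived rules, while options 1, 3, 4 and 5 pass the policy-derived ones.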


  • Former Member
    Oct 31, 2015 at 07:55 PM

    It depends on whether it is a new installation of 7.31 or higher, or an older installation which has been upgraded.

    If login/password_compliance_to_current_policy has its default, then all of the above are possible.

    If, depending on above, USR40 is maintained with very basic policies then probably none of them will be possible unless it is a password set by an admin.

    So if the IT employees can set productive passwords for themselves in SU01, then it is again just a warning about the characters, so the most tempting answer would be 4 in that case.

    But most likely answer is that after assigning the policy, all of the above would still continue to work.

    Cheers,

    Julius


    • Former Member

      Hi Julius,

      thanks for sharing your thoughts. I do not want to make the quiz more complicated, but in real life you are right and these things need to be considered too.

      Concerning your input I want to define these additional conditions for my quiz question:

      • System parameter login/password_compliance_to_current_policy is set to value 0 in default profile (out of scope).
      • USR40 is not maintained (out of scope).
      • IT employees do not have access to SU01.
      • User type of IT employees is set to Dialog (A).
      • Question focusses on the next password change being performed by IT employees.


      Optimized Question (now more precise):

      Which of the following password options can be used by IT employees when performing a password change via transaction SU3 after the new security policy has been assigned to their user master record?


      You get another chance to answer the question.


      Best regards

      Stefan

  • Oct 31, 2015 at 08:25 PM

    Hi,

    Answer - 4.

    The instance profile takes precedence, along with the security policy.

    Thanks.


    • Former Member

      Ah, I got it!

      No passwords are being changed because all the IT employees have left the company because of the confusing password rules? ;-)

      Just joking - I am going to have to pass here then and go back to reading the docs for the moment...

      Cheers,

      Julius