Hi Julius,

thanks for your response ... .

I thought of dynamically creating an RFC destination for the user-id and trying to call RFCPING sufficient number of times with the wrong password - until the user gets locked. But that programmatically not really slick and it should also trigger security incidents (in this partially perfect world we are all aiming at).

The portal is a service portal (ESS), so there are no real logons via the portal. I did not (re-)test this in newer versions of SAP NetWeaver, but according my current view and understanding USR02-TRDAT is not updated when RFC logons happen - only when dialog logons take place.

In the case I am talking about, I can actually "see" in USR02-TRDAT whether proper password logons are being done under the user-id ...

Thanks anyway ...

Ralf

Hello Ralf,

I just tested BAPI_USER_CHANGE.

It worked fine to deactivate the password... C

You need to activate the structure as well... X

Cheers,

Julius

Dear Julius,

I knew I overlooked something here ...

When I test-run BAPI_USER_CHANGE on a 6.10 system, I did set USERNAME to"JBROWN" (well - WA1 system), PASSWORD to ' ', PASSWORDX to 'X'.

And I got a result:

E 00 188 The first three characters of a password must all be different

Obviously the password was not deactivated this way.

What exactly did you do ?

Regards and thanks,

Ralf

Hello Ralf,

I am not to sure about a 6.10 system. Haven't seen one of those for a while now.

On an up-to-date patched system: Set the LOGONDATA-CODVN = 'X' (it will also default bcode to 0000000... not that that means very much though...) and activate the structure(s) as you wish.

Cheers,

Julius

PS: It is in the LOGONDATA structure. Not PASSWORD.

Message was edited by:

Julius Bussche

Dear Julius,

thanks - this works indeed. Even on 6.10. Authorizations checked are S_USER_GRP / 02 (which is sort of wrong as you can also activate/set the pw with this call ...).

I saw that there are these fields in the LOGONDATA structure, but I did not dare to use the whole structure and I did not see that you could activate parts of it ... Thanks for that hint !

Regards,

Ralf

Glad to hear that you got the first part working. Now to find the users to do it to...

My opinion: Actvt 02 is not necessarily wrong - classing the password deactivation as being a change to the user record... it's permitted authentication method. After all, you did not change the password (actvt 05).

For your information, in higher releases, BCODE is no longer evaluated as it does not store the password hash there any longer when using higher CODVNs.

For the record: "Hacking" things into USR02 can have horrible consequences. I have heard that if you get things wrong and cause a mess... then SAP can even elect to cancel support of the system. According to <a href="https://service.sap.com/sap/support/notes/7">SAP Note 7</a> it did not take long for the first person to find this out...

Cheers,

Julius

>> which is sort of wrong as you can also activate/set the pw with this call...

No. The BAPI checks the authority based on which structure you have activated and the data in the structure. It even checks S_USER_GRP, S_USER_AGR etc depending on what you are trying to change.

The definition of a BAPI is that it behaves exactly the same as the transaction code functionality it corresponds to (when exposed to the BAPI interface). So that which it provides which is analogue to SU01, it checked for the same authority.

Cheers,

Julius

Hi Julius,

well, hmm ... in authorizations it is always difficult to call something "right" or "wrong". Should not have used these terms.

What I meant was:

SU01 with S_USER_AGR / 01 allows you to create a user. Unfortunately you can also set the initial password then.

But after that, SU01 always seems to require S_USER_AGR / 05 for password resets (and user locks / unlocks of course).

SU01 with just S_USER_AGR / 02 still allows to deactivate the PW, but does not allow me to set it ...

Based on that it is possible to create SoD between user creation (01), user change & role/profile assignment (02,22) and user lock / unlock / pw resets (05, helpdesk). The fact that 01 allows to set up an initial password is not helpful here - but we can live with that ...

The BAPI works differently:

- BAPI_USER_CHANGE with just a password reset (PASSWORD / PASSWORDX) seems to require both S_USER_GRP / 02 and 05

- BAPI_USER_CHANGE with LOGONDATA / LOGONDATAX requires S_USER_GRP / 02 ...

My point is: The BAPI doesn't provide the same split between helpdesk functions (05) and the other functions (01, 02/22).

I should not have called it "wrong" for another reason: Documentation of S_USER_GRP does not talk about password resets at all - so there can't be anyting wrong about this anyway ))

I guess in any case we are touching an area that is a bit sophistic ...

Best regards,

Ralf

Hi Ralf,

This might be a support pack problem, but then you are on an ancient SP level... (see SAP note 191752). Besides, that was changed before 6.10.

>> SU01 with S_USER_AGR / 01 allows you to create a user.

No. S_USER_GRP

>> SU01 with just S_USER_AGR / 02 still allows to deactivate the PW,

>> but does not allow me to set it ...

I would see that as correct behaviour, except it is S_USER_GRP.

>> BAPI_USER_CHANGE with just a password reset (PASSWORD / PASSWORDX)

>> seems to require both S_USER_GRP / 02 and 05

My guess is that you have another "change related" (02) structure activated (for example you are not <b>re</b>-testing the FM with only the password change).

I still think it's an interface problem (between the chair and the keyboard ))

Cheers,

Julius

Hi Julius,

I will retest to exclude "interface" problems.

And sorry - S_USER_AGR is a typo. Should have been S_USER_GRP all the time.

Regards,

Ralf

PS: Wolfgang's <b>programmatic</b> suggestion can also answer the <i>"Now to find the users to do it to..."</i> question, in that they can do it to themselves.

Kind regards,

Julius

One could even go a step further to say that function modules should only be used by programs, which are then run by user administrators when they start the corresponding transactions.

At least... that is the way we do it.

Cheers,

Julius

Hello Wolfgang,

We worked hard at it and have reached a status in (production and related systems which require the same status) systems where only an emergency user can execute a function module outside of a CALL FUNCTION program context (i.e. they cannot directly maintain the interface of any function module, and, single-test it - that is what I was refering to). The remote invocations of the CALL FUNCTION was and is trickier, but I beleive that we continue to head in the right direction (including the authentication mechanism).

The idea behind an emergency user for such activities is not to be too strict... but rather to make exceptions (to the coded program context) transparent and auditable.

There are the odd functional consultants who required it (developers were not a problem at all because they understood why we did these "strict" changes), but these can be isolated into their program contexts as well (typically Z) and often highlighted programming / requirement / testing deficiencies (which can generally be solved, sooner or later).

>> Well, you always have to pay intention to the "usage constraints".

Yes, I agree. We restricted the S_DEVELOP program names (see above - for example) they are authorized for, but strive to eliminate them all (bar logged exceptions)... (<a href="http://en.wikipedia.org/wiki/De_Morgan%27s_laws">de morgan duality</a>).